Last updated August 13, 2018.    

At Albireo Pharma, Inc. (“Albireo,” “we,” “us” or “our”) we take your privacy and the security of your information very seriously.   

This Privacy Policy (“Policy”) covers Albireo owned and operated websites (“Site or “Sites”), including, and any services offered via the Site (collectively, the “Services”).  This Privacy Policy is incorporated into, and is part of, our Terms of Use (available here) which govern your access to the Site and your use of the Site and/or Services.  Unless otherwise defined herein, capitalized terms shall have the meaning assigned to such terms in the Terms of Use.  Website users who are located in the European Economic Area (EEA) should review our GDPR Privacy Notice, which supplements this general Privacy Policy.

If you have any questions regarding this Policy please contact us at

The Policy describes the types of information we gather from people visiting our Site and from individual users (“you” or “users”) interacting with our Site and how we use, transfer, and secure such information.  Your access to our Site and use of any Services indicates your acceptance of this Policy.  This Policy does not govern information we receive from third parties.  If you do not agree to the terms of this Policy, please do not use the Site, or any of our Services.  Each time you use any Site, or any Services, the current version of this Privacy Policy will apply. Accordingly, when you use any Site or Services, you should check the date of this Policy (which appears at the top) and review any changes since you last reviewed the Policy.  When we make any change to this Policy that has a significant impact on the privacy rights of users, we will flag that change on the main page of the Site.

1               Types of Information We Collect

We may collect two types of information from users of our Sites and Services: “Personal Information,” which is information that you provide that can be used to identify you (such as name, email address, etc.), and “Aggregate Information,” which is information that cannot be used to identify you.  Some countries consider IP addresses and device identifiers to be personal data.  When technologies used on our Site collect such information, the information obtained is immediately de-identified so that it becomes Aggregate Information.

1.1.         Personal Information Collected

1.1.1.     We collect Personal Information that you voluntarily provide to us when you use our Sites and Services.  For example, you may provide us with your email address, first name and last name, a message (which could, at your discretion, contain Personal Information), or other Personal Information. 

 1.1.2.     Some links on our Site (available here) may redirect you to third-party websites and services that We do not operate.  The privacy practices of these websites and services will be governed by their own policies.    We make no representation or warranty as to the privacy policies of any third parties, including the providers of third-party applications.  If you are submitting information to any such third party through our Site or Services, you should review and understand that party’s applicable policies, including their privacy policy, before providing your information to the third party.

1.2.         Aggregate Information Collected

1.2.1.     Aggregate Information is information that does not identify you.  Aggregate Information may be collected when you visit our Site or interact with our Services, independent of any information you voluntarily enter.  We may collect, use, store, and transfer Aggregate Information without restriction.   

1.2.2.    Although we do our best to honor the privacy preferences of our visitors, we are not able to respond to Do Not Track signals from your browser at this time. 

1.3.         Use of “Cookies”

1.3.1.     Cookies are alphanumeric identifiers that we transfer to your computer's hard drive through your web browser to help us identify you when you come to our Site.  Click here for a list of the cookies that this Site uses.  You have choices with respect to cookies.  By modifying your browser preferences, you have the choice to accept all cookies, to be notified when a cookie is set, or to reject all cookies.  If you choose to reject all cookies you may be unable to use those aspects of our Sites that require registration in order to participate.  You can learn more about cookies and how they work at  You can always disable cookies through your browser settings. Doing so, however, may disable certain features on our Sites.  You can opt out from third-party cookies that are used for advertising purposes on the NAI website at

1.4.         Analytics

1.4.1.     We may use third parties, such as Google Analytics or other analytics providers, to analyze traffic to a Site. Google Analytics does not create individual profiles for visitors and only collects aggregate data.  To disable Google Analytics, please download the browser add-on for the deactivation of Google Analytics provided by Google at  To learn more about privacy and Google Analytics, please consult the Google Analytics overview provided by Google at    You may find additional information about Google Analytics at  

1.4.2.     We may also use cookies, pixels, beacons, or other web tracking technologies to track the amount of time spent on our Sites or social media and whether or not certain content, such as a video was viewed. We may work with a trusted third party to collect and process this information for us, based on our instructions and in compliance with this Privacy Policy.

2               Sharing of Personal Information with Third Parties

2.1.         We may transfer Personal Information to third parties for the purpose of providing the Services.  We may disclose Personal Information to our affiliates or third-party service providers to provide you with the Services.  These third-party service providers are not authorized to retain, share, store or use the Personal Information for any purposes other than to provide the services they have been hired to provide. 

2.2.         We may also elect to transfer your Personal Information to third parties under special circumstances to: (i) to comply with a legal requirement, judicial proceeding, court order, or legal process served on Us; (ii) to investigate a possible crime, such as fraud or identity theft; (iii) in connection with the sale, purchase, merger, reorganization, liquidation or dissolution of Albireo; (iv) when we believe it is necessary to protect the rights, property, or safety of Albireo or other persons, or (v) as otherwise required or permitted by law. 

3               Corrections/Information Removal/Opt Out

3.1.         You can request that any Personal Information stored by We be deleted at any time by contacting us at  We may require you to provide certain information to verify that it is you making the request.  We will consider all requests for deletion carefully and we will comply with applicable data protection laws.  If we determine that we have a legitimate reason to decline your request (and the applicable privacy laws allow us to do so), we will discuss that with you and try to address your concerns.

3.2.         If you no longer wish to receive our newsletter and promotional communications, you may opt out of receiving them by following the instructions included in each communication.

4               Children and Privacy

4.1.         We do not knowingly collect Personal Information from children in connection with the features of our Sites or Services. If we become aware that an individual under the age of 16 has provided personally identifiable information through our Sites or Services, we will immediately remove the individual’s personally identifiable information from our files.  We request that parents and guardians do not use the Site or e-mail to provide us with any Personal Information concerning children.  Any communications relating to clinical trials should be made through the communication channels described in the applicable informed consent, patient information sheet or other instructions provided to clinical trial participants.

5               How Do We Protect Your Information?

5.1.         We take the security of your Personal Information very seriously.  We use reasonable administrative, physical, and technical safeguards to secure the Personal Information you share with us. Despite these safeguards and our additional efforts to secure your information, We cannot promise or guarantee that hackers, cybercriminals, or other unauthorized third-parties will not be able to defeat our security and improperly collect, access, steal, or modify your Personal Information. 

5.2.         Any email or other communication purporting to be from one of our websites asking you to provide sensitive information (including medical information) via email, should be treated as unauthorized and suspicious and should be reported to us immediately by emailing

6               Will We Change This Privacy Policy?

6.1.         Each time you use our Site or Services the current version of the Policy will apply. When you use our Site, you should check the date of this Policy (which appears at the top of the Policy) and review any changes since the last version. Our business changes frequently and this Policy is subject to change from time to time. Unless stated otherwise, our current Policy applies to all information that we have about you. We will not materially change our policies and practices to make them less protective of your privacy without the consent of affected users. When we make any change to this Policy that has a significant impact on the privacy rights of users, we will flag that change on the main page of the Site.

7               How to Contact Us

7.1.         To contact us with your questions or comments regarding this Policy or the information collection and dissemination practices of this website, please email us at

8               Governing Law

8.1.         This Policy is governed by the laws of the Commonwealth of Massachusetts, U.S.A. without giving effect to any principles of conflict of law.

GDPR Privacy Notice

Our processing of personal data of people who are in the European Economic Area (EEA) is governed by the General Data Protection Regulation (the “GDPR”), which applies from May 25, 2018. The GDPR requires us to provide certain information to you about your personal data, which we refer to in this notice as your Personal Information.  This Notice is for people who are located in the EEA and supplements our general Albireo Privacy Policy.

Data Controller

The data controller for this Site is Albireo Pharma, Inc.  For our contact information, see the section headed “How to Contact Us”.  

Purposes of the processing

We use your Personal Information to communicate with you about our research and products, disseminate information relating to Albireo, and respond to your inquiries.  We also process your Personal Information via automated technologies (such as cookies) to improve our Site and better understand the interests and needs of our users.  Our Cookies Notice provides additional information regarding the automatic processing of Personal Information via our Site.

Lawful basis for the processing

Generally, we process personal data on the basis that the processing is necessary for purposes of our legitimate interest in conducting our day-to-day business as a pharmaceutical company, having taken into account any risks to your fundamental rights and freedoms (including your right to privacy). 

We may also process personal data on other bases permitted by the GDPR and applicable laws, such as when the processing is necessary for us to comply with our legal obligations.

Our legitimate interests

We have a legitimate interest in conducting our day-to-day business as a pharmaceutical company. Specifically, as is common in our industry, we use our Site to communicate with patient communities, investors and other individuals who are interested in our products or development pipeline, respond to queries, provide relevant information and continually improve the way we provide information and respond to users.

Categories of Personal Information

We process the following information when provided voluntarily by our Site users: name, e-mail address and country were the user is located.  We also process automatically-gathered information as described in our Cookies Notice.

Recipients of your Personal Information

We use various service providers to manage our Site.  Our service providers change from time to time.  Note that our service providers have entered into contracts with us that restrict what they can do with your Personal Information. If you would like specific information about our service providers who have received your information, please contact us at  and we will provide that information to you.

Information regarding the transfers of personal data outside of the European Economic Area (EEA)




Albireo is based in the USA and that’s where we process the Personal Information of users.  When you provide Personal Information to us, we request your consent to transfer that Personal Information to the USA.  The USA does not have an adequacy decision from the European Commission, which means that the Commission has not determined that the laws of the USA provide adequate protection for Personal Information.  Although the laws of the USA do not provide legal protection that is equivalent to EU data protection laws, we nonetheless treat the Personal Information of EEA users in accordance with this GDPR Privacy Notice.  We take appropriate steps to protect your privacy and implement reasonable security measures to protect your Personal Information in storage. We use secure transmission methods to collect personal data such as Site passwords.  We also enter into contracts with our data processors that require them to treat Personal Information in a manner that is consistent with this Notice.

Retention period for Personal Information

How long we retain Personal Information varies according to the type of information in question and the purpose for which it is used.  We delete Personal Information within a reasonable period after we no longer need to use it for the purpose for which it was collected (or for any subsequent purpose that is compatible with the original purpose).  This does not affect your right to request that we delete your personal data before the end of its retention period.  We may archive personal data (which means storing it in inactive files) for a certain period prior to its final deletion, as part of our ordinary business continuity procedures.

Your rights to access, correct, restrict or delete your personal data and object to processing

You have the right to request access to your personal data, to have your personal data corrected, restricted or deleted, and to object to our processing of your personal data.  Your rights may be subject to various limitations under the GDPR.  If you wish to exercise any of these rights, or if you have any concerns about our processing of your personal data, please contact us in any of the ways listed in the section “How to Contact Us”.  The GDPR’s data portability rights are not relevant to the kinds of processing that we do in connection with our Site.

The right to lodge a complaint with a supervisory authority

You have the right to file a complaint concerning our processing of your personal data with your national (or in some countries, regional) data protection authority.   The EU Commission has a list here:

Statutory or contractual requirement or other obligation to provide any personal data

Users of our Site are under no statutory or contractual requirement or other obligation to provide Personal Information to us via our Site.

Cookies Notice

Our Site uses cookies to distinguish you from other users of our Site. This helps us to provide you with a better experience when you use our Site and also allows us to improve our site.

A cookie is a small file containing letters and numbers that we store on your device if you agree. Cookies contain information that is transferred to your device and then later read from your device.

We use the following categories of cookies:

  • Strictly Necessary / Functionality cookies. These are cookies that are required for the operation of our Site – and specifically, to allow you to sign into the Site.  These cookies cannot be switched off.  You can set your browser to block these cookies, but as a result, some parts of our Site will not work as designed.

Cookie Name

Definition Persistent or Session Based



This cookie name is associated with the Concrete5 web content management system, and is used to maintain a user session between pages. This is a persistent cookie with an average life span of 0 days. Persistent

Strictly Necessary


This cookie is set by the Google Cloud Load Balancer. The purpose of it to ensure all client requests are handled by the same backend server. It’s a common good practice when using Load balancers and web applications that require user sessions.

Without that cookie the load balancer would just assign the request to a random backend server, causing the users to be suddenly logged out or just showing up websites incomplete or with missing assets.


Strictly Necessary


  • Analytical cookies.   Analytical cookies allow us to analyze how our Site.  For example, we use analytical cookies to count the number of visitors and sources of web traffic so we can see how users move around our Site when they are using it. This helps us to improve the way our Site works, for example, by ensuring that users can find what they are looking for easily. All information these cookies collect is aggregated and therefore anonymized.  Currently, we use the following analytical cookies:

Cookie Name

Definition Persistent or Session Based



This cookie is associated with Google Universal Analytics. This cookie is used to distinguish unique users by assigning a randomly generated number as a client identifier. It is included in each page request in a site and used to calculate visitor, session and campaign data for the sites analytics reports. By default it is set to expire after 2 years. Persistent



This cookie is associated with Google Universal Analytics, according to documentation it is used to throttle the request rate - limiting the collection of data on high traffic sites. It expires after 10 minutes.




This cookie is associated with Google Universal Analytics. It appears to store and update a unique value for each page visited. Session



These cookies are used to gather website statistics, and track conversion rates. This cookie expires after 1 month Persistent



Adobe Site Catalyst cookie, determines whether cookies are enabled in the browser. Session



Adobe Site Catalyst cookie, stores information about the previous link clicked within the site. Session