Purpose

Calico Life Sciences, LLC (Calico) complies with the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework (collectively, “Privacy Shield”) as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union, United Kingdom and Switzerland to the United States. Calico has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/

Scope

This Statement describes the principles pursuant to which Calico manages Personal Information received: (i) from Employees, in support of Calico’s human resources and business operations; (ii) in the course of Calico’s operations involving current, prospective and former clients, customers, partners, investors, visitors and guests (collectively “Clients”); and (iii) in the course of its related interactions with current, prospective and former research investigators, data or service suppliers, and strategic partners, and subcontractors (collectively, “Suppliers”). The categories of Personal Information covered by this Statement include Personal Information relating to Employees, Clients and Suppliers. In connection with Calico’s Operations, Calico may now and/or in the future: (a) transfer Personal Information of Employees, Clients and/or Suppliers outside of the EEA, United Kingdom and Switzerland to the United States; and/or (b) access Personal Information regarding Employees, Clients and/or Suppliers from the United States.

Definitions

The following capitalized terms are used throughout this document and are defined as follows:

“Agent” or collectively, “Agents” means any third party that processes Personal Information pursuant to the instructions of, and solely for, Calico or to which Calico discloses Personal Information for use on its behalf.

“Citizen” or collectively, “Citizens” means a lawful citizen or citizens of the EEA and Switzerland and includes both Employees, Clients and Suppliers.

“EEA” means the European Economic Area, composed of the following thirty-one (30) countries: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Italy, Ireland, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, and Sweden..

“Employee” or collectively, “Employees,” means any Calico Citizen-employee(s) (and any and all dependents thereof), including, but not limited to, temporary, permanent, and former employees, directors, contractors, workers and retirees.  For purposes of this Statement only, the term “Employee” or “Employees” shall also include any of Calico’s independent contractors and job applicants that are Citizens.

“Calico” or the “Company” collectively refers to Calico and any and all subsidiaries and affiliates thereof that are incorporated in any state or territory of the United States.

“Personal Information” means any information or set of information about an identified or identifiable Citizen, including, but not limited to: (a) first name or initial and last name; (b) home or other physical address; (c) telephone number; (d) email address or online identifier associated with the Citizen; (e) Social Security number or other similar identifier; (f) employment, financial or health information; or (g) any other information relating to a Citizen that is combined with any of the above. The term “Personal Information” does not include anonymized information or information that is reported in the aggregate (provided that such aggregated information is not identifiable to a natural person).

“Privacy Shield Principles” collectively means the following seven (7) privacy principles as described in the Privacy Shield: (1) Notice, (2) Choice, (3) Accountability for Onward Transfer,

(4) Security, (5) Data Integrity and Purpose Limitation, (6) Access, and (7) Recourse, Enforcement and Liability as agreed to by the U.S. Department of Commerce and the European Commission.

“Process” or “Processing” of Personal Information means any operation or set of operations which is performed upon Personal Information, whether or not by automated means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure or dissemination, and erasure or destruction.

“Sensitive Personal Information” means Personal Information that reveals race, ethnic origin, political opinion, religious or philosophical beliefs, trade union membership, genetic data, biometric data where Processed to uniquely identify a person, any information that concerns medical or health conditions, social security measures or sex life, or information relating to the commission of a criminal offense.

“Statement” means this Privacy Shield Privacy Policy Statement.

Capitalized terms not defined above have the definitions set forth in the respective paragraphs of this Statement.

Privacy Shield Principles

1. Notice: In the event that Calico collects Personal Information from a Citizen, Calico will furnish a notice to the Citizen that describes: (i) the types of Personal Information that it collects about such Citizens; (ii) the purposes for which it collects such information; (iii) the types of third parties to which it discloses such information, and the purposes for which it does so; and (iv) how to contact Calico with any inquiries or complaints, including any relevant establishment in the EEA, United Kingdom and/or Switzerland that can respond to such inquiries or complaints. Notice will be provided in clear and conspicuous language at the time of collection, or as soon as reasonably practicable thereafter. In any event, notice will be provided before Calico discloses the Personal Information or uses such information for a purpose other than that for which the Personal Information was originally collected or Processed.

2. Choice: In the event that Personal Information is to be used for a new purpose that is materially different from the purpose(s) for which the Personal Information was originally collected or subsequently authorized, or transferred to a non-Agent third party, Citizens will be provided, where practical and appropriate, with an opportunity to decline to have their Personal Information so used or transferred. In the event that the Personal Information used for a purpose other than that for which it was originally collected or subsequently authorized or transferred to the control of a non-Agent third party is Sensitive Personal Information, the Citizen’s affirmative express consent will be obtained prior to the use or transfer of the Sensitive Personal Information or as otherwise permitted in accordance with the Privacy Shield Principles.

3. Accountability for Onward Transfer: Calico will endeavor to only transfer Personal Information to an Agent where such Agent has given assurances that it provides at least the same level of privacy protection as is required by the Privacy Shield Principles and this Statement and will notify Calico if it makes a determination it can no longer meet this obligation. Where Calico has knowledge that an Agent is using or sharing Personal Information in a way that is contrary to the Privacy Shield Principles and/or this Statement, Calico will take reasonable steps to prevent or stop such Processing. With respect to onward transfers to   Agents, Privacy Shield requires that, to the extent it is responsible for the event, Calico shall remain liable should its Agents Process Personal Information in a manner inconsistent with the Privacy Shield Principles.

4. Security: Calico takes reasonable and appropriate administrative, technical and physical precautions designed to protect Personal Information from loss, misuse and unauthorized access, disclosure, alteration and destruction, regardless of whether such Personal Information is in electronic or tangible, hard copy form.

5. Data Integrity and Purpose Limitation: Calico endeavors to limit the collection, usage, and retention of Personal Information to that which is relevant for the intended purposes of Processing, and takes reasonable steps designed to ensure that all Personal Information is reliable for its intended use, accurate, complete and current. Calico depends on its Employees to keep Personal Information reliable, accurate, complete and current.

6. Access: Citizens may seek confirmation regarding whether Calico is Processing Personal Information about them, request access to their Personal Information and ask that the Company correct, amend or delete that information, where it is inaccurate or has been Processed in violation of the Privacy Shield Principles. Although Calico makes good faith efforts to provide Citizens with access to their Personal Information, Calico reserves the right to limit or deny such access where the burden or expense of providing access would be disproportionate to the risks to the Citizen’s privacy, where the rights of Citizens other than the subject Citizen would be violated, where the information is commercially proprietary or where doing so is otherwise consistent with the Privacy Shield Principles. If Calico determines that access should be restricted in any particular instance, we will provide you with an explanation of why that determination has been made and a contact point for any further inquiries.

7. Recourse, Enforcement and Liability: Calico has implemented mechanisms to verify its ongoing compliance with the Privacy Shield Principles and this Statement. Any party that violates the Privacy Principles and/or this Statement will be subject to disciplinary procedures in accordance with Calico’s disciplinary procedures.

In the event of a dispute, Citizens are able to seek resolution of their questions or complaints regarding use and disclosure of their Personal Information in accordance with the Privacy Shield Principles contained in this Statement. If you feel that Calico is not abiding by the terms of this Statement, or is not in compliance with the Privacy Shield Principles, please contact Calico at the contact information provided below. In addition, Calico has agreed to cooperate with JAMS Privacy Shield Dispute Resolution Program with respect to complaints related Client and Supplier data and with the local data protection authorities with respect to Employee and human resources data. For more information and to submit a complaint to JAMS, visit https://www.jamsadr.com/eu-us-privacy-shield. Such independent dispute resolution mechanisms are available to Citizens free of charge. If any request remains unresolved, Citizens may have a right to invoke binding arbitration under Privacy Shield. The FTC has jurisdiction over Calico’s compliance with the Privacy Shield.

Limitation on Scope of Privacy Shield Principles

Adherence to these Privacy Shield Principles may be limited (i) to the extent required or allowed by applicable law, rule or regulation; (ii) to the extent necessary to respond to lawful requests by public authorities, including to meet national security, law enforcement, legal or governmental requirements; and/or (iii) to protect the health or safety of a Citizen.

Contact Information

If you have questions regarding this Statement or any of Calico’s privacy practices, please contact us by mail or e-mail at the following address:
privacy@calicolabs.com

Changes to this Statement

This Statement may be amended from time to time in a manner that is consistent with the requirements of the Privacy Principles. When this Statement is updated, the “Last Updated” date at the bottom of this document shall be amended accordingly.  Any material changes to this Statement will be posted on Calico’s website and available to the general public at https://www.calicolabs.com/privacy-policy/.

Last Updated: October 3, 2019