A.GENERAL PRIVACY POLICY

TYPES OF PERSONAL INFORMATION WE COLLECT, PURPOSES FOR THE COLLECTION AND LEGAL BASIS FOR THE PROCESSING

1.  Categories of Personal Data	2. Purpose(s) of the processing	3. Legal basis (-es) of the processing
Personal information (name and email address)   Healthcare Professionals’ professional contact information, credential and institutional affiliations information, information about Terns programs and activities, published papers, photograph, and/or prescribing of Terns products and information in any agreements executed with Terns.	Providing you with our Services, such as:  · Responding to your questions, comments, and other requests; · Providing access to certain areas, functionalities, and features of our Services including our blog and job board; · Complying with regulatory requirements; · Communicating with you about your interaction with our Services and any policy changes; · Communicating with our industry partners and our network to support your use of the Services; and · Answering your requests for customer or technical support.	The processing of your personal data for this purpose is based on the legitimate interest of the Controller [Terns] (art. 6.1.f, GDPR).
Personal information (name and email address)   Healthcare Professionals’ professional contact information, credential and institutional affiliations information	Providing you additional content and Services, such as: · Providing you with customized materials about products and Services that may be of interest; and · Other purposes you consent to, are notified of, or are disclosed when you provide personal information, including, for example, the consent you provide when you participate in an event or clinical trial.	The processing of your personal data for this purpose requires your consent (art. 6.1.a, GDPR)   Important Note: You may contact us at any time to opt out of the use of your personal information for marketing purposes, as described below.
Name, contact information, resume, employment and educational history and other personal information, which may be shared with our service providers	Recruiting personnel for employment	The processing of your personal data for this purpose is a legal obligation (art. 6.1.c, GDPR) and it is also necessary for the execution of pre-contractual measures (art. 6.1.b, GDPR).
Personal information such as your name, address, email address, phone number, medical history, biographic and demographic information, and medical treatment Health and medical information (such as medical insurance details, information about physical and mental health conditions and diagnoses, treatments for medical conditions, genetic information, family medical history, and medications an individual may take, including the dosage, timing, and frequency)	· Managing clinical trials, · Conducting research, · Providing patient support programs, · Distributing and marketing our products, · Managing compassionate use and expanded access programs, and · Tracking adverse events. Important Note: Unless it is for pharmacovigilance, information that we receive from our partners is required to be de-identified.	The processing of your personal data for this purpose requires your consent (art. 6.1.a, GDPR).
Contact and personal information Professional credentials Financial information (from individuals who interact with or express an interest in our company and/or our Services).	Proper and comprehensive management of your participation in conferences, trade shows and other events organized by Terns or by third parties.	The processing of your personal data for this purpose is necessary for the execution of a contract or the execution of pre-contractual measures (art. 6.1.b, GDPR).
Key Opinion Leaders’ name and contact information, biography, and resume information	Management of consultation insight provided for Terns	The processing of your personal data for this purpose is necessary for the execution of a contract or the execution of pre-contractual measures (art. 6.1.b, GDPR).
Personal information and other data	Creating de-identified and aggregated information, such as de-identified demographic information, de-identified Service usage information, information about the computer or device from which you access our Services, or other analyses we create.	The processing of your personal data for this purpose is based on the legitimate interest of the Controller [Terns] (art. 6.1.f, GDPR).
Social Media Content	Any content you provide on our channels (blogs or social media pages such as LinkedIn) will be considered “public” and is not subject to privacy protections.	N/A.

 

SOURCES OF INFORMATION

 

a) The information you provide directly to us.

b) We may obtain information about you from other sources, including through third party services and organizations to supplement information provided by you. For example, if you access our Services through a social networking site, we may collect information about you from that third-party application that you have made public via your privacy settings. This supplemental information allows us to verify information that you have provided to us and to enhance our ability to provide you with information about our business, products, and Services.

 

HOW WE DISCLOSE YOUR INFORMATION

We may share your personal information with the following categories of third parties or for the following purposes:

Clinical Research Organizations
If you participate in clinical trials and research, the Investigative Sites may disclose any personal information you provide in conjunction with your participation, to the Clinical Research Organization (“CRO”) we have partnered with, who is responsible for organizing the research or conducting the clinical trial. We endeavor not to collect clinical trial participant personal information directly, and other than pharmacovigilance data, all information we receive from the Investigative Sites and CROs are required to be de-identified.

Service Providers
We may share any personal information we collect about you with our third-party service providers. The categories of service providers (processors) to whom we entrust personal information include: IT and related services; information and services; customer service providers; and vendors to support the provision of the Services.

Industry Partners
We may provide personal information to our industry partners with whom we jointly offer support and services. In such cases, our partner’s name will appear along with ours.

Advertising Partners and Social Media Partners
Through our Services, we may allow third party advertising partners such as Google, to set Technologies and other tracking tools to collect information regarding your activities and your device (e.g., your IP address, ad identifiers, page(s) visited, location, time of day). We may also combine and share such information and other information with third party advertising partners. These advertising partners may use this information (and similar information collected from other websites) for purposes of delivering targeted advertisements to you when you visit third party websites within their networks. We may allow access to other data collected by the Services to share information that may be useful, relevant, valuable or otherwise of interest to you. If you prefer not to share your personal information with third party advertising partners, you may follow the instructions below.

Affiliates
We may share personal information with our affiliated companies.

Disclosures to Protect Us or Others
We may access, preserve, and disclose any information we store associated with you to external parties if we, in good faith, believe doing so is required or appropriate to: comply with law enforcement or national security requests and legal process, such as a court order or subpoena; protect your, our or others’ rights, property, or safety; enforce our policies or contracts; collect amounts owed to us; or assist with an investigation or prosecution of suspected or actual illegal activity.

Disclosure in the Event of Merger, Sale, or Other Asset Transfers
If we are involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, purchase or sale of assets, or transition of service to another provider, then your information may be sold or transferred as part of such a transaction, as permitted by law and/or contract.

INTERNATIONAL DATA TRANSFERS

You acknowledge that all information processed by us may be transferred, processed, and stored anywhere in the world, including but not limited to, outside the United States, the EU/EEA (the United Kingdom (UK) and Switzerland are also included) South Korea and Australia or other countries worldwide, which may have data protection laws that are different from the laws where you live, in accordance with the provisions of the applicable data protection law.

We have taken appropriate safeguards to require that your personal information will remain protected and require our third-party service providers and partners to have appropriate safeguards as well and according to any local regulations which may be applicable. These include implementing the EU Standard Contractual Clauses, which may require the recipient to put in place supplementary measures to ensure an essentially equivalent level of protection is provided, as is in the EU/EEA, the UK or Switzerland.

We will ensure that your rights and an adequate level of protection essentially equivalent to that ensured within EU/EEA, UK and Switzerland are guaranteed. You may obtain further details and a copy of the relevant data transfer mechanisms that we have in place can be provided upon request by contacting our Global Privacy Office via e-mail at privacy@ternspharma.com.

YOUR CHOICES

General
You have certain choices about your personal information.

Where you have consented to the processing of your personal information, you may withdraw that consent at any time and prevent further processing by contacting us as described below. Even if you opt out, we may still collect and use non- personal information regarding your activities on our Services and for other legal purposes as described above.

Email and Telephone Communications
If you receive an unwanted email from us, you can use the unsubscribe link found at the bottom of the email to opt out of receiving future emails. Note that you will continue to receive transaction-related emails regarding products or Services you have requested. We may also send you certain non-promotional communications regarding us and our Services, and you will not be able to opt out of those communications (e.g., communications regarding the Services or updates to our terms or this Privacy Policy).

We process requests to be placed on do-not-mail, do-not-phone and do-not-contact lists as required by applicable law.

“Do Not Track”
Do Not Track (“DNT”) is a privacy preference that users can set in certain web browsers. Please note that we do not respond to or honor DNT signals or similar mechanisms transmitted by web browsers.

Third-Party Behavioral Tracking:
We also note that we do not allow third-party behavioral tracking.

YOUR PRIVACY RIGHTS

In accordance with applicable law, you may have the right to:

• have your personal information updated and corrected

• request confirmation of whether and how we are processing your personal information;
• obtain access to or a copy of your personal information;
• receive an electronic copy of your personal information or ask us to send that information to another company;
• restrict our uses of your personal information, including the right to opt in or opt out of the sale of your personal information to third parties, depending on applicable law;
• seek correction or amendment of inaccurate, untrue, incomplete, or improperly processed personal information;
• object to the processing of your personal information (including, for direct marketing purposes) or withdraw consent to the processing of your personal information.
• request erasure of personal information held about you, subject to certain exceptions prescribed by law.

If you have any questions or would like to exercise any of these rights, please contact us as set forth below. We will process such requests in accordance with applicable laws. To protect your privacy, we will take steps to verify your identity before fulfilling your request.

You also have, where provided by applicable law, the right to launch a complaint with the competent data protection authority if you believe we did not properly handle your Personal Data or did not respect your rights.

A list of the competent data protection authorities in the EU and their contact details can be found here : Our Members | European Data Protection Board (europa.eu).

If you live in the UK or Switzerland you have the right to lodge a complaint with the competent authorities accordingly: Information Commissioner’s Office – Make a complaint or Federal Data Protection and Information Commissioner (FDPIC) - Report of violation of data protection regulations (for data subjects).

DATA RETENTION

We store the personal information we receive as described in this Privacy Policy for as long as you use our Services or as necessary to fulfill the purpose(s) for which it was collected, provide our Services, resolve disputes, establish legal defenses, conduct audits, pursue legitimate business purposes, enforce our agreements, and comply with applicable laws.

SECURITY OF YOUR INFORMATION

We are taking steps to ensure that your information is treated securely and in accordance with this Privacy Policy. Unfortunately, no system is 100% secure, and we cannot ensure or warrant the security of any information you provide to us. To the fullest extent permitted by applicable law, we do not accept liability for unintentional disclosures.

By using the Services or providing personal information to us, you agree that we may communicate with you electronically regarding security, privacy, and administrative issues relating to your use of the Services. If we learn of a security system’s breach, we may attempt to notify you electronically by posting a notice on the Services, by mail or by sending an e-mail to you.

CHILDREN’S INFORMATION

The Services are not directed to children, and we do not knowingly collect personal information from children. If you learn that your child has provided us with personal information without your consent, you may contact us as set forth below. If we learn that we have collected any personal information in violation of applicable law, we will promptly take steps to delete such information and terminate the child’s account.

CONTACT US

If you have any questions about our privacy practices or this Privacy Policy, or if you wish to submit a request to exercise your privacy rights above, please contact us at:

Terns Pharmaceuticals, Inc.

1065 E. Hillsdale Drive, Suite 100

Foster City, CA 94404

privacy@ternspharma.com

+1-800-516-2804

https://www.ternspharma.com/contact

 

B. SUPPLEMENTARY PRIVACY POLICY FOR INDIVIDUALS WHO ARE LOCATED IN CALIFORNIA AND OTHER U.S. STATES
 

The present section applies to the U.S. residents, in addition to what is mentioned to section A above.

In the U.S. there is no general federal privacy regulation yet. However, multiple sectoral laws apply on a federal level. If you are a U.S. resident, you may have separate rights regarding your personal information (hereinafter referred to as “Personal Information” in the U.S. legal context), in accordance with the applicable U.S. State Privacy Laws. This Supplemental Website Privacy Policy (“Supplemental Policy”) applies only to consumers residing in California, Colorado, Virginia, Utah and Connecticut.

For all residents of the rest U.S. states with no specific local privacy laws in effect, the local sectoral laws, per each U.S. state are applicable.

The Supplemental Policy provides information under:

• California Consumer Privacy Act of 2018 (CCPA) last amended by California Privacy Rights Act of 2020 (collectively, the “CCPA”)
• Colorado Privacy Act of 2021(the “CPA”)
• Consumer Data Protection Act of 2021 in Virginia (the “CDPA”)
• Consumer Privacy Act of 2022 in Utah (the “UCPA”)
• Connecticut Data Privacy Act of 2022 (the “CDPA”)

For Nevada consumers only, we have also included a specific sub-section “Privacy Notice for Nevada Residents”, at the end of this Supplemental Policy.

The language used in this Supplemental Privacy Policy refers only to consumers of particular U.S. States applies only to those consumers.

1. Collection & Processing of Personal Information and Disclosure of Personal Information to Vendors & Third Parties

In the past 12 months we have collected, processed and disclosed to Clinical Research Organizations, Service Providers, Industry partners, Advertising Partners and Social Media Partners, Affiliates or legal authorities etc.)

Category of Personal Information	Collected by Terns?	Disclosed by Terns for a Business Purpose?
Identifiers	Yes	Yes
Personal information categories listed in Cal. Civ, Code §1798.80(e)	Yes	Yes
Characteristics of protected classifications under California or federal law	Yes	Yes
Commercial information	No	No
Biometric information	No	No
Internet activity or electronic network activity information	Yes	Yes
Geolocation data	No	No
Audio, electronic, visual, thermal, olfactory, or similar information	No	No
Professional or employment-related information	Yes	Yes
Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99))	Yes	Yes
Inferences drawn from other personal information to create a profile	No	No

For California consumers: We do not “sell” your personal information under the CCPA, including for payment or similar consideration, and we have not sold your personal information within the 12 months preceding the date of this Privacy Policy. Moreover, we do not knowingly sell or share the Personal Information of minors under 16 years of age.

For Colorado, Virginia, Utah, and Connecticut Consumers: We do not process, sell, or share Personal Information to Third Parties for purposes of targeted advertising, as these terms are defined in the CPA, CDPA, UCPA, and CDPA.

2. Sources from which we collect Personal Information

We collect Personal Information directly from California, Colorado, Virginia, Utah, and Connecticut consumers. We may also collect Personal Information from our Service Providers, healthcare providers, public databases, demographic data providers, publications, professional organizations, social media platforms and mobile.

3. Purposes for Processing & Disclosing of Personal Information

We collect and process Personal Information for a variety of purposes, as described in section A of the General Privacy Policy above.

We do not use and disclose Sensitive Personal Information other than to provide you with our services and products as permitted by applicable law, to detect and prevent any security incidents involving Personal Information, to ensure the physical safety of natural persons (including reporting adverse events), as well as to fulfil any other purpose that is permitted under applicable U.S. State Privacy Laws.

4. Your Privacy Rights and How to Exercise them

California, Colorado, Virginia, Utah, and Connecticut consumers have certain rights with respect to the collection and use of their Personal Information.

As required by the CCPA, we provide detailed information below regarding the data subject rights available to California consumers. Colorado, Virginia, Utah, and Connecticut consumers have similar rights and can find more detail by referencing the CPA, CDPA, UCPA, or CDPA, as applicable.

In specific:

• If you are a California consumer, you may request disclosure of information we collect or share about you. You can submit a request to us for the following data regarding the Personal Information we have collected about you in the 12 months prior to our receipt of your request (a “request to know”):
• The categories of Personal Information we have collected.
• The categories of sources from which we collected Personal Information.
• The business or commercial purposes for which we collected the Personal Information.
• The categories of third parties with which we shared the Personal Information.
• The categories of Personal Information we disclosed for a business purpose, and for each category identified, the categories of third parties to whom we disclosed that particular category of Personal Information.
• The specific pieces of Personal Information we collected.
• You may request to correct inaccuracies in your Personal Information.
• You may request to have your Personal Information deleted (right to erasure). In this case, we may ask you to confirm your request before we delete your Personal Information.
• You may request to receive a copy of your Personal Information, including, where applicable, a copy in a portable, readily usable format.
• You may request to opt out of targeted advertising or the sharing of your Personal Information for cross-context behavioral advertising.
• You may request to opt out of the processing of your Personal Information for purposes of profiling in furtherance of decisions that produce legal or similarly significant effects concerning you.
• Upon request, we will delete the Personal Information we have collected about you, except for situations where specific information is necessary for us to provide you with a product or service that you requested; perform a contract we entered into with you; maintain the functionality or security of our systems; or comply with or exercise rights provided by the law.

The law also permits us to retain specific information for our exclusively internal use, but only in ways that are compatible with the context in which you provided the information to us or that are reasonably aligned with your expectations based on your relationship with us.

For requests to know or delete relating to California consumers, we will first acknowledge receipt of the request within ten (10) business days of receipt of your request. When you make a request to know or delete your Personal Data, we will take steps to verify your identity. These steps may include asking you for Personal Information, such as your name, address, or other information we maintain about you. If we are unable to verify your identity with the degree of certainty required, we will not be able to respond to the request. We will notify you to explain the basis of the denial.

If you are a California consumer, you are also entitled to submit a request for Personal Information that could be associated with a household as defined in the CCPA. To submit a request to know or delete household Personal Information, such requests must be jointly made by each member of the household, and we will individually verify all members of the household using the verification criteria explained above, and separately verify that each household member making the request currently resides in the household. If we are unable to verify the identity of each household member with the degree of certainty required, we will not be able to respond to the request. We will notify you to explain the basis of our denial.

If you have any questions or would like to exercise any of these rights, please contact us as set forth below. We will process such requests in accordance with the applicable U.S. Privacy Laws. To protect your privacy, we will take steps to verify your identity before fulfilling your request.

Terns Pharmaceuticals, Inc.

1065 E. Hillsdale Drive, Suite 100

Foster City, CA 94404

privacy@ternspharma.com

+1-800-516-2804

https://www.ternspharma.com/contact

Authorized Agents: You may also designate an authorized agent to submit requests on your behalf. If you do so, you will be required to verify your identity by providing us with certain Personal Information as described above. Additionally, we will also require that you provide the agent with written and signed permission to act on your behalf, and we will separately confirm with you that you provided the agent with permission to submit the request. We will deny the request if the agent is unable to submit proof to us that you have authorized them to act on your behalf or if any of the above verification criteria are not met.

Shine the Light: California's "Shine the Light" law, Civil Code section 1798.83, requires certain businesses to respond to requests from California residents asking about the business' practices related to disclosing certain types of Personal Information to third parties for the third parties' direct marketing purposes. We do not disclose Personal Information to such entities, for such purposes.

We will not unlawfully discriminate or retaliate against you for exercising your rights under applicable law.

Appeal: If we refuse to take action on your request, you may have the right under applicable law to appeal the refusal within a reasonable period after you have received notice of the refusal. You may file an appeal by contacting us via email at privacy@ternspharma.com .

5. Other U.S. States’ specific disclosures

California Residents Under Age 18: If you are a resident of California under age 18 and a registered user of our Services, you may ask us to remove any content you have publicly provided to such Services by writing to privacy@ternspharma.com .

Nevada Residents as Covered by Nevada Privacy Law: We do not sell Covered Information as defined under Nevada law. If you would like to make a request regarding the selling of your Covered Information, please contact privacy@ternspharma.com .

 

C. SUPPLEMENTARY PRIVACY POLICY IF YOU ARE LOCATED IN

AUSTRALIA

The present chapter applies to individuals who are located in Australia, in addition to what is mentioned to section A above.

If you are located in Australia, we may process your personal data under the Privacy Act 1988 (Cth) No. 119 1988, as amended by the Privacy Legislation Amendment Act 2022 ('the Privacy Act') together with the Australian Privacy Principles (‘APPs’), as applicable.

We only collect from you and process your Personal Information (including sensitive/health information) for a variety of purposes, as described in detail in section A of the General Privacy Policy above. We only process those of your Personal Information, which is reasonably necessary to fulfill those purposes mentioned above.

D. SUPPLEMENTARY PRIVACY POLICY IF YOU ARE LOCATED IN SOUTH KOREA

The present chapter applies to persons located in South Korea, in addition to what is mentioned at the section A of the General Privacy Policy above.

If you are located in South Korea, we may handle your personal data (process) under the Personal Information Protection Act 2011 (as amended in 2023) (“PIPA”).

We process your Personal Data for a variety of purposes, as described in detail in section A of the General Privacy Policy above. We only process those of your Personal Information, which is reasonably necessary to fulfill those purposes mentioned above.

 

CHANGES TO THIS POLICY

We may revise this Policy, including the Supplemental Policies referred above (the “Policy”), from time to time in our sole discretion.

If there are any material changes to this Policy, we will post the new Policy and/or notify you as required by applicable law.

You understand and agree that you will be deemed to have accepted the updated Policy if you continue to use the Services after the new Policy takes effect.