BridgeBio Global Privacy Notice

Welcome to the Privacy Notice (“Notice”) of BridgeBio Pharma, Inc., a company with its registered office at 3160 Porter Drive, Palo Alto, CA 94304, USA, as well as its affiliates and subsidiaries that link to this Notice (collectively, referred to as “BridgeBio”, “we,” “our,” or “us” and “Controller”). BridgeBio is a team of experienced drug discoverers, developers, and innovators working to create life-altering medicines that target well-characterized genetic diseases at their source.

This Notice describes our general practices regarding how we collect, use and disclose “personal data” (i.e., information related to an identified or identifiable person) of patients, caregivers, health care professionals, researchers, research study participants, as well as other individuals with whom we interact, for example representatives of the scientific community, visitors to our online services and sites that link to this Notice, and users of our products and services, including website visitors, job applicants, vendors, service providers, business partners, and investors.

In addition to BridgeBio Pharma, Inc., your personal data may also be processed by the BridgeBio company with which you are in contact (also acting as a controller), as it determines the data processing, and why and how the data is processed. It may exercise this responsibility alone or jointly with other companies in the BridgeBio group, acting as “joint controllers”. Other BridgeBio companies, including BridgeBio International GmbH, may also be separate independent controllers for some of the personal data we collect. For example, the BridgeBio company you are in contact with may share your personal data with other BridgeBio entities for centralized data processing activities. If you would like more information about which controller is relevant to your personal data, please contact us at the contact details below.

We process the personal data we collect from and about you in accordance with applicable data protection regulations and principles, including U.S. and applicable EU/UK regulations/member state law. We understand the importance of your privacy and are committed to providing appropriate privacy protections to everyone we collect personal data from.

In this Privacy Notice, you will learn about the following:

Table of Contents

  1. HOW YOUR PERSONAL DATA IS COLLECTED
  2. WHAT PERSONAL DATA WE COLLECT AND THE LEGAL BASIS FOR WHICH WE USE IT
    1. Research Participants, Patients, and Caregivers
      1. Important Note on Other Applicable Privacy and Consent Notices for Research Participants
      2. Personal Data We Collect from Research Participants
      3. Personal Data We Collect From Patients and Caregivers
      4. The Legal Basis for which We Use Personal Data Collected From Patients, Caregivers, and Research Participants
    2. Website Visitors
      1. Personal Data We Collect from Website Visitors
      2. The Legal Basis for which We Use Personal Data Collected from Website Visitors

        Note about cookies and tracking technologies.
    3. Key Opinion Leaders and Healthcare Professionals
      1. Personal Data We Collect from Healthcare Professionals and Key Opinion Leaders
      2. The Legal Basis for which We Use Information from KOLs and HCPs
    4. Vendors
      1. Personal Data We Collect from Vendors
      2. The Legal Basis for which We Use Personal Data from Vendors
    5. Job Candidates
      1. Personal Data We Collect from Job Candidates
      2. The Legal Basis for which We Use Personal Data of Job Candidates
    6. General Processing of Data Subject’s Personal Data
      1. Other Personal Data We Collect from You
      2. The Legal Basis for which We Use Your Personal Data
  3. CATEGORIES OF PERSONAL DATA WE PROCESS
  4. SHARING AND DISCLOSURE OF PERSONAL DATA
  5. DATA RETENTION
  6. YOUR RIGHTS AND CHOICES
  7. INFORMATION FOR EUROPEAN ECONOMIC AREA (EEA), UK, AND SWISS RESIDENTS
    1. Data Controller
    2. Data Protection Officer – Contact Details
    3. Data Protection Representative – Contact Details
  8. COLLECTION OF PERSONAL DATA FROM MINORS
  9. CHANGES TO THIS NOTICE
  10. INTERNATIONAL USERS AND DATA TRANSFERS
  11. DATA SECURITY
  12. CONTACT US – CONTROLLER CONTACT DETAILS

1. HOW YOUR PERSONAL DATA IS COLLECTED.

We may collect or obtain your personal data in the following ways:

  • Directly from you or someone acting directly on your behalf.
  • From your healthcare provider or healthcare organization, including hospitals, clinics, and other healthcare organizations
  • From contract research organizations or clinical research investigators
  • From industry and patient advocacy organizations
  • From third parties (including, for example, business partners, sub-contractors, search information providers, data aggregators, and social media platforms)
  • From other organisations, if you have permitted these organisations to share your personal data with us or other like companies. Before allowing such third-party organisations to share your personal data, you should check their privacy notices carefully
  • From publicly available sources (where possible) to keep your personal data up to date
  • From government authorities
  • Through our Sites
  • Automatically through cookies and other technologies

2. WHAT PERSONAL DATA WE COLLECT AND THE LEGAL BASIS FOR WHICH WE USE IT

We process personal data for the following business, commercial, and operational purposes (Please note that if and only to the extent that applicable laws require a “legal basis” to process personal data, we indicate our legal bases applicable for those jurisdictions only):

2.1 Research Participants, Patients, and Caregivers

2.1.1 Important Note on Other Applicable Privacy and Consent Notices for Research Participants

Personal data is collected from participants in BridgeBio’s clinical research projects (“Research”) in the course of delivering those projects (“Research Participants”). If you are a Research Participant, you should read this Notice in conjunction with any informed consent forms, privacy notices, and/or clinical trial documents that are provided to you (and sometimes to your family members) about the collection, use, and transfer of your personal data for the Research purpose (“Research Notices”). Research Notices describe in more detail how Research Participants’ personal data will be processed concerning a particular study, including the types of personal data collected, the purposes and legal bases of processing, processing methods, your rights concerning your personal data, how long your personal data and biological samples (if any) are retained, whether your personal data is transferred internationally, if personal data will be shared with third parties, and specific security measures to protect personal data. Please note that Research Notices take precedence over this Notice concerning the processing of personal data of Research Participants. For your convenience, however, we provide a general summary of our information practices concerning Research Participants below.

2.1.2 Personal Data We Collect from Research Participants

When you choose to serve as a Research Participant, entities that jointly conduct Research-related activities with us, including providers of clinical trial operations services such as trial site personnel, investigators who provide you with investigational drugs, clinical research organizations (“CROs”), various laboratories, imaging centers and others (collectively, referred to as “Research Partners”) collect personal data about you including your name, email address, address, and other contact information. Our Research Partners also collect demographic information (also known as “sensitive data”), such as racial or ethnic origin, gender, age, or information regarding the participant’s sex life, and may also collect information concerning your medical or health conditions, including images and biological samples.

The information that we collect from our Research Partners is received in pseudonymized form, meaning that the information has been configured in such a way that the personal data can no longer be attributed to a specific person without the use of additional information (which is kept separate and secure to avoid re-association with the individual). Exceptions to when this information may be received in non-pseudonymized form are rare and include, for instance, where information is needed to be processed following the death of a Research Participant.

Our Research Partners’ use of your personal data is governed by our contracts with them, as well as the Research Partner’s own privacy policies. Each Research Partner will have its own privacy notice, and its privacy practices may differ from the practices described in this Notice. Our Research Partners will provide you with their privacy notices when you choose to participate in Research.

2.1.3 Personal Data We Collect From Patients and Caregivers

When you contact us or share your personal data with us, we may use the personal data we collect from patients and their caregivers. This may include monitoring pharmacovigilance and product safety, reviewing and responding to medical inquiries, reporting adverse effects or quality complaints, as well as obtaining and sharing patient stories to help our community to better understand our patients’, caregivers’, and HCPs’ journeys.

For more information related to medical information requests, adverse event reporting, and quality complaints, we have a separate privacy notice which you can access here.

Due to the nature of our business, BridgeBio may be subject to a number of legal requirements, thus requiring BRIDGEBIO to process personal data and sensitive information (including health information and mental and physical characteristics) to meet these requirements. When permissible under the law, we will attempt to limit and protect the processing of your personal data to the extent possible, for example, pseudonymizing information, while still complying with our legal obligations.

2.1.4 The Legal Basis for which We Use Personal Data Collected From Patients, Caregivers, and Research Participants

We use the personal data we collect in the following ways and in accordance with the following legal bases:

To conduct the Research, including performing drug development Research and Research-related activities, such as reporting to industry regulators. For Research purposes, to process your personal data (including sensitive data), we rely on the following legal bases:

  • as necessary for certain legitimate business interests (for non-sensitive data), which include the following: to send administrative information to you, for example, information regarding the Research trial, or changes to, or termination of the Research;
  • reasons of public interest in the area of public health based on applicable law, which provides for suitable and specific measures to safeguard your rights and freedoms, in particular, professional secrecy;
  • for scientific research purposes to the extent allowed under applicable law which shall be proportionate to the aim pursued, respect the essence of your right to data protection and provide for suitable and specific measures to safeguard your fundamental rights and interests; and/or
  • in accordance with your consent (and for sensitive data, explicit consent). If we have sought your consent (and/or explicit consent) to engage in a certain Research activity, you may withdraw your consent at any time and instruct us to discontinue collecting your personal data.

For Personal Data we collect from Patients and Caregivers (including sensitive data) we rely on the following legal bases:

  • as necessary for certain legitimate business interests (for non-sensitive data), which include the following: to review and respond to your inquiries for medical information, for recordkeeping purposes, for appropriate quality control requirements, and to support other business needs;
  • as necessary for BRIDGEBIO’s compliance with legal obligations; and/or
  • in accordance with your consent (and for sensitive data, explicit consent). If we have sought your consent (and/or explicit consent) to engage in certain activities, you may withdraw your consent at any time and instruct us to discontinue collecting your personal data.

As necessary to comply with legal, regulatory, and government requirements including:

  • to comply with legal obligations or regulatory obligations and legal process; and
  • to respond to requests from public and government authorities (including public and government authorities outside your country of residence, as necessary in our legitimate business interests as required by applicable law).

2.2 Website Visitors

2.2.1 Personal Data We Collect from Website Visitors

When you access and use our websites or online services that link to this Notice (the “Websites”), we collect the following types of personal data from and about you.

Personal Data You Provide Us. We collect personal data that visitors to the Websites send to us electronically, for example collecting your internet protocol address, browser history, or when you complete any “free text” boxes in our forms (such as on our “Information Request” or “Contact Us” page), request information, subscribe to our emailing lists, or when you agree to receive communications or other promotion materials. While the type of personal data we collect through these methods depends on the nature of your inquiry, it typically includes name, email address, and other contact information. If you register on our Websites, we will also collect information such as a username and password.

2.2.2 The Legal Basis for which We Use Personal Data Collected from Website Visitors

As necessary for certain legitimate business interests, which include the following:

  • To authenticate users, provide access to the Websites, and maintain the functionality and availability of our Websites;
  • To respond to your inquiries and fulfill your requests for products, services, and information;
  • To send you administrative messages and marketing communications (in accordance with applicable local legal requirements) about products, services, and initiatives that we think may be of interest to you;
  • To prevent fraud or criminal activity, misuse of our products or services, and ensure the security of our IT systems, architecture, and networks; and
  • To (a) comply in good faith with legal obligations and legal processes; (b) respond to requests from public and government authorities including public and government authorities outside your country of residence; (c) enforce our legal terms; (d) protect our operations or those of any of our affiliates; (e) protect our rights, privacy, safety or property, and/or that of our affiliates, you or others; and (f) allow us to pursue available remedies or limit the damages that we may sustain, as required or permitted by the law.

Note about cookies and tracking technologies.

Our Websites process certain types of personal data automatically when you access and use our Websites and interact with some of the emails that we may send you through the use of cookies, web beacons, and similar technologies:

  • Cookies: A cookie is a piece of information that is placed and stored on your computer when you access certain websites. Many web browsers are set up to automatically accept cookies; however, you can change your browser settings to deny all cookies or specific types of cookies. We cannot guarantee that our websites will be fully functional if you deny cookies.
  • Web Beacons: BridgeBio may use web beacons or pixels to help assess the response of our communications or user interactions with our websites.
  • Analytics: Certain websites may collect, analyse, and measure web traffic and behaviour to better optimize the website and understand user preferences. To learn more about Google’s privacy practices, please review the Google Privacy Policy. To prevent Google Analytics from using your information for analytics, you can install the Google Analytics Opt-Out Browser Add-on here.

We use these technologies to operate and administer our Websites, analyze usage data, advertise our services, and make it easier for you to use the Websites during future visits. For more information on how we use these types of technologies, please see our Cookies Notice.

Do Not Track Signals.

The Websites currently do not respond to “Do Not Track” (“DNT”) signals and operate as described in this Notice whether or not a DNT signal is received, as the industry is working diligently to define how best to comply with DNT and develop a common approach to DNT signals. If we do respond to DNT signals in the future, we will update this Notice to describe how we do so. To learn more about Do Not Track, please visit http://www.allaboutdnt.com.

Interest-Based Advertising. Some of our online services may integrate third-party advertising technologies that allow for the delivery of relevant content and advertising on external, non-BridgeBio-affiliated services. The ads on third-party services may be based on various factors, such as the content of the page you are visiting, your searches, demographic data, and your activities on our websites and third-party services. We do not have access to, nor does this Notice govern, the use of cookies or other tracking technologies that may be placed on your device to access the services by non-affiliated third parties. To learn more about certain third-party trackers used for interest-based advertising, for example, through cross-device tracking, and to exercise certain choices regarding such technologies, please visit the Digital Advertising Alliance (DAA), Network Advertising Initiative (NAI), Digital Advertising Alliance-Canada, European Interactive Digital Advertising Alliance, or your device settings if you have the DAA or other mobile app that allows you to control interest-based advertising on your device. We do not control these opt-out links or whether any company chooses to participate in these opt-out programs. The opt-outs described at the links above are device- and browser-specific and may not work on all devices. If you clear cookies on your device or in your browser, you will have to go through the process of opting out again. If you choose to use any of these opt-out tools, this does not mean you will cease to see advertising. Rather, the ads you see will just not be based on your interests.

Links to Other Websites.

This Notice only applies to our Websites. The Websites may contain links to other websites not operated or controlled by us (“Third Party Websites”), including social media services such as Twitter, YouTube, Vimeo, or LinkedIn (“Social Media Services”). The information that you share with Third Party sites will be governed by the specific privacy policies and terms of service of the Third-Party sites and not by this Notice. We do not own, control, or operate such Third-Party Websites, and we are not responsible for the privacy policies or practices of such Third-Party Websites. By providing these links, we do not imply that we endorse or have reviewed these Third-Party Websites. We encourage you to read the privacy policies of such Third-Party Websites before disclosing personal data on Third Party Websites.

2.3 Key Opinion Leaders and Healthcare Professionals

2.3.1 Personal Data We Collect from Healthcare Professionals and Key Opinion Leaders

We collect personal data about you as healthcare professionals (“HCPs”) and Key Opinion Leaders (“KOLs”) through interactions we have with you, from patient advocacy groups, study sites, from publicly available sources, including public websites, public databases (e.g. public transparency reporting records), referrals, research papers, and professional networking platforms and social media pages (e.g. LinkedIn). If you meet with BridgeBio representatives, attend scientific or educational meetings, conferences, symposiums, and workshops we sponsor, we also collect information regarding payments or other transfers of value as required to comply with transparency requirements, and information regarding your attendance from the organizations that conduct those events in accordance with the sharing permissions granted to such organizations.

We may occasionally purchase the contact details of HCPs who might be interested in hearing from us. Before purchasing such information, we will check with the vendor that any personal data was originally collected in a compliant manner, to make sure that we only contact people who have actively expressed an interest in receiving information from third parties and where it is lawful to do so (e.g. vendors such as IQVIA, Veeva and/or OpenData, etc.). You can access such vendor privacy notices from respective vendor websites. Relevant personal data we may purchase in this instance includes contact details, (academic) title, specialty, work address, phone number, work language, type of your practice, your position, current and past engagements, etc.

For HCPs and KOLs based in the EEA, UK, and Switzerland, we have a separate privacy notice which you can access here.

2.3.2 The Legal Basis for which We Use Information from KOLs and HCPs

Where necessary for BridgeBio’s legitimate interests, as listed below, and where our interests are not overridden by your data protection rights, we may use personal data collected from KOLs and HCPs:

  • To manage and administer our relationship with you and to respond to your requests;
  • To record, investigate, and respond to complaints;
  • To manage and follow up on Adverse Events reports.

Where necessary to comply with a legal obligation, including sharing your personal data to comply with applicable transparency requirements or to respond to requests from law enforcement authorities.

With your consent, we may use your personal data:

  • To provide you with information about our activities or tailored information about a program that you have signed up for;
  • To understand our stakeholders’ needs, sentiments, and market trends, so that we can improve our products and services, including our communications;
  • To seek your views on or conduct market research related to our products and services; and
  • To request information, pictures, and/or videos when organizing events, congresses, etc.

As necessary for the performance of our contract with you, including any consulting, scientific, or advisory board agreements, key opinion leader agreements, or other service agreements that we may enter into with HCPs and KOLs. To the extent any agreements between BridgeBio and you provide an additional privacy notice regarding any specific processing of your personal data, such privacy notice will supersede anything provided herein in this Notice.

2.4 Vendors

2.4.1 Personal Data We Collect from Vendors

We collect personal data about vendor employees, contractors, and representatives when we contact them about using their products and services or once we have engaged such vendors to perform services on our behalf. Such personal data may include name, job title, and contact information.

2.4.2 The Legal Basis for which We Use Personal Data from Vendors

Where necessary for BridgeBio’s legitimate interests, and where our interests are not overridden by your data protection rights, we may use personal data collected from vendors to contact them about their products or services, perform diligence on such products and services, for billing and administrative purposes, and for recordkeeping purposes.

2.5 Job Candidates

2.5.1 Personal Data We Collect from Job Candidates

We collect personal data from job candidates when they apply for positions at BridgeBio, including name, contact information, resume, reference information, and other information submitted as part of the application process.

2.5.2 The Legal Basis for which We Use Personal Data of Job Candidates

We may use personal data collected from job candidates to identify potential candidates, process their applications, schedule interviews, communicate with them, evaluate their candidacy and application materials, contact references, and keep records for our internal human resources purposes and external reporting requirements. We may retain personal data related to job candidates, where required by applicable law, in accordance with your consent, or for our legitimate interests, including contacting candidates about future opportunities, and to comply with legal requirements.

For job candidates based in the EEA, UK, and Switzerland, please see our separate candidate privacy notice available here.

2.6 General Processing of Data Subject’s Personal Data

2.6.1 Other Personal Data We Collect from You

We collect personal data from you for other purposes including the following:

  • Operating and overseeing our business, for example, supporting safe, responsible, compliant, and ethical business and commercial operations; facilitating quality and safety of our products and research; conducting audits and investigations; managing our financial and other accounts; developing and improving our products; monitoring and managing service providers; recruiting and assessing potential talent, and otherwise administering our business (e.g., providing key functions like finance, accounting, human resources, IT, security, legal, and compliance).
  • Supporting our research and business, for example, measuring the response of promotional activities; personalizing our interactions with you; and targeted advertisements on third-party services.
  • Getting to know our users and stakeholders, for example, identifying business opportunities and gathering and analysing stakeholder needs, preferences, sentiments, and opinions on BridgeBio, its products, and indications.
  • Protecting rights and interests, for example, protecting the health, safety, and security of BRIDGEBIO, its employees, patients, caregivers, HCPs, and the general public; enforcing our legal rights; and pursuing remedies or otherwise taking steps to limit losses and liabilities.
  • Monitoring fraud and abuse, for example, investigating potential claims of fraud and abuse.
  • Responding to legal inquiries, requests, and summons, for example, complying with legal requests from administrative or judicial authorities and complying with subpoenas.
  • Giving donations, grants, and access to products through compassionate use.
  • Other contractual interactions: we may use certain personal data to establish and maintain contractual interactions.

2.6.2 The Legal Basis for which We Use Your Personal Data

Where necessary for BridgeBio’s legitimate interests, as listed below, and where our interests are not overridden by your data protection rights, we may use your personal data:

  • To operate and oversee our business;
  • To support our research and business;
  • To get to know our users and stakeholders; and/or
  • To protect our rights and interests.

Where necessary to comply with a legal obligation, including sharing your personal data to comply with any applicable legal inquiries, requests, and summons, to monitor for fraud and abuse, or to respond to requests from law enforcement authorities.

As necessary for the performance of our contract with you, including giving donations, grants, and access to products through compassionate use or for other contractual requirements.

3. CATEGORIES OF PERSONAL DATA WE PROCESS

The types of personal data we process include:

  • Contact information, such as name, address, email address, phone number, date of birth, and other similar contact information.
  • Health information, such as diseases, symptoms, complications, therapies, medications, patient or research study ID, outcomes, barriers to access, insurance information, and dates of service.
  • Mental and physical characteristics, such as eye colour, height, weight, attitude, and emotions.
  • Employment-related information, such as an employer, job title, specialty, employment history, awards and honours, membership in professional organizations, speaking engagements, and affiliations with patient advocacy organizations.
  • Education history, such as level of education attained, institutions attended, majors and areas of study, and grades.
  • Job candidates and recruitment-related information, such as social security number; government-issued identification number; interview information and notes; employment history; employee termination information; race or ethnic origin; credit history; criminal history; immigration status and other appropriate information, i.e. work permit status; and employer name for contingent/consultant worker.
  • Photograph, audio, or video information.
  • System Account information, such as username and password.
  • Financial information, such as bank account information, credit card number, and bank accounts.
  • Demographic information, such as age and gender.
  • Inferences, such as notes about preferences and aptitudes.
  • Opinions or statements, such as publicly available social media posts and opinions on BridgeBio, its products, and indications in public news reports.
  • Internet or other electronic network activity information, such as IP address, country or geographic region location, browser type, device type, operating system, dates and times you access our services, browsing history, and other information about your interactions with our online services. We collect such information through cookies and other tracking technologies. Please see our “Cookies and Other Tracking Technologies” section above.

In addition to the above, we will collect any other information that you provide to us.

4. SHARING AND DISCLOSURE OF PERSONAL DATA

With your consent, we may share or disclose your personal data at your direction, such as when you specifically authorize a third party to access personal data that we maintain about you (e.g., your health care provider).

Where necessary for our legitimate interests and where our interests are not overridden by your data protection rights, we may, from time to time, disclose your personal data amongst our affiliates and to third parties for the purposes referred to above including:

  • manage and administer our (or our affiliates’) relationship with you and to respond to your requests;
  • protect our operations or those of any of our affiliates;
  • protect our rights, privacy, safety, or property, and/or that of our affiliates, you or others.

There are certain circumstances in which we may share your personal data with third parties without further notice to you unless required by applicable law, as set forth below:

  • Vendors and Service Providers: We disclose your information to other entities providing services on our behalf, including entities providing us with research services, providers of administrative services such as email communication (including appointment reminders, investment information you request through the Websites, medical information requests, and marketing communications), event organization and travel agencies, for processing and mailing purposes, customer relationship management, support services, and other business operations such as data storage, data analytics providers (in connection to Website analytics), distributors, IT and data security, legal services, audits or investigations, etc. Pursuant to our instructions, these parties will access, process, or store personal data only in the course of performing their duties to us.
  • Business partners and research organizations who collaborate with us in relation to our products and services, such as researchers with whom we partner, companies with which we co-develop an investigational drug, etc.
  • Business Transfers or Acquisitions: If we are involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, sale of all or a portion of our assets, or transition of service to another provider, your personal data may be transferred to a successor or affiliate as part of that transaction along with other assets, to potential acquirers, financiers, and professional advisers in connection with a proposed sale, assignment or other transfer.
  • Legal Requirements: If required to do so by law or in response to a government or law enforcement agency, or in the good faith belief that such action is necessary, including but not limited to (a) comply with a legal obligation, (b) protect and defend our rights or property, (c) act in urgent circumstances to protect the personal safety of you, us, or the public, (d) protect rights and interests as needed for audits, investigations, responding to complaints or threats, or to exercise our legal rights, or (e) protect against legal liability.

5. DATA RETENTION

We will keep your personal data for as long as reasonably necessary for the purposes described in this Notice. For instance, for certain processing, we will retain your personal data for so long as we have a legitimate business need to do so, or for certain personal data, we will retain it for such period as is required by law (e.g. for regulatory reporting including to government entities who may oversee the safety and efficacy of Research, legal, tax, accounting or other purposes).

To determine the appropriate retention period for your personal data, we will consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we use your personal data, and whether we can achieve those purposes through other means, and the applicable legal requirements. For further information in relation to our retention periods please contact our Data Protection Officer using the information in the “Contact Information” section below at any time.

Anonymous/De-identified information. In accordance with applicable legal requirements, we may anonymise/de-identify personal data collected from and about you so that it can no longer be linked to you or your device. Information that has been anonymised/de-identified in such a way is no longer subject to this Notice and can be used and shared by us at our discretion and maintained indefinitely.

6. YOUR RIGHTS AND CHOICES

6.1 BridgeBio respects your rights if you live in a country or U.S. State that provides certain additional rights with regard to your personal data. We will honour such requests in accordance with applicable laws and regulations, including obligations that we verify your identity before responding to your request. Depending on your jurisdiction, your rights may include some or all of the following:

  • request access to and/or a copy of certain personal data we hold about you
  • opt-out or object to the processing of your personal data for direct marketing purposes (including any direct marketing processing based on profiling) or the sharing of your personal data for cross-context behavioral advertising for Business or Commercial purposes (as defined by applicable law). You may opt out of communications from us at any time by following the opt-out instructions in the communication such as selecting an unsubscribe link. We may still need to send you important administrative messages even if you opt out of receiving communications.
  • request that we update or rectify personal data that is out of date or incorrect
  • request that we delete certain personal data that we are holding about you
  • oppose, cancel, or restrict the way that we process and disclose certain personal data
  • receive and transfer your personal data to a third-party provider of services
  • withdraw your consent for the processing of your personal data, which will not affect the lawfulness of processing prior to the withdrawal

We will consider all requests and provide our response within the period stated by applicable law. Please note, however, that certain personal data may be exempt from such requests in some circumstances, which may include if we need to keep processing your personal data for our legitimate interests, to comply with a legal obligation, or where the personal data provided in connection with Research is necessary for the public interest. For example, to safeguard the validity of the Research and comply with regulatory obligations related to clinical trials, we may not be able to delete your Research data even if you decide to stop participating in the Research. If we are unable to comply with your request in full or part, we will confirm this with you and the reasoning behind our position.

Please note that in certain circumstances we will need you to provide us with certain information for us to comply with legal obligations or to administer our relationship with you. We will inform you where such personal data is required and the consequences of failing to provide such personal data (which may include an inability for us to consider you as a Research Participant or to create an account on our Websites).

We may request you provide us with the information necessary to confirm your identity before responding to your request as required or permitted by applicable law. If you would like further information in relation to your legal rights under applicable law or would like to exercise those rights, please contact our Data Protection Officer using the information in the “Contact Information” section below at any time.

In some circumstances, we may need to route your request to exercise your rights to a Research Partner who maintains your personal data in connection with Research.

6.2 Additional Rights for Residents of certain U.S. States

Please note that we do not currently meet the threshold applicability requirements of U.S. State privacy laws, including the California Consumer Privacy Act (“CCPA”). If we meet those thresholds in the future, we will update this Notice to include applicable disclosures related thereto.

Certain U.S. Consumers (as defined by applicable U.S. privacy laws) have certain rights concerning their personal data. You may exercise the rights applicable to you by emailing us at [email address] or calling us at [1-800 phone number]. We will honour such requests in accordance with applicable laws and regulations, including obligations that we verify your identity before responding to your request.

We do not knowingly sell the personal data of consumers under 16 years of age.

We do not and will not discriminate against you for exercising your data subject rights; however, certain services and features available may be impacted or no longer be available depending on your request. Any difference in the Services is related to the value provided.

Verification of Request: When you make a request, please provide your first and last name, email address, city and state of residence, and which of the right(s) described below you are requesting. We will verify your request against our records. We cannot fulfil any unverified or incomplete requests.

Authorized Agent: You may designate an authorized agent to request data subject rights on your behalf by providing a signed and authenticated letter that identifies (i) your agent and (ii) the purposes and nature for which you are appointing the agent. If you are an authorized agent, you must provide the information described in “Verification of Request” above related to the consumer for which you are acting as an agent, as well as your own first and last name and email address, and a letter that has been signed by the consumer that appoints you as their agent. In some instances, we may decline to honour your request if an exception applies under applicable law; however, we will respond to your request in compliance with applicable law.

If you would like to exercise your rights under U.S. State Privacy Laws, please contact us at dataprivacy@bridgebio.com or call our U.S. toll-free phone number at 1-877-595-8877.

7. INFORMATION FOR EUROPEAN ECONOMIC AREA (EEA), UK, AND SWISS RESIDENTS

In addition to the above, this section of the Notice applies if you are a resident of the European Economic Area (EEA) (which includes the European Union and the countries of Iceland, Liechtenstein, and Norway), the United Kingdom, or Switzerland. Please read specific privacy notices for HCPs/KOLs and job applicants here.

7.1. Data Controller

BridgeBio and the BridgeBio subsidiary or affiliate that engages directly with you, offers the Website you are using, or administers the Research in which you are participating are the data controllers for processing your personal data. To find out our contact details, please see the “Contact Us” section below.

7.2. Data Protection Officer – Contact Details

BridgeBio has appointed Bird & Bird DPO Services SRL as a Data Protection Officer (DPO) for the EEA and the UK and may be reached:

  • by using the following email: DPO.BridgeBio@twobirds.com
  • by mail at the following address:

    Bird & Bird DPO Services SRL
    Avenue Louise 235 b 1
    1050 Brussels, Belgium

If you are an EEA or UK resident and would like to contact our Data Protection Officer on matters related to the processing of personal data, or otherwise exercise your rights in respect of your personal data (described above), please contact dataprivacy@bridgebio.com.

7.3. Data Protection Representative – Contact Details

When required, our appointed Data Protection Representative will be:

8. COLLECTION OF PERSONAL DATA FROM MINORS

In general, our Websites and services are intended for general audiences and not for minors. No personal data should be submitted to BridgeBio through the website by visitors who are less than 18 years old. If we become aware that we have collected personal data without legally valid parental consent from minors under an age where such consent is required pursuant to applicable law, we will take reasonable steps to delete it as soon as possible. In connection with our Research, we obtain legally adequate parental consent before allowing minors (under the age of majority in their jurisdiction of residence) to serve as Research Participants.

9. CHANGES TO THIS NOTICE

The Websites, our Research, and our business may change from time to time. As a result, we may change this Notice at any time and when we do, we will post an updated version on this page and change the Last Updated date above, unless another type of notice is required by the applicable law. You should consult this Notice regularly for any changes. By continuing to use the Websites, participate in Research, or provide us with information after we have posted an updated Notice, or notified you if applicable, you consent to the revised Notice and practices described in it.

10. INTERNATIONAL USERS AND DATA TRANSFERS

BridgeBio Pharma Inc. is an international organization with affiliates and subsidiaries in and outside the United States. We transfer the personal data we collect about you within BridgeBio (to other BridgeBio affiliates worldwide) and to third parties. Such data transfers include the transfer of personal data to countries that may not have the same level of data protection as the country in which the personal data initially originated. Where cross-border data transfers occur, we ensure that an adequate level of data protection exists in the recipient country, by executing with third parties, including our affiliates, appropriate contractual arrangements for cross-border data transfers to third-party countries for controllers or processors as applicable. For transfers governed by UK and EU GDPR, these measures will include transfers based on adequacy decisions, EU standard contractual clauses (SCCs), the UK international data transfer agreements, and addendum to the EU SCCs supplemented by any supplementary measures as may be required.

11. DATA SECURITY

We have implemented a variety of technological and organizational procedures and measures to protect your personal data from unauthorized access, use, and disclosure. However, please note that no method of Internet transmission can be completely secure. As such, we cannot guarantee absolute security of your personal data. Please take steps to protect yourself, such as using and protecting your unique login credentials and passwords, utilizing encryption, and using anti-virus solutions.

12. CONTACT US – CONTROLLER CONTACT DETAILS

Please feel free to contact us if you have any questions about our Notice or our information practices.

You may contact us as follows: You may send an email to dataprivacy@bridgebio.com or send mail to:

Attn: Legal Department
c/o BridgeBio Pharma, Inc.
Suite 250, 3160 Porter Drive
Palo Alto, CA 94304 (USA)

If you would like to exercise your rights under U.S. State Privacy Laws, please contact us at dataprivacy@bridgebio.com or call our U.S. toll-free phone number at 1-877-595-8877.

If you have any concerns or complaints about our data processing activities, we urge you to contact our DPO to attempt to resolve such issues directly with us. However, if applicable, you may make a complaint to the data protection supervisory authority in the country where you are based or seek a remedy through local courts if you believe your rights have been breached.