DATA PRIVACY FRAMEWORK PRINCIPLES: POLICY STATEMENT

PURPOSE

Calico Life Sciences LLC (“Calico”) complies with the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”) and the UK Extension to the EU-U.S. DPF and Swiss-U.S. Data Privacy Framework (collectively, “Data Privacy Framework”) as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal data (“Personal Information”) transferred from the European Union, United Kingdom and Switzerland to the United States. Calico has certified to the Department of Commerce that it adheres to the Data Privacy Framework Principles with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. Data Privacy Framework Principles (collectively, the “Data Privacy Framework Principles”). If there is any conflict between the terms of our online privacy policy and the Data Privacy Framework Principles, the Data Privacy Framework Principles shall govern. To learn more about the Data Privacy Framework program, and to view our certification, please visit https://www.dataprivacyframework.gov.

This Statement describes the principles pursuant to which Calico manages Personal Information received: (i) from Workers, in support of Calico’s human resources and business operations; (ii) in the course of Calico’s operations involving current, prospective and former clients, customers, partners, investors, visitors and guests (collectively “Clients”); and (iii) in the course of its related interactions with current, prospective and former research investigators, data or service suppliers, and strategic partners, and subcontractors (collectively, “Suppliers”). The categories of Personal Information covered by this Statement include Personal Information relating to Workers, Clients and Suppliers. In connection with Calico’s Operations, Calico may now and/or in the future: (a) transfer Personal Information of Workers, Clients and/or Suppliers outside of the EEA, United Kingdom and Switzerland to the United States; and/or (b) access Personal Information regarding Workers, Clients and/or Suppliers from the United States.

DEFINITIONS

The following capitalized terms are used throughout this document and are defined as follows:

“Agent” or collectively, “Agents” means any third party that processes Personal Information pursuant to the instructions of, and solely for, Calico or to which Calico discloses Personal Information for use on its behalf.

“Citizen” or collectively, “Citizens” means a lawful citizen or citizens of the EEA, the UK  and Switzerland and includes both Workers, Clients and Suppliers.

“EEA” means the European Economic Area.

“Worker” or collectively, “Workers,” means for purposes of this Statement only, any Calico Citizen-employee(s) (and any and all dependents thereof), including, but not limited to, temporary, permanent, and former employees, directors, contractors, workers and retirees as well as independent contractors and job applicants.  Workers

“Calico” or the “Company” collectively refers to Calico and all subsidiaries and affiliates thereof that are incorporated in any state or territory of the United States.

“Personal Information” includes the term “personal data” and means any information or set of information about an identified or identifiable Citizen, including, but not limited to: (a) first name or initial and last name; (b) home or other physical address; (c) telephone number; (d) email address or online identifier associated with the Citizen; (e) Social Security number or other similar identifier; (f) employment, financial or health information; or (g) any other information relating to a Citizen that is combined with any of the above. The term “Personal Information” does not include anonymized information or information that is reported in the aggregate (provided that such aggregated information is not identifiable to a natural person).

“Data Privacy Framework Principles” collectively means the following seven (7) privacy principles as described in the Data Privacy Framework: (1) Notice, (2) Choice, (3) Accountability for Onward Transfer, (4) Security, (5) Data Integrity and Purpose Limitation, (6) Access, and (7) Recourse, Enforcement and Liability as agreed to by the U.S. Department of Commerce and the European Commission.

“Process” or “Processing” of Personal Information means any operation or set of operations which is performed upon Personal Information, whether by automated means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure or dissemination, and erasure or destruction.

“Sensitive Personal Information” means Personal Information that reveals race, ethnic origin, political opinion, religious or philosophical beliefs, trade union membership, genetic data, biometric data where Processed to uniquely identify a person, any information that concerns medical or health conditions, social security measures or sex life, or information relating to the commission of a criminal offense.

“Statement” means this Data Privacy Framework Statement.

Capitalized terms not defined above have the definitions set forth in the respective paragraphs of this Statement.

DATA PRIVACY FRAMEWORK PRINCIPLES

1. Notice: In the event that Calico collects Personal Information from a Citizen, Calico will furnish a notice to the Citizen that describes: (i) the types of Personal Information that it collects about such Citizens; (ii) the purposes for which it collects such information; (iii) the types of third parties to which it discloses such information, and the purposes for which it does so; and (iv) how to contact Calico with any inquiries or complaints, including any relevant establishment in the EEA, United Kingdom and/or Switzerland that can respond to such inquiries or complaints. Notice will be provided in clear and conspicuous language at the time of collection, or as soon as reasonably practicable thereafter. In any event, notice will be provided before Calico discloses the Personal Information or uses such information for a purpose other than that for which the Personal Information was originally collected or Processed.
2. Choice: In the event that Personal Information is to be used for a new purpose that is materially different from the purpose(s) for which the Personal Information was originally collected or subsequently authorized, or transferred to a non-Agent third party, Citizens will be provided, where practical and appropriate, with an opportunity to decline to have their Personal Information so used or transferred. In the event that the Personal Information used for a purpose other than that for which it was originally collected or subsequently authorized or transferred to the control of a non-Agent third party is Sensitive Personal Information, the Citizen’s affirmative express consent will be obtained prior to the use or transfer of the Sensitive Personal Information or as otherwise permitted in accordance with the Data Privacy Framework Principles.
3. Accountability for Onward Transfer: Calico will endeavor to only transfer Personal Information to an Agent where such Agent has given assurances that it provides at least the same level of privacy protection as is required by the Data Privacy Framework Principles and this Statement and will notify Calico if it makes a determination it can no longer meet this obligation. Where Calico has knowledge that an Agent is using or sharing Personal Information in a way that is contrary to the Data Privacy Framework Principles and/or this Statement, Calico will take reasonable steps to prevent or stop such Processing. With respect to onward transfers to   Agents, the Data Privacy Framework requires that, to the extent it is responsible for the event, Calico shall remain liable should its Agents Process Personal Information in a manner inconsistent with the Data Privacy Framework Principles.
4. Security: Calico takes reasonable and appropriate administrative, technical and physical precautions designed to protect Personal Information from loss, misuse and unauthorized access, disclosure, alteration and destruction, regardless of whether such Personal Information is in electronic or tangible, hard copy form.
5. Data Integrity and Purpose Limitation: Calico endeavors to limit the collection, usage, and retention of Personal Information to that which is relevant for the intended purposes of Processing, and takes reasonable steps designed to ensure that all Personal Information is reliable for its intended use, accurate, complete and current. Calico depends on its Workers to keep Personal Information reliable, accurate, complete and current.
6. Access: Citizens may seek confirmation regarding whether Calico is Processing Personal Information about them, request access to their Personal Information and ask that the Company correct, amend or delete that information, where it is inaccurate or has been Processed in violation of the Data Privacy Framework Principles. Although Calico makes good faith efforts to provide Citizens with access to their Personal Information, Calico reserves the right to limit or deny such access where the burden or expense of providing access would be disproportionate to the risks to the Citizen’s privacy, where the rights of Citizens other than the subject Citizen would be violated, where the information is commercially proprietary or where doing so is otherwise consistent with the Data Privacy Framework  Principles. If Calico determines that access should be restricted in any instance, we will provide you with an explanation of why that determination has been made and a contact point for any further inquiries.
7. Recourse, Enforcement and Liability: Calico has implemented mechanisms to verify its ongoing compliance with the Data Privacy Framework Principles and this Statement. Any party that violates the Privacy Principles and/or this Statement will be subject to disciplinary procedures in accordance with Calico’s disciplinary procedures. In the event of a dispute, Citizens are able to seek resolution of their questions or complaints regarding use and disclosure of their Personal Information in accordance with the Data Privacy Framework Principles contained in this Statement. If you feel that Calico is not abiding by the terms of this Statement or is not in compliance with the Data Privacy Framework Principles, please contact Calico at the contact information provided below. In addition, Calico has agreed to cooperate with JAMS Data Privacy Framework Dispute Resolution Program with respect to complaints related Client and Supplier data and with the local data protection authorities with respect to Worker and human resources data. For more information and to submit a complaint to JAMS, visit https://www.jamsadr.com/.   Such independent dispute resolution mechanisms are available to Citizens free of charge. If any request remains unresolved, Citizens may have a right to invoke binding arbitration under the Data Privacy Framework. The FTC has jurisdiction over Calico’s compliance with the Data Privacy Framework.

LIMITATION ON SCOPE OF DATA PRIVACY FRAMEWORK PRINCIPLES

Adherence to these Data Privacy Framework Principles may be limited (i) to the extent required or allowed by applicable law, rule or regulation; (ii) to the extent necessary to respond to lawful requests by public authorities, including to meet national security, law enforcement, legal or governmental requirements; and/or (iii) to protect the health or safety of a Citizen.

CONTACT INFORMATION

If you have questions regarding this Statement or any of Calico’s privacy practices, please contact us by mail or e-mail at the following address: privacy@calicolabs.com

CHANGES TO THIS STATEMENT

This Statement may be amended from time to time in a manner that is consistent with the requirements of the Data Privacy Framework Principles. When this Statement is updated, the “Last Updated” date at the bottom of this document shall be amended accordingly. Any material changes to this Statement will be posted on Calico’s website at https://www.calicolabs.com/privacy-policy/.

LAST UPDATED: August 16, 2023