In accordance with the provisions of Articles 13 and 14 of REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of April 27, 2016, regarding the protection of individuals with regard to the processing of personal data and the free movement of such data (hereinafter, "GDPR"), and Articles 6 and 11 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, "LOPDGDD"), which regulates the right to information in the collection of data, we inform you of the following:

Who is responsible for the processing of your personal data?

The owner of the website is MINORYX THERAPEUTICS SL (with VAT number B65648156 and registered office at AVDA. ERNEST LLUCH 32 TCM, 08302, MATARO, BARCELONA, SPAIN); and its subsidiary MINORYX THERAPEUTICS BE, SA (a company incorporated under the laws of Belgium, with registered office at I-Tech Incubator 2, rue Auguste Piccard 48, 6041 Charleroi, Belgium, and VAT number BE0713984534), collectively referred to as "MINORYX," and as such, informs that:

• It is the Data Controller for the personal data collected on this website,
• In accordance with the provisions of current regulations, the personal data provided to us will be processed for the purposes described in this document, and
• It will be carried out with all the necessary technical and organizational measures to comply with the required privacy levels.

The website may contain sections with information about our company, our science, our programs, clinical studies, and a contact form that corresponds to MINORYX THERAPEUTICS SL.

What personal data do we collect?

The personal data that the user may provide:

• Name and Surname.
• Phone number
• Email address
• IP address
• Information for a job application, in addition to the above, CV, city of residence, previous employment information, referral source, etc.
• Any other information or data that the user decides to share with us.

Not accepting this data protection policy implies the inability to navigate the website.

Why and for what purpose do we process your data?

Depending on the purposes, we will need to process different data, which in general will be, as appropriate, the following:

• The website provides information about the services offered by MINORYX, a Clinical-stage biotechnology company focused on the discovery and development of novel therapies for severe orphan genetic diseases of the central nervous system (CNS) with a significant unmet medical need. The website provides information about the company, our science, our programs, and our clinical studies of interest to users.
• Manage and respond to possible inquiries, complaints, and/or claims made through any means. It is also informed that the personal data of the interested party for these purposes will only be kept while the response to the inquiry, complaint, and/or claim presented is being processed and responded to.
• The collection and automated processing of data through the website will be carried out through the contact form. The data provided to manage any request made by an interested party through the channels provided for this purpose will be collected in order to respond to it, as well as to study the possibility of contracting with us. The data will be kept for the time that any liability could arise from the services requested by the interested party.

It is reported that the personal data obtained through the contact form will be part of the Register of Activities and Treatment Operations (RAT), which will be periodically updated in accordance with the provisions of the GDPR, since all relevant security measures have been adopted in this regard.

The user is informed of the possibility of withdrawing consent if it has been granted for a specific purpose, without affecting the legality of the processing based on the prior consent before its withdrawal.

What is the legal basis for the processing of your data?

The purposes of the processing described above can be carried out on the following legal bases:

• Express consent from users regarding the completion of forms with their personal data.
• Execution and management of a therapy services contract.
• Any other legal obligation arising from the services or actions requested through the contact form.

How long do we keep your data?

The processing of personal data of interested parties for the purposes described will be maintained for the time necessary to fulfill the stated purpose, as well as for compliance with legal obligations arising from the data processing. Without prejudice to the need for retention for the formulation, exercise, or defense of potential claims and/or as long as permitted by applicable law.

MINORYX undertakes to cease the processing of personal data when the retention period has ended, as well as to block them properly in our databases.

To which recipients are your data communicated?

MINORYX may communicate the data of interested parties to third parties such as governmental bodies and public security forces when required by legal obligation.

It is also informed that MINORYX may transfer data to third parties in order to manage the service, and therefore, it is stated that the purpose is to ensure the security of personal data when sent outside the company and to ensure that third-party service providers respect confidentiality and have adequate measures to protect personal data. These third parties are obliged to ensure that the information is processed in accordance with data privacy regulations. In some cases, the law may require the disclosure of personal data to public bodies or other parties; only the strictly necessary data will be disclosed for the fulfillment of such legal obligations.

Where are your data stored?

In general, data is stored within the EU. Data sent to third parties outside the EU will be ensured to provide an adequate level of protection, either because they have Binding Corporate Rules (BCR) or because they have adhered to the "Privacy Shield."

What rights do you have and how can you exercise them?

All interested parties can exercise the rights recognized in the LOPDGDD and the GDPR, addressed to the email: gdpr@minoryx.com

In accordance with current regulations, you can exercise:

• Right of access: you can request information about the personal data we have about you.
• Right of rectification: you can communicate any changes to your personal data.
• Right to erasure and to be forgotten: you can request the deletion, with prior blocking, of personal data.
• Right to restriction of processing: involves restricting the processing of personal data.
• Right to object: you can withdraw consent for data processing, objecting to further processing.
• Right to data portability: in some cases, you can request a copy of personal data in a structured, commonly used, and machine-readable format for transmission to another controller.
• Right not to be subject to automated individual decision-making: you can request that decisions based solely on automated processing, including profiling, that have legal effects or significantly affect the data subject be avoided.

In some cases, the request may be rejected if you request the deletion of data necessary for the fulfillment of legal obligations. Also, if you have any complaints about data processing, you can file a complaint with the data protection authority.

Who is responsible for the accuracy and truthfulness of the provided data?

The user is solely responsible for the accuracy and correctness of the included data, exempting MINORYX from any liability in this regard. Users guarantee and respond, in any case, for the accuracy, validity, and authenticity of the provided personal data, and undertake to keep them duly updated. The user agrees to provide complete and correct information on the contact form.

MINORYX is not responsible for the accuracy of information not of its own creation and for which another source is indicated, and therefore assumes no responsibility for any potential damages that may arise from the use of such information.

MINORYX reserves the right to update, modify, or delete the information contained on its web pages, and may even limit or deny access to such information. MINORYX is exempt from liability for any damage or harm that the user may suffer as a result of errors, defects, or omissions in the information provided by MINORYX, provided that it comes from sources outside MINORYX.

What security measures do we apply to protect your personal data?

MINORYX has adopted the levels of security protection for personal data legally required and seeks to install additional technical or organizational means at its disposal to prevent the loss, misuse, alteration, unauthorized access, and theft of personal data provided to MINORYX.

MINORYX is not responsible for hypothetical damages or harm that may arise from interference, omissions, interruptions, computer viruses, telephone breakdowns, or disconnections in the operational functioning of this electronic system, caused by external causes to MINORYX, delays or blockages in the use of this electronic system caused by deficiencies or overloads of telephone lines or overloads in the Data Processing Center, in the Internet system, or in other electronic systems, as well as damages that may be caused by third parties through illegal intrusions outside the control of MINORYX. However, the user should be aware that security measures on the Internet are not impregnable.

How do we use cookies?

The website and social media accounts of MINORYX use cookies to optimize and customize user navigation. Cookies are physical information files that are housed on the user's own device, and the information collected through cookies is used to facilitate the user's navigation of the portal and optimize the browsing experience. Data collected through cookies may be shared with their creators, but in no case will the information obtained through them be associated with personal data or data that can identify the user. However, if the user does not want cookies to be installed on their hard drive, they have the possibility to configure their browser to prevent the installation of these files. For more information, please refer to our Cookie Policy.

Can the privacy policy be modified?

This privacy policy may be modified. We recommend that you review the privacy policy periodically.

Privacy policy updated on November 2023.