Privacy Policy and Notice of Information Practices

Effective Date: January 1, 2023

Gritstone bio, Inc. (“Gritstone,” “we,” “us” or “our”) respects the privacy of visitors to our websites and online services and values the confidence of our customers, partners, patients, and employees. This Privacy Policy and Notice of Information Practices (“Privacy Notice”) sets forth Gritstone’s practices regarding the collection, use and disclosure of information that you may provide through the website(s) that we operate, their subdomains, and all portals, applications, products, services, events and any interactive features, applications or other services that link to this Privacy Notice (“Website” or “Sites”), as well as Personal Information provided to Gritstone by any means, including in person or by telephone or webform. Additional privacy disclosures may be made at the time of collection of the information. Please read the entire Privacy Notice before using our Website or our Services.

All references to “you,” “your” and “User” in this policy means the person who accesses, uses, or registers for our Site or our Services. If you use or access our Site or our Services on behalf of a company or organization, such company or organization will also be considered to be a party to this Privacy Policy and any agreements you make. By using the Website, you agree to abide by the terms of this Privacy Notice. This Privacy Notice is also part of our Terms of Use, which govern your use of the Website.

In this Policy, we tell you what information we collect from you, the sources from which we get that information, why we collect it, how we use it, under what circumstances we may share it with third parties, how we protect that information, and what choices you may make about that information. These choices may differ depending on where you live, so please check the location-specific choices for your state or country of residence. If you have questions about this Privacy Policy, contact us at privacy@gritstone.com.

What Information we Collect

The type of information we collect depends on the context in which you interact with our Site and our Services. You may be a website visitor, a patient at a clinical trial site, or a job applicant, employee, or contractor. Residents of California and Virginia, as well as the United Kingdom (“U.K.”) and the European Economic Area (“EEA”) may have additional disclosures available to them, as set forth in the location-specific sections below.

Information You Provide to Us:

In connection with the Services we provide, we may ask you to provide use with certain information, including:

Contact information, such as first and last name, email address, home or business postal address, and telephone or mobile number;
Consumer information like a username, your service history, your preferences or a consumer profile based on your use of the Site or the Services;
Employment information, such as educational information, employment information, social security or passport number, military or veteran status, driver’s license, references, and your birthdate or age;
Health information, like a medical diagnosis or treatment information;
Demographic information, such as your country, state, or county of residence or business operation (“Demographic Information”)
Other information that could reasonably be used to identify you personally or identify your household or device.

At our clinical trial sites, you may also be asked to provide:

Your gender, date of birth, country of domicile, and nationality;
Information about your racial or national origin;
Information about your health and medical conditions;
Information regarding your family and/or your family’s health and medical history; and
Biometric data, including genetic information, if applicable.

Please note that any information taken from you in person may be subject to additional disclosures and/or confidentiality requirements set forth in materials given to you at the time of data collection.

Separately, you also may provide us with the following personal information when you interact with our Site or the Services:

Social media information, such as social media handles, content and other data shared with us through third-party features that you use on our Site and other service (such as apps, tools, payment services, widgets and plug-ins offered by social media services like Facebook and Twitter) or posted on social media pages (such as our social media page or other pages accessible to us);
Recordings of your voice, as may be contained in customer service phone recordings kept for quality assurance purposes or training (you will always be notified in advance if we record our calls with you for quality assurance purposes);
Your image or likeness as captured on audiovisual recordings in the public spaces of our office locations;
Your geolocation information if you have enabled your device’s location services or if you type in your address in any form on our Website.

Additionally, we may obtain other identifying information from you where you expressly provide us with the information. This information could come from interviews and telephone calls with you, letters, emails or other communications from you, information from your referral or reference sources, information provided via web forms or inputs/uploads into our Site or at events we attend or sponsor, documents you have provided to us, and employment applications.

Information That Is Automatically Collected

In addition to information that you choose to submit to us, we and/or our service providers may automatically collect and/or store certain information when you visit or interact with the Site(s) (“Usage Information”). This Usage Information may be stored and/or accessed from your personal computer, laptop, tablet, mobile phone or other device (a “Device”) whenever you visit or interact with our Site(s). Usage Information may include:

Your Internet Protocol (IP) address, which is the number automatically assigned to your computer whenever you access the Internet and that can sometimes be used to derive your general geographic area; other unique identifiers, including mobile device identification numbers (e.g., IDFA, MAC address, Android/Google Advertising ID, IMEI) (“Device Identifiers”);
Your Device functionality (including browser, browser language, operating system, hardware, mobile network information);
Your device characteristics;
Sites you visited before and after visiting our Sites;
Pages you view and links you click on within the Sites, including remembering you and your preferences;
Your device location and/or other geolocation information, including the zip code, state, or country from which you accessed the Sites;
Information collected through cookies, web beacons and other technologies;
Information about your interactions with email messages, such as the links clicked on and whether the messages were received, opened, or forwarded; and
Standard Server Log Information.

We may use cookies, pixel tags and similar technologies to automatically collect this information. Cookies are small bits of information that are stored by your computer’s web browser. Pixel tags are very small images or small pieces of data embedded in images, also known as “web beacons” or “clear GIFs,” that can recognize cookies, the time and date a page is viewed, a description of the page where the pixel tag is placed, and similar information from your computer or device. By using the Website, you consent to our use of cookies and similar technologies. You can decide if and how your computer will accept a cookie by configuring your preferences or options in your browser. However, if you choose to reject cookies, you may not be able to use certain online products, services or features on the Website. You can get more information about Cookies and Tracking Technologies, and instructions on how to opt out of these items, in our Cookie Policy.

For location information, we may use this information to provide customized Services, content, and other information that may be of interest to you. If you no longer wish for us or our service providers to collect and use location information, you may disable the location features on your device. Consult your device manufacturer’s settings for instructions. Please note that if you disable such features, your ability to access certain features, Services, or content may be limited or disabled.

Information From Third Parties

We may collect information about you from other sources, including consumer credit reporting agencies or background check vendors, in order to evaluate your application for employment. We also may obtain Personal Information about you if you are listed as a dependent or beneficiary of a Gritstone clinical trial patient or an employee. We may also obtain information about you (e.g., an email address), if another User has forwarded information about our Services to you. We may combine the information we collect from third parties with information that we have collected from you or through your use of the Services.

In addition, the Site(s) may include functionality that allows certain kinds of interactions between the Site and your account on a third-party website or application. The use of this functionality may involve the third-party site providing information to us. For example, we may provide links on the Site to facilitate sending a communication from the Site or we may use third parties to facilitate emails or postings to social media (like a “Share” or “Forward” button). These third parties may retain any information used or provided in any such communications or activities and these third parties’ practices are not subject to our Privacy Policy. We may not control or have access to your communications through these third parties. Further, when you use third-party sites or services, you are using their services and not our services and they, not we, are responsible for their practices. You should read the applicable third-party privacy policies before using such third-party tools on our Site.

Use of Information

We may use information that we collect through the Website or in person for a variety of purposes, including to:

Operate and improve our Website, products, information, and services;
Understand you and your preferences to enhance your experience and enjoyment using our Website, products, and services;
Process employment applications;
Respond to your comments and questions and provide customer service;
Provide and deliver products, information, and services you request;
Conduct clinical trials and other analytics and/or research regarding information obtained during clinical trials;
Process and analyze information, including medical information, test results, clinical evaluations and notes, and other personal information collected from you during your visits to a clinical trial site;
Meet our audit, compliance, and regulatory obligations;
Send you information, including confirmations, invoices, technical notices, updates, security alerts and support and administrative messages;
Communicate with you about upcoming events and news about products, information and services offered by Gritstone and our selected partners;
Link or combine with other personal information we get from third parties, to help understand your needs and provide you with better service;
Assist when it is necessary for emergency medical purposes or to protect your or another person’s vital interests;
Verify your identity and for fraud prevention;
Comply with a law, court order, or other judicial or administrative process;
Protect, investigate, and deter against fraudulent, unauthorized, or illegal activity; and
As otherwise described to you at the point of collection or pursuant to your consent.

Sharing of Information

We are committed to maintaining your trust, and we want you to understand when and with whom we may share the information we collect.

Corporate Parents and Affiliates. As applicable, we may share your information with affiliated entities for a variety of purposes, including business, operational and marketing purposes.
Service Providers. We may share your information with service providers that perform certain functions or services on our behalf (such as to host the Website, manage databases, process data, perform analyses or send communications for us).
Other Parties When Required by Law or as Necessary to Protect the Website. We may disclose your information to third parties in order to: protect the legal rights, safety and security of Gritstone, affiliates and the users of our Website; enforce our Terms of Use; prevent fraud (or for risk management purposes); and comply with or respond to law enforcement or legal process or a request for cooperation by a government entity, whether or not legally required.
In Connection with a Transfer of Assets. If we sell all or part of our business, or make a sale or transfer of assets, or are otherwise involved in a merger or business transfer, or in the event of bankruptcy, we may transfer your information to one or more third parties as part of that transaction.
Other Parties with Your Express or Implied Consent. We may share information about you with third parties when you consent to such sharing.
Aggregate Information. We may disclose to third parties information that does not describe or identify individual users, such as aggregate website usage data or demographic reports.
In addition, we may allow third parties to place and read their own cookies, web beacons and similar technologies to collect information through the Website. For example, our third-party service providers may use these technologies to collect information that helps us with traffic measurement, research, and analytics. Please note that you may need to take additional steps beyond changing your browser settings to refuse or disable some of these technologies. If you choose to refuse, disable, or delete these technologies, some of the functionality of the Website may no longer be available to you. You understand that when you use the Website, these analytics providers may collect information related to your use of the Website.

Security

We maintain a variety of security procedures to help protect against loss, misuse, unauthorized access, disclosure, alteration, or destruction of the information you provide through the Website. However, no data transmission over the Internet or stored on a server can be guaranteed to be 100% secure. As a result, while we strive to protect your information and privacy, we cannot guarantee or warrant the security of any information you disclose or transmit to us online and cannot be responsible for the theft, destruction or inadvertent disclosure of your information. Please see our Terms of Use for additional information.

Response to “Do Not Track” Signals

Do Not Track (“DNT”) is a web browser setting that requests that a web application disable its tracking of an individual user. When you choose to turn on the DNT setting in your browser, your browser sends a special signal to websites, analytics companies, ad networks, plug in providers, and other web services you encounter while browsing to stop tracking your activity. However, because there currently is no industry standard concerning what, if anything, websites should do when they receive such signals, we currently do not take action in response to these signals. You can learn more about Do Not Track here.

Children’s Privacy

Gritstone respects the privacy of children, and we are committed to complying with the Children’s Online Privacy Protection Act (COPPA). For that reason, no part of our Site is targeted to attract anyone under the age of 13. Gritstone does not knowingly collect, use, or disclose personal information from children under the age of 13 without prior parental consent, except as permitted by COPPA. Users from ages 13 to 15 must represent and warrant that they are visiting the Site under the supervision of a parent or guardian, and we may ask your parent or guardian to provide prior written consent for you to use the Site. By providing your consent, you agree that we may collect, use, and disclose your child’s Personal Information consistent with this Privacy Notice. If you believe we have information regarding a child under the age of 16 that you have not authorized, you may contact us at privacy@gritstone.com or use the Webform below to request that we delete it.

Your Choices Regarding Your Personal Data

You have many choices when it comes to your Personal Information. You may always change the settings on your Device (such as location settings, cookies, or allowing apps to track you) to limit some of the information that is shared with us. You can review our Cookie Policy for more information on controlling cookies.

If you receive emails or other communications from us, you may indicate a preference to stop receiving further communications from us and you will have the opportunity to “opt-out” by following the unsubscribe instructions provided in the email you receive or by contacting us directly at our contact information below. If you opt out, we may still send you non-promotional emails, such as emails about our ongoing business relations. You may also request changes or updates to your personal information by sending a request to our contact information below.

Depending on the jurisdiction in which you reside, you may have additional options to access, correct, delete or limit the information you have provided to use. Please see the location-specific privacy notices below.

Location-Specific Privacy Notices:

Your Data Protection Rights Under the General Data Protection Regulation (GDPR)

This section of the Privacy Policy applies if you are a resident of or located within the European Economic Area (EEA). We adopted this section to comply with European privacy laws, including GDPR. Any terms defined in the GDPR have the same meaning when used in this section. As a data subject under GDPR, you have certain additional data protection rights. These rights include:

The right to access, update or delete the information we have on you. Whenever made possible, you can access, update or request deletion of your Personal Information by contacting us at the contact information below.
The right of rectification. You have the right to have your information rectified if that information is inaccurate or incomplete.
The right to object. You have the right to object to our processing of your Personal Information.
The right of restriction. You have the right to request that we restrict the processing of your personal information.
The right to data portability. You have the right to be provided with a copy of the information we have on you in a structured, machine-readable, and commonly used format.
The right to withdraw consent. You also have the right to withdraw your consent at any time where Gritstone relied on your consent to process your personal information.

Legal Basis for Processing Personal Information Under GDPR

Under applicable law, Gritstone is considered a “data controller” for the personal information you have provided directly to us in connection with your use of the Sites and Services. In some instances, we may be a “data processor” for information you have provided to a clinical trial site or other third party who provides your Personal Information to us. Gritstone’s legal basis for collecting and using the Personal Information described in this Privacy Policy depends on the Personal Information we collect and the specific context in which we collect it.

Gritstone may collect or process your Personal Information because:

We need to perform a transaction or contract with you or provide a service;
You have given us permission to do so;
The processing is in our legitimate interests and it is not overridden by your rights; or
To comply with the law.

Retention of Information

Gritstone will retain your Personal Information only for as long as is necessary for the purposes set out in this Privacy Policy. We will retain and use your Personal Information to the extent necessary to comply with our legal obligations (for example, if we are required to retain your Information to comply with applicable laws), resolve disputes and enforce our legal agreements and policies.

Gritstone will also retain Personal Information and usage data for internal analysis purposes. Usage Data is data collected automatically either generated by the use of the Site or from the Site infrastructure itself (for example, the duration of a page visit). Usage Data is generally retained for a shorter period of time, except when this data is used to strengthen the security or to improve the functionality of our Site or we are legally obligated to retain this data for longer periods.

Transfer of Information

If you are visiting the Site from a location outside of the United States, your connection will be through and to servers located in the United States or in the United Kingdom. All information you receive from the Site will be created on servers located in the United States, and all information you provide will be maintained on web servers and systems located within the United States. Your information, including your Personal Information, may be transferred to – and maintained on --- computers located in the United States or in the United Kingdom. The data protection laws in the United States may differ from those of the country in which you are located, and your information may be subject to access requests from governments, courts, or law enforcement in the United States according to laws of the United States. Your consent to this Privacy Policy, followed by your submission of your information represents your agreement to the collection, storage, processing and transfer of your information in and to the United States, or other countries and territories, pursuant to the laws of the United States.

Gritstone will take all the steps reasonably necessary to ensure that your Personal Information is treated securely and in accordance with this Privacy Policy and no transfer of your Personal Information will take place to an organization or a country unless there are adequate controls in place including the security of your data and other personal information, such as Standard Contractual Clauses or other transfer mechanisms.

Disclosure of Personal Information

Gritstone may disclose your Personal Information as set forth in the sections above in the good faith belief that such action is necessary to:

To comply with a legal obligation;
To protect and defend the rights or property of Gritstone;
To prevent or investigate possible wrongdoing in connection with the Service;
To protect the personal safety of users of the Service or the public; and/or
To protect against legal liability.

Disclosure for Law Enforcement - Under certain circumstances, Gritstone may be required to disclose your Personal Information if required to do so by law or in response to valid requests by public authorities (e.g., a court or a government agency).

Security of Information

The security of your Personal Information is important to us but remember that no method of transmission over the Internet or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your Personal Information, we cannot guarantee its absolute security.

Exercising Your Rights Under GDPR:

If applicable, you may exercise any of rights under GDPR by submitting a verifiable data subject request to us by using our webform or emailing us at privacy@gritstone.com. You may make a request related to your personal information or on behalf of someone for which you have authorization. You must include your full name, email address, and attest to the fact that you are a citizen or resident of the EEA by including your country of citizenship or residence in your request. We may require you to confirm your identity and/or legal standing for the request as well as your residency in the EEA in order to obtain the information. We will respond to your request within 30 days or let you know if we need additional time.

Webform: Click Here.

Email Address: privacy@gritstone.com

Please note that we will ask you to verify your identity before responding to such requests, and we may deny your request if we are unable to verify your identity or authority to make the request.

Should you wish to raise a concern about our use of your information (and without prejudice to any other rights you may have), you have the right to do so with your local supervisory authority; however, we hope that we can assist with any queries or concerns you may have about our use of your Personal Information first by contacting us at privacy@gritstone.com.

For more information about GDPR, please contact your local data protection authority in the EEA.

Your Rights Under the UK GDPR

If you are based in the United Kingdom, the following provisions also apply:

UK GDPR means the Retained Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

If we share your personal data within Company or with third parties located outside the United Kingdom, we take steps to ensure that appropriate safeguards are in place to guarantee the continued protection of your personal data, such as by entering into the international data transfer addendum to the European Commission’s Standard Contractual Clauses, adopted by the UK Government under section 119A of the Data Protection Act 2018.

You have the same data subject rights as those for the EU listed above, except that references to the "GDPR" should be read as references to the "UK GDPR" and complaints should be filed with the UK supervisory

Your California Privacy Rights

This section of the Privacy Policy applies solely to California residents. We have adopted this policy to comply with the California Consumer Privacy Act (“CCPA”) and the California Privacy Rights Act (“CPRA”). Any terms defined in the CCPA have the same meaning when used in this section. Gritstone’s California employees, prior employees, contractors and job applicants may have additional disclosures available to them. Current employees may review the notice to California employees that has been provided to you. Job applicants may review the link to the notice in any job listing after January 1, 2023.

California residents have the following rights:

To know the categories of Personal Information being collected about you, the purposes for which the categories of information are collected or used, and whether that information is sold or shared;
To know the length of time we intend to retain each category of Personal Information;
To know whether your Personal Information is sold or disclosed and to whom;
To access your Personal Information;
To delete the Personal Information you have provided to us, with certain exceptions;
To correct your Personal Information if it is inaccurate;
To access information about automated decision making and to reject such automated decision-making in certain instances;
To know if Sensitive Personal Information (“SPI”) is being collected about you, the categories of SPI being collected, the purposes for which the categories of SPI are collected or used, and whether the SPI is sold or shared;
To limit the use of your SPI, if it is used for cross-contextual behavioral advertising or for the purpose of inferring characteristics about you;
To opt out of the sale or sharing of Personal Information; and
Not to be discriminated or retaliated against, even if you exercise your privacy rights.

The earlier sections in this Privacy Policy describe in detail what categories of information we collect and the purposes for which we use that information.

Request for Information, Correction, or Deletion

California consumers have the right to request, under certain circumstances, that a business that collects personal information about the consumer disclose to the consumer the information listed below for the preceding 12 months:

The categories of Personal Information we have collected from you;
The categories of sources from which we collected the Personal Information;
The business purpose we have for collecting your Personal Information;
The specific pieces of Personal Information we have collected about you.
The categories of Personal Information that we have disclosed for a business purpose, or if we have not disclosed that information for a business purpose;
The categories of Personal Information that we have sold, or if we have not sold the Personal Information;
The categories of third parties to whom the Personal Information was disclosed for a business purpose or sold;
The business purpose we have for disclosing or selling that Personal Information; and
The categories of Sensitive Personal Information we have collected, and whether such information is sold or shared, except for such information that is collected or processed without the purpose of inferring characteristics about you.

Please note that if we collected information about you for a single one-time transaction and do not keep that information in the ordinary course of business, that information will not be retained for purposes of a request under this section. In addition, if we have de-identified or anonymized data about you, we are not required to re-identify or otherwise link your identity to that data if it is not otherwise maintained that way in our records.

You also have the right to request that we correct or delete any of your personal information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request, we will delete (and direct our service providers to delete) your personal information from our records, unless an exception applies.

As permitted by the CCPA/CPRA, if you request deletion of Personal Information that we have collected about you, we, our service providers, and our contractors may be unable to comply with such a request if your Personal Information is necessary to:

Complete the transaction for which the Personal Information was collected, provide a good or service requested by you, or reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform a contract between us and you;
Prevent, detect, and investigate security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity;
Debug to identify and repair errors that impair existing intended functionality;
Exercise free speech, ensure the right of another Consumer to exercise his or her right of free speech, or exercise another right provided for by law;
Comply with the California Electronic Communications Privacy Act pursuant to Chapter 3.6 (commencing with section 1546) of Title 12 of Part 2 of the Penal Code;
Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when our deletion of that information is likely to render impossible or seriously impair the achievement to such research, if you have provided informed consent;
Enable solely internal uses that are reasonably aligned with your expectations based on your relationship with us;
Comply with a legal obligation; or
Otherwise use your Personal Information, internally, in a lawful manner that is compatible with the context in which you provided the information.

Do Not Sell or Share My Personal Information

As a California resident, you also have the right, at any time, to tell us not to sell Personal Information – this is called the “right to opt-out” of the sale of Personal Information. You may exercise this right as set forth in the section entitled “Exercising Your California Privacy Rights” below.

Limit the Use of My Sensitive Personal Information

California consumers have the right to limit the use of each type of Sensitive Personal Information (“SPI”) for each purpose with each type of third-party partner. Consumers can revoke this permission at any time. Please note that Gritstone only keeps SPI for the transaction for which it is required. At this time, we do not provide your Sensitive Personal Information to any third parties other than those service providers that are necessary for us to provide our Services to you. We do not share your SPI for cross-contextual behavioral advertising or for the purpose of inferring characteristics about you.

Right Not to Be Discriminated Against

We will not discriminate against you for exercising any of your rights under the CCPA or CPRA. Unless permitted by California law, we will not:

Deny you goods or services;
Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties;
Provide you a different level or quality of goods or services; or
Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.

Personal Information Collected About California Consumers

In connection with your relationship with us, Gritstone has collected and sold or shared the following categories of Personal Information (set forth in section 1798.140(v)(1) of the CCPA) from consumers within the twelve (12) months prior to the date of this Privacy Policy:

Category of Personal Information Collected	Sources of Collected Personal Information	Collected	Sold	Shared
A. Identifiers such as real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number or other similar identifiers	You Automatically Third Parties	Yes	Yes	Yes
B. Personal information described in the California Customer Records statute at Cal. Civ. Code 1798.80(e)	You Automatically Third Parties	Yes	Yes	Yes
C. Characteristics of protected classifications under California or federal law	You Third Parties	Yes (if relevant to clinical trial information)	No	No
D. Commercial information including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies	You Automatically	Yes	No	Yes (for analytics purposes)
E. Biometric information	You Third Parties	Yes (for some office locations or quality assurance calls)	No	No
F. Internet or other electronic network activity information including, but not limited to, browsing history, search history, and information regarding a consumer's interaction with an internet website, application, or advertisement	Automatically	Yes	Yes	Yes (may be shared for analytics purposes)
G. Geolocation data	You Automatically	Yes	Yes	Yes
H. Audio, electronic, visual, thermal, olfactory, or similar information	Automatically Third Parties (e.g., customer service calls or surveillance of public areas or worksites)	Yes	No	Yes
I. Professional or employment-related information	You Third Parties	Yes (if relevant to clinical trial information)	No	No
J. Education information (as defined in 20 U.S.C. section 1232g, 43 C.F.R. Part 99)	N/A	No	No	No
K. Inferences drawn from any of the information above to create a profile about a consumer reflecting the consumer's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.	You Automatically Third Parties	Yes	Yes	Yes
L. Sensitive Personal Information (such as social security number, driver’s license number, Account log-in, debit, or credit card number in combination with password or PIN, precise geolocation (within 1850 feet), racial/ethnic origins, religious or philosophical beliefs, union membership, contents of e-mails or texts to others, genetic/biometric data, health information, sex life/sexual orientation data)	You Third Parties	Yes (if relevant to clinical trial information)	No	No

Additional Information for California Employees, Job Applicants and Contractors:

In connection with your application for employment or your employment or contractor relationship with the Company, the Company may collect the following categories of Personal Information (as set forth in California Civil Code sections 1798.140(v)(1)(A) through (L), effective January 1, 2023):

Category of Personal Information	Examples of Information Collected in this Category	Sources of Personal Information	Collected?	Sold (for monetary/non-monetary consideration) or Shared (for cross-context behavioral advertising)?
A. Identifiers (Cal. Civ. Code 1798.140(v)(1)(A))	Real name, alias, postal address, unique personal identifier, online identifier, Internal Protocol address, email address, account name, social security number, driver’s license number, passport number or other similar identifiers.	YOU AUTOMATICALLY THIRD PARTIES	Yes	No/No
B. Personal information described in California Civ. Code § 1798.80(e) (the Customer Records statute)	Name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. Some personal information in this category may overlap with other categories.	YOU THIRD PARTIES	Yes	No/No
C. Characteristics of protected classifications under California or federal law Cal. Civ. Code 1798.140(v)(1)(C))	Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or credit, marital status, medical condition (AIDS/HIV status, cancer), physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information), political activities or affiliations, familial status, source of income status, status as a victim of domestic violence, assault, or stalking.	YOU THIRD PARTIES	Yes	No/No
D. Commercial information (Cal. Civ. Code 1798.140(v)(1)(D))	Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.	YOU AUTOMATICALLY	Yes (for reimbursement of expenses or other submissions)	No/No
E. Biometric information (Cal. Civ. Code 1798.140(v)(1)(E) as defined in Cal. Civ. Code 1798.140(c))	An individual’s genetic, physiological, biological or behavioral characteristics, including information pertaining to an individual’s deoxyribonucleic acid (DNA) or activity patterns that can be used to establish individual identity, including images of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health or exercise data that contain identifying information.	YOU AUTOMATICALLY	Yes (audio and video of public work areas may be collected in some instances, or for quality assurance)	No/No
F. Internet or other electronic network activity information (Cal. Civ. Code 1798.140(v)(1)(F))	Browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.	AUTOMATICALLY	Yes	Yes/Yes (some analytics may be provided to third parties handling internet traffic)
G. Geolocation data (Cal. Civ. Code 1798.140(v)(1)(G))	Physical location and/or movements.	YOU AUTOMATICALLY	Yes (for company owned devices or devices accessing company systems)	No/No (but if location services are enabled on your device, other apps may push ads to you)
H. Sensory data (Cal. Civ. Code 1798.140(v)(1)(H))	Audio, electronic, visual, thermal, olfactory, or similar information.	AUTOMATICALLY THIRD PARTIES	Yes (audio and video of public work areas may be collected in some instances, or for quality assurance)	No/No
I. Professional or employment related information (Cal. Civ. Code 1798.140(v)(1)(I))	Current or past job history or performance evaluations	YOU THIRD PARTIES (e.g., from references)	Yes	No/No
J. Non-public education information (per the Family Educational Rights and Privacy Act – 20 U.S.C. § 1232g, 34 CFR Part 99) (Cal. Civ. Code 1798.140(v)(1)(J))	Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records.	YOU THIRD PARTIES (to verify degrees or for background checks)	Yes	No/No
K. Inferences drawn from other personal information Cal. Civ. Code 1798.140(v)(1)(K))	Information used to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.	YOU THIRD PARTIES	Yes	No/No
L. Sensitive Personal Information (Cal. Civ. Code 1798.140(v)(1)(L))	Social security number, driver’s license number, account log-in, debit, or credit card number in combination with password or PIN, precise geolocation (less than 1850 sf radius), racial/ethnic origins, religious or philosophical beliefs, union membership, contents of e-mails or texts to others, genetic/biometric data, health information, sex life/sexual orientation data	YOU AUTOMATICALLY (for geolocation related to company devices/company network access)	Yes	No/No

We use this information for the purposes stated below:

For Job Applicants:

To recruit employees, including evaluation of marketing and job offering services, website traffic, and referral sources;
To process your application for employment;
To conduct employment-related background screening and/or reference checks;
To send you correspondence and information relating to your application or your employment with the Company;
To verify your identity, citizenship, or legal right to work for the Company, or to assist or cooperate with obtaining relevant immigration documents;
To verify your educational background and/or degrees, certifications, licensing, or qualifications for the position you apply for;
To verify your prior employment;
To offer you employment with Company;
For testing, evaluation and/or reporting metrics, including but not limited to aggregating or anonymizing such information for workforce analytics, data analytics, and benchmarking;
To comply with applicable law or regulatory requirements, including legal requirements under state and federal law, law enforcement investigations or inquiries, as well as internal company reporting obligations, such as diversity, equity and inclusion initiatives and/or Equal Employment Opportunity Act reporting obligations;
To detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, and prosecute those responsible for such activity;
For quality assurance purposes, including call monitoring or customer service, and debugging to identify and repair errors that impair existing intended functionality;
For auditing related to a current interaction with the applicant or employee and concurrent transactions, including, but not limited to, counting impressions to unique visitors, verifying positioning and quality of impressions, and auditing compliance with this and other standards;
To analyze the effectiveness of placement of job listings and job descriptions;
For fraud prevention;
For internal research for technological development and demonstration; and
For other purposes stated at or before the time of the collection of the information.

For Employees, Contractors, and Past Employees/Contractors:

All of the above, plus:

To track time and attendance;
To administer employee benefits, such as medical, dental, commuter and retirement benefits, including the recording and processing of eligibility of dependents and beneficiaries, absence and leave monitoring, insurance and accident management, and rewards or discount programs offered to employees;
To provide healthcare-related services, such as accommodations and/or services based on eligibility (e.g., disability, worker’s compensation, medical condition);
To provide payroll, invoice, and tax services, including reimbursement for expenses, salary administration, payroll management, payment of expenses, payment of state and/or federal income taxes (if applicable), social security and unemployment taxes, and to administer other compensation-related payments, including bonuses and equity, if applicable;
To provide voluntary employee wellness programs and health content;
To conduct performance-related reviews, including performance appraisals, professional development, career planning, skills monitoring, job moves, promotions and staff re-structuring;
To monitor work-related licenses and credentials and ensuring compliance, training, examination and other requirements are met with applicable regulatory bodies or governing agencies;
To provide employees with other employment-related services, such as handling of employees’ claims, travel for the Company, moving or relocation services, or administration of separation from employment;
To assist you in case of an emergency, including maintaining contact information for you, your partner or spouse, and/or your dependents in case of personal or business emergency;
To maintain the safety and security of our employees, residents, tenants, contractors, visitors and others, including maintenance of security on Company websites, apps, intranets and/or extranets (such as monitoring email and internet access, and ensuring secure network access and data integrity), maintenance of physical security (including controlled entry to Company worksites and/or real estate assets), monitoring of worksite locations and/or real estate assets, including using biometrics or location monitoring for keys, key fob or key card entry to Company property, ensuring that employees, contractors and visitors comply with all applicable safety regulations;
To send employee gifts and/or bonuses, if applicable;
In connection with audiovisual surveillance of public spaces;
For internal company directories;
For video presentations, interviews, training materials, and/or web conferences within the scope of your employment or contract;
For the tracking of Company-owned or Company-leased vehicles, computers, equipment, and devices, including, but not limited to, remote deletion of Company data on business or personal devices;
For verification of proper use of Company resources;
To facilitate a better working environment;
To maintain commercial insurance policies and overages, including for workers’ compensation and other liability insurance; and
For other purposes stated at or before the time of the collection of the information.

Further, please note that under the CPRA, we may use your personal information for Company business or other notified purposes, provided that the use of Personal Information is reasonably necessary and proportionate to achieve the operational purpose for which the Personal Information was collected or processed.

Exercising Your California Privacy Rights

To exercise the access, correction, Do Not Sell, and deletion rights described in this section, please submit a verifiable consumer request to us by using our webform or calling us with your request at the contact information below. Only you or an authorized agent may make a verifiable consumer request related to your personal information. You may also make a verifiable consumer request on behalf of your minor child. You must include your full name, email address, and attest to the fact that you are a California resident by including a California postal address in your request. We may require you to confirm your identity and/or legal standing for the request as well as your residency in California in order to obtain the information, and you are only entitled to make this request twice a year. We will respond to your request within 45 days or let you know if we need additional time.

Webform: Click Here

Toll-Free Number for California Privacy Requests: (888) 914-9661 [PIN 203788]

Email Address: privacy@gritstone.com

We may be unable to respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you. Making a verifiable consumer request does not require you to create an account with us. We will only use personal information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request.

Your Virginia Privacy Rights

If you are a Virginia resident, you have the right under the Virigina Consumer Data Protection Act (“VCDPA”), upon a verified request, to:

To confirm whether or not a controller is processing your personal data and to access such personal data;
To correct inaccuracies in your personal data;
To delete your personal data;
To obtain a copy of your personal data that you previously provided to us in a portable, and if technically feasible, readily usable format, if processing is carried out by automated means;
To opt out of the processing of your personal data for purposes of (i) targeted advertising, (ii) the sale of personal data, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.

To exercise these rights, you or your authorized agent may make a request to confirm, access, correct, delete, obtain a copy, or opt-out of the processing of your personal data for targeting advertising, sale, or profiling by contacting us as follows:

Webform: Click Here

Email Address: privacy@gritstone.com

If you use an authorized agent to submit your request, we may require proof of the written authorization you have given. We also may require you to confirm your identity and your residency in order to obtain the information, and you are only entitled to make this request up to twice annually. For emails, please include “Virginia Privacy Rights” as the subject line. You must include your full name, email address, and attest to the fact that you are a Virginia resident. We will process your request within 45 days or let you know if we need additional time or cannot process your request. If you make this request by telephone, we may also ask you to provide the request in writing so that we may verify your identity. If we are unable to honor your request for any reason, we will notify you of the reason within the request time period.

If we decline to take action on your request, you can appeal our decision by submitting an email to privacy@gritstone.com entitled “Virginia Privacy Rights Appeal” and we will review your request and respond within 60 days of the receipt of your appeal with a written explanation of the reasons for our decision. If your appeal is denied, you may contact the Virginia Attorney General. to submit a complaint.

Policy Updates

This Privacy Notice may be revised from time to time as we add new features and services, as laws change, and as industry privacy and security best practices evolve. We display an effective date on the policy in the upper left corner of this Privacy Policy so that it will be easier for you to know when there has been a change. If we make any material change to this Privacy Notice regarding use or disclosure of personal information, we will provide advance notice through the Website. Small changes or changes that do not significantly affect individual privacy interests may be made at any time and without prior notice. If you are concerned about how your personal information is used, please visit our Site often for this and other important announcements and updates.

Contact Information

If you have any questions about this Privacy Notice, please contact us at:

Gritstone bio, Inc.
Attn: Compliance Dept.
5959 Horton St., Ste. 300
Emeryville, CA 94608
(510) 871-6100