Privacy Policy - ATTOVIA

Privacy Notice

Last Updated: April 9, 2026

Attovia Therapeutics, Inc. (“Attovia”) is committed to protecting and maintaining your privacy. This Privacy Notice is designed to help you understand how we collect, use, and share your personal information. Attovia processes personal information in accordance with applicable national, provincial/state, and local laws and regulations. This Privacy Notice applies to the processing of your personal information when:

You visit https://www.attovia.com or any other Attovia website or other online offerings that link to, or are otherwise subject to, this Privacy Notice (collectively, the “Services”);

We respond to communications you make with us online (such as by email or via our “Contact Us” form), via phone, or offline to our physical address;

You are a principal, employee, agent, or contractor of our actual or potential business partners;

You are a clinical investigator, member of an investigator team, or other study site personnel;

You are a clinical study candidate; or

You are a candidate for employment or internship at Attovia.

Disclosure Regarding Additional Privacy Policies and Notices. Attovia may have other unique privacy policies or notices that apply to certain specific situations. To the extent you were provided with a different privacy policy or notice and that policy or notice applies, those policies or notices may supplement this Privacy Notice or may apply in lieu of this Privacy Notice. For example, if you are a participant in a clinical study, clinical trial, or other health-related research, you should receive a separate privacy notice regarding the personal information we process for those purposes.

Disclosure Regarding the Supplemental Consumer Health Data Privacy Notice. For information on our processing of “consumer health data” via the Services that is subject to the Washington My Health My Data Act, the Nevada Consumer Health Data Privacy Law, or other applicable state privacy laws that expressly apply to consumer health data, please see Annex A – Supplemental Consumer Health Data Privacy Notice.

UPDATES TO THIS PRIVACY NOTICE
PERSONAL INFORMATION WE COLLECT
HOW WE USE PERSONAL INFORMATION
HOW WE SHARE PERSONAL INFORMATION
YOUR PRIVACY CHOICES AND RIGHTS
INTERNATIONAL TRANSFERS OF PERSONAL INFORMATION
RETENTION OF PERSONAL INFORMATION
SUPPLEMENTAL NOTICE FOR EU/UK GDPR
CHILDREN’S PERSONAL INFORMATION
CONTACT US

Annex A – Supplemental Consumer Health Data Privacy Notice

1. UPDATES TO THIS PRIVACY NOTICE

We may update this Privacy Notice from time to time in our sole discretion. If we do, we’ll let you know by posting the updated Privacy Notice on our website, and we may also send other communications.

2. PERSONAL INFORMATION WE COLLECT

We collect personal information that you provide to us, personal information we collect automatically when you use the Services, and personal information from third-party sources, as described below.

A. Personal Information You Provide to Us Directly

We may collect personal information that you provide to us.

Engagement with Our Services. We may collect personal information in connection with your engagement with our Services.
Healthcare Professionals. If you are a healthcare professional, we may collect personal information such as your professional contact information, credential and institutional affiliations information, information about our programs and activities in which you have participated, information about our interactions with you, information about your published papers, your photograph, information about your prescribing of our products and services, and information contained in agreements executed with us.

Clinical Trial Participation. If you are a clinical study candidate or participant, we may collect information necessary to assess your eligibility and facilitate your participation in clinical research. This may include your contact information, demographic details, relevant medical history, and other data required by study protocols or regulatory requirements.
Your Communications with Us. We, and our service providers, may collect the information you communicate to us, such as through our website contact forms, email or other correspondence. This may include your name, contact details, and the content of your communications.
Surveys. We may contact you to participate in surveys. If you decide to participate, we may collect personal information from you in connection with the surveys.
Conferences, Trade Shows, and Other Events. We may collect personal information from individuals when we attend or host conferences, trade shows, and other events.
Business Development and Strategic Partnerships. We may collect personal information from individuals and third parties to assess and pursue potential business opportunities.
Job Applications. If you apply for a job with us, we will collect any personal information you provide in connection with your application, such as your contact information and resume or CV.

B. Personal Information Collected Automatically

We may collect personal information automatically when you use the Services.

Device Information. We may collect personal information about your device, such as your Internet Protocol (IP) address, user settings, cookie identifiers, other unique identifiers, browser or device information, Internet service provider, and location information (including, as applicable, an approximate location derived from the IP address and precise geo-location information).

Usage Information. We may collect personal information about your use of the Services, such as the pages that you visit, items that you search for, the types of content you interact with, information about the links you click, the frequency and duration of your activities, and other information about how you use the Services.

Cookie Notice (and Other Technologies). We, as well as third parties, may use cookies, pixel tags, and other technologies (“Technologies”) to automatically collect personal information through your use of the Services.
- Cookies. Cookies are small text files stored in device browsers.
- Pixel Tags/Web Beacons. A pixel tag (also known as a web beacon) is a piece of code embedded in the Services that collects personal information about use of or engagement with the Services. The use of a pixel tag allows us to record, for example, that a user has visited a particular web page or clicked on a particular advertisement. We may also include web beacons in emails to understand whether messages have been opened, acted on, or forwarded.

See “Your Privacy Choices and Rights” below to understand your choices regarding these Technologies.

C. Personal Information Collected from Third Parties

We may collect personal information about you from third parties. For example, if you access the Services using a third-party website (such as www.clinicaltrials.gov), application, service, products, or technology (each a “Third-Party Service”), we may collect personal information about you from that Third-Party Service that you have made available via your privacy settings.

3. HOW WE USE PERSONAL INFORMATION

We use personal information for a variety of business purposes, including to provide the Services, for administrative purposes, to improve the Services, to provide you with marketing materials, and with your consent, as described below.

A. Provide the Services

We use personal information to provide the Services, such as:

Managing your information;
Providing access to certain areas, functionalities, and features of the Services;
Communicating with you;
Answering requests;
Allowing you to register for events;
Analyzing, improving, upgrading, and/or enhancing the Services through the use of artificial intelligence and other methods;
Sharing personal information with third parties as needed to provide the Services; and
Processing your financial information and other payment methods.

EU/UK GDPR Lawful Bases: If the EU GDPR or the UK GDPR applies to our processing of personal information under this section, our lawful bases may include performance of a contract, legitimate interest, consent, and/or compliance with legal obligations.

B. Improve the Services and Develop New Products and Services

We use personal information to improve the Services and to develop new products and services, such as improving, upgrading, or enhancing the Services.

C. Operate Our Business

We use personal information to operate our business, such as:

Pursuing our legitimate interests such as direct marketing, research and development (including marketing research), network and information security, and fraud prevention;
Carrying out analytics;
Creating de-identified and/or aggregated information. If we create or receive de-identified information, we will not attempt to reidentify such information unless doing so is permitted by, or we are required to do so to comply with, applicable laws;
Processing applications if you apply for a job we post on our Services;
Allowing you to register for events;
Enforcing our agreements and policies; and
Carrying out activities that are required to comply with our legal obligations.

D. Marketing

We may use personal information in connection with our marketing activities including to tailor and provide you with marketing communications, promotions, and offers that may interest you.

EU/UK GDPR Lawful Bases: If the EU GDPR or the UK GDPR applies to our processing of personal information under this section, our lawful bases may include legitimate interest and/or consent.

E. With Your Consent or Direction

We may use personal information: (i) for other purposes that are clearly disclosed to you at the time you provide the personal information, (ii) with your consent, or (iii) as otherwise directed by you.

4. HOW WE SHARE PERSONAL INFORMATION

We share personal information with third parties for a variety of business purposes, including to provide the Services, to protect us or others, or in connection with a major business transaction such as a merger, sale, or asset transfer, as described below.

A. Disclosures to Provide the Services

We may share any of the personal information we collect with the categories of third parties described below.

Service Providers. We may share personal information with service providers that assist us with the provision of the Services. This may include, but is not limited to, service providers that provide us with hosting services, webchat tools, customer service, artificial intelligence (“AI”) or machine learning services, analytics, marketing services, IT support, and related services.
Other Users You Share or Interact With. The Services may allow Attovia users to share personal information or interact with other users of the Services.
Third-Party Services You Share or Interact With. The Services may link to or allow you to interface with, interact with, share information with, direct us to share information with, access, and/or use a Third-Party Service. Any personal information shared with a Third-Party Service will be subject to the Third-Party Service’s privacy policy. We are not responsible for the processing of personal information by Third-Party Services.
Business Partners. We may share your personal information with business partners we work with to provide you with a product or service you have requested. We may also share your personal information with business partners with whom we jointly offer products or services.

Once your personal information is shared with our business partner, it will also be subject to our business partner’s privacy policy. We are not responsible for the processing of personal information by our business partners.

Advertising Partners. We may share your personal information with third-party advertising partners. These third-party advertising partners may set Technologies on our Services to collect personal information regarding your activities and your device (e.g., IP address, cookie identifiers, page(s) visited, location, time of day). These advertising partners may use this personal information (and similar information collected from other services) to tailor and deliver personalized ads to you when you visit digital properties within their networks. This practice is commonly referred to as “interest-based advertising,” “personalized advertising,” or “targeted advertising.”

B. Disclosures to Protect Us or Others

We may share your personal information and related information with external parties if we, in good faith, believe doing so is required or appropriate to comply with law enforcement requests, national security requests, or other government requests; comply with legal process, such as a court order or subpoena; protect your, our, or others’ rights, property, or safety; enforce our policies or contracts; collect amounts owed to us; or assist with an investigation or prosecution of suspected or actual unauthorized or illegal activity.

C. Disclosure in the Event of Merger, Sale, or Other Asset Transfers

If we are contemplating or involved in a merger, acquisition, financing, reorganization, bankruptcy, receivership, purchase or sale of assets, transition of service to another provider, or other similar corporate transaction, your personal information may be shared, sold, or transferred as part of such a transaction.

5. YOUR PRIVACY CHOICES AND RIGHTS

Your Privacy Choices. The privacy choices you may have about your personal information are described below.

Email Communications. If you receive an unwanted email from us, you can use the unsubscribe functionality found at the bottom of the email to opt out of receiving future emails. Note that you will not be able to opt out of certain communications (e.g., communications regarding the Services or updates to this Privacy Notice).
Text Messages. If you receive an unwanted promotional text message from us, you may opt out of receiving future promotional text messages from us by following the instructions in the text message you have received from us or by otherwise contacting us as set forth in “Contact Us” below.
“Do Not Track.” Do Not Track (“DNT”) is a privacy preference that users can set in certain web browsers. Please note that we do not respond to or honor DNT signals or similar mechanisms transmitted by web browsers.
Cookies. You may stop or restrict the placement of Technologies on your device or remove them by adjusting your preferences as your browser or device permits. However, if you adjust your preferences, the Services may not work properly.

Please note that cookie-based opt-outs are not effective on mobile applications. However, you may opt out of certain tracking on some mobile applications by following the instructions for Android, iOS, and other mobile operating systems.

The online advertising industry also provides mechanisms that may allow you to opt out of receiving targeted ads from organizations that participate in self-regulatory programs. To learn more, visit the Network Advertising Initiative, the Digital Advertising Alliance, and the European Digital Advertising Alliance.

Please note you must separately opt out in each browser and on each device.

Your Privacy Rights. In accordance with applicable law, you may have the right to:

Request Access to or Portability of Your Personal Information;
Request Correction of Your Personal Information;
Request Deletion of Your Personal Information;
Request Restriction of, or Object to, Our Processing of Your Personal Information; and
Withdraw Your Consent to Our Processing of Your Personal Information. Please note that your withdrawal will take effect only for future processing and will not affect the lawfulness of processing before the withdrawal.

If you would like to exercise any of these rights, please contact us as set forth in “Contact Us” below. While you will generally not be required to pay a fee to access your personal information or to exercise any of your other statutory rights, we may charge a reasonable fee if your request for access is clearly completely unfounded or excessive or decline to comply with such requests where permitted by applicable data privacy laws.

We will process such requests in accordance with applicable laws.

Only you, or someone legally authorized to act on your behalf in certain jurisdictions, may make a request to exercise the rights listed above regarding your personal information. If your personal information is subject to a law that allows an authorized agent to act on your behalf in exercising your privacy rights and you wish to designate an authorized agent, please provide written authorization signed by you and your designated agent using the information found in “Contact Us” below and ask us for additional instructions.

To protect your privacy, we may take steps to verify your identity before fulfilling requests submitted under applicable privacy laws. These steps may involve asking you to provide sufficient information that allows us to reasonably verify that you are the person about whom we collected personal information or an authorized representative. Examples of our verification process may include asking you to confirm the email address we have associated with you.

Some laws may allow you to appeal our decision if we decline to process your request. If applicable laws grant you an appeal right, and you would like to appeal our decision with respect to your request, you may do so by informing us of this and providing us with information supporting your appeal.

You also have the right to lodge a complaint about our processing of your personal information with the body regulating data protection in the country or state / province in which you live.

If your personal information is subject to the applicable data protection laws of the European Economic Area or the United Kingdom, you have the right to lodge a complaint with the competent supervisory authority if you believe that our processing of your personal information violates applicable law.

If you are located within the European Economic Area, you may find the contact details of the competent authorities in the following link: https://www.edpb.europa.eu/about-edpb/about-edpb/members_en.

If you are located within the United Kingdom, you may lodge a complaint with the Information Commissioner’s Office (ICO) by clinking here: https://ico.org.uk/make-a-complaint/.

6. INTERNATIONAL TRANSFERS OF PERSONAL INFORMATION

All personal information processed by us may be transferred, processed, and stored anywhere in the world, including, but not limited to, the United States or other countries, which may have data protection laws that are different from the laws where you live. These countries may or may not have adequate data protection laws as defined by the data protection authority in your country.

If we transfer personal information from the European Economic Area, Switzerland, and/or the United Kingdom to a country that does not provide an adequate level of protection under applicable data protection laws, one of the safeguards we may use to support such transfer is the EU Standard Contractual Clauses.

For more information about the safeguards we use for international transfers of your personal information, please contact us as set forth below.

7. RETENTION OF PERSONAL INFORMATION

We store the personal information we collect as described in this Privacy Notice for as long as you use the Services, or as long as necessary to fulfill the purpose(s) for which it was collected, or as long as necessary to pursue our business purposes.

To determine the appropriate retention period for personal information, we may consider applicable legal requirements; the amount, nature, and sensitivity of the personal information; certain risk factors; the purposes for which we process your personal information; and whether we can achieve those purposes through other means.

8. SUPPLEMENTAL NOTICE FOR EU/UK GDPR

This Supplemental Notice for EU/UK GDPR applies only to our processing of personal information that is subject to the EU or UK General Data Protection Regulation.

In some cases, providing personal information may be a requirement under applicable law, a contractual requirement, or a requirement necessary to enter into a contract. If you choose not to provide personal information in cases where it is required, we will inform you of the consequences at the time of your refusal to provide the personal information.

If we process personal information that is considered a “special category of personal data,” then our processing of this personal information may be supported by one or more of the following conditions:

Explicit Consent: You may have provided your explicit consent for our processing of your personal information.
Necessary for Employment, Social Security, or Social Protection Law Purposes: Our processing of your personal information may be necessary for the purposes of carrying out obligations and exercising specific rights in the field of employment, social security, and/or social protection law.
Publicly Available Personal Information. Our processing of your personal information may relate to personal information that has been manifestly made public by you.
Necessary to Protect Vital Interests: Our processing of your personal information may be necessary to protect your vital interests if you are physically or legally incapable of giving consent.
Necessary for the Establishment, Exercise, or Defense of Legal Claims: Our processing of your personal information may be necessary for the establishment, exercise, or defense of legal claims.
Necessary for Substantial Public Interest: Our processing of your personal information may be necessary for reasons of substantial public interest.
Necessary for Medical Purposes: Our processing of your personal information may be necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services, or it may be necessary pursuant to a contract with a health professional.
Necessary for Substantial Interest in the Area of Public Health: Our processing of your personal information may be necessary for reasons of public interest in the area of public health.

9. CHILDREN’S PERSONAL INFORMATION

The Services are not directed to children under 18, and we do not knowingly collect personal information from children.

If you are a parent or guardian and believe that your child has uploaded personal information to the Services in violation of applicable law, you may contact us as described in “Contact Us” below.

10. CONTACT US

Attovia is the controller of the personal information we process under this Privacy Notice.

If you have any questions about our privacy practices or this Privacy Notice, or to exercise your rights as detailed in this Privacy Notice, please contact us at: info@attovia.com.

Annex A – Supplemental Consumer Health Data Privacy Notice

This Supplemental Consumer Health Data Privacy Notice (“Consumer Health Data Privacy Notice”) supplements the Attovia Privacy Notice. This Consumer Health Data Privacy Notice only applies to personal information that we process that is “consumer health data” subject to the Washington My Health My Data Act (“MHMDA”), the Nevada Consumer Health Data Privacy Law (“NCHDPL”), or other applicable state privacy laws that expressly apply to consumer health data.

Terms used in this Consumer Health Data Privacy Notice that are defined in the MHMDA, NCHDPL, or other applicable state privacy laws that expressly apply to consumer health data, will have the meaning set forth in those laws to the extent such laws are applicable.

CONSUMER HEALTH DATA WE COLLECT

Consumer health data is defined very broadly, and many of the categories of personal information that we collect under our Privacy Notice may also be considered consumer health data.

Examples of consumer health data that you may provide to us, or that we may otherwise collect, may include:

Information that could identify your inquiry about, or attempt to participate in, clinical research or health-related services.
Information about your health-related conditions, symptoms, status, diagnoses, disease, testing, or treatments.
Information about social, psychological, behavioral, and medical interventions.
Information about use or purchase of prescribed medication.
Information about measurements of bodily functions, vital signs, symptoms, or characteristics.
Information about diagnoses or diagnostic testing, treatment, or medication.
Information about surgeries or other health-related procedures.
Reproductive or sexual health information.
Other information that may be used to infer or derive data related to the above or other consumer health data.

SOURCES OF CONSUMER HEALTH DATA

We collect consumer health data that you provide to us, consumer health data we collect automatically when you use the Services, and consumer health data from third-party sources, as described in our Privacy Notice and below.

WHY WE COLLECT AND USE CONSUMER HEALTH DATA

We collect and use consumer health data for the purposes and in the manner described in the “How We Use Personal Information” section of the Privacy Notice.

Primarily, we collect and use consumer health data as reasonably necessary to respond to your inquiries, facilitate your engagement with us outside of formal clinical trial participation, and provide you with information or Services you have requested or authorized. This may include responding to your requests for information about our research; conducting pre-screening or eligibility assessments prior to formal enrollment in a clinical trial; and communicating with you regarding events, updates, or opportunities related to our research activities. It may also involve ensuring the secure and reliable operation of our websites, online forms, and supporting systems; troubleshooting, monitoring and improving our communications and outreach efforts; and supporting essential business operations, such as analyzing website performance and meeting our legal obligations.

We may also use consumer health data for other purposes for which we give you choices and/or obtain your consent as required by law.

SHARING OF CONSUMER HEALTH DATA

We may share each of the categories of consumer health data described above for the purposes described above and in the “How We Use Personal Information” section of the Privacy Notice. In particular, we may share consumer health data with your consent or as reasonably necessary to complete any transaction or provide any product or Service you have requested or authorized, as described above.

THIRD PARTIES WITH WHICH WE SHARE CONSUMER HEALTH DATA

We may share consumer health data with the categories of third parties listed in the “How We Disclose Personal Information” section of the Privacy Notice.

HOW TO EXERCISE YOUR RIGHTS

In accordance with applicable law, you may have specific rights with respect to your consumer health data, including the right to:

Confirm whether Attovia is collecting, sharing, or selling consumer health data;
Request access to or portability of your consumer health data;
Request correction of your consumer health data;
Request to opt out of certain processing activities including, as applicable, if we process your consumer health data for “targeted advertising” (as “targeted advertising” is defined by applicable consumer health data privacy laws), if we “sell” your consumer health data (as “sell” is defined by applicable consumer health data privacy laws), or if we engage in “profiling” in furtherance of certain “decisions that produce legal or similarly significant effects” concerning you (as such terms are defined by applicable consumer health data privacy laws);
Request a list of all third parties with whom Attovia has shared your consumer health data, or to whom Attovia has sold such consumer health data;
Request that Attovia cease collecting, sharing, or selling your consumer health data;
Request deletion of your consumer health data; and
Withdraw your consent from Attovia’s collection and sharing of consumer health data.

The rights afforded to consumers under applicable consumer health data privacy laws are subject to certain exceptions.

You can request to exercise such rights by following the instructions found under the “Your Privacy Choices and Rights” section of the Privacy Notice.

If your request to exercise a right under MHMDA or NCHDPL is denied, you may appeal that decision by contacting us at: info@attovia.com.

If your appeal is unsuccessful and your consumer health data is subject to MHMDA, you can raise a concern or lodge a complaint with the Washington State Attorney General at www.atg.wa.gov/file-complaint.

DISCLOSURE REGARDING THIRD PARTY COLLECTION oF CONSUMER HEALTH DATA UNDER NCHDPL

This section only applies to our processing of consumer health data that is subject to NCHDPL.

When you visit Attovia’s websites or online services, we may allow third parties to collect consumer health data via Technologies that they may use over time and across different Internet websites or online services.

For more details, see “How We Disclose Personal Information” > “Advertising Partners” in the Privacy Notice.

UPDATES TO THIS CONSUMER HEALTH DATA PRIVACY NOTICE

We may update this Consumer Health Data Privacy Notice from time to time in our sole discretion. If we do, we’ll let you know by posting the updated Consumer Health Data Privacy Notice on our website, and/or we may also send other communications.