Privacy Policy

Covant Therapeutics Operating, Inc. and its respective subsidiaries and affiliates ("Covant", "we", "us", or "our") recognize the importance of protecting your privacy. This Privacy Policy ("Policy”) explains how we collect, use and disclose information about you when you use our websites that link to this policy, including but not limited to www.covanttx.com (collectively, the "Sites"). This Policy does not apply to our collection, use, or disclosure of data collected through other means. If we have collected information from or about you subject to a separate Covant privacy policy, consent, or other agreement ("Other Agreement"), to the extent the Other Agreement includes additional terms that are not covered by or are inconsistent with this Policy, the terms and conditions of the Other Agreement will supersede this Policy.

When you use our Sites, we collect, use, and disclose information about you as described in this Policy. Before you use or submit any information through a Site, please carefully review this Privacy Policy and the Terms of Use for that Site.

If we decide to make changes to this Policy, we will post an updated version of the Policy on the Sites. Your use of a Site following the posting of an updated version of the Policy constitutes your acceptance of the updated Policy, so please check the Policy periodically to be sure you are still comfortable with its terms.

The principle focus of the Policy is our practices and policies with respect to your personally identifiable information ("PII"). For purposes of this Policy, PII about you means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with you or your household.

Covant Therapeutics Operating, Inc. is the controller for Covant's processing under this Policy, unless we tell you otherwise in individual cases. However, unless we tell you otherwise, this Policy also applies where a Covant subsidiary or affiliate (a "Group Company") is the controller, instead of Covant Therapeutics, Inc. This applies, in particular, where your PII is processed by a Group Company in connection with its own legal obligations or contracts or where you share PII with such Group Company. In these cases, this Group Company is the controller and only if it shares your data with other Group Companies or Covant Therapeutics, Inc. for their own processing, these other companies also become controllers.

You may contact us for any data protection concerns under the contact details provided in Section XIV below.

Covant collects PII about you when you actively provide it to us, such as by completing an online form, responding to a request for information or a survey, signing up to receive communications from us, or submitting employment inquiries. We also collect some PII from you automatically through your browser when you visit a Site, such as your Internet Protocol (IP) address.

We also may collect PII about you from other sources, such as our business partners; the Internet, including social media websites; the press or other print media; and other organizations or individuals as permitted under applicable law.

Listed below are the types of PII that we may collect about you. Some of these types of information may not be PII, depending on other information about you to which we have access. Each type of information listed below is PII only if the information identifies, relates to, describes, references, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with you or your household.

• Identifiers such as: your name, postal address, online identifier, Internet Protocol (IP) address, email address, Social Security number, driver's license number, or other similar identifiers.
• "Customer Records" information (some of which may be identifiers or professional/employment-related information as well), such as your name, Social Security number, physical characteristics or description, address, telephone number, driver's license or state identification card number, insurance policy number, education, employment, employment history, bank account number other financial information, medical information, health insurance information, or communications exchanged with you.
• Commercial information, such as records of personal property, products or services purchased, obtained, or considered, other purchasing or consuming histories or tendencies or communications exchanged with commercial partners or authorities.
• Internet or other similar network activity, such as browsing history, search history, information on your interaction with our website, mobile application(s), or an advertisement. This may include hardware and browser information of your computer or other online device.
• Professional or employment-related information, such as your current or past job history.
• Personal characteristics that are related to classifications legally protected from discrimination, such as race, national origin, ethnicity, marital status,age and gender.
• Inferences drawn from other PII, such as a summary we might make based on your apparent personal preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities and aptitudes.

We may use the PII we collect from you for a variety of purposes permitted by law, including:

• To communicate with you, including to invite you to participate in surveys, to respond to your inquiries, and to fulfill your requests -- this is necessary for our legitimate interests in running our business and to comply with our legal obligations.
• To provide you with information about our products and services, and to provide you with our products and services -- this is necessary for our legitimate interests in running our business and to take steps to enter into agreements with you;
• To improve our services as well as the content of the Site, including to customize the Site to your preferences -- this is necessary for our legitimate interests in running our business effectively and efficiently;
• For our data analysis, product development, and marketing and research purposes -- this is necessary for our legitimate interests in running our business effectively and efficiently;
• To prevent fraud, including by confirming your identity -- this is necessary to comply with our legal obligations;
• To maintain and upgrade the security of any data or information collected -- this is necessary for our legitimate interests in data security and to protect the vital interests of you or other data subjects;
• For risk management and compliance purposes, including to comply with law enforcement and other legal processes -- this is necessary to comply with our legal obligations;
• For any other purpose you may agree to at or before the time the personal information is collected from you.

Where we ask for your consent for certain processing activities, we will inform you separately about the relevant processing purposes. You may withdraw your consent at any time with effect for the future. Once we have received notification of withdrawal of consent, we will no longer process your PII for the purpose(s) you consented to, unless we have another legal basis to do so. Withdrawal of consent does not, however, affect the lawfulness of the processing based on the consent prior to withdrawal.

Where we do not ask for consent for processing, the processing of your PII relies on the requirement of the processing for initiating or performing a contract with you (or the entity you represent) or on our or a third-party's legitimate interest in the specific processing, in particular in pursuing the purposes and objectives set out in Section IV and in implementing related measures. This also includes the marketing of our products and services, the interest in better understanding our markets and in managing and further developing our company, including its operations, safely and efficiently. Our legitimate interests also include compliance with legal regulations, insofar as this is not already recognized as a legal basis by applicable data protection law.

Where we receive sensitive PII (for example health data, data about political opinions, religious or philosophical beliefs, and biometric data for identification purposes), we may process your PII on other legal basis, for example, in the event of a dispute, as required in relation to a potential litigation or for the enforcement or defense of legal claims. In some cases, other legal basis may apply, which we will communicate to you separately as necessary.

We may share the PII we collect as follows:

• With our service providers, whom we engage to assist us with technology support, operational support and other forms of assistance, and whom we bind by contract to protect the confidentiality and security of the PII we share with them -- this is necessary for our legitimate interests in running our business effectively and efficiently;
• To our affiliated entities within the Covant corporate family, for legally permissible purposes -- this is necessary for our legitimate interests in running our business effectively and efficiently;
• In the event of a proposed or actual reorganization, merger, sale, joint venture, assignment, transfer or other disposition of all or any portion of our company or its assets, to the proposed or actual acquiring party or assignee -- this is necessary for our legitimate interests in achieving our business objectives and to comply with our legal (contractual) obligations;
• As we believe to be appropriate: (i) when required by applicable law, including laws outside your country of residence; (ii) to comply with legal process; (iii) to respond to requests from public and government authorities; (iv) to enforce the terms and conditions for use of the Sites, including this Policy; (v) to protect and defend our rights and property; (vi) to protect the interests of Covant or others; and (vii) to permit us to pursue available remedies or limit the damages that we may sustain -- all to fulfill our legal obligations and protect our legal rights.
• For any other purpose with any other persons or entities consistent with your consent at or before the time the PII is shared.
• Absent your consent, we do not sell your PII and we do not share your PII with non-affiliated entities for them to use for their own direct marketing purposes. We may aggregate your PII with that of others and, to the extent the aggregation de-identifies the information such that it is no longer PII, we may use and share the de-identified data for any purpose, without limitation.

Our websites use cookies and similar technologies to help us distinguish access by you (through your system) from access by other users, so that we can ensure the functionality of the website and carry out analysis and personalization. To learn more about cookies, please visit http://www.allaboutcookies.org. We do not intend to determine your identity, even if that is possible where we or third-party service providers can identify you by combination with registration data. However, even without registration data, the technologies we use are designed in a way that you may be recognized as an individual visitor each time you access the website, for example by our server (or third-party servers ) using cookies. Depending on the purpose of these technologies, we may ask for consent before they are used. You can also set your browser to block or deceive certain types of cookies or alternative technologies, or to delete existing cookies. You can also add software to your browser that blocks certain third-party tracking. You can find more information on the help pages of your browser (usually with the keyword "Privacy").

We use Google Analytics ( http://www.google.com/analytics/ ) to help us monitor performance and usage patterns on the Sites. Google Ireland Ltd. (located in Ireland) is the provider of the service "Google Analytics" and acts as our processor. Google Ireland relies on Google LLC (located in the United States) as its sub-processor (collectively, "Google"). Google collects information about the behavior of visitors to our website (duration, page views, geographic region of access, etc.) through performance cookies and on this basis creates reports for us about the use of our website. We have turned off the "Data sharing" option that would enable Google to access, analyze and use data for its own purposes and deactivated the "Signals" option. Although we can assume that the information we share with Google is not personal data for Google, it may be possible that Google may be able to draw conclusions about the identity of visitors based on the data collected, create personal profiles and link this data with the Google accounts of these individuals for its own purposes. In any event, if you consent to the use of Google Analytics, you expressly consent to any such processing, including the transfer of your personal data (in particular website and app usage, device information and unique IDs) to the United States and other countries, where it may be accessible to authorities not subject to adequate privacy protections. Information about data protection with Google Analytics can be found here https://support.google.com/analytics/answer/6004245 and if you have a Google account, you can find more details about Google's processing here https://policies.google.com/technologies/partner-sites?hl=en.

We will retain PII about you for the period necessary for us to fulfill the legitimate purposes for which we collect PII as outlined in this Policy. We endeavor to use reasonable organizational, technical, and administrative measures to protect the PII we maintain within our organization.

If you would like to update PII that you have provided to us, you may contact us through one of the means listed in Section XIV ("How to Contact Us") at the end of this Policy.

Our Sites are not directed to users under the age of 16 and we do not knowingly collect PII online from any person we know to be under the age of 16.

We disclose PII to other parties (see Section VI) that are not necessarily located in the European Union, the United Kingdom or in Switzerland. Also, most of our Sites are designed for users from the United States, the United Kingdom, and Switzerland, and are controlled and operated by us from the United States. Your PII may therefore be processed both, in Europe and in the United States, and in exceptional cases, in any country in the world.

If a recipient is located in a country without adequate statutory data protection, we require the recipient to undertake to comply with data protection (for this purpose, we use the revised European Commission's standard contractual clauses, which can be accessed here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj? ), unless the recipient is subject to a legally accepted set of rules to ensure data protection and unless we cannot rely on an exception. An exception may apply for example in case of legal proceedings abroad, but also in cases of overriding public interest or if the performance of a contract requires disclosure, if you have consented or if data has been made available generally by you and you have not objected against the processing.

Our Sites may provide links to third-party websites. When you click on one of these links, you will be accessing content that is not subject to this Policy. We are not responsible for the information- collection practices of the other websites that you visit, and advise you to review their privacy policies before you provide them with any PII.

If you are a resident of California, you have certain privacy rights under the California Consumer Privacy Act ("CCPA"). We honor those rights, as described below, and we are prohibited by law from discriminating against you for exercising any of those rights.

If you are a California resident, you have the right to know what PII we have collected about you, why we collected it, and the categories of third parties (excluding service providers) with whom we have shared the PII during the past 12 months. (See below on "How to Submit a Request."") You may request that we provide a description of the categories of PII we have collected (a "Categories Request"), or request access to the specific pieces of PII we have collected (a "Specific Pieces Request.")

If you wish to make a Categories Request, you will need to provide us with at least two data elements specific to you, such as your cell phone number or mother's maiden name (depending on the data elements we already maintain about you), so that we can verify your identity. After we confirm that your request is a verifiable consumer request, we will disclose to you:

The categories of PII we collected about you.
The categories of sources for the PII we collected about you (e.g., social media websites, government records available to the public, etc.).
Our business or commercial purpose for collecting that PII.
The categories of third parties other than service providers (if any) with whom we shared the PII.

If you make a Specific Pieces Request, before we respond, we need to be sure we have verified your identity with great certainty to safeguard your privacy. In order to verify your identity, you will need to provide to us at least three data elements specific to you, together with a signed declaration under penalty of perjury that you are the consumer whose personal information is the subject of the request. After we confirm that your request is a verifiable consumer request, we will disclose to you the specific pieces of PII we collected about you that you requested.

You have the right to request that we delete any of your PII that we collected from you and retained. We are not obligated to comply with your request if we have a legal basis to retain the PII. If you make a request for us to delete PII, you will need to provide us with at least two data elements specific to you so that we can verify your identity. Once we receive and confirm that your request is a verifiable consumer request (see below on "How to Submit a Request"), we will inform you whether we have deleted (and have directed our service providers to delete) your PII from our records, or whether we are declining to grant your request to delete due to an exception to the CCPA deletion requirements.

​​If you are working for or seeking to work for Covant, or if you are an employee or other representative of a business or other organization that is exploring or engaging in a business-to- business transaction with Covant, the CCPA currently does not provide your with a "right to know" or "right to request deletion" until January 1, 2023.

To request access to or deletion of your PII as described above, please submit a verifiable consumer request to us by either:

Sending us an email at info@covanttx.com ; or
Mailing your request to:
Covant Therapeutics Operating, Inc.
451 D Street
Boston, MA 02210 

You may make a request on your own behalf, and if you are the parent or guardian of a minor child, you also may make a request related to your child's PII. If you wish to designate an authorized agent to make a request on your behalf, please provide us with a signed declaration stating that your intent is to permit that individual to act on your behalf and include such individual's full name, address, email address, and phone number. That way we will be sure you have fully authorized us to act in accordance with the requests of that individual.

As indicated above, in order to protect your PII from unauthorized disclosure or deletion at the request of someone other than you or your legal representative, Covant requires identification verification before granting any request to provide copies of, know more about, or delete your PII. We take special precautions to help ensure this. We cannot respond to your request or provide you with PII if we cannot verify your identity or authority to make the request and confirm that the PII relates to you. We will only use PII collected in connection with a request from you to verify your identity or authority to make the request.

We endeavor to respond to a verifiable consumer request within forty-five (45) days of its receipt. If we require more time (up to 45 additional days), we will inform you in writing of the reason(s) and the number of additional days we need to respond.

If you reside in the European Economic Area, Switzerland, or the United Kingdom, you have the following rights in relation to your PII (referred to in these jurisdictions as "Personal Data"), depending on the applicable data protection law:

• Access. You have the right to request details about the Personal Data that we hold about you and copies of that Personal Data.
• Right to Withdraw Consent. Where you have consented to our processing of your Personal Data, you have the right to withdraw such consent at any time. In the event you wish to withdraw your consent to processing, please contact us as described in Section XIV ("How to Contact Us") below.
• Data Portability. In certain circumstances, you may request us to port (i.e., transmit) your Personal Data directly to another organization or to you.
• Rectification. You have the right to ensure that the Personal Data about you that we hold is accurate and up to date. If you think that any information we have about you is incorrect or incomplete, please contact us as described in Section XIV ("How to Contact Us") below.
• Deletion. You have the right to have your Personal Data deleted in certain specified situations.
• Restriction of processing. You have the right in certain specified situations to require us to restrict processing your Personal Data.
• Object to processing. You have the right to object to specific types of processing of your Personal Data, such as, where we are processing your Personal Data for the purposes of direct marketing, for profiling carried out for direct marketing purposes and for other legitimate interests in processing.
• Prevent automated decision-taking. In certain circumstances, you have the right not to be subject to decisions about you being made solely on the basis of automated processing.

If you wish to enforce any of your rights under data protection laws applicable in the EU, UK, or Switzerland, please contact us as indicated in Section XIV ("How to Contact Us") below. In order for us to be able to prevent misuse, we need to identify you (for example by means of a copy of your ID card, if identification is not possible by other means). We will respond to your request without undue delay and by no later than one month from receipt of any such request, unless a longer period is permitted by applicable data protection laws. Please note that conditions, exceptions, or restrictions apply to these rights under applicable data protection law (for example to protect third parties or trade secrets). We will inform you accordingly where applicable. We may charge a reasonable fee for dealing with your request, and if we choose to do so, we will notify to you. Please note that we will only charge a fee where we are permitted to do so by applicable data protection laws. If you are concerned that we have not complied with your legal rights under applicable data protection laws, you may contact your local supervisory authority.

A list of the supervisory authorities of the European Union, along with their contact details can be found here: https://edpb.europa.eu/about-edpb/about-edpb/members_en The Information Commissioner's Office http://www.ico.org.uk/ is the data protection regulator in the UK. The Federal Data Protection and Information Commissioner https://www.edoeb.admin.ch/edoeb/en/home.html is the data protection regulator in Switzerland.

If you have any questions regarding this Policy or want to exercise your data protection rights under Section XIII please send an email to info@covanttx.com or write to us at:

Covant Therapeutics Operating Inc, Inc.
451 D Street
Boston, MA 02210

This Privacy Policy is effective as of: September 28, 2022.