PRIVACY POLICY PRIVACY POLICY Last updated: February 1, 2021 Vifor Pharma, Inc., (“Vifor Pharma,” “we,” “our,” “us”) is committed to protecting the privacy and security of Personal Information, including for visitors to our website, patients, healthcare providers, investors, and job applicants. This privacy policy (the “Privacy Policy”) describes what we do with the Personal Information we collect from you through ViforPharma.com, Veltassa.com, and any of our other websites and online services that link to this Privacy Policy (the “Services”) and offline. This Privacy Policy also applies to our employees, independent contractors, and job applicants. By using the Services, you agree to our collection and use of Personal Information as described in this Privacy Policy. The term “Personal Information” as used herein includes any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. It does not include de-identified or aggregate information. Personal Information Collection In the 12 months preceding the date of this Privacy Policy, we may have collected the following categories of Personal Information from or about you when you visited or used the Services, accessed various content or features, submitted information to us (including as an employee, contractor or job applicant) or directly contacted us with questions or feedback: Personal identifiers, such as name, address, phone number, email address, social security number, drivers’ license number or state ID number, information about any beneficiaries, dependents, or emergency contacts, or other similar identifiers; Characteristics of protected classes, including sex/gender (including pregnancy, childbirth, breastfeeding and/or related medical conditions), age (over 40), marital status, disability information, requests for leave from employment for family care, pregnancy or serious health reasons; Educational and professional information; and Audio or visual information, including when we record in-house presentations, interviews or other internal media activities; and We also may collect certain categories of Personal Information automatically when you visit the Services or otherwise interact with us, including: Your Internet Protocol (IP) address, which is the number automatically assigned to your computer whenever you access the Internet and that can sometimes be used to derive your general geographic area; Other unique identifiers, including mobile device identification numbers; Your browser type and operating system; Sites you visited before and after visiting the Services; Pages you view and links you click on within the Services; Information about your interaction with the Services or other websites, applications or advertisements; Information about your interactions with email messages, such as the links clicked on and whether the messages were received, opened, or forwarded; and Standard Server Log Information. We will continue to collect the same categories of Personal Information from you from the same sources. Use of Personal Information In the 12 months preceding the date of this Privacy Policy, we may have used your Personal Information for the following purposes, and we may continue to use your Personal Information for the same purposes: Providing you with the products, services, newsletters, and information you request and respond to correspondence that we receive from you; Contacting you via email and otherwise about products and services that we think might be of interest to you; Maintaining or administering the Services, performing business analyses, or for other internal purposes to improve the quality of our business, the Services, and other products and services we offer; Customizing and personalizing your use of the Services; Processing employment applications; Employee recruitment and hiring; Employee performance management; To comply with health and safety regulations, security measures, and monitoring, managing, and securing IT resources for our employees and contractors; Managing and administering benefits and compensation; To conduct internal investigations and ensure compliance with company policies and the law; and To contact designated individuals in case of an emergency Sharing of Personal Information We are committed to maintaining your trust, and we want you to understand when and with whom we may share the Personal Information we collect. We do not sell Personal Information. Service Providers: We may share your Personal Information with service providers that perform certain functions or services on our behalf (such as to host the Services, fulfill orders, provide products and services, manage databases, perform analyses, provide customer service, provide you with information about our products or those of our partners or affiliates, or send communications for us). Business Transfer: If we sell all or part of our business, or make a sale or transfer of assets, or are otherwise involved in a merger or business transfer, or in the unlikely event of bankruptcy, a business reorganization, or similar event, we may transfer your information as part of such transaction. Administrative or Legal Process: We may disclose your information to third parties in order to protect the legal rights, safety, and security of our organization, our corporate affiliates, subsidiaries, business partners, and the users of our Services; enforce our Terms of Use; respond to and resolve claims or complaints; prevent fraud or for risk management purposes; and comply with or respond to law enforcement or legal process or a request for cooperation by a government or other entity, whether or not legally required. Other Parties With Your Consent: We may share information with third parties for other purposes at your direction or when you otherwise consent to such sharing. Aggregate Information: We may share aggregate information, such as demographic and usage statistics, with other organizations. Cookies and Related Technologies We may use cookies, pixel tags, and similar technologies to automatically collect your Personal Information. Cookies are small bits of code that are stored by your computer’s web browser and that may automatically identify your browser to the Services whenever your computer is used to visit the Services. Pixel tags are very small images or small pieces of data embedded in images, also known as “web beacons” or “clear GIFs,” that can recognize cookies, the time and date a page is viewed, a description of the page where the pixel tag is placed, and similar information from your computer or device. You can decide if and how your computer will accept a cookie by configuring your preferences or options in your browser. However, if you choose to reject cookies and similar technologies, you may not be able to use certain online products, services or features on the Services. In addition, we may allow third parties to place and read their own cookies, web beacons, and similar technologies to collect information through the Services. For example, like many website operators, we may use Google Analytics to learn more about how visitors interact with our Services. You can find out more about how Google uses this data by clicking here: https://policies.google.com/technologies/partner-sites For more information about how to opt-out of Google Analytics (i.e., you do not want it to be used in your browser), click here: https://tools.google.com/dlpage/gaoptout. You understand that when you use the Services, these analytics providers may collect information related to your use of the Services. In some cases, third parties may be able to collect information about your online activities over time and across different websites when you use our Services. Links To Other Web Sites and Social Media Buttons The Services may contain links to other websites or online services or social media buttons that are operated and maintained by third parties and that are not under the control of or maintained by us. Such links do not constitute an endorsement by us of those other websites, social media platforms, the content displayed therein, or the persons or entities associated therewith. This Privacy Policy does not apply to those websites, services or platforms. We encourage you to review the privacy policies of these third-party websites, services or platforms. Security We have adopted reasonable security measures to help protect against loss, misuse, and unauthorized access to your Personal Information. Please note that no data transmission or storage can be guaranteed to be 100% secure. As a result, while we strive to protect your information and privacy, we cannot guarantee or warrant the security of any information you disclose to us or transmit to the Services. Children’s Online Privacy The Services are directed to a general audience. We do not knowingly collect, use, or disclose Personal Information from children under the age of 13. If we learn that we have collected Personal Information from a user under 13, we will promptly delete Personal Information collected from that user. We do not sell the Personal Information of minors under 16 years of age. Opting Out of Direct Marketing Emails You may direct us to stop sending you marketing emails by selecting the “unsubscribe” link at the bottom of such emails and following the accompanying instructions. Please allow us a reasonable time to process your request. Changes To This Privacy Policy We may update this Privacy Policy periodically to reflect changes in our privacy practices. We will post a prominent notice through our Services to notify you of changes, and indicate at the top of this Privacy Policy when it was most recently updated. Your continued use of the Services following any notification of posted changes constitutes your acceptance of such changes. Your California Privacy Rights If you are a California resident, you may have separate rights regarding your Personal Information, in accordance with applicable California law. Shine the Light. California's "Shine the Light" law, Civil Code section 1798.83, requires certain businesses to respond to requests from California residents asking about the business' practices related to disclosing Personal Information to third parties for the third parties' direct marketing purposes. We do not disclose Personal Information to such entities, for such purposes. Do Not Track. Some web browsers may transmit “do-not-track” signals to the websites with which the user communicates. Because of differences in how web browsers incorporate and activate this feature, it is not always clear whether users intend for these signals to be transmitted, or whether they even are aware of them. Because there currently is no industry standard concerning what, if anything, websites should do when they receive such signals, we currently do not take action in response to these signals. California Consumer Privacy Act of 2018. The California Consumer Privacy Act of 2018 (the “CCPA”) grants California residents certain rights with respect to their Personal Information, including, as described below, the right to know about, delete, and if applicable, opt-out of the sale of their Personal Information. These rights are subject to certain limitations, however, such as that they do not all apply to Personal Information about employees, applicants, and contractors, or information processed exclusively in the business-to-business context (e.g., information about an individual acting in his or her capacity as a representative of an entity). Where exceptions to the CCPA apply to a request you submit, we will provide you with an explanation. As a California Resident, you have the right to request: Information about the Personal Information that we have collected, used, and disclosed about you in the 12 months prior to our receipt of your request, including the categories of Personal Information collected; the categories of sources; the business or commercial purposes for which we collected your Personal Information; the categories of Personal Information disclosed for a business or commercial purpose; and the categories of third parties with whom we shared your Personal Information. The specific pieces of Personal Information that we have collected about you in the 12 months prior to receipt of your request; and, To have your Personal Information deleted. For deletion requests, please note that the law allows us to retain your Personal Information where it is necessary for us to provide you with a product or service that you requested; perform a contract we entered into with you; maintain the functionality or security of our systems; or comply with or exercise rights provided by the law. The law also permits us to retain specific information for our exclusively internal use, but only in ways that are compatible with the context in which you provided the information to us or that are reasonably aligned with your expectations based on your relationship with us. To submit requests to know or delete your Personal Information, you may contact us at 650-421-9500 or privacy@viforpharma.com We will respond to requests to know or delete Personal Information initially by acknowledging receipt of the request within 10 business days. We will provide a substantive response to your request within 45 days from receipt of your request, although we may be allowed to take longer to process your request under certain circumstances. If we expect your request is going to take us longer than normal to fulfill, we’ll let you know. When you make a request to know or delete your Personal Information, we will take steps to verify your identity. These steps may include asking you for Personal Information, such as your name, address, or other information we maintain about you. If we are unable to verify your identity with the degree of certainty required, we will not be able to respond to the request. We will notify you to explain the basis of the denial. You are also entitled to submit a request for Personal Information that could be associated with a household as defined in the CCPA. To submit a request to know or delete household Personal Information, such requests must be jointly made by each member of the household, and we will individually verify all of the members of the household using the verification criteria explained above, and separately verify that each household member making the request currently resides in the household. If we are unable to verify the identity of each household member with the degree of certainty required, we will not be able to respond to the request. We will notify you to explain the basis of our denial. You may also designate an authorized agent to submit requests on your behalf. If you do so, you will be required to verify your identity by providing us with certain Personal Information as described above. Additionally, we will also require that you provide the agent with written and signed permission to act on your behalf, and we will separately confirm with you that you provided the agent with permission to submit the request. We will deny the request if the agent is unable to meet submit proof to us that you have authorized them to act on your behalf or if any of the above verification criteria are not met. If you exercise any of your privacy rights, we will not discriminate against you in any manner. International Users Please note that the Services are directed towards users who reside in the United States and the information we collect is governed by US law. If you are accessing the Services from outside of the US, please be aware that any information collected through the Services, including personal information, will be transferred, processed, stored, and used in the US and other jurisdictions. Data protection laws in the US and other jurisdictions may be different from those of your country of residence. While we are responding the recent decisions of the Court of Justice of the European Union and the government of Switzerland to invalidate the Privacy Shields by relying instead on other EU-approved transfer mechanisms, your use of the Services, decision to provide such data to us, or to allow us to collect such data through our Website, App or Platform, constitutes your acknowledgement that we can only perform our services for you by transferring your data to and processing your data in the United States, and your consent to the transfer to and from, processing, usage, sharing, and storage of information about you in the US and other jurisdictions as set out in this Privacy Policy even though the standards of data protection and privacy available in the United States may not be the same or as high as the standards in your home country. Accessibility We are committed to ensuring that our communications are accessible to people with disabilities. To make accessibility-related requests or report barriers, please contact us at 650-421-9500 or privacy@viforpharma.com Contact Us If you have any questions about this Privacy Policy or the privacy practices of the Services, please contact privacy@viforpharma.com or Privacy Officer, Vifor Pharma, Inc., 200 Cardinal Way, Redwood City, CA 94063. In all communications to Vifor Pharma, please include the email address used for registration (as applicable), the website address, or the specific Vifor Pharma program in which you provided Personal Information. Please also include a detailed explanation of your request.