Privacy Statement
ONL Therapeutics Global Privacy Notice
ONL Therapeutics, Inc. (“ONL,” “we,” “us,” or “our”) is committed to protecting the privacy of your personal information. This Global Privacy Notice (“Notice”) describes how ONL may collect, use, store, process, share, and transfer your personal information, along with how we protect your personal information. ONL, as the Controller of your personal information, adheres to applicable privacy laws and regulations including the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and the European Union General Data Protection Regulation (GDPR). This Notice describes our general practices, but where local laws or regulations require that we process your personal information differently, we will comply with those local laws.
Information We Collect
“Personal information” refers to any information which could identify you directly (such as your name) or indirectly (such as your date of birth). We may collect the following categories of personal information, depending on the context of our interaction with you:
- Identifiers: Name, address, email, phone number.
- Professional and employment information: Job history, qualifications, resume details, interview notes.
- Clinical and health-related information: Medical history, treatment responses, clinical assessment data, safety reports (collected only where permitted and necessary for clinical research or safety monitoring).
- Contact and communication data: Correspondence, consent forms, preferences.
- Device and usage data: IP address, browser type, device identifiers, referring pages, access times, cookies and similar technologies, and information about how visitors interact with our website.
- Regulatory and compliance data: Licensing, credentials, certifications, audit and monitoring records.
- Other personal information: Any data reasonably necessary to provide services, manage clinical trials, fulfill legal obligations, or operate our business.
We collect personal information directly from you, from our affiliates, from clinicians or clinical research sites, and from service providers.
Processing Use
ONL may collect and use your personal information for reasons including, but not limited to, those listed below:
Please note that specific arrangements, contracts, consents, notices, or other forms of disclosure provided or made available to you may specify more detailed and/or additional uses of your personal information.
1. Participants in Clinical Trials (Subjects)
Third parties may process your personal data on our behalf as part of a clinical trial. Personal data collected by the third party may include your name, address, health related information, age, and biometric data relating to the trial. This information is pseudonymized (meaning you are assigned a subject identifier, not your name) when available to ONL, absent specific situations described in the subject consent.
2. Clinical Investigators and Site Personnel
We may process personal data relating to clinical investigators, sub investigators, research staff, and other site personnel for the following purposes:
- To identify, evaluate, qualify, and engage investigators and clinical trial sites for participation in ONL sponsored clinical trials or other research activities.
- To initiate, conduct, manage, monitor, audit, and close out clinical trials and related research activities, including regulatory submissions and inspections.
- To communicate scientific, medical, safety, and operational information relating to investigational products and clinical trial protocols.
- To collect, review, and report safety information, including adverse events, serious adverse events, suspected unexpected serious adverse reactions, and other safety signals associated with investigational products.
- To comply with pharmacovigilance, regulatory reporting, transparency, disclosure, and clinical trial registration requirements under applicable laws and regulations.
- To process payments, reimbursements, grants, and other financial interactions related to clinical research activities, and to maintain documentation required under applicable transparency laws.
- To document and maintain records of training, qualifications, delegation, and oversight in accordance with Good Clinical Practice and applicable regulatory requirements.
- To coordinate study related meetings, investigator meetings, site visits, and other communications necessary for the conduct of clinical research.
- To maintain appropriate oversight of vendors, contract research organizations, and other third parties involved in the conduct of clinical trials.
3. Employment Applicants
- To process employment applications and contact applicants regarding potential employment or engagement;
- To discuss and make hiring decisions, and to respond to queries about the result of recruitment;
- To ensure compliance with applicable employment laws and regulations.
4. Current and Former Employees
- To plan and manage personnel assignment, assessment, treatment, development, conditions of work, welfare program, health and safety;
- To effectuate compensation and the provision of employee benefits, including communications with insurance companies and brokers;
- To communicate with unions or works councils;
- To communicate with the employee and their family members in case of emergency;
- To assign and track training records;
- To communicate employee news internally or externally;
- To make notifications and reports to government agencies.
5. Technical
- To monitor ONL website usage levels, diagnose problems, and detect cybersecurity threats;
- To provide you with a more personal and interactive experience and improve our marketing efforts using cookies;
- To analyze website usage and performance through analytics tools such as Google Analytics, which use cookies and similar technologies to collect information about how users interact with the website (such as pages visited, time spent on pages, and navigation patterns) in order to improve website performance, functionality, and user experience;
- To collect information about the type of devices accessing ONL websites;
- To manage teleconferencing, videoconferencing, or web conferencing with ONL;
- To capture data related to when you contact us via our “Contact” page.
If we decide to use your personal information for a purpose other than originally intended when we first collected your data, we will provide you with a new Notice.
Legal Basis for Processing
ONL can collect and use your personal information when any of the following apply:
- You give us your explicit consent to use your data. You can withdraw this consent at any time.
- We need your personal information in order to enter into or perform a contract.
- We need your personal information to comply with legal requirements.
- We have a legitimate interest in processing your personal information for the purposes described above in order to identify, initiate, conduct, manage, and oversee clinical trials and other research activities involving investigational products, and to improve the design, quality, safety oversight, and operational effectiveness of our clinical development programs and website.
Sharing and Disclosure
We may share personal information with:
- Affiliates and subsidiaries for processing consistent with this notice.
- Contractors and service providers who support our operations, including data hosting providers, website analytics providers (such as Google Analytics), recruitment services, event planners, or study management vendors.
- Regulatory authorities as required by law or for safety reporting and compliance.
- Healthcare institutions, study sites, and investigators for clinical research purposes.
- Potential stakeholders, including in the event of a merger, legal restructuring operation, or joint venture.
- Professional service providers such as accountants and auditors.
- Law enforcement or legal representatives to comply with legal processes.
We do not sell your personal information.
When sharing personal information, as noted above, ONL will require that such third parties:
- Comply with applicable data protection laws and the principles of this Notice;
- Only process the personal information for the purposes permitted in this Notice; and
- Implement appropriate technical and organizational security measures designed to protect the integrity and confidentiality of your personal information.
Cookies and Analytics
Our website uses Google Analytics, a web analytics service provided by Google LLC. Google Analytics uses cookies and similar technologies to help us analyze how users interact with our website. Information generated by these technologies may be transmitted to and stored by Google on servers located outside your country of residence, including in the United States. We use this information to understand website usage and improve our services.
International Transfers
To facilitate our global operations, personal information may be transferred to, stored at, or processed in locations outside the country where you reside, including the United States. Laws in these countries may differ from each other and from your country of residence. ONL takes appropriate steps to ensure personal information is processed and transferred according to applicable laws, but not all countries are subject to the same data protection laws. When required by applicable law, ONL ensures appropriate safeguards are in place through the use of written agreements with recipients that require them to provide certain protections to your personal information, such as Standard Contractual Clauses adopted by the EU and UK. Please contact ONL at privacy@onltherapeutics.com for more information regarding these safeguards.
Data Retention
We retain personal information only as long as necessary for the purposes described in this Notice, to comply with legal obligations, resolve disputes, enforce agreements, or fulfill regulatory requirements. During these periods, we will take appropriate steps to ensure that the privacy of your personal information is maintained.
Your Rights and Choices
You have certain rights with respect to your personal information, although some exceptions may apply depending on our basis for processing your personal information and the law in your jurisdiction.
Depending on these, you may have the right to:
- Ask ONL about the processing of your personal information including access to this information;
- Ask ONL to correct information you think is inaccurate or incomplete;
- Ask ONL to delete your personal information;
- Ask ONL to restrict the processing of your personal information;
- Object to the processing of your personal information;
- Ask that we transfer personal information you have given us;
- Withdraw your consent to process your personal information if you have provided it, such as for receiving newsletters;
- Complain to your local data protection authority, although we ask that you contact us first.
To exercise your rights, please contact us at privacy@onltherapeutics.com. We will review each request individually and, where legal or regulatory restrictions prevent us from fulfilling it, we will explain the basis for our decision. In accordance with applicable law, we may request information necessary to confirm your identity before processing your request regarding your personal data.
US State Privacy Rights
Some state laws in the United States provide consumers with additional rights with respect to their personal information (also known as “personal data”), as those terms are defined under those applicable state laws. Such state laws may include, but are not limited to, the California Consumer Privacy Act of 2018 (the “CCPA”) as amended by the California Privacy Rights Act, the Colorado Privacy Act (“CPA”) and the Virginia Consumer Data Protection Act (“VCDPA”). Any personal information we collect is collected for the commercial purpose of effectively providing our services to you, as well as enabling you to learn more about, and benefit from, our services. If you reside in a state that provides additional rights with respect to your personal information, you may exercise each of your rights as identified below, subject to our verification of your identity.
1. Access. You have the right to request that we disclose certain information to you about our collection, use and disclosure of your Personal Information over the past 12 months. Any disclosures we provide will only cover the 12-month period preceding the receipt of your request. The response we provide will also explain the reasons we cannot comply with a request, if applicable.
2. Correction. You can correct what personal data our Website database currently contains by accessing your account directly, or by contacting us to request that we correct or rectify any personal data that you have provided to us.
3. Limit Use and Disclosure of Sensitive Personal Information. If we collect any sensitive personal information, you have the right to request that we limit the use of the sensitive personal information to that use which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services.
4. Portability. Upon request and when possible, we can provide you with copies of your Personal Information. When such a request cannot be honored, we will advise you accordingly. You can then choose to exercise any other rights under this Policy.
5. Deletion. You have the right to request that we delete any of your Personal Information, subject to certain exceptions. Once we receive and confirm your verifiable consumer request, we will delete (and direct our service providers to delete) your Personal Information from our records, unless an exception applies. Where applicable, we will ensure such changes are shared with trusted third parties.
6. Opt-out of Processing. You have the right to request that we do not sell your Personal Information, use your Personal Information for Targeted Advertising, or use your Personal Information for profiling. Where applicable, we will ensure such changes are shared with trusted third parties.
7. Non-Discrimination. If a data subject exercises his or her rights under applicable state law, including but not limited to the CCPA, CPA, and VCDPA, we shall not discriminate against that data subject by denying our goods or services, charging different prices or rates to similarly situated consumers, providing a different level or quality of our goods or services, or taking any other adverse action.
8. Exercising your rights. If you are a data subject that has rights under applicable state law, including but not limited to the CCPA, CPA, and VCDPA, who chooses to exercise the rights listed above, you can email privacy@onltherapeutics.com.
Only you, or someone legally authorized to act on your behalf, may make a request related to your Personal Information. If an authorized agent makes a request on your behalf, we may require proof that you gave the agent permission to submit the request.
9. Responding to Your Request. Upon receiving your request, we will confirm receipt of your request by sending you an email confirming receipt. To help protect your privacy and maintain security, we may take steps to verify your identity before granting you access to the Personal Information. In some instances, such as a request to delete personal information, we may first separately confirm that you would like for us to in fact delete your personal information before acting on your request.
We will respond to your request within 45 days. If we require more time, we will inform you of the reason and extension period in writing.
In some cases our ability to uphold these rights for you may depend upon our obligations to process Personal Information for security, safety, fraud prevention reasons, compliance with regulatory or legal requirements, or because processing is necessary to deliver the services you have requested. Where this is the case, we will inform you of specific details in response to your request.
Security
We maintain reasonable administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, loss, misuse, or alteration. Although we take appropriate steps to safeguard data, no method of transmission or storage is entirely secure.
Changes to this Notice
We may update this Notice to reflect changes in our practices or legal requirements. We will post the revised Notice on our platforms with an updated effective date.
Contact Information
If you have questions, requests, or concerns about this Notice or our privacy practices, please contact:
Email: privacy@onltherapeutics.com
Address:
ONL Therapeutics, Inc.
110 Miller Ave., Suite 300
Ann Arbor, MI 48104
Effective Date: March 26, 2026