BridgeBio Global Privacy Notice

Welcome to the Global Privacy Notice (“Notice”) of BridgeBio Pharma, Inc., and its affiliates and subsidiaries (collectively, referred to as “BridgeBio”, “we,” “our,” or “us”). BridgeBio is a team of experienced drug discoverers, developers, and innovators working to create life-altering medicines that target well-characterized genetic diseases at their source. This Notice describes how we collect, use, and disclose personal data from the individuals with whom we interact, including patients, caregivers, research participants, website visitors, and business contacts such as service providers, partners, and investors.

BridgeBio Pharma Inc. is the data controller of your personal information and is responsible for providing this Notice. Your personal data may also be processed by the BridgeBio affiliate with which you are in contact, who may act as a separate or joint controller. We process the personal data we collect from and about you in accordance with applicable data protection regulations. We understand the importance of your privacy and are committed to providing appropriate privacy protections.

Table of Contents

  • Personal Data We Collect and Purposes for Processing
  • Sources of Personal Data
  • Legal Basis for Processing
  • Data Sharing
  • Retention
  • Security
  • International Data Transfers
  • Cookies and Similar Technologies
  • Third Party Websites
  • Marketing Communications
  • Your Privacy Rights
  • Additional Information for California Residents
  • Additional Information for Other U.S. Residents
  • Children's Privacy
  • Contact Us
  • Privacy Notice Updates

Personal Data We Collect and Purposes for Processing

We collect personal data from various categories of individuals. The following sections describe what information we collect and how we use it.

Patients

We collect and process personal data from patients who use our products or services, contact us for information, or participate in patient support programs.

  • Personal Data We Collect: Contact information (name, email address, postal address, phone number); demographic information (age, date of birth, gender); health information (diagnosis, diseases, symptoms, patient ID, dates of service, medical history, treatment information, genetic information); insurance and payment information; mental and physical characteristics (such as eye color, height, weight, attitude, and emotions); communications and interactions with BridgeBio; and other information you voluntarily provide. If you, or someone on your behalf, are reporting an adverse event, BridgeBio may obtain sensitive personal data, including details about your side effects, or physical or mental health, as part of the tracking and reporting process.
  • How We Use This Information: To provide patient support services and programs; to respond to inquiries and provide information about our products; to administer product distribution and access programs; to report adverse events and product complaints; to conduct pharmacovigilance activities; to comply with legal and regulatory obligations; to maintain records of our interactions; and to develop and improve our products and services.

Caregivers

We collect personal data from caregivers who interact with us on behalf of patients or in connection with our patient support programs.

  • Personal Data We Collect: Contact information (name, email address, postal address, phone number); relationship to patient; communications and interactions with BridgeBio; and other information you choose to provide.
  • How We Use This Information: To provide patient support services; to facilitate communication regarding patient care, including adverse event reporting; to respond to inquiries; to maintain records; and to develop and improve our products and services.

Research Participants

If you are a research participant in a BridgeBio clinical trial or research study, you should read this Privacy Notice in conjunction with the informed consent forms, supplemental privacy notices, and clinical trial documents provided to you. Those study-specific notices describe in detail how your personal data will be processed for that specific research study or clinical trial.

When you participate in clinical research, our research partners, including clinical trial sites, investigators, clinical research organizations (“CROs”), laboratories, and imaging centers, collect personal data about you such as contact information, demographic information, health and medical information, images, and biological samples. Each research partner operates under its own privacy notice and is governed by our contracts with them. Their privacy practices may differ from those described in this Notice.

  • Personal Data We Collect: Contact information (name, email address, postal address, phone number); demographic information including ethnic origin, age, gender, or information regarding the participant’s sex life; health and medical information (medical history, diagnoses, genetic information, test results, vital signs, imaging); information from biological samples; study-related information (eligibility data, study visits, treatment information, adverse events); and family medical history (where relevant to genetic studies).
  • How We Use This Information: To communicate with you; conduct clinical research and trials; to assess safety and efficacy of investigational products; to comply with regulatory requirements; to monitor participant safety; to report adverse events; to analyze study results; to publish research findings (in de-identified or aggregated form); and to advance scientific understanding of genetic diseases.

Website Visitors

We collect personal data from visitors to our websites, including bridgebio.com, ttrmatters.com, attruby.com, forgingbridges.com and other BridgeBio-operated websites and online services.

  • Personal Data We Collect: Information you provide voluntarily (name, email address, phone number, inquiry details when you contact us or subscribe to communications); automatically collected information (IP address, browser type, device information, operating system, pages visited, time spent on pages, links clicked, referring website); information you voluntarily provide when you email us or submit an inquiry via our website; inferences, such as notes about preferences; and information from cookies and similar technologies (see the cookies section in this Notice for details).

  • How We Use This Information: To operate and maintain our websites; to communicate with you; to respond to inquiries and provide requested information; to send marketing communications (where you have opted-in); to analyze website usage and improve user experience; to detect and prevent fraud, abuse, and security incidents; to comply with legal obligations and respond to law enforcement requests; and to display relevant content and advertising.

Business Partners, HCPs, KOLs, Vendors, Investors, Event Attendees

We collect personal data from individuals at organizations with which we have professional and business relationships, including service providers, Healthcare Professionals (“HCPs”), Key Opinion Leaders (“KOLs”), business partners, investors, payers, and event attendees.

  • Personal Data We Collect: Business contact information (such as name, job title, employer, business email address, business phone number, business address); payment, billing, and bank information; communications and transaction history; responses to our surveys; travel documentation, including passport number for travel plans coordinated by or on behalf of BridgeBio; photos, audio, and video information; information about the scientific and medical activities you have with us; and professional and academic background information relevant to the business relationship (such as name of employer/institution, CV, academic research papers, past engagements, etc.).
  • How We Use This Information: To manage business relationships and communications; conduct market research and develop our products; follow up on informational requests; give donations, grants, and access to products through compassionate use; identify business opportunities; send marketing communications and event invites; hire or partner with you; perform due diligence and verify your eligibility to access certain products, including conducting background checks where permitted; process payments and maintain financial records; comply with legal and regulatory requirements; to manage vendor performance and relations; provide investor relations services; and for other legitimate business purposes.

Sources of Personal Data

We may collect personal data from various sources including from:

  • Individuals who directly access or use our services or communicate with us about our services as described above in the previous section (this includes when you email, call, or contact us via our sites)

  • Others acting on behalf of patients and other individuals about whom personal data relates, such as caregivers, authorized representatives and legal guardians

  • Your healthcare professional, healthcare provider or healthcare organization, including hospitals and clinics

  • Contract Research Organizations and clinical trial investigators

  • Government agencies

  • Service providers or business partners, where you have consented to have your personal information shared

  • Industry and patient groups and patient advocacy associations

  • Publicly available sources, including information provided on websites, social media channels, public forums or platforms

  • Automatically via cookies, web beacons, and pixels on our sites, as described in this Notice

Legal Basis for Processing

Where required by applicable data protection law, such as the European and United Kingdom General Data Protection Regulation (“GDPR”), we process your personal data only when we have a valid legal basis. The legal basis for our processing depends on the specific context for which we use your personal data. Below are the legal bases that we rely on.

  • Consent: Where you have provided your consent to the processing of your personal data for specific purposes (e.g., marketing communications, research activities, clinical trials).
  • Contractual Necessity: Where processing is necessary to perform a contract with you or to take steps at your request before entering into a contract (e.g., providing patient support services, fulfilling orders, managing vendor relationships, providing grants and donations).
  • Legal Obligation: Where processing is necessary to comply with legal or regulatory obligations (e.g., pharmacovigilance reporting, adverse event reporting, financial record-keeping, transparency reporting, responding to law enforcement requests).
  • Legitimate Interests: Where processing is necessary for our legitimate business interests or those of a third party, provided these interests do not override your fundamental rights and freedoms. Our legitimate interests include: operating and improving our business; conducting research and development; maintaining business relationships; security and fraud prevention; advertising and marketing our products and services.

How We Share Your Personal Data

We may share your personal data with the following categories of recipients:

  • BridgeBio Affiliates: We may share personal data with other BridgeBio affiliate companies and subsidiaries for the purposes described in this Notice, including centralized data processing, business operations, and research activities.
  • Service Providers: We engage third-party service providers to perform functions on our behalf, including IT services, cloud hosting, data analytics, customer support, marketing services, payment processing, and research support. Our key service providers include Amazon Web Services, Microsoft Azure, Zoom, and Marketo. These providers have access to personal data only as necessary to perform their functions and are contractually obligated to only handle that information under our instructions and in accordance with applicable privacy laws.
  • Study Teams: We may share data with study teams such as healthcare providers, hospitals, CROs, research institutions, third party analytics teams, and clinical trial sites as necessary for research, patient care coordination, and clinical trial administration.
  • Regulatory Authorities: We may share data with regulatory authorities (such as the FDA, EMA, and other health authorities) to comply with legal and regulatory obligations, including adverse event reporting and pharmacovigilance.
  • Business Partners: We may share data with distributors, collaboration partners, and other business partners in connection with our products and services.
  • Advertising and Marketing Partners: We share with our advertisers, analytics providers, and marketing partners aggregate statistics, metrics, and reports about the performance of their ads on our sites. This aggregated data may include the number of unique user views, demographics about the users who saw their ads or content, and conversion rates. Certain features allow you to share your personal data with advertisers on our platform if you choose to do so.
  • To Comply With Legal Obligations: We may disclose personal data when required by law, in response to legal process (subpoenas, court orders), to law enforcement, or when necessary to comply with the law and/or protect our rights, property, or safety.
  • Business Transfers: In the event of a merger, acquisition, reorganization, or sale of assets, personal data may be transferred to the acquiring entity.

Retention

We keep your personal data as long as reasonably necessary for the purposes described in this Notice. For instance, for certain processing, we will retain your personal data for so long as we have a legitimate business need to do so, or for certain personal data, we will retain the processing for such period as is required by law (e.g., for regulatory reporting including to government entities who may oversee the safety and efficacy of research, legal, tax, accounting or other purposes). For further information please contact our Data Protection Officer using the details in the “Contact Us” section below.

Security

BridgeBio implements appropriate technical, physical, and organizational security controls to protect your personal data from unauthorized access, use, and disclosure. However, please note that no method of internet transmission can be completely secure and we cannot guarantee absolute security of your personal data.

International Data Transfers

BridgeBio is an international organization with affiliates and subsidiaries in and outside the United States. We transfer the personal data we collect about you to other BridgeBio affiliates and third parties globally. Such data transfers include the transfer of personal data to countries that may not have the same level of data protection as the country in which the personal data initially originated.

Where cross-border data transfers occur, we ensure that an adequate level of data protection exists in the recipient country, by executing with third parties, including our affiliates, appropriate contractual arrangements for cross-border data transfers to third-party countries for controllers or processors as applicable. For transfers governed by UK GDPR and EU GDPR, measures include transfers based on adequacy decisions, EU standard contractual clauses (SCCs), and supplementary measures.

Cookies and Similar Technologies

We use cookies, log files, pixels, tags, local storage objects, and other similar technologies to automatically collect information about your activities, such as your searches, page views, date and time of your visit, and other information about your use of our sites. We also collect information about your web browser or mobile device, such as your browser type, type of computer or mobile device, browser language, IP address, mobile carrier, unique device identifier, and requested and referring URLs. We receive analytics information when you view content on or otherwise interact with our sites. For detailed information about cookies and these technologies, as well as how to update your preferences, refer to our Cookie Notice.

  • Do Not Track (“DNT”): We do not currently recognize DNT signals.
  • Global Privacy Control (“GPC”): We recognize and honor GPC signals. If you enable GPC in a browser or extension that supports it, we will treat that signal as a valid request to opt out of the "sale" or "sharing" of your personal data for that browser as required under applicable law. To enable GPC and learn more, visit globalprivacycontrol.org.
  • Do Not Sell or Share My Personal Information: BridgeBio does not sell your personal data in exchange for money. However, we may share personal information (obtained via cookies and similar technologies) with third parties for cross-context behavioral advertising. Under California, Virginia, Colorado, Connecticut, Utah, and other applicable U.S. state privacy laws, this type of sharing may be considered a “share” or "sale." You have the right to opt-out of such sharing by updating your cookie preferences via the "Your Privacy Choices" link on our sites.

Marketing Communications

We may send you marketing and promotional communications about our products, services, research, and other information that may be of interest to you, where permitted by law and where you have provided consent or we have another lawful basis. You can opt-out of marketing emails at any time by clicking the "unsubscribe" link in the email or by visiting our preference center here. Please note that even if you opt-out of marketing communications, we may still send you transactional messages related to your relationship with BridgeBio, such as adverse event notifications or administrative messages.

Links to Third-Party Websites

This Notice only applies to our sites, although our sites may contain links to other websites not operated or controlled by us (“Third-Party Websites”). The information that you share with Third-Party Websites is governed by the specific privacy policies and terms of service of the Third-Party Websites and not by this Notice. By providing these links, we do not imply that we are responsible for, or operate, control, endorse, or have reviewed these Third-Party Websites. We encourage you to review the privacy policies of such Third-Party Websites before disclosing your personal data.

Your Privacy Rights

Depending on where you live and the local laws, you may have certain rights regarding your personal data. These may include the following:

  • Right of Access: You can request confirmation of whether we process your personal data and obtain a copy of the personal data.
  • Right to Rectification: You can request correction of inaccurate or incomplete personal data.
  • Right to Erasure: You can request deletion of your personal data in certain circumstances, such as when the data is no longer necessary or you withdraw consent.
  • Right to Restriction: You can request that we restrict processing of your personal data in certain circumstances.
  • Right to Data Portability: You can request a copy of your personal data in a structured, commonly used, machine-readable format and have it transmitted to another controller.
  • Right to Object: You can object to processing of your personal data based on legitimate interests or for direct marketing purposes.
  • Right to Withdraw Consent: Where processing is based on consent, you can withdraw consent at any time.
  • Right to Lodge a Complaint: You have the right to lodge a complaint with your local data protection authority.

Please contact us at dataprivacy@bridgebio.com if you would like to exercise your privacy rights. We may ask for additional information as necessary to validate your identity before responding to your request. Please note that personal data may be exempt from such requests under specific circumstances. If we are unable to comply with your request in full or part, we will confirm this with you and provide the reasoning behind our position.

Additional Information for California Residents

This section provides additional information in accordance with the California Consumer Privacy Act, as amended by the California Privacy Rights Act, (“CCPA”) for residents of California about how we handle personal data. This section of this Notice describes the categories of personal data that we collect, use, and disclose in order to operate our business over the past 12 months.

  • Data Sources. As we describe in the section titled Sources of Personal Data, we collect information directly from you when you use our services or contact us; from others acting on your behalf such as caregivers, authorized representatives, or legal guardians; from healthcare providers, hospitals, clinics, contract research organizations, and clinical trial investigators; from government agencies; from service providers and business partners where you have consented to sharing; from industry groups, patient advocacy organizations, and publicly available sources including websites, social media, and public forums; and automatically through cookies, web beacons, and pixels.

  • Data Collection. As we describe in the section titled Personal Data We Collect and Purposes for Processing, we collected the following categories of personal data in the past 12 months (as defined under the CCPA):
    • Identifiers (name, email address, postal address, phone number, IP address, online identifiers)
    • Personal information categories listed in Cal. Civ. Code § 1798.80(e) (name, contact information, financial information, medical information, health insurance information)
    • Protected classification characteristics (age, gender, date of birth, genetic information, race, ethnicity)
    • Commercial information (products or services purchased, transaction history, purchasing history)
    • Internet or other electronic network activity (browsing history, search history, interactions with websites, usage data)
    • Geolocation data (approximate location derived from IP address)
    • Audio, electronic, visual, or similar information (call recordings, photographs, event recordings)
    • Professional or employment-related information (job title, employer, business contact details, credentials, professional memberships, resume information for business contacts)
    • Education information (schools attended, degrees, educational history)
    • Inferences (preferences, characteristics, attitudes)
    • Sensitive Personal Information (racial or ethnic origin, genetic data, health information, including mental and physical health diagnoses and treatment information)

  • Data Processing. As we describe in the section titled Personal Data We Collect and Purposes for Processing, we use your information to provide our services, for billing and payment, to protect against fraud, to promote our services to you, to enable communications, for research and development, provide support, quality and safety testing, to analyze how our services are used, for regulatory reporting purposes, and to comply with law.

  • Data Sharing. As we describe in the section titled Data Sharing, we may disclose the following categories of personal data for business purposes with service providers, CROs, research partners and study teams, analytics and marketing providers, BridgeBio affiliates, government agencies, when required by law, and as directed by you: (1) identifiers, (2) protected classification characteristics, (3) Internet or other similar network activity, (4) geolocation data, (5) photos or visual information, (6) employment information, (7) education information, and (8) inferences.
  • Data Retention. As we describe in the section titled Retention, we keep your personal data for as long as necessary to provide our services. Once our relationship with you has come to an end, we may retain your personal data for a period of time that enables us to maintain business records for audit purposes, comply with record retention requirements under the law, and defend or bring any existing or potential legal claims.
  • Sensitive Personal Information: We collect and use sensitive personal information, including health information, for the purposes described in this Notice. We do not use or disclose sensitive personal information for purposes other than those permitted under CCPA and other applicable law without providing appropriate notice and obtaining consent where required.

California Privacy Rights

Individuals in California have the right to make the following privacy requests:

  • Copy and Right to Know: You have the right to request a copy of the specific pieces of personal information that we have collected about you over the past 12 months. You also have a right to request a disclosure about the categories of information, sources, and purposes of collection, as well as categories of third parties we have shared it with over the past 12 months.

  • Deletion: You have the right to request deletion of personal information that we have collected about you.

  • Correction: You have the right to request that we correct inaccurate personal information that we maintain about you.

  • Right to Limit Use of Sensitive Personal Information: You can request that we limit our use and disclosure of sensitive personal information to certain permitted purposes.

  • Opt-out of having your personal information shared for targeted advertising: You can exercise this right by visiting the “Your Privacy Choices” link on our sites.

You may exercise your CCPA rights by emailing us at dataprivacy@bridgebio.com or calling us at our U.S. toll-free phone number at 1-877-595-8877. We may ask for additional information as necessary to validate your identity before responding to your request.

Authorized Agent: You may designate an authorized agent to submit a privacy rights request on your behalf by providing a signed and authenticated letter that identifies your agent and the purposes for your appointment of an agent. If you are an authorized agent, you must provide your full name, email address, city, state of residence, and a letter, signed by the individual that authorized you, that appoints you as their agent.

Non-Discrimination: BridgeBio will not discriminate against you, including by denying or providing different quality of services, if you choose to exercise your privacy rights.

Additional Information for Other U.S. Residents

If you are a resident of a U.S. state with comprehensive privacy legislation (including but not limited to Virginia, Colorado, Connecticut, Texas, Oregon, Montana, Delaware, Iowa, Nebraska, New Hampshire, New Jersey, Tennessee, Indiana, Kentucky, Maryland, Minnesota, and Rhode Island), you have the following rights regarding your personal information, subject to certain exceptions under applicable law:

  • Right to Know: Request information about the categories and specific pieces of personal information we have collected about you, the sources from which we collected it, the purposes for which we use it, and the categories of third parties with whom we share it.

  • Right to Delete: Request deletion of your personal information, subject to certain legal exceptions.

  • Right to Correct: Request correction of inaccurate personal information we maintain about you.

  • Right to Opt-Out: Request to opt-out of the sale or sharing of your personal information, targeted advertising, and certain types of profiling.

  • Right to Portability: Request a copy of your personal information in a portable format.

  • Right to Non-Discrimination: Exercise your privacy rights without receiving discriminatory treatment.

To exercise these rights, contact us at dataprivacy@bridgebio.com. We will respond to your request within the timeframe required by applicable law. You may be required to verify your identity before we process your request. Consumers can also designate an authorized agent to exercise these rights on their behalf.

Children’s Privacy

In general, our sites and services are intended for general audiences and not for minors. No personal data should be submitted to BridgeBio through the website by visitors who are less than 18 years old. If we become aware that we have collected personal data without legally valid parental consent from minors under an age where such consent is required pursuant to applicable law, we will take reasonable steps to delete it as soon as possible. In connection with our research, we obtain legally adequate parental consent before allowing minors (under the age of majority in their jurisdiction of residence) to serve as research participants.

Contact Us

Please contact us if you have questions about our Privacy Notice or our data protection practices. You may send an email to dataprivacy@bridgebio.com or send mail to:

  • Attn: Legal Department
    c/o BridgeBio Pharma, Inc.
    Suite 250, 3160 Porter Drive
    Palo Alto, CA 94304 (USA)

Our appointed Data Protection Officer for the EEA and the UK is as follows:

  • Bird & Bird DPO Services SRL
    Avenue Louise 235 b 1
    1050 Brussels, Belgium
    Email: DPO.BridgeBio@twobirds.com

Our appointed Data Protection Representatives for the EEA and the UK are as follows:

  • For Europe (EEA)
    BridgeBio Europe BV
    Weerdestein 97
    1083 GG Amsterdam
    The Netherlands
    Email: EU.datarepresentative@bridgebio.com
  • Bird & Bird (UK)
    12 New Fetter Lane, London
    EC4A 1JP, United Kingdom
    Email: DPO.BridgeBio@twobirds.com

Our appointed Data Protection Officer for Brazil is as follows:

  • Prado Vidigal Advogados, CNPJ
    Rua Gomes de Carvalho, n. 1069
    15 Andar, Vila Olímpia
    São Paulo - SP, Brasil, CEP 04547-004
    Email: paulo@pradovidigal.com.br

Privacy Notice Updates

Our sites and services, along with data protection laws, may change from time to time. As a result, we may update this Notice at any time and when we do, we will post an updated version on this page and change the “Last Updated” date above.