Consumer Health Data Privacy Policy

Last updated on April 1, 2024

SpringWorks Therapeutics, Inc., and its affiliates (“SpringWorks”) value your privacy. This Consumer Health Data Privacy Policy (“Policy”) describes the types of identifiable data that we collect and that we use to identify your past, present or future health status (“health data”). This Policy also explains how and why we (and our service providers on our behalf) collect, use, maintain and share (collectively referred to as “processing”) your health data. It does not apply in an employment context or in other contexts excluded by applicable law.

If you participate in certain SpringWorks sponsored programs or services, you may receive a separate privacy policy specific to that program or service. That separate privacy policy will govern to the extent there is a conflict with this Policy.

Types of Health Data We Collect

We collect the following types of health data:
• Health condition, status, disease or diagnosis, including symptoms
• Medical treatments and visit dates, including surgeries, imaging and other medical procedures
• Medications and allergies
• Reproductive or sexual health information, treatment and services
• Lab testing and results
• Claims data and other payment information reflecting purchase or use of any health service

We may collect other types of health data that you voluntarily provide to us through correspondence or other interactions.

Sources of Your Health Data

We collect your health data from:

You or your representative: We collect health data from you (or your representative, if applicable) if you contact us or share your health data directly with us.

Service Providers. We work with service providers who collect information on our behalf to provide services to us or to you on our behalf. These service providers may collect information, which may include health data, to process your request to participate in a program, a SpringWorks sponsored event, or a patient support program (“Programs”). They may also collect your health data in connection with your request for communications regarding disease management or about our product(s).

Why We Collect Your Health Data

We process your health data for the following purposes:

To provide you with products and services, including to ensure proper and efficient delivery of services; to respond to inquiries and other communications; to obtain, analyze and report information on product use and service participation, including to create aggregated, de-identified or anonymized data; and to track your progress/outcomes.

To contact you or your representative in response to an inquiry from you.

To comply with regulatory obligations, including safety oversight and reporting obligations.

To address legal, safety or security matters, such as complying with legal and contractual obligations; protecting our, your, or other third parties’ safety or rights; detecting, preventing, and responding to security incidents; protecting against malicious, deceptive, fraudulent, or illegal activity; performing audits; investigating or responding to a complaint or compliance issue; and asserting or defending against legal claims.

In connection with business transactions, such as the negotiation or completion of a merger, acquisition, partnership, business reorganization, debt finance, an insolvency, bankruptcy, receivership, sale of all or a portion of its assets, or other similar business transaction, including completing related due diligence.

For other legitimate internal business purposes necessary to support the delivery of goods and services, such as for information technology operations and support; data analysis, data aggregation and data de-identification/anonymization; and improving patient experiences and our products and services.

We may process your health data for other purposes as disclosed to you at the time you provide health data or with your consent.

To respond to inquiries concerning your data privacy rights.

Parties To Which We Disclose Health Data

We may disclose all the types of health data identified above to the following parties:

Service providers to help us store, manage and transmit health data concerning products, services and Programs.

Legal/regulatory authorities and associated third parties.

Third parties associated with corporate transactions.

Why We Disclose Health Data

To provide you with products and services, including to ensure proper and efficient delivery of services; to respond to inquiries and other communications; to obtain, analyze and report information on product use and service participation, including to create aggregated, de-identified or anonymized data; and to track your progress/outcomes.

To contact you or your representative in response to an inquiry from you.

To comply with regulatory and other legal matters, including safety and oversight requirements, or when otherwise required or permitted in connection with a legal claim, investigation, legal process or other legal matter.

To address legal, safety or security matters, such as complying with legal and contractual obligations; protecting our, your, or other third parties’ safety or rights; detecting, preventing, and responding to security incidents; protecting against malicious, deceptive, fraudulent, or illegal activity; performing audits; investigating or responding to a complaint or compliance issue; and asserting or defending against legal claims.

In connection with business transactions, such as the negotiation or completion of a merger, acquisition, partnership, business reorganization, debt finance, an insolvency, bankruptcy, receivership, sale of all or a portion of its assets, or other similar business transaction, including completing related due diligence.

Third parties identified by you including your representative at your or their request.

As directed by you or your representative.

For other legitimate internal business purposes necessary to support the delivery of goods and services, such as for information technology operations and support; data analysis, data aggregation and data de-identification/anonymization; and improving patient experiences and our products and services.

To respond to inquiries concerning your data privacy rights.

We may share your health data with other parties as disclosed to you at the time you provide health data or with your consent.

Your Privacy Rights

You have the following rights with respect to your health data. These rights may be subject to some conditions or exceptions under applicable law.

Know and Access. You have the right to confirm whether we are collecting, sharing, or selling your health data and to access this data, including a list of third parties to which we have shared or sold your health data.

Review and Modify. You have the right to review and request changes to your health data.

Delete. You have the right to request that we delete your health data.

Restrict Processing. You have the right to request that we cease collecting, sharing, or selling your health data.

Appeal. You have the right to appeal instances where we deny your rights request.

You may exercise your rights by contacting us via our toll-free number at 855-722-2291 or via our email box at privacy.office@springworkstx.com.

Changes To This Policy

We may change this Policy from time to time. This may be necessary, for example, if the law changes or if we change how we process health data in a material way that requires us to change our Policy. We will post the updated Policy here and may also share material changes directly with you if required by law and if we have your contact information for a specific program or service that was impacted by the change to the Policy.

Our Contact Information

Comments, questions or concerns about this Policy or our privacy practices may be directed to us via our toll-free number at 855-722-2291 or our email box at privacy.office@springworkstx.com.

Our mailing address is:
SpringWorks Therapeutics, Inc.
100 Washington Blvd
Stamford, CT 06902