Table of Contents

• Collection of Your Health Data
• Categories of Health Data We Collect and Share
• Sources of Your Health Data
• How we Use Your Health Data
• Parties To Which We Disclose Health Data
• Your Privacy Rights
• Changes To This Policy
• Our Contact Information
• Privacy Policy

Consumer Health Data Privacy Policy

Last updated on June 28, 2024

This Consumer Health Data Privacy Policy (“Policy”) describes the types of personal information that we collect and use to identify your past, present, or future health status (“Health Data”). This Policy also explains how and why we (and our service providers on our behalf) collect, use, maintain, and share (collectively referred to as “processing”) your Health Data. This Policy does not apply to the collection of Health Data from employees. For additional information relating to our general privacy practices in connection with our websites (“Site”) and additional rights that you may have, please visit our Privacy Policy.

If you participate in certain SpringWorks sponsored programs or services, you may receive a separate privacy policy specific to that program or service. That policy will govern to the extent there is a conflict with this Policy.

Collection of Your Health Data

Your Health Data will be collected in connection with your relationship with SpringWorks when you: 1) engage in a clinical trial that we sponsor; 2) participate in one of our compassionate use programs; 3) provide personal information on our websites and/or marketing programs; and 4) report an adverse event to us.

When you participate in one of our clinical trials, you will be provided with an informed consent form, which will explain how your Health Data will be collected and used. To preserve the integrity of our trial data, SpringWorks does not receive identifiable Health Data from participants in our clinical trials.

Likewise, when you participate in our compassionate use program or other patient support programs, we do not generally collect, store, or receive health information that you have provided directly to your prescribing physician. Please contact your prescribing physician or healthcare provider directly to learn how you can exercise your rights with respect to your Health Data.

Below is information about the Health Data that SpringWorks collects and uses and your rights relating to that Health Data.

Categories of Health Data We Collect and Share

We collect the following categories of Health Data:

• Health condition, status, disease, or diagnosis, including symptoms.
• Medical history, medical treatments, and visit dates, including surgeries or other health-related procedures, imaging, and other medical procedures.
• Social, psychological, behavioral, or medical intervention.
• Use or purchase of prescribed medication.
• Bodily functions, vital signs, or symptoms.
• Reproductive or sexual health information, treatment, and services.
• Lab testing and results.
• Claims data and other payment information reflecting purchase or use of any health services.
• Data that identifies a consumer seeking health care services.
• Health-related data that have been derived or inferred from the above.

We may collect other types of Health Data that you voluntarily provide to us through correspondence or other interactions.

Sources of Your Health Data

We collect your Health Data from:

Your prescribing physician, you, or your representative. We collect Health Data from you (or your representative, such as your caregiver, if applicable) or your prescribing physician, if you or they contact us or share your Health Data directly with us. For example, you or your prescribing physician may share your Health Data with us in connection with patient safety reports.

Service Providers. We work with service providers who collect information on our behalf to provide services to us or to you on our behalf. These service providers may collect information, which may include Health Data, to process your request to participate in a program, or a SpringWorks sponsored event (“Programs”). They may also collect your Health Data in connection with your request for communications regarding disease management or about our product(s).

How we Use Your Health Data

We process your Health Data for the following purposes:

To provide you with products and services, including to ensure proper and efficient delivery of services; to respond to inquiries and other communications; to obtain, analyze, and report information on product use and service participation, including to create aggregated, de-identified or anonymized data; and to track your progress/outcomes.

To send you communications regarding our research, educational materials, and marketing initiatives related to our products when you elect to receive those communications from us.

To facilitate the sharing of patient and caregiver stories when you or your representative and/or caregiver elect to share such information.

To facilitate programs that you elect to participate in, such as our compassionate use or financial assistance programs, including to verify your information; to ensure proper and efficient delivery of services; to respond to inquiries and other communications; to obtain, analyze, and report information about our programs, including to create aggregated, de-identified, or anonymized data; and to track your progress/outcomes.

To contact you or your representative or your prescribing physician in response to an inquiry from you, your representative (e.g. caregiver), or your prescribing physician; however, to preserve your confidentiality, our standard procedure in the usual course of operating our compassionate use or financial assistance programs is to communicate through your prescribing physician rather than directly with you or your representative.

To comply with regulatory obligations, including safety oversight and reporting obligations.

To address legal, safety, or security matters, such as complying with legal and contractual obligations; protecting our, your, or other third parties’ safety or rights; detecting, preventing, and responding to security incidents; protecting against malicious, deceptive, fraudulent, or illegal activity; performing audits; investigating or responding to a complaint or compliance issue; and asserting or defending against legal claims.

In connection with business transactions, such as the negotiation or completion of a merger, acquisition, partnership, business reorganization, debt finance, an insolvency, bankruptcy, receivership, sale of all or a portion of its assets, or other similar business transaction, including completing related due diligence.

For other legitimate internal business purposes necessary to support the delivery of goods and services, such as for information technology operations and support; data analysis, data aggregation, and data de-identification/anonymization; and improving patient experiences and our products and services.

We may process your Health Data for other purposes as disclosed to you at the time you provide Health Data or with your consent.

To respond to inquiries concerning your data privacy rights.

Parties To Which We Disclose Health Data

We may disclose all the types of Health Data identified above to the following parties:

Service providers, to help us store, manage, and transmit Health Data concerning products, services, and programs.

Law Enforcement/Regulatory Bodies, where we are required to do so under applicable laws or local statutes, or with government or regulatory agencies consistent with our legal obligations.

Third parties associated with corporate transactions, including parties who collaborate with us to sponsor or administer any of the initiatives described in this Policy.

Advertising partners, which may collect Health Data about you over time and across different websites or online services you may visit. (*Note that this does not apply to Health Data collected in connection with our compassionate use or similar patient support program).

Your Privacy Rights

You may exercise your privacy rights, including the right to withdraw consent, obtain access to and request changes to, or the deletion of, your Health Data, by contacting us via our toll-free number at 855-722-2291 or clicking here.

Changes To This Policy

We may change this Policy from time to time. This may be necessary, for example, if the law changes or if we change how we process Health Data in a material way that requires us to change our Policy. We will post the updated Policy here and may also share material changes directly with you if required by law and if we have your contact information for a specific program or service that was impacted by the change to the Policy.

Our Contact Information

Comments, questions, or concerns about this Policy or our privacy practices may be directed to us via our toll-free number at 855-722-2291 or by clicking here.

Our mailing address is:

SpringWorks Therapeutics, Inc.
100 Washington Blvd
Stamford, CT 06902