Privacy Notice

This Privacy Notice applies to users or visitors to our website, investors, vendors, service providers, event delegates, any other member of the public providing us with unsolicited personal data, or if you contact us by any other means.

Definitions
When are We acting as a Data Controller?
How can I contact Crescent Biopharma?
Third party websites and links
Giving your reviews and sharing your thoughts
Children
How does Crescent Biopharma collect my Personal Data?
What Personal and Special Category Data does Crescent Biopharma collect about me, and what is the purpose and lawful basis for processing?
How We keep you updated on Our products and services
How long does Crescent Biopharma keep my Personal Data?
What are my data rights and can I object to you processing my Personal Data?
Providing us with other people’s data
Automated decision making and profiling
How do We protect your Personal Data?
Will Crescent Biopharma share my Personal Data with other organisations?
Will my data be processed outside my home country?
How can I make a complaint?
Updates and changes to this Privacy Notice
Revision history
Appendix A: Personal and Special Category Data processed, purpose, lawful basis and condition for processing in the EU and UK

1. Definitions

Term	Meaning
Crescent Biopharma, Inc. / Crescent Biopharma / Crescent Bio / CBIO / Affiliates / We / Our / Us	Crescent Biopharma, Inc., with its registered office in the U.S. at 300 Fifth Avenue, Waltham, MA 02451.
Cookies	Cookies are small text files stored on your device that help Us remember your actions and preferences. Cookies may store information about Your browsing history, preferences, or activity on the Service, helping to improve functionality, analytics, and user experience.
Data Protection Legislation	Means the EU General Data Protection Regulation, the UK General Data Protection Regulation, the UK Data Protection Act 2018 (DPA 2018), the UK Data (Use and Access) Act 2025, the Privacy and Electronic Communications Directive 2002/58/EC, the Privacy and Electronic Communications (EC Directive) Regulations 2003. Where our activities involve individuals in the United States, the term also includes applicable U.S. federal and state privacy laws governing personal information, such as the California Consumer Privacy Act (CCPA/CPRA) and any other relevant state legislation, to the extent they apply to our processing. Where our activities involve individuals in Australia or South Korea (officially, the Republic of Korea), the term also includes the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles, and the Personal Information Protection Act (PIPA) of the Republic of Korea, together with any regulations, guidance, or subordinate legislation issued under those laws to the extent they apply to our processing of personal data. For all other locations, the term also includes any data protection, privacy, or cybersecurity laws that apply to the personal data we process in those jurisdictions. This includes any replacement legislation coming into effect from time to time and any applicable local laws where the Data Subject are a resident, including, if relevant to the jurisdiction, Common Law (also referred to as case law or judge made law) as necessary to comply with the local law.
Data Controller	The natural or legal person, public authority, agency, or other body, which alone or jointly with others determines the purposes and means of the processing of Personal Data. In the context of this Privacy Notice, ‘Data Controller’ means Crescent Biopharma.
Data Processor	A natural or legal person, public authority, agency, or other body, which processes Personal Data on behalf of the Data Controller. In the context of this policy, ‘Data Processor’ means Our suppliers, vendors, or contractors that are delivering services under Our instruction.
Process/ Processing/ Data Processing	Means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Personal Data	Means any information relating to an identified or identifiable individual whose data we process.
Special Category Data	Categories of Personal Data that merit specific protection because of the additional risks to the individual’s fundamental rights and freedoms. These categories are closely linked with the freedom of thought, conscience, and religion, freedom of expression, freedom of assembly and association, the right to bodily integrity, the right to respect for private and family life, or freedom from discrimination. Special Category Data depends on your jurisdiction and may include information about any of the individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership (or non-membership), genetic data, biometric data, health or health condition, whether related to physical or mental health, sex life, sexual orientation.
Website	Means the Crescent Biopharma website, https://www.crescentbiopharma.com.

2. When are We acting as a Data Controller?

This Privacy Notice provides you with information on how We manage your personal data in your interactions with Us, regardless of your location.

Depending on your relationship with Us, We will hold and manage your information differently. We could be in possession of your information as a:

User or visitor to our websites or,
Investor, or
Vendor, or
Service provider, or
Delegate at an event, or
Any other member of the public providing Us with unsolicited Personal Data, or
If you contact Us by any other means.

This Privacy Notice details how We manage your information in all the above situations as a Data Controller unless otherwise stated. Unless otherwise stated, this Privacy Notice applies when We are acting as a Data Controller for your information.

In some cases, where We are collecting information for new or novel purposes, We will provide specific privacy information at the point that We collect your information. If We have provided the following to you, you should read Our:

Healthcare Professional Privacy Notice
Participant Privacy Notice (within the Participants Informed Consent Form)

If you are a website visitor, this Privacy Notice should be read together with our Cookie Notice.

Where there is a conflict between local law and the provisions of this Privacy Notice, local law will prevail.

3. How can I contact Crescent Biopharma?

If you would like to exercise one of your rights as set out in this Privacy Notice, or you have a question, query, or complaint about this Privacy Notice or the way your Personal Data is processed, please contact Us using the contact details below.

We have appointed DPO Centre Europe as Our EU Representative and DPO Centre Limited as Our UK Representative for data protection matters. The contact details for Our EU and UK Representative can be found below.

For EU residents:
- Email: DPO-EUrep@crescentbiopharma.com
- Phone: +34 91 905 3074 (answered in English and Spanish)
For UK residents:
- Email: DPO-UKrep@crescentbiopharma.com
- Phone: +44 (0) 203 797 6340 (answered in English)

For residents in all other countries, please contact Us by email on dpo@crescentbiopharma.com.

4. Third party websites and links

Our website may contain links to other sites operated by third parties. We do not control third party websites, and we are not responsible for their content, their privacy notices, or their use of Personal Data. Our inclusion of links to third party websites does not imply any endorsement of the content, of their owners or operators. Any information submitted by you directly to these third parties is subject to that third party’s own data protection obligations.

5. Giving your reviews and sharing your thoughts

When using Our website, you may be able to share information through social networks like LinkedIn and X. For example, when you ‘like’, ‘share’ or review Our services. When doing this, your Personal Data may be visible to the providers of those social networks and/or their other users. Please remember it is your responsibility to set appropriate privacy settings on your social network accounts, so you are comfortable with how your Personal Data is used and shared on them.

6. Children

While Our website is designed for a general audience, We will not knowingly collect Personal Data of children. If you believe We might have any Personal Data from or about a child, please email Us at dpo@crescentbiopharma.com.

7. How does Crescent Biopharma collect my Personal Data?

Where We are acting as a Data Controller, We may have obtained your Personal Data directly or indirectly through a number of channels.

We may have collected your information directly from you when you have:

Visited Our website
Completed a contact form
Contacted Us by phone
Signed up to receive marketing material
Responded to one of Our surveys
Met with or engaged with Us at an event, exhibition or conference
Visited Our office
Interacted with Us on social media platforms (such as LinkedIn)
Supported our clinical trials
Provided services or any other type of support to Us.
Invested in Our company.
Generally engaged with Us or Our service providers.
Otherwise provided it to Us

In some circumstances, We may collect your information indirectly, such as from:

Publicly available sources when it is in Our legitimate interest to do so.
Third party event companies we work with.

8. What Personal and Special Category Data does Crescent Biopharma collect about me, and what is the purpose and lawful basis for processing?

The table below outlines the types of Personal Data We may collect about you.

Personal data category	Examples of data items collected
Account information	Username, account ID, login details, passwords, user preferences, access logs.
Browser and user information	Certain technical and usage information may be automatically collected when you access or use the website, including IP address, browser type and version, operating system, pages visited, referring URLs, and the date and time of visits. Such information is used to support the operation, security, maintenance, and improvement of the website, enhance user experience, and analyze website performance and usage trends. Except where required by applicable law, such information is not used to directly identify individuals.
Contact details	First and last name, e-mail address and phone number
Company details	Company name, job titles, location of employment/workplace, employment history, working hours.
Complaint information	Details of the complaint, nature of the issue raised, supporting documents, and outcomes or resolutions.
Cookies	Unique identifiers / Cookie IDs, IP address, device information, browser type, pages viewed, time spent on site, log files, usage data, cookie IDs, account/technical data, timestamped interactions. Please refer to Our Cookie Notice.
Correspondence information	Copies of e‑mails, letters, meeting notes, and any communications exchanged with Us or Our service providers.
Identity information	Name, date of birth, photographs, driving licence, passport, professional licence number, or government ID number.
Financial information	Bank account details, financial information, and expenses details.
Surveys and opinions	Information you provide when you participate in Our surveys or provide feedback.
Website security	Cookies necessary for security purposes. Please refer to Our Cookie Notice.
Other information	Any other personal data that you choose to share with Us.

We generally process Personal Data about the following activities, to:

Maintain business records, audit trails and regulatory compliance.
Ensure our IT systems, website, network and data remain secure.
Manage financial accounting and corporate reporting.
Defend or respond to complaints, legal claims or regulatory enquiries.
Support business operations, administration and service improvement.

If you are a EU or UK residents, please refer to Appendix A for the Personal and Special Category Data processed, purpose, lawful basis, and condition for processing.

The legal basis for processing your Personal Data is based on compliance with a Legal Obligation, Contract, Our Legitimate Interest, or your Consent that We will have requested/stated at the point the information was initially provided, therefore, We will not store, process, or transfer your data unless We have an appropriate lawful reason to do so.

We will only use your Personal Data for the purposes for which We collected it, unless We reasonably consider that We need to use it for another reason and that reason is compatible with the original purpose.

If we need to use your Personal Data for an unrelated purpose, We will notify you and We will explain the legal basis which allows Us to do so.

Please note that We may process your Personal Data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

If you are an investor, vendor, or service provider, if you fail to provide certain information when requested, we may not be able to perform the engagement we have entered into with you. We may also be prevented from complying with our legal obligations, such as to ensure the health and safety of Our workers, compliance with right to work laws, and any local tax requirements.

9. How We keep you updated on Our products and services

We will send you relevant news about Our services in a number of ways, including by email, but only if We have a Legitimate Interest or your Consent to do so. Where We rely on Legitimate Interest, We have completed a Legitimate Interest Assessment for the processing activity, or, for data of UK residents acting in a business environment, We rely on the Corporate Subscriber exemption.

We make every effort to ensure that we only send such communications to those acting in a business capacity and do not send such materials to consumers via personal email addresses if it is clear they are not acting in such a capacity.

For individuals in California, We do not share personal information as defined by California Civil Code Section 1798.83 (“Shine The Light Law”) with third parties for their direct marketing purposes.

When We send you marketing by email, each email communication will have an option to object to the processing. If you wish to amend your marketing preferences, you can do so by following the link in the email you receive from Us and updating your preferences, or by contacting Us at dpo@crescentbiopharma.com.

10. How long does Crescent Biopharma keep my Personal Data?

The period for which We will retain Personal Data is outlined in our Data Retention Policy. Data retention will vary depending on the purposes that it was collected for, as well as the requirements of any applicable law or regulation. We may also retain your Personal Data for longer periods where We need to exercise, establish, or defend against legal claims, but we will never retain your information for longer than is necessary. When Personal Data is no longer required, We delete or anonymise data in line with Data Protection Legislation and appropriate industry guidance.

We consider the retention period to begin from the point at which We last contacted you or otherwise reviewed your record to determine whether it was still active, unless otherwise required by law.

11. What are my data rights and can I object to you processing my Personal Data?

It is important that the Personal Data we hold about you is accurate and current. Please keep Us informed if your Personal Data changes during or after your engagement with Us.

Where We are acting as a Data Controller, and under certain circumstances, by law you may have the right to:

Request access to your Personal Data (commonly known as a Data Subject Access Request (DSAR)). This enables you to receive a copy of the Personal Data We hold about you.
Request correction of the Personal Data that We hold about you.  This enables you to have any incomplete or inaccurate information We hold about you corrected.
Request erasure of your Personal Data.  This enables you to ask Us to delete or remove Personal Data where there is no good reason for Us continuing to process it.  You also have the right to ask Us to delete or remove your Personal Data where you have exercised your right to object to processing.
Object to processing of your Personal Data where We are relying on a legitimate interest (or those of a third party) and there is something about your situation which makes you want to object to processing on this ground.  You also have the right to object where We are processing your Personal Data for direct marketing purposes.
Request the restriction of processing of your Personal Data. This enables you to ask Us to suspend the processing of Personal Data about you.
Request the transfer of your Personal Data to another party.
Right to withdraw Consent. In the limited circumstances where We are processing your data on the basis of Consent you have provided Us, and We have no other legal justification or obligation to continue the processing, you have the right to withdraw your Consent for that specific processing at any time.

 For your protection and to protect the privacy of others, in some circumstances, We may need to verify your identity before completing your request.

If you object to Us using your Personal Data or withdraw Consent for Us to use your Personal Data (when We are processing your Personal Data based on your Consent) after initially giving it to Us, We will respect your choice in line with applicable law.

If you would like to exercise any of these rights or would like to confirm the accuracy of your information, please contact dpo@crescentbiopharma.com.

12. Providing us with other people’s data

If you give us any Personal Data that does not relate to, you must ensure that you have the required legal basis to collect and share their Personal Data. You must also tell them what information you have given to Us, and make sure they agree we can use it as set out in this Privacy Notice. You must also tell them how they can see what information We have about them, correct any mistakes or request copies of their Personal Data.

13. Automated decision making and profiling

You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making.

14. How do We protect your Personal Data?

We have put in place appropriate security measures to prevent your Personal Data from being accidentally lost, used, or accessed in an unauthorised way, altered, or disclosed. In addition, We limit access to your Personal Data to those employees, contractors, and trusted third parties who have a business need-to-know basis for the purpose of supporting Us to deliver Our services.

Examples of Our security measures include:

Limiting access to Our buildings to those that We believe are entitled to be there by use of passes.
Implementing access controls to Our information technology.
Personal Data stored in hard copy will be stored in locked filing cabinets in the office, and access to information will be limited on a need-to-know basis.
Ensuring there are appropriate procedures and technical security measures (including strict encryption, anonymisation, and archiving techniques) to safeguard your Personal Data across all Our systems, website, and offices.
When We work with trusted third parties, known as Data Processors, who help to deliver Our services or manage Our business, We carry out due diligence checks to review a third parties’ compliance with Data Protection Legislation before We work with them and ensure there are appropriate contracts in place before a Data Processor processes any Personal Data.
Regular training for staff on information security and data protection.
We have procedures in place to deal with any suspected data security breaches and will notify you and any applicable regulator of a suspected breach where We are required to do so.
Policies and procedures to cover data protection matters including security incidents, Personal Data breaches, and data subject right requests. We will notify you and any applicable regulator of a suspected breach where We are required to do so.

15. Will Crescent Biopharma share my Personal Data with other organisations?

We may disclose the Personal Data We hold about you to:

Any other member of Crescent Biopharma or business partners.
With companies affiliated with Us when this is necessary to deliver Our services.
Banks and other financial institutions.
Payment service providers.
For vendors and service providers, your employer or the corporate entity that you represent, solely for the purposes of providing the Services to you and/or your employer where We have a contract with your employer or the company you represent.
Third party companies in the event that We are involved in a corporate transaction, such as an actual or potential merger, joint venture, consolidation, or asset sale, or, if the ownership of our business, assets, or drug development rights is transferred to another entity, whether through merger, acquisition, sale, or licensing. We may share your Personal Data with the acquiring or licensing entity. This is to ensure continuity of research, regulatory obligations, and product development. The receiving entity will be required to process your Personal Data in accordance with applicable data protection laws and the purposes outlined in this Privacy Notice, or as otherwise communicated to you at the time of transfer. We may, from time to time, expand or reduce Our business and this may involve the sale and/or the transfer of control of all or part of Our business. Any Personal Data that you have provided will, where it is relevant to any part of Our business that is being transferred, be transferred along with that part and the new owner or newly controlling party will, under the terms of this Privacy Notice, be permitted to use that data only for the purposes for which it was originally collected by Us.
Our professional advisors, such as lawyers, accountants, auditors, financial services providers, and other professionals.
Our service providers as Data Processors on Our behalf, including IT hosting companies – We may engage other companies and individuals to perform functions on Our behalf. We use Data Processors who are third parties who provide elements of services for Us. We have Data Processor Agreements in place with Our Data Processors. This means that they cannot do anything with your Personal Data unless We have instructed them to do it. They will not share your Personal Data with any organisation apart from Us or further Sub-Processors who must comply with Our Data Processor Agreement. They will hold your Personal Data securely and retain it for the period We instruct. Further, they must process the Personal Data in accordance with this Privacy Notice and as permitted by applicable data protection laws. Examples include data storage and hosting, IT provision, network monitoring, and analytics on systems and services.
We share account and other Personal Data when We believe sharing is appropriate to comply with the law, enforce or apply Our agreements with third parties, or protect the rights, property, or safety of Our Staff Members or others. This includes exchanging information with other companies and organisations for fraud protection and credit risk reduction. However, this does not include selling, renting, sharing, or otherwise disclosing personally identifiable information from customers for commercial purposes in a way that is contrary to the commitments made in this Privacy Notice.
Regulatory authorities as required by any such authority, including tax authorities.
Law enforcement agencies, courts, and other relevant tribunals.

16. Will my data be processed outside my home country?

Your data will be processed in the U.S as We are a U.S. based company. Our third-party Data Processors may be based outside your home country, in countries such as the US.

Where you are based in the EU or UK and we were required to transfer your Personal Data out of the EU or UK to countries not deemed by the European Commission or UK government/authorities to provide an adequate level of Personal Data protection, the transfer will be based on safeguards that allow us to conduct the transfer in accordance with the Data Protection Legislation, such as the specific contracts containing standard data protection clauses approved by the UK government or European Commission (as relevant) providing adequate protection of Personal Data. If you would like more information about how your Personal Data may be transferred, or a copy of this documentation, please contact Us at dpo@crescentbiopharma.com.

17. How can I make a complaint?

You have the right to make a complaint if you are unhappy about how your Personal Data is processed. However, We would appreciate the chance to deal with your complaint before you approach the Supervisory Authority, so please contact Us in the first instance at dpo@crescentbiopharma.com. Your satisfaction is extremely important to Us and We will always do Our very best to solve any problems you may have. If you remain dissatisfied, you may wish to contact the Supervisory Authority.

You have the right to complain about the use of your Personal Data to the local Supervisory Authority. Depending on your jurisdiction, it is possible that a different regulator or Supervisory Authority may govern the processing of Personal Data. Your government’s website should be able to point you in the right direction of the relevant regulatory body.

If you are located within the EEA, you can find the contact details for your local Supervisory Authority on the link below.

https://www.edpb.europa.eu/about-edpb/about-edpb/members_en

In the UK, the Supervisory Authority is the Information Commissioner’s Office, they can be contacted by:

Phone: 0303 123 1113
Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Email: icocasework@ico.org.uk
Online

18. Updates and changes to this Privacy Notice

We may change this Privacy Notice from time to time, for example, if the law changes. Any changes become effective when We publish an update to this Privacy Notice. Any changes will be effective immediately upon posting of the revised Privacy Policy and updating the “last modified” date. If there are significant changes, providing that we have your email address, We may contact you to notify you of the update.

19. Revision history

No.	Detail/Changes	Last modified
V1.0	First draft of the Privacy Policy.	March 2025
V2.0	Comprehensive update to cover the laws referenced in the definition of Data Protection Legislation.	May 8, 2026

Appendix A: Personal and Special Category Data processed, purpose, lawful basis and condition for processing in the EU and UK

What activity is being carried out with the data?	What personal data is processed? (Personal data category)	What special category data is processed?	What is the EU/UK GDPR lawful basis for processing personal data?	What is the EU/UK GDPR condition for processing special category data?	If processing special category data and the GDPR Articles 9 (b), (h), (i) or (j) apply, what is the UK Data Protection Act 2018 condition for processing special category data?	If processing special category data and the GDPR Article 9 (g) applies, what is the UK Data Protection Act 2018 condition for processing special category data?
Service management: To monitor, provide and maintain our service.	Contact details; Cookies.	No special category data processed.	6 (1) (b) Contract 6 (1) (f) Legitimate Interest	Not applicable as special category data will not be processed	Not applicable as Articles 9 (b), (h), (i) or (j) do not apply.	Not applicable as Article 9 (g) does not apply.
Following up with enquiries: Customer service enquiries, reply to suggestions, issues, questions or complaints you have contacted Us about. Communicating with you and facilitating your communication with others.	Contact details; Correspondence information; Complaint information; Account information.	No special category data processed.	6 (1) (f) Legitimate Interest	Not applicable as special category data will not be processed	Not applicable as Articles 9 (b), (h), (i) or (j) do not apply.	Not applicable as Article 9 (g) does not apply.
Data subject rights requests: To manage data subject right requests.	Contact details; Identity information; Correspondence information; Complaint information; Account information.	No special category data processed.	6 (1) (c) Legal obligation	Not applicable as special category data will not be processed	Not applicable as Articles 9 (b), (h), (i) or (j) do not apply.	Not applicable as Article 9 (g) does not apply.
Investor management: To manage our investors, including anti-money laundering, anti-bribery and “know your client” processes, administration of investment, provision of investor services legal and regulatory compliance, and relationship management.	Contact details; Financial information; Identity information.	No special category data processed.	6 (1) (b) Contract 6 (1) (c) Legal obligation	Not applicable as special category data will not be processed	Not applicable as Articles 9 (b), (h), (i) or (j) do not apply.	Not applicable as Article 9 (g) does not apply.
Vendor management: To manage our vendors and service providers.	Contact details; Financial information; Contract information; Company details.	No special category data processed.	6 (1) (b) Contract 6 (1) (f) Legitimate Interest	Not applicable as special category data will not be processed	Not applicable as Articles 9 (b), (h), (i) or (j) do not apply.	Not applicable as Article 9 (g) does not apply.
Payments: Taking payment from you or giving you a refund and associated financial accounting.	Contact details; Financial information.	No special category data processed.	6 (1) (b) Contract 6 (1) (c) Legal obligation	Not applicable as special category data will not be processed	Not applicable as Articles 9 (b), (h), (i) or (j) do not apply.	Not applicable as Article 9 (g) does not apply.
Legal claims: To respond to and defend against legal claims, where you have provided us with information which may give rise to legal claims.	Contact details; Other information.	No special category data intentionally processed unless you have chosen to share it with Us.	6 (1) (c) Legal obligation 6 (1) (f) Legitimate Interest	9 (2) (f) Legal claims	Not applicable as Articles 9 (b), (h), (i) or (j) do not apply.	Not applicable as Article 9 (g) does not apply.
IT Administration: To ensure that Our business (website, IT network and infrastructure) is safe and secure.	Account information; Browser and user information; Contact details; Company details; Complaint information; Cookies; Correspondence information; Identity information; Financial information; Surveys and opinions; Website security; Other information.	No special category data processed.	6 (1) (f) Legitimate Interest	Not applicable as special category data will not be processed	Not applicable as Articles 9 (b), (h), (i) or (j) do not apply.	Not applicable as Article 9 (g) does not apply.
Analytics: To use data analytics to improve our website, products, services, marketing, customer relationships and experience, and to deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising We serve to you.	Account information; Cookies; Browser and user information; Surveys and opinions.	No special category data processed.	6 (1) (a) Consent 6 (1) (f) Legitimate Interest	Not applicable as special category data will not be processed	Not applicable as Articles 9 (b), (h), (i) or (j) do not apply.	Not applicable as Article 9 (g) does not apply.
Marketing: Contacting you about news stories, and information relevant to our products and services.	Contact details; Browser and user information; Cookies Surveys and Opinions.	No special category data processed.	6 (1) (a) Consent 6 (1) (f) Legitimate Interest	Not applicable as special category data will not be processed	Not applicable as Articles 9 (b), (h), (i) or (j) do not apply.	Not applicable as Article 9 (g) does not apply.

Contents