Privacy Notice
Last Updated: December 10, 2024
This Privacy Notice applies to the processing of Personal Information by Maze Therapeutics, Inc. (“Maze,” “we,” “us,” or “our”) including on our website available at www.mazetx.com and our other online and offline offerings which link to, or are otherwise subject to, this Privacy Notice (collectively, the “Services”).
Maze is headquartered in South San Francisco, California in the United States (“U.S.”). Many of our IT and other functions are administered centrally by Maze in the U.S., and any information you provide or we collect may be transmitted for processing and/or storage to a country other than your country of residence, and it may also be communicated to third parties hired by us to provide services such as website hosting, database management, or analytics. By using the Services, you consent to the collection, use, storage, and processing of your Personal Information in the United States and in any country to which we may transfer your Personal Information as part of our business operations. For more information, please see International Transfers of Personal Information.
If your Personal Information is processed in the European Economic Area (“EEA”), please see our Supplemental European Privacy Notice, developed pursuant to European data protection laws.
Please review this Notice carefully. To the extent permitted by applicable law, by providing us your Personal Information or otherwise interacting with us, you are agreeing to this Notice. We may update this Privacy Notice from time to time in our sole discretion. If we do, we’ll let you know by posting the updated Privacy Notice on our website, and/or we may also send other communications.
Click on any of the links below to visit the specific area of this Privacy Notice or continue scrolling to read this Privacy Notice in its entirety.
PERSONAL INFORMATION WE COLLECT
HOW WE USE PERSONAL INFORMATION
HOW WE DISCLOSE PERSONAL INFORMATION
HOW WE PROTECT PERSONAL INFORMATION
INTERNATIONAL TRANSFERS OF PERSONAL INFORMATION
RETENTION OF PERSONAL INFORMATION
YOUR PRIVACY CHOICES AND RIGHTS
CHILDREN’S PERSONAL INFORMATION
THIRD-PARTY WEBSITES/APPLICATIONS
ANNEX A – SUPPLEMENTAL U.S. PRIVACY NOTICE
ANNEX B – SUPPLEMENTAL CONSUMER HEALTH DATA PRIVACY STATEMENT
ANNEX C – SUPPLEMENTAL EUROPEAN PRIVACY NOTICE
ANNEX D – CONSUMER HEALTH DATA AUTHORIZATION
PERSONAL INFORMATION WE COLLECT
This section describes information individuals might choose to provide to us voluntarily, as well as our practices for the automatic collection and use of visitors’ device-related information and analytics information, such as visitors’ IP addresses and information related to the use and navigation of our Services.
We define Personal Information as information that can (directly or indirectly) identify, locate, or be used to contact you or communicate with you, such as your name, address, telephone number, e-mail address, characteristics, or descriptions (such as gender and date of birth), and other similar and associated information (“Personal Information”). Personal Information includes certain subsets of Personal Information considered “sensitive” or “special” pursuant to applicable laws, such as information about health or medical status, healthcare products used, or treatment or other services received (collectively, “Sensitive Personal Information”).
Information You Provide
In most cases, we collect Personal Information directly from you. We will ask you for Personal Information when you interact with us, for example, when you use any interactive features or applications or sign up to receive a newsletter. In addition, a clinical trial participant who has enrolled in a clinical trial sponsored by Maze may choose to share his or her experiences with us, and a clinical trial investigator might ask us to send information about one or more of our pipeline products. In limited circumstances, such as an adverse event with one of our products, we may also be required to obtain Personal Information about your medical condition to enable required reporting to government regulatory agencies. Before providing Sensitive Personal Information to us, we urge you to carefully consider whether to disclose it. If you do provide Sensitive Personal Information to us, you are consenting to its use and disclosure for the purposes and in the manner described at the time of collection and as set forth in this Privacy Notice.
Through your use of our Services, you may choose to provide us with Personal Information identifying you or your family members. This Personal Information may include a person’s name, postal or email address, phone number, Social Security or national identifying number, information about your health or medical condition, or any other information allowing Maze to identify or contact you.
In addition, some aspects of our Services may be restricted to use only by licensed health care professionals and access to such Services may require Personal Information to facilitate registration and verification. In these instances, to fulfill your request to use these Services, we may ask for Personal Information such as your name, postal or email address, phone number, and perhaps a medical license number or other information to verify eligibility to view certain restricted content or to allow you to register for an event. Health care professionals should ensure they have obtained their patient’s consent (where required) before submitting personal or medical information about their patients.
Information We Collect Automatically
Additionally, through your use of the Services, we collect information related to your use by automated means, such as the date and time of your website sessions, movements across our websites, and the browser information and operating system you use and other system settings, as well as the language your system uses and the country, region, and time zone where your device is located (collectively, “Usage Data”).
Usage Data also includes the IP Address of the device used to connect to the Internet collected by our website server logs. An IP address is the unique identifier used by connected devices to identify and communicate with each other on the Internet. In certain circumstances, where we link Usage Data and Personal Information, Usage Data may be considered Personal Information. Usage Data may also allow us to identify the country you are visiting from, so we may direct you automatically to the content appropriate for your country.
Digital Advertising, Cookies and Other Data Collection Technologies
When you visit our websites, we collect different types of Usage Data by automated means, using technologies such as APIs, web services, scripts, cookies, pixels, tags, web beacons, browser analysis tools, and server logs. Using these technologies, we may also collect data about the website you were visiting before and after you came to a Maze website. We may also use vendors, such as Adobe and Google, to place cookies and collect data to enable certain services we use, including advertising, visitor tracking, personalization, site analytics and security services, including reCAPTCHA, and the data may be disclosed to our vendors for these purposes.
Other data may be disclosed to vendors providing additional services integrated into our Services, including performance monitoring, user experience components such as user interface frameworks, images and web fonts, maps, and ecommerce functionality. When we send email communications, we may place a web beacon or similar tracking technology in the email to know whether your device may receive HTML emails or to collect data on whether the email or an attachment or link in the email has been opened or forwarded.
When you visit our websites, we may place cookies on your computer. Cookies are small text files used by websites and mobile apps to uniquely identify your browser and/or to store data or settings in your browser. Cookies allow us to recognize you when you return. They also help us provide a customized experience and enable us to detect certain kinds of fraud. Please note, some of our websites may use Web Storage instead of cookies.
We may use or request to use cookies from third-party advertising companies that may place an advertising tag on your web browser. The advertising tag allows third parties to serve our ads to you on other websites and digital services. These companies may use information obtained from cookies and other data collection tools to measure advertising effectiveness and provide advertisements of interest to you on these other websites.
You may opt out of receiving targeted advertising from Network Advertisers by clicking the “Ad Options” icon on the advertisements or by going to www.networkadvertising.org. In addition, the Digital Advertising Alliance maintains a website where consumers can opt out of receiving interest-based advertising from some or all of the network advertising companies participating in the program (www.AboutAds.info/choices).
In many cases, the data we collect using cookies and other tools is only used in a non-identifiable way, without any reference to Personal Information. However, under some privacy and data protection laws, this data could be considered Personal Information. This Privacy Notice governs how we use this data when it is considered your Personal Information.
Information Collected from Third Parties
We recognize we might receive Personal Information in ways other than through our Services. We collect information about potential customers for the purposes of providing our products and services, such as contact information, financial/billing information, and any other information provided to us during the course of doing business. Physicians also notify us of complaints or adverse events with our products and may inadvertently include information about the patient’s health. We also maintain records of interest in clinical studies and attendance at educational and other events we host.
We also collect information from our vendors, suppliers, consultants, professional advisors, and other third parties for the purposes of managing and operating our business. For example, we will collect business contact information, financial information, and other information necessary to engage our suppliers and other business partners and to evaluate their performance.
HOW WE USE PERSONAL INFORMATION
Personal Information is given the same protection by us, whether we receive it through a website or by other means. The descriptions below apply to Personal Information collected or received by us, no matter how the information was received.
If you choose to provide Personal Information to us, Maze may use your Personal Information for a range of business, operational, and legal purposes, including to:
- Respond to your specific inquiry or request, and to provide you with information and access to resources you have requested from us;
- Provide, operate, and maintain the Services;
- Improve the navigation and content of our websites, system administration, and security;
- Provide you with general health information (such as information on certain health conditions) as well as information about our products and services;
- Provide you with marketing communications and offers for products and services and to deliver advertising (including targeted advertising) to you on this and other websites;
- Process and complete transactions;
- Manage our relationships, including to respond to inquiries and comments;
- Create anonymized or de-identified data so it is no longer Personal Information;
- Carry out research and development; or
- Carry out other legitimate business purposes, and other purposes about which we will notify our users.
Furthermore, if you visit one of our facilities, we collect certain limited Personal Information as part of our visitor management processes, including your name, your contact details, your Maze host’s name, your photograph, and license plate number, for the purposes of protecting the health and safety of all those who visit and work from our facilities. At certain locations, we may use CCTV which takes recordings for security surveillance purposes.
We will give you an opportunity to tell us whether we may use your Personal Information to send you other information about Maze’s products, activities, or opportunities. In most circumstances, you will be able to “unsubscribe” from these communications by following the instructions provided at the time you sign up for the communications or are included in such communications. Maze does not sell Personal Information to third parties for the third parties’ marketing purposes.
We may use the Usage Data and the device-related and analytics information we and our partners collect during your future visits. This information allows us to direct you to specific content on our websites you may find of interest and to remember your computer/device the next time you visit. If you visit multiple Maze websites, we may aggregate the Usage Data and such information from your visits to better understand usage of and across our websites.
We may also aggregate device-related and analytics information collected from website visitors to help us improve our websites by monitoring interest in the content and understanding how visitors navigate the websites. This information may also help us identify problems with our websites.
If you choose to provide Personal Information to us, we may combine that information with the non-Personal Information collected through IP address recognition and cookies to help us understand your specific interests and deliver pertinent information to you.
HOW WE DISCLOSE PERSONAL INFORMATION
While we do not directly sell, rent, or loan your Personal Information, we may share your information with companies, organizations, and individuals outside of Maze as described below.
Please note certain U.S. state laws have adopted a broad definition of a “sale” and may treat certain of these disclosures as “sales” under their definitions. Please see our “Supplemental U.S. Privacy Notice” for additional information.
We may share your Personal Information with Maze’s affiliates, with our business collaborators, and our product co-promotion and co-development partners, marketing and advertising agencies, and social media companies and platforms for the purposes as described in this Privacy Notice.
We may share Personal Information with our service providers, who are bound by law or contract to protect Personal Information and only use such Personal Information in accordance with our instructions or the agreements we have signed. For example, we may share Personal Information with service providers who provide data processing or fulfilment services for us.
We may disclose Personal Information for legal and law enforcement purposes. This includes in response to legal process, for example, in response to a court order or a subpoena, or in response to a law enforcement agency’s request. For example, if you use our websites to report an adverse product experience, we may be required to report such information to the U.S. Food and Drug Administration (“FDA”) or to similar regulatory agencies in other countries.
We also may disclose such information to third parties: (i) in connection with fraud prevention activities, (ii) where we believe it is necessary to investigate, prevent, or take action regarding illegal activities, (iii) in situations that may involve violations of our terms of use or other rules, (iv) to protect our rights and the rights and safety of others, (v) as needed to support external auditing, compliance and corporate governance functions, and (vi) as otherwise required by law.
We may also disclose your Personal Information to a third party in connection with the sale, assignment, or other transfer of Maze’s asset(s), which may include our websites to which the information relates. We will make it clear to the third-party purchaser that it may only use Personal Information received from us for purposes consistent with this Privacy Notice. However, in the event of a sale or merger, your continued use of such websites may signify your agreement to be bound by the Privacy Notice and other applicable terms of the subsequent owner or operator.
Please note we may also disclose data about you that is not personally identifiable. For example, we may publish reports containing aggregate and statistical data about our customers.
Finally, we may alternatively request your consent to share your Personal Information with some third parties. In those circumstances, we will only share your Personal Information with your consent.
HOW WE PROTECT PERSONAL INFORMATION
Consistent with applicable laws and requirements, we have implemented reasonable physical, technical, and administrative safeguards designed to protect Personal Information from loss, misuse, alteration, theft, unauthorized access, and unauthorized disclosure consistent with legal obligations and industry practices. However, as is the case with all websites, applications, products, and services, we are unable to guarantee complete security for information collected through our websites and Services.
We are not responsible for any interception or interruption of any communications or for changes to or losses of information through the internet. Users of our websites and Services are responsible for maintaining the security of any password, user ID, or other form of authentication involved in obtaining access to password protected or secure areas of our websites. It is your responsibility to safeguard any passwords, ID numbers, or similar individual information associated with your use of our websites and Services. Any access to our websites and Services through your user ID and password will be treated as authorized by you. If we believe it is necessary or advisable to help protect your Personal Information and/or the integrity of our websites and Services, we may suspend your use of all or part of our websites and Services without notice.
Unauthorized access to any of our websites or Services is prohibited and may lead to criminal prosecution.
INTERNATIONAL TRANSFERS OF PERSONAL INFORMATION
All personal information processed by us may be transferred, processed, and stored anywhere in the world, including, but not limited to, the United States or other countries, which may have data protection laws that are different from the laws where you live. These countries may or may not have adequate data protection laws as defined by the data protection authority in your country.
If we transfer personal information from the European Economic Area, Switzerland, and/or the United Kingdom to a country that does not provide an adequate level of protection under applicable data protection laws, one of the safeguards we may use to support such transfer is the EU Standard Contractual Clauses.
For more information about the safeguards we use for international transfers of your personal information, please contact us as set forth below.
RETENTION OF PERSONAL INFORMATION
We retain information for so long as it is necessary and relevant for our business, operational, and legal purposes. In addition, we retain Personal Information to comply with applicable law, prevent fraud, resolve disputes, troubleshoot problems, assist with any investigation, enforce our Terms of Use, and other actions permitted by law. When your Personal Information is no longer needed for Maze’s business, operational, and legal purposes, we dispose of it subject to applicable law. Whenever possible, we aim to de-identify the information or otherwise remove some or all information identifying you from records we may need to keep for periods beyond the specified retention period.
YOUR PRIVACY CHOICES AND RIGHTS
Your Privacy Choices. The privacy choices you may have about your Personal Information are described below.
- Email Communications. If you receive an unwanted promotional email from us, you can use the unsubscribe functionality found at the bottom of the email to opt out of receiving future emails. Note that you will continue to receive transaction-related emails. We may also send you certain non-promotional communications regarding us and the Services, and you will not be able to opt out of those communications (e.g., communications regarding the Services or updates to this Privacy Notice).
- Do Not Track signals and Global Privacy Control. Certain web browsers and other programs may transmit “do-not-track” “opt-out” signals, also called a Global Privacy Control (or “GPC”) signal (we refer to these as “GPC Signals”), to websites with which the browser communicates. In most cases you will need to change your web browser’s settings or add an application to your web browser to enable your browser to send a GPC Signal. Our websites will recognize GPC Signals for website users differently, based on the location of the user when they access our websites. For users that access our websites from U.S. states that have laws requiring recognition of GPC Signals, we will recognize and apply the GPC Signal to inactivate all the cookies for that website, except for cookies that are necessary for the website to operate. Additionally, if you are accessing our websites from one of these states, you can determine if your browser GPC Signal has been recognized by clicking on the “My Privacy Choices” link in the footer of the website and checking that appropriate cookies have been turned off. For users from states not currently requiring recognition of the GPC Signal, our website servers may recognize and apply the GPC Signal for only advertising and social media cookies but will not apply the GPC Signal to functional or performance cookies. You can always check and adjust your cookie settings by going to the “My Privacy Choices” link in the footer of this website.
Some web browsers incorporate other “do-not-track” (“DNT”) or similar features that signal to websites with which the browser communicates that a visitor does not want to have their online activity tracked. As of the Effective Date, not all browsers offer a DNT option and DNT signals are not yet uniform. For this reason, we along with many other digital service operators do not respond to all DNT signals. We recognize GPC signals as required under certain state privacy laws, but we do not currently recognize other DNT signals. For more information about the Global Privacy Control, please visit https://globalprivacycontrol.org.
- Cookies. You may stop or restrict the placement of technologies on your device or remove them by adjusting your preferences as your browser or device permits. However, if you adjust your preferences, the Services may not work properly.
Please note that cookie-based opt-outs are not effective on mobile applications. However, you may opt out of certain tracking on some mobile applications by following the instructions for Android, iOS, and others.
The online advertising industry also provides mechanisms that may allow you to opt out of receiving targeted ads from organizations that participate in self-regulatory programs. To learn more, visit the Network Advertising Initiative, the Digital Advertising Alliance, and the European Digital Advertising Alliance.
Please note you must separately opt out in each browser and on each device.
Your Privacy Rights. In accordance with applicable law, you may have the right to:
- Confirm Whether We Are Processing Your Personal Information;
- Request Access to or Portability of Your Personal Information;
- Request Correction of Your Personal Information;
- Request Deletion of Your Personal Information;
- Request Restriction of or Object to our Processing of Your Personal Information; and
- Withdraw Your Consent to our Processing of Your Personal Information. Please note that your withdrawal will only take effect for future processing and will not affect the lawfulness of processing before the withdrawal.
If you would like to exercise any of these rights, please contact us as set forth in “Contact Us” below. We will process such requests in accordance with applicable laws.
Some laws may allow you to appeal our decision if we decline to process your request. If applicable laws grant you an appeal right, and you would like to appeal our decision with respect to your request, you may do so by informing us of this and providing us with information supporting your appeal.
- Data Privacy Rights – U.S. States with Privacy Laws
U.S. consumers residing in a state with a comprehensive privacy law, such as California, should visit the Supplemental U.S. Privacy Notice for more information regarding their privacy rights and the designated methods for making data subject rights requests under their respective state laws.
If you are a consumer residing in a U.S. state with a comprehensive consumer health data privacy law, such as the state of Washington or Nevada, please review our Supplemental Consumer Health Data Privacy Statement for our privacy practices related to consumer health data.
- Data Privacy Rights – EEA
Consumers whose Personal Information is collected and/or processed in the EEA should visit our Supplemental European Privacy Notice for more information regarding their privacy rights and choices.
CHILDREN’S PERSONAL INFORMATION
Maze does not intend to collect Personal Information from children under the age of majority without consent from the child’s parent or legal guardian. We do not share Personal Information of anyone under the age of majority with anyone outside of Maze (except where required by law, with consent, or to our agents who have committed to maintain data privacy).
Children under the age of majority should not submit any Personal Information to us without the express permission of their parent or legal guardian. If Maze learns a child under the age of majority has provided us with Personal Information about themselves or another user has provided such information without appropriate parental or guardian consent, we will delete such information from our active databases in accordance with applicable law, unless we are required by law to retain it. If you believe your child has submitted Personal Information and you would like to request their information be removed from our systems, please use the contact information in the Contact Us section below. We will make reasonable efforts to comply with your request.
THIRD-PARTY WEBSITES/APPLICATIONS
The Services may contain links to other websites and applications and such websites and applications may reference or link to our Services. These third-party services are not controlled by us. We encourage our users to read the privacy policies of each website and application with which they interact. We do not endorse, screen, or approve, and are not responsible for, the privacy practices or content of such other websites or applications. Providing Personal Information to third-party websites or applications is at your own risk.
CONTACT US
Maze is the controller of the Personal Information we process under this Privacy Notice.
If you have any questions about our privacy practices or this Privacy Notice, or to exercise your rights as detailed in this Privacy Notice, please contact us at:
Maze Therapeutics, Inc.
171 Oyster Point Blvd, Suite 300
South San Francisco, CA, 94080
(650) 850-5070
EU Representative:
MyData-Trust France
Rue de Rennes, 140b
75006 Paris, France
UK Representative:
MyData-Trust LTD
Belmont Building, Belmont Road
Uxbridge, England, UB8 1HE
If you wish to receive a response by email, please be sure to include your name, postal address, and email address. If we do not receive an email address, we will respond by postal mail.
ANNEX A – SUPPLEMENTAL U.S. PRIVACY NOTICE
This Supplemental U.S. Privacy Notice supplements our Privacy Notice and only applies to our processing of Personal Information from U.S. consumers residing in a state with a comprehensive privacy law.
Notice at Collection
At or before the time of collection, U.S. consumers residing in a state with a comprehensive privacy law have a right to receive notice of our privacy practices. Such consumers can find this information below.
- Personal Information Collected. See the section of this Supplemental U.S. Privacy Notice titled “Overview of Personal Information Collected, Disclosed, Sold and/or Shared” for a list of Personal Information which may be collected.
- Uses of Personal Information. See the section of this Supplemental U.S. Privacy Notice titled “Uses of Personal Information” for a list of the purposes for which we use Personal Information.
- Is Personal Information “Sold” or “Shared” for “Cross-Context Behavioral Advertising”? See the section of this Supplemental U.S. Privacy Notice titled “Overview of Personal Information Collected, Disclosed, Sold and/or Shared” for more details. See the section of this Supplemental U.S. Privacy Notice titled “‘Sales’ of Personal Information and/or ‘Sharing’ for ‘Cross-Context Behavioral Advertising’” for instructions on how to opt out of these activities.
- For How Long is Personal Information Retained? To determine the appropriate retention period for Personal Information, we consider applicable legal requirements, the amount, nature, and sensitivity of the Personal Information, certain risk factors, the purposes for which we process your Personal Information, and whether we can achieve those purposes through other means.
- Additional Information. For more information on our privacy practices, please review this Supplemental U.S. Privacy Notice and our Privacy Notice. Importantly, the section of our Privacy Notice titled “Your Privacy Rights” includes important details about how you can exercise the rights afforded to U.S. consumers residing in a state with a comprehensive privacy law.
CATEGORIES OF SOURCES FROM WHICH PERSONAL INFORMATION IS COLLECTED
We collect Personal Information that you provide to us, that is collected automatically when you use the Services, and that comes from third-party sources.
OVERVIEW OF PERSONAL INFORMATION COLLECTED, DISCLOSED, SOLD, AND/OR SHARED
U.S. consumers residing in a state with a comprehensive privacy law are provided with the right to know what categories of Personal Information Maze has collected about them, whether Maze disclosed that Personal Information for a business purpose (e.g., to a service provider), whether Maze “sold” that Personal Information, and whether Maze “shared” that Personal Information for “cross-context behavioral advertising” in the preceding twelve months. U.S. consumers residing in a state with a comprehensive privacy law may find this information below:
| Category of Personal Information Collected by Maze | Category of Third Parties to Whom Personal Information is Disclosed for a Business Purpose | Category of Third Parties to Whom Personal Information is Sold and/or Shared |
| --- | --- | --- |
| Identifiers: A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, or other similar identifiers. | | |
| Commercial information: Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies. | | |
| Internet or other electronic network activity: Browsing history, search history, information on a consumer’s interaction with an internet website, application, or advertisement. | | |
| Inferences drawn from other Personal Information to create a profile about a consumer: Profile reflecting a consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. | | |
| Personal information that reveals a consumer’s social security, driver’s license, state identification card, or passport number | | |
| Personal information that reveals a consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account | N/A | |
| Personal information that reveals a consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership | | |
| Personal information collected and analyzed concerning a consumer’s health | | |
| Personal information collected and analyzed concerning a consumer’s sex life or sexual orientation | | |
USES OF PERSONAL INFORMATION
We may use and disclose the Personal Information that we collect for the following business and commercial purposes:
- Providing the Services as further described in our Privacy Notice;
- Processing for administrative purposes as further described in our Privacy Notice;
- Processing for marketing purposes as further described in our Privacy Notice;
- Processing with your consent or direction as further described in our Privacy Notice;
- Processing to carry out automated decision making as further described in our Privacy Notice;
- Auditing related to counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards;
- Helping to ensure security and integrity to the extent the use of Personal Information is reasonably necessary and proportionate for these purposes;
- Debugging to identify and repair errors that impair existing intended functionality;
- Short-term, transient use, including, but not limited to, non-personalized advertising shown as part of your current interaction with Maze;
- Providing advertising and marketing services;
- Undertaking internal research for technological research, development and demonstration;
- Undertaking activities to verify or maintain the quality or safety of a service or product owned, manufactured, manufactured for, or controlled by Maze, and to improve, upgrade, or enhance the service or product that is owned, manufactured, manufactured for, or controlled by Maze.
Disclosure Regarding Individuals Under the Age of 16
Maze does not have actual knowledge of any “sale” of Personal Information or “sharing” of Personal Information of minors under 16 years of age for “cross-context behavioral advertising.”
Disclosure Regarding Sensitive Personal Information
Maze only uses and discloses sensitive Personal Information for the following purposes:
- To perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services.
- To prevent, detect, and investigate security incidents that compromise the availability, authenticity, integrity, and/or confidentiality of stored or transmitted Personal Information.
- To resist malicious, deceptive, fraudulent, or illegal actions directed at Maze and to prosecute those responsible for those actions.
- To ensure the physical safety of natural persons.
- For short-term, transient use.
- Maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services.
- To verify or maintain the quality or safety of a product, service, or device that is owned, manufactured, manufactured for, or controlled by Maze, and to improve, upgrade, or enhance the service or device that is owned, manufactured by, manufactured for, or controlled by Maze.
- For purposes that do not infer characteristics about individuals.
Right to Limit Use and Disclosure of Sensitive Personal Information
U.S. consumers residing in a state with a comprehensive privacy law may have the right to limit certain uses and disclosures of “sensitive Personal Information” by Maze. Such consumers may exercise these rights by following the instructions in that section or by emailing us at: privacy@mazetx.com.
Non-Discrimination
U.S. consumers residing in a state with a comprehensive privacy law have the right not to receive discriminatory treatment by us for the exercise of their rights conferred under applicable comprehensive privacy law.
ANNEX B – SUPPLEMENTAL CONSUMER HEALTH DATA PRIVACY STATEMENT
This Supplemental Consumer Health Data Privacy Statement (“Consumer Health Data Privacy Statement”) supplements Maze’s Privacy Notice.
This Supplemental Consumer Health Data Privacy Statement only applies to Personal Information that we process that is “consumer health data” subject to the Washington My Health My Data Act (“MHMDA”) or Nevada Senate Bill 370 (“NV SB 370”) (as applicable).
Terms used in this Supplemental Consumer Health Data Privacy Statement that are defined in MHMDA or NV SB 370 will have the meaning set forth in those laws to the extent such laws are applicable.
Consumer Health Data We Collect
Under the MHMDA, “consumer health data” is defined as “Personal Information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status.”
Under NV SB 370, “consumer health data” is defined as “personally identifiable information that is linked or reasonably capable of being linked to a consumer and that a regulated entity uses to identify the past, present or future health status of the consumer.”
Because consumer health data is defined very broadly, many of the categories of Personal Information that we collect under our Privacy Notice may also be considered consumer health data.
Examples of consumer health data that you may provide to us, or that we may otherwise collect, may include:
- Information that could identify your attempt to seek health care services or information, including services that allow you to assess, measure, improve, or learn about your or another person’s health. For example, we collect your search queries on the Services, which may include queries or other information concerning nutrition, wellness, fitness, medical conditions, or other health-related topics.
- Information about your health-related conditions, symptoms, status, diagnoses, disease, testing, or treatments.
- Information about social, psychological, behavioral, and medical interventions.
- Information about use or purchase of prescribed medication.
- Information about measurements of bodily functions, vital signs, symptoms, or characteristics.
- Information about diagnoses or diagnostic testing, treatment, or medication.
- Information about surgeries or other health-related procedures.
- Reproductive or sexual health information.
- Information about gender-affirming care.
- Biometric information.
- Genetic data.
- Information about your access to healthcare, including precise location information that could reasonably indicate an attempt to acquire or receive health services or supplies.
- Information processed to associate or identify an individual with the data listed above that is derived or extrapolated from non-health information.
- Information related to the precise (geo)location information of a consumer used to indicate an attempt by a consumer to receive health care services or products.
- Other information that may be used to infer or derive data related to the above or other consumer health data.
Sources of Consumer Health Data
We collect consumer health data that you provide to us, consumer health data we collect automatically when you use the Services, and consumer health data from third-party sources, as described in our Privacy Notice and below.
Why We Collect and Use Consumer Health Data
We collect and use consumer health data for the purposes and in the manner described in the “How We Use Personal Information” section of our Privacy Notice.
Primarily, we collect and use consumer health data as reasonably necessary to provide you with the products or Services you have requested or authorized. This may include delivering and operating the products or Services and their features, personalization of certain product or Services features, ensuring the secure and reliable operation of the products or Services and the systems that support them, troubleshooting and improving the products and Services, and other essential business operations that support the provision of the products and Services (such as analyzing our performance and meeting our legal obligations).
We may also use consumer health data for other purposes for which we give you choices and/or obtain your consent as required by law.
Sharing of Consumer Health Data
We may share each of the categories of consumer health data described above for the purposes described above and in the “How We Use Personal Information” section of our Privacy Notice.
In particular, we may share consumer health data, with your consent or as reasonably necessary to complete any transaction or provide any product or Service you have requested or authorized, as described above.
We only share or disclose your consumer health data as needed to provide you with the products or services that you request, or with your explicit consent. We may share or disclose any or all the above categories of consumer health data to the following entities, who shall use the data only as permitted for the purposes set forth above, and within the bounds of our contracts with them:
These general categories of third parties:
- Business Collaborators
- Product co-promotion partners
- Product co-development partners
- Marketing and Advertising Agencies
- Social Media Companies and Platforms
- Service Providers (including those hosting or analyzing data on our behalf, those assisting with fraud prevention, those assisting in program administration, those assisting in incident management and reporting, those administering our call center and websites, and those who assist with our information technology and security programs)
- Emergency Personnel
- Authorized/legal representatives, family members, and caregivers
- Third parties (including those with whom Maze has joint marketing and similar arrangements, those who provide marketing and data analytics services, those who provide program enrollment or product fulfillment, payment, and authorization, other third parties as necessary to complete transactions and provide products/services, or where required by law)
- Maze lawyers, auditors, and consultants
- Legal and regulatory bodies.
In addition, we may share or disclose consumer health data as permitted or required by law, such as (i) to an acquiring organization if we are involved in a sale or a transfer of our business, (ii) as needed to prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, (iii) in situations that may involve violations of our terms of use or other rules, (iv) to protect our rights and the rights and safety of others, (v) as needed to support external auditing, compliance and corporate governance functions, (vi) as needed to preserve the integrity or security of our systems, or (vii) to investigate, report, or prosecute those responsible for any action that is illegal under applicable state or Federal law.
How to Exercise Your Rights
MHMDA and NV SB 370 provide consumers with certain rights with respect to consumer health data.
Under MHMDA, consumers have the right to: (i) confirm whether Maze is collecting, sharing, or selling consumer health data and to access such data; (ii) withdraw consent from Maze’s collection and sharing of consumer health data; and (iii) request that Maze delete consumer health data.
Under NV SB 370, consumers have the right to: (i) confirm whether Maze is collecting, sharing or selling consumer health data; (ii) have Maze provide the consumer with a list of all third parties with whom Maze has shared consumer health data relating to the consumer or to whom Maze has sold such consumer health data; (iii) request that Maze cease collecting, sharing, or selling consumer health data relating to the consumer; and (iv) request that Maze delete consumer health data.
The rights afforded to consumers under MHMDA and NV SB 370 are subject to certain exceptions.
Subject to certain legal limitations and exceptions, you have the following rights with respect to any consumer health data we may collect about you:
- The right to confirm whether we are collecting, sharing, or selling your consumer health data and to access such data, including to receive a list of affiliates or specific third parties with whom we have shared or sold your information, along with contact information such as an active email address for each third party;
- The right to review and request corrections to your consumer health data;
- The right to withdraw consent from our collection or sharing of your consumer health data; and
- The right to request that we delete your consumer health data.
You may submit a request pursuant to any of these rights by contacting us at privacy@mazetx.com.
Maze will not discriminate against you for exercising any of your rights. We will make reasonable efforts to respond promptly to your requests in accordance with applicable laws. Please allow 45 days for a response. We may, after receiving your request, require additional information from you to authenticate your request and verify your identity. Please be aware that we may be unable to afford these rights to you under certain circumstances, such as if we are legally prevented from doing so.
If we deny your request, you have the right to appeal that denial by contacting us at privacy@mazetx.com. We will process and respond to your appeal within the time permitted by applicable law. If you are a Washington resident and your appeal is unsuccessful, you may raise a concern or file a complaint with the Washington State Attorney General at www.atg.wa.gov/file-complaint.
You can request to exercise such rights by following the instructions found under the “Your Privacy Choices and Rights” section of our Privacy Notice.
If your request to exercise a right under MHMDA or NV SB 370 is denied, you may appeal that decision by contacting us at: privacy@mazetx.com.
DISCLOSURE REGARDING THIRD PARTY COLLECTION OF CONSUMER HEALTH DATA UNDER NV SB 370
This section only applies to our processing of consumer health data that is subject to NV SB 370.
We do not allow third parties to collect consumer health data over time and across different Internet websites or online services when the consumer uses any Internet website or online service of Maze.
Nonetheless, please note that third parties may still be able to collect consumer health data from you over time and across different websites depending on your browser, browser add-ons, and associated permissions you set on your device.
This collection of consumer health data by those third parties is unrelated to Maze’s collection of consumer health data from you, and we encourage you to view those third parties’ privacy statements for more information about their processing of consumer health data and the methods they provide to allow you to opt out of such processing.
This Supplement applies to Nevada consumers for purposes of providing additional disclosures required by Nevada’s Consumer Health Data Privacy Law. We collect, use, process, and share consumer health data for the purposes and manners described above in our Consumer Health Data Privacy Notice.
Nevada Supplemental Consumer Health Data Privacy Notice
Third Party Collection of Consumer Health Data on Maze Websites. We limit third party collection of consumer health data over time and across different Internet websites or online services when Nevada consumers use our websites or online services. We do this by disabling certain cookies or by ensuring that entities whose cookies, web beacons, pixels, and other online trackers we use on our websites and online services are our service providers or processors under applicable U.S. state privacy or consumer health data privacy laws. Nonetheless, please note that other third parties may still be able to process consumer health data from you over time and across different websites depending on your browser, browser settings and add-ons, and associated permissions you have set on your device. This collection of consumer health data by those third parties is unrelated to Maze’s processing of consumer health data from you, and we encourage you to review your browser settings and review those third parties’ privacy notices for more information about their consumer health data practices.
Review and Revision of Consumer Health Data. If you would like to review and/or revise your consumer health data, you may submit a request to us via any of the methods listed in this Privacy Notice.
UPDATES TO THIS SUPPLEMENTAL CONSUMER HEALTH DATA PRIVACY STATEMENT
We may update this Supplemental Consumer Health Data Privacy Statement from time to time in our sole discretion. If we do, we’ll let you know by posting the updated Supplemental Consumer Health Data Privacy Statement on our website, and/or we may also send other communications.
ANNEX C – SUPPLEMENTAL EUROPEAN PRIVACY NOTICE
This Supplemental European Privacy Notice only applies to our processing of Personal Information that is subject to the EU or UK General Data Protection Regulation.
In some cases, providing Personal Information may be a requirement under applicable law, a contractual requirement, or a requirement necessary to enter a contract. If you choose not to provide Personal Information in cases where it is required, we will inform you of the consequences at the time of your refusal to provide the Personal Information.
If we process Personal Information that is considered a “special category of personal data,” then our processing of such Personal Information may be supported by one or more of the following conditions:
- Explicit Consent: You may have provided your explicit consent for our processing of your Personal Information.
- Necessary for Employment, Social Security, or Social Protection Law Purposes: Our processing of your Personal Information may be necessary for the purposes of carrying out obligations and exercising specific rights in the field of employment, social security, and/or social protection law.
- Necessary to Protect Vital Interests: Our processing of your Personal Information may be necessary to protect the vital interests of you if you are physically or legally incapable of giving consent.
- Publicly Available Personal Information: Our processing of your Personal Information may relate to Personal Information which has been manifestly made public by you.
- Necessary for the Establishment, Exercise or Defense of Legal Claims: Our processing of your Personal Information may be necessary for the establishment, exercise or defense of legal claims.
- Necessary for Substantial Public Interest: Our processing of your Personal Information may be necessary for reasons of substantial public interest.
- Necessary for Medical Purposes: Our processing of your Personal Information may be necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services, or pursuant to contract with a health professional.
- Necessary for Substantial Interest in the Area of Public Health: Our processing of your Personal Information may be necessary for reasons of public interest and/or public health.
If your Personal Information is subject to the applicable data protection laws of the European Economic Area or the United Kingdom, you have the right to lodge a complaint with the competent supervisory authority if you believe our processing of your Personal Information violates applicable law.
- If you are located within the European Economic Area, you may find the contact details of the competent authorities in the following link: https://www.edpb.europa.eu/about-edpb/about-edpb/members_en.
- If you are located within the United Kingdom, you may lodge a complaint with the Information Commissioner’s Office (ICO) by clicking here: https://ico.org.uk/make-a-complaint/.
If you have any questions about our privacy practices or this Privacy Notice, or to exercise your rights as detailed in this Privacy Notice, please contact us at:
Maze Therapeutics, Inc.
171 Oyster Point Blvd, Suite 300
South San Francisco, CA, 94080
(650) 850-5070
EU Representative:
MyData-Trust France
Rue de Rennes, 140b
75006 Paris, France
UK Representative:
MyData-Trust LTD
Belmont Building, Belmont Road
Uxbridge, England, UB8 1HE
If you wish to receive a response by email, please be sure to include your name, postal address, and email address. If we do not receive an email address, we will respond by postal mail.
ANNEX D – CONSUMER HEALTH DATA AUTHORIZATION
This Consumer Health Data Privacy Authorization (“Authorization”) supplements Maze Therapeutics, Inc.’s (“Maze,” “we,” “us,” or “our”) Privacy Notice, Supplemental Consumer Health Data Privacy Statement, and the Maze cookie banner and applies only to “consumer health data” subject to the Washington My Health My Data Act (“MHMDA”) or Nevada Consumer Health Data Privacy Law (“NVCHDPL”) (as applicable).
Terms used in this Authorization defined in MHMDA or NVCHDPL will have the meaning set forth in those laws to the extent such laws are applicable.
If you opt in to “personalized marketing” through the www.mazetx.com cookie banner, you allow Maze to “sell” your consumer health data as described below:
- Specific consumer health data intended for “sale”: Consumer health data collected via cookies and similar technologies including but not limited to browsing activity on the Maze website.
- Purpose of the “sale” of consumer health data: To tailor and deliver personalized advertisements to you.
- How consumer health data purchasers gather and use the data: Consumer health data purchasers will gather the data via cookies and other tracking technologies when you visit the Maze website. These purchasers may use the data to assist us to deliver personalized advertisements to you and in accordance with their privacy policies linked below.
- Consumer health data purchasers’ contact information:
  - Google: Privacy Policy
  - Facebook/Meta: Privacy Policy
- Contact information for Maze: privacy@mazetx.com
Please note:
- The provision of goods or services may not be conditioned upon you accepting the terms of this authorization.
- Purchasers may redisclose the consumer health data sold under this authorization and such data may no longer be protected by the MHMDA and/or NVCHDPL.
- You may revoke this authorization at any time through the Maze cookie banner. To do so, please be sure the box next to “Personalize marketing” is unchecked and click “Save my choices.” You may also click “Decline all” to decline our use of all cookies not required to operate our website.
- A revocation will not impact previously sold consumer health data. In addition, if you use different browsers or devices, you must indicate your choices on each browser/device used to access privacy@mazetx.com.
- If you have any questions about how to revoke your authorization, please contact privacy@mazetx.com.
- This authorization will expire one year after accepting it.