This Privacy Policy, effective as of August 5, 2023, is intended to make clear what sorts of data we (Seven Bridges Genomics Inc.) collect from you, what we do with it, and how our users (“you”) can control what happens to it.

I. WHAT DATA WE COLLECT

In the course of your use of our Services, we may collect the following types of information:

Payment Information: In order to pay for Services, you may be required to submit payment information, such as a credit card number and billing address.

Account Information: In the course of registering an account or subsequently, we may ask you to provide information such as your name, employer, email address or phone number.

User Activity Information: We may keep logs of your activity as you use our Services, for example which pages you visit, when you start a task, or what calls are made to our API. We may also track user activity on our site using third-party services such as Google Analytics, which you can learn more about at http://www.google.com/analytics/, Fullstory, which you can learn more about at https://www.fullstory.com, Appcues, which you can learn more about at https://www.appcues.com/, and Pendo, which you can learn more about at https://www.pendo.io/.

Other User Provided Personal Information: You may provide information to us via other communications with our team, for instance emails exchanged with our support team or suggestions submitted via a feedback form.

Submitted Data: You may provide us sequencing data derived from a human or other organism, for instance by uploading a BAM file or FASTQ file.

Submitted Metadata: When you provide us Submitted Data, that Submitted Data will usually be accompanied by associated metadata describing the Submitted Data, which may include information about the subject(s) of the sequencing data, for instance phenotype or population statistics.

II. WHAT WE DO WITH IT

We use your Payment Information in order to bill you for the Services. We do this on the basis of your consent and our legitimate interest in getting paid for Services. Your Payment Information, and some elements of your Account Information are stored and processed on our behalf for this purpose by a third-party service provider, Stripe Inc. – check out their privacy policy at https://stripe.com/us/privacy and their security protections at https://stripe.com/help/security. We do not store any credit card information ourselves.

On the basis of your consent, we may use your Account Information to contact you about your use of our Services, for instance to let you know a task has completed, or to otherwise inform you about our Services, for instance by letting you know about changes or improvements to our offerings. In addition, if your email address is associated with a Gravatar, we may pull that Gravatar for display on our platform. You can learn more about Gravatar at https://en.gravatar.com/. Your Account Information may be stored on our behalf on third-party infrastructure provider Amazon Web Services Inc. (AWS) or Google Cloud Platform (GCP).

We may use User Activity Information, Account Information and Other User Provided Personal Information to maintain, improve and better understand usage of our Service, on the basis of our legitimate interest in ensuring your data, our other clients’ data, and our systems are secure, in developing our Service to better serve you and other clients, and in managing and developing our business. In some cases, we may also be required to retain this information in order to meet our legal obligations.

We carefully select third-party partners and service providers who may process personal information about you on our behalf. Specifically, Seven Bridges periodically employs digital marketing service providers to conduct marketing activity on Seven Bridge’s behalf, where such activity may result in the compliant processing of personal information. Seven Bridges appointed data processors include Prospect Global Ltd (trading as Sopro) Reg. UK Co. 09648733. You can contact SoPro and view their privacy policy at http://sopro.io. Sopro are registered with the ICO Reg: Z123456. Their Data Protection Officer can be emailed at: dpo@sopro.io.

We store and process Submitted Data and Submitted Metadata on your behalf, for instance when you run a pipeline on your data. If you consent, we may also access and process your Submitted Data and Submitted Metadata in order to provide support to you, for instance by running a few tests on your data for debugging purposes if your task fails. Your data is processed on your selected cloud infrastructure provider, either AWS or GCP, and stored on their servers in encrypted form. You can find more information about AWS online at Amazon Web Services’ security practices and GCP online at Google Cloud Platform’s security.

If you explicitly so choose (see “Controlling Your Data” below), we may share your Submitted Data and some elements of your Account Information with other users to whom you have granted permission to participate in your project. Your name and institutional affiliation may also be shared automatically with users who have granted you project permissions.

Seven Bridges may disclose your data if disclosure of your data to third parties is necessary to respond to a lawful request by public authorities, including to meet national security or law enforcement requirements, or if, at our sole discretion, we believe this is necessary in order to meet any legal requirement or enforceable governmental request or to identify, contact, or bring legal action against someone who may (either intentionally or unintentionally) be causing injury to or interference with our rights or property, users of our Service, or anyone else who could be harmed by such activities.

We will not use your data in ways that go beyond those laid out in this Privacy Policy without your consent.

III. COOKIES

Seven Bridges uses cookies for two primary purposes: to ensure platform security and to collect User Activity Information that will allows us to improve the user’s experiences with our platform or website. More specifically, we use cookies to authenticate users of the platform, monitor incidents of Cross-Site Request Forgery (CSRF), enable Google Analytics, enable FullStory and

enable Appcues. We will obtain users’ consent for any cookies related to Google Analytics, FullStory or Appcues.

IV. TRANSFERS

In addition to the potential transfer of data to the third-party services we mention in the previous sections, we may also transfer any and all information we collect from users to a third party in the event of any corporate reorganization, merger, sale, joint venture, assignment, transfers, or other disposition of all or any portion of Seven Bridges Genomics’ business, assets, or stock. All data transfers of EU and UK subjects shall be subject to a Seven Bridges’ Data Protection Addendum (DPA), as noted within our Terms of Use. If a DPA is not currently in place, please contact dpo@sevenbridges.com prior to processing any data on our platform.

ANY transfers of European or UK citizen personal data outside of the European Union or the United Kingdom, including transfers to Seven Bridges affiliates or subsidiaries, will only be transferred if a legal basis for such transfer exists (as is required under Articles 46, 47 and 49 of the EU GDPR for EU citizens, and as permitted under the UK GDPR for UK citizens), subject to the Model Contractual Clauses (MCCs) of the aforementioned DPA. For example, our team members in Serbia may have access to your data to provide customer support. Such access will be governed by contractual provisions between Seven Bridges Genomics Inc. and its subsidiary in Belgrade that include the E.U. MCCs as incorporated into our DPA. Transfer of personal data of EU or UK persons to countries outside the EU or UK shall be performed only if a DPA is in place and subject to its terms.

V. CONTROLLING YOUR DATA

You may choose to direct how your data is processed by Seven Bridges. Namely, you can request Seven Bridges to grant you access to, delete, stop further processing, or return any or all your personal data. However, please be aware any such request may affect the provisioning of the Services.

Accessing Your Information. Seven Bridges can give you a summary of all your personal data processed or stored in connection with the Services. This may include information about the nature of the Services, information you provided to process the enrollment of the Services, payment information, and contact information. You may contact dpo@sevenbridges.com to request access to your data at any time.

Deleting Your Information. If you no longer receive our Services, or if you want to remove your personal data from our records, you may send a request by contacting dpo@sevenbridges.com. Please note any deletion requests will be handled in compliance with applicable laws and regulations, and you will be informed if any data must be kept for that matter.

VI. DATA PRIVACY FRAMEWORK

Seven Bridges Genomics Inc. complies with the EU-U.S. Data Privacy program Framework (EU-U.S. DPF), the UK Extension to the EU-US DPF, and the Swiss-U.S. Data Privacy program Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Seven Bridges Genomics Inc. has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Program

Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-US DPF. Seven Bridges Genomics Inc. has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Program Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF.

As described above, we may share Personal Data, as defined in the EU’s General Data Protection Regulation (GDPR) with service providers we have retained to perform services on our behalf, when such service providers are (a) subject to GDPR, or the Swiss Federal Act on Data Protection, as applicable, (b) subscribe to the Data Privacy program Framework principles or (c) contractually agree to provide at least the same level of protection for Personal Data as is required by the relevant Data Privacy program Framework. In the context of such an onward transfer to a third party, Seven Bridges has responsibility for and may be liable for the processing of personal information it receives pursuant to the EU-U.S. Data Privacy program Framework and Swiss-US Data Privacy program Framework and subsequently transfers onward. If there is any conflict between the policies in this privacy policy and data subject rights under the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification page, please visit https://www.dataprivacyframework.gov/.

In compliance with the Data Privacy Framework (DPF) Principles, Seven Bridges Genomics Inc. commits to resolve complaints about your privacy and our collection or use of your personal information transferred to the United States pursuant to Data Privacy Framework (DPF). European Union, United Kingdom (including Gibraltar) and Swiss individuals with Data Privacy Framework (DPF) inquiries or complaints should first contact Seven Bridges Genomics Inc. at dpo@sevenbridges.com

You may also contact our subsidiary Seven Bridges Genomics UK Ltd. by mail at:

Oury Clark Solicitors 10 John Street London WC1N 2EB United Kingdom

Or our EU Representative at:

INSTANT EU GDPR REPRESENTATIVE LTD Office 2, 12A Lower Main Street, Lucan Co. Dublin K78 X5P8 Ireland

Seven Bridges Genomics Inc. has further committed to refer unresolved privacy complaints under the DPF Principles to an independent dispute resolution mechanism, the Data Privacy Framework Services, operated by the BBB National Programs, Inc. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit https://bbbprograms.org/programs/all-programs/dpf-consumers/ProcessForConsumers for more information and to file a complaint. This service is provided free of charge to you. If your

DPF complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See https://www.dataprivacyframework.gov/s/article/G-Arbitration-Procedures-dpf?tabset-35584=2

Seven Bridges and our commitments under the DPF program are subject to the investigatory and enforcement powers of the United States Federal Trade Commission.

VII. FURTHER INFORMATION

Links to Third Party Sites

Our Site and Services may contain links to sites and services maintained by third parties. For instance, earlier in this Privacy Policy we link to http://aws.amazon.com/security/, a site maintained by Amazon Web Services. This Privacy Policy does not apply to such third-party sites and services, and Seven Bridges Genomics is not responsible for and makes no representations about their practices. Third-party sites and services may collect and disclose information about you in various ways, and may have different rules and policies regarding collection, use and disclosure of such information.

Questions, Comments, and Complaints

If you have any questions, comments, or complaints about this Privacy Policy or our use of your personal data, please contact us at dpo@sevenbridges.com.

VIII. PRIVACY POLICY CHANGES

We may update or otherwise modify this Privacy Policy periodically. We shall notify you of changes to this Privacy Policy by posting it on this page, so please check back periodically. In some cases, we may also notify you via email or other mechanisms.