Privacy Notice

AZURITY PRIVACY NOTICE

(Last updated: December 9, 2025)
Azurity Pharmaceuticals Inc., including its subsidiaries, affiliates, successors, assigns and representatives worldwide, cares about your privacy and wants you to be familiar with how we collect use, and disclose information. This privacy notice (“Privacy Notice”) describes the privacy practices of Azurity Pharmaceuticals, Inc. and its subsidiaries and affiliates listed at the bottom of this notice (collectively, “Azurity”, “we”, “us”, “our”). Azurity specializes in providing innovative, high-quality medicines that serve overlooked patients. We supply a range of products (“Products”) to treat a wide range of medical conditions.

This Privacy Notice describes how we collect, use, disclose and otherwise process your personal data, and explains the rights and choices available to you with respect to your information.

1. When does this Privacy Notice Apply?

This Privacy Notice applies when we act as a controller of your personal data. This means we decide why we collect your personal data and how we use it. “Personal data” has different meanings given to it by the data protection and privacy laws applicable to you. It generally includes, for example, any information or opinion relating to you which allows us to identify you, such as your name, phone number, postal address, email address, or your online identifiers.

This Privacy Notice applies when:

You inquire about our Products, or otherwise communicate with us as a prospective customer or business partner.
We enter a commercial transaction with you, or a company you represent.
We process your information to promote or market our Products to you.
You visit, interact, or use our website(s), https://azurity.com/, and any other website that links to this notice.
You make a medical inquiry, report a possible side effect or make a complaint about our Products.
You interact with us via our social media pages, such as our product Facebook or Instagram pages.
You sign up to our webinars, events, or promotional activities.
You interact with us in person at our offices.
You provide us with services as our vendor.

This Privacy Notice does not apply to:

Clinical trial participants or personnel: If you enroll or otherwise participate in a clinical trial which we sponsor, please refer to the privacy notice for that clinical trial.
Azurity employees, contractors or job applicants.
Information which does not constitute personal data.
This is not applicable to EU: If we do not maintain information in a manner that identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular individual or household, such information is not considered personal data and this Privacy Notice will not apply to our processing of that information.
Information collected by our business partners and distributors: When you give your data to one of our distributors who sell our Products, that distributor’s privacy notice, rather than this Privacy Notice, will apply to their processing of your personal data. However, our partners may share limited personal data related to adverse effects which we are obliged to report. In those limited cases, this Privacy Notice applies.
External websites or services: Our website may contain links to other websites. We are not responsible for the handling of your personal data by those websites and recommend you review the privacy policy of those websites.

2. Personal data We Collect, How We Collect It, Who We Share Personal data With, and Purposes for Processing

Sources From Where We Collect Personal Data
The personal data we collect from you, either directly or indirectly, will depend on how you interact with us and with our website. We collect personal data about you from the following different sources:

Information that you provide directly
We collect personal data directly from you when you engage with us via social media, you interact with us at our offices or via electronic communication, you request information or enquire about our Products, you register or attend our webinar or events, or when you enter into business transactions with us, or on behalf of a company you represent.
Information that we collect indirectly
We collect your personal data indirectly, including through automated means from your device when you use our website or if you visit our offices (via CCTV). Some of the information we collect indirectly is captured using cookies and other tracking technologies, as explained further in the “Cookies and similar tracking technology” section below.
Information from third parties
We also collect your personal data from third party sources, i.e. our service providers that provide operational assistance, email, marketing and analytics services, and social media platforms. We may have also collected some personal data from our third-party business partners that distribute and sell our Products. We will continue to collect personal data from these sources. Information received from third parties will be checked to ensure that the third party either has your consent or are otherwise legally permitted or required to disclose your personal data to us.

The table below provides further detail regarding how we collect personal data from you.

Categories of Personal Data We Collect

The categories of personal data which we collect depends on the nature of the relationship you have with us and the requirements of applicable laws. The categories of personal data we collect include:

Biographical information (such as first name and surname).
Business contact information (such as job title, employer name, email address, mailing address, phone number).
Public professional information (such as if you are a third party with whom we have or are contemplating a contractual relationship, such as a health care professional, we collect publicly available information related to your practice, such as license information, disciplinary history, prior litigation and regulatory proceedings, and other due diligence related information).
Payment-related information (such as billing address, partial credit card number, tax identification number and financial account information). We may collect some payment related information from you in these instances.
If you are a health care professional, we collect information about the programs and activities in which you have participated, our interactions with you, your prescribing of our products, and the agreements you have executed with us.
Your photograph if you visit our offices.
Your digital or electronic signature.
Publicly available information (such as your social media handle, comments describing support for and experience with Azurity products).
CCTV information if you are a visitor to an Azurity office location, we collect information through closed circuit television.
Other personal data you voluntarily provide to us (such as in emails, on phone calls, through our websites or mobile applications, or in other correspondence, such as market research surveys, with Azurity or its service providers or business partners).
Automated information. We and our service providers may also collect certain information about your use of our websites by automated means, such as cookies, web beacons and other online tracking technologies. Please see our Cookie Notice for more information. We and our service providers may collect “Automated Information” about your online activities over time and across our own and third-party websites when you use our websites. The information that we may collect by automated means includes: details about the devices that are used to access our websites (such as the IP address, and type of operating system and web browser); dates and times of visits to, and use of, our websites; information about how our websites are used (such as the content that is viewed on our websites and how users navigate between our webpages; URLs that refer visitors to our websites; search terms used to reach our websites.
Pharmacovigilance information, such as information you provide us when you make a medical inquiry, report a possible side effect or make a complaint about our Products.

Some of the personal data that you provide includes sensitive personal data, such as health-related information which we need for pharmacovigilance reasons, including adverse event reporting, if you provide this information as part of a medical inquiry or complain about our Products.

Who We Share Personal Data With

The categories of individuals or entities we share your personal data with include:

Azurity affiliates and subsidiaries.
Service providers that perform services on our behalf, including:
- Data storage and analytics providers.
- Customer service (including our medical information line) and patient support providers (including for product quality and adverse event reporting, patient co-pay assistance, medicine intake adherence programs, etc.).
- Product recall service providers.
- Technology providers (including technology support, email and web hosting providers, marketing and advertising technology providers, email and text communications providers).
- Event planning and travel organizations that help facilitate Azurity programs.
- Payment, shipping, and fulfilment service providers.
- Professional advisors such as our lawyers and accountants.
Regulators worldwide, as required by law, including in connection with monitoring, review and approval of our studies, products and services, and adverse event reporting.
Business partners with whom we jointly develop products or services.
Any other person with your consent to the disclosure (obtained separately from any contract between us).

Unless prohibited by applicable law, we may disclose your personal data as part of a corporate business transaction, such as a merger, acquisition, reorganization, joint venture or financing or sale of our assets, and could be sold or transferred to a third party as party of such a transaction (provided that we inform the buyer it must use your personal data only for the purposes disclosed in this Privacy Notice). We may also disclose personal data to a successor entity in the event of insolvency, bankruptcy, or receivership. After such a sale or transfer, you may contact the recipient with any inquiries concerning the processing of your personal data.

In addition, we may share your information to comply with legal and regulatory requirements (such as to comply with a government request, subpoena, or similar request), and protect against fraud, illegal activity (such as identifying and responding to incidents of hacking or misuse of our websites and systems), and claims and other liabilities.

Purposes for Processing and Lawful Basis for Processing

We use the personal data that we collect from and about you only for the purposes described in this Privacy Notice or for purposes that we explain to you at the time we collect your information. Depending on our purpose for collecting your information, where your personal data is subject to the EU General Data Protection Regulations (GDPR) or UK GDPR, we rely on one of the following legal bases:

Contract – we require certain personal data in order to provide the goods and support the services you purchase or request from us;
Consent – in certain circumstances, we may ask for your consent (separately from any contract between us) before we collect, use, or disclose your personal data, in which case you can voluntarily choose to give or deny your consent without any negative consequences to you;
Legitimate interests – we will use or disclose your personal data for the legitimate interests of either Azurity or a third party, but only when we are confident that your privacy rights will remain appropriately protected. If we rely on our (or a third party’s) legitimate interests, these interests will normally be to: operate, provide and improve our business, including our website; communicate with you and respond to your questions; improve our website or use the insights to improve or develop marketing activities and promote our products and services; detect or prevent illegal activities (for example, fraud); and/or to manage the security of our IT infrastructure, and the safety and security of our employees, customers, vendors and visitors. Where we require your data to pursue our legitimate interests or the legitimate interests of a third party, it will be in a way which is reasonable for you to expect as part of the running of our business and which does not materially affect your rights and freedoms. We have identified below what our legitimate interests are; or
Legal obligation – there may be instances where we must process and retain your personal data to comply with laws or to fulfill certain legal obligations.

The following table provides more details on our purposes for processing your personal data, categories of personal data we process, how we collect your personal data, who we share your personal data with and the related legal bases in relation to personal data that is subject to the EU General Data Protection Regulation (“GDPR”) and UK GDPR. The legal basis under which your personal data is processed will depend on the data concerned and the specific context in which we use it.

Purpose of Processing	Categories of Personal data	How We Collect it	Who We Share It With	Legal Basis for Processing (EU and UK)	Legal Basis for Processing (India)
To respond to your inquiries about our Products, or to otherwise communicate with you as a prospective customer.	Biographical information; business contact information; public professional information; other personal data you voluntarily provide to us.	Directly from you. Through our websites. From third party service providers, data brokers, or business partners	Azurity affiliates and subsidiaries; service providers.	Our legitimate interests (to operate, provide and improve our business; to communicate with you) – where our communications are not necessary to perform or enter into a contract with you.	Consent Legitimate uses – for the specified purpose for which you have voluntarily provided your personal data
To enter into a commercial transaction with you as a customer.	Biographical information; business contact information; payment-related information; digital or electronic signature.	Directly from you	Azurity affiliates and subsidiaries; service providers.	To enter into and perform in term of our contract with you. To comply with applicable laws (to conduct necessary anti-fraud and identify checks).	Consent Legitimate uses – for compliance with regulatory/legal obligations
To respond and provide you with customer support related to our Products, including tracking and responding to safety and product quality concerns (including product recalls).	Biographical information; business contact information; payment-related information; other personal data you voluntarily provide to us. Pharmacovigilance information	Directly from you	Azurity affiliates and subsidiaries; service providers.	Our legitimate interests to operate, provide and improve our business; to communicate with you) – where our communications are not necessary to perform or enter into a contract with you To comply with applicable laws (being product safety laws and regulations).	Consent Legitimate uses – for the specified purpose for which you have voluntarily provided your personal data / compliance with regulatory/legal obligations
To promote or market our Products or services to you and analyze how you interact with our marketing and advertisements, surveys, and market research.	Biographical information; business contact information; automated information.	Directly from you Indirectly from you	Azurity affiliates and subsidiaries; service providers.	Consent (where required under applicable law) Otherwise, our legitimate interests to operate, provide and improve our business; to improve our website or use the insights to improve or develop marketing activities and promote our products and services.	Consent
To communicate with you about our webinars, events, or promotional activities.	Biographical information; business contact information; automated information.	Directly from you	Azurity affiliates and subsidiaries; service providers.	Consent (where required under applicable law). Otherwise our legitimate interests (to operate, provide and improve our business; to communicate with you and to develop marketing activities and promote our products and services).	Consent
To provide you with access to our offices	Biographical information; business contact information.	Directly from you	Azurity affiliates and subsidiaries; service providers.	Our legitimate interests to detect or prevent illegal activities (e.g. fraud) and/or to manage the security of our offices.	Consent Legitimate uses – for the specified purpose for which you have voluntarily provided your personal data / compliance with regulatory/legal obligations
To analyze how you interact, or use our website(s), https://azurity.com/ or social media pages, to improve	Automated information	Indirectly from you	Azurity affiliates and subsidiaries.	Consent (where required under applicable law) Otherwise our legitimate interests (to operate, provide and improve our business including our website, to improve our website or use the insights to improve or develop marketing activities and promote our products and services).	Consent
To comply with legal obligations imposed on us, including reporting adverse events, product complaints, spend transparency, and patient safety, respond to requests under data protection law, as well as other legal or regulatory requirements, judicial process.	Business contact information; biographical information; public professional information; payment-related information; health care professional information Pharmacovigilance information	Directly from you	Azurity affiliates and subsidiaries; service providers; regulatory agencies; other legal or judicial agencies.	Legal obligations (being product safety laws and regulations).	Legitimate uses – for compliance with regulatory/legal obligations
To comply with our company policies (including due diligence and contracting activities).	Business contact information; Biographical information; Public professional information; payment-related information; health care professional information.	Directly from you	Azurity affiliates and subsidiaries.	Legitimate interests to protect our business interests.	Consent
To protect our rights or enforce obligations, including identifying, investigating, and responding to fraud, illegal activity (such as incidents of hacking or misuse of our websites and mobile applications), and claims and other liabilities, including by enforcing the terms and conditions that govern the services we provide; to respond to data subject rights requests.	Biographical information; business contact information; automated information; CCTV information; other personal data you voluntarily provide to us. Pharmacovigilance information	Directly from you Indirectly from you	Azurity affiliates and subsidiaries.	Legal obligations Legitimate interests (to operate, provide and improve our business, including our website; to detect or prevent Illegal activities (e.g. fraud) and/or to manage the security of our IT infrastructure).	Legitimate uses – for compliance with regulatory/legal obligations
To support, facilitate, and arranging travel and other logistics for public health initiatives, symposia, conferences, and scientific, educational, community, and volunteer events, including those at Azurity offices	Biographical information; business contact information; payment-related information;	Directly from you	Azurity affiliates and subsidiaries; service providers	Consent (where required under applicable law). Our legitimate interests (to operate our business).	Consent Legitimate uses – for the specified purpose for which you have voluntarily provided your personal data
To awarding scholarships and grants	Biographical information; business contact information; payment-related information	Directly from you	Azurity affiliates and subsidiaries; service providers.	Our legitimate interest (to promote our business)	Consent Legitimate uses – for the specified purpose for which you have voluntarily provided your personal data
To attributing authorship to academic and promotional materials	Biographical information; personal and business contact information;	Directly from you Third parties	Azurity affiliates and subsidiaries; service providers.	To comply with legal obligations (under copyright laws). Otherwise in our legitimate interest (to operate and provide our business) and to promote our products and services)	Consent Legitimate uses – for the specified purpose for which you have voluntarily provided your personal data

In some situations, we may have a separate agreement or relationship with you with respect to a specific type of processing of your data, such as if you participate in a special program, activity, event, or clinical trial. These situations will be governed by specific terms, privacy notices, or consent forms that provide additional information about how we will use your information. We will honour these additional terms with respect to your information and thus, strongly recommend you review the additional terms prior to participating in any programs. If there is a conflict between this Privacy Policy and a separate written agreement on the subject matter of this Privacy Policy, the separate written agreement shall govern with regard to any conflicts.

Cookies and similar tracking technology

We use cookies and similar tracking technology (collectively, “Cookies”) to collect and use personal data about you. For further information about the types of Cookies we use, why, and how you can control Cookies, please see our Cookie Notice.

3. Where Is Your Data Stored and Transferred to?

Azurity has offices in Boston, Ireland, Switzerland, India, and certain parts of Europe. We operate across multiple regions through our affiliates, subsidiaries, service providers, and business partners. As part of our global operations, your personal data may be stored, processed, or transferred to various locations, including but not limited to the United States, India, countries within the European Union, Switzerland, Canada, and other jurisdictions where we or our partners maintain a presence.

Where we transfer your personal data to countries and territories outside of the European Economic Area, which have been formally recognised as providing an adequate level of protection for personal data, we rely on the relevant “adequacy decisions” from the European Commission and “adequacy regulations” (data bridges) from the Secretary of State in the UK. We may transfer your name, contact details etc – Please find the complete list in Annexure I, from the European Economic Area and the UK to Switzerland, Canada and United States in reliance on the European Commission’s adequacy decision for Switzerland, Canada and United States.

Where the transfer is not subject to an adequacy decision or regulations, we have taken appropriate safeguards to ensure that your personal data will remain protected in accordance with this Privacy Notice and applicable laws. The safeguards we use to transfer personal data are in case of both our group companies and third party service providers and partners, the European Commission’s Standard Contractual Clauses as issued on 4 June 2021 under Article 46(2) using controller to controller and controller to processor transfers including the UK Addendum or and the UK International Data Transfer Agreement permitted under Article 46(2) of the UK GDPR for the transfer of data originating in the UK.

Our Standard Contractual Clauses entered into by our group companies and with our third-party service providers and partners can be provided on request. Please note that some sensitive commercial information may be redacted from the Standard Contractual Clauses.

We remain liable for the protection of your personal data that we transfer or have transferred to third parties through our designated data transfer mechanism, such as the Standard Contractual Clauses, UK International Data Transfer Agreement and UK Transfer Addendum, except to the extent that we are not responsible for the event that leads to any unauthorized or improper processing. In all cases, we will only transfer personal data as permitted by applicable laws.

4. Your Privacy Rights

You have specific rights regarding your personal data that we collect and process. In this section, we first describe your rights and then we explain how you can exercise those rights.

Right to be Informed

This right allows you to know what personal data we collect about you, why we collect it, who collects it, how long it will be kept, who we share it with, amongst other things. Through this Privacy Notice we are informing you of this processing information.

If we do not collect personal data directly from you, we may be exempt from the obligation to inform you as provided by applicable data protection law including: (i) when providing the information is either impossible or unreasonably expensive; (ii) the gathering and/or transmission is required by law, or if (iii) the personal data must remain confidential due to professional secrecy or other statutory secrecy obligations.

Right of Access

You have the right to obtain from us all information regarding our data processing activities that concern you. This includes confirmation of whether we process personal data concerning you (or your child) and, where that is the case, a copy or access to the personal data and certain related information. In particular, you have the right to access: (i) a summary of personal data which is being processed by us and the processing activities undertaken by us with respect to such personal data; and (ii) the identities of all other controllers and data processors with whom the personal data has been shared by us, along with a description of the personal data so shared.

Under some circumstances, we may deny your access request. In that event, we will respond to you with the reason for the denial.

Right to Correct or Rectify or Complete

Subject to certain conditions, and where we have relied on your consent to process personal data, or where you have voluntarily provided your personal data for a specified purpose, you have the right to correct inaccurate or incomplete personal data.

Right to Deletion (Right to be Forgotten/ of Erasure)

You have the right to ask us to delete your personal data which we process. Sometimes it is not possible for either technical or legal reasons for us to delete/ erase your personal data. If that is the case, we will consider if we can limit how we use it and inform you of our reason for denying your deletion request.

Right to Restrict Processing

You have the right to ask us to only use or store your personal data for certain purposes. You have this right in certain circumstances, such as where you believe the information, we have about you is inaccurate or is being processed in an unlawful way.

Right to Object

You have the right to ask us to stop using your personal data. You have this right when we rely on our legitimate interests (or of a third party). You can also object to us processing your personal data for direct marketing purposes.

Following your request, we will stop processing the relevant personal data unless: (i) we have compelling legitimate grounds for the processing that override your interests, rights, or freedoms; or (ii) we need to continue processing your personal data to establish, exercise, or defend a legal claim.

Right to Data Portability (Right to Move or Transfer)

You have the right to ask for and receive a portable copy of your personal data that you have given us or that you have generated by using our services, so that you can: move it; copy it; keep it for yourself; or transfer it to another organization.

We will provide your personal data in a structured, commonly used, and machine-readable format. When you request this information electronically, we will provide you a copy in electronic format.

Rights in Relation to Automated Decision-Making

For automated decisions that may seriously impact you, you have the right not to be subject to automatic decision-making, including profiling. But in those cases, we will always explain to you when we might do this, why it is happening, and the effect.

Right to Withdraw Your Consent

Where we rely on your consent as the legal basis for processing your personal data, you may withdraw your consent at any time. If you withdraw your consent, our use of your personal data before you withdraw is still lawful.

If you have given consent for your details to be shared with a third party and wish to withdraw this consent, please also contact the relevant third party to change your preferences.

Right to Non-Discrimination

We will not discriminate against you for exercising any of your privacy rights. Unless applicable data protection laws permit it, we will not: deny you goods or services; charge you different prices or rates for goods or services, including through granting discounts or other benefits or imposing penalties; provide you a different level or quality of goods or services; or suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.

Right to Opt Out of the Sale of Share of My Personal data

Azurity does not “sell” personal data as most people would typically understand that term i.e., for money. However, we may allow certain third-party advertising partners to collect information about consumers through our website for purposes of serving ads that are more relevant, for ad campaign measurement and analytics, and for ad fraud detection and reporting. This practice is interpreted to constitute a “sale” or “share” under certain data protection laws.

Depending on the region where you are located, you have the right to opt out of the “sale” or “share” of your personal data. To opt out of the sale or share of your personal data, you can contact us.

You can also alter the configuration of your browser to reject certain types of online tracking technologies. You can set up Do Not Track (“DNT”) or Global Privacy Control (“GPC”), or manage cookies using your browser settings.

We do not “sell” the personal data of consumers we know to be less than 16 years of age. However, if an activity or practice we engage in is found to constitute a “sale,” we will obtain affirmative authorization in accordance with applicable law.

If DPDPA applies to you, if you are less than 18 years of age, you will be considered a minor.

Right to opt-out of marketing communications

You have the right to opt-out of marketing communications we send you at any time. You can exercise this right by clicking on the “unsubscribe” or “opt-out” link in the marketing e-mails we send you. To opt-out of other forms of marketing (such as postal marketing or telemarketing), please contact us using the contact details provided under the “How to Contact Us” heading below. If you choose to opt out of marketing communications, we will still send you non-promotional emails, such as emails about your account or our ongoing business relations.

Right to Limit Use of My Sensitive Personal data

If the CCPA applies to you, you have the right to ask us to limit use of your sensitive personal data.

Right to Nominate

If the DPDPA applies to you, you have the right to nominate any other individual who can exercise rights in relation to your personal data in the event of your death or incapacity.

Right to Complain or Grievance Redressal

You have the right to complain if you are unhappy with how we process your personal data. If you are based in the European Economic Area or United Kingdom, you can complain to your national supervisory authority. Contact details for supervisory authorities in Europe are available here and for the UK. Certain supervisory authorities will require that you exhaust our own internal complaints process before looking into your complaint.

If DPDPA applies to you, you have the right to lodge your grievance with us if you are unhappy with how we process your personal data or regarding exercise of your rights under this Privacy Notice. You can lodge a complaint with the Data Protection Board of India after having exhausted our grievance procedure described below.

However, we hope that you will contact us first so we can address your concerns.

How can you exercise your privacy rights?

To exercise any of the rights listed above, please:

Email our Privacy Officer at privacy@azurity.com with the subject line “Privacy Rights Request” (Preferred Method)
Write to us: Azurity Pharmaceuticals, Inc. 8 Cabot Road, Suite 2000, Woburn, MA 01801, USA. Attention: Legal Department – Privacy Officer

When submitting a privacy request, please describe your relationship with us and provide sufficient detail to allows us to properly understand, evaluate, and respond to you.

Verifying Your Identity/ Authority

We may need to verify your identity before processing your request, which may require us to request additional personal data from you. We will only use this additional personal data provided in connection with your request to review and comply with the request.

If you are submitting a request on behalf of somebody else, we will need to verify your authority to act on behalf of that individual. When contacting us, please provide us with proof that the individual gave you signed permission to submit this request, with a valid power of attorney and/or any other documentary evidence required under law, on behalf of the individual.

Responding To You

We will confirm the receipt of your request at the earliest possible, however, in all cases within the timelines as prescribed by the applicable data protection laws and, in that communication, we will also describe our identity verification process (if needed) and when you should expect a response, unless we have already granted or denied the request.

Please allow us up to a month to reply to your requests (except requests to stop selling your personal data) from the day we received your request. If we need more time (up to 90 days in total), we will inform you of the reason why and the extension period in writing.

We will act upon your request to opt-out from selling your personal data within the timelines mentioned under the applicable data protection laws. We will also notify the third parties to whom we sold your personal data of your request and instruct them not to further sell your personal data. We will inform you about this in ninety (90) days from the receipt of your request.

If we cannot satisfy a request, we will explain why in our response. For data portability requests, we will choose a format to provide your personal data that is readily useable and should allow you to transmit the information from one entity to another entity without difficulty.

We will not charge a fee for processing or responding to your requests. However, we may charge a fee if we determine that your request is excessive, repetitive, or manifestly unfounded. In those cases, we will tell you why we made that determination and provide you with a cost estimate before completing your request.

In certain circumstances, we may decline a request to exercise the rights described above, particularly where we are unable to verify your identity. If we are unable to comply with all or a portion of your request, we will explain the reasons for declining to comply with the request.

5. Minors

We do not knowingly collect personal data from children under age 18 through our websites, or mobile applications. If we learn that we have collected personal data directly from a child under the age of 18 through our websites, we will delete that information or process it only upon obtaining verifiable parental consent, in accordance with applicable data protection laws.

6. How We Protect Personal data

Azurity maintains reasonable administrative, technical, and physical safeguards designed to protect the personal data we maintain against accidental, unlawful or unauthorized destruction, loss, alteration, access, disclosure, or use. The measures are designed to provide a level of security appropriate to the risk of processing. However, we cannot guarantee that the measures we maintain will ensure the security of the personal data.

7. How Long Do We Retain Your Personal data

We will retain your personal data for as long as is necessary to fulfil the purpose for which we collected your personal data and any other permitted linked purpose and in compliance with our data retention policies. For example, we will retain and use your personal data to the extent necessary to comply with our legal obligations under product and safety laws, tax laws, to resolve disputes, and enforce our legal agreements and in accordance with our internal policies.

If your personal data is used for more than one purpose, we will retain it until the purpose with the longest retention period expires; but we will stop using it for the purpose with a shorter retention period once that period expires. Our retention periods are also based on our business needs and good practice.

Your personal data may need to be retained in our backup systems and will only be deleted or overwritten at a later time, normally done on a daily basis. This may be the case even when you or a Supervisory Authority has validly asked us to delete your personal data or when we do not no longer have a legal basis for processing such personal data. Please note that our backups are protected, and we have implemented a system to remind us to delete again the data when we restore a backup to production systems.

8. Links to Third-Party Websites and Third-Party Content

For your convenience and information, we may provide links to third-party websites and other third-party content that is not owned or operated by Azurity. The websites and third-party content to which we link may have separate privacy notices or policies. Azurity is not responsible for the privacy practices of any entity that it does not own or control.

9. Updates to Our Privacy Notice

We reserve the right to change this Privacy Notice at any time. When we update this Privacy Notice, we will notify you of changes by updating the date of this Privacy Notice and providing other notification as required by applicable law.

10. How to Contact Us

You may contact us with questions, comments, or complaints about this Privacy Notice or our privacy practices, or to submit a verifiable privacy request. When raising a privacy request or complaint, please provide sufficient details (including your relationship with us) and any relevant documentation.

The contact information for our Privacy Officer is:

Azurity Pharmaceuticals, Inc.
Attn: Legal Department – Privacy Officer
8 Cabot Road, Suite 2000
Woburn, MA 01801
privacy@azurity.com

11. Corporate Entities Covered by this Privacy Notice

This Privacy Notice covers Azurity and all its affiliates and subsidiaries across the globe.

Annexure I

Personal Data Categories:

Candidates (Job Applicants)
- Identification Data: Name, date of birth, gender, nationality
- Contact Details: Address, phone number, email
- Professional Information: CV details, education, qualifications, work experience
- Recruitment Data: Interview notes, assessment results, references
- Background Check Data: Criminal records (where legally permitted), credit checks
- Technical Data: IP address, device information (if applying online)
Employees
- Identification & Contact Data: Name, employee ID, address, phone, email
- Employment Details: Job title, department, manager, work history
- Payroll & Financial Data: Bank account, tax ID, salary, benefits
- Performance Data: Appraisals, training records
- Health & Safety Data: Occupational health records, disability information (wherever applicable)
- Access & IT Data: Login credentials, system usage logs
- ID Proofs – such as PAN, Aadhar (only for India)
Third Parties (Vendors, Contractors, Partners)
- Business Contact Data: Name, role, company, email, phone
- Contractual Data: Agreements, compliance certifications
- Financial Data: Payment details, invoices
- Due Diligence Data: Anti-bribery checks, sanctions screening
Clinical Trial Participants (Patients)
- Identification Data: Name, date of birth, gender, unique trial ID., age, body weight, BMI
- Health Data: Medical history, diagnoses, treatment details, lab results
- Genetic & Biometric Data: DNA samples, fingerprints (if applicable)
- Lifestyle Data: Smoking, alcohol use, diet (if relevant to trial)
- Consent Records: Signed informed consent forms
Healthcare Professionals (HCPs)
- Identification Data: Name, professional ID, license number., NPI (National Provider Identifier (USA ONLY), Suffix
- Contact Details: Address, phone, email., City, State, Postal Code, Country, Alternate Phone Number, Fax Number
- Professional Data: Specialization, qualifications, affiliations, Occupation, Institution, Institution ID, Department
- Financial Data: Payments for services, honoraria, travel reimbursements. FMV (Fare Market Value), Bank Information
- Publication & Research Data: CV, authored studies, speaking engagements
Patient’s / Consumer or related information, any concerned person communicating on behalf of Patient(s) / Consumer(s)
- Patient Information
- Identification Data: First Name, Middle Name, Last Name, Initials
- Contact Details: Address 1, City, State, Postal Code
- Personal Data: Date of Birth, Age, Height, Weight, Gender, Pregnant
- Professional Data: Occupation
- Medical Information: Relevant Medical history like Any procedures (present or past), past medications, surgeries, Any current Medications information, Any Adverse event/Adverse drug reactions and Product quality issues (Device malfunction etc)
- Others: Ethnic Group, Military Group, Race Information
- Adverse event reports, pharmacovigilance data
- Description of the event, Diagnosis, Symptoms, Onset Date/Time of the event, Onset From Last Dose, Stop Date/Time of the event, Duration of the event, Onset Latency, Patient Prior Health History, Treatment Received, Intensity, Frequency, Outcome of Event, Country in which Event Occurred, Seriousness criteria, Death details, Date of death occurred, Autopsy Done?, Autopsy Results (if available), Event causality with respect to product (i.e., related or not related to product)
Other Common Categories
- Special Categories under GDPR:
  - Racial or ethnic origin
  - Religious or philosophical beliefs
  - Trade union membership
  - Health data
  - Genetic data
  - Biometric data
  - Sexual orientation (only if relevant and legally permitted)
- Technical & Online Data:
  - IP address, cookies, browsing history (for website visitors), Geo-fencing limited places (Russia and China).
  - Marketing & Communication Data:
  - Preferences, opt-in/opt-out records
  - From HCPs – Name, NPI (National Provider Identifier), Email ID, Phone – via Web Forms
  - Virtual Sales – names of providers, phone numbers and emails

Name	Provider	Purpose	Expiration
ARRAffinity	snazzymaps.com (third-party cookie)	This is an Azure cookie. It keeps track of connecting users by giving them a so-called cookie. This ensures the link between clients and the server they connect to for the entirety of their session.	Session
ARRAffinitySameSite	snazzymaps.com (third-party cookie)	This is an Azure cookie. This cookie is used for load balancing and to distribute traffic to the Website on several servers in order to optimize response times.	Session
wordpress_test_cookie	Azurity (first-party cookie)	Used on websites built with Wordpress. This cookie tests whether or not the browser has cookies enabled.	Session

Name	Provider	Purpose	Expiration
_clck	Azurity (first-party cookie)	This cookie is used by Microsoft Clarity. It persists the Clarity User ID and preferences, unique to that site is attributed to the same user ID.	1 year
_ga	Azurity (first-party cookie)	This cookie is associated with Google Universal Analytics - which is a significant update to Google's more commonly used analytics service. This cookie is used to distinguish unique users by assigning a randomly generated number as a client identifier. It is included in each page request in a site and used to calculate visitor, session and campaign data for the sites analytics reports.	14 months
_ga_xxxxxxxxxx	Azurity (first-party cookie)	This cookie is used to generate statistical data on how the visitor uses our services.	1 year
_gat_UA-nnnnnnn-nn	Azurity (first-party cookie)	Google Analytics sets this cookie for user behavior tracking.	Less than 1 day
_gclxxxx	Azurity (first-party cookie)	This cookie is a Google conversion tracking cookie used in connection with Google Analytics.	89 days
_gid	Azurity (first-party cookie)	Installed by Google Analytics, this cookie stores information on how visitors use a website while also creating an analytics report of the website’s performance. It stores and updates a unique value for each page visited. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.	1 day
itsec-hb-login-*	Azurity (first-party cookie)	This cookie is placed by iThemes Security. It is used to provide the hiding of the WordPress login URL.	Less than 1 day
SM	Azurity (first-party cookie)	This cookie is used in synchronizing the MUID across Microsoft domains.	Session

Name	Provider	Purpose	Expiration
ANONCHK	Microsoft Clarity (third-party cookie)	This cookie indicates whether MUID is transferred to ANID, a cookie used for advertising. Clarity doesn't use ANID and so this is always set to 0.	Less than 1 day
ar_debug	doubleclick.net (third-party cookie)	This cookie is used by DoubleClick for advertising that Google serves across the Internet. Also used to store and track conversations.	30 days
CLID	Microsoft Clarity (third-party cookie)	This cookie identifies the first-time Clarity saw this user on any site using Clarity.	1 year
_clsk	Azurity (first-party cookie)	This cookie is associated with Microsoft Clarity. This cookie is used to store and connect multiple page views by a user into a single Clarity session recording.	1 day
IDE	doubleclick.net (third-party cookie)	This cookie is used by DoubleClick for advertising that Google serves across the Internet.	2 years
MR	Microsoft Bing (third-party cookie)	This cookie is used to synchronize the ID across many different Microsoft domains to enable user tracking.	6 days
MR	Microsoft Clarity (third-party cookie)	This cookie is used to synchronize the ID across many different Microsoft domains to enable user tracking.	6 days
MUID	Microsoft Bing (third-party cookie)	This cookie is set to recognize unique web browsers visiting Microsoft sites. This cookie is used for advertising and site analytics.	1 year
MUID	Microsoft Clarity (third-party cookie)	This cookie is set to recognize unique web browsers visiting Microsoft sites. This cookie is used for advertising and site analytics.	1 year
receive-cookie-deprecation	doubleclick.net (third-party cookie)	Part of a Google Chrome experiment to identify if a user's browser is in specific test groups within Chrome’s Privacy Sandbox initiative. Websites must opt-in to use it. The cookie tracks group participation (e.g., "example_label_1") and it will be discontinued after the experiment.	180 days
SRM_B	Microsoft Bing (third-party cookie)	This cookie identifies unique web browsers visiting Microsoft sites. These cookies are used for advertising, site analytics, and other operational purposes.	1 year
test_cookie	doubleclick.net (third-party cookie)	This cookie is used by DoubleClick for advertising that Google serves across the Internet.	Less than 1 day