Privacy Notice

1. What is this Privacy Notice about?

2. Who is the controller responsible for processing your personal data?

3. What personal data do we process?

4. What is the source of the personal data?

5. For what purposes do we process your personal data?

6. On what basis do we process your personal data?

7. What applies in case of profiling and automated individual decisions?

8. With whom do we share your personal data?

9. Is your personal data disclosed across international borders?

10. How long do we process your personal data?

11. How do we protect your personal data?

12. What are your rights?

13. Notice to California Residents

14. CCPA Notice at Collection for Online Sources

15. Can we update this Privacy Notice?

1. What is this Privacy Notice about?

We take your privacy very seriously and are committed to being transparent with how we use your information. This Privacy Notice describes how Myovant Sciences, Inc. and its subsidiaries and affiliates (“Myovant” “we”, “us” and/or “our”) collect and process personal data that we collect online (e.g., through our websites) and offline (e.g., through in-person activities).

“Personal data” means data relating to identified or identifiable individuals. “Processing” means any operation that is performed on personal data, such as collection, storage, use, alteration, disclosure and erasure.

In addition, for certain processing activities, we may inform you about the processing of your personal data separately, through consent forms, terms and conditions, or additional privacy notices, which may apply instead of or in addition to this Privacy Notice, in cases such as clinical research; employee recruitment, onboarding, and human resources; website cookies; patient support; and pharmacovigilance, medical information, and product quality complaints.

Our websites may also contain links to third-party websites, even though we do not endorse and are not responsible for the content of those third-party websites. We encourage you to review the privacy notices of any third-party site where relevant.

If you disclose personal data to us about you or other individuals, such as family members or co-workers, you confirm that you are authorized to do so and that the relevant personal data is accurate. Please make sure that these individuals have been informed about this Privacy Notice.

We do not knowingly collect any personal data on this website from anyone under the age of 16 without the prior consent of a parent or guardian. All minors should seek their parent’s or guardian’s permission prior to disclosing any personal data on this website.

This Privacy Notice is aligned with EU General Data Protection Regulation (“GDPR”), the Swiss Act on Data Protection (“DPA”), the revised Swiss Act on Data Protection (“revDPA”), and the California Consumer Privacy Act, as amended by the California Privacy Rights Act of 2020 (“CCPA”). However, the applicability of these laws to your personal data depends on factors such as your and our location and the location of the persons to whom we share your personal data.

2. Who is the controller responsible for processing your personal data?

Myovant Sciences, Inc., 2000 Sierra Point Parkway, 9th Floor, Brisbane, CA 94005, USA (“Myovant Sciences, Inc.”) and Myovant Sciences GmbH, Aeschengraben 27, 4051 Basel, Switzerland (“Myovant Sciences GmbH”) are joint controllers for the processing under this Privacy Notice with Myovant Sciences, Inc. being the lead controller, unless we notify you otherwise in an individual case. In certain circumstances, such as for legal obligations or where you otherwise interact with the relevant company, a Myovant affiliate other than Myovant Sciences, Inc. or Myovant Sciences GmbH (a “Myovant Affiliate”) will act as the controller.

In other situations, we may process personal data alongside third parties, either as independent controllers, each responsible for our own processing activities, or as joint controllers, collectively responsible for processing of personal data. When we act as an independent controller, questions regarding our processing should be directed to us, and questions regarding the other controller should be directed to the other controller. When we act as a joint controller, we will remain a primary contact and will have entered into an agreement with the other controller(s) to specify which controller will be responsible for your data protection rights. If you wish to receive information about the controllers for a specific processing activity, you are welcome to contact us as part of your access right (Section 12).

You may contact us for data protection concerns and to exercise your rights under Section 12 as follows:

Myovant Sciences, Inc.
2000 Sierra Point Parkway
9th Floor
Brisbane, CA 94005
USA
privacy@myovant.com

We have appointed the following additional positions, whom you may also contact with data protection concerns:

• a Data Protection Officer according to articles 37 et seq. GDPR for Myovant Sciences Ireland Limited (Ireland):Myovant Sciences, Inc.
  Data Protection Officer
  2000 Sierra Point Parkway
  9th Floor
  Brisbane, CA 94005
  USA
  privacy@myovant.com
• a Data Protection Representative in the EU according to article 27 GDPR for all Myovant companies based outside the Switzerland or the European Economic Area (“EEA”):Myovant Sciences Ireland Limited
  EU Representative
  Western Business Park
  Shannon Co. Clare Ireland
  Shannon, Clare
  Ireland, V14 FW97
  privacy@myovant.com

3. What personal data do we process?

We process various categories of personal data about you. The main categories of personal data are the following:

• Personal data collected through the website or technical data: When you use our website or other online offerings, we collect technical data (e.g., the IP address, information about the operating system on your device and the browser you use, the location, date, and time of use). Technical data as such does not permit us to draw conclusions about your identity. However, technical data may be linked with other categories of data (and potentially with your person) in relation to registrations or the performance of a contract. We generally keep technical data for up to 6 months. To ensure the functionality of these offerings, we may also assign an individual code to you or your terminal device (e.g., a cookie, see our Cookie Notice, available at https://www.myovant.com/cookie-policy/).
• Registration data: Certain offerings and services may only be used with a registration, which can happen directly with us or through third-party login service providers. In this regard you must provide us with certain data, and we collect data about the use of the offering or service. Registration data includes the information you provide when you create an account on our website (e.g., name, user ID, password). Registration data may be required in relation to access control to certain facilities, potentially including biometric data, depending on the control system. We generally keep this data for up to 24 months from the date the use of the service ceases.
• Communication data: When you are in contact with us by email, telephone, or by letter or other means of communication, we collect the data exchanged between you and us (e.g., content of emails or letters), including your contact details (e.g., name, phone number, address) and the metadata of the communication. If we record telephone conversations or video conferences (e.g., for training and quality assurance purposes) you will be informed of this separately, for example by a notice during the video conference. If we have to determine your identity, we collect data to identify you (for example a copy of an ID document). We generally keep this data for up to 24 months from the last exchange between us. Emails in personal mailboxes and written correspondence are generally kept for at least 10 years.
• Master data: With master data we mean the basic data about you that we need, in addition to contract data (see below), for the performance of our contractual and other business relationships or for marketing purposes, such as name, contact details, your role and function as well as details of your relationship with us (customer, investor, supplier, caregiver, health care provider, visitor, service recipient, etc.), your bank details, your date of birth, photos, copies of ID cards, treatment history, legal representative, signature authorizations and declarations of consent. We may also process health data and information about third parties as part of master data, and we may also collect master data from our shareholders and investors. We generally keep master data for up to 10 years from the last exchange between us or from the end of the contract. For contacts used only for marketing and advertising, the retention period is usually much shorter, usually no more than 2 years from the last contact.
• Personal data from health care professionals, researchers and personnel from Clinical Research Organizations and our vendors: we collect personal data from the different vendors, partner organizations and professionals that participate on the studies or clinical trials, including their contact details, qualifications, resumes, biography, pictures, in rare cases also videos or other personal data.
• Patient health data: If you are a patient, we collect information about your health (e.g. your health condition, health insurance coverage, healthcare provider, caregiver or other third parties). We generally keep this data for up to 5 years from the end of your treatment or from the end of the contract.
• Personal data collected from public sources: including from internet sites to ensure a proper due diligence (of e.g., collaborating professionals) for purposes of clinical trials.
• Contract data: This means data that is collected in relation to the conclusion or performance of a contract. This includes information about the contracts (e.g., type and date of conclusion of the contract, duration of the contract) and the services provided or to be provided, as well as data from the period leading up to the conclusion of a contract, information required or used for performing a contract (e.g., information related to billing), and information about feedback (e.g., complaints, feedback about our services). Contract data also includes financial data, such as credit information (meaning information that allows us to draw conclusions about the likelihood that receivables will be paid), information about reminders and debt collection. We generally keep this data for up to 10 years from the last contract activity or from the end of the contract.
• Behavioral and preference data: Depending on our relationship with you, we try to get to know you better and to tailor our products, services and offers to you. For this purpose, we collect and process data about your behavior and preferences. We do so by evaluating information about your behavior in our domain (e.g., your response to electronic communications, navigation on our website, interactions with our social media pages and your participation in sweepstakes, competitions and similar events), and we may also supplement this information with third-party information, including from public sources. We anonymize or delete this data when it is no longer relevant for the purposes pursued, which may be – depending on the nature of the data – between a few weeks and 6 years. In our Cookie Notice (available at: https://www.myovant.com/cookie-policy/), we describe how tracking works on our website.
• Other data: We also collect personal data from you in other situations. For example, data that may relate to you (such as files, evidence, etc.) is processed in relation to administrative or judicial proceedings. We may also collect your contact details if you request information or submit questions to us, including other personal data that you decide to share with us. We may also collect personal data for health protection (for example as part of health protection concepts). We may obtain or create photos, videos and sound recordings in which you may be identifiable (e.g., at events or with our security cameras). We may also collect personal data about who enters certain buildings, and when or who has access rights (including in relation to access controls, based on registration data or lists of visitors, etc.), who participates in events or campaigns and who uses our infrastructure and systems and when. The retention period for these data depends on the processing purpose and is limited to what is necessary. This ranges from a few days for many security cameras, to several years or more for reports about events with images.

4. What is the source of the personal data?

• From you: Much of the data set out in Section 3 is provided to us by you (through forms, when you communicate with us, in relation to contracts, when you use the website, etc.). You are not obliged or required to disclose personal data to us except in certain cases, for example because of binding health protection concepts (legal obligations). If you wish to enter into contracts with us or use our services, you must also provide us with certain personal data, in particular master data, contract data, communication data and registration data, as part of your contract obligation. When using our website, the processing of technical data cannot be avoided. If you wish to gain access to certain systems or buildings, you must also provide us with registration data. However, in the case of behavioral and preference data, you generally have the option of not giving consent or objecting.
• From third parties: As far as it is lawful we can also collect personal data from public sources (e.g., debt collection registers, commercial registers, the media, or the internet including social media) or receive personal data from public authorities and from other third parties (e.g., health care providers, caregivers, clinical trial investigators, research organizations, credit agencies, address brokers, patient groups and associations and other business partners, internet analytics services). Categories of personal data that we receive about you from third parties include, in particular, master data (e.g., information from public registers), contractual data (e.g., credit information), patient health data (e.g., from health care providers) and other data (e.g., information in connection with administrative and legal proceedings). However, this also includes personal data from correspondence and discussions with third parties and all other data categories pursuant to Section 3.

5. For what purposes do we process your personal data?

We process your personal data for the following purposes:

• Communication with you: We process your personal data to communicate with you. In particular, we use communication data, master data, registration data and patient health data for this purpose. This refers to all purposes where you communicate with us (e.g., to answer inquiries and the performance of a contract).
• Operation, evaluation and improvement of our business and services: We collect personal data (e.g., medical records) to provide our products and services, to customize and adapt them to specific medical conditions and diagnoses and to offer initial and ongoing support related to them. For this purpose, we use in particular communication data, master data, contractual data and patient health data.
• To track and monitor adverse and other relevant events (pharmacovigilance): As required by pharmaceutical regulations, Myovant must collect safety information related to our products and investigate any reports of adverse events/special situations and products complaints that we receive in accordance with applicable laws and processes. Equally we must ensure timely and accurate provision of medical information to the inquirer. For more information about how we use and disclose personal data for these purposes, please see our Privacy Notice for Pharmacovigilance, Medical Information and Product Quality Complaints on our website.
• Initiation, administration and performance of a contract: We conclude various kinds of contracts with customers, suppliers, subcontractors or other business partners (e.g., project partners). In particular and depending on the circumstances, we process master data, contract data, patient health data, communication data and registration data. As part of managing contractual relationships, we process data for the administration of the customer relationship, to provide and claim contractual services (which includes involving third parties, such as health care providers, caregivers, logistics companies, security service providers and advertising service providers, etc.). The enforcement of legal claims arising from contracts (debt collection, legal proceedings, etc.) is also part of the performance, as are accounting, termination of contracts and public communication.
• Marketing purposes and relationship management: For these purposes we process personal data, for example, to send our customers and other contractual partners personalized advertising (e.g., as printed material, electronically or by phone) for products and services from us and from third parties (e.g., from advertising partners) and as part of marketing campaigns. You can object to such contacts at any time or refuse or withdraw consent to be contacted for marketing purposes (see Section 12). Relationship management includes addressing existing customers and their contacts, possibly personalized on the basis of behavioral and preference data. In the context of relationship management, we may also operate a customer relationship management system in which we keep the data of customers, health care providers and other business partners. For these purposes, we mainly process communication, registration, behavioral and preference data. With your consent, we can target our online advertising on the internet more specifically to you.
• Market research, improvement of our services and operations and product development: We strive to continuously improve develop and improve our products and services (including our website). To this end, we analyze which products are used by which groups of people, for which treatment and in which way, and how new products and services can be designed. We also conduct regular clinical research analysis on our products. For these purposes, we process in particular master data, behavioral data and preference data, but also communication data and information from customer surveys, polls and studies and other information, for example from the media, social media, the Internet and other public sources. Other our business operations for which we collect and process your personal data encompass marketing and sales, research and development, patient support, donations and sponsorships, communications, business administration (finance and accounting, human resources, prevention and investigatory activities) and other. We use pseudonymized personal data or anonymized data for these purposes to the extent possible.
• Security and access control: We continuously review and improve the appropriate security of our IT and other infrastructure. We therefore process personal data, e.g., for monitoring, inspection, analysis and testing of our networks and IT infrastructures, for system and error checks, for documentation purposes and in the context of backups. Access controls include electronic system access controls (e.g., logging into user accounts), as well as physical access controls (e.g., facility access). For security purposes (to prevent and investigate incidents), we also keep access protocols and visitor lists and use surveillance systems.
• Compliance with laws, directives and recommendations from authorities and internal regulations: This includes, for example, the implementation of health security concepts, the regulated fight against money laundering and terrorist financing and conducting internal and external investigations. For all these purposes, we process in particular master data, contract data and communication data, but also, under certain circumstances, behavioral data and data from the category of “other data”. The legal obligations may arise under US and Swiss law but also under foreign regulations to which we are subject, as well as self-regulations, industry standards, our own “corporate governance” and instructions and requests from authorities.
• Risk management and corporate governance: We may process personal data as part of risk management (e.g., to protect against tortious acts) and corporate governance, including our business organization (e.g., resource planning) and corporate development (e.g., the purchase and sale of business units or entities). In particular, we process master data, contract data, registration data and technical data, but also behavioral and communication data.
• Public interest in the area of public health: This includes, for example, ensuring high standards of safety of our products and devices, personalizing and tailoring our products to specific health conditions and diagnoses (e.g., by creating an array map) to provide patients with appropriate treatment.
• Further purposes: These further purposes include, for example, training and educational purposes, administrative purposes (e.g., managing master data or accounting), protecting our rights and evaluating and improving internal processes. We may combine, aggregate, or anonymize personal data with data we may collect from or about you from other sources (e.g., public databases, providers of demographic information, marketing and alliance partners, social media platforms, and other third parties). We may use your data for our legitimate internal purposes, including audits, monitoring and prevention of fraud, infringement, and other potential misuse of our products and services, and for enhancing the quality of our services. We may use recordings of (video) conferences for quality assurance purposes and trainings. These further purposes also include safe-guarding other legitimate interests that cannot be named exhaustively.

6. On what basis do we process your personal data?

We can process your personal data based on the following:

• Initiation, administration and performance of contracts: We process personal data during the initiation (pre-contractual), the conclusion, the administration and the execution of a contract as well as for the fulfillment of the obligations arising from such contract.
• Legitimate interest: Pursuant to our legitimate interest, we can process your personal data based on a balancing of our interests against your interests.
• Consent: Where we ask for your consent for certain processing activities, we will inform you separately about the relevant processing purposes. You may withdraw your consent at any time with effect for the future by providing us written notice (by mail) or, unless otherwise noted or agreed, by sending an email to us; see our contact details in Section 2. For withdrawing consent for online tracking, see our Cookie Notice (available at: https://www.myovant.com/cookie-policy/). Once we have received notification of withdrawal of consent, we will no longer process your information for the purpose(s) you consented to, unless we have another legal basis to do so. Withdrawal of consent does not, however, affect the lawfulness of the processing based on the consent prior to withdrawal.
• Legal requirements: We may process your personal data within the scope of applicable legal, regulatory and standard practice requirements.

Where we receive sensitive personal data (for example health data and biometric data for identification purposes), we may process your data on other legal basis, for example, in the event of a dispute, as required in relation to a potential litigation or for the enforcement or defense of legal claims.

In some cases, other legal basis may apply, which we will communicate to you separately as necessary.

7. What applies in case of profiling and automated individual decisions?

We may automatically evaluate personal aspects relating to you (“profiling”) based on your personal data (Section 3) for the purposes set out in Section 5, where we wish to determine preference data, but also to detect misuse and security risks, to check your credit rating, to perform statistical analysis or for operational planning. We may also create profiles for these purposes, i.e., we may combine behavioral and preference data, but also master data, contract data and technical data relating to you to better understand you as a person with your various interests and other characteristics.

In certain situations, it may be necessary for the efficiency and consistency of decision-making processes that we automate discretionary decisions that produce legal effects concerning you or similarly significantly affect you (“automated individual decisions”). In these cases, we will inform you accordingly and take the measures required by applicable law.

8. With whom do we share your personal data?

In relation to our contracts, the website, our services and products, our legal obligations or otherwise with protecting our legitimate interests and the other purposes set out in Section 5, we may disclose your personal data to third parties, in particular to the following categories of recipients:

• Other Myovant Affiliates: Other Myovant Affiliates may have access in particular to personal data mentioned in Section 3 (including health data) for the purposes listed in Section 5. If you wish to object to the disclosure and use of personal data for marketing purposes, you can do so through Myovant Sciences, Inc. (Section 2), even if the processing concerns another Myovant Affiliate once data has already been transferred. Your personal data may also be disclosed to other Myovant Affiliates, for example, if certain products and services originate from one Myovant Affiliate and another Myovant Affiliate is only coordinating the performance.
• Service providers: We work with service providers who process your personal data on our behalf or in rare cases as joint controllers with us or who receive data about you from us as separate controllers (e.g., IT providers, and related infrastructure provision, website hosting, shipping companies, advertising service providers, security companies, data analysis, payment processing, order fulfillment, customer service, email delivery, auditing and other similar services). This may include health data. We always require that our service providers adhere to appropriate restrictions on access and use of your personal data. etc.). This may include health data. For more information on the service providers used for the website, see our Cookie Notice, (available at https://www.myovant.com/cookie-policy/).
• Contractual partners including customers: This refers to customers (e.g., service recipients) and our other contractual partners as this data disclosure results from these contracts. If you work for one of these contractual partners, we may also disclose your personal data to that partner in this regard. This may include health data. These recipients also include contractual partners with whom we cooperate or who carry out advertising for us.
• Authorities: We may disclose personal data to agencies, courts and other authorities if we are legally obliged or entitled to make such disclosures or if it appears necessary to protect our interests. This may include health data. These authorities act as separate controllers.
• Clinical trial registries: We publish information from our protocols and clinical study results on clinical trial registries and we disclose clinical study documentation. We provide qualified researchers access to individual patient data.
• Healthcare provider and other persons: We share your information with healthcare providers as may be necessary in connection with products and services you receive, as well as with third parties (e.g., service recipients, healthcare payers, third-party payees specified by you, family members, research organizations, the media and associations in which we participate or if you are included in one of our publications) insofar as necessary to pursue the purposes set out in Section 5. Other recipients include, for example, delivery recipients or third-party payees specified by you, third parties in relation to agency relationships (e.g., your lawyer or your bank) or persons involved in administrative or legal proceedings. If we cooperate with the media and share materials with them (for example photos), this may also affect you depending on the circumstances. As part of our business development, we may sell businesses, parts of businesses or companies to others or acquire them from others or enter into partnerships, which may also result in the disclosure of data (including from you, e.g., as a customer, supplier or as a supplier representative) to those persons involved in these transactions. In relation to communicating with competitors, industry organizations, associations and other bodies, data may be exchanged that also affects you.

Each of these categories of recipients may involve third parties, so that your personal data may also be disclosed to them. We can restrict the processing by certain third parties (for example IT providers), but not by others (for example authorities, banks, etc.).

In addition, we enable certain third parties to collect personal data from you on our website and at events organized by us (for example press photographers, providers of tools on our website, etc.). Where we have no control over these data collections, these third parties are sole controllers. If you have concerns or wish to exercise your data protection rights, please contact these third parties directly. See our Cookie Notice (available at: https://www.myovant.com/cookie-policy/) for the website.

9. Is your personal data disclosed across international borders?

Your personal data may be processed by Myovant and our vendors in the U.S., EEA, Switzerland, UK, and India, and, in certain cases, in other countries (depending on e.g., the location of a particular clinical site, Contract Research Organization or the partners’ employees). More specific information about the recipients of personal data and their location may be found in respective privacy notices covering specific relevant processes, such as clinical trial consent forms.

Personal data we collect may be transferred, stored and otherwise processed to various destinations outside of your home country, including countries whose data protection provisions are not comparable to those in your home country. In the case of transfers of personal data from within the EEA, Switzerland, or UK to a jurisdiction that has not been found by the European Commission to adequately protect data, we require recipients to agree to the revised European Commission’s standard contractual clauses, which can be accessed here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj and corresponding UK contracts, unless the recipient is subject to a legally accepted set of rules to ensure data protection or we can rely on another exception in the law. An exception may apply for example in case of legal proceedings; overriding public interest; or if the performance of a contract requires disclosure, if you have consented or if personal data has been made available generally by you and you have not objected against the processing.

Please note that data exchanged via the internet is often routed through third countries. Your personal data may therefore be sent outside of your home country even if the sender and recipient are in the same country.

10. How long do we process your personal data?

We retain personal information for as long as is necessary for the processing purpose(s) for which the information was collected, and any other permissible, related purpose. When we no longer need the personal information we collect, we either anonymize the information or securely destroy the data. You will find further information on the respective storage and processing periods for the individual data categories in Section 3 and in our Cookie Notice (available at: https://www.myovant.com/cookie-policy/).

11. How do we protect your personal data?

We take appropriate security measures in order to maintain the required security of your personal data and ensure its confidentiality, integrity, and availability, and to protect it against unauthorized or unlawful processing, and to mitigate the risk of loss, accidental alteration, unauthorized disclosure or access.

12. What are your rights?

Applicable data protection laws grant you the right to object to the processing of your data in some circumstances, in particular for direct marketing purposes, for profiling carried out for direct marketing purposes and for other legitimate interests in processing.

To help you control the processing of your personal data, you have the following rights in relation to our data processing, depending on the applicable data protection law:

• The right to request information from us as to whether and what data we process from you;
• The right to have us correct data if it is inaccurate;
• The right to request erasure of data;
• The right to request that we provide certain personal data in a commonly used electronic format or transfer it to another controller;
• The right to withdraw consent, where our processing is based on your consent;
• The right to receive, upon request, further information that is helpful for the exercise of these rights;
• The right to request that processing decisions based on automated decision-making (Section 7) be reviewed by a human.

If you wish to exercise the above-mentioned rights in relation to us, please contact us using the contact details in Section 2. In order for us to be able to prevent misuse, we need to identify you (for example by means of a copy of your ID card if identification is not possible by other means).

You also have these rights in relation to other parties that cooperate with us (see Section 8 and our Cookie Notice, available at: https://www.myovant.com/cookie-policy/) as separate controllers – please contact them directly if you wish to exercise your rights in relation to their processing.

Please note that conditions, exceptions, or restrictions may apply to these rights under applicable data protection law (for example, to protect third parties or trade secrets). We will inform you accordingly where applicable.

When you are asked to share your personal data with us, you may decline, however, please note that your choice not to share your personal data with us may in certain limited cases mean that you will not be able to use or fully benefit from our services, features or offerings.

If you do not agree with the way we handle your rights or with our data protection practices, please let us or our Data Protection Officer know (Section 2). If you are located in the EEA, the UK or in Switzerland, you also have the right to lodge a complaint with the competent data protection supervisory authority in your country. You can find a list of authorities in the EEA here: https://edpb.europa.eu/about-edpb/board/members_en. You can reach the UK supervisory authority here: https://ico.org.uk/global/contact-us/. You can reach the Swiss supervisory authority here: https://www.edoeb.admin.ch/edoeb/en/home/the-fdpic/contact.html.

13. Notice to California Residents

This Section only applies to users of our services who reside in the State of California and is intended to describe our practices and your rights under the CCPA.

For purposes of this Notice to California Residents, the term “personal information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household, and it includes “personal data” as defined in Section 1 of this Privacy Notice. Personal information does not include (i) publicly available information that is made available from federal, state, or local government records, (ii) lawfully obtained, truthful information that is a matter of public concern; (iii) information that we have a reasonable basis to believe is lawfully made available to the general public by the consumer or from widely distributed media, or by the consumer; (iv) information made available by a person to whom the consumer has disclosed the information if the consumer has not restricted the information to a specific audience; (v) information collected in a clinical trial or other biomedical research study subject to, or conducted in accordance with, applicable regulations or guidelines on the protection of human subjects; (vi) information collected and maintained by us in compliance with the California Confidentiality of Medical Information Act (CMIA); or (vii) anonymized or aggregated data that cannot be used to identify you.

California privacy rights. California residents have the right to:

• Request additional disclosures about the personal information we collect, use, disclose, sell and share;
• Request access to and deletion of your personal information, subject to certain exceptions;
• Opt out of the sale and sharing of your personal information;
• Correct inaccurate personal information that we maintain about you;
• Limit the use and disclosure of sensitive personal information; and
• Obtain a copy of your personal information.

We will not discriminate against you for exercising any of these rights, for example, by charging a different price or denying goods or services. However, we may charge a different price or rate or provide a different level or quality of goods or services when that difference is reasonably related to the value provided to us by the data.

Methods for submitting requests. If you wish to exercise any of these rights, please email with the phrase “California Privacy Rights” in the subject line to privacy@myovant.com. You may also send a postcard to us at Myovant Sciences, Inc., 2000 Sierra Point Parkway, 9th Floor, Brisbane, CA 94005 USA (please mark the envelope “Data Protection Officer”). We will review your request and respond accordingly. The rights described herein are not absolute, and we reserve all of our rights available to us at law in this regard. Additionally, if we retain your personal information only in de-identified form, we will not attempt to re-identify your data in response to a California privacy rights request.

If you make a request related to personal information about you, you will be required to supply a valid means of identification as a security precaution. We will verify your identity with a reasonably high degree of certainty using the following procedure where feasible: we will match identifying information you provide when making the request to the personal information maintained by us, or use a third-party identity verification service. If it is necessary to collect additional information, we will use the information only for verification purposes and will delete it as soon as practicable after complying with your request. For requests related to particularly sensitive information, we may require additional proof of your identity.

If you make a California privacy rights request through an authorized agent, we will require written proof that the agent is authorized to act on your behalf.

We will process your request within the timeframe provided by applicable law.

Additional Disclosures.

• Categories of personal information we collect. In the previous 12 months, Myovant has collected the following categories of personal information:
  • Identifiers such as names, dates of birth, and contact information;
  • Information protected by California Civil Code Section 1798.80, subdivision (e), such as names and contact information;
  • Characteristics of protected classifications under California or federal law, such as age, ancestry, and medical condition;
  • Biometric information such as genetic characteristics;
  • Internet or other electronic network activity information;
  • Geolocation data;
  • Audio, electronic, visual, thermal, olfactory, or similar information;
  • Professional or employment-related information;
  • Sensitive personal information, such as information collected and analyzed concerning a consumer’s health and sexual orientation; and
  • Inferences drawn from the foregoing information to create profiles reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
• Sources from which we collect personal information. Myovant may collect personal information from you directly. Myovant may also receive personal information about you from third parties or through automated means. For additional information on how we may collect personal information, refer to the section of this Privacy Notice above labeled “What is the source of the personal data?”
• Purpose for collecting, sharing or selling personal information. Your personal information may be collected or used for the purposes described in the sections of this Privacy Notice above labeled “What is the source of the personal data?” and “For what purposes do we process your personal data?” as well as for other purposes that may be described to you at the time that we collect your personal information. Your personal information will be retained in accordance with the section of this Privacy Notice above labeled “How long do we process your personal data?”
• Categories of third parties to whom we disclose your personal information. Myovant may disclose your personal information to the third parties described in the sections of this Privacy Notice above labeled “With whom do we share your personal data?” as well as with other third parties as may be described to you at the time that we collect your personal information.
• Disclosures of Personal Information. In the previous 12 months, Myovant has disclosed the following categories of personal information for a business purpose:
  • Identifiers such as names, dates of birth, and contact information;
  • Information protected by California Civil Code Section 1798.80, subdivision (e), such as names and contact information,
  • Characteristics of protected classifications under California or federal law such as age, ancestry, and medical condition;
  • Commercial information such as records of products or services purchased;
  • Biometric information such as genetic characteristics;
  • Internet or other electronic network activity information;
  • Geolocation data;
  • Audio, electronic, visual, thermal, olfactory, or similar information;
  • Professional or employment-related information; and
  • Inferences drawn from the foregoing information to create profiles reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
• Sharing or Sale of Personal Information. Note that we do not generally sell or share information as the terms “sell” and share” are traditionally understood. We do not sell or share personal information (including de-identified personal information) to third parties for money. During the past 12 months, we may have engaged in delivering online advertising that was tailored to your interests, but we did not disclose data that would identify you by name, address or phone number. To the extent “sale” or “share” under the CCPA is interpreted to include advertising technology activities such as those disclosed here and in our Privacy Notice as a “sale” or “sharing,” we will comply with applicable law, including the CCPA, as to such activity. As described herein, you have the right to opt-out of the “sale” or “sharing” of your personal information. Additionally, you should know that the CCPA prohibits third parties to whom we “sell” or “share” personal information from reselling or re-sharing it, unless you have received explicit notice and an opportunity to opt-out of further sales or sharing.

14. CCPA Notice at Collection for Online Sources

The CCPA requires us to provide certain disclosures at or before our collection of CCPA personal information from California residents. The below CCPA Notice at Collection for Online Sources provides you with the information about how we collect and use, sell or share and retain your CCPA personal information in the online context. When you use or interact with our services online, including when you communicate with Myovant by email, complete or submit forms to us on our websites, or when you visit our websites or interact with us on social media, we may collect and use the following categories of information:

Category of CCPA Personal Information	Purpose for Collection and Use	Is the information sold or shared?
Identifiers	Market and communicate about our products, services, events, and other offerings Administer user accounts Provide, support, personalize, and develop our products, services, events, and other offerings Provide service to our customers	Limited to our websites for HCPs or our services for HCPs – potential sharing with our service providers
Categories described in Civ. Code § 1798.80(e)	Market and communicate about our products, services, events, and other offerings Administer user accounts Provide, support, personalize, and develop our products, services, events, and other offerings Provide service to our customers, which include Providers Process payments, administer fees, provide users with invoices, or resolve billing issues	Limited to our websites for HCPs or our services for HCPs – potential sharing with our service providers
Internet or other similar network activity	Market and communicate about our products, services, events, and other offerings Conduct research and analysis	N/A
Professional or employment-related information	Administer user accounts Provide, support, personalize, and develop our products, services, events, and other offerings Provide service to our customers, which include Providers	N/A

Retaining Personal Information. We will retain your personal information described in this Notice only for as long as is necessary for the purposes set out in this Privacy Notice subject to your right, in certain circumstances, to have your personal information erased. We may be required by law to hold certain personal information for specific periods. In other cases, we will retain your personal information for an appropriate period after our relationship ends to protect ourselves from legal claims or to administer our business. When deciding how long to retain your personal information, we take into account how long we need to retain the personal information to fulfil the purposes described above and to comply with our legal and regulatory obligations. We may also retain your personal information to investigate or defend against legal claims in accordance with the limitation periods of countries where legal action may be brought.

15. Can we update this Privacy Notice?

Our Privacy Notice may change from time to time. We will post any Privacy Notice changes on this page and, if the changes are material, we may also provide a more prominent notice (including, for certain services, email notification of Privacy Notice changes).

Last updated: 08.03.2023