Quince Therapeutics, Inc. (“Quince,” “we” or “us”) is committed to protecting your privacy and keeping you informed of how we collect and safeguard your personal information. This Privacy Policy (“Policy”) and the Terms of Use (“Terms”) describe and govern how Quince collects, uses, discloses and secures information (including Personal Data defined below) collected from or about you through its website and any online applications and services (“Services”) owned and controlled by Quince at www.quincetx.com, except as otherwise noted herein, as well as the Personal Data you submit or we collect when you receive our Services in connection with the following:

  • Visit our locations or attend one of our events;
  • Engage in phone, email, or mail communications;
  • Social media interactions on our websites and other third-party websites like Facebook, YouTube, Instagram, and Twitter; or
  • View our online advertisements.

Anyone who accesses or utilizes our Services is hereinafter referred to as a “user”, or collectively the “users”. In this Policy, the individual user will be referred to as “you” or “your”.

By accessing or using our Services, you consent to the terms of this Policy and to our Terms, which includes without limitation Quince collecting, using or storing such information consistent with this Policy and our Terms.

UPDATES TO THIS POLICY

Quince may update this Policy from time to time in its sole discretion in accordance with the Modification provisions of our Terms. We will use best efforts to notify you of updates to our Policy and Terms by posting a notice on our website or by contacting you. You are encouraged to review this Policy and our Terms periodically and to contact us with questions.

CONTACT US

If you require any additional information or have questions or complaints regarding our Policy, please email legal@quincetx.com or mail Quince pursuant to the Notices Section in our Terms.

WHAT IS PERSONAL DATA?

In general, personal data is information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household (“Personal Data”). Examples include name, address, IP address, phone number, email address, demographic information such as gender, date of birth, geographic information and preferences for using the Services or communicating with you when such information is identified by you in communications with Quince.

WHAT PERSONAL DATA DOES QUINCE COLLECT?

As described below, we may collect or have collected in the preceding 12 months the following categories of Personal Data. We may add to the categories of Personal Data we collect. In that case, we will inform you.

  • Identifiers. Examples include real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, or other similar identifiers.
  • Other elements. Examples include name, signature, characteristics or description, address, telephone number, education, employment, employment history, bank account number, credit card number.
  • Characteristics of protected classifications under California or federal law. Examples include race, religion, and age.
  • Commercial information. This includes services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
  • Education information. This includes information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, Sec. 1232g; 34 C.F.R. Part 99).
  • Internet or other electronic network activity. Examples include browsing history, search history, a consumer’s interaction with an internet website, application, or advertisement.
  • Geolocation data. This might include location information while using one of our apps.
  • Audio, electronic, visual, thermal, olfactory, or similar information. Examples of this category include identifiable information obtained about you while speaking with our employees on the telephone.
  • Professional or employment-related information.
  • Consumer profile. This includes inferences drawn from any of the information identified above to create a profile about a consumer reflecting the consumer’s preferences, characteristics, and behaviors.
  • Sensitive personal information. This includes personal information that would reveal identifiers such as social security, driver’s license, state identification card, or passport numbers, as well as log-in, financial account, required security or access code and other information that would permit access to an account. It also would include precise geolocation and racial or ethnic origin, religious or philosophical beliefs, union membership or a consumer’s genetic or medical information.

We generally retain all categories of personal information only as long as required by law and as needed for our business, if longer, as provided under our record retention policies. We consider several criteria when determining the retention period(s) for categories of Personal Data. These include, without limitation: regulatory record retention requirements, contractual obligations, limitation periods, maintaining customer service, securing our information systems, and identity verification.

WHY DOES QUINCE COLLECT YOUR PERSONAL DATA?

Set forth below are some examples of business or commercial purposes for which we may have collected your Personal Data. We may change or add to the purposes we collect Personal Data. In that case, we will inform you and obtain your consent when required by law.

  • To provide you with information, products, or services, including the Services, that you request or receive from us, including with respect to clinical trials.
  • To fulfill or meet the reason for which the information is provided. For example, if you obtain a service from us, we will collect your address for shipping purposes or to fulfill our tax collection and reporting obligations.
  • To contact you and/or provide you with email alerts, event registrations and other notices concerning our products or services, or events or news, that may be of interest to you.
  • To engage in marketing activities.
  • To communicate with you in social media concerning our products and services.
  • To carry out our obligations and enforce our rights including those arising from any contracts entered into between you and us, including for billing, payment, and collections.
  • To review, improve, and monitor our website, applications, online services, and overall customer experience, including to provide customization to meet the specific needs, ensure a consistent experience, and to assess trends, interests, and the demands of clients.
  • To provide customer service and engage in quality control activities concerning our products and services.
  • For testing, research, analysis and product and service development.
  • To respond to law enforcement requests and as required by applicable law, court order, governmental regulations, or other lawful processes.
  • As described to you when collecting your personal information or as otherwise set forth in the California Consumer Privacy Act (“CCPA”).
  • To process applications for employment, as well as to evaluate and improve our recruiting efforts.
  • As necessary or appropriate to protect the rights, property, security, and safety of us, our employees, our consumers, our information systems, and the public.
  • To evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal information held by us is among the assets transferred.

Cookies. We may use technologies such as cookies, pixel tags, browser analysis tools, server logs, and web beacons which automatically collect certain information from you. This information may include the Internet Protocol (IP) address, browser type, language, internet service provider (ISP), referring and exit page, operating system, and date/time stamp. In addition to the purposes above, we use this Personal Data to understand and analyze trends, to administer the website, to learn about user behavior on the website, and to gather demographic information about our user base as a whole. To monitor use of the website and improve its quality, we may compile statistical information concerning the use of the website through analytics services, such as those provided by Google Analytics. Examples of this information may include: the number of visitors to the website or to sections or pages within the website, patterns of traffic flowing through the website, length of time spent on the website, or in sections or pages of the website, the other sites that refer visitors to the website, the pages of the website that visitors frequently use as entry and exit points, utilization of the browser and operating systems and versions used by visitors to the Website.

This website may use social media plugins (e.g., Facebook and LinkedIn) to enable you to easily share information with others. When you visit our website, the operator of the social plugin can place a cookie on your computer, enabling that operator to recognize individuals who have previously visited our website. If you are logged into the social media website (e.g., Facebook, Twitter) while browsing our website, the social plugins allow that social media website to share data about your activities on our website with other users of their social media website. For example, Facebook Social Plugins allow Facebook to show your likes and comments on our pages to your Facebook friends. Facebook Social Plugins also allow you to see your friends’ Facebook activity on our website. We do not control any of the content from the social media plugins. For more information about social plugins from other media websites, you should refer to those sites’ privacy and data/information sharing statements/policies.

By accessing or using the website, including to use the Services, you consent to the processing of any Personal Data provided or collected for the analytics purposes and functions described above. You also acknowledge and agree that such Personal Data may be transferred from your current location to the offices and servers of Quince, and Quince and any authorized third parties referred to herein located in the United States will have access to your Personal Data. You may opt-out of receiving non-services related emails from Quince by emailing us at legal@quincetx.com.

WHAT ARE THE SOURCES OF PERSONAL DATA QUINCE COLLECTS?

The categories of sources of Personal Data are described below. The examples provided are for illustration purposes and are not exhaustive.

  • You. Examples of when we collect that information include:
    • During a website visit or completed form, or when you visit us at one of our locations or events.
    • If you upload or share a photo, submit a request, submit information, or post other digital content through one of our websites, applications or via social media interactions on third party websites like Facebook or Twitter
    • If you participate in a clinical trial administered by us
    • If you register for a referral program
    • If you participate in a promotion, program, clinic or workshop
    • If you apply or inquire about employment.
    • In connection with your interactions with us as a registered user of our websites
    • We may use tracking tools like browser cookies, flash cookies, and web beacons.
  • Your friends and family, such as when they provide your information through one of our refer-a-friend type features or programs. Persons who share such information in connection with those features or programs should only submit email addresses of individuals with whom they have a close personal or family relationship, who would be interested in receiving the communication, and who have authorized the sharing of their email address
  • News outlets
  • Cookies, social media and related services

DOES QUINCE DISCLOSE MY INFORMATION WITH THIRD PARTIES?

We may disclose and have disclosed certain categories of Personal Data during the past 12 months, as described below:

Categories of Personal Information Disclosed

  • Identifiers
  • Other elements
  • Characteristics of protected classifications under California or federal law
  • Commercial information
  • Education information
  • Internet or other electronic network activity
  • Geolocation data
  • Audio, electronic, visual, thermal, olfactory, or similar information
  • Professional or employment-related information
  • Consumer profile
  • Sensitive Personal Information

Categories of Third Parties to Whom Disclosed

  • Third parties as directed by you. We will disclose your Personal Data with those third parties to whom you direct.
  • Our business partners. For example, we might disclose your Personal Data with one of our business partners for purposes of collaborating on providing Services to you, or to invite you to an event we are organizing. These business partners should also have their own privacy statements that set out the manner in which they will collect, use, and disclose Personal Data. Where applicable, we encourage you to review each such business partner’s privacy statement before signing on with them.
  • Third parties who perform services on our behalf. For example, we disclose information with certain service providers, including marketing companies, professional service providers, debt collectors, information technology providers, and data storage companies. We might also authorize our service providers to collect Personal Data on our behalf.
  • Governmental entities, legal service providers. We may disclose your Personal Data in order to comply with the law and in the course of providing our products and services. We may also disclose information if a government agency or investigatory body submits a request.
  • Successors to all or portions of our business. If all or part of our business is sold, we may disclose Personal Data in preparation for or as part of that transaction.

We do not sell your Personal Data and do not have actual knowledge that we have sold personal information of minors under age 16.

HOW DOES QUINCE SAFEGUARD PERSONAL DATA?

To protect against unauthorized destruction, loss, alteration, access, disclosure, or use (collectively, “Unauthorized Processing”), we maintain administrative, technical, and physical safeguards designed to protect the information you provide and that we collect about you. Unfortunately, despite these efforts, we cannot ensure or warrant the security of any information you provide to us. In addition, we are not responsible for the security of information you transmit to us over networks that we do not control, including the Internet and wireless networks. As a result, we will not be liable for any loss or damage arising from any Unauthorized Processing of your information.

USERS OUTSIDE OF THE UNITED STATES: Quince is based in the state of California in the United States. The information processed and transmitted to you through Services is subject to United States laws. The privacy laws in your state or country of residence may be different from the United States. If you are visiting from another country with laws governing data collection and use, please note that we may transfer your information to recipients in countries other than the country in which you originally provided the information. When we transfer your Personal Data, it will be in compliance with this Policy. By using the Services, you are consenting to the storage, use and transmission of your Personal Data for processing.

LINKS TO OTHER WEBSITES: The Services may contain links to other websites. Any Personal Data you provide to linked pages is provided directly to that third party and is subject to the privacy policy of that third party. Quince is not responsible for Personal Data provided by you to a third party using a link from our website. Links are provided only as a convenience.

CHILDREN’S PRIVACY: Quince does not seek or knowingly collect any personal information about children under the age of thirteen (13) years of age. If we become aware that we have unknowingly collected personal information from a child (as defined here), we will make commercially reasonable efforts to delete such information from our database. If you are a parent or guardian of a minor who has provided us information and become aware that the child has shared his/her information with us, please contact us at legal@quincetx.com to request the information be deleted.

GOVERNING LAW: This Policy is governed by the laws of California and is subject to the same terms and conditions provided in the Terms.

CALIFORNIA PRIVACY RIGHTS

This section of the Privacy Policy (“CA Policy”) supplements and amends the information contained in our Privacy Policy with respect to California residents. This CA Policy applies solely to individuals, visitors, users, and others who are natural persons and residents of the State of California (“consumers” or “you”).

THIS ADDENDUM TO THE PRIVACY POLICY DOES NOT APPLY TO USERS WHO ARE NOT NATURAL PERSONS AND NOT CALIFORNIA RESIDENTS.

The CA Policy describes our policies and practices regarding the Personal Data we collect, use, and disclose about you, including Personal Data you submit or we obtain when you use the Services, including accessing this website. This CA Policy is adopted in part to comply with the CCPA.

Any terms defined within the CCPA have the same meaning when utilized within this CA Policy. The other provisions of the Policy continue to apply except as modified in this CA Policy. Note, however, that Personal Data as used in this CA Policy does not include:

  • Publicly available information from government records.
  • De-identified or aggregated consumer information.
  • Information excluded from the CCPA’s scope, such as personal information covered by certain sector-specific privacy laws, including the Health Insurance Portability and Accountability Act (HIPAA), the California Confidential Medical Information Act (CMIA), the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver’s Privacy Protection Act of 1994.

Consumer Rights. Pursuant to the CCPA, and as detailed below, consumers have various rights with respect to their Personal Data:

  • Request to Delete. You have the right to request that we delete your Personal Data from our records and direct any service providers or contractors to delete your Personal Data from their records, subject to certain exceptions. Upon receipt of a confirmed verifiable consumer request (see below), and as required by the CCPA, we will delete and direct any service providers or contractors to delete your Personal Data from our records.

We are not required to comply with your request to delete your Personal Data if it is necessary for us (or our service providers or contractors) to maintain your Personal Data in order to

  • Complete the transaction for which the Personal Data was collected, provide a good or service requested by you, or reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform a contract between us and you.
  • Help to ensure security and integrity to the extent the use of your Personal Data is reasonably necessary and proportionate for those purposes.
  • Debug to identify and repair errors that impair existing intended functionality.
  • Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law.
  • Comply with the California Electronic Communications Privacy Act pursuant to Chapter 3.6 (commencing with Section 1546) of Title 12 of Part 2 of the Penal Code.
  • Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that confirms or adheres to all other applicable ethics and privacy laws, when the Company’s deletion of the information is likely to render impossible or seriously impair the ability to complete such research, if you have provided informed consent.
  • To enable solely internal uses that are reasonably aligned with your expectations based on your relationship with us and compatible with the context in which you provided the information.
  • Comply with a legal obligation.

Upon receipt of a confirmed verifiable consumer request (see below), and as required by the CCPA, we will provide a response to such requests.

If you are under the age of 18, and a registered user of any Service where this CA Policy is posted, California law permits you to request and obtain removal of content or information you have publicly posted. You may submit your request using the contact information in the Policy. Please be aware that such a request does not ensure complete or comprehensive removal of the content or information you have posted and that there may be circumstances in which the law does not require or allow removal even if requested.

  • Request to Know. You have the right to request that we disclose the following to you as it relates to the 12-month period preceding our receipt of your verifiable consumer request:
  1. The categories of Personal Data we have collected about you.
  2. The categories of sources from which the Personal Data was collected.
  3. The business or commercial purpose for collecting Personal Data.
  4. The categories of Personal Data we disclosed for a business purpose.
  5. The categories of third parties with whom we disclose Personal Data.
  6. The specific pieces of Personal Data we collected about you.

Upon receipt of a verifiable consumer request (see below), and as required by the CCPA, we will provide a response to such requests.

  • Request to Correct Inaccurate Information. You have the right to request that we correct inaccurate Personal Data that we maintain. Upon receipt of a verifiable consumer request (see below), and as required by the CCPA, we will provide a response to such requests.
  • Direct the Company to Limit the Use of Sensitive Personal Information. You have the right to direct that we limit the use of sensitive personal information we collect about you to (i) uses that an average consumer would expect are reasonably necessary to provide the goods and/or services you have requested, (ii) perform certain other activities permitted under the CCPA, and (iii) what is permitted by applicable law. Your right to direct the Company under this paragraph applies only to sensitive personal information that we collect or process for the purpose of inferring characteristics about you.
  • Nondiscrimination. We will not discriminate against you in violation of the CCPA for exercising any of your CCPA rights. For example, we generally will not provide you a different level or quality of goods or services if you exercise your rights under the CCPA.

Submitting Consumer Rights Requests. To submit any of the Consumer Rights requests as outlined above, please contact us at 833-278-9963 or legal@quincetx.com. We reserve the right to only respond to verifiable consumer requests. A verifiable consumer request is one made by any individual who is:

  • the consumer who is the subject of the request,
  • a consumer on behalf of the consumer’s minor child, or
  • a natural person or person registered with the Secretary of State authorized to act on behalf of a consumer.

If we request, you must provide us with sufficient information to verify your identity and/or authority to act on behalf of the consumer. In general, we may ask you to provide identifying information that we already maintain about you or we may use a third-party verification service. In either event, we will try to avoid asking you for sensitive Personal Data to verify your identity. We may not be able to respond to your request or provide you with Personal Data if we cannot verify your identity or authority to make the request and confirm the Personal Data relates to you. However, making a verifiable consumer request does not require you to create an account with us. Additionally, you will need to describe your request with sufficient detail to allow us to review, understand, assess, and respond. Personal Data collected from an individual to determine whether a request is a verifiable consumer request may not be used or disclosed for any other purpose except as required by law. We will endeavor to respond to a verifiable consumer request within forty-five (45) calendar days of receipt, but we may require an extension of up to forty-five (45) additional calendar days to respond and we will notify you of the need for the extension.

If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option. Any disclosures we provide will only cover the 12-month period preceding the receipt of your verifiable consumer request. With respect to Personal Data collected on and after January 1, 2022, and to the extent expressly permitted by applicable regulation, you may request that such disclosures cover a period beyond the 12 months referenced above, provided doing so would not require a disproportionate effort by the Company.

The response we provide will also explain the reasons we cannot comply with a request, if applicable. To the extent permitted by the CCPA, we will respond to no more than two requests during any 12-month period.

You may authorize a natural person or a business registered with the California Secretary of State to act on your behalf with respect to the rights under this CA Policy. When you submit a Request to Know or a Request to Delete, unless you have provided the authorized agent with a qualifying power of attorney, you must provide your authorized agent written permission (signed by you) to act on your behalf and verify the authorized agent’s identity with us. We reserve the right to deny requests from persons or businesses claiming to be authorized agents that do not submit sufficient proof of their authorization.

Do Not Track. “Do Not Track” is a privacy preference that you can set in your Internet search browser that sends a signal to a website that you do not want the website operator to track certain browsing information about you. However, because our website is not configured to detect Do Not Track signals from a user’s computer, we are unable to respond to Do Not Track requests.

Questions. If you have questions about this CA Policy, please contact us as described in the Policy.

EUROPEAN ECONOMIC AREA

Please review this section carefully if you are located in the European Economic Area (“EEA”). This section incorporates the general provisions of the Policy, where applicable. If any provision in the Policy is inconsistent with this EEA section (“EEA Policy”), the terms of this EEA Policy shall apply to the processing of Personal Data subject to this EEA Policy. Terms used in this EEA Policy shall have the meaning ascribed to them by the applicable data protection law, including the definition of Personal Data.

For purposes of applicable data protection laws, we are the data controller of the Personal Data we collect through this website to which this section applies. As data controller, we process your Personal Data in accordance with this EEA Policy. If you have any questions, you may contact us at legal@quincetx.com.

We make every attempt to process your Personal Data in accordance with applicable law. In addition to the information provided above, individuals located in the European Economic Area should be aware of the following:

Rights. You may have certain additional rights, subject to limitations, regarding the processing of your Personal Data. These may include the right to:

  • Access or request a copy of your Personal Data
  • Correct any inaccuracies relating to your Personal Data
  • Restrict the processing of your Personal Data
  • Object to the processing of your Personal Data, including where the data is used for marketing purposes
  • Request the erasure of your Personal Data
  • Receive your Personal Data in a commonly used machine-readable format and have that data transmitted to a data controller of your choosing.
  • Withdraw your consent to the processing of your Personal Data
  • Right not to be subject to automated decisions where the decision produces a legal effect or similarly significant effect
  • Lodge a complaint with the appropriate authority in your jurisdiction.

To exercise any of these rights, please contact us at legal@quincetx.com.

Legal Basis for processing. The following chart identifies the legal basis for processing Personal Data we collect from you. We may process your Personal Data for a variety of purposes as outlined in this EEA Policy. In general, we will process your personal data based on your consent, our legitimate interests, for performance of a contract with you or to meet legal obligations.

  • Purpose for processing: To register your interest in our Services
    • Data elements: Identity data; Contact data; Profile data; Usage data
    • Legal basis for processing: Performance of a contract with you; Legitimate interests; Consent
  • Purpose for processing: To manage our relationship with you which will include notifying you about changes to our Terms or Privacy Policy
    • Data elements: Identity data; Contact data; Services data; Technical data; Marketing and Communications data
    • Legal basis for processing: Performance of a contract with you; Necessary to comply with a legal obligation; Necessary for our legitimate interests (to keep our records updated and to study how customers use our Services); Consent
  • Purpose for processing: To administer and protect our business, the Services and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)
    • Data elements: Identity data; Contact data; Profile data; Usage data; Technical data; Marketing and Communications data
    • Legal basis for processing: Necessary to comply with a legal obligation; Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security); Consent
  • Purpose for processing: To deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you
    • Data elements: Identity data; Contact data; Services data; Profile data; Usage data; Technical data; Marketing and Communications data
    • Legal basis for processing: Performance of a contract with you; Necessary to comply with a legal obligation; Necessary for our legitimate interests (to study how customers use our Services, to develop and maintain our Services, to grow our business); Consent
  • Purpose for processing: To use data analytics to improve our Services, marketing, relationships and experiences
    • Data elements: Identity data; Contact data; Services data; Professional data; Profile data; Usage data; Technical data; Marketing and Communications data
    • Legal basis for processing: Performance of a contract with you; Necessary for our legitimate interests (to study how customers use our Services, to develop and maintain our Services, to grow our business); Consent
  • Purpose for processing: To make suggestions and recommendations to you about Services that may be of interest to you
    • Data elements: Identity data; Contact data; Services data; Profile data; Usage data; Technical data; Marketing and Communications data
    • Legal basis for processing: Performance of a contract with you; Necessary for our legitimate interests (to study how customers use our Services, to develop and maintain our Services, to grow our business); Consent

We will only process your personal data for the purpose for which we collected it and for further purposes only if we deem them compatible with that original purpose.

You may obtain information regarding how we assess our legitimate interests or opt out of our processing your Personal Data where our legitimate interests are not outweighed by your privacy rights by contacting us at legal@quincetx.com.

Retention. We retain your personal data only for the period of time needed to fulfill the purposes stated in this Policy, comply with applicable laws, and for our legitimate business needs.

Transfers. When we share your personal data within our company or with our subsidiaries, we may transfer your data out of the EEA. We will make such transfers to ensure a similar degree of protection is afforded to it by following safeguards as required under applicable law and, where applicable, appropriate contractual clauses. To obtain additional information on how we transfer your personal data, please contact us at legal@quincetx.com. In the event we transfer your personal data to third parties we have engaged to process your data, and those parties are outside of the EEA, we will ensure appropriate contractual clauses are in effect with such third parties.

These rights may not apply for individuals residing outside of the EEA.