Privacy Policy
March, 2026
INTRODUCTION
ORIC Pharmaceuticals, Inc. (hereinafter “ORIC”, “we”, “our”, and/or “us”) values the privacy of individuals who use our website (“Site”). This privacy policy (“Privacy Policy”) explains how we collect, use, and disclose personal information from users of our Site. By using our Site, you agree to the collection, use, disclosure, and procedures this Privacy Policy describes. Beyond the Privacy Policy, your use of our Site is also subject to our Terms of Use.
ORIC, as the Controller of the personal data, has committed to comply with:
- The General Data Protection Regulation N°EU 2016/679 (hereinafter, the “GDPR”);
- The General Data Protection Regulation as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (hereinafter the “UK GDPR”) and the UK Data Protection Act 2018 (amended 2020) (hereinafter the “Data Protection Act”);
- The California Consumer Privacy Act 2018 (hereinafter the “CCPA”), The California Consumer Privacy Rights Act 2020 (hereinafter “CPRA”), The Californian Online Privacy Protection Act 2003 (hereinafter the “CalOPPA”);
- And all EU applicable laws and regulations regarding data protection.
Collectively referred to as “Data Protection Laws”.
GENERAL WARNING AND USE OF SOCIAL MEDIA
Access to the Website implies the User’s full and unreserved acceptance of this Privacy Policy, as well as its general terms of use and the Cookies Notice. The User acknowledges having read the information below.
This Privacy Policy is valid for all pages hosted on the Website. It is not valid for the pages hosted by third parties to which ORIC may refer and whose privacy notices may differ. ORIC cannot therefore be held responsible for any data processed on these websites or by them. This Privacy Policy also applies to any other website that ORIC may operate, including our company pages on LinkedIn and any other social media platform.
Please note that for the use of social media, ORIC will be Joint-Controller with LinkedIn and any other social media platform on which ORIC maintains a company page only for the following activities: accessing and processing statistical aggregate data provided by the applicable social media platform. For any other processing on the platform, the applicable social media platform shall be considered as the sole Data Controller.
Facebook, including Instagram, and LinkedIn have created an “addendum” to their user agreements for company pages for the processing for which they are Joint-Controllers with us. Such agreement is not currently provided by Twitter, YouTube, Flickr or Vimeo.
WHY, HOW AND FOR HOW LONG DO WE COLLECT YOUR PERSONAL DATA?
Depending on the purpose for which we process your personal data, we need to process different types of personal data. We will keep your data for no longer than necessary to fulfill the purposes for which we collected it, including any legal requirements.
Depending on each case, the processing will therefore be as follows:
| Purposes | Types of personal data | Legal basis | Retention period |
|---|---|---|---|
| To answer your queries either by email or through the contact form | Name, email address. Please note that other Personal Data may be processed by ORIC depending on your request and the information you provide us. | This processing is based on our legitimate interest in answering the requests or queries raised by you through the existing different contact channels. We understand that the processing of these data is also beneficial to you to the extent that it enables us to assist you adequately and answer to the queries raised. | We will process your data for the time necessary to meet your request. |
| To send you newsletters | Name, email address | This processing is based on your consent. Please, remember that you may unsubscribe from the Newsletter at any time without any cost. | We will process your data until you unsubscribe to the Newsletter. |
| For job application | Name, email, address, CV, background, education and employment experience | This processing is then based on our legitimate interest for the purpose of our recruitment process in order to administer and appraise job applications. We understand that the processing of these data is also beneficial to you to the extent that it enables you to get a job by providing a spontaneous application or answering to an offer. | We will process your data for the time necessary to manage your application. |
| To organize your participation in one of our events | Name, email address, financial details | This processing is based on our contractual obligations | We will process your data related to your subscription and payment for the time necessary for the organization of your participation to one of our events. |
YOUR CHOICES
Marketing Communications. You can unsubscribe from our promotional emails via the link provided in the emails. Even if you opt-out of receiving promotional messages from us, you will continue to receive administrative messages from us.
Do Not Track. There is no accepted standard on how to respond to Do Not Track signals, and we do not respond to such signals.
THIRD PARTIES
Our Site may contain links to other websites, products, or services that we do not own or operate. We are not responsible for the privacy practices of these third parties. Please be aware that this Privacy Policy does not apply to your activities on these third-party services or any information you disclose to these third parties. We encourage you to read their privacy policies before providing any information to them.
SECURITY
ORIC treats your personal data in a confidential manner and provides for a sufficient and adequate level of protection of your personal data.
Your personal data are contained behind secured networks and are only accessible by a limited number of persons who have special access rights to such systems and are required to keep the information confidential.
YOUR RIGHTS
According to the GDPR and UK GDPR, you have the following rights, subject to limitations as set forth by applicable data protection law:
- Access. You have the right to obtain confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, information related to the processing of data and a copy of the data being processed.
- Rectification. You have the right to require rectification of inaccurate or incomplete data about you.
- Right to be forgotten. To obtain the deletion of your personal data under certain specified circumstances.
- Restrict processing. You have the right to restrict processing of data under certain specified circumstances.
- Data portability. You have the right to request the receipt, or the transfer to another organization, of your personal data in a machine-readable form.
- Object to processing. You have the right to object, on grounds relating to your particular situation, at any time to the processing of your data.
- Right to withdraw consent. When you have given your explicit consent for the processing of your data, you can withdraw it at any time without any cost or justification.
Under CCPA/CPRA provisions: please note that you have several rights that are further described in the Annex A.
Please note that all these rights are not absolute and will be assessed on a case-by-case basis by our Data Protection Officer (“DPO”).
If you would like to exercise your rights, please let us know by contacting our DPO, oricpharma.dpo@mydata-trust.info.
You also have the right to lodge a complaint if you consider that your personal data is not processed in accordance with the GDPR, the UK GDPR and the CCPA/CPRA.
If you are an EEA resident: You have the right to lodge a complaint with the Supervisory Authority in the Member State of the European Union of your habitual residence, place of work or place of the alleged infringement.
If you are a UK resident: You may file a complaint with the Information Commissioner’s Office (“ICO”), the Supervisory Authority of the UK, following the instructions available in the service channels.
If you are a Californian resident: you can file a complaint with the California Privacy Protection Agency and, where appropriate, the California Attorney General’s office.
Please find the contact information of all Authorities in the section “Contact Information”.
CHILDREN’S PRIVACY
We do not knowingly collect, maintain, or use personal information from children under 16 years of age, and no part of our Site is directed to children. If you learn that a child has provided us with personal information in violation of this Privacy Policy, then you may alert us at info@oricpharma.com.
INTERNATIONAL VISITORS AND DATA SHARING
We do not sell or trade your personal data to outside parties.
Nevertheless, ORIC has contracted with the following Services Providers to manage the Website that may have access to your personal data:
- Notified for the management of ORIC’s investor relations webpage.
- Smartrecruiters for employment inquiries.
Sharing your personal data as explained above may involve a transfer of personal data to a country outside the European Economic Area (EEA) and the UK. ORIC is therefore committed to complying with the transfer rules under applicable Data Protection Laws and will therefore:
- Transfer your data to countries, where the data recipient is located, that have been recognized as adequate by the European Commission or by the UK Secretary of State; or
- Where a country has not received an adequacy decision from the European Commission or the UK Secretary of State, implement appropriate safeguards, such as the EU Standard Contractual Clauses (“SCCs”) (and the UK addendum), and/or the International Data Transfer Agreement (“IDTA”).
You can contact our DPO (see contact details below) if you want more details about the mechanism supporting data transfer.
QUESTIONS ABOUT OUR PRIVACY PRACTICES
If you have questions about your privacy on our Site or this Privacy Policy, please contact us at info@oricpharma.com.
CHANGES TO THIS PRIVACY POLICY
We will post any changes to the Privacy Policy on this page, and the revised version will be effective when it is posted. If we materially change the ways in which we collect, use, or disclose personal information previously collected from you through our Site, we will attempt to notify you through our Site, by email, or other means where appropriate.
CONTACT INFORMATION
If you have any questions, comments, or concerns about our processing activities, please email us at info@oricpharma.com or write to us at:
240 E. Grand Ave
2nd Floor
South San Francisco, CA 94080.
EU Data Protection Representative
Rue de Rennes, 140b, 75006 Paris (France)
oricpharma.dpr.eu@mydata-trust.info
UK Data Protection Representative
Uxbridge, England, UB8 (United Kingdom)
oricpharma.dpr.uk@mydata-trust.info
Data Protection Officer
oricpharma.dpo@mydata-trust.info
For other EU Data Protection Authorities
European Data Protection Board – Members
For UK Supervisory Authority (“ICO”)
Tel: +55 (0)3 03 12 31 11 3
Website: ICO – Your right to complain
For California Offices
Data Protection Agency: info@cppa.ca.gov
Attorney General Website: California Attorney General – Contact
ANNEX A: additional information for California residents
Depending on your residency, you may be entitled to certain additional information and certain rights. In the United States, these rights vary by state.
If you are a Californian resident, additional information should be provided as follows:
Do Not Track (“DNT”) requests. DNT is an optional browser setting that allows you to express your preferences regarding tracking by advertisers or other third parties. Some web browsers may allow you to transmit a “Do Not Track” signal to online services and websites. If a website receives such signal, the web browser can block that website from collecting certain Personal Information about you. We will try our best to respond to global privacy controls, including DNT signals. However, we do not assume liability for failure to comply with DNT signal by our partners and / or providers.
Children’s Online Data. It is not our intention to collect personal information from children under the age of 13 through our Website. If you are under 13, please do not give us any personal information through our Website. We encourage parents and legal guardians to monitor their children’s internet usage and to help enforce our Notice by instructing their children never to provide us personal information. If you have reason to believe that a child under age 13 has provided personal information to us through our Website, please contact us and we will endeavor to delete that personal information from our records, unless other applicable law requires us to retain that information.
If you are a California resident, you have the following rights with respect to your Personal Information:
“Shine the Light” and “Eraser” Laws. You may request a list of all third parties to which we have disclosed certain information for those third parties’ direct marketing purposes.
The right to know. You may have the right to request that we disclose to you the personal information we have collected or sold about you and how it is used and shared. Here is the information you may have access to:
- the categories of personal information collected;
- the categories of sensitive personal information collected;
- the categories of sources from which the personal information or sensitive personal information is collected;
- the business purpose for such collection, sharing, or selling;
- the categories of third parties to whom personal information or sensitive personal information is disclosed;
- the specific pieces of personal information collected; and
- the length of time that the business intends to retain each category of personal information and sensitive personal information.
The right to access. You may have the right to access personal information which we may collect or retain about you free of charge (for which we have 45 days to respond). If requested, we shall provide you with a copy of your personal information which we collect. You also have the right to receive your personal information in a structured and commonly used format so that it can be transferred to another entity (“data portability”).
The right to opt-out of the sharing of my personal information. You have the right to opt-out from the sharing of your personal information, which means that any third party who has received your personal information as part of their ‘share’ may only further share that personal information if you have provided “explicit notice” and the opportunity to opt-out of that subsequent share. This right can be exercised by clicking the link HERE and cannot be re-solicited before a period of 12 months for additional purposes.
The right to limit use of sensitive personal information. You have the right to direct us to limit the use of your sensitive personal information to what’s necessary or reasonably expected to perform the service or provide the goods. This right can be exercised by contacting legal@oricpharma.com.
The right to correct inaccurate personal information. You have the right to require rectification of inaccurate personal information about you. Upon verifying the validity of a verifiable consumer correction request, we will use commercially reasonable efforts to correct your personal information as directed within 45 days (with the possibility to extend the period once), taking into account the nature of the personal information and the purposes of maintaining your personal information.
The right to request deletion of personal information. You have the right to request the deletion of your personal information collected, or maintained by us, subject to certain exceptions permitted by law.
In the event of a request for deletion, we will acknowledge receipt of your request within ten (10) business days and will endeavor to respond substantially within forty-five (45) days.
The right to not be subject to discrimination (“right to equal service and price”). You have the right not to be denied goods or services, charged different prices or rates for goods or services, or provided a different level or quality of goods or services.