This “Privacy Policy” describes the privacy practices of Crinetics Pharmaceuticals, Inc. and our affiliates (collectively, “Crinetics”, “we”, “us”, or “our”) in how we collect, use, disclose, and otherwise process your Personal Information, and explains the rights and choices available to you with respect to your information.

In some cases, Crinetics may provide additional privacy notices to you at the time we collect your data. For example, we may provide a specific privacy notice that describes our privacy practices prior to your submissison of your data on our website. This type of “in-time” notice will govern how we may process the information you provide to us at that time, and such notice will prevail in the event of discrepancies between this Privacy Policy and the notice. This Privacy Policy does not apply when you have been notified that an alternative notice applies or where we process your personal data on behalf of your medical institution or healthcare professional in connection with your medical treatment. Your medical institution and/or healthcare professional is solely responsible for the processing of your personal data for the provision of your medical treatment and care.

This document can be printed for reference by using the print command in the settings of any browser.

BY PROVIDING YOUR PERSONAL INFORMATION TO CRINETICS OR USING OUR WEBSITES OR ONLINE APPLICATIONS, YOU ACKNOWLEDGE THAT YOU HAVE READ THIS PRIVACY NOTICE AND UNDERSTAND OUR COLLECTION, USE AND DISCLOSURE OF THAT PERSONAL INFORMATION FOR THE PURPOSE(S) SPECIFIED IN THIS PRIVACY POLICY.

DATA CONTROLLER

Crinetics Pharmaceuticals, Inc. is the Data Controller of your Personal Information.  Our contact details are below:

6055 Lusk Blvd, San Diego, CA 92121

Owner contact email[email protected]

Whose Personal Information we collect

We collect Personal Information about the following types of individuals:

  • clinical trial participants
  • patients and patient family members, caregivers or advocates
  • physicians, pharmacists, and other health care professionals
  • clinical trial investigators
  • researchers, contractors and consultants
  • job candidates
  • other individuals who interact directly with Crinetics or its service providers or business partners, including users of our websites and mobile applications

How we collect Personal Information

We collect Personal Information:

  • Directly from you or your authorized representative
  • Through our digital assets, including websites and mobile apps, including through Cookies and other Trackers as defined below
  • From healthcare professionals
  • From contract research organizations and clinical trial investigators
  • From government agencies or public records
  • From third party service providers, data brokers, or business partners
  • From industry and patient groups and associations 

Types of Personal Information we collect

The types of Personal Information we collect, and share depend on the nature of the relationship you have with Crinetics, the purpose for which data is collected, and the requirements of applicable laws.

For clinical trial participants, we may collect:

  • Health and medical information (such as medical insurance details, information about physical and mental health conditions and diagnoses, treatments for medical conditions, genetic information, family medical history, and medications an individual may take, including the dosage, timing, and frequency) in connection with managing clinical trials, conducting research, providing patient support programs, managing compassionate use and expanded access programs, and tracking adverse event reports.
  • Biographical and demographic information (such as age, gender, marital status, and information regarding any parents or legal guardians).
  • Publicly available information (such as comments describing support for and experience with Crinetics products) without linking directly to the individual.

For visitors to our website and other individuals, we may collect:

  • Personal and business contact information and preferences (such as name, job title and employer name, email address, mailing address, phone number, and emergency contact information).
  • Biographical and demographic information (such as date of birth, age, gender, marital status, and information regarding any parents or legal guardians).
  • Professional credentials, educational and professional history, institutional affiliations, information from background checks and other data which may be included on a resume or a curriculum vitae,
  • Transaction data, such as electronic signatures, payment-related information we need to pay for professional services, such as consulting, that individuals may provide to us (such as tax identification number and financial account information).
  • If you are a healthcare professional, we may collect information related to your practice, license information and information about the programs and activities in which you have participated and the agreements you have executed with us.
  • Other information you provide to us, such as through your interactions with our digital assets such as websites, in emails, on phone calls, in market research surveys, or in other correspondence with Crinetics or its service providers or business partners.
  • Publicly available information, such as your photograph, social media handle, information related to the organization for which you work.

If you are uncertain about which Personal Information is required for you to provide to us is mandatory in order for us to provide you with our Services, please contact us using the contact details below.

HOW WE PROCESS PERSONAL INFORMATION

SAFEGUARDS FOR PROCESSING

We put appropriate organizational, logical, and physical security measures in place to ensure a level of security commensurate with the risk to your rights and freedoms. This includes measures to prevent unauthorized access, disclosure, modification, or unauthorized destruction of your data.

In addition to our access, in some cases, the Personal Information may be accessible to individuals involved with the operation of this Website or external parties (such as technical service providers, mail carriers, hosting providers, IT companies, communications agencies, etc.) appointed by us, if necessary, as Data Processors.  We carefully choose who we work with, and require they have adequate security measures in place to protect your Personal Information. You may request the updated list of these parties from us at any time.

HOW WE USE PERSONAL INFORMATION

We may use Personal information for the following purposes, including:

  • Communicating with you about our products, pipeline and service offerings which may be made available to you from time to time, as well as responding to inquiries about our products and services.
  • Improving our business operations, including monitoring and analyzing user engagement with our digital assets (such as websites and mobile applications) and other services that we may offer to you.
  • Tracking safety and product quality concerns.
  • Complying with regulatory monitoring and reporting obligations such as adverse events, product complaints and patient safety, as well legal obligations related to enforcement requests.
  • Supporting, facilitating, and arranging travel and other logistics for public health initiatives, conferences and educational events.
  • Managing patient engagement activities and patient support programs.
  • Engaging with healthcare professionals.
  • Protecting against and responding to fraudulent or illegal activities, including but not limited to hacking or misuse of online applications

  LEGAL BASIS OF PROCESSING

Certain privacy laws require us to establish a legal justification on which we rely to process Personal Information.  We may process Personal Information relating to you if one of the following applies:

  • You have provided consent for one or more specific processing purposes;
  • The processing provision of information is necessary for the performance of an agreement with you and/or pre-contractual obligations relating to such an agreement;
  • The processing is necessary for compliance with a legal obligation to which we are subject;

The processing is related to a task that we carry out in the public interest or in the exercise of  official authority;

  • The processing is necessary for the purposes of our legitimate interests or those of a third party.

If you share anyone else’s personal data on our digital assets, including our website, you confirm that You have the third party’s consent to provide their Data to the Owner.

Unless specified otherwise, all Personal Information collected by this website is required by Crinetics to provide its Services.  If you do not provide certain information, it may make it impossible for us to provide certain Services that are applicable to You.

Use for New Purposes

  • We may use your Personal Information for reasons not described in this Privacy Policy where permitted by law and where such reason is otherwise compatible with the purpose for which we collected your Personal Information. If we need to use your Personal Information for an unrelated purpose, we will notify you and explain the applicable legal basis for that purpose and, where applicable request your consent.

CATEGORIES OF RECIPIENTS OF YOUR PERSONAL INFORMATION

Your personal information is shared with teams and individuals within our company and its affiliates as described in the Data Controller section, who require access to it to perform their job duties.

We may also share your information with service providers and other entities for the purposes described in the “How We Use Personal Information” section. These may include, without limitation:

  • Service providers
  • Advertising and marketing companies
  • Recruiting agencies
  • Regulatory and judicial bodies, and law enforcement authorities
  • Business partners

In all cases, we share your personal information on a need-to-know basis and to the extent necessary to achieve a specific, legitimate purpose.

 PLACE OF PROCESSING

Personal Information is processed at our operating offices listed in  the “Data Controller” section and in any other places where the parties involved in the processing are located.

Depending on your location, your Personal Information may be transferred to a country other than where you live. If any such transfer takes place, Crinetics is committed to complying with transfer rules under applicable laws, including through the use of appropriate transfer mechanisms and the implementation of safeguards. You can find out more about the transfer by checking relevant sections of this Privacy Policy, the “in-time” notices where provided, or by contacting us using the information provided in the contact section.

For Swiss residents: your personal data is transferred to third countries listed below. The safeguards for the transfer of your personal data is described in the section titled “Methods of Processing.”

RETENTION TIME

Personal Information shall be processed and stored for as long as required for the purpose for which it was collected.

Therefore:

  • Personal Information collected for purposes related to the performance of a contract between Crinetics and you or providing you with updates on our products or services shall be retained until you no longer wish to receive updates on our products or services or such contract has been fully performed, and for such period thereafter as may be required in order that we can meet our legal obligations.
  • Personal Information collected for the purposes of our legitimate interests shall be retained for as long as needed to fulfill such purposes. You may find specific information regarding the legitimate interests pursued by us within the relevant sections of this document or by contacting us.

We may retain Personal Information for a longer period whenever you have given consent to such processing and as long as such consent is not withdrawn. We may be obliged to retain your Personal Information for a longer period, however, to comply with applicable laws, for the performance of a legal obligation upon order of an authority, or any other legal, ethical and regulatory requirements which may impact our retention period.

SERVICE PROVIDERS USED FOR THE WEBSITE PROCESSING OF PERSONAL DATA

Personal Information is collected for the following purposes and using the following services:

  1. ANALYTICS

The services contained in this section enable us to monitor and analyze web traffic and can be used to keep track of User behavior.

Google Analytics (Google LLC)

Google Analytics is a web analysis service provided by Google LLC (“Google”). Google utilizes the data collected to track and examine the use of this Website, to prepare reports on its activities and share them with other Google services.

If you consent to the use of trackers related to this service, Google may use the data collected to contextualize and personalize the ads of its own advertising network. In this case, Google is solely responsible for the use of your data, as explained at: www.google.com/analytics/terms/us.html.

Personal Information processed: Cookies; Usage Data as defined below.

  1. CONTACTING YOU

Contact form (this Website)

By providing your Personal Information on our website you authorize us to use your details to reply to requests for information, provide you with useful updates or any other kind of request as indicated by the form’s header.

Personal Information processed: Contact information, including email address, first name, last name and phone number; profession; information you directly provide as text input.

Mailing list or newsletter (this Website)

By registering on the mailing list or for the newsletter, your email address will be added to the contact list of those who may receive email messages containing information of commercial or promotional nature concerning this Website. Your email address might also be added to this list as a result of signing up to receive service offerings through this Website, providing information through website forms, or after making a purchase.

Personal Information processed: Contact information including: email address, first name last name, and relationship to Crinetics (e.g. patient, caregiver, healthcare professional, investor, etc.).

  1. DISPLAYING CONTENT FROM EXTERNAL PLATFORMS

This type of service allows you to view content hosted on external platforms directly from the pages of this Website and interact with them.

This type of service might still collect web traffic data for the pages where the service is installed, even when Users do not use it.

Google Fonts (Google LLC)

Google Fonts is a typeface visualization service provided by Google LLC that allows this Website to incorporate content of this kind on its pages.

Personal Information processed: Usage data and; various types of data specified in our privacy policy in connection with our Services.

YOUR RIGHTS

Depending on your geographical location, place of residence, and applicable privacy laws, you may be able to exercise certain rights with regard to the information we process about You.

In particular, you may have the right to do the following:

  • Withdraw consent at any time. You have the right to withdraw consent where you have previously given consent to the processing of your Personal Information.
  • Object to processing of your Data. You have the right to object to the processing of your Personal Information if the processing is carried out on a legal basis other than consent. Further details are provided in the dedicated section below.
  • Opt out to new purposes for processing your data, where the processing is based on consent.
  • Access Data. You have the right to learn if we are processing Personal Information and request a copy of the Personal Information that we are processing.
  • Verify and seek rectification. You have the right to verify the accuracy of your Personal Information and ask for it to be updated or corrected.
  • Restrict the processing of their Personal Information. You have the right, under certain circumstances, to restrict the processing of your Personal Information. In this case, we will not process your Personal Information for any purpose other than storing it, unless otherwise required by applicable law.
  • Request Personal Information be deleted or otherwise removed. You have the right, under certain circumstances, to request that we erase your Personal Information.
  • Receive Personal Information and have it transferred to another controller. You have the right to receive your Personal Information in a structured, commonly used and machine- readable format and, if technically feasible, to have it transmitted to another controller. This provision is applicable provided that the Personal Information is processed by automated means and that the processing is based on your consent, on a contract to which you are a party or have pre-contractual obligations thereof.
  • Lodge a complaint. You have the right to bring a claim before a competent data protection authority in your region, as may be applicable.
  • Nondiscrimnation. You have the right to not be treated in a discriminatory manner for exercising the above rights with regard to your Personal Information.

Please note that all these rights are not absolute and will be assessed on a case-by-case basis.

DETAILS ABOUT THE RIGHT TO OBJECT TO PROCESSING

Where Personal Information is processed for a public interest, in the exercise of an official authority vested in us or for the purposes of the legitimate interests pursued by us, you may object to such processing by providing grounds related to your particular circumstances to justify your objection.

You may object to your Personal Information being processed for direct marketing purposes at any time without providing any justification.

HOW TO EXERCISE THESE RIGHTS

You should direct any requests to exercise the above rights by contacting us using the contact details provided in this document. Please note that depending on your location of residence, you may be asked to provide additional Personal Information as required by law to verify your identity. These requests can be exercised free of charge, and we will address them as early as possible and within the required timelines of applicable laws.

CHILDREN

We comply with the requirements of the US Children’s Online Privacy Protection Act (COPPA) and do not knowingly collect Personal Information from children under age 13 through our Websites or mobile applications. If we learn that we have collected Personal Information directly from a child under the age of 13 through our websites or mobile applications, we will delete that information.

CALIFORNIA RESIDENTS

The following disclosures are made in compliance with the California Consumer Privacy Act (CCPA), as amended.

In the past 12 months, Crinetics has collected the Personal Information described above, under the section “Types of Personal Information we Collect” from the sources listed under the section “How we collect Personal Information”.  This information falls into the following categories of Personal Information under the CCPA:

  • Identifiers,
  • Categories of Personal Information described in section 1798.80(e) of the California civil code,
  • Characteristics of protected classifications under California or federal law,
  • Commercial information,
  • Internet or electronic network activity information,
  • Professional or employment-related information,
  • Commercial information, and
  • Education information.

Crinetics does not sell Personal Information.

The Personal Information that Crinetics has disclosed to third parties in the past 12 months is described above, under the section “Safeguards for processing”, and includes data from the following categories of Personal Information under the CCPA:

  • Identifiers,
  • Categories of Personal Information described in section 1798.80(e) of the California civil code,
  • Characteristics of protected classifications under California or federal law,
  • Commercial information,
  • Internet or electronic network activity information,
  • Professional or employment-related information,
  • Commercial information, and
  • Education information.

 COOKIE POLICY

 Do Not Track Signals

Your browser settings may also allow you to transmit a “Do Not Track” signal when you visit various websites. Like many websites, our Services are not designed to respond to “Do Not Track” signals received from browsers. To learn more about “Do Not Track” signals, you can visit http://www.allaboutdnt.com/.

 Cookies and Other Similar Technologies

We use cookies and similar technologies (such as web beacons, tags, scripts and device identifiers) to collect and store analytics and other information when you use our Website. The cookies we use include both first party and third-party cookies.

Cookies, or similar technologies, may provide us the following information:

  • The type of web browser software you use
  • The name of the domain from which you access the Internet (including client and server IP addresses, usernames, ports, queries, or other status-related information)
  • The Internet address of the website from which you linked directly to our Website
  • The date and time you access our Website
  • Which pages you have visited on our Website

In most cases we will not be able to identify you directly from the information we collect using these technologies. To prevent the potential for such identification, you may choose to disable cookies through your browser. However, if you do so, you may be unable to access or utilize certain parts of our website, or your experience may be altered.

The following types of cookies may be used on our Website:

 Strictly Necessary Cookies: These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.

 Performance Cookies: These cookies allow us to analyze, measure and improve the performance of our websites. They help us understand which pages are the most and least popular and see how visitors move around the site. If you do not allow these cookies we will not know when you have visited our site and will not be able to monitor its performance.

Functional Cookies: These cookies enable the website to provide enhanced functionality and personalisation. They may be set by us or by third party providers whose services we have added to our pages. If you do not allow these cookies then some or all of these services may not function properly.

 Targeting Cookies: These cookies may be set through our site by our advertising partners to build a profile of your interests and show you ads they believe would be relevant to you on other sites. We may also use information collected about you to provide you with relevant information on our products and services, and to analyze our advertising performance. By accepting these cookies, you allow us to customize the information we send to you based on your interests, which may enhance your interactions with us.

 Social Media Cookies: These cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

LEGAL ACTION

We may use Personal Information for Court proceedings or in pre-proceedings arising from improper use of this Website or the related Services.  We may also disclose Personal Information upon request of public authorities.

INFORMATION NOT CONTAINED IN THIS POLICY

If you have any questions about the collection or processing of your Personal Information or our processing activities, you may contact us at any time. Please see the contact information at the beginning of this document.

HOW “DO NOT TRACK” REQUESTS ARE HANDLED

With regard to how third-parties we engage with track “Do Not Track” requests, please review their privacy policies.

LINKS AND THIRD-PARTY WEBSITES

For your convenience and information, we may provide links to websites and other third-party content that is not owned or operated by us. These links are not an endorsement, authorization, or representation that we are affiliated with that third party. We do not exercise control over third-party websites or services and are not responsible for their actions. Other websites and services follow different rules regarding the use or disclosure of the personal information you submit to them. We encourage you to read the privacy policies of the other websites you visit and services you use.

CHANGES TO THIS PRIVACY POLICY

We reserve the right to make changes to this privacy policy at any time by notifying you on this page and/or sending you a notice. It is strongly recommended to check this page often, referring to the date of the last modification listed at the bottom.

Should the changes affect processing activities performed where we rely on your consent, we will collect new consent from you, as required.

DEFINITIONS AND LEGAL REFERENCES

Personal Information

Any information that directly, indirectly, or in connection with other information — including a personal identification number — allows for the identification or identifiability of a natural person, as defined by applicable privacy laws.

Usage Data

Information collected automatically through this Website (or third-party services employed in this Website), which can include: the IP addresses or domain names of the computers you utilize, the URI addresses (Uniform Resource Identifier), the time of the request, the method utilized to submit the request to the server, the size of the file received in response, the numerical code indicating the status of the server’s answer (successful outcome, error, etc.), the country of origin, the features of the browser and the operating system you utilize, the various time details per visit (e.g., the time spent on each page within the Application) and the details about the path followed within the Application with special reference to the sequence of pages visited, and other parameters about the device operating system and/or the User’s IT environment.

Data Processor

The natural or legal person, public authority, agency or other body which processes Personal Information on behalf of the Controller, as described in this privacy policy and defined by applicable laws.

Data Controller (or Owner)

The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Information, as defined by applicable laws, including the security measures concerning the operation and use of this Website. The Data Controller, unless otherwise specified, is the Owner of this Website.

This Website (or this Application)

The means by which your Personal Information is collected and processed, when you visit our website, provide information through our website or sign up to receive updates from Crinetics.

Service

The service provided by this Website as described in the relative terms (if available) and on this site/application.

Cookie

Cookies are Trackers consisting of small text files stored in your browser.

Tracker

Tracker indicates any technology – e.g. Cookies, unique identifiers, web beacons, embedded scripts, e-tags and fingerprinting – that enables us to track you, for example by accessing or storing information on your device.

Legal information

This privacy policy adheres to the requirements of the provisions of privacy laws that are applicable to us.

Latest update: June, 2025