Privacy Policy

Introduction

MIRATI THERAPEUTICS, INC. (“we”, “us”, “our”, “Mirati”, and “organization”) is committed to and

recognizes the importance of respecting and protecting your privacy. This Privacy Policy applies to

our collection and use of personal information through our websites or mobile applications

(together, the “Site”) and through our oline business-related interactions with you. We encourage

you to carefully read this Privacy Policy and click on the available links below if you are interested in

additional information on a particular topic. Mirati wants you understand how and why we process

personal information. After review, if you do not agree with our use of your personal information as

described in this Privacy Policy, please do not use the Site or otherwise provide personal

information to us.

The protection of your personal information is a commitment we take seriously. We evaluate our

privacy policies and procedures to implement enhancements and improvements on a consistent

basis. In the event we do make signicant alterations to this Privacy Policy, we will place a notice

prominently on this Site before the changes become eective. This Privacy Policy is incorporated

into and made a part of Mirati’s Terms of Use.

Below is a list of topics related to privacy and the collection of personal information. Please review

each item and if interested, click on a topic.

How does Mirati obtain your Personal Information?

Mirati collects Personal Information from numerous sources, including:

• Directly from you, your references or other sources provided by you. For example, when you

enquire about our targeted oncology therapeutics, contact us via the Site, apply for

employment, ask to be a clinical study participant or a principal investigator in one of our

clinical studies, or in any way engage with us or our personnel;

• Cookies and automated technologies, such as when you interact with our website;

• Third party vendors, which may include those vendors, suppliers, contractors or business

partners that provide services for us (e.g. market research vendors or adverse event

reporting);

• Government oicials or entities; and

• Publicly available sources.

What type of Personal Information does Mirati collect?

“Personal Information” is dened as any information that relates to you directly or indirectly, by

reference to an identier, location, or factors specic to physical, physiological, genetic, economic,

cultural or social identity. Mirati may collect and process the following Personal Information about

you:

• Contact information, such as your name, email address, phone number, address, company

ailiation, or job title;

• Access information, such as your log-in username and password details;

• Online and technical identiers, such as your IP (Internet Protocol) address and cookies;

• Professional credentials, such as curriculum vitae/resume, work history, qualications or

any other type of information that may be included on a resume or curriculum vitae;

• Demographic and health data information;

• Communication and correspondence information, such as the content of communications

you send us to report a problem or to submit a query, or your response to a survey;

• Financial and government identifying numbers, such as U.S. social security numbers for

payment processing purposes in the U.S.;

• Identication information, including biographical and contact data;

• Banking information collected for payment processing purposes;

• Health data collected for the conduct of clinical studies;

• Your unique patient identier which is assigned to you in the event you participate in one of

our clinical studies;

• Genetic data;

• Biometric data, which is data relating to physical or biological characteristics; and

• Any other information that you or an authorized party provides to us that can be used to

identify you.

How will Mirati share your Personal Information?

Mirati will share your Personal Information within our organization, at your direction, as disclosed to

you at the time of collection, or in the following circumstances:

• Services by Third Party Providers: We may provide your Personal Information to our service

providers that help us run and manage our organization and process Personal Information

solely on our behalf. The categories of service providers may include delivery services,

nancial institutions, clinical research organizations, central laboratories, clinical database

companies, payroll and benet companies, and specialty pharmacies, among others.

• Corporate Transaction: In the event Mirati is involved in a merger, reorganization, acquisition

or sale of all or a portion of our assets, or other corporate transaction, we may disclose your

Personal Information as part of that transaction.

• Third Party Collaborators: We may share your Personal Information with other companies

with which we collaborate regarding your participation in a clinical study as follows:

• contract research organization services;

• safety and pharmacovigilance software and related services;

• data storage and archiving software and related services;

• data analytics and reporting software and services;

• services related to the collection, storage, testing, and transportation of biological material;

• software that randomly decides which treatment you will receive during the clinical study;

and

• electronic data capture software and hardware.

Some of these third party collaborators may be located outside of the United States, European

Union or the European Economic Area. In some cases, data protection authorities may not have

determined that those countries’ data protection laws provide a level of protection equivalent to

U.S. or European Union law. We will only transfer your Personal Information to third parties in these

countries when there are appropriate safeguards in place. These may include the European

Commission-approved standard contractual data protection clauses. To access these standard

contractual data protection clauses, please contact our Data Protection Oicer.

• As Required By Law: We may disclose your Personal Information if we determine that the

disclosure is necessary: (i) to comply with any law applicable to us, a request from law

enforcement, a regulatory agency, or other legal process; (ii) to protect the legitimate rights,

privacy, property, interests or safety of Mirati, our business partners, personnel, or the

general public; (iii) to pursue available remedies or limit damages; (iv) to enforce our Terms

of Use ; or (v) to respond to an emergency.

How do we use your Personal Information?

We may collect and use your Personal Information with your consent for the specic purpose

identied in the individual notice given at the point of collection or in order to manage or fulll our

contractual relationships. For example, in some circumstances, processing of your Personal

Information is necessary to full our or your (at your request) obligation in an employment or

service contract. In addition, we may need to collect and process your Personal Information to

comply with our legal obligations and/or fulll our legitimate interests.

We are committed to collecting and processing your Personal Information in a lawful and

transparent manner. For further details on the legal bases Mirati assigns for data collection and use,

please reference the below table.

Use of your Personal

Information

Categories of Personal

Information we Process

Source of the

Personal

Information

Legal Basis

Obtain your subscription

preferences and send

surveys, questionnaires,

event related materials,

or commercial

communications

Contact information and

other information you

provide, such as your

topic preferences and

areas of interest

You

Consent: To obtain

your subscription

preferences and send

you commercial

communications

Legitimate interests:

To provide you with

surveys,

questionnaires,

information you need

and services you

request

Respond to inquiries and

fulfill requests

Contact information and

other information you

You

Legitimate interests:

To provide you with

provide, such as your

requests

information you need

and other services you

request and to

efficiently

communicate with

you

Enter into or perform a

contract

Contact information and

other information you

provide

You

Contract: To conduct

our normal course of

business

Comply with applicable

laws, regulations, codes,

court order or other legal

obligations (e.g.,

pharmacovigilance

obligations, financial

disclosure requirements)

Contact information and

other information you

provide

You

Legal obligation: To

comply with

applicable legal

obligations

Fraud and security

monitoring

IP address

You and your

network

provider

Legitimate interests:

To protect your

information

and deliver event-related

materials

Contact information and

other information you

provide, such as your

preferences for the event

You

Legitimate interests:

To enable your

attendance at our

events and to deliver

you event materials

Contract: As may be

described in a written

agreement or on the

registration page for

the event

Perform website

analytics

Technical information

and other information we

collect, such as

demographics, behavior

tracking, and event

tracking

First and third-

party analytics

Consent: To

understand more

about our Site visitors

(what pages you view,

how long you visit,

your devices, etc.) in

order to improve our

services

Reviewing requests to

participate in clinical

studies and screening

eligibility for enrollment

Contact information,

clinical study participant

qualification information,

and other information

relevant to your eligibility

and qualifications to

participate in clinical

studies sponsored or

conducted by us.

You and your

healthcare

provider

Legitimate interest: To

ensure research

subjects are eligible

and appropriate for

the studies we

sponsor or conduct

Consent: For

collection of health

data to assess your

eligibility to

participate in clinical

studies

Your participation in a

clinical study

Identification

information, including

biographical and contact

data; health data; your

unique patient identifier

which is assigned to you

for the clinical study;

genetic data; and

biometric data, which is

data relating to physical

or biological

characteristics

You, your

healthcare

provider or a

third party we

engage to assist

in conducting

the clinical

study

Consent: Informed

consent form signed

prior to any study

related activities

Recruiting personnel for

employment

Contact information,

recruitment information,

and other information

relevant to potential

recruitment by Mirati

You, your

references,

your former

employers

Pre-contractual

Measures: To recruit

and evaluate potential

candidates to join

Mirati

Legal obligations: To

comply with

applicable legal

obligations, including

for employment law

purposes

Sharing for the provision

of information about our

targeted oncology

therapeutics

Contact information and

other information you

provide

You

Contract: To allow for

the secure transfer

and processing of

personal data

Management of the

Expanded Access

Program to

investigational

medicines prior to

regulatory approval

Contact information and

other information you

provide

You

Legitimate Interests:

to provide you with the

information you need

about applying for the

Expanded Access

Program

We may also aggregate or de-identify your Personal Information so that it can no longer be used to

identify you. This aggregated or de-identied information may be used for any purpose permitted by

law and is no longer subject to this Privacy Policy.

Technical Information and Do Not Track Policy

Our Site automatically collects certain information when you use our Site, such as your IP address,

browsing history (including without limitation search terms and clickstream data), device type,

operating system information and other usage information about your use of the Site. We collect

this information to analyze trends and statistics as well as for site administration purposes. We use

cookies and other similar technologies to manage and customize your experience through our Site.

If any of this information can be used to identify you because, for example, we link it to your

Personal Information, we will treat such information as Personal Information. You may choose to

decline cookies. You have the ability to delete cookie files from your hard drive at any time.

Some web browsers incorporate a “Do Not Track” (“DNT”) or similar feature that signals to

websites that a user does not want to have his or her online activity and behavior tracked. If a

website that responds to a particular DNT signal receives the DNT signal, the browser can block

that website from collecting certain information about the browser’s user. Mirati leverages third-

party analytics and market performance tools in the administration of its websites. As a result, we

have employed best practices and policies to respect browsers using the DNT signal. Mirati

respects this tag through applied policies in software developed for us as well as our use of tools to

help provide better services and messaging to clinical data subjects and healthcare professionals.

Mirati assumes no liability for policies of or failure to comply with the DNT signal by our partners or

vendors.

Please read our Cookies Policy for more information about our collection of your data through

cookies and other technical processes.

Retention of Personal Information

We will keep your Personal Information for as long as necessary to fulll the purposes for which we

collected it, including any legal, professional, accounting or reporting requirements. We will not

keep your data longer than what is authorized by the law. To determine the appropriate retention

period, we consider the amount, nature, and sensitivity of Personal Information, the potential risk

of harm from unauthorized use or disclosure of your Personal Information, the purposes for which

we process your Personal Information, whether we can achieve those purposes through other

means, and all applicable legal requirements. If you would like to know more about how long we

keep your Personal Information, you can contact our Data Protection Oicer using the information

listed below.

How can you access your Personal Information?

You may request access and modications to the Personal Information, other than information

described under Legal Requirements below, we maintain about you by contacting us using the

contact information below. We will respond to your inquiry within 30 days. If you wish to exercise

any of your rights (including the rights of individuals in the European Economic Area (“EEA”)

discussed below) or advise us of any changes to your Personal Information, please contact our

Data Protection Oicer using the contact information provided below. Under the European Union’s

General Data Protection Regulation (“GDPR”), a response to a Data Subject Access Request will be

provided free of charge, unless the request is deemed to be manifestly unfounded, excessive or

repetitive in character. We may charge you a reasonable fee if you request additional copies of your

Personal Information or make other requests that are manifestly unfounded or excessive. If we are

unable to honor your request, or before we charge a fee, we will let you know why.

Legal Requirements

In order to comply with applicable law, you understand that we may not be permitted to comply

with your request to amend or remove Personal Information that was provided to us by you or a

healthcare provider regarding your participation in a clinical study, an adverse event or reaction

involving our targeted cancer therapeutics, or required disclosures of your Personal Information as

required by court order or other legal or regulatory process.

Third Party Websites and Services

When interacting with us, you may come across links or references to third party websites and

services that we do not operate or control. If you provide your Personal Information to that third

party through its websites or services, you will be subject to that third party’s privacy practices and

policies and terms of use. This Privacy Policy does not apply to any Personal Information that

you provide to a third-party website or service. We recommend that you read the privacy policy

that applies to that third party website or service. A link or reference to a third-party website or

service does not mean that we endorse that third party, or the quality or accuracy of the information

presented on its website or service.

Special Notice to California Residents

California Civil Code Section 1798.83 permits individual California residents to request certain

information regarding our disclosure of certain categories of Personal Information to third parties

for those third parties’ direct marketing purposes. To make such a request, please contact us using

the information in the “Contact Us” section below. This request may be made no more than once

per calendar year, and we reserve our right not to respond to requests submitted other than to the

email or mailing addresses specied below.

International data transfers

Mirati is committed to complying with this Privacy Policy and data protection laws, including those

outside of the United States, that apply to our collection and use of your Personal Information. Your

personal information could be transferred to countries located outside your country or region,

including to countries that may not provide a similar or adequate level of protection to that

provided by your country or region. For example, if you are located in the EEA, we may transfer your

personal information to the United States or other countries outside of the EEA. By providing us

with your Personal Information and using our Site, you acknowledge that your Personal Information

may be transferred and processed outside your country or region. Mirati will take all the necessary

measures to ensure that any transfers of your personal information comply with those data

protection and privacy laws as well as with specific rules included in European data protection

laws. If you would like to know more about how we protect your Personal Information, you can

For the transfer of personal information from the EEA and Switzerland to any countries not

recognized by the European Commission as providing an adequate level of data protection

according to EEA standards, we have implemented adequate measures to protect the personal

information, such as by ensuring the recipient is bound by standard contractual clauses (“SCCs”)

adopted by the European Commission. If you are located in the EEA or Switzerland, you can

request more information about these measures by contacting us at the address or email address

in the “Contact Information” section below.

Standard Contractual Clauses Framework

Mirati has entered into contractual relationships that adhere to the SCCs as adopted by the

European Commission regarding the processing of personal information transferred from

organizations in the European Union and Switzerland to the U.S. To learn more about data transfers

under the SCCs click here.

The SCCs cover both “personal information,” which means any information from which an

individual can be directly or indirectly identified, as well as “sensitive personal information,” which

means personal information revealing an individual’s racial or ethnic origin, political opinions or

membership of political parties or similar movements, religious or philosophical beliefs,

membership of a professional or trade organization or union, physical or mental health, including

any opinion thereof, sex life, and, where permitted by applicable law, criminal offences and alleged

offences, criminal records or proceedings with regard to criminal or unlawful behavior. Where the

individual is based in Switzerland, the definition of sensitive personal information also includes

personal information revealing an individual’s ideological views or activities, information on social

security measures or administrative or criminal proceedings and sanctions, which are treated

outside pending proceedings.

The SCCs apply to personal information both in electronic or paper form, including personal

information and sensitive personal information from agents, consultants, contractors, vendors,

service providers, business associates, healthcare professionals, patients, clinical study

participants and others.

Mirati shall remain liable under the SCCs if an agent uses or discloses personal information

received from Mirati in a manner inconsistent with the SCCs, unless Mirati proves that it is not

responsible for the event giving rise to the damage.

With respect to personal information transferred or received pursuant to the SCCs, Mirati is subject

to the investigatory and enforcement powers of various privacy protection authorities. In certain

instances, Mirati may be required to disclose personal information in response to lawful requests

by public authorities, including to meet national security or law enforcement requirements.

What are the special rights of individuals in the European Economic

Area?

If you are located in the EEA and we maintain your Personal Information, you have the following

additional rights (under the GDPR) with regard to your Personal Information. Note that some of

these rights may not be exercisable if you are a patient or may only be exercisable for reasons

related to your particular situation.

• Right to be informed: You have the right to obtain from our Data Protection Officer

confirmation as to whether or not personal data concerning you are being processed and,

where that is the case, all necessary information to make the process transparent.

• Right to access and receive: You may request a copy of or access to the Personal

Information we hold about you.

• Right to portability: You may request that we transfer your Personal Information to a third

party in a machine-readable format.

• Right to correct: You may ask us to update or correct inaccurate or incomplete Personal

Information we hold about you.

• Right to limit or restrict: You may have the right to request that we stop using all or some

of your Personal Information or to limit our use of it.

• Right to erase: You may have the right to request that we delete all or some of your

Personal Information. This right may be limited if we have collected your Personal

Information for research purposes.

• Right to withdraw consent: You have the right to withdraw any consent you have

previously given to Mirati at any time. Your withdrawal of consent does not affect the

lawfulness of our collecting, using, and sharing of your Personal Information prior to the

withdrawal of your consent. Even if you withdraw your consent, we have the right to use

your Personal Information if it has been fully anonymized and cannot be used to personally

identify you.

• Right to complain: You have the right to lodge a complaint with your Supervisory Authority

or with the Supervisory Authority where the alleged violation took place.

Changes to Privacy Policy

Mirati reserves the right to modify this Privacy Policy at any time. Any changes to this Privacy Policy

will become eective when we post the revised Privacy Policy on the Site.

Security

We implement technical and organizational measures designed to ensure your Personal

Information is protected from unauthorized access, use, disclosure, alteration or destruction, in

accordance with applicable laws and regulations. For example, we limit our collection and use of

your Personal Information to the extent necessary to provide you with our services. If you would like

to know more about how we protect your Personal Information, you can contact our Data

Protection Oicer using the information listed below.

MIRATI THERAPEUTICS, INC. is the data controller of the Personal Information collected under this

process your Personal Information. Please contact us using the information below and we will

respond to you within 30 days.

MIRATI THERAPEUTICS, INC.

3545 Cray Court

San Diego, CA 92121 USA

Email: [email protected]

If you are located in the EEA and have a question about your Personal Information, please contact:

Name: BMS DPO

Address: Bristol Myers Squibb, Engineering Building, Cruiserath Drive, Mulhuddart, Dublin

15, Ireland

Email: [email protected]

If you are a patient in a clinical study and have a question about your Personal Information, please

contact your healthcare provider.