Supplemental Notice to Healthcare Providers and Key Opinion Leaders

Kymera Therapeutics, Inc. (“Kymera”, “us”, “we”) respects your privacy and is committed to protecting it through our compliance with the practices described in this privacy notice (“Notice”), consistent with applicable laws.

This Notice describes how Kymera, with its registered offices at 500 North Beacon Street, 4th Floor, Watertown, Massachusetts, 02472 USA, as a controller, collects, discloses, maintains, protects, uses, and otherwise process (“Process”) the personal information or personal data (“Personal Data”) of healthcare providers (“HCPs”) and key opinion leaders (“KOLs”), including but not limited to clinicians, investigators, physicians, pharmacists, researchers, and other HCPs. Personal Data does not include, and this Notice does not apply to, aggregate information or information that has been de-identified or anonymized in accordance with applicable law. Any specific privacy notice will be delivered to the data subjects for that specific purpose(s).

Please read this Notice carefully to understand what personal data we collect, how we collect it, how we use it, how we protect it, who we may disclose it to, and how you can manage your personal data. Please note that Kymera may provide additional privacy notices to individuals at the time we collect their personal data. For example, we provide a specific privacy notice to clinical trial study staff that describes our privacy practices in connection with conducting clinical trials. Employment applicants may also be provided with a separate privacy notice. In the event of any conflict or inconsistency, this type of an “in-time” notice will govern how we may process the information you provide at that time.

If you have any questions about this Notice or wish to exercise your rights regarding personal data that Kymera has collected from you, either directly or through a third party, please get in touch with us as described in Section 1 below (“How to Contact Us”). We will comply with applicable law regarding your rights as a Data Subject.

1. How To Contact Us

Mailing address
Kymera Therapeutics, Inc.
500 North Beacon Street, 4th Floor
Watertown, MA 02472

Email address
privacy@kymeratx.com

2. What is Personal Data, and what are the types of Personal Data that we Process?

Personal Data is any information that relates to an identified or identifiable living individual. Depending on the nature of our relationship with you and the requirements of applicable laws, we may use the following Personal Data about you (below is not a full accounting of the data related to any category):

  • Identity data: name or similar identifier, initials, title, social security or other government-issued identification number, date of birth, and gender.
  • Contact data: address (including work address), email address, social media handle, phone number, fax number, and other similar contact data.
  • Employment and professional information: employer, job title, specialty/field of expertise, educational and employment history, institution affiliations/credentials, ID number, awards and honors, background checks (when applicable), membership in professional organizations, research interests, references, publications and speaking engagements, affiliations with patient advocacy organizations, interests in or experience with Kymera’s products or treatment habits, or any other information included on your curriculum vitae.
  • Publicly available information: license information, discipline, information about programs/studies and other activities in which you have participated, prior litigation or regulatory proceedings, and other due diligence information.
  • Photograph, audio, video, or public comments, including but not limited to publicly available social media posts and opinions.
  • Communications data: your preferences in receiving materials regarding our company, products, and any other information you may request from us and our third parties.
  • Financial information: tax identification number, transfer details, bank account information, credit card number, bank accounts, and electronic signature.
  • Inferences: notes about preferences and aptitudes.
  • Technical and Operational information: IP address, country or geographic region location, username, and password for Kymera systems and solutions.
  • Any other information: any other information relevant to any inquiries, comments, market research, responses, or interactions that you have or share with us or our service providers/business partners.

We also collect, use, and share Aggregated Data, such as statistical or demographic data, for any purpose. Aggregated Data could be derived from your personal data, but is not considered personal data in law, as this data will not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, suppose we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you. In that case, we treat the combined data as personal data which will be used in accordance with this Notice.

Please note that it is not Kymera’s intention to process your sensitive information. Unless required under applicable law or in accordance with certain services, we will not request any sensitive information, including health information about any patients or yourself, from you, and we request that you do not provide this Personal Data to us. In the event that we receive your sensitive information, we will process it only to the extent necessary to comply with your instructions and as required by applicable law.

3. How do we collect your Personal Data?

We may collect or obtain Personal Data:

  • Directly from you or someone acting directly on your behalf when you interact with Kymera, please note that if you interact with Kymera’s websites, please refer to the applicable privacy notice for that website for how Kymera will process your Personal Data related to the website
  • From other HCPs, healthcare organizations, clinics, hospitals, institutions, or other similar third parties
  • From third-party service providers, data brokers, business partners, social media platforms, and data aggregators
  • From contract research organizations (“CROs”) or clinical research investigators (“PIs”)
  • From industry groups, events, programs, and patient advocacy organizations (“PAOs”)
  • From individuals who report adverse events or quality issues
  • From government authorities or public sources

4. The purposes for which we Process your Personal Data and the legal basis we rely on for such Processing.

In the last 12 months, Kymera has Processed Personal Data for the following purposes:

Required in accordance with our legitimate interests: (Please note that the accounting of the types of Personal Data Processed for each purpose below is merely illustrative and is not exhaustive of the Personal Data Processed on a case-by-case basis.)

  • Manage our relationship with you. We may use your identity data, contact data, employment and professional information, publicly available information, inferences, and other Personal Data collected through our interactions with you and from third-party sources.
  • Interacting with you and maintaining records related to any interactions. We may use your identity data, contact data, your employment and professional information, inferences, or any other Personal Data you share with us. Kymera requests that you do not share any sensitive or health information with us unless we are required to do so by law.
  • Communicate with you and provide you with information about our activities or tailored information about a program that you have expressed interest in. We may use your identity data, contact data, your employment and professional information, inferences, publicly available information, and other Personal Data collected through our interactions with you.
  • Processing and responding to any unsolicited requests for information. Depending on the nature of your request, the type of Personal Data Processed may vary, including but not limited to your identity data, contact data, and any other Personal Data that you may provide. Kymera requests that you do not provide any sensitive or health information.
  • To seek your views and/or improve our products, services, and Kymera materials (including but not limited to promotional, scientific, and educational information). We may use your identity data, contact data, your employment and professional information, inferences, or any other Personal Data you share with us. We may also use your Personal Data to analyze and improve our interactions, events, and activities with you and other HCPs, which may include any information you provide about diagnosis or treatment approaches.
  • Invite you and pre-contract with you to be a key opinion leader/advisor, to invite you to an event, Kymera organized meetings or meetings sponsored by Kymera (including but not limited to advisory boards, medical events, conferences, etc.), or to invite you to participate in research, including but not limited to market research. We may use your identity data, contact data, your employment and professional information, inferences, financial information, or any other Personal Data you share with us. In addition, we may use your information in contemplation of a contract related to any invitation.
  • Training and quality assurance purposes. We may use your identity data, contact data, your employment and professional information, publicly available information, and other Personal Data collected through our interactions with you and from third-party sources.
  • Operating and administration of Kymera’s business, including but not limited to supporting safe, responsible, compliant, and ethical business and commercial operations; facilitating quality and safety of our products and research; conducting audits and investigations; managing our financial and other accounts; developing and improving our products, etc. We may use any of the categories of Personal Data, including, but not limited to, identity data, contact data, background information, education history, photographs, videos, and audio information.
  • Establishment, exercise, or defense of legal claims. We may use your identity data, contact data, your employment and professional information, publicly available information, financial information, and other Personal Data collected through our interactions with you and from third-party sources.
  • Protecting rights and interests, including but not limited to protecting the health, safety, and security of Kymera, its employees, patients, caregivers, HCPs, and the general public; enforcing our legal rights; and pursuing remedies or otherwise taking steps to limit losses and liabilities. We may use your identity data and contact data to investigate potential violations of our contracts or to address health and medical emergencies.
  • De-identification of your Personal Data. Per applicable legal requirements, we may de-identify or anonymize Personal Data from and about you so that it can no longer be linked to you. Information that has been de-identified/anonymized (as applicable by law) in such a way is no longer subject to this Notice and can be used and shared by Kymera at our discretion.

Please note that when processing your Personal Data based upon our legitimate interests, we strive to maintain a balance between our legitimate interests and your privacy.

Related to the contract (including pre-entering a contract) between us:

  • Interacting with you and compensating you (if applicable) as KOL, advisor, investigator, researcher, event or meeting attendee or speaker (including but not limited to advisory boards, medical events, conferences, etc.). We may use your identity data, contact data, your employment and professional information, inferences, photo/video, financial information, or any other Personal Data you share with us. In addition, we may use your information in contemplation of a contract related to any invitation.
  • To seek your views and/or improve our products, services, and Kymera materials (including but not limited to promotional, scientific, and educational information). We may use your identity data, contact data, your employment and professional information, inferences, or any other Personal Data you share with us. We may also use your Personal Data to analyze and improve our interactions, events, and activities with you and other HCPs, which may include any information you provide about diagnosis or treatment approaches.
  • To determine and document any services, compensation, and agreements in compliance with applicable laws, including determining fair market value and transparency laws and local requirements. We may use your identity data, contact data, your employment and professional information, inferences, photo/video, financial information, or any other Personal Data you share with us.
  • Collect certain information from or about you (where consent is required under applicable law) for internal and external use. We use your identity data, contact data, photographs/video, or other Personal Data that may indicate race, ethnic origin, or other physical characteristics.
  • Other contractual interactions.

When required by law, for example, by:

  • Monitoring and reporting pharmacovigilance and product safety, quality, and complaints related to our products and any clinical research. We may use your identity data, contact data, your employment and professional information, and any other Personal Data you may share with us. We process this Personal Data and sensitive data only when required by law and as necessary for reasons of public interest in the area of public health.
  • Complying with transparency requirements. We may use your identity data, contact data, your employment and professional information, and financial information.
  • Ensuring compliance with applicable laws and regulations. We may use your identity data, contact data, financial information, and any other Personal Data that you may share with us.
  • Verify your eligibility to access certain products, services, or data that may be provided only to licensed HCPs or others conducting background checks to ensure that it is permissible for Kymera to work with you. The types of Personal Data Processed may vary.
  • Responding to legal inquiries, requests, and summons. We may use your identity data, contact data, employment and professional information, financial information, and any other Personal Data that you may share with us.

In accordance with your consent:

  • Send communication, promotional, and other materials or engage you to participate in marketing research (where consent is required under applicable law). You have the right to opt out of communications at any time. We use your identity data, contact data, your employment and professional information, publicly available information, inferences, and other Personal Data collected through our interactions with you and from third-party sources.

Due to the nature of our business, Kymera may be subject to certain legal requirements, which necessitate the processing of personal data and sensitive information (including health information and mental and physical characteristics) to meet these requirements. When permissible under the law, we will attempt to limit and protect the Processing of your Personal Data to the extent possible, for example, by pseudonymizing information, while still complying with our legal obligations. To the extent applicable, Kymera will reasonably rely on the authority of HCPs and any other individuals to act on your behalf. The Health Insurance Portability and Accountability Act of 1996 (HIPAA), 45 C.F.R. § 164.512(b), permits health professionals to disclose information about adverse events/side effects to pharmaceutical companies.

For additional information relevant to California residents, including related to their privacy rights under the California Consumer Privacy Act (“CCPA”), please refer to our Supplemental Privacy Policy for California Residents, which is available here: Supplemental Privacy Policy for California Residents.

Individuals located in the European Economic Area (“EEA”) or the United Kingdom (“UK”), please see the “Supplemental Notice to EEA/UK Data Subjects” for additional information.

5. Who do we share your Personal Data with?

Kymera may share your Personal Data:

  • Internal Parties: with people within the company who have a “need to know” that data for business or legal reasons (e.g., to direct a query that you have submitted to the relevant person within Kymera);
  • Our Collaborators: with our collaborators, including other companies and institutions, such as those listed or referenced on our website.
  • External Third Parties: with third parties, vendors, and service providers, including Kymera’s advisors, suppliers of IT services, and third parties engaged by Kymera, under the legal bases set out above;
  • Parties as part of a business transaction: with a third party related to a business transfer, including but not limited to as part of a sale, assignment, or transfer of a Kymera business or assets, or an acquisition of or merger with another entity. We may also share your Personal Data in contemplation of such transactions, such as due diligence.
  • Government Authorities: with government or law enforcement agencies (where required or permitted by applicable laws, court orders, or government regulations);
  • Other Third Parties: with third parties to protect rights and interests, including when needed for audits, investigations, or to respond to inquiries/complaints, etc.; and
  • As authorized by you: with your consent or as directed by you.

6. Transfers of Personal Data

Kymera is based in the United States, which may not have the same level of data protection as your country. In addition, please note that any person to whom Kymera may disclose your Personal Data under this Notice may be situated in a country other than your own, and that such country may provide a lower level of data protection requirements than your own country.

Whenever we transfer Personal Data across borders, we take the legally required steps to ensure that appropriate safeguards are in place to protect your Personal Data and to ensure it is treated in accordance with this Notice, including, but not limited to, utilizing data transfer mechanisms permitted under applicable laws, such as standard contractual clauses.

7. How long do we retain your Personal Data?

We will only retain your personal data (which includes Personal Information for purposes of the California Consumer Privacy Act (“CCPA”) and similar U.S. State laws) for as long as necessary to fulfill the purposes for which we collected it. To determine the appropriate retention period for personal data (including Personal Information), we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and applicable legal requirements.

8. How do we secure your Personal Data?

We have implemented commercially reasonable and appropriate security measures designed to prevent your personal data from being accidentally lost, used, or accessed in an unauthorized manner, altered, or disclosed while it is under our control, taking into consideration the risks involved in processing and the nature of the personal data.

Unfortunately, the transmission of information via the Internet is not completely secure. Although we take appropriate steps to protect your personal data, we cannot guarantee the security of your personal data transmitted to the Website or via email transmission. Any transmission of personal data is at your own risk.

9. Your rights

Many jurisdictions afford data subjects’ or consumers’ rights. We comply with all applicable laws that permit data subject rights and will honor requests in accordance with these laws. Depending on your jurisdiction, your rights may include the following:

  • request an accounting of, access to, and/or a portable copy of the Personal Data that we hold about you;
  • request that we rectify, delete, limit, or opt out of the processing of your Personal Data;
  • request to opt out of communications from us at any time by following any Unsubscribe or opt-out instructions in the communication, including selecting the unsubscribe link. We may still need to send you important administrative messages even if you opt out of receiving communications, and/or
  • withdraw, at any time, your consent without any legal effect impacting you at any time by contacting us as provided for in Section 1. Contact Us regarding this Notice; however, we cannot guarantee that we will be able to give every right or continue certain activities after respecting your request.
  • Automated decision-making: Kymera does not engage in any automated decision-making.

Please submit your written request to the Data Protection Officer, Bird & Bird DPO Services SRL, via privacy@kymeratx.com or Bird & Bird DPO Services SRL, Avenue Louise 235 b 1, 1050 Brussels, Belgium. You may also contact our EU/UK Data Protection Representative at https://verasafe.com/public-resources/contact-data-protection-representative or at VeraSafe Ireland Ltd., Unit 3D North Point House, North Point Business Park, New Mallow Road, Cork T23AT2P. If you are not satisfied with the handling of your concern or complaint by Kymera, you can escalate this to your national Supervisory Authority, if applicable – available here.

10. Children’s Privacy

While in some instances we may collect personal data about children with the consent of a parent or guardian, such as for clinical activities, we do not otherwise knowingly solicit data from, or market to, children. The Website is not intended for children, and we do not knowingly collect personal data from children. If a parent or guardian becomes aware that his or her child has provided us with personal data, he or she should contact us as described in Section 1 above (“How to Contact Us”). We will take reasonable steps to delete such data within a reasonable time.

11. Changes To This Notice

We reserve the right to modify this Notice at any time. We encourage you to periodically review this page for the latest information on our privacy practices. If we make any changes, the updated Notice will be posted with a revised effective date, unless another type of notice is required by applicable law. Your continued use of the Website and/or services or offerings after any such updates take effect will constitute acceptance of any changes.

*****

Last Revised: September 3, 2025