Last Updated: December 23, 2025
Nurix Therapeutics Inc (“Nurix”, “We”, “Us”) recognizes that the European Economic Area (EEA), the UK and Switzerland (“Territories”) have established strict protections regarding the handling of Personal Data, including requirements to provide adequate protection for Personal Data transferred outside of the Territories.
Therefore, Nurix has certified to the US Department of Commerce that it adheres to the Principles of the EU-US Data Privacy Framework (“EU-US DPF”), the UK Extension to the EU-US DPF, and the Swiss-US Data Privacy Framework (“Swiss-US DPF”) (collectively referred to as “DPF”).
Nurix is committed to handling all Personal Data received from the Territories in reliance on the DPF in accordance with the Principles.
Our commitment to adhere to the Principles is not time-limited in respect of Personal Data received during the period in which we enjoy the benefits of the DPF. Instead, we will continue to apply them to such data for as long as we store, use or disclose them, even if we subsequently leave the DPF in whole or in part for any reason.
This Policy supplements our Privacy Policy, EU Privacy Notice, and US Privacy Notice and governs the handling of Personal Data following their transfer from the Territories.
If there is any conflict between the terms in this Policy and the Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program and to view our certification, please visit https://www.dataprivacyframework.gov/.
1. Categories of Personal Data
We process the following categories of Personal Data:
- a. Personal Identifiers: These are items of Personal Data which can be used to directly identify you.
- i. Name
- ii. Address
- iii. Email Address
- iv. Telephone Number
- b. Behavioral Information: This is information related to how you use our digital services, such as our website or the applications our employees use at work.
- i. Which web browser you use (User Agent String)
- ii. How you interact with our services (Log Files)
- iii. Whether you are authorized to access our services (Identity and Access Management)
- c. Professional Information: This is information related to your professional activities, usually related to employees or other companies we work with.
- i. Who you work for
- ii. What your job is
- iii. The number of hours you have worked
- d. Clinical Data: These are data for our patients who participate in our clinical trials, like health data, biological samples, images (e.g., x-rays, CT scans), weight, and age.
- e. Ethnic Origin/race of patients participating in our clinical trials.
2. Processing Purposes
We process your Personal Data for the following services (collectively, the “Services”):
- a. Security: We process certain Personal Data to ensure network and information security, including monitoring authorized users’ access to our Services for the purpose of preventing cyber-attacks and unauthorized use of our systems and website / app, preventing or detecting crime, and ensuring that only authorized persons are able to access our services and places (sites, buildings or rooms within a building).
- i. Example: we need to log all access to our systems to ensure that there is no unauthorized access – this includes who accessed it, when, what they did etc. If we were unable to process this information, we would not be able to secure the confidential information we process.
- b. Provision of Services: We process certain Personal Data to ensure we can provide a specific service to you, e.g. to (i) provide access to certain areas, functionalities, and features of our Services; (ii) communicate with you about your account, activities on our Services and policy changes; and (iii) allow you to register for events.
- i. Example: we need to process various information about our employees to be able to pay their salary, conduct performance reviews and make pension contributions.
- c. Due Diligence: We process certain Personal Data to conduct checks known as due diligence.
- i. Example 1: we need to process various information to conduct checks in relation to the qualifications of our employees and employees of our partners/vendors, to ensure that they have the qualifications they claim to have. This is incredibly important when conducting clinical trials as our trial participants would be put at significant risk if unqualified personnel were working on the trial.
- ii. Example 2: we are required by law to conduct certain checks to ensure that we do not work with companies or contractors/consultants who engage in money laundering, bribery, modern slavery and more. Such checks require us to process Personal Data related to those individuals and/or company representatives.
- d. Legal Claims: We process certain Personal Data to defend and enforce our rights, including against legal claims that involve us, and to manage regulatory matters, investigations, data breaches, and/or data subject requests.
- e. Targeted Advertising: We process certain Personal Data to enable us to carry out targeted advertising based on your online activity, and to personalize your browsing experience on our website.
- f. Clinical Research and Safety Monitoring: We process certain Personal Data, including Clinical Data and ethnic origin/race information, to conduct clinical trials, pharmaceutical research, drug development activities, patient safety monitoring, adverse event reporting, regulatory submissions, scientific publications, and to comply with current and future regulatory requirements governing pharmaceutical research and development. This includes processing data to evaluate the safety and efficacy of our investigational products, analyze clinical trial outcomes, fulfill pharmacovigilance obligations, and support our legitimate research interests in developing innovative therapeutic solutions.
- i. Example: we need to process clinical trial participants’ health data, biological samples, medical images, demographic information including ethnic origin and race, and other clinical information to conduct clinical studies evaluating our investigational drugs in accordance with applicable study protocols. This processing is essential for monitoring patient safety during trials, reporting adverse events to regulatory authorities, analyzing treatment effectiveness across diverse populations, and obtaining regulatory approvals for our investigational products.
We will only process Personal Data in ways that are compatible with the purpose for which we collected it. Before we use your Personal Data for a purpose that is materially different from the purpose we collected it for, we will let you know and, where appropriate, obtain your consent.
3. Data Transfers to Third Parties
- a. Service Providers acting as our processors:
- i. We use several different service providers to process your Personal Data on our behalf – these service providers are acting as our processors.
- ii. You can find a full list of all processors acting on our behalf by clicking on this link.
- iii. We share your Personal Data with such service providers for business purposes, such as to manage customer, supplier and vendor accounts and relationships and related services; operate our IT systems and secure our systems; prevent fraud and other illegal activities; obtain professional advice about legal and accounting matters; provide our Services and ensure the smooth conduct of our clinical trials in which you may participate.
- iv. Where required by the DPF, we enter into written agreements with those service providers requiring them to provide the same level of protection the DPF requires and limiting their use of the data to the specified services provided on our behalf. We take reasonable and appropriate steps to ensure that such service providers process Personal Data in accordance with our DPF obligations and to stop and remediate any unauthorized processing. Under certain circumstances, we may remain liable for the acts of our third-party agents or service providers who perform services on our behalf for their handling of Personal Data that we transfer to them. Any contractual obligations we place on our processors also apply to any onward transfers of Personal Data.
- b. Affiliated Entities: If we transfer your Personal Data to one of our affiliated entities within our corporate group, we will take steps to ensure that your Personal Data is protected with the same level of protection the DPF requires.
- c. Third Party Websites: Our Services may contain links to websites and services owned or operated by third parties (each, a “Third-Party Service”). These Third-Party Services may include features that collect your IP address and information about which pages you visit on our Services and may set cookies to enable the links to function properly. Any information you provide on such sites is provided directly to the Third-Party Service, and we are not responsible for their content, privacy practices, or security policies. We recommend that you carefully review the privacy policies of all Third-Party Services you access. Our Services may also include access to publicly accessible blogs, forums, or social media pages. Personal Data you voluntarily publish on such platforms may be viewed and used by others without restriction. Your interactions with these platforms are governed by the privacy policies of the companies providing them.
- d. No Sale of Personal Data: Except for certain limited cookies and tracking technologies that support analytics and other website functions, we do not sell or share for cross-context behavioral advertising any of the categories of Personal Data we collect.
- e. Disclosures for National Security or Law Enforcement: Under certain circumstances, we may be required to disclose your Personal Data in response to valid requests by public authorities, including to meet national security or law enforcement requirements. We will only do so in accordance with the DPF Principles.
4. Your Rights
Under the DPF, you have rights in relation to your Personal Data. These include:
- a. Information on the types of Personal Data collected.
- b. Information on the purposes of collection and use.
- c. Information on the type or identity of third parties to which your Personal Data is disclosed.
- d. Choices for limiting use and disclosure of your Personal Data.
- e. Access to your Personal Data.
- f. Notification of our liability if we transfer your Personal Data.
- g. Notification of the requirement to disclose your Personal Data in response to lawful requests by public authorities.
- h. Reasonable and appropriate security for your Personal Data.
- i. A response to your complaint within 45 days.
- j. Cost-free independent dispute resolution to address your data protection concerns.
- k. The ability to invoke binding arbitration to address any complaint that the organization has violated its obligations under the DPF Principles to you and that has not been resolved by other means.
5. Access, Correction and Deletion Rights
- a. You may have the right to access the Personal Data that we hold about you and to request that we correct, amend, or delete it if it is inaccurate or processed in violation of the DPF. These access rights may not apply in some cases, including where providing access is unreasonably burdensome or expensive under the circumstances or where it would violate the rights of someone other than the individual requesting access.
- b. If you would like to request access to, correction, amendment, or deletion of your Personal Data, you can submit a written request to dpo@nurixtx.com or via our Privacy Portal.
- c. We may request specific information from you to confirm your identity. If we are unable to verify your identity with the degree of certainty required, we will not be able to respond to your request. We will notify you to explain the basis of the denial.
- d. For requests for access or deletion, we will first acknowledge receipt of your request within 10 business days of receipt of your request. We will provide a substantive response to your request as soon as we can, generally within 30 days from when we receive your request, although we may be allowed to take longer to process your request under certain circumstances.
- e. If we expect your request is going to take us longer than normal to fulfill, we will let you know.
- f. We usually fulfill requests and provide information free of charge, but we may charge a reasonable fee to cover our administrative costs of providing the information in certain situations. In some cases, the law may allow us to refuse to act on certain requests. When this is the case, we will endeavor to provide you with an explanation as to why.
6. Security
- a. Nurix maintains reasonable and appropriate security measures to protect Personal Data from loss, misuse, unauthorized access, disclosure, alteration, or destruction in accordance with the DPF.
- b. We have developed the security aspects of our privacy framework around ISO 27001 and NIST (National Institute of Standards and Technology) – these are globally recognized standards and frameworks and provide best practice for protecting data.
- c. We retain your Personal Data in a form identifying or making you identifiable only for as long as it serves a purpose of processing for which it was collected. After such purpose ceases to exist, we remove direct identifiers from your data and instead use pseudonymous identifiers – this means we change the data so that it cannot be linked directly to you without a specific key – which is kept secure.
- d. We also receive Personal Data of clinical trials participants in a de-identified form and the key to the identification is held only by the principal investigator of the study sites.
7. Complaints and Recourse Mechanism
In compliance with the DPF, Nurix commits to resolve Principles-related complaints about our collection and use of your Personal Data.
- a. Internal Complaint Mechanism: In some cases, we may not act on your requests (e.g., if we cannot do so under other laws that apply). When this is the case, we will explain our reasons for not providing you with the information or taking the action (e.g., correcting data), as you requested. In such cases, you should first contact Nurix’s Data Protection Officer at dpo@nurixtx.com or via our Privacy Portal.
- b. Independent Dispute Resolution Bodies: If we cannot resolve your complaint, you may file a complaint free of charge with the competent data protection authority in your country of residence or habitual residence. In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, Nurix commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs), the UK Information Commissioner’s Office (ICO), and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of Personal Data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF.
- c. Binding Arbitration: To the extent we or the independent dispute resolution bodies cannot resolve your complaints, you may, under certain circumstances, invoke binding arbitration to resolve the complaint through the Data Privacy Framework Arbitration Panel. Additional information on the arbitration process is available on the DPF website.
- d. Enforcement: Nurix is subject to the investigatory and enforcement powers of the United States Federal Trade Commission (FTC).
8. Contact Us
- a. If you have any questions about this Policy or would like to request access to your Personal Data, please contact us via our Privacy Portal or contact us using the following contact details:
- Nurix Therapeutics, Inc.
- 1600 Sierra Point Parkway
- Brisbane, CA 94005
- b. To contact our Data Protection Officer (DPO) directly, please send an email to dpo@nurixtx.com.
- c. To contact our EU, UK and Swiss Data Protection Representative (DPR) directly, please send an email to nurixtx@datarep.com.
9. Changes to This Policy
We reserve the right to amend this Policy from time to time consistent with the DPF’s requirements.