Bolt collects the following types of personal data:

• User-provided Information. If you contact us (such as through our Contact IR page) or we receive your personal data from you through any other method (e.g. email), we may collect and store any information about you that you provide, including your name and email address, professional title and company name, phone number, and we may link this information with other information about you.
• Marketing and Communications Information. We will store your preferences relating to our promotional emails, and your communication preferences.
• Device and Usage Information. We may receive information from your device, including IP address (including approximate geolocation inferred from that address), web browser type, operating system version (to the extent applicable), and device identifiers. We receive information about your interactions with our Site, such as the time spent interacting with content and the dates and times of your visits. This may include certain information collected via cookies and similar technologies (including your preferences in respect of the use of those technologies) – for more information on these technologies, please see our Cookie Notice.

We use personal data we collect or receive in a variety of ways such as for Site functionality and for operating our business, including the following:

• Dealing with inquiries and contacts. To provide you with requested information or answer your inquiry or otherwise to deal with any contact you might make with us (such as using our Contact IR page or any ‘Contact Us’ or similar function on the Site) or any other method of communication (e.g. email), as well as any issues arising from such contacts (including replying to you) and interactions.
• Business operation. We use your personal data that we collect or receive through the Site to operate our business.
• Site operation. To operate and make available the Site, including through use of strictly necessary Cookies. This may include tracking issues that might be occurring on the Site and our systems and generally keeping our Site, services and associated systems operational and secure.
• Marketing and promotion. To send you marketing communications relating to our operations and activities (e.g., as part of a newsletter that you may be able to subscribe for via the Site) and other informational materials and content, as well as other communications that may include invitations to events or webinars hosted or sponsored by Bolt.
• Analytics. For website analytics purposes, which we may do to improve and refine the Site and our operations, including creation of aggregated, de-identified or other anonymous data (e.g., through the use of analytics cookies used to monitor and record the number of unique and repeat users on the Site, how long users stay on the Site for, and what parts of functionalities of the Site they visit and use etc). For more information on these technologies, please see our Cookie Notice.
• R&D. To conduct research and development activities on new technical features of the Site or associated functionalities. As part of these activities, we may create aggregated, de-identified or anonymized data from personal data. We may use this aggregated, de-identified or anonymized data and share it with third parties for our lawful business purposes, including to analyze and improve the Site and promote our business.
• Legal Compliance. To comply with legal (including contractual), regulatory, or other requirements, including court orders or in the course of litigation or defense from legal claims
• Protection and enforcement of rights. To protect, maintain and enforce the rights, property, or safety of Bolt, or any of our respective business partners, or other third parties in accordance with applicable laws.
• Cooperation with law enforcement. To cooperate with law enforcement authorities in investigating and prosecuting users who violate our rules or engage in behavior that is illegal or harmful to other users, including suspected fraud, or situations involving potential threats to the physical safety of any person.
• Further uses. In some cases, we may use your personal data for further uses beyond those listed above, in which case, we will ask for your consent to use of your personal data for those further purposes they are not compatible with the initial purpose for which information was collected.

We may disclose your personal data to third parties in the following circumstances:

• Disclosures to Third Parties Assisting in Our Operations. We work with third-party service providers to provide services for us. These third parties may have access to or process your personal data where reasonably necessary for them to perform their functions and provide their services to us.
• Disclosures to Professional Advisers. We may disclose your personal data to lawyers, bankers, auditors and insurers and other professional advisers, such as those who provide consultancy, banking, legal, insurance, accounting or similar services to us.
• Disclosures to Government Authorities. We may disclose your personal data if required to do so by law or in the good-faith belief that such action is necessary to comply with state and federal laws, local or foreign laws, in response to a court order, judicial or other government subpoena or warrant, or to otherwise cooperate with law enforcement or other governmental agencies.
• Disclosures Required by Law. We also reserve the right to disclose your personal data that we believe, in good faith, is appropriate or necessary to: (i) take precautions against liability; (ii) protect ourselves or others from fraudulent, abusive, or unlawful uses or activity; (iii) investigate and defend ourselves against any third‑party claims or allegations; (iv) protect the security or integrity of the Site and any facilities or equipment used to make the Site available; or (v) protect our property or other legal rights (including, but not limited to, enforcement of our agreements), or the rights, property, or safety of others.
• Corporate Events. Personal data of our users may be disclosed in the context of actual or prospective corporate events (e.g., investments in Bolt, financing of Bolt, or the sale, transfer or merger of all or part of our business, assets or shares) where we may need to share certain personal data with prospective counterparties and their advisers. Personal data of our users may also be transferred to an acquirer, successor, or assignee of Bolt as part of any merger, acquisition, sale of assets, or similar transaction, and/or in the event of an insolvency, bankruptcy, or receivership in which personal data is transferred to one or more third parties as one of our business assets.
• Marketing and Analytics. We may make certain aggregated, automatically collected, or otherwise non-directly identifying personal data available to third parties for use by those third parties on our behalf to enable them to provide certain marketing and/or analytics services to us.

If you receive commercial email from us, you may unsubscribe at any time by following the instructions contained within the email (e.g., by clicking the ‘Unsubscribe’ link in the footer of such an email). You may also opt out from receiving commercial email from us by sending your request to us by email at privacy@boltbio.com.

Please be aware that if you opt out of receiving commercial email from us or otherwise modify the types of emails and alert communications you receive from us, it may take up to ten business days for us to process your request – and you may continue receiving promotional communications from us during that period – however, we will ordinarily process these types of opt-out requests more quickly.

For more information on cookies and other tracking devices and ways to exercise preferences regarding them, see our Cookie Notice.   Please note that if you delete, or choose not to accept, cookies from the Site, you may not be able to utilize the features of the Site to their fullest potential.

Some Internet browsers may be configured to send “Do Not Track” signals to the online services that you visit. We currently do not respond to “Do Not Track” or similar signals. To find out more about “Do Not Track,” please visit http://www.allaboutdnt.com.

According to our retention policy, we only keep personal data in our records as long as it is necessary for the purposes they have been processed or as required by applicable laws or regulations. After the retention period expires, the personal data is deleted or anonymized – if this is not technically possible in the circumstances (for example, because your personal data has been stored in backup archives), then we will securely store your personal data and isolate it from any further processing until deletion is possible (e.g., at the time at which that backup is replaced in line with our established schedule). If we anonymize your personal data (so that it can no longer be associated with you), we may use this information indefinitely without further notice to you. The retention periods are established considering the purposes defined in this Notice, all relevant legal and regulatory requirements, and the context in which we process your personal data. We also consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and any applicable legal requirements to retain such data.

We use certain physical, managerial, and technical safeguards that are designed to improve the integrity and security of information that we collect and maintain. Please be aware that no security measures are perfect or impenetrable. We cannot and do not guarantee that information about you will not be accessed, viewed, disclosed, altered, or destroyed by breach of any of our physical, technical, or managerial safeguards.

Bolt stores personal data by using physical, technical, and administrative safeguards designed to secure data against foreseeable risks, such as unauthorized use, access, disclosure, destruction, or modification.

In addition, our information security team has developed policies, standards, and procedures to support and enforce preventive and detective operational controls designed to protect the confidentiality, integrity, and availability of all data collected and managed by Bolt.

Bolt does not knowingly collect information directly from or about persons under 18 years old via the Site or in any other context covered by this Notice. If you are under 18 years old, do not use or provide any information on or via the Site or otherwise.

Please revisit this page periodically to stay aware of any changes to this Notice, which we may update from time to time. If we modify this Notice, we will make it available through the Site, and indicate the date of the latest revision. In the event that the modifications materially alter your rights or obligations hereunder, we will make reasonable efforts to notify you of the change. For example, we may generate a pop-up or similar notification when you access the Site for the first time after such material changes are made. Your continued use of the Site after the revised Notice has become effective indicates that you have read and understood the current version of this Notice.

You can check the “last updated” date posted to see when the Privacy Notice was last updated.

European-specific information about us

Controller. Bolt is the controller of the processing of your personal data covered by this Notice for purposes of European data protection legislation, including the General Data Protection Regulation of the European Union (the “GDPR”). See the Contact Information section above for our contact details.

Personal Data. For European users, references to your “personal data” in this Notice should be understood to include a reference to your “personal data” (as defined in the GDPR) – i.e., information about you, from which you are either directly identified or can be identified. It does not include ‘anonymous data’ (i.e., information where your identity has been permanently removed).

Our Representative in Europe. Our EU representative appointed under the GDPR is Data Protection Representative Limited t/a DataRep. You can contact them:

• By email to: boltbio@datarep.com.
• By postal mail to: 12 Northbrook Road, Dublin, Ireland.

Our Data Protection Officer. The GDPR requires us to appoint a “Data Protection Officer”, this is a person who is responsible for independently overseeing and advising us in relation to our compliance with the GDPR (including compliance with the practices described in this Notice). If you want to contact our Data Protection Officer directly, you can email: privacy@boltbio.com.

Legal Basis of our Processing of your Personal Data

In respect of each of the purposes for which we use your personal data, the GDPR requires us to ensure that we have a “legal basis” for that use. Our legal bases for processing your personal data described in this Notice are listed below:

• Where it is necessary for our legitimate interests and your interests and fundamental rights do not override those interests (“Legitimate Interests”). More detail about the specific legitimate interests pursued in respect of each Purpose we use your personal data for is set out in the table below.
• where we need to comply with a legal or regulatory obligation (“Compliance with Law”).
• Where we have your specific consent to carry out the processing for the purpose in question (“Consent”).

We have set out below, our legal basis in respect of each relevant purposes for which we use your personal data as well as the particular types of your personal data used in that processing activity.

Data Processing Outside Europe

We are a U.S.-based company and many of our service providers, advisers, partners or other recipients of data are also based in the U.S. This means that, if you use the Site or interact with us, your personal data will necessarily be accessed and processed in the U.S. It may also be provided to recipients in other countries outside Europe. These countries and jurisdictions may not have the same data protection laws as your own jurisdiction.

Where we share your personal data with recipients who are outside Europe, we take reasonable steps to maintain adequate safeguards to enable the transfer of the personal data to the U.S. and other jurisdictions. You may contact us if you want further information on the specific mechanism used by us when transferring your personal data out of Europe.

Data Privacy Framework

Bolt Biotherapeutics, Inc. complies with the EU-U.S. Data Privacy Framework (the Data Privacy Framework) as set forth by the U.S. Department of Commerce.

Bolt has certified to the U.S. Department of Commerce that it adheres to EU-U.S. Data Privacy Framework Principles (“EU-U.S. DPF Principles”) with regard to the processing of personal data received from the EU in reliance on the EU-U.S. DPF (“DPF Principles”). If there is any conflict between the terms in this Notice (or the relevant applicable privacy notice that also addresses the Data Privacy Framework such as that which is provided to individuals in the context of clinical trials or privacy notices to clinical site staff) and the DPF Principles, the DPF Principles shall govern. To learn more about the Data Privacy Framework program, and to view our certification, please visit the Data Privacy Framework website.

In compliance with the Data Privacy Framework, Bolt commits to resolve complaints about its collection or use of your personal data. EU individuals with inquiries or complaints regarding our handling of personal data received in reliance on the Data Privacy Framework should first contact Bolt at: privacy@boltbio.com. You can also call us at +1-650-665-9295 or write us at:

Bolt Biotherapeutics, Inc.
900 Chesapeake Drive
Redwood City, CA 94063
Attn: Legal Department

Depending upon the context in which Bolt processes personal data received in reliance upon the Data Privacy Framework, relevant individuals may have rights to access personal data about them, and choices to limit the use and disclosure of their personal data. Please submit a written request to exercise your rights or choices to the contact information above. We may request specific information from you to confirm your identity in an effort to respond to your request.

In compliance with the Data Privacy Framework, Bolt commits to refer unresolved complaints concerning its handling of personal data received in reliance on the Data Privacy Framework to the JAMS, an alternative dispute resolution provider based in United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit JAMS Data Privacy Framework (DPF) Dispute Resolution for more information or to file a complaint. The services of JAMS are provided at no cost to you.

If your Data Privacy Framework complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. Please refer to the Data Privacy Framework Annex 1 for more information.

With respect to personal data received or transferred pursuant to the Data Privacy Framework, the U.S. Federal Trade Commission has jurisdiction over Bolt’s compliance with the Data Privacy Framework.

Bolt may collect, use and disclose categories of personal data received in reliance upon the Data Privacy Framework for the purposes described in this Notice. The types of third parties to which Bolt may share personal data received in reliance on the Data Privacy Framework and for which purposes are set out in the section of this Notice entitled “Disclosures of Personal Data.” Bolt’s accountability for personal data that it receives in the United States under the Data Privacy Framework and subsequent onward transfers to a third party is described in the Data Privacy Framework Principles. In particular, Bolt remains responsible and liable under the Data Privacy Framework Principles if third parties to whom it discloses personal data process it in a manner inconsistent with the Data Privacy Framework Principles unless Bolt proves that it is not responsible for the event giving rise to the damage. Bolt may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

Data Protection Rights

European data protection legislation gives you certain rights regarding your personal data in certain circumstances. If you are located within Europe, you may ask us to take the following actions in relation to your personal data that we hold:

• Right to Request Access, Rectification, Restriction of Processing, Erasure, and Data Portability. We provide you with access to your own personal data and information about our processing of your personal data. In addition, we will rectify your personal data when it is incorrect or inaccurate, and we will give effect to requests to exercise the right to erasure, portability, and to restriction of processing as and when those rights are available in the circumstances (e.g., where they are not incompatible with other legal obligations or conflict with our legitimate interest to process).
• Right to Object. This right exists where we are relying on a Legitimate Interest as the legal basis for our processing and there is something about your particular situation, which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal data for direct marketing purposes.
• Right to Withdraw Consent at Any Time. When we use your personal data based on your consent, you have the right to withdraw such consent at any time. If you withdraw your consent, we may not be able to provide you with access to the certain specific functionalities of our Site. We will advise you if this is the case at the time you withdraw your consent.
• Right to Lodge a Complaint with your Supervisory Authority. If you are not satisfied with our response or how we process your personal data, you can make a complaint to the data protection authority of your habitual residence. A list of the European authorities is available here.
• Automated Decision Making. Bolt does not engage in automated decision making, including profiling

Whether or not we are required to fulfill any request you make will depend on a number of factors (e.g., why and how we are processing your personal data), if we reject any request you may make (whether in whole or in part) we will let you know our grounds for doing so at the time.

Requests to exercise your Data Privacy Rights requests should be submitted as follows:

• To exercise your rights, or for any further privacy-related question or concerns you may have, you can contact us by email at privacy@boltbio.com or by phone at (650) 665-9295. We will attend to your request in a timely manner within 30 days after receiving your request. If for any reason we need to extend this period of time, we will contact you.
• You also have the right to lodge a complaint with a supervisory authority.
• A list of the European authorities is available here.