Privacy Policy

Preamble

With the following privacy policy we would like to inform you which types of your personal data (hereinafter also abbreviated as “data”) we process for which purposes and in which scope. The privacy statement applies to all processing of personal data carried out by us, both in the context of providing our services and in particular on our websites, in mobile applications and within external online presences, such as our social media profiles and newsletter (hereinafter collectively referred to as “online services”).

The terms used are not gender-specific.

Last Update: 5 May 2026

Controller:

Graph Therapeutics FlexCo (FN 631231)

Xista Science Park

Plöckingstraße 1, 3400

Klosterneuburg, Austria

Authorised Representatives:

Gregory Vladimer, Robert Sehlke

E-mail address: office@graphtx.com

Legal Notice: https://graphtx.com/imprint

Overview of processing operations

The following summarises the types of data processed, the purposes for which they are processed and the concerned data subjects.

Categories of Processed Data

• Contact data (e.g. names, e-mail addresses, telephone numbers).

• Content data (e.g. text input, photographs, videos).

• Usage data (e.g. websites visited, interest in content, access times).

• Meta/communication data (e.g. device information, IP addresses).

• Job applicant details (e.g. CVs, cover letters, qualifications, certificates).

• Newsletter subscription data (e.g. e-mail address, subscription preferences).

Categories of Data Subjects

• Users (e.g. website visitors, newsletter subscribers).

• Job applicants.

• Business contacts (e.g. prospective collaborators, investors, partners).

Purposes of Processing

• Contact requests and communication.

• Job application process.

• Feedback.

• Research, collaboration and fundraising (e.g. business development, investor relations, partnership outreach).

• Newsletter and marketing communications.

• Provision of our online services and usability.

• Analysis and improvement of our online services.

Legal Bases for the Processing

In the following, you will find an overview of the legal bases of the GDPR on which we base the processing of personal data. Please note that in addition to the provisions of the GDPR, national data protection provisions of your or our country of residence or domicile may apply. If, in addition, more specific legal bases are applicable in individual cases, we will inform you of these in the data protection declaration.

• Consent (Article 6 (1) (a) GDPR) — The data subject has given consent to the processing of his or her personal data for one or more specific purposes (e.g. newsletter subscription, non-essential cookies).

• Performance of a contract and prior requests (Article 6 (1) (b) GDPR) — Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

• Legitimate Interests (Article 6 (1) (f) GDPR) — Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

• Job application process as a pre-contractual or contractual relationship (Article 9 (2)(b) GDPR) — If special categories of personal data within the meaning of Article 9 (1) GDPR are requested from applicants within the framework of the application procedure, their processing shall be carried out in accordance with Article 9 (2)(b) GDPR, or in the case of voluntary consent on the basis of Article 9 (2)(a) GDPR.

In addition to the data protection regulations of the General Data Protection Regulation, national regulations apply to data protection in Austria. This includes in particular the Federal Act on the Protection of Individuals with regard to the Processing of Personal Data (Data Protection Act – DSG) and, with respect to cookies and similar technologies, the Austrian Telecommunications Act (TKG 2021, § 165). The Data Protection Act contains special provisions on the right of access, rectification or cancellation, processing of special categories of personal data, processing for other purposes and transmission and automated decision making in individual cases.

Security Precautions

We take appropriate technical and organisational measures in accordance with the legal requirements, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, in order to ensure a level of security appropriate to the risk.

The measures include, in particular, safeguarding the confidentiality, integrity and availability of data by controlling physical and electronic access to the data as well as access to, input, transmission, securing and separation of the data. In addition, we have established procedures to ensure that data subjects’ rights are respected, that data is erased, and that we are prepared to respond to data threats rapidly. Furthermore, we take the protection of personal data into account as early as the development or selection of hardware, software and service providers, in accordance with the principle of privacy by design and privacy by default.

SSL/TLS encryption (https): In order to protect your data transmitted via our online services in the best possible way, we use SSL/TLS encryption. You can recognise such encrypted connections by the prefix https:// in the address bar of your browser.

Cookies and Consent for Non-Essential Technologies

Our website uses cookies and similar technologies. Cookies that are strictly necessary for the operation of the website are set on the basis of our legitimate interest (Article 6 (1) (f) GDPR) and applicable Austrian law (§ 165 (3) TKG 2021).

Non-essential cookies and similar technologies (in particular for analytics and embedded third-party services) are only set after you have given your consent via our cookie banner, in accordance with Article 6 (1) (a) GDPR and § 165 TKG 2021. You can withdraw your consent at any time with effect for the future by re-opening the cookie settings on our website or by clearing the cookies in your browser. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

Transmission of Personal Data

In the context of our processing of personal data, it may happen that the data is transferred to other places, companies or persons or that it is disclosed to them. Recipients of this data may include, for example, service providers commissioned with IT tasks or providers of services and content that are embedded in a website or used by us internally (for example, customer relationship management, meeting transcription, productivity, and recruitment tools). In such a case, the legal requirements will be respected and in particular corresponding contracts or agreements (including data processing agreements pursuant to Article 28 GDPR), which serve the protection of your data, will be concluded with the recipients of your data.

An overview of the main service providers we use is set out in the relevant sections below (Web Hosting, Analytics, Newsletter, Job Application Process, Customer Relationship Management, Meeting Transcription and Productivity Tools, and Social Media Profiles).

Data Processing in Third Countries

If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or the processing takes place in the context of the use of third party services or disclosure or transfer of data to other persons, bodies or companies, this will only take place in accordance with the legal requirements.

Subject to express consent or transfer required by contract or law, we process or have processed the data only in third countries with a recognised level of data protection, on the basis of special guarantees, such as a contractual obligation through so-called standard contractual clauses of the EU Commission, the EU–U.S. Data Privacy Framework where applicable, or if certifications or binding internal data protection regulations justify the processing (Articles 44 to 49 GDPR; information page of the EU Commission: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en).

Erasure of Data

The data processed by us will be erased in accordance with the statutory provisions as soon as their processing is revoked or other permissions no longer apply (e.g. if the purpose of processing this data no longer applies or they are not required for the purpose). If the data is not deleted because they are required for other and legally permissible purposes, their processing is limited to these purposes. This means that the data will be restricted and not processed for other purposes. This applies, for example, to data that must be stored for commercial or tax reasons or for which storage is necessary to assert, exercise or defend legal claims or to protect the rights of another natural or legal person. In the context of our information on data processing, we may provide users with further information on the deletion and retention of data that is specific to the respective processing operation.

Provision of Online Services and Web Hosting

In order to provide our online services securely and efficiently, we use the services of one or more web hosting providers from whose servers (or servers they manage) the online services can be accessed. For these purposes, we may use infrastructure and platform services, computing capacity, storage space and database services, as well as security and technical maintenance services.

The data processed within the framework of the provision of the hosting services may include all information relating to the users of our online services that is collected in the course of use and communication. This regularly includes the IP address, which is necessary to be able to deliver the contents of online services to browsers, and all entries made within our online services or from websites.

• Processed data types: Content data (e.g. text input, photographs, videos); Usage data (e.g. websites visited, interest in content, access times); Meta/communication data (e.g. device information, IP addresses).

• Data subjects: Users (e.g. website visitors, users of online services).

• Purposes of processing: Provision of our online services and usability.

• Legal basis: Legitimate Interests (Article 6 (1) (f) GDPR).

Further information on processing methods, procedures and services used:

Website hosting via Framer

Our website (graphtx.com) is built and hosted using Framer, a website builder and hosting platform. When you visit our website, Framer and its sub-processors process technical data such as your IP address, browser information, and access times in order to deliver the website to you securely and reliably.

• Service provider: Framer B.V., Joop Geesinkweg 901-999, 1114 AB Amsterdam, Netherlands.

• Website: https://www.framer.com.

• Privacy policy: https://www.framer.com/legal/privacy-policy/.

Collection of access data and log files

We, ourselves or our web hosting provider, collect data on the basis of each access to the server (so-called server log files). Server log files may include the address and name of the web pages and files accessed, the date and time of access, data volumes transferred, notification of successful access, browser type and version, the user’s operating system, referrer URL (the previously visited page) and, as a general rule, IP addresses and the requesting provider. The server log files can be used for security purposes, e.g. to avoid overloading the servers (especially in the case of abusive attacks, so-called DDoS attacks) and to ensure the stability and optimal load balancing of the servers.

Retention period: Log file information is stored for a maximum period of 30 days and then deleted or anonymised. Data, the further storage of which is necessary for evidence purposes, are excluded from deletion until the respective incident has been finally clarified.

Analytics and Website Usage Data

Google Analytics 4

With your consent, we use Google Analytics 4 (GA4), a web analytics service provided by Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland, to help us understand how visitors use our website and to improve user experience.

Data collected:

• IP address (used by Google to determine an approximate geographic location; in GA4, IP addresses are not stored or logged after this lookup).

• Browser type and version.

• Operating system and device information.

• Pages visited and time spent on each page.

• Referring website or source.

• Date and time of visit.

• Approximate geographic location (country, region, city).

Purposes:

• Understanding our website traffic and visitor demographics.

• Improving our website content and user experience.

• Analysing which pages are most popular.

• Identifying technical issues.

Google Analytics 4 uses cookies and similar technologies to collect this information. The data is transmitted to and stored by Google on servers which may be located outside your country of residence, including in the United States. Google may use this information to evaluate your use of the website, compile reports on website activity for us, and provide other services relating to website activity and internet usage. Transfers to Google LLC in the United States take place on the basis of EU Standard Contractual Clauses and, where applicable, Google’s certification under the EU–U.S. Data Privacy Framework.

Legal basis: Consent (Article 6 (1) (a) GDPR; § 165 (3) TKG 2021). You can withdraw your consent at any time with effect for the future via our cookie settings.

Data retention: We have configured Google Analytics to retain user-level and event-level data for a maximum of 12 months.

Your options:

• Decline non-essential cookies in our cookie banner, or withdraw a previously given consent at any time.

• Use Google’s opt-out browser add-on: https://tools.google.com/dlpage/gaoptout.

• Adjust your browser settings to block cookies, or use browser privacy/incognito mode.

Further information: https://policies.google.com/privacy and https://business.safety.google/privacy/.

Newsletter and Updates via Substack

We operate a newsletter and content publication on Substack (graphtx.substack.com), where we share news, research updates and other content related to our work in precision immunology. Subscribing to our Substack publication is optional and based on your consent.

When you subscribe, Substack processes your e-mail address and, depending on your interaction, additional information such as opens, clicks and IP-derived metadata. When you visit our Substack page, Substack also processes technical and usage data as described in their privacy policy. We receive aggregate and (depending on subscriber settings) limited individual information about subscribers and engagement.

You can unsubscribe at any time using the unsubscribe link in any newsletter e-mail or in your Substack account settings; this will withdraw your consent with effect for the future.

• Processed data types: Contact data (e.g. e-mail address, name, if provided); Usage data (e.g. opens, clicks); Meta/communication data (e.g. IP addresses, device information).

• Data subjects: Newsletter subscribers and visitors of our Substack page.

• Purposes of processing: Newsletter and marketing communications; analysis of newsletter performance; provision of our online services.

• Legal basis: Consent (Article 6 (1) (a) GDPR) for newsletter subscription; Legitimate Interests (Article 6 (1) (f) GDPR) for analysis of newsletter performance and operation of the Substack page.

Service provider: Substack Inc., 548 Market Street, PMB 72296, San Francisco, CA 94104, USA. Transfers to the United States take place on the basis of EU Standard Contractual Clauses and, where applicable, Substack’s certification under the EU–U.S. Data Privacy Framework.

Privacy policy: https://substack.com/privacy.

Customer Relationship Management (CRM)

For our business development, investor relations and collaboration outreach we use a customer relationship management (CRM) system. In this system we store contact details and communications history of business contacts (e.g. prospective collaborators, investors, partners and their representatives) so that we can manage and document our business relationships.

• Processed data types: Contact data (e.g. name, e-mail, telephone number, employer, role); Content data (e.g. notes, e-mail correspondence, meeting notes); Meta/communication data.

• Data subjects: Business contacts.

• Purposes of processing: Research, collaboration and fundraising; contact requests and communication.

• Legal basis: Legitimate Interests (Article 6 (1) (f) GDPR) for the maintenance and management of our business relationships; where required, Consent (Article 6 (1) (a) GDPR).

Service provider: Attio Ltd., 86–90 Paul Street, London EC2A 4NE, United Kingdom. The United Kingdom is recognised by the European Commission as offering an adequate level of data protection (adequacy decision).

Privacy policy: https://attio.com/legal/privacy.

Meeting Transcription and Productivity Tools

In selected meetings (e.g. internal discussions or external calls where participants have been informed in advance) we use a meeting transcription service to generate notes, summaries and searchable transcripts. Audio, video and/or transcripts of these meetings are processed by our service provider on our behalf. Where required by applicable law, we obtain the consent of meeting participants before recording or transcription begins.

• Processed data types: Content data (e.g. audio recordings, video, transcripts, summaries); Contact data; Meta/communication data.

• Data subjects: Meeting participants (employees, business contacts, applicants where applicable).

• Purposes of processing: Documentation of meetings, internal knowledge management, follow-up actions.

• Legal basis: Legitimate Interests (Article 6 (1) (f) GDPR) and, where required, Consent (Article 6 (1) (a) GDPR).

Service provider: Fireflies.ai (Aerolab Inc.), 2261 Market Street #4280, San Francisco, CA 94114, USA. Transfers to the United States take place on the basis of EU Standard Contractual Clauses.

Privacy policy: https://fireflies.ai/privacy_policy.pdf.

In addition, we use Google Workspace (Google Ireland Limited) for e-mail, calendar, document collaboration and storage in the course of our day-to-day operations.

Privacy policy: https://policies.google.com/privacy.

Job Application Process

The application process requires applicants to provide us with the data necessary for their assessment and selection. The information required can be found in the job description or, in the case of online forms, in the information contained therein. In principle, the required information includes personal information such as name, address, a contact option and proof of the qualifications required for a particular employment. Upon request, we will be happy to provide you with additional information.

If made available, applicants can submit their applications via an online form. The data will be transmitted to us encrypted according to the state of the art. Applicants can also send us their applications by e-mail. Please note, however, that e-mails on the Internet are generally not sent in encrypted form. As a rule, e-mails are encrypted during transport, but not on the servers from which they are sent and received. We can therefore accept no responsibility for the transmission path of the application between the sender and the reception on our server. For the purposes of searching for applicants, submitting applications and selecting applicants, we may make use of the applicant management and recruitment software, platforms and services of third-party providers in compliance with legal requirements. Applicants are welcome to contact us about how to submit their application or send it to us by regular mail.

Processing of special categories of data: If special categories of personal data within the meaning of Article 9 (1) GDPR (e.g. health data, such as severely handicapped status or ethnic origin) are requested from applicants within the framework of the application procedure, their processing shall be carried out in accordance with Article 9 (2)(b) GDPR, in the case of the protection of vital interests of applicants or other persons pursuant to Article 9 (2)(c) GDPR or for the purposes of preventive health care or occupational medicine, for the assessment of the employee’s ability to work, for medical diagnostics, care or treatment in the health or social sector or for the administration of systems and services in the health or social sector in accordance with Article 9 (2)(h) GDPR. In the case of a communication of special categories of data based on voluntary consent, their processing is carried out on the basis of Article 9 (2)(a) GDPR.

Erasure of data: In the event of a successful application, the data provided by the applicants may be further processed by us for the purposes of the employment relationship. Otherwise, if the application for a job offer is not successful, the applicant’s data will be deleted. Applicants’ data will also be deleted if an application is withdrawn, to which applicants are entitled at any time. Subject to a justified revocation by the applicant, the deletion will take place at the latest after the expiry of a period of six months, so that we can answer any follow-up questions regarding the application and comply with our duty of proof under the regulations on equal treatment of applicants. Invoices for any reimbursement of travel expenses are archived in accordance with tax regulations.

Talent pool: Admission to a talent pool, if offered, is based on consent. Applicants are informed that their consent to be included in the talent pool is voluntary, has no influence on the current application process and that they can revoke their consent at any time for the future.

• Processed data types: Job applicant details (e.g. personal data, postal and contact addresses and the documents pertaining to the application and the information contained therein, such as cover letter, curriculum vitae, certificates, etc., as well as other information on the person or qualifications of applicants provided with regard to a specific job or voluntarily by applicants).

• Data subjects: Job applicants.

• Purposes of processing: Job application process (establishment and possible later execution as well as possible later termination of the employment relationship).

• Legal basis: Job application process as a pre-contractual or contractual relationship (Article 6 (1) (b) GDPR; for special categories: Article 9 (2)(b) GDPR).

We use various online services to manage applications and communicate with applicants. You can find further information on data processing of these partners here:

Personio

We use Personio as our applicant tracking and HR management system. Application data submitted to us, including documents you provide (CV, cover letter, certificates) and any communications, is stored in Personio.

• Service provider: Personio SE & Co. KG, Seidlstraße 3, 80335 München, Germany.

• Website: https://www.personio.de.

• Privacy policy: https://www.personio.de/datenschutz/.

• Data processing agreement: https://www.personio.de/auftragsverarbeitungsvertrag/.

Profiles in Social Networks and External Online Presences

We maintain online presences within social networks and on third-party publishing platforms and process user data in this context in order to communicate with the users active there or to offer information about us.

We would like to point out that user data may be processed outside the European Union. This may entail risks for users, e.g. by making it more difficult to enforce users’ rights.

In addition, user data is usually processed within social networks for market research and advertising purposes. For example, user profiles can be created on the basis of user behaviour and the associated interests of users. The user profiles can then be used, for example, to place advertisements within and outside the networks which are presumed to correspond to the interests of the users. For these purposes, cookies are usually stored on the user’s computer, in which the user’s usage behaviour and interests are stored. Furthermore, data can be stored in the user profiles independently of the devices used by the users (especially if the users are members of the respective networks or will become members later on).

For a detailed description of the respective processing operations and the opt-out options, please refer to the respective data protection declarations and information provided by the providers of the respective networks.

Also in the case of requests for information and the exercise of rights of data subjects, we point out that these can be most effectively pursued with the providers. Only the providers have access to the data of the users and can directly take appropriate measures and provide information. If you still need help, please do not hesitate to contact us.

• Processed data types: Contact data (e.g. e-mail, telephone numbers); Content data (e.g. text input, photographs, videos); Usage data (e.g. websites visited, interest in content, access times); Meta/communication data (e.g. device information, IP addresses).

• Data subjects: Users (e.g. website visitors, users of online services).

• Purposes of processing: Contact requests and communication; feedback (e.g. collecting feedback via online form); marketing.

• Legal basis: Legitimate Interests (Article 6 (1) (f) GDPR).

LinkedIn

• Service provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland.

• Website: https://www.linkedin.com.

• Privacy policy: https://www.linkedin.com/legal/privacy-policy.

• Data processing agreement and Standard Contractual Clauses: https://legal.linkedin.com/dpa.

• Opt-out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.

Changes and Updates to the Privacy Policy

We kindly ask you to inform yourself regularly about the contents of our data protection declaration. We will adjust the privacy policy as changes in our data processing practices make this necessary. We will inform you as soon as the changes require your cooperation (e.g. consent) or other individual notification.

If we provide addresses and contact information of companies and organisations in this privacy policy, we ask you to note that addresses may change over time and to verify the information before contacting us.

Rights of Data Subjects

As data subject, you are entitled to various rights under the GDPR, which arise in particular from Articles 15 to 21 of the GDPR:

• Right to object: You have the right, on grounds arising from your particular situation, to object at any time to the processing of your personal data which is based on letter (e) or (f) of Article 6(1) GDPR, including profiling based on those provisions. Where personal data are processed for direct marketing purposes, you have the right to object at any time to the processing of the personal data concerning you for the purpose of such marketing, which includes profiling to the extent that it is related to such direct marketing.

• Right of withdrawal for consents: You have the right to revoke consents at any time.

• Right of access: You have the right to request confirmation as to whether the data in question will be processed and to be informed of this data and to receive further information and a copy of the data in accordance with the provisions of the law.

• Right to rectification: You have the right, in accordance with the law, to request the completion of the data concerning you or the rectification of the incorrect data concerning you.

• Right to erasure and right to restriction of processing: In accordance with the statutory provisions, you have the right to demand that the relevant data be erased immediately or, alternatively, to demand that the processing of the data be restricted in accordance with the statutory provisions.

• Right to data portability: You have the right to receive data concerning you which you have provided to us in a structured, common and machine-readable format in accordance with the legal requirements, or to request its transmission to another controller.

• Complaint to the supervisory authority: In accordance with the law and without prejudice to any other administrative or judicial remedy, you also have the right to lodge a complaint with a data protection supervisory authority, in particular a supervisory authority in the Member State where you habitually reside, the supervisory authority of your place of work or the place of the alleged infringement, if you consider that the processing of personal data concerning you infringes the GDPR. The competent supervisory authority in Austria is the Austrian Data Protection Authority (Datenschutzbehörde, www.dsb.gv.at).

Terminology and Definitions

This section provides an overview of the terms used in this privacy policy. Many of the terms are drawn from the law and defined mainly in Article 4 GDPR. The legal definitions are binding. The following explanations, on the other hand, are intended above all for the purpose of comprehension. The terms are sorted alphabetically.

• Controller: “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

• Personal data: “Personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

• Processing: The term “processing” covers a wide range and practically every handling of data, be it collection, evaluation, storage, transmission or erasure.