PRIVACY POLICY
Effective as of February 10, 2025
This Privacy Policy describes the privacy practices of Vigil Neuroscience, Inc. and our subsidiaries and affiliates (collectively, “Vigil”, “we”, “us”, or “our”) and how we handle personal information that we collect through our website (https://www.vigilneuro.com/) and any other website that we own or control and which posts to this Privacy Policy (collectively, the “Service”). Vigil may provide additional or supplemental privacy policies to individuals for specific products or services that we offer at the time we collect personal information, for example, in connection with our clinical trials or patient advocacy. These supplemental privacy policies govern how we may process your information in the context of the specific product or service.
Personal information we collect and how we receive it
1. Information you provide to us. Personal information you provide to us through the Service or otherwise may include:
· Contact details, such as your first and last name, email and mailing addresses, phone number, professional title and company name.
· Communications that we exchange with you, including when you contact us with questions, feedback, or otherwise.
· Registration information, such as information that may be related to a product or an event for which you register.
· Other data not specifically listed here, which we will use as described in this Privacy Policy or as otherwise disclosed at the time of collection.
2. Information we obtain from third parties:
Social media information. We may maintain pages on social media platforms, such as X and LinkedIn. When you visit or interact with our pages on those platforms, the platform provider’s privacy policy will apply to your interactions and their collection, use and processing of your personal information. You or the platforms may provide us with information through the platform, and we will treat such information in accordance with this Privacy Policy.
Other Sources. We may obtain your personal information from other third parties, such as marketing partners, publicly-available sources and data providers.
3. Automatic data collection. We, our service providers, and our business partners may automatically log information about you, your computer or mobile device, and your interaction over time with the Service, our communications and other online services, such as:
Device data, such as your computer’s or mobile device’s operating system type and version, manufacturer and model, browser type, screen resolution, RAM and disk size, CPU usage, device type (e.g., phone, tablet), IP address, unique identifiers, language settings, mobile device carrier, radio/network information (e.g., WiFi, LTE, 3G), and general location information such as city, state or geographic area.
Online activity data, such as pages or screens you viewed, how long you spent on a page or screen, the website you visited before browsing to the Service, navigation paths between pages or screens, information about your activity on a page or screen, access times, and duration of access.
Cookies and similar technologies. Like many online services, we use the following tracking technologies:
Cookies, which are text files that websites store on a visitor’s device to uniquely identify the visitor’s browser or to store information or settings in the browser for the purpose of helping you navigate between pages efficiently, remembering your preferences, enabling functionality, and helping us understand user activity and patterns. We use session and persistent cookies. Session cookies are deleted when you close your browser. Persistent cookies may remain even after you close your browser, but always have an expiration date. Some of the cookies placed on your device through our Service are first-party cookies which are placed directly by us. Other parties, such as Google, may also set their own (third-party) cookies through our Service. Please refer to the policies of these third parties to learn more about the way in which they collect and process information about you. Please also refer to our cookie banner(s) for more information on the types of cookies used on our websites.
Local storage technologies, like HTML5 and Flash, that provide cookie-equivalent functionality but can store larger amounts of data, including on your device outside of your browser in connection with specific applications.
Web beacons, also known as pixel tags or clear GIFs, which are used to demonstrate that a webpage or email was accessed or opened, or that certain content was viewed or clicked.
Your choices regarding the use of cookies and similar technologies
You have the following choices with respect to your personal information:
1. Online tracking opt-out. There are a number of ways to opt out of having your online activity and device data collected through our Service, which we have summarized below. You have the right to opt out of the following types of cookies, namely, functional cookies, performance cookies, analytics cookies, and advertising cookies.
Blocking cookies in your browser. Most browsers let you remove or reject cookies. To do this, follow the instructions in your browser settings. Many browsers accept cookies by default until you change your settings. For more information about cookies, including how to see what cookies have been set on your device and how to manage and delete them, visit allaboutcookies.org.
Use the following links to learn more about how to control cookies and online tracking through your browser:
Update your cookie consent preferences. You can update your cookie consent preferences using our consent preferences center available on our websites.
2. Do Not Track. Some Internet browsers may be configured to send “Do Not Track” signals to the online services that you visit. We currently do not respond to “Do Not Track” or similar signals. To find out more about “Do Not Track,” please visit http://www.allaboutdnt.com.
How we use your personal information
We use your personal information for the following purposes and as otherwise described in this Privacy Policy or at the time of collection:
1. Service delivery. We use your personal information to:
· provide, operate and improve the Service and our business;
· provide information about our products and Services;
· communicate with you about the Service, including by sending announcements, updates, security alerts, and support and administrative messages;
· communicate with you about events in which you participate;
· understand your needs and interests, and personalize your experience with the Service and our communications; and
· provide support for the Service, respond to your requests, questions and feedback.
2. Research and development. We may use your personal information for research and development purposes, including to analyze and improve the Service and our business. As part of these activities, we may create aggregated, de-identified or other anonymous data from personal information we collect. We make personal information into anonymous data by removing information that makes the data personally identifiable to you. We may use this anonymous data and share it with third parties for our lawful business purposes, including to analyze and improve the Service and promote our business.
3. Compliance and protection. We may use your personal information to:
· comply with applicable laws, lawful requests, and legal process, such as to respond to subpoenas or requests from government authorities;
· protect our, your or others’ rights, privacy, safety or property (including by making and defending legal claims);
· audit our internal processes for compliance with legal and contractual requirements and internal policies;
· enforce the terms and conditions that govern the Service; and
· prevent, identify, investigate and deter fraudulent, harmful, unauthorized, unethical or illegal activity, including cyberattacks and identity theft.
How we share your personal information
We may share your personal information with the following parties and as otherwise described in this Privacy Policy or at the time of collection:
Affiliates. Our corporate parent, subsidiaries, and affiliates, for purposes consistent with this Privacy Policy.
Service providers. Companies and individuals that provide services on our behalf or help us operate the Service or our business, including:
· Hosting providers
· Information technology providers
· Payment processors
· Customer support service providers
· Email delivery service providers
· Website analytics service providers
Professional advisors. Professional advisors, such as lawyers, auditors, bankers and insurers, where necessary in the course of the professional services that they render to us.
Authorities and others. Law enforcement, government authorities, and private parties, as we believe in good faith to be necessary or appropriate for the compliance and protection purposes described above.
Business transferees. Acquirers and other relevant participants in business transactions (or negotiations for such transactions) involving a corporate divestiture, merger, consolidation, acquisition, reorganization, sale or other disposition of all or any portion of the business or assets of, or equity interests in, Vigil or our affiliates (including, in connection with a bankruptcy or similar proceedings).
Please keep in mind that whenever you voluntarily make your personal information available for viewing by third parties or the public on or through our Service, that information can be seen, collected and used by others. We are not responsible for any use of such information by others.
International data transfer
We are headquartered in the United States and may use service providers that operate in other countries. Your personal information may be transferred to the United States or other locations where privacy laws may not be as protective as those in your state, province, or country.
Other sites and services
The Service may contain links to websites and other online services operated by third parties. In addition, our content may be integrated into web pages or other online services that are not associated with us. These links and integrations are not an endorsement of, or representation that we are affiliated with, any third party. We do not control websites or online services operated by third parties, and we are not responsible for their actions.
Security
We employ a number of technical, organizational and physical safeguards designed to protect the personal information we collect from unauthorized processing, including unauthorized access, disclosure, alteration, or destruction. However, no security measures are failsafe and we cannot guarantee the security of your personal information.
Children
The Service is not intended for use by children under 16 years of age. If we learn that we have collected personal information through the Service from a child under 16 without the consent of the child’s parent or guardian as required by law, we will delete it.
Job applicants
When you visit the “Careers” portion of our website, we collect the information that you provide to us in connection with your job application. This includes business and personal contact information, professional credentials and skills, educational and work history, and other information of the type that may be included in a resume. This may also include diversity information that you voluntarily provide. We use this information to facilitate our recruitment activities and process employment applications, such as by evaluating a job candidate for an employment activity, and monitoring recruitment statistics. We may also use this information to provide improved administration of the website, and as otherwise necessary (a) to comply with relevant laws or to respond to subpoenas or warrants served on Vigil; (b) to protect and defend the rights or property of Vigil or others; (c) in connection with a legal investigation; and/or (d) to investigate or assist in preventing any violation or potential violation of the law, this Privacy Policy, or Vigil’s Terms of Use.
Visitors from the United Kingdom (“UK”) and European Economic Area (“EEA”)
Controllership role
For personal data subject to the EU or UK General Data Protection Regulation, within the scope of this Privacy Policy, Vigil acts as a data controller for the personal information that we process. This means that we alone determine the purposes and means of the processing of your personal information.
Lawful basis of processing
We may process your personal information on the basis of:
· your consent;
· the need to perform a contract with you;
· our legitimate interests or those of a third party, such as our interest in marketing our Services;
· the need to comply with the law; or
· any other ground, as required or permitted by law.
Where we receive your personal information as part of providing our Service to you based on a contract, we require such personal information to be able to carry out the contract. Without that necessary personal information, we will not be able to provide the Service to you.
Where we process personal information on the basis of our legitimate interests, we will always do so after a careful assessment which requires balancing your right to privacy and our legitimate interests. You have the right to ask us more about how we decided to choose this legal basis. To do so, please use the contact details below.
How long we retain your personal information
We will retain your personal information for as long as is necessary to fulfil the purpose for which we collected it (as listed above) and any other permitted linked purpose, and in compliance with our data retention policies as applicable from time to time. For example, we will retain and use your personal information to the extent necessary to comply with our legal obligations (for example, if we are required to retain your data to comply with applicable laws), resolve disputes, and enforce our legal agreements and policies.
Transfers outside of the EEA, the UK, or Switzerland
When your personal information is safeguarded by the EU or UK General Data Protection Regulation, or Swiss data protection law, before sending it to parties outside of the EEA, the UK, or Switzerland, we will either obtain your consent or ensure that the third party maintains the same level of privacy and security for your personal information as we do.
In some cases, the authorities of a country may have determined that the laws of other countries, territories or sectors within a country provide a level of protection equivalent to domestic law. You can see here the list of countries, territories and specified sectors that the European Commission recognized as providing an adequate level of protection for personal information, here the list of the UK, and here the list of Switzerland.
We are accountable for the protection of your personal information when we transfer it to others. We either send it to a country, territory or sector within a country that is recognized as providing the same level of personal information protection as the country of origin, or use safeguards like the Standard Contractual Clauses approved by the European Commission under Article 46.2 of the GDPR, with necessary adjustments for transfers from the UK or Switzerland, or use specific transfer instruments like the UK International Data Transfer Agreement.
What privacy rights you have
You have specific rights regarding your personal information that we collect and process.
To exercise your data protection rights, please email us at dataprivacy@vigilneuro.com. Provide as much information as you consider fit to help us identify you and swiftly treat your request.
Right to know what happens to your personal information
This is called the “right to be informed”. It means that you have the right to obtain from us all information regarding our data processing activities that concern you, such as how we collect and use your personal information, how long we will keep it, and who it will be shared with, among other things.
We are informing you of how we process your personal information with this Privacy Policy.
Right to know what personal information Vigil has about you
This is called the “right of access”. This right allows you to ask for full details of the personal information we hold about you.
Once we receive and confirm that the request came from you or your authorized agent, we will disclose to you:
· the categories of your personal information that we process;
· the categories of sources for your personal information;
· our purposes for processing your personal information;
· where possible, the retention period for your personal information or, if not possible, the criteria used to determine the retention period;
· the categories of third parties with whom we share your personal information;
· if we carry out automated decision-making, including profiling, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for you;
· the specific pieces of personal information we process about you in an easily sharable format;
· the categories of parties that received your personal information from us;
· if we rely on legitimate interests as a lawful basis to process your personal information, the specific legitimate interests; and
· the appropriate safeguards used to transfer personal information from the EEA, UK, or Switzerland to a third country, if applicable.
Under some circumstances, we may deny your access request. In that event, we will respond to you with the reason for the denial.
Right to correct your personal information
This is called the “right to rectification”. It gives you the right to ask us to correct anything that you think is wrong with the personal information we have on file about you (or your child), and to complete any incomplete personal information.
Right to delete your personal information
This is called the “right to erasure”, “right to deletion”, or the “right to be forgotten”. This right means you can ask for your personal information to be deleted.
Sometimes we can delete your information, but other times it is not possible for either technical or legal reasons. If that is the case, we will consider if we can limit how we use it. We will also inform you of our reason for denying your deletion request.
Right to ask us to limit how we process your personal information
This is called the “right to restrict processing”. It is the right to ask us to only use or store your personal information for certain purposes. You have this right in certain instances, such as where you believe the data is inaccurate or the processing activity is unlawful.
Right to ask us to stop using your personal information
This is called the “right to object”. This is your right to tell us to stop using your personal information. You have this right where we rely on a legitimate interest of ours (or of a third party). You may also object at any time to the processing of your personal information for direct marketing purposes.
We will stop processing the relevant personal information unless: (i) we have compelling legitimate grounds for the processing that override your interests, rights, or freedoms; or (ii) we need to continue processing your personal information to establish, exercise, or defend a legal claim.
Right to port or move your personal information
This is called the “right to data portability”. It is the right to ask for and receive a portable copy of your personal information that you have given us, so that you can:
· move it;
· copy it;
· keep it for yourself; and/or
· transfer it to another organization.
We will provide your personal information in a structured, commonly used, and machine-readable format. When you request this information electronically, we will give you a copy in electronic format.
Right related to automated decision making
We sometimes use computers to study your personal information. For decisions that may seriously impact you, you have the right not to be subject to automatic decision-making, including profiling. But in those cases, we will always explain to you when we might do this, why it is happening and the effect.
Right to withdraw your consent
Where we rely on your consent as the legal basis for processing your personal information, you may withdraw your consent at any time. If you withdraw your consent, our use of your personal information before you withdraw is still lawful.
As discussed above, if we requested your consent to process your personal information, you have the right to withdraw your consent at any time. However, this will not affect the lawfulness of our processing before you withdrew your consent. It will also not affect processing performed on other lawful grounds.
Right to lodge a complaint with a supervisory authority
If the GDPR applies to our processing of your personal information, you have the right to lodge a complaint with a supervisory authority if you are not satisfied with how we process your personal information.
Specifically, you can lodge a complaint in the Member State of the European Union of your habitual residence, place of work, or the alleged violation of the GDPR, or in the United Kingdom, in case of violation of the UK GDPR.
How to contact us
You can reach us by email at dataprivacy@vigilneuro.com or at the following mailing address:
Vigil Neuroscience, Inc.
Attn: Data Privacy
100 Forge Road
Suite 700
Watertown, MA 02472 USA
You can also contact us using one of the contact methods below:
Vigil’s Data Protection Officer
VeraSafe, LLC
Address: 100 M Street S.E., Suite 600, Washington, D.C. 20003 USA
Phone: +1-617-398-7067
Email address: experts@verasafe.com
Vigil’s Data Protection Representative in the EU
VeraSafe Netherlands BV
Keizersgracht 555
Amsterdam 1017 DR
The Netherlands
Phone: +420 228 881 031
Contact form: www.verasafe.com/privacy-services/contact-article-27-representative
Vigil’s Data Protection Representative in the UK
VeraSafe United Kingdom Ltd.
37 Albert Embankment, London SE1 7TL, United Kingdom
Phone: +44 (20) 4532 2003
Contact form: www.verasafe.com/privacy-services/contact-article-27-representative
Changes to this Privacy Policy
We reserve the right to modify this Privacy Policy at any time. If we make material changes to this Privacy Policy, we will notify you by updating the date of this Privacy Policy and posting it on the Service. If required by law we will also provide notification of changes in another way that we believe is reasonably likely to reach you, such as via email or another manner through the Service. Any modifications to this Privacy Policy will be effective upon our posting the modified version (or as otherwise indicated at the time of posting). In all cases, your use of the Service after the effective date of any modified Privacy Policy indicates your acceptance of the modified Privacy Policy.