Spyre Therapeutics,
Inc.’s Privacy Statement

Last Updated: 04/08/2025

Spyre Therapeutics, Inc. (“Spyre“ or the “Company” or “us” or “we”) recognizes and respects the privacy rights of individuals regarding their personal data and are committed to complying with all applicable data privacy laws. When we address “personal data,” we mean any information relating to an identifiable natural person. This Privacy Statement explains what types of personal data we may collect from you; how and why that data are collected, used, processed and protected; as well as how to exercise any privacy rights you may have with respect to the management of your personal data. This Privacy Statement applies to information we collect about you through our interactions with you, including when you visit our website(s).

UPDATES TO THIS PRIVACY STATEMENT

We may update this Privacy Statement from time to time. Please check this Statement periodically for any changes. When we update our Privacy Statement, we will take appropriate measures to inform you, consistent with the significance of the changes we make. You can see when this Privacy Statement was last updated by checking the “last updated” date displayed at the top of this Privacy Statement.

HOW TO CONTACT US

For questions, please contact complianceofficer@spyre.com or 650-239-3102 ext. 908. You may also send requests to exercise rights with respect to your data to privacy@spyre.com.

WHAT PERSONAL DATA DOES SPYRE COLLECT ABOUT YOU

Spyre may collect, use, store, process, and or share personal data from the following broad categories:

• Identity Data: Includes, for example, name, marital status, title, social security or similar national identification number, date of birth, and gender.
• Contact Data: Includes, for example, physical address, billing address, email address, and telephone number(s).
• Financial Data: Includes, for example, bank account, payment card details, insurance information, and payroll data.
• Transaction Data: Includes, for example, details related to payments and other details regarding services you have received from the Company.
• Technical Data: Includes, for example, internet protocol (IP) address, login data, browser type and version, time zone and location settings, location, browser plug-in types and versions, operating system, platform, and other technology on the devices you use to access Spyre’s website.
• Profile Data: Includes, for example, your username and password to access any authenticated area of our website(s), your preferences, and feedback and survey responses.
• Usage Data: Includes, for example, information about how you use our website, products, and services.
• Marketing and Communications Data: Includes, for example, your preferences in receiving materials regarding our products and services communications from Spyre and our third parties in addition to your communication preferences.
• Special Categories of Personal Data: Includes information that most people would consider sensitive, for example, details about your race or ethnicity, sexual orientation, information about your health, and genetic and biometric data.

HOW SPYRE COLLECTS PERSONAL DATA ABOUT YOU

Information that you provide to us directly and voluntarily

You may choose to interact with us directly by completing forms or corresponding with us by electronic or written means or even by speaking to us over the phone. For example, you might sign up to receive clinical, educational, disease awareness, promotional or other information from Spyre; you might provide us with feedback or complete a survey; you might send us unsolicited information; or might otherwise express interest in participating in our offerings or research programs. During such interactions we will ask you to provide certain information voluntarily, which may include various categories of data like Identity Data, Contact Data, and in some instances, Special Categories of Personal Data.

Information that we collect automatically

When you visit and interact with our website(s), we may collect certain information automatically from you and about you, such as Technical Data, which may include information from your device like your IP address, device type, unique device identification numbers, browser-type, preference settings, broad geographic location (e.g., country or city-level location) and other technical information. Some of this information is collected using cookies and similar tracking technologies. Collecting this information enables us to better understand the visitors who come to our website(s), where they come from, and what content on our website(s) is of interest to them. We use this information, including information collected using such technologies, for our internal analytics and marketing purposes, to improve the quality and relevance of our website(s) to our visitors, to track and respond to concerns, and to comply with regulatory monitoring and reporting obligations. You can find more information about our use of cookies and other tracking technologies in our “Cookies and Other Tracking Technologies” section below.

Information we receive from third parties (or publicly available sources)

We may receive categories of personal data about you from various third parties and public sources, such as:

• Technical Data from analytics providers such as Google, advertising networks, and search information providers.
• Contact Data, Financial Data, and Transaction Data from providers of technical, payment, and delivery services.
• Identity Data and Contact Data from publicly available sources.
• Special Categories of Personal Data, which may include health data, from, e.g., our service providers, collaborators or business partners who assist us in our work and the offerings we may provide.

HOW SPYRE USES YOUR PERSONAL DATA

Spyre and/or our affiliates or service providers may use your personal data for various relevant purposes including, for example, to:

• Communicate with you;
• Provide you with offerings for which you expressed interest;
• Help us develop additional products and services that are likely to be of interest to you or others like you, or those you care for;
• Investigate or respond to issues such as complaints, security threats or preventative measures against bad actors;
• Help us evaluate and modify our existing products and services;
• Comply with or fulfill a request that you have made;
• Maintain and develop our business or professional relationship with you (as applicable);
• Conduct depersonalized and aggregate statistical studies and research related to our products and services and the use of websites to help us understand trends and needs;
• As necessary, recognize you and allow you to log-on to certain pages and features for which you have registered;
• Exercise our legal and regulatory rights and obligations, including taking actions in furtherance of study participant safety; and
• Conduct and evaluate audits (such as compliance or corporate audits).

MARKETING USE OF YOUR PERSONAL DATA

We strive to provide you with choices regarding certain personal data uses, particularly around communications related to Spyre, our products and services. We may use your categorized Identity Data, Contact Data, Technical Data, Usage Data, and Profile Data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which services and materials may be relevant for you. We have established the following personal data control mechanisms:

• Opting in. You will receive certain communications from us if you have requested information from us and opted-in to receive such communications.
• Consent to third-party marketing. We will not share your personal data for marketing purposes with any company outside of Spyre and its service provider network unless you provide your express opt-in consent to do so.
• Opting out. You can ask us or third parties to stop sending you marketing messages at any time by following the opt-out links on any marketing message sent to you. Remember, however, that even if you opt-out of receiving these marketing communications, Spyre will still communicate with you to provide an offering that you request.
• Online Analytics. Spyre may use third-party web analytics services (such as, for example, Google Analytics) on our website(s) to collect and analyze the information discussed in this Statement, and to engage in auditing, research or reporting. The information (including your IP address) collected by various analytics technologies will be disclosed to or collected directly by these service providers, who evaluate information, including by noting the third-party website(s) from which you arrive, analyzing usage trends, assisting with fraud prevention, and providing certain features to you. To prevent Google Analytics from using your information for analytics, you may install the Google Analytics Opt-out Browser Add-on by visiting http://tools.google.com/dlpage/gaoptout.

HOW SPYRE SHARES YOUR PERSONAL DATA

We do not sell your personal data. We may share your personal data with the following categories of parties for the purposes described in this Statement:

• Internal and Affiliated Parties: Individuals or groups within our Company or within our family of companies, like subsidiaries, parents or related corporate entities.
• Partners: Entities, service providers, consultancies or academic institutions, with whom we have formal professional relationships.
• External Third Parties: Entities or individuals whose services we have formally retained to perform services on our behalf and help further our business requirements, including without limitation, for professional services, research, communications, technological maintenance, data storage, system administration, and data analysis and processing.
• Parties as part of a business transaction: Third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this Privacy Statement.
• Government Authorities: Government agencies, regulators and authorities as may be advisable under or required by law.

We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

OUR BASIS FOR HANDLING YOUR PERSONAL DATA

Spyre will only collect, process, and use the personal data described above where applicable laws allow us to do so. Simply put, we will do so only when we have your consent and/or when we have a legitimate business interest. In some cases, we may also have a legal or regulatory obligation to collect personal information from you, such as if there is a requirement to report an adverse event for our products. Please note that we may process your personal data based upon more than one lawful basis and legitimate interest depending upon the specific purpose(s) for which we are using the personal data. Spyre’s primary legitimate interests include the research, development, production, and promotion of next generation therapeutics at the heart of our corporate mission.

If you have questions about or need further information concerning the legal basis on which we collect and use your personal data, please contact us using the contact details provided under the “How To Contact Us” section above.

HOW SPYRE PROTECTS YOUR PERSONAL DATA

We have put in place technical and organizational security measures to prevent your personal data from being accidentally lost, impermissibly altered, disclosed, used, or accessed in an unauthorized way while it is under our control. In addition, we limit access to your personal data to those employees, agents, designees, and other third parties who have a business need to do so. Those parties will only process your personal data on our instructions and they are subject to a duty of confidentiality.

We have implemented reasonable procedures to guard against and address data breaches. In the unlikely event of a breach implicating your personal data that requires notification, we will do so and fulfill all our related legal obligations.

COOKIES AND OTHER TRACKING TECHNOLOGIES

As we have stated earlier, we may automatically collect some personal data when you visit and engage with our website(s) using Internet server logs, cookies, beacons, and/or other tracking technologies.

Cookies are small files that are automatically stored on your computer when you visit a website. Cookies are used to (a) recognize your device; (b) store your preferences and settings; (c) understand the web pages of the website you have visited; (d) perform searches and analytics; and (e) assist with security functions. Cookies perform many functions, such as allowing you to navigate between pages efficiently, remembering your preferences, and generally improving the user experience.

A web server log is a file where website activity is stored. An IP address is a number assigned to your device whenever you access the Internet that allows devices and servers to recognize and communicate with each other. Spyre may collect IP addresses to conduct system administration and report aggregate information to affiliates, business partner and/or service providers to conduct website and application analysis and performance reviews.

Beacons are small strings of code that are placed in websites, email messages, and/or online ads. Sometimes called "tracking pixels" or “pixel tags,” beacons are most often used in conjunction with cookies to track activity on websites. Since beacons are typically used in combination with cookies, if you disable cookies the beacons will only detect an anonymous website visit. When used in an email, beacons enable us to know whether you have received or opened the email and may be used for other analytics, personalization, and advertising.

If you do not wish to have cookies on your system, you can set your browser preferences to refuse them or to alert you when cookies are being sent. You are able to change our setting to notify you when a cookie is being placed or to block cookies altogether. For additional information, consult your browser's “Help” section because controls and settings vary by browser. If you choose to decline all cookies, you may not be able to fully experience all the features of our website(s). Some web browsers may transmit “do-not-track” signals to websites with which the browser communicates. Websites linked to this Privacy Statement do not currently respond to these “do-not-track” signals.

HOW LONG WE WILL RETAIN YOUR PERSONAL DATA

We will only retain your personal data for as long as necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

In some circumstances we may anonymize your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.

EFFECT OF OTHER PRIVACY STATEMENTS OR NOTICES

Spyre may have additional privacy statements or notices that are directed to and tailored for the different ways your personal data is collected. For example, applicants for employment may be provided with a separate privacy statement and clinical trial participants are provided with separate notices related to their personal data as collected for the trials.

If you receive a privacy statement or notice provided to you for a specific purpose, the terms of the more specific statement or notice will control to the extent that other statements or notices may differ from this Privacy Statement.

LINKS TO OTHER SITES

Spyre may offer links to other sites that we believe may offer useful information to visitors of our website(s). The inclusion of a link on the Spyre website(s) does not imply our endorsement of the linked site or service. Spyre is not responsible for content that exists on third party websites. When you click on one of these links, you will be transferred from the website and be connected to the site of the organization or company that you selected. At such point, this Privacy Statement will not apply to your activity on the non-Spyre website(s). Each of these linked sites maintains its own independent privacy policies and procedures, which you should consult before providing any of your personal information.

Please note that linked third-party websites may also use cookies or other tracking technologies. We cannot control the use of cookies or other tracking technologies by any such third-party websites. For example, when you link from this site to a third-party website, that website may have the ability to recognize that you have come from our site by using cookies. If you have any questions about how third-party websites use cookies, you should contact such third parties directly.

After choosing to move to a third-party’s website, our Privacy Statement will no longer apply.

CHILDREN’S PRIVACY

We do not intend for our website(s) or online services to be used by anyone under the age of 18. In some limited instances we may collect personal data about children, but we will do so only with the proper consent of a parent or guardian. We do not otherwise knowingly collect or solicit data about or from children without the express consent of a parent or guardian. If a parent or guardian becomes aware that his or her child has provided us with personal data without proper adult consent, he or she should contact us as described in the “How to Contact Us” section above. In such an event, we will take reasonable steps to delete such data.

We do not knowingly collect personal data from children under the age of 13 on our website. If we become aware that we have collected personal data from children under the age of 13 on our website, we will take reasonable steps to delete such data.

NOTICE TO CALIFORNIA RESIDENTS

California's Shine the Light Law (California Civil Code Section 1798.83) permits certain California residents who are individual customers to request certain information regarding its disclosure of "personal information" to third parties for their direct marketing purposes. To make such a request, please contact us using our contact information listed in the “How to Contact Us” section above.

Be sure to include your name and address. You can include your email address if you want to receive a response by email. Otherwise, we will respond by postal mail within the time required by law.

NOTICE TO NEVADA RESIDENTS

Section 603A of the Nevada Revised Statutes permits certain Nevada residents who are "consumers" to submit a request at any time to an "operator" of a website in Nevada directing the operator not to make any sale of any "covered information" the operator has collected or will collect about the consumer. Spyre does not currently "sell" or plan to sell covered information as defined in the Nevada law. If you are a Nevada resident, you may submit a verified request by contacting us by sending an email or contacting us by using the information provided in the “How to Contact Us” section above.

SUPPLEMENTAL EUROPEAN ECONOMIC AREA ("EEA") and UNITED KINGDOM ("UK") PRIVACY STATEMENT

If you are resident within European Union ("EU"), European Economic Area or United Kingdom, please read this section carefully as it will supplement the other provisions of this Privacy Statement.

1. How We Use Your Personal Data

We will use your personal data only when the law allows us to do so. Most commonly, we will use your personal data in the following circumstances:

• Where you have given us your consent, for a specific purpose.
• Where we need to perform the contract, we are about to enter into or have entered into with you.
• Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
• Where we need to comply with a legal or regulatory obligation.
• Where necessary for scientific research purposes.
• Where we need to protect your vital interests or the vital interests of another natural person.
• Where it is needed in order to perform a task in the public interest or to exercise official authority.

Generally, you will have the right to withdraw your consent at any time by contacting us using the contact information listed in the “How to Contact Us” section above.

We have set out below, in a table format, a description of all the ways we may use your personal data, and which of the corresponding legal bases we rely upon to do so. We have also identified what our legitimate interests are where appropriate.

Note that we may process your personal data for more than one lawful basis depending on the specific purpose for which we are using your data. Please contact us if you need additional details about the specific legal basis we are relying on to process your personal data where more than one basis has been set out in the table below.

2. Change of Purpose

We will only use your personal data for the purposes for which we collected it, unless we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

3. Clinical Trials

To the extent that Spyre may undertake clinical trial studies within the EEA or UK, we may also use information from clinical trial participants’ medical records and other health data in order to conduct clinical or scientific research to improve healthcare. Spyre may contract with specialized service providers, such as Contract Research Organizations (“CROs”), clinical trial sites or other service partners, typically as data processors, to collect the personal data of the participants of the clinical trial and to manage the clinical trials that we sponsor. We may then process key-coded or pseudonymized personal data of clinical trial participants which means that we do not have direct or immediate access to their identifiable personal data (except, for example, to comply with legal requirements such as those related to our pharmacovigilance obligations).

We would have a legitimate interest in using information related to your health for research studies when you agree to take part in a research study by providing your informed consent to participate. Our exception to the general provision at Article 9(1) of the GDPR not to process special categories of data is that processing is necessary for scientific research purposes in accordance with Article 89 of the GDPR. This means that we will use your personal data collected in the course of a research study when we act as the data controller for such studies in the ways needed to conduct and analyze the research study. Your rights to access, change or move your personal data may be limited, as we need to manage your information in specific ways in order for the research to be reliable and accurate. If you withdraw from the study, we will keep the information about you that we have already obtained. To safeguard your rights, we will use only the minimum personal data needed for these purposes.

In addition, the personal data of potential and actual site investigators, employees or contractors may also be collected directly by Spyre or through the CRO that we may work with and is typically used, for example, to verify the individual’s qualifications, satisfy documentation requirements for the purpose of the clinical trial, to verify financial disclosures to avoid any conflict of interest and to otherwise conduct and analyze the research study.

Please see the "How We Use Your Personal Data" section of this Supplemental Statement above for additional information about the collection and use of personal data.

4. International Transfers of Personal Data

Spyre is based outside the EEA and the UK, so the processing of your personal data may involve a transfer of data outside the EEA or the UK.

Whenever we transfer your personal data out of the EEA or UK, we ensure an adequate and similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

• We will only transfer your personal data to countries or entities that have been deemed by the applicable supervisory authority to provide an adequate level of protection for personal data;
• We will only transfer your personal data to countries or entities pursuant to the terms of binding agreement to and compliance with standard contractual clauses or binding corporate rules, each as approved by the European Commission or other regulators, as applicable;
• We will only transfer your personal data to countries or entities pursuant to the consent of the individual to whom the personal data pertains; or
• We will only transfer your personal data to countries or entities as otherwise authorized by the EEA or UK or permitted by applicable EEA or UK requirements.

5. Your Data Protection Rights

This section provides information on the rights that you have under EEA or UK law in relation to your personal data. Under certain circumstances, individuals located in the EEA or UK have the following data protection rights:

• To access their personal data.
• To correct their personal data.
• To erase their personal data.
• To object to the processing of their personal data.
• To restrict the processing of their personal data.
• To transfer their personal data.
• To not be subject to a decision based solely on automated processing, including profiling.
• To withdraw any consent that they have previously provided for the processing of their personal data.

To exercise any of the rights described above, please send a message to privacy@spyre.com. Please be aware that your rights in relation to clinical research data may be limited.

For advice or to make a complaint, you can also contact the applicable Supervisory Authority within the EEA at this link (https://edpb.europa.eu/about-edpb/board/members_en) or the Information Commissioner's Office within the UK at this link (https://ico.org.uk/make-a-complaint/).

You will not have to pay a fee to access your personal data or to exercise any of the other rights. However, we may charge a reasonable fee or refuse to comply with your request if it is clearly unfounded, repetitive or excessive.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

We try to respond to all legitimate requests in a timely fashion and as may be required by applicable law. Occasionally it may take us longer than usual if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.