Privacy Policy.
How Burna AI collects, uses, discloses, and protects personal information through the public website and pre-contract interactions. PHI handling on the platform is governed separately by the executed Business Associate Agreement.
This document is a structural draft prepared for review by legal counsel before public release. Not for production publish until reviewed and approved by Burna AI's privacy counsel. Effective date will be set on counsel approval.
01 Effective Date
Effective Date: To be set on counsel approval. Last reviewed: To be set on counsel approval.
This Privacy Policy will become effective on the date set by Burna AI following review and approval by privacy counsel. Until that date, this document is a non-binding draft and does not govern any data practices.
02 Introduction
Burna AI, Inc. ("Burna AI," "we," "us," or "our") provides a software platform used by cancer centers, pharmaceutical sponsors, biotechnology companies, and contract research organizations in connection with oncology clinical operations and drug safety workflows.
This Privacy Policy explains how Burna AI collects, uses, discloses, and protects personal information through its public website at burna.ai and related domains (the "Website"), and in connection with prospective customer and design partner interactions, marketing communications, and resource downloads (collectively, the "Services covered by this Policy").
Who this Policy covers
- Visitors to the Website.
- Individuals who submit inquiries, request demos, sign up for the quarterly briefing or other email communications, download briefs and resources, or participate in scoping conversations regarding potential pilots or design partnerships.
- Prospective customer and design partner personnel (clinical, administrative, legal, security, procurement) who interact with Burna AI before a customer agreement is executed.
When Burna AI provides its platform to a HIPAA Covered Entity or to another Business Associate, Burna AI acts as a Business Associate as defined under HIPAA. In those cases, Burna AI's handling of Protected Health Information ("PHI") is governed by the executed Business Associate Agreement ("BAA") and the underlying customer agreement, not by this Privacy Policy. The Website does not collect PHI.
Burna AI may provide additional privacy notices for specific products, regions, or processing activities (for example, a Cookie Policy, a Subprocessor List, and region-specific notices). Where another notice applies, that notice supplements this Policy.
03 Information We Collect
We collect the categories of personal information described below. The specific information we collect depends on how you interact with the Website and Services covered by this Policy.
3.1 Information you provide to us
- Identifiers and contact information. Name, business email address, telephone number, postal address, professional title or role, and employer or institution name.
- Account and inquiry information. Information you provide when you contact us, request a demonstration, request a brief or other resource, register for an event, or participate in a scoping conversation about a potential pilot or design partnership.
- Commercial and engagement information. Information shared during pre-contract conversations, including stated needs, evaluation criteria, technical environment summaries, and procurement timelines, to the extent voluntarily provided.
- Communications. The content of emails, web form submissions, voicemails, scheduling notes, and other communications you send to us.
- Marketing preferences. Email subscription preferences and unsubscribe selections.
3.2 Information collected automatically
- Internet and network activity information. Internet Protocol (IP) address, browser type and version, operating system, device identifiers, device type, language preferences, referring and exit pages, pages viewed, links clicked, dates and times of access, and approximate location derived from IP address.
- Cookies and similar technologies. As described in Section 9 and in the separate Cookie Policy.
3.3 Information from third parties
- Service providers who help us operate the Website, deliver email, or analyze Website usage.
- Publicly available professional sources (for example, business directories and professional networking platforms) used to verify or supplement contact information provided to us.
- Partners and referrers who introduce you to Burna AI with your knowledge.
3.4 Inferences
Based on the information above, we may draw limited inferences about a visitor's professional role, organization type (for example, academic medical center, pharmaceutical sponsor, contract research organization), and likely interest in particular Burna AI resources.
3.5 What we do not collect through the Website
The Website is not designed to collect PHI, payment card information, government identification numbers, or sensitive personal information beyond what is reasonably necessary to respond to a business inquiry. Please do not submit such information through the Website. PHI handling on the Burna AI platform is governed by the applicable customer agreement and BAA.
04 How We Use Information
For individuals in jurisdictions that require a lawful basis for processing, we identify the basis or bases on which we rely under the European Union General Data Protection Regulation ("GDPR") and the United Kingdom General Data Protection Regulation ("UK GDPR").
4.1 Purposes of processing
- Respond to inquiries and requests. Reply to questions, fulfill brief and resource download requests, arrange demonstrations, and provide requested information. Lawful bases: performance of a contract or pre-contract steps (GDPR Art. 6(1)(b)); legitimate interests (Art. 6(1)(f)).
- Deliver resources and communications. Provide the materials you request. Lawful bases: contract or pre-contract steps; legitimate interests; consent where required (Art. 6(1)(a)).
- Send marketing communications. Quarterly briefing, Clinical Intelligence Weekly, event invitations, product updates. Lawful bases: consent; legitimate interests in promoting our Services where permitted.
- Evaluate fit for pilots and design partnerships. Assess whether a prospective customer or design partner is a good fit. Lawful bases: pre-contract steps; legitimate interests.
- Operate, maintain, and improve the Website. Monitor performance, analyze usage trends, debug issues, develop new features. Lawful bases: legitimate interests in operating a secure and effective Website.
- Security, fraud prevention, and protection of rights. Detect, investigate, and prevent fraudulent, unauthorized, or unlawful activity. Lawful bases: legitimate interests; legal obligation (Art. 6(1)(c)); establishment, exercise, or defense of legal claims.
- Comply with legal obligations. Comply with laws, regulations, court orders, and lawful requests by public authorities. Lawful bases: legal obligation; legitimate interests.
- Corporate transactions. Evaluate, negotiate, and complete mergers, acquisitions, financings, or sales of assets. Lawful bases: legitimate interests; legal obligation.
4.2 Withdrawal of consent
Where we rely on consent, you may withdraw consent at any time by following the instructions in the relevant communication or by contacting us at privacy@burna.ai. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
05 How We Share Information
We do not sell personal information. We share personal information only as described in this Section.
5.1 Service providers and subprocessors
We share personal information with service providers and subprocessors that perform services on our behalf, subject to written contracts that restrict their use of the information. Categories include:
- Cloud infrastructure and hosting providers.
- Database and storage providers.
- Email delivery providers.
- Customer relationship management and sales operations providers.
- Analytics and product telemetry providers.
- Communications and scheduling platforms.
- Security, fraud prevention, and monitoring providers.
- Professional services firms (legal, accounting, audit).
A current list of categories and, where applicable, named subprocessors is maintained at burna.ai/subprocessors.
5.2 Customers and design partners
When you communicate with Burna AI on behalf of a customer or prospective customer, we may share relevant information internally and with the corresponding organization for the purpose of advancing the engagement.
5.3 Legal and safety disclosures
We may disclose personal information when we believe in good faith that disclosure is necessary to comply with applicable law, regulation, legal process (such as a subpoena or court order), or governmental request; cooperate with law enforcement or regulators; enforce our terms, agreements, or policies; or protect the rights, property, or safety of Burna AI, our customers, our personnel, or others, including in connection with security incidents.
5.4 Corporate transactions
If Burna AI is involved in a merger, acquisition, financing, reorganization, bankruptcy, receivership, sale of company assets, or transition of service to another provider, personal information may be transferred or disclosed as part of that transaction, subject to standard confidentiality protections and, where required, notice to affected individuals.
5.5 With your direction or consent
We may share personal information with other parties at your direction or with your consent.
06 International Data Transfers
Burna AI is headquartered in the United States and may process personal information in the United States and in other countries where we or our service providers maintain operations. These countries may have data protection laws that differ from those of your country of residence.
Where we transfer personal information from the European Economic Area, the United Kingdom, or Switzerland to a country that has not received an adequacy decision from the relevant authority, we rely on appropriate safeguards, including:
- The European Commission's Standard Contractual Clauses (SCCs) and, where applicable, the United Kingdom International Data Transfer Addendum or the UK International Data Transfer Agreement.
- Adequacy decisions where issued by the relevant authority.
- Other safeguards permitted under applicable law.
For customers with regional data residency requirements, Burna AI offers regional residency options for product data, including PHI processed under a BAA. Regional residency for the platform is separate from the data handling described in this Policy, which concerns Website and pre-contract interactions. Details of available residency configurations are provided in customer documentation and procurement materials.
You may request a copy of the safeguards we use for international transfers by contacting privacy@burna.ai, subject to redaction for confidentiality and legal reasons.
07 Data Retention
We retain personal information only for as long as necessary to fulfill the purposes for which it was collected, including to satisfy any legal, accounting, regulatory, or reporting requirements, to resolve disputes, and to enforce our agreements.
- Website form submissions and inquiry records: retained for 24 months from the date of last interaction, unless extended because an active engagement, pilot evaluation, or contractual relationship is ongoing.
- Marketing email lists: retained until you unsubscribe or until we determine that the address is inactive based on engagement signals, whichever comes first.
- Website session logs: retained for 90 days, unless retained longer to investigate a security incident or comply with legal obligations.
- Aggregated analytics data: retained for 12 months.
- Records required for legal, regulatory, audit, or tax purposes: retained for the period required by applicable law.
When personal information is no longer required, we delete or de-identify it in a secure manner.
08 Your Rights
Depending on where you reside, you may have certain rights regarding your personal information. To exercise any right, contact privacy@burna.ai. We will respond within the timeframes required by applicable law. We may need to verify your identity before fulfilling a request.
8.1 GDPR and UK GDPR
- Right of access. Obtain confirmation of processing and a copy of your information.
- Right to rectification. Request correction of inaccurate or incomplete information.
- Right to erasure. Request deletion in certain circumstances.
- Right to restriction of processing.
- Right to data portability. Receive certain information in a structured, machine-readable format and, where technically feasible, request its transmission to another controller.
- Right to object. Including direct marketing and profiling.
- Right to withdraw consent. Without affecting the lawfulness of prior processing.
- Right not to be subject to solely automated decision-making. Burna AI does not use solely automated decision-making in connection with the Website or pre-contract interactions.
- Right to lodge a complaint with your local supervisory authority (in the UK, the Information Commissioner's Office).
8.2 California (CCPA and CPRA)
- Right to know, delete, correct.
- Right to opt out of sale. Burna AI does not sell personal information as defined under California law.
- Right to opt out of sharing for cross-context behavioral advertising. Burna AI does not share for this purpose.
- Right to limit use and disclosure of sensitive personal information.
- Right to non-discrimination. We will not discriminate against you for exercising any CCPA right.
Notice of financial incentives. Burna AI does not offer financial incentives or price differences in exchange for the retention or sale of personal information.
Shine the Light. Burna AI does not disclose personal information to third parties for their direct marketing purposes.
8.3 Other United States state privacy laws
Residents of Colorado, Connecticut, Delaware, Indiana, Iowa, Montana, New Hampshire, New Jersey, Oregon, Tennessee, Texas, Utah, and Virginia (as applicable laws come into effect) may have rights similar to those described above, including the right to access, correct, delete, port, and opt out of certain processing, as well as the right to appeal a denial of a request. Contact privacy@burna.ai.
8.4 International rights
- Canada (PIPEDA). Access, correction, withdrawal of consent.
- Australia. Access and correction under the Privacy Act 1988 (Cth) and the Australian Privacy Principles.
- Japan (APPI). Disclosure, correction, addition, deletion, suspension of use, erasure.
- Korea (PIPA). Access, correct, delete, and suspend processing.
- Singapore (PDPA). Access, correction, withdrawal of consent.
- Brazil (LGPD). Confirm processing, access, correct, anonymize, block/delete, port, withdraw consent, oppose processing.
- UAE and KSA. Rights under applicable federal, free zone, or national data protection laws.
8.5 How to exercise your rights
Email privacy@burna.ai with sufficient information for us to identify you and the nature of your request. You will not be charged a fee unless your request is manifestly unfounded or excessive. If we deny your request, you may appeal our decision by replying to our response with the word "Appeal" in the subject line. If your appeal is denied, you may contact your local supervisory or data protection authority.
09 Cookies and Tracking Technologies
The Website uses cookies and similar technologies (pixels, web beacons, local storage, and software development kits) to operate the Website, remember preferences, analyze usage, and support marketing activities.
For a detailed description of the cookies we use, their purposes, and how to manage your preferences, please see our Cookie Policy. Where required by law, we obtain consent before placing non-essential cookies, and you may withdraw consent at any time through the cookie preferences interface on the Website.
10 Children's Privacy
The Website and Services covered by this Policy are intended for business audiences and are not directed to children. Burna AI does not knowingly collect personal information from children under the age of 16 (or such other age established under applicable law). If you believe a child has provided personal information to us, please contact privacy@burna.ai, and we will take appropriate steps to delete the information.
11 Security
Burna AI maintains reasonable administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, disclosure, alteration, loss, and destruction. These safeguards include:
- Encryption in transit using Transport Layer Security (TLS) 1.3 for supported endpoints.
- Encryption at rest using AES-256 for supported data stores.
- Access controls based on least privilege, multi-factor authentication for administrative access, and role-based authorization.
- Logging, monitoring, and incident response procedures.
- Personnel security training and confidentiality obligations.
- Vendor risk management and contractual data protection requirements with service providers.
No method of transmission over the internet or method of electronic storage is fully secure. Although we strive to use commercially acceptable means to protect personal information, we cannot guarantee its absolute security.
For additional information about Burna AI's security and compliance posture, see burna.ai/security-and-compliance. To report a suspected security vulnerability or incident, contact security@burna.ai.
12 HIPAA Notice
Where Burna AI provides services to a HIPAA Covered Entity or to another Business Associate, Burna AI operates as a Business Associate under HIPAA. The handling of PHI in that context is governed by the executed Business Associate Agreement and the underlying customer agreement, not by this Privacy Policy.
The Website does not collect PHI. Information about Burna AI's HIPAA compliance program, the BAA, and PHI handling on the platform is provided to customers as part of the procurement and contracting process and is summarized in customer documentation. If you believe you have submitted PHI to Burna AI through the Website in error, please contact privacy@burna.ai so we can take appropriate steps to address the submission.
13 Do-Not-Track Signals
Some browsers offer a "Do Not Track" ("DNT") setting that signals a user's preference not to be tracked across websites. Because there is no industry consensus on how to interpret DNT signals, the Website does not respond differently to DNT signals at this time. You may use the cookie preferences interface on the Website and the controls described in the Cookie Policy to manage tracking on the Website.
Where required by law, the Website will recognize and honor opt-out preference signals (including Global Privacy Control signals) as opt-outs of sale and sharing for cross-context behavioral advertising under applicable state laws.
14 Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will provide notice by:
- Communicating the change by email to active contacts where we have a current business email address and the change is material to the relationship.
- Posting a prominent notice on the Website at least 30 days in advance of the effective date of the change, except where a shorter period is required by law or to address security or legal risk.
The "Effective Date" at the top of this Policy indicates when the current version became effective. Continued use of the Website after the effective date constitutes acceptance of the updated Policy, to the extent permitted by law. Prior versions of this Policy will be made available on request to privacy@burna.ai.
15 Contact Us
For questions about this Privacy Policy or about Burna AI's privacy practices, or to exercise any of the rights described above, please contact us using the details below. Postal address and Data Protection Officer or EU/UK representative details will be confirmed by counsel where required by applicable law.
Burna AI, Inc. · Privacy
If you are located in the EEA, the UK, or another jurisdiction with a supervisory authority, you may also lodge a complaint with your local data protection authority. We would, however, appreciate the opportunity to address your concerns before you approach the authority.