OCULAR THERAPEUTIX PRIVACY POLICY

This Ocular Therapeutix, Inc. (“Ocular Therapeutix”, “our”, or “we”) Privacy Policy explains what personal information we collect about you, what we do with it, and how you can control it. This Privacy Policy applies to Ocular Therapeutix websites and personal information collected offline.

By using our websites, you agree to the terms of this Privacy Policy. We reserve the right to update or modify this policy at any time without prior notice. If and when our Privacy Policy changes, Ocular Therapeutix will post the revised policy on our websites with a revised effective date, unless another type of notice is required by applicable law. Such changes to the Privacy Policy will become effective when posted. Your continued use of our websites after any changes or revisions to this Privacy Policy shall indicate your agreement with the terms of such revised Privacy Policy. We encourage you to check this page frequently by clicking on the Privacy Policy link on our websites.

Please read our Terms and Conditions of Use to understand the general rules about your use of our websites. Except as written in any other disclaimers, policies, terms of use, or other notices on our websites, this Privacy Policy and the Terms and Conditions of Use are the complete agreement between you and Ocular Therapeutix with respect to your use of our websites. You may be subject to additional terms that may apply when you access particular services or materials on certain areas on our websites, or by following a link from our websites.

Ocular may have additional privacy notices or terms that are tailored and more specific for the different ways your personal information is collected. For example, clinical trial subjects are provided with separate notices related to their personal information collected for the trial. Employment applicants may also be provided with a separate privacy notice.

If you receive a privacy notice provided to you for a specific purpose, the terms of the more specific notice or contract will control to the extent that other notice differs or conflicts with this Privacy Policy.

WHAT INFORMATION DO WE COLLECT AND USE?

The information we receive, and how we use it, depends on the nature of your relationship with us and requirements of applicable laws. The term “personal information” can have different meanings. In general, we use the term “personal information” to mean information that can uniquely identify you, but we will treat information we collect from you as personal information wherever necessary. We may collect and use the following different categories of information about you, which includes personal information and non-personal information:

  • Identity Data such as first name, maiden name, last name, username or similar identifier, marital status, title, social security number, date of birth and gender.
  • Contact Data such as billing address, delivery address, email address and telephone numbers.
  • Financial Data such as bank account, payment card details, insurance information and payroll data.
  • Professional or Employment-related Data such as employer and employment history.
  • Transaction Data such as details about payments to you and other details regarding services you have received from us.
  • Technical Data such as internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our websites or intranet.
  • Profile Data such as information regarding your communication preferences, and feedback and survey responses.
  • Usage Data such as information about how you use our websites, intranet, and other services.
  • Marketing and Communications Data such as your preferences in receiving materials regarding our products and services from us and our third parties and your communication preferences.
  • Special Categories of Personal Information/Sensitive Personal Information such as details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data, and other personal information, such as a social security number, that may also be considered sensitive personal information pursuant to applicable law.

HOW DOES OCULAR THERAPEUTIX COLLECT PERSONAL INFORMATION?

Direct interactions. You may give us your personal information, such as Identity Data, Contact Data and Financial Data by filling in forms or by corresponding with us by mail, phone, and email or otherwise. This includes personal information you provide when you, for example:

  • Contact us by email, phone or mail, either using addresses or numbers posted on our websites or when you contact our employees directly;
  • Sign up on our websites to receive clinical, promotional, disease awareness, or other information about products or services we offer or plan to offer in the future;
  • Subscribe to receive email notifications or other publications;
  • Enter a promotion or survey;
  • Give us some feedback;
  • Provide unsolicited information to us;
  • Provide information to us as our business partner;
  • Apply for employment or consulting opportunities with us or when you become an employee or a consultant; or
  • Express interest in participating in our clinical trials or other studies and research programs.

Automated interactions. As you interact with our websites or use our intranet, and in some emails we may send each other, we may automatically collect Technical Data. This can include your preferences (like language and the location you are in). We may also collect information about your visits to our websites, such as the length of visits to certain pages and page interaction information. Automatic technologies we use may include web server logs, cookies, pixels and web beacons that are described in “Cookies and Other Tracking Mechanisms” below.

Third parties (or publicly available sources). We may receive categories of personal information about you from various third parties and public sources as set out below, such as:

  • Technical Data from analytics providers such as Google, advertising networks and search information providers;
  • Contact Data, Financial Data and Transaction Data from providers of technical, payment and delivery services;
  • Identity Data and Contact Data from recruitment agencies;
  • Identity Data and Contact Data from publicly available sources; and
  • Special Categories of Personal Information including health data from Contract Research Organizations (“CROs”) managing clinical research on our behalf.

HOW DOES OCULAR THERAPEUTIX USE PERSONAL INFORMATION?

Ocular and/or the service providers, vendors and other third parties we hire to perform services on our behalf may use your personal information, for example:

  • To comply with or fulfill a request that you have made;
  • To respond to a question, comment or concern;
  • To maintain and develop our business or professional relationship with you;
  • To provide you with products, services, or programs for which you have signed up;
  • To send you additional information about our products and services (unless you opt-out of receiving marketing communications);
  • To investigate or respond to issues such as complaints or security threats and for fraud prevention;
  • To help us evaluate and modify products and services;
  • To exercise our legal rights;
  • To conduct audits;
  • To comply with our regulatory monitoring and reporting obligations;
  • To improve our websites; and
  • For product development.

HOW LONG DOES OCULAR THERAPEUTIX RETAIN PERSONAL INFORMATION?

We will retain your personal information for as long as necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorized use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal requirements.

In some circumstances we may anonymize your personal information (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you. There may also be circumstances where data is retained until it is manually deleted by Ocular Therapeutix.

HOW DOES OCULAR THERAPEUTIX SECURE PERSONAL INFORMATION?

We have put in place security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed while it is under our control. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality.

Please note, however, that any information you send to Ocular Therapeutix via email, in a sign-up form or via the Internet may not be completely secure. We take reasonable steps to protect the personal information provided from loss, misuse and unauthorized access or disclosure. Due to the nature of the Internet, there is a possibility that unsecured (unencrypted) email or Internet transmissions could be intercepted and read by third parties. Therefore, you should take special care in deciding what information you send to us via e-mail, in a sign-up form or via other Internet transmission.

HOW DOES OCULAR THERAPEUTIX SHARE PERSONAL INFORMATION?

We may share your personal information with the parties set forth in this section for the purposes described in “How Does Ocular Therapeutix Use Personal Information” above.

  • Internal Parties: Individuals or groups within Ocular Therapeutix to operate our business.
  • Our subsidiaries, related companies or affiliates: other companies within the Ocular Therapeutix family of companies, such as subsidiaries, affiliates and holding companies (if applicable).
  • Our partners: our partners, including other companies and academic institutions, such as those listed or referenced on our websites.
  • External Third Parties: third parties who perform services on our behalf and help further our business requirements, including without limitation, for market research, marketing communications, technological maintenance, data storage, system administration, and data analysis and processing.
  • Parties as part of a business transaction: third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. If a change happens to our business, then the new owners may use your personal information in the same way as set out in this Privacy Policy.
  • Professional advisers: advisors (e.g., lawyers, bankers, auditors and insurers) who, for example, may provide consultancy, banking, financial, legal, insurance and accounting and payroll services.
  • Government Authorities: Revenue and Customs, U.S. Internal Revenue Service, the U.S. Food and Drug Administration, and other government agencies, regulators and authorities.

We do not allow our third-party service providers to use your personal information for their own purposes and only permit them to process your personal information for specified purposes and in accordance with our instructions.

We do not sell your personal information.

MARKETING AND ANALYTICS

We strive to provide you with choices regarding certain personal information uses, particularly around marketing communications. We may use your Identity Data, Contact Data, Technical Data, Usage Data and Profile Data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which services and materials may be relevant for you (we call this marketing). We have established the following personal information control mechanisms:

  • Opting in. You will receive marketing communications from us if you have requested information from us and opted-in to receive that marketing.
  • Consent to third-party marketing. We will get your express opt-in consent before we share your personal information with any company outside Ocular Therapeutix for marketing purposes.
  • Opting out. You can ask us or third parties to stop sending you marketing messages at any time by following the opt-out links on any marketing message sent to you. Remember, however, that even if you opt-out of receiving these marketing communications, we may still email you in order to provide a product or service that you request.
  • Cookies. Most web browsers allow some control of most cookies through the browser settings. For additional information about how Ocular Therapeutix uses cookies and similar technologies, see “Cookies and Other Tracking Mechanisms” below.

Online Analytics. We may use third-party web analytics services (such as those of Google Analytics) on our websites to collect and analyze the information discussed above, and to engage in auditing, research or reporting. The information (including your IP address) collected by various analytics technologies described in “Cookies and Other Tracking Mechanisms” below will be disclosed to or collected directly by these service providers, who evaluate information, including by noting the third-party website from which you arrive, analyzing usage trends, assisting with fraud prevention, and providing certain features to you. To prevent Google Analytics from using your information for analytics, you may install the Google Analytics Opt-out Browser Add-on by visiting http://tools.google.com/dlpage/gaoptout.

COOKIES AND OTHER TRACKING MECHANISMS

We may also collect data about your use of our websites through the use of Internet server logs, cookies, tracking pixels, and/or other tracking technologies. As we adopt additional technologies, we may also gather additional information through other methods.

Cookies are small files that are automatically stored on your computer when you visit a website. Cookies are used to (a) recognize your device; (b) store your preferences and settings; (c) understand the web pages of the website you have visited; (d) perform searches and analytics; and (e) assist with security functions. Cookies perform many functions, such as allowing you to navigate between pages efficiently, remembering your preferences, and generally improving the user experience.

A web server log is a file where website activity is stored. An IP address is a number assigned to your device whenever you access the Internet that allows devices and servers to recognize and communicate with each other. Ocular Therapeutix may collect IP addresses to conduct system administration and report aggregate information to affiliates, business partners, service providers and/or vendors to conduct website and application analysis and performance reviews.

Web beacons are small strings of code that are placed in websites, email messages, and/or online ads. They are sometimes called “clear GIFs” (Graphics Interchange Format), “GIF tags”, “Action tags”, “tracking pixels” or “pixel tags.” Web beacons are most often used in conjunction with cookies to track activity on our websites. When you visit a particular web page, web beacons notify us of your visit and for other related website statistics. Since web beacons are used in combination with cookies, if you disable cookies the web beacons will only detect an anonymous website visit. When used in an email, web beacons enable us to know whether you have received or opened the email and may be used for other analytics, personalization, and advertising. Web beacons, cookies and other tracking technologies do not automatically obtain your personal information. Only if you voluntarily submit personal information, such as by registering or sending e-mails, can these automatic tracking technologies be used to provide further information about your use of websites to improve their usefulness to you.

If you do not wish to have cookies on your system, you can set your browser preferences to refuse them or to alert you when cookies are being sent. Please note that you can change your settings to notify you when a cookie is being set or updated, or to block cookies altogether. For additional information, please consult your browser’s “help” section. If you choose to decline cookies, you may not be able to fully experience the features of our websites.

WHAT ABOUT PRIVACY ON OTHER SITES?

Our websites may contain links to other websites that are not owned, controlled, reviewed or monitored by Ocular Therapeutix. Please be aware that we are not responsible for the privacy policies of such other sites or how these sites operate or treat your personal information. We encourage you to be aware when you leave our websites and to read the privacy policies and terms and conditions of each and every third-party website.

Please note that linked third-party websites may also use cookies or other tracking mechanisms. We cannot control the use of cookies or other tracking mechanisms by these third-party websites. For example, when you link from this site to a third-party website, that website may have the ability to recognize that you have come from our site by using cookies. If you have any questions about how third-party websites use cookies, you should contact such third parties directly.

HOW CAN YOU CONTROL YOUR INFORMATION?

Ocular Therapeutix may require you to provide certain personal information in order for you to, for example, receive additional product information or information about a disease state. You could decide not to submit any personal information at all by not entering it into any forms or data fields and not using any available personalized services.

If you have filled out a form that stores data within our database and wish for the data to be anonymized or removed or believe the personal information we have collected is out of date or incorrect, you may contact us as provided in the “How to Contact Ocular Therapeutix” section below.

If you opt-in for particular services or communications, such as an e-newsletter, you will be able to unsubscribe at any time by following the instructions included in each communication. If you decide to unsubscribe from a service or communication, we will work to remove your information promptly, although we may require additional information before we can process your request. You may also contact us as provided in the “How to Contact Ocular Therapeutix” section below.

Ocular Therapeutix will not discriminate against users that choose to withhold their personal information from us.

ARE THERE SPECIAL RULES ABOUT CHILDREN’S PRIVACY?

While in some instances we may collect personal information about children with the consent of a parent or guardian, such as clinical activities or for patient support programs, we do not otherwise knowingly solicit data from, or market to, children. If a parent or guardian becomes aware that his or her child has provided us with personal information, he or she should contact us as described in the “How to Contact Ocular Therapeutix” section below. We will take reasonable steps to delete such data from our database within a reasonable time.

We do not knowingly collect personal information from children under the age of 13 on our websites. If we become aware that we have collected personal information from children under the age of 13 on our websites, we will take reasonable steps to delete it as soon as practicable. If you think that we have collected personal information from a child under the age of 13, contact us as described in the “How to Contact Ocular Therapeutix” section below.

HOW WE RESPOND TO DO NOT TRACK SIGNALS

Some web browsers may transmit “do-not-track” signals to websites with which the browser communicates. Websites linked to this Privacy Policy do not currently respond to these “do-not-track” signals.

NOTICE TO CALIFORNIA RESIDENTS

If you reside in California, please read this section for additional disclosures about how we collect, use, and disclose information about you and information about your rights under California law.

CALIFORNIA CONSUMER PRIVACY ACT OF 2018 (“CCPA”) SUPPLEMENTAL NOTICE

Information We Collect About You

We collect information that identifies, relates to, describes, references, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with particular California consumers or households (“personal information” as defined by the CCPA and referenced within this CCPA Supplemental Notice). Personal information does not include: (1) publicly available information from government records; (2) de-identified or aggregated consumer information; or (3) information excluded from the CCPA’s scope such as (i) health or medical information collected by entities directly subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA), clinical trial data, or certain other research data; and (ii) personal information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver’s Privacy Protection Act of 1994.

In particular, we may have collected the following categories of personal information from you within the last twelve (12) months:

  1. Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, email address, account name and social security number;
  2. Personal information categories described in Cal. Civ. Code 1798.80(e), such as name, signature, social security number, address, telephone number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance;
  3. Non-public education information;
  4. Professional or employment-related information;
  5. Characteristics of protected classifications under California or federal laws;
  6. Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies;
  7. Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet website, application or advertisement;
  8. Audio, electronic, visual, thermal, olfactory, or similar information, such as call recordings;
  9. Biometric information;
  10. Geolocation data; and
  11. Inferences drawn from other personal information.

Sources of Personal Information

We obtain the personal information from the following categories of sources:

  • Directly from you, your caregiver or agent;
  • Indirectly from you or your caregivers or agents (i.e., in the course of providing services);
  • Directly and indirectly from activity on our websites (for example, from submissions through our websites or from website usage details collected automatically); and
  • From third parties in connection with the provision of services.

Use of Personal Information

We may use the personal information we collect for one or more of the business purposes described above in the “How Does Ocular Therapeutix Use Personal Information” section above.

How We Share Your Personal Information

We do not “sell” (as such term is defined by the CCPA) your personal information.

For information about how we may share your personal information for business purposes, please see the “How Does Ocular Therapeutix Share Personal Information” section above.

How Long We Retain Your Personal Information

For information about how long we may retain your personal information, please see the “How Long Does Ocular Therapeutix Retain Personal Information” section above.

CCPA RIGHTS OF CALIFORNIA RESIDENTS

If you are a California resident, subject to some limitations and the verification of your identity, you have the following rights under the CCPA:

  1. The right to request that we disclose certain information to you about our collection and use of your personal information (the right to know), including to ask us to send you the following information:
    • The categories of personal information we have collected about you
    • The categories of sources from which we collected personal information
    • Our business or commercial purpose for collecting personal information
    • The categories of third parties with whom we share personal information
    • The specific pieces of personal information the business has collected about you
    • The categories of personal information that we disclose to third parties
  2. The right to ask us to delete the personal information that we have collected from you (subject to certain exceptions).
  3. The right to non-discrimination for exercising your CCPA rights. If you exercise your privacy rights under California law, we will not do any of the following in retaliation:
    • Deny you goods or services
    • Charge you different prices or rates for goods or services
    • Provide you a different level or quality of goods or services
    • Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services
  4. The right to opt-out of the sale of your personal information (we do not sell your personal information).

In order for us to process a request for you to exercise your CCPA rights, we will first verify your identity by asking you to provide certain personal information. This may include a description of your relationship with us, your first and last name, email address, telephone number and postal address or other personal information that will allow us to verify your identity. Please submit your requests by sending us an email to law@ocutx.com or by using any of the contact methods described in the “How to Contact Ocular Therapeutix” section of this Privacy Policy below.

You may designate an authorized agent to exercise your CCPA rights on your behalf in accordance with the CCPA. We may require that you provide the authorized agent with written permission to act on your behalf and that the authorized agent verify his or her identity directly with us.

We do not charge a fee to process or respond to your verifiable request unless it is excessive, repetitive or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request. When you submit a request to exercise your CCPA rights, we will do our best to respond to your request as soon as possible after we verify your identity, and, in any event, no later than 45 days after receiving your request.

SHINE THE LIGHT LAW

California Civil Code Section 1798.83 permits California residents who are individual “customers” of Ocular Therapeutix to request certain information regarding our disclosure of “personal information” to third parties for their direct marketing purposes. To make such a request, please contact us using our contact information listed in the “How to Contact Ocular Therapeutix” section of this Privacy Policy below. Be sure to include your name and address, and your email address if you wish to receive a response by email. Otherwise, we will respond by postal mail within the time required by law.

NOTICE TO NEVADA RESIDENTS

Section 603A of the Nevada Revised Statutes permits Nevada residents who are Ocular Therapeutix “consumers” to submit a request, at any time, to an “operator” of a website in Nevada directing the operator not to make any sale of any “covered information” the operator has collected or will collect about the consumer. We do not currently “sell” or plan to sell covered information as defined in the Nevada law. If you are a Nevada resident, you may submit a verified request by contacting us by sending an email to law@ocutx.com or calling 877-628-8998 to opt out of sales and we will record your instructions and incorporate them in the future if our policy changes. We will respond within the time required by law.

HOW TO CONTACT OCULAR THERAPEUTIX

If you have questions or comments about this Privacy Policy, please send an email to law@ocutx.com. You may also call us at 877-628-8998 or send us a letter addressed to the following address by First Class Postage Prepaid U.S. Mail or overnight courier:

Ocular Therapeutix, Inc.
24 Crosby Drive
Bedford, MA 01730
Attn: Law Department

This Privacy Policy was last revised on January 5, 2023.