CA Compliance

Madrigal Pharmaceuticals, Inc. Supplemental Privacy Notice for California Residents

Effective Date: January 14, 2022

This Supplemental Privacy Notice for California Residents (“California Supplement” or “Supplement”) supplements the information contained in the Madrigal Pharmaceuticals, Inc. (“Madrigal” or “We” or “Us” or “Our”) Privacy Policy and applies solely to visitors, users, and others with respect to Our website at www.madrigalpharma.com (Our “Website”), who reside in the State of California (“consumers” or “you”). We provide this California Supplement to comply with the California Consumer Privacy Act of 2018 2018 (as amended by the California Privacy Rights Act of 2020) (“CCPA”) and any terms defined in the CCPA have the same meaning when used in this Supplement.

Together with the Privacy Policy, this supplement describes the types of information We collect from you or that you may provide when you visit the Website and Our practices for using, maintaining, protecting, and disclosing that information. Please read this supplement carefully.

Information We Collect

The Website collects information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer, household, or device (“Personal Information”). Personal Information as described in this Supplement does not include any information not included within the scope of CCPA.

The categories of Personal Information We have collected from consumers within the last twelve (12) months include:

Identifiers including names, email addresses, employment information, online identifiers, I.P. addresses, postal addresses, or other similar identifiers;
internet or other similar network activity including browsing history, search history, information on a consumer’s interaction with a website, application, or advertisement; and/or
Geolocation data.

We obtain these categories of Personal Information listed above directly or indirectly from you (e.g., when you fill out a form on the Website or share your professional resume) or automatically from your devices when using the website (e.g., via cookies). Please see our Privacy Policy for additional detail.

How We May Use of Personal Information

We use the Personal Information We collect:

To provide you with information regarding Madrigal’s products, services, and other information, and to improve the experience for visitors the Website, to maintain proper business functions, and to engage with you and others.
To respond to you, such as when you complete a form on the Website.
To personalize your experience with Us, including to present the Website and its contents to you, remember your interests and preferences, and customize your experience.
For analytics, to understand how you use the Website, track certain activity on and off the Website, including by identifying the different websites you visit to understand how you search, and to determine the methods and devices used to access the Website and improve the Website.
For our business purposes, such as operating and improving upon Our business, maintaining Our programs, contacts, and records, determining your satisfaction with Our Website, detecting, and preventing fraud or misuse of Our Website and related services, and for any other legitimate business purpose.
For legal and safety purposes, such as defending or protecting Us, Our customers, you, or third parties, from harm or in legal proceedings, protecting or enforcing Our rights, protecting Our security and the security of Our customers, employees, and property, responding to legal process, or addressing legal and regulatory compliance.
To fulfill any other lawful purpose for which you provide your information.
To notify you about changes to the Website or any products or services We offer or provide though it.
In any other way We may describe when you provide the information.

We will not collect additional categories of Personal Information or use the Personal Information We have collected for materially different, unrelated, or incompatible purposes without first providing you notice.

Please note that we do not use or disclose sensitive Personal Information.

How We May Disclose Personal Information

We do not “sell” or “share” your Personal Information as those terms are defined under the CCPA, and We do not knowingly sell or share the Personal Information of anyone under the age of 16. We do, however, disclose your Personal Information or certain components thereof, to certain third parties we work with to support our business and who are bound by contractual and/or other obligations to keep confidential and use Personal Information only for the purposes for which we disclose it to them, such as to store or host Website content, or to optimize the content, design and function of the Website.

In the preceding twelve (12) months, We may have disclosed your Personal Information for a business purpose to the following categories of recipients:

Personal Information Category	Categories of Third Parties to Whom the Personal Information Was Disclosed
Identifiers (including names, email addresses, online identifiers, I.P. addresses, postal addresses, or other similar identifiers)	IT Service Providers Analytics Providers Data Storage Providers Technology Partners
California Customer Records personal information categories (including credit card numbers, debit card numbers, or other financial information)	None
Protected classification characteristics under California or Federal law (including age, race, color, ancestry, national origin, or citizenship)	None, except gender, by inference arising from the use of a title (e.g. Mr. or Mrs.) or first name (e.g. Joseph or Alice) when voluntarily provided by a Website visitor. IT Service Providers Analytics Providers Data Storage Providers Technology Partners
Commercial information (including purchasing or consuming histories)	None
Internet or other similar network activity (including browsing history, search history, information on a consumer’s interaction with a website	IT Service Providers Analytics Providers Data Storage Providers Technology Partners
Geolocation data	IT Service Providers Analytics Providers Data Storage Providers Technology Partners
Professional or employment related information	IT Service Providers Analytics Providers Data Storage Providers Technology Partners

Retention of Personal Information

We will keep your Personal Information for as long as we have a relationship with you. Once Our relationship with you has come to an end, We will retain your Personal Information for a period of time that enables us to:

Maintain business records for analysis and/or audit purposes
Comply with record retention requirements under the law
Defend or bring any existing or potential legal claims
Deal with any complaints regarding the services

We will delete your Personal Information when it is no longer required for these purposes. If there is any information that We are unable, for technical reasons, to delete entirely from Our systems, We will put in place appropriate measures to prevent any further processing or use of the data.

Your Rights and Choices

The CCPA provides California residents with specific rights regarding their Personal Information. This section describes your CCPA rights and explains how to exercise those rights.

Under the CCPA, if you are a California resident, you may have the right to:

Right to Know: You have the right to request to know what Personal Information we have collected about you, including the categories of Personal Information, the categories of sources from which the Personal Information is collected, the business or commercial purpose for collecting, selling, or sharing Personal Information, the categories of third parties to whom we disclose Personal Information, and the specific pieces of Personal Information that we have collected about you.
Right to Delete: You have the right to request that we delete any of your Personal Information that we collected from you and retained, subject to certain exceptions.
Right to Correct: You have the right to request that we correct inaccurate Personal Information that we maintain about you.
Right to Non-discrimination: You have the right not to receive discriminatory treatment for exercising any of your CCPA rights.

Exercising Your Rights to Know or Delete

To exercise your rights to know or delete described above, please submit a request by either:

Emailing us at [email protected] or call at 888-210-2064. Please include the words “CCPA Data Right Request” in the subject line of your email.

Only you, or someone legally authorized to act on your behalf (as evidenced by a signed authorization that the agent is able to act on your behalf), may make a request to know or delete related to your Personal Information. You may also make a request to know or delete on behalf of your child.

You may only submit a request to know twice within a 12-month period. Please describe your request with enough detail to allow Us to properly, understand, evaluate and respond to it. Your request to know or delete must provide sufficient information that allows Us to reasonably verify you are the person about whom We have collected Personal Information or an authorized representative, which must include your first and last name, email address, and zip code.

We may ask you to submit additional evidence to prove your identity. The evidence We may request from you, and the degree of certainty We will require to reach regarding your identity and the authenticity of your request will depend upon the nature of your request.

We cannot respond to your request or provide you with Personal Information if We cannot verify your identity or authority to make the request and confirm the Personal Information relates to you. We will only use Personal Information provided in the request to verify the requestor’s identity or authority to make it.

Response Timing and Format

We will confirm receipt of your request within ten (10) business days.

We endeavor to substantively respond to a verifiable consumer request within forty-five (45) days of its receipt. If We require more time (up to another 45 days), We will inform you of the reason and extension period in writing.

The response We provide will explain the reasons We cannot comply with a request, if applicable. For data portability requests, We will select a format to provide your Personal Information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.

We do not charge a fee to process or respond to your request unless it is excessive, repetitive, or manifestly unfounded. If We determine that the request warrants a fee, We will tell you why We made that decision and provide you with a cost estimate before completing your request.

Other California Privacy Rights

California’s “Shine the Light” law (Civil Code Section § 1798.83) permits users of the Website that are California residents to request certain information regarding our disclosure of certain information to third parties for their direct marketing purposes. To make such a request, please send an email to [email protected].

Contact Information

If you have any questions or comments about this California Supplement, the ways in which We collect and use your information described here and in the Privacy Policy, your choices and rights regarding such use, or wish to exercise your rights under California law, please do not hesitate to contact us at:

Email: [email protected]

Postal Address: 200 Barr Harbor Drive Suite 200, West Conshohocken, PA 19428

If you need to access to our Privacy Policy or this supplement in an alternative format due to having a disability, please contact [email protected].

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.