Privacy Notice of Compass Pathways

This is the Privacy Notice of Compass Pathways and its subsidiaries, to be collectively referred to as “Compass”. Compass respects your right to privacy and we take our responsibilities seriously under all the applicable data protection laws including the UK’s GDPR and Data Protection Act 2018.

Please read this Privacy Notice alongside any other privacy notice we may provide when collecting or processing personal data about you. This notice provides details on how and why we collect and use your personal data. It supplements any other privacy notices you may receive from us and is not intended to replace them.

It is important that the personal data we hold about you is accurate and up to date. Please notify us of any changes to your personal data during our relationship.

1. Who We Are

Compass is a biotechnology company dedicated to accelerating patient access to evidence-based innovations in mental health. We are comprised of different legal entities, including Compass Pathways PLC and Compass Pathfinder Limited registered in England: 3rd Floor, 1 Ashley Road, Altrincham, Cheshire, WA14 2DT, United Kingdom, and Compass Pathways Inc. registered in New York: 28 Liberty Street, New York, NY, United States, 10016.

In this Privacy Notice, Compass (referred to as “we,” “us,” or “our”) is the data controller responsible for the personal data we process about you, in accordance with this notice. If you have any questions about this Privacy Notice, or if you wish to exercise your legal rights, please refer to the “How to Contact Us” section below.

2. Information We Collect About You

Personal data refers to any information about an individual that can be used to identify them, directly or indirectly. It does not include data where the identity has been removed (anonymous data). We collect and use your personal data in different ways. They type of data we collect and how we use it will depend on the nature of our relationship.

The types of personal data we may collect, or you provide to us, may include:

• Identity Data: Full name, date of birth, gender, social security number, diversity data, passport information, national insurance number, identification number.
• Contact Data: Billing address, delivery address, email address, phone numbers, emergency contact details.
• Legal Data: Patent and Intellectual Property applications, licensing agreements and litigation materials.
• Financial Data: Bank account details, payment card information, salary or income details.
• Health Data: Mental health information, medical history, audio or video recordings, questionnaire answers.
• Employment Data: Job title, employer name, employment history, work location, employment status
• Education and Training: Academic qualifications, school/university attended, certifications and training courses attended
• Transaction Data: Details about payments made to you or received from you, purchases of products or engagement of your services.
• Technical Data: IP address, login data, browser type and version, time zone setting, device information, operating system, platform, and other similar data related to your devices.
• Usage Data: Information about how you use our website.
• Communications Data: Your preferences for receiving materials and communications, email content, job opportunities, or company updates from us and our third-party partners.

3. How We Use Your Information

We use the personal data you provide to manage our relationship with you, including before, during, and after your engagement with us. We may also use it in the following ways, depending on the nature of our relationship:

Business and contractual relationships

• Managing our contractual relationships
• Execution and management of Agreements with academic partners such as healthcare organisations, research centres, healthcare professionals
• Implementing and managing invoicing, payments and for accounting purposes

Research and development activities

• Implementing and managing our research and development activities such as clinical studies or other types of scientific research projects
• Safeguarding our clinical research participants
• Supporting Investigator Initiated Studies
• Monitor healthcare outcomes
• Participating in or supporting our psychological support model including training and mentoring

Compliance with legal, regulatory, best practices and ethical obligations

• Complying with the applicable industry standards
• Financial and tax reporting requirements
• Monitoring adverse events and safety reporting
• Management of data subject access requests

Managing recruitment

• Evaluate your suitability for a role at Compass
• Perform background checks in compliance with applicable local laws

Managing our website

• Maintain and administer our website, troubleshoot, analyse data, and perform internal research.
• Secure our website, prevent fraud, and measure its effectiveness

Communicating with you

• Provide you with information about our Company, research programme, and job opportunities.
• Communicate with you such as responding to your enquiries or for business development purposes
• To establish partnerships, collaborations and networking opportunities
• To provide Company updates. You can opt out of these communications at any time here.

Protect our rights and interests

• Management of any investigations, pre-litigation, and litigation.
• Protection of our rights or those of third parties, including intellectual property rights, privacy, safety, and property.
• Protect against any actions or omissions which are likely to cause harm to Compass, including fraudulent actions or omissions.

4. Cookies

Our website uses cookies and analytics tools to improve our services, customise content for users, and monitor website traffic and usage. Cookies are small text files stored on your device to enhance your browsing experience, keep you signed in, and provide analytics.

We do not use cookies for marketing or tracking purposes. However, they help us understand how visitors interact with our website.

For more information about our cookies and to manage your cookie preferences please click here.

5. Legal Basis for Processing Your Personal Data

We will only use your personal information when the law allows us to. We process your data based on the following legal grounds:

• Contract: To fulfil our contractual obligations, including requests for your services.
• Consent: When required, we obtain your consent to process your data.
• Legal Obligations: To comply with relevant laws and regulations.
• Legitimate Interests: To pursue our legitimate business interests and where your interests and fundamental rights do not override those interests, such as managing relationships, improving our business practices, and internal research to enhance our study participants’ experience.

We will not process your data unless we have a lawful basis. In some cases, we may process special categories of personal data with your explicit consent or as required by law.

6. Who We Share Your Information With

We may share your personal data with third parties for the purposes outlined in this Privacy Notice. These third parties include:

• To other Compass entities and third parties as required for our everyday business purposes such as human resources
• Contract research organisations (CROs) who manage our clinical trials and other research partners.
• Third-party service providers assisting with business functions like technical support, consultancy, or analytics.
• Credit agencies or background check companies for verification purposes.
• Legal, regulatory, or government authorities, as required by law, such as tax reporting, and as required to support our clinical research programme and drug application.
• Outside Counsel, external law firms and accountancy firms to support our patent or intellectual property applications, external and internal auditors.
• In case of a business transaction (e.g., sale or merger), personal data may be transferred to the new owners.

We require all third-party partners to handle your personal data in accordance with applicable data protection laws.

7. International Data Transfers

We may transfer your personal data internationally. When doing so, we ensure adequate protection by using approved safeguards, such as the EU’s Standard Contractual Clauses, the UK’s International data transfer agreement, the EU-US Data Privacy Framework, or adequacy decisions by relevant authorities, depending on the jurisdiction. If necessary, we will obtain your consent for international data transfers.

8. How we protect your information

We implement reasonable technical and organisational measures to safeguard your personal data against unauthorised access, alteration, or destruction. These include policies and procedures to protect the confidentiality, integrity, availability and security of your personal data. Only authorised personnel and third-party service providers with a business need to know will access your data.

We also require our third-party vendors to implement appropriate security measures to protect your personal data.

9. Your Rights

Under applicable data protection laws and in certain circumstances, you have the following rights concerning your personal data:

• Access: Request a copy of the personal data we hold about you.
• Correction: Correct any inaccurate or incomplete data we hold about you.
• Erasure: Request deletion of your personal data, where there is no valid reason for us to retain it.
• Objection: Object to the processing of your personal data for certain purposes, including marketing.
• Restriction: Ask us to suspend processing your data in specific situations.
• Data Portability: Request a copy of your data in a structured, machine-readable format or transfer it to another service provider.
• Withdraw Consent: If we process your data based on your consent, you can withdraw that consent at any time.

Please note Compass does not conduct automated individual decision-making. This is decision-making by automated means without human involvement that could impact you.

For California residents, you have rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), including the right to request the deletion of your personal data, the right to opt-out of the sale of your personal data, and the right to know what personal data we have collected.

For Canadian residents, we adhere to the Personal Information Protection and Electronic Documents Act (PIPEDA), which provides you with similar rights.

To exercise certain rights, we may request that you verify your identity and, when applicable, assist us in locating your personal data. In most cases, we will respond within one month of either (i) confirming your identity or (ii) if no identity verification is required, the date we received your request.

If you wish to contact us or would like to exercise any of these rights, please get in touch using the details in the “How to Contact Us” section below.

If you are based in the EU, Norway or Iceland you may contact our EU Representative, DataRep, to exercise your rights by sending an email to DataRep at datarequest@datarep.com quoting “Compass Pathways” in the subject line or by contacting DataRep on their online webform at www.datarep.com/data-request. Please ensure “Compass Pathways” is referenced.

If your request or concern is not satisfactorily resolved by us, you have the right to lodge a complaint with the appropriate supervisory authority:

• UK: Information Commissioner,
• EU/ UK Data Protection Authorities: Our Members | European Data Protection Board (europa.eu)
• California: Contact Us | State of California – Department of Justice – Office of the Attorney General
• USA: Contact the Federal Trade Commission | Federal Trade Commission (ftc.gov)

10. How long we use your personal data

We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

Factors influencing the retention period include:

• Amount, nature, and sensitivity of the personal data.
• Potential risk of harm from unauthorised use or disclosure of the data.
• Purpose for which the data is processed, and whether those purposes can be achieved by other means.
• Applicable legal, regulatory, tax, accounting, or other requirements.

Once the retention period expires, personal data will be deleted. Your Rights such as access, erasure, rectification, and data portability cannot be enforced once the retention period expires.

11. Changes to Our Privacy Notice

We may update this Privacy Notice from time to time. Any changes will be posted on this page, and where appropriate, we will notify you. Please review this notice periodically to stay informed about how we are protecting your personal data.

How to Contact Us

If you have any questions about this Privacy Notice or would like to exercise your data protection rights, please contact us at:

Data Protection Officer: Debbie Longden

By email: privacy@compasspathways.com