Surf Therapeutics Privacy Policy
Effective Date: January 3, 2026
This Privacy Policy explains, in clear and complete terms, how Surf Therapeutics, Inc. ("Surf," "we," "us," or "our") collects, uses, stores, discloses, and protects personal information. This is Surf’s master privacy policy and applies to:
The Surf Therapeutics public website (the "Website"); and
Surf’s patient registry and research‑outreach activities (described in Supplement A below).
This Privacy Policy does not apply to information collected in connection with actual clinical trials, medical treatment, employment, or other Surf services, each of which is governed by separate privacy notices or informed consent documents.
1.
Overview of How Surf Uses Personal Information
Communicating with individuals who request updates about Surf and our work;
Operating and improving our Website;
Conducting IRB‑approved research‑outreach activities through our patient registry;
Complying with legal, regulatory, and ethical obligations.
We do not sell personal information, engage in targeted advertising, or use personal information for unrelated commercial purposes.
2.
Categories of Personal Information We Collect
The types of personal information we collect depend on how you interact with Surf.
A.
Website and Communications Information
When you visit the Website, sign up to receive updates, or communicate with us, we may collect
Email address;
Name, organization, or role, if you choose to provide it;
Communications you send to us;
Basic technical information necessary to operate the Website (such as IP address or browser type).
Providing this information is voluntary. You may unsubscribe from Surf email communications at any time using the link included in our emails.
B.
Patient Registry Information
If you choose to participate in Surf’s patient registry, we collect additional information as described in Supplement A (Patient Registry Privacy Supplement) below.
Email address;
Name, organization, or role, if you choose to provide it;
Communications you send to us;
Basic technical information necessary to operate the Website (such as IP address or browser type).
Providing this information is voluntary. You may unsubscribe from Surf email communications at any time using the link included in our emails.
3.
How We Use Personal Information
We use personal information only for purposes consistent with this Privacy Policy.
A.
Website and Communications Uses
We use Website‑related information to:
Send you company news, updates, and announcements you request;
Respond to inquiries or communications you send to us;
Operate, maintain, and improve the Website;
Comply with applicable laws and legal obligations.
B.
Research‑Outreach Uses
We use patient registry information solely for research‑outreach purposes, as described in Supplement A.
4.
How We Share Personal Information
We do not sell personal information.
We share personal information only in limited circumstances:
A.
Service Providers
We may share information with trusted service providers that help us operate the Website or conduct registry activities (such as email services, secure data hosting, or IT support). These providers are contractually required to protect personal information and use it only to perform services on our behalf.
B.
Legal and Regulatory Disclosures
We may disclose personal information if required to do so by law, court order, government authority, or regulatory or ethics oversight.
C.
Research Partners
Sharing related to patient registry activities is described in Supplement A.
5.
Your Choices and Rights
Depending on how you interact with Surf, you may have the following choices:
Email communications: You may unsubscribe from Surf email updates at any time using the unsubscribe link included in our emails.
Access, correction, and deletion: You may request access to, correction of, or deletion of personal information we hold about you, subject to legal limitations.
Requests may be made by contacting us at inquiry@surftherapeutics.com. We may need to verify your identity before fulfilling certain requests.
6.
Data Retention
We retain personal information only for as long as reasonably necessary to fulfill the purposes described in this Privacy Policy, comply with legal and regulatory obligations, resolve disputes, and enforce our agreements.
7.
Data Security
We use administrative, technical, and organizational safeguards designed to protect personal information against unauthorized access, disclosure, alteration, or destruction. No system can be guaranteed to be completely secure, but we take reasonable measures to reduce risk.
8.
International Data Transfers
Surf is based in the United States. Personal information may be stored or processed in the United States or other countries that may have different data‑protection laws than your country of residence. We take appropriate steps to protect personal information in accordance with this Privacy Policy.
9.
Children
The Website and patient registry are intended only for individuals 18 years of age or older. We do not knowingly collect personal information from children.
10.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time. If we make material changes, we will update the effective date and post the revised version on the Website.
11.
Contact Us
If you have questions about this Privacy Policy or our privacy practices, please contact:
Surf Therapeutics, Inc.
Email: inquiry@surftherapeutics.com
Supplement A:
Patient Registry Privacy Supplement
This Supplement applies only to individuals who choose to participate in the Surf patient registry. It supplements, and should be read together with, the main Surf Therapeutics Privacy Policy above.
A. 1
What the Patient Registry Is (and Is Not)
The patient registry is a voluntary research‑outreach program that allows individuals to share information with Surf so that they may be contacted about potential clinical research opportunities.
Participation in the registry:
Does not enroll you in a clinical trial;
Does not determine eligibility for any study;
Does not obligate you to participate in research;
Does not provide medical advice, diagnosis, or treatment; and
Does not create a physician‑patient or healthcare provider relationship.
The registry and its data‑collection activities have been reviewed and approved by an Institutional Review Board (IRB).
A. 2
Information Collected Through the Patient Registry
If you complete the patient registry form, we may collect:
Identifiers and Contact Information
Full name
Date of birth
City and state of residence
Email address
Phone number
Preferred method of contact
Health and Medical Information
Self‑reported diagnosis information
Disease history and symptoms
Current and prior medications and treatments
Laboratory or biomarker information, if known
General health information and medical exclusions
Pregnancy‑related information, where applicable
Research Interest and Consent Information
Your interest in learning about clinical research opportunities
Your consent to be contacted by Surf, a contract research organization (CRO), or a clinical site
All registry information is self‑reported. We do not independently verify the accuracy or completeness of the information you provide. Some registry information may be considered health data or sensitive personal information under applicable law.
A. 3
How Patient Registry Information Is Used
We use patient registry information only for legitimate, limited research‑outreach purposes, including
Operating and administering the registry;
Assessing general research feasibility and outreach needs;
Identifying and contacting individuals who have agreed to be contacted;
Allowing a CRO or clinical site study team to contact you regarding a research opportunity;
Complying with applicable laws, regulations, IRB requirements, and ethical standards.
We do not use patient registry information for advertising, marketing, or unrelated commercial purposes.
A. 4
Sharing of Patient Registry Information
We do not sell patient registry information.
We may share registry information only with:
CROs engaged by Surf to support research outreach; or
Clinical sites or study teams conducting research studies,
and only if you have agreed to be contacted. These parties may use registry information only to contact you about research opportunities and must protect the information.
We may also share registry information with service providers or disclose it if required by law or IRB oversight.
A. 5
Your Choices Regarding the Patient Registry
Participation in the patient registry is entirely voluntary. At any time, you may:
Ask us to stop contacting you;
Request access to, correction of, or deletion of your registry information;
Withdraw your consent for us to process your health information.
Requests may be made by contacting inquiry@surftherapeutics.com. We may need to verify your identity before fulfilling certain requests.
A. 6
Retention and Security
We retain patient registry information only for as long as reasonably necessary to support research‑outreach activities and comply with legal and IRB requirements, unless you request deletion sooner.
We apply appropriate administrative, technical, and organizational safeguards to protect registry information.
A. 7
Relationship to Informed Consent
This Privacy Policy and Supplement are not clinical trial informed consent documents. If you are invited to participate in a research study, you will receive a separate informed consent document describing how your information will be used in that study.
Supplement B:
U.S. State Privacy Rights
This Supplement provides additional information for residents of certain U.S. states that have enacted comprehensive privacy laws. It applies only to the extent required by applicable state law and supplements the main Privacy Policy above.
State privacy laws vary, and not all rights described below apply in every state or to every type of data. Nothing in this Supplement expands Surf’s data‑collection or use practices beyond those described in the main Privacy Policy.
B. 1
States Covered
Depending on your state of residence, this Supplement may apply to you if you reside in, for example, California, Colorado, Connecticut, Utah, Virginia, or other states with similar privacy laws.
B. 2
Categories of Personal Information
For purposes of applicable state privacy laws, Surf may collect the following categories of personal information:
Identifiers (such as name, email address, and IP address);
Internet or electronic activity information related to Website use;
Communications you send to us;
Health information collected through the patient registry, as described in Supplement A.
Surf does not sell personal information and does not share personal information for targeted advertising.
B. 3
Rights You May Have Under State Law
Depending on your state of residence, you may have the right to:
Confirm whether we are processing your personal information;
Request access to the personal information we hold about you;
Request correction of inaccurate personal information;
Request deletion of personal information, subject to legal exceptions;
Obtain a copy of certain personal information in a portable format;
Opt out of certain types of processing, such as targeted advertising or sale of personal information (which Surf does not engage in).
We will not discriminate against you for exercising any applicable privacy rights.
B. 4
How to Exercise State Privacy Rights
You may submit a request to exercise applicable state privacy rights by contacting us at inquiry@surftherapeutics.com. We may need to verify your identity and state of residence before processing your request.
If permitted by law, you may designate an authorized agent to make a request on your behalf.
B. 5
Appeals
If we deny a request you submit under applicable state privacy law, you may have the right to appeal that decision. To submit an appeal, please contact us using the information above and include sufficient detail for us to review your request. We will respond within the timeframe required by applicable law.
Supplement C:
Consumer Health Data (Washington and Similar Laws)
This Supplement applies only to the extent Surf is subject to state consumer health data laws, such as the Washington My Health My Data Act, and only with respect to data covered by those laws.
C. 1
Consumer Health Data We Collect
Through the patient registry, Surf may collect consumer health data such as information about medical conditions, symptoms, treatments, and related health history, as described in Supplement A.
C. 2
How We Use and Share Consumer Health Data
We collect and use consumer health data solely for research‑outreach purposes and related administrative, compliance, and security activities.
We do not sell consumer health data and do not share it for advertising or marketing purposes.
We may share consumer health data only with:
Contract research organizations or clinical sites involved in research outreach, and only if you have consented to be contacted; or
Service providers or authorities as required by law or IRB oversight.
C. 3
Your Rights Regarding Consumer Health Data
Depending on applicable law, you may have the right to:
Confirm whether we collect or use consumer health data about you;
Access consumer health data we hold about you;
Request deletion of consumer health data;
Withdraw consent for the collection or use of consumer health data.
Requests may be submitted by contacting inquiry@surftherapeutics.com
C. 4
Changes to This Supplement
We may update this Supplement as required to comply with evolving state consumer health data laws.
