Privacy Policy

Effective Date: March 3, 2026

Last Updated: March 3, 2026

1. Introduction

GRIN Therapeutics, Inc. (“GRIN Therapeutics,” “we,” “us,” or “our”) is a clinical-stage biotechnology company dedicated to developing precision therapeutics for serious pediatric neurodevelopmental disorders. GRIN Therapeutics is an affiliate of Neurvati Neurosciences, Inc., a Blackstone Life Sciences portfolio company.

This Privacy Policy describes how we collect, use, store, share, and protect your personal information when you visit our website at grintherapeutics.com, use our services, or otherwise interact with us. This policy also describes your choices and rights regarding your personal information.

“Personal Information” means any information relating to an identified or identifiable individual, as defined under applicable privacy laws including the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA).

We may update this policy from time to time. We encourage you to review it periodically. If we make material changes, we will provide prominent notice on our website. If you do not agree with this policy, please do not use our website or services.

This policy applies to:

  • Visitors to grintherapeutics.com
  • Patients, caregivers, and family members who contact us or request information about our clinical programs
  • Healthcare professionals who engage with us regarding clinical research opportunities
  • Business partners and collaborators
  • Job applicants who submit inquiries through our website

2. What Personal Information We Collect

We collect various types of information depending on how you interact with us.

2.1 Information You Provide to Us

When you interact with us through our website, you may voluntarily provide personal information including:

  • Your name
  • Email address
  • Your self-identified role (e.g., patient, caregiver, physician, business development representative, media) when submitted through our contact forms
  • Free-text messages describing how we can assist you, which may include health-related information you voluntarily share
  • Resume, qualifications, and related information if you inquire about employment opportunities
  • Your consent to receive information about GRIN Therapeutics and updates about our research

2.2 Information Collected Automatically

When you visit our website, we may automatically collect certain information through cookies and similar technologies, including:

  • IP address, browser type and version, operating system, and device type
  • Pages visited, time spent on pages, referring URL, and clickstream data
  • Approximate geographic location derived from your IP address

2.3 Sensitive Personal Information

Our contact forms do not request health or medical information. However, visitors may voluntarily include health-related details (such as a diagnosis or clinical trial interest) in free-text form submissions. We treat any such voluntarily disclosed health information with heightened care and process it only to respond to your inquiry.

We do not use voluntarily disclosed health information for marketing purposes, and we do not require you to provide any health information to use our website.

3. How We Collect Information

We collect Personal Information through the following means:

  • Contact forms on our website for patients, clinical researchers, business partners, career inquiries, and general inquiries
  • Email communications delivered through our email marketing platform (Brevo/Sendinblue)
  • Automated technologies, including cookies, Google Tag Manager, and Google reCAPTCHA v3 (used for spam prevention on contact forms)
  • Third-party sources, including publicly available sources, clinical trial databases, or partner organizations in connection with our research programs

4. How We Use Your Information

We process your Personal Information for the following purposes:

  • To respond to your inquiries and provide requested information about our research programs and clinical trials
  • To communicate updates about GRIN Therapeutics, including clinical trial progress and corporate news, where you have opted in to receive such communications
  • To process career inquiries and job applications
  • To analyze and improve our website performance and user experience
  • To prevent fraud and spam through Google reCAPTCHA v3
  • To comply with legal obligations, including regulatory requirements applicable to clinical-stage pharmaceutical companies
  • To protect our rights and the safety of our users

5. Legal Basis for Processing (EU/EEA Visitors)

If you are located in the European Union or European Economic Area, we rely on the following legal bases under the GDPR:

  • Consent: Where you have opted in to receive communications, subscribed to updates, or consented to the use of non-essential cookies through our consent management platform.
  • Legitimate Interest: To operate and improve our website, to respond to inquiries, and to ensure website security, where our interests are not overridden by your rights.
  • Legal Obligation: Where processing is necessary to comply with applicable laws and regulations.
  • Vital Interests: In rare circumstances where necessary to protect the vital interests of an individual.

You may withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing conducted prior to withdrawal.

6. How We Share Information

We share Personal Information only as described in this policy:

  • Affiliates: With Neurvati Neurosciences, Inc. (our parent company) and its affiliates, as needed to support our operations and research programs.
  • Service Providers: With vendors who perform services on our behalf, including website hosting, email communications, spam prevention, and analytics. Our service providers are contractually prohibited from using your Personal Information for their own purposes.
  • Clinical Trial Partners: With clinical research organizations and regulatory authorities as required for our clinical development programs, subject to appropriate data protection agreements.
  • Legal Requirements: In response to valid legal process, including subpoenas, court orders, or regulatory requests, or where disclosure is necessary to protect our rights, safety, or property.
  • Business Transfers: In connection with any merger, acquisition, or sale of assets, your Personal Information may be transferred as part of the transaction.

We do not sell your Personal Information. We do not share your Personal Information with third parties for their own direct marketing purposes.

7. How Long We Retain Your Information

We retain Personal Information for as long as necessary to fulfill the purposes for which it was collected, including to satisfy legal, regulatory, accounting, or reporting requirements.

  • Contact form submissions: Retained for the duration needed to respond to your inquiry and for a reasonable period thereafter for record-keeping.
  • Email marketing data: Retained until you unsubscribe or request deletion.
  • Website analytics data: Retained in accordance with our analytics provider’s standard retention settings.
  • Career inquiries: Retained only for the internal application review process and deleted after a reasonable period.

After the applicable retention period, we will delete or anonymize your Personal Information.

8. Cookies and Tracking Technologies

Our website uses cookies and similar technologies to improve your browsing experience and to understand how visitors use our site.

8.1 Types of Cookies We Use

  • Essential Cookies: Required for basic website functionality and security. These cannot be disabled.
  • Analytics Cookies: Help us understand how visitors interact with our website. We use Google Tag Manager to manage analytics tags. These cookies are only set with your consent (for EU/EEA visitors).
  • Functional Cookies: Enable enhanced functionality, such as remembering your preferences.

8.2 Google reCAPTCHA v3

Our contact forms use Google reCAPTCHA v3 to prevent spam and abuse. reCAPTCHA collects hardware and software information and sends it to Google for analysis. Your use of reCAPTCHA is subject to Google’s Privacy Policy and Terms of Service.

8.3 Managing Your Cookie Preferences

When you first visit our website, our cookie consent banner allows you to accept or reject non-essential cookies. You can change your preferences at any time through the consent preference center accessible via the cookie icon on our website.

You may also control cookies through your browser settings. Please note that disabling cookies may affect the functionality of our website.

9. Your Rights (EU/EEA Residents)

If you reside in the European Union or European Economic Area, you have the following rights with respect to your Personal Information under the General Data Protection Regulation (GDPR):

  • Right of Access: You have the right to access the Personal Information we hold about you and to receive a copy.
  • Right to Rectification: You have the right to correct inaccurate or incomplete Personal Information.
  • Right to Erasure: You have the right to request deletion of your Personal Information, subject to legal retention requirements.
  • Right to Restrict Processing: You have the right to restrict the processing of your Personal Information in certain circumstances.
  • Right to Object: You have the right to object to processing of your Personal Information based on legitimate interests or for direct marketing purposes. We will cease processing unless we demonstrate compelling legitimate grounds.
  • Right to Data Portability: You may request a copy of your Personal Information in a structured, commonly used, machine-readable format.
  • Right Not to Be Subject to Automated Decision-Making: You have the right not to be subject to decisions based solely on automated processing, including profiling.
  • Right to Withdraw Consent: Where processing is based on consent, you may withdraw that consent at any time without affecting the lawfulness of processing before withdrawal.
  • Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority in the EU/EEA Member State of your habitual residence, place of work, or place of the alleged infringement.

To exercise any of these rights, please contact us at DPO@grintherapeutics.com.

We may request additional information to verify your identity before processing your request. We will respond within 30 days, or within the timeframe required by applicable law.

10. Information for California Residents

The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides California residents with specific rights regarding their Personal Information.

10.1 Your California Privacy Rights

  • Right to Know and Access: You may request information about the categories and specific pieces of Personal Information we have collected about you, the sources from which it was collected, the purposes for collection, and the categories of third parties with whom it has been shared.
  • Right to Delete: You may request that we delete Personal Information we have collected from you, subject to certain exceptions.
  • Right to Correct: You may request that we correct inaccurate Personal Information.
  • Right to Data Portability: You may request a copy of your Personal Information in a portable format.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

10.2 Sale and Sharing of Personal Information

We do not sell or share (as defined under CCPA/CPRA) Personal Information. We do not use or disclose sensitive Personal Information for purposes other than those permitted under CCPA/CPRA.

To opt out of any future sharing of Personal Information for cross-context behavioral advertising, click the “Do Not Sell or Share My Personal Information” link in the footer of our website, or contact us at DPO@grintherapeutics.com.

10.3 How to Exercise Your Rights

You may exercise your California privacy rights by:

We may ask for additional information to verify your identity. If you use an authorized agent, we may require written authorization. You may also designate an authorized agent to submit a request on your behalf.

10.4 Categories of Personal Information Collected

In the preceding 12 months, we have collected the following categories of Personal Information as defined by the CCPA:

  • Identifiers (name, email address, IP address)
  • Internet or other electronic network activity information (browsing history, interactions with our website)
  • Professional or employment-related information (job title, company name)
  • Geolocation data (general location inferred from IP address)

11. International Data Transfers

GRIN Therapeutics is headquartered in the United States. If you are located outside the United States, please be aware that your Personal Information may be transferred to, stored, and processed in the United States and other countries where our service providers operate.

For transfers of Personal Information from the EU/EEA or the United Kingdom to the United States, we implement appropriate safeguards, including:

  • Standard Contractual Clauses (SCCs): We use the European Commission’s Standard Contractual Clauses as a transfer mechanism where applicable, supplemented by additional safeguards where required by the circumstances of the transfer.
  • UK International Data Transfer Addendum: For transfers from the United Kingdom, we use the UK Addendum to the EU SCCs.

To obtain a copy of the transfer safeguards we use, please contact us at DPO@grintherapeutics.com.

12. Security

We implement appropriate technical and organizational measures to protect your Personal Information against accidental or unlawful destruction, loss, alteration, and unauthorized disclosure or access. These measures include:

  • Encryption of data in transit using SSL/TLS
  • Access controls limiting employee access to Personal Information on a need-to-know basis
  • Contractual requirements for service providers to maintain appropriate security standards
  • Regular review of our data collection, storage, and processing practices

No method of transmission over the internet or electronic storage is completely secure. While we strive to protect your Personal Information, we cannot guarantee absolute security. In the event of a data breach, we will notify affected individuals and relevant authorities as required by applicable law.

13. Automated Decision-Making and Profiling

We do not engage in automated decision-making or profiling that produces legal or similarly significant effects on individuals based on Personal Information collected through our website.

Google reCAPTCHA v3 uses automated analysis to distinguish human visitors from bots for spam prevention purposes only. This does not result in decisions that produce legal or similarly significant effects on you.

14. Children’s Privacy

Our website is not directed to children under the age of 13 (or under 16 for EU/EEA residents). We do not knowingly collect Personal Information from children without parental consent. If we become aware that we have collected Personal Information from a child without appropriate consent, we will take steps to delete that information.

GRIN Therapeutics’ clinical programs focus on pediatric neurodevelopmental disorders. Any Personal Information related to clinical trial participants (including minors) is collected and processed under separate clinical trial informed consent procedures and applicable clinical trial regulations, not through this website.

If you believe a child may have provided us with Personal Information through this website without parental consent, please contact us.

15. Sensitive Information

Unless specifically requested, we ask that you not send us sensitive Personal Information (such as health information, government-issued identification numbers, or information about race, religion, or political opinions) through our website. If we need to collect sensitive Personal Information, we will do so only with your explicit consent and for a stated purpose.

Our contact forms do not request health or medical information. However, visitors may voluntarily include health-related details in free-text form submissions. We treat any such voluntarily disclosed health information with heightened care and process it only to respond to your inquiry.

16. Do Not Track Signals

Some browsers include a “Do Not Track” feature that signals to websites you visit that you do not want your online activity tracked. Our consent management platform (Osano) honors Global Privacy Control (GPC) signals as a valid opt-out of the sale or sharing of Personal Information under the CCPA.

17. EU Representative and Data Protection Officer

Under GDPR Article 27, GRIN Therapeutics has designated the following representative in the European Union:

Richard Valanzola

Our Data Protection Officer can be contacted at:

dpo@grintherapeutics.com

18. Contact Us

If you have any questions about this Privacy Policy, wish to exercise your privacy rights, or want to submit a data subject access request, please contact us:

GRIN Therapeutics, Inc.

Email: DPO@grintherapeutics.com

Phone: +1-877-225-0014

Website: grintherapeutics.com/contact

We will respond to verified requests within 30 days (GDPR) or 45 days (CCPA/CPRA). If we need additional time, we will notify you of the extension and the reason.

If you are not satisfied with our response to a privacy-related inquiry, you may contact:

  • For EU/EEA residents: Your local supervisory authority. Details of EU supervisory authorities can be found at edpb.europa.eu.
  • For California residents: The California Attorney General’s office at oag.ca.gov.

19. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will update the “Last Updated” date at the top of this page and provide prominent notice where appropriate. We encourage you to review this policy periodically.