1. What information do we collect?

In Short: We collect personal information that you provide to us.

We may ask you to provide personal information for purposes including, but not limited to, the following:

• Buying our products and services.
• Activating or registering certain products and services or enhancing functionality.
• Receiving information about our products and services.
• Participating in our online communities, including our social media channels/pages.
• Storing your preferences for future interactions and communications from us.
• Helping us to develop products and services and create campaigns that are designed around you, optimize customer services, and continuously improve our websites.
• Helping us to improve products and services and allowing us to keep you informed of, or involve you in the testing of, new products and services.
• Resolving consumer and/or product and service issues.
• Registering visitors of our facilities or organized events and conferences.
• Contract or tender management.
• Receiving personalized messages, special offers, and advertisements relevant to your personal interests based on information shared with us and data collected through cookies or similar techniques.

We maintain physical, technical, and administrative safeguards to protect your personal information and only allow disclosures as permitted by law to assist in providing products or services. We may also collect product and service information and provide these statistics to others in an aggregated, de-identified form.

Personal information collected may include:

• Contact details (e.g., name, address, email, phone, organization name, job title).
• Unique identifiers and technical data (e.g., username, password, marketing preferences, account settings, IP address, browser type, operating system, device model, session data).
• Resume or CV details (e.g., work history, qualifications, references, completed trainings).
• Travel and identity information (e.g., passport info, social security number where required by law, emergency contacts, family details per local law).
• Financial information (e.g., bank account details, creditworthiness, VAT number, purchase history).
• Multimedia data (e.g., pictures, video, audio recordings with permission).
• Sensitive personal information (e.g., health data, product claim reports, criminal records for due diligence in accordance with law).

All personal information that you provide to us must be true, complete, and accurate, and you must notify us of any changes to such personal information.

2. how do we process your information?

In Short: We process your information based on valid legal grounds to provide, operate, and improve our services, communicate with you, ensure security, comply with legal requirements, and fulfill other purposes with your consent.

We process your personal information for various reasons, depending on how you interact with our services, including:

• Providing and delivering services: We process your information to provide the products and services you request.
• Managing customer support and inquiries: We process your information to respond to questions, troubleshoot issues, and provide customer support.
• Sending administrative information: We process your information to provide updates about our products, services, policies, and important account-related information.
• Fulfilling and managing orders: We process your information to facilitate and manage orders, payments, returns, and related transactions.
• Enabling user interactions: If you use features that allow communication with other users, we may process your information to facilitate those communications.
• Enhancing security and preventing fraud: We use your information to safeguard our systems, detect fraudulent activity, and ensure compliance with security protocols.
• Meeting legal and regulatory obligations: We process personal information as required to comply with applicable laws, enforce agreements, respond to legal proceedings, and meet industry-specific regulations.
• Protecting vital interests: We may process your information when necessary to prevent harm or protect an individual's vital interests.

3. What legal bases do we rely on to process your information?

In Short: We process your personal information only when it is both necessary and lawful. Lawful bases for processing include your consent, legal obligations, contractual necessity, protection of vital interests, and our legitimate interests.

If you are located in the EU or UK

The GDPR and UK GDPR require us to specify the legal bases we rely on to process your personal information. We may process your information under the following legal bases:

• Consent: We process your information when you have given us explicit permission to do so for a specific purpose. You can withdraw your consent at any time.
• Performance of a Contract: We process your information when it is necessary to fulfill our contractual obligations to you, including providing our services or responding to your requests before entering into a contract.
• Legal Obligations: We process your information when required to comply with legal obligations, such as cooperating with law enforcement, regulatory agencies, or legal proceedings.
• Legitimate Interests: We process your information when it is necessary for our legitimate business interests, provided that those interests do not override your fundamental rights and freedoms.
• Vital Interests: We process your information when necessary to protect your vital interests or those of another individual, such as in cases involving potential threats to safety.

If you are located in Canada

Under Canadian privacy laws, we may process your personal information with:

• Express consent: You have given us explicit permission to use your personal information for a specific purpose.
• Implied consent: Your permission can be reasonably inferred from your actions or the nature of our interactions.

You can withdraw your consent at any time.

In certain circumstances, we may process your information without consent when permitted by law, including:

• When collection is clearly in the best interest of an individual and consent cannot be obtained in a timely manner.
• For investigations related to fraud detection and prevention.
• For business transactions, subject to specific conditions.
• When necessary to assess, process, or settle an insurance claim based on a witness statement.
• For identifying injured, ill, or deceased persons and communicating with their next of kin.
• When we have reasonable grounds to believe an individual has been, is, or may be a victim of financial abuse.
• When obtaining consent would compromise the availability or accuracy of information collected for investigating breaches of agreements or legal violations.
• When disclosure is required by a subpoena, warrant, court order, or other legal mandate.
• When the information was produced by an individual in a professional capacity and is collected for a consistent purpose.
• When processing is solely for journalistic, artistic, or literary purposes.
• When the information is publicly available as defined by applicable regulations.

We apply appropriate safeguards to ensure compliance with all applicable legal frameworks while respecting your rights and privacy.

4. When and with whom do we share your personal information?

In Short: We may share your information in specific situations as described in this section and with certain third parties.

We share personal information only when necessary and in accordance with applicable laws. This may include the following situations:

• Business Transfers. We may share or transfer your information in connection with, or during negotiations for a merger, acquisition, sale of company assets, financing, or other business transactions involving all or part of our company.
• Affiliates and Internal Use. We may share your information within our organization, including our parent company, subsidiaries, affiliates, or other companies under common control to facilitate internal business operations, manage HR processes, support IT infrastructure, and ensure compliance. These entities are required to honor this Privacy Notice.
• Human Resources and Employment-Related Use: If you are an employee, contractor, or job applicant, we may process and share your personal information for HR-related purposes, including payroll, benefits administration, performance management, background checks (where permitted by law), workplace compliance, and regulatory reporting.
• Business Partners. With your consent where required, we may share your information with trusted business partners to provide you with specific products, services, and promotional offers that may be of interest to you.
• Service Providers. We may engage third-party vendors, contractors, or agents to perform services on our behalf, such as payment processing, IT support, customer service, and marketing activities. These service providers are contractually required to protect your information and are bound by Data Processing Agreements.
• Legal and Regulatory Requirements: We may disclose your information when required by law, such as to comply with legal processes (e.g., subpoenas, court orders, government requests), enforce our policies, or protect the rights, property, or safety of our company, customers, or others.
• Protecting Rights and Preventing Harm: We may share information when necessary to detect, prevent, or address fraud, security risk, misconduct, or other harmful activities that could impact individuals or our business.

We take appropriate steps to ensure that any internal or external parties with whom we share personal information maintain confidentiality and process data in compliance with applicable privacy laws.

5. How do we handle employee data?

In Short: We process employee and HR data for essential employment-related purposes, including payroll, benefits, recruitment, compliance, and workplace safety. Access is strictly limited to authorized personnel.

We collect and process personal information from employees, job applicants, and contractors for the following purposes:

• Payroll, benefits administration, and compensation: Managing salaries, tax reporting, retirement plans, and employee benefits.
• Recruitment, onboarding, and performance evaluations: Processing applications, conducting background checks (where permitted by law), onboarding new hires, and evaluating performance.
• Legal and regulatory compliance: Meeting workplace regulations, labor laws, and reporting obligations.
• Workplace safety and emergency preparedness: Maintaining workplace security, processing health and safety reports, and managing emergency contact information.

Access and Protection of HR Data

HR data is accessed only by authorized personnel, including the HR department, payroll processors, and regulatory bodies when legally required. We implement safeguards to ensure confidentiality and compliance with applicable privacy laws.

Employee Rights & HR Data Requests

Employees, job applicants, and contractors have the right to:

• Access, update, or request deletion of their personal data, subject to legal and business requirements.
• Understand how their data is processed, stored, and protected.
• Report concerns related to HR data privacy or potential misuse.

To exercise these rights, individuals can submit a request through our HR department or contact our designated privacy officer.

6. Do we use cookies and other tracking technologies?

In Short: We may use cookies and other tracking technologies to collect, store and manage your information.

We may use cookies and similar tracking technologies (like web beacons and pixels) when you interact with our Services. These technologies help us:

• Maintain security and prevent unauthorized access.
• Improve website stability by preventing crashes and fixing bugs.
• Save your preferences and enhance user experience.
• Support basic site functionality and performance.

Third-Party Tracking and Advertising

We allow third parties and service providers to use online tracking technologies for analytics and advertising purposes, including:

• Managing and displaying advertisements.
• Understand how their data is processed, stored, and protected.
• Sending reminders, such as abandoned shopping cart notifications (based on your communication preferences).

These third parties may use their tracking technologies to deliver targeted advertising on our services or across other websites.

Your Choices and Opt-Out Options

If these tracking technologies are classified as a “sale” or “sharing” (including targeted advertising) under applicable U.S. state privacy laws, you can opt out by submitting a request as described in "DO UNITED STATES RESIDENTS HAVE SPECIFIC PRIVACY RIGHTS?"

For more details on how we use cookies and how you can manage your preferences, please refer to our Cookie Policy.

7. Is your information transferred internationally?

In Short: We may transfer, store, and process your information in countries other than your own.

Our servers are located in the United States. If you access our services from outside the United States, your information may be transferred to, stored in, and processed in our facilities or by third parties with whom we may share personal information (see "WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION?").  This includes transfers to the United States, United Kingdom, Germany, Denmark, and other countries.

International Data Transfers and Legal Safeguards

If reside in the European Economic Area (EEA), United Kingdom (UK), or Switzerland, please note that some of these countries may not have data protection laws as comprehensive as those in your home country. However, we take all necessary measures to protect your personal information in accordance with this Privacy Notice and applicable law.

European Commission's Standard Contractual Clauses:

We have implemented safeguards, including the European Commission's Standard Contractual Clauses (SCCs), for personal data transfers between:

• Our affiliated group companies
• Our third-party service providers

These clauses require recipients to protect personal information originated from the EEA or UK in accordance with European data protection laws. Our SCCs are available upon request. We have implemented similar safeguards with our third-party providers, and additional details can be provided upon request.

Compliance with the Data Privacy Framework (DPF)

We comply with the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework as set forth by the U.S. Department of Commerce for handling personal data received from the EU, UK (and Gibraltar), and Switzerland.

We have certified to the U.S. Department of Commerce that we adhere to the Data Privacy Framework Principles. In cases where there is a conflict between this Privacy Notice and the Data Privacy Framework Principles, the Principles shall govern. Learn more about the Data Privacy Framework program.

• Data Privacy Framework (DPF) Program website: https://www.dataprivacyframework.gov

Your Rights Under the Data Privacy Framework

If you are an EU, UK or Swiss resident, you have the right to:
Confirm whether we maintain personal information about you in the United States.
Request access to, correct of, or deletion of your personal information.

To exercise these rights, submit a request to dpo@evergenbio.com. We will respond within a reasonable timeframe.

If we transfer your information to a third-party agent in the United States, and they process your data in a manner inconsistent with the Data Privacy Framework Principles, we remain liable unless we can prove we are not responsible for the event leading to the change.

Opt-Out and Dispute Resolution

We provide an opt-out choice, or opt-in for sensitive data, before sharing your information with third parties beyond our agents or using it for purposes different from those originally collected. To limit the use and disclosure of your personal information, please submit a request to dpo@evergenbio.com.

We commit to resolving complaints regarding privacy and data use under the Data Privacy Framework Principles. If you have inquiries or complaints, contact us at dpo@evergenbio.com.

If your Data Privacy Framework complaint cannot be resolved through our internal process, you may invoke binding arbitration under certain conditions.

We are subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC). In some cases, we may be required to disclose personal information in response to lawful requests by public authorities, including those related to national security or law enforcement.

For additional details, refer to the following sections of this Privacy Notice:

• WHAT INFORMATION DO WE COLLECT? Learn about the types of personal data we collect.
• HOW DO WE PROCESS YOUR INFORMATION? Understand the purposes for processing your data.
• WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION? See the third parties with whom we may share data.
• WHAT ARE YOUR PRIVACY RIGHTS? Review your rights to access and control your personal data.

8. How long do we keep your information?

In Short: We retain your information only as long as necessary to fulfill the purposes outlined in this Privacy Notice, unless otherwise required by law.

We will keep your personal information only for as long as it is necessary to:

• Fulfill the purposes described in this Privacy Notice.
• Comply with legal, tax, accounting, or regulatory requirements.
• Resolve disputes and enforce our agreements.

When we no longer have a legitimate business need to process your personal information, we will:

• Delete or anonymize the information.
• Securely store and restrict access if immediate deletion is not possible (e.g., due to legal retention requirements or secure backup archives).

We apply appropriate safeguards to ensure that retained information is protected and used only for legitimate purposes.

9. How do we keep your information safe?

In Short: We protect your personal information using a system of organizational and technical security measures.

We have implemented appropriate and reasonable security measures to protect your personal information from unauthorized access, loss, misuse or disclosure.  These safeguards include:

• Technical protections – Encryption, firewalls, access controls, and secure servers to protect data in transit and at rest.
• Organizational safeguards – Access restrictions, employee training, and security protocols to prevent unauthorized use or disclosure.

Despite our best efforts, no security system is entirely foolproof, an unauthorized access, data loss/breaches or cyber threats may still occur.

To help protect your personal information:

• Use a secure network when accessing our services.
• Create strong, unique passwords and enable multi-factor authentication where available.
• Be cautious when sharing personal information online.
• Understand the risks – While we take extensive security measures, transmitting personal information to and from our services is at your own risk, as outlined in our Terms of Use.

If you suspect any unauthorized access or security concerns, please contact us immediately.

10. Do we collect information from minors?

In Short: We do not knowingly collect data from or market to children under 18 years of age.

We have implemented appropriate and reasonable security measures to protect your personal information from unauthorized access, loss, misuse or disclosure.  These safeguards include:

If we become aware that we have collected personal information from a child under 18, we will:

• Deactivate the account (if applicable)
• Organizational safeguards – Access restrictions, employee training, and security protocols to prevent unauthorized use or disclosure.

If you believe we have collected personal information from a minor under 18, please contact us at immediately at dpo@evergenbio.com so we can take appropriate action.

11. What are your privacy rights?

In Short: Depending on your state of residence in the U.S. or in certain regions, such as the European Economic Area (EEA), United Kingdom (UK), Switzerland, and Canada, you have rights that provide greater access to and control over your personal information. You may review, modify, or request the deletion of your data at any time, subject to applicable laws.

In some regions (such the EEA, UK, Switzerland, and Canada), you may have the right to:

• Access and obtain a copy of your personal information.
• Request correction (rectification) or deletion (erasure) of your personal information.
• Restrict processing of your personal information.
• Request data portability, where applicable.
• Object to the processing of your personal information in certain circumstances.
• Not be subject to automated decision-making.

You can exercise these rights by contacting us using the details provided in "HOW CAN YOU CONTACT US ABOUT THIS NOTICE?". We will assess and respond to your request in accordance with applicable data protection laws.

How to File a Complaint

HR data: In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, we commit to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of human resources data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF in the context of the employment relationship.

Non-HR/personal data: In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, we commit to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF.

If you believe we are unlawfully processing your personal information, you have the right to lodge a complaint with your local data protection authority:

• EEA or UK: Contact your Member State’s data protection authority or the UK ICO.
• Switzerland: Contact the FDPIC.

Withdrawing your consent

If we rely on your consent to process your personal information, you have the right to withdraw your consent at any time. You do this by contacting us using the contact details provided in "HOW CAN YOU CONTACT US ABOUT THIS NOTICE?"

Important Note: Withdrawing consent will not affect the lawfulness of processing conducted before the withdrawal. Additionally, in certain cases where we process your information on other legal grounds, withdrawal may not impact ongoing processing.

Opting out of marketing and promotional communications

You can unsubscribe from our marketing communications at any time by:

• Clicking on the unsubscribe link in or emails.
• Contacting us via the details provided in "HOW CAN YOU CONTACT US ABOUT THIS NOTICE?"

Even after opting out, we may still send you non-marketing communications, such as:

• Service-related notifications necessary for account administration.
• Responses to service requests or other essential communications.

Cookies and similar technologies

Most Web browsers accept cookies by default. If you prefer, you can adjust your browser settings to remove or reject cookies. Be aware that doing so may impact certain features or functionality of our services.

For more details, please refer to our Cookie Policy.

If you have any questions or concerns about your privacy rights, contact us at dpo@evergenbio.com.

12. Controls for Do-not-Track features

In Short: We do not currently respond to Do-Not-Track (DNT) signals due to the lack of an industry-wide standard.

Most web browsers, some mobile operating systems, and certain mobile applications include a Do-Not-Track ("DNT") feature, allowing you to signal your privacy preference to prevent tracking of your online browsing activities.

However, there is currently no uniform standard for recognizing and implementing DNT signals. As such, we do not currently respond to DNT browser signals or similar automated mechanisms. If an industry standard for online tracking is established that we are required to follow, we will update this Privacy Notice accordingly.

You can exercise these rights by contacting us using the details provided in "HOW CAN YOU CONTACT US ABOUT THIS NOTICE?". We will assess and respond to your request in accordance with applicable data protection laws.

California Compliance

California law requires us to disclose how we handle web browser signals. Because there is no established legal or industry standard for recognizing DNT requests, we do not currently respond to them.

13. Do United States residents have specific privacy rights?

In Short: If you reside in California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Tennessee, Texas, Utah, or Virginia, you may have rights regarding your personal information, including the right to access, withdraw you consent, correct, obtain a copy of, or request deletion of your data. These rights may be subject to legal limitations.

Categories of Personal Information We Collect

In the past twelve (12) months, we have collected the following categories of personal information:

You can exercise these rights by contacting us using the details provided in "HOW CAN YOU CONTACT US ABOUT THIS NOTICE?". We will assess and respond to your request in accordance with applicable data protection laws.

We may also collect additional personal information through:

• Employee records (payroll, benefits, tax reporting).
• Recruitment & hiring processes (background checks, job applications).
• Workplace compliance & legal requirements (safety, disciplinary records).
• Customer support interactions (phone, email, or in-person communications).
• Surveys, contests, and marketing promotions.
• Service facilitation and inquiry responses.

We retain collected information as needed to provide our services for:

• Category A & B - As long as the user has an account with us.
• Category H, I, J & L – As required by employment laws or HR policies.

For more details, refer to:

• WHAT INFORMATION DO WE COLLECT?
• HOW DO WE PROCESS YOUR INFORMATION?
• WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION?

Sharing of Personal Information

We may disclose personal information to service providers under a written contract. However, in the past 12 months, we have not disclosed, sold, or shared personal information for business or commercial purposes. We do not intend to sell or share personal information in the future.

Your Privacy Rights

You may have the following rights under certain U.S. state data protection laws:

• Right to know if we process your data.
• Right to access your personal data.
• Right to correct inaccuracies.
• Right to delete personal data.
• Right to obtain a copy of personal data you previously provided.
• Right to non-discrimination for exercising your rights.
• Right to opt out of:
  
• Targeted advertising (or "sharing" as defined under California privacy law).
  
• Sale of personal data.
  
• Profiling that has legal or significant effects.
  

Depending on where you live, you may also have:

• Right to access categories of processed data (Minnesota law).
• Right to obtain a list of data recipients (California & Delaware law).
• Right to obtain a list of specific third parties to whom data was disclosed (Minnesota & Oregon law).
• Right to review, understand, question, and correct profiling (Minnesota law).
• Right to limit use, sharing, or disclosure of sensitive personal data (California law).
• Right to opt out of voice/facial recognition data collection (Florida law).

How to Exercise Your Rights

To submit a request, contact us at:

Data Protection Officer
Evergen
11621 Research Circle
Alachua, FL 32615dpo@evergenbio.com

We will honor your opt-out preferences signaled through Global Privacy Control (GPC) settings in your browser.

You may designate an authorized agent to make requests on your behalf. We may required verification of both your identity and the agent’s authorization.

Request Verification

Upon receiving a request, we will:

• Verify your identity using available data.
• Request additional information if necessary for security or fraud prevention.
• Require written, signed authorization if submitted by an agent.

Appeals

If we decline your request, you may appeal our decision by emailing dpo@evergenbio.com. If your appeal is denied, you may file a complaint with your state Attorney General’s office.

California "Shine The Light" Law

Under California Civil Code Section 1798.83, also known as the “Shine the Light” law, California residents may request, once a year and free of charge:

• Categories of personal information disclosed for direct marketing.
• Names and addresses of third parties with whom information was shared in the past calendar year.

To submit a request, contact us via HOW CAN YOU CONTACT US ABOUT THIS NOTICE?.

14. Do any other regions have specific privacy rights?

In Short: Depending on the country you reside in, you may have additional privacy rights.

New Zealand

We collect and process personal information in accordance with New Zealand's Privacy Act 2020 (Privacy Act).

This Privacy Notice satisfies the notice requirements under the Privacy Act, including details on:

• The personal information we collect and its sources.
• The purposes for which we collect and process personal information.
• The categories of recipients with whom we may share personal information.

If you do not wish to provide the personal information required for a specific purpose, it may affect our ability to:

• Offer certain products or services.
• Respond to or assist with your requests.

Under the Privacy Act 2020, you have the right to:

• Access the personal information we hold about you.
• Request corrections to any inaccurate or incomplete personal information.

To exercise these rights, please contact us using the details provided in "HOW CAN YOU REVIEW, UPDATE, OR DELETE THE DATA WE COLLECT FROM YOU?"

If you believe we are unlawfully processing your personal information, you may submit a complaint to the Office of the New Zealand Privacy Commissioner via privacy.org.nz.

15. Do we make updates to this notice?

In Short: Yes, we update this notice as necessary to stay compliant with relevant laws.

We may update this Privacy Notice from time to time to reflect changes in laws, industry practices, or our data processing activities. Any updates will be identified by the "Revised" date at the top of this Privacy Notice.

If we make material changes, we may notify you by:

• Posting a prominent notice on our website or services.
• Sending a direct notification, where required by law.

We encourage you to review this Privacy Notice periodically to stay informed about how we protect your information.

16. How can you contact Us about this Notice?

If you have questions or comments about this Privacy Notice, you may contact our Data Protection Officer (DPO) at:

Data Protection Officer
Evergen
11621 Research Circle
Alachua, FL 32615
dpo@evergenbio.com

We will respond to your inquiries in accordance with applicable data protection laws.

17. How can you review, update, or delete the data we collect from you?

Depending on the laws of your country or U.S. state of residence, you may have the right to:

• Access the personal information we have collected about you.
• Receive details about how we process your personal information.
• Correct inaccuracies in your personal information.
• Request deletion of your personal information.
• Limit the use or disclosure of your personal information.
• Withdraw your consent to our processing of your personal information (where applicable).

These rights may be subject to legal limitations based on applicable privacy laws.

To request to review, update, or delete your personal information, please submit a data subject access request by contacting dpo@evergenbio.com.