Privacy policy


INTRODUCTION

Welcome to Geron Corporation’s Privacy Policy.

Your privacy is important to us. We have developed this Privacy Policy to describe how Geron Corporation (“Geron”, “we” or “us”) collects, stores, uses, and otherwise processes personal data.

This Privacy Policy applies to the personal data we collect on our website(s) that link to this Privacy Policy, as well as through social media, marketing activities, live events, and your interactions with us (collectively, the “Service”). This Privacy Policy also explains the rights and choices available to individuals whose personal data we maintain.

Geron may provide additional or supplemental privacy policies for specific products or services. For example, we may provide additional privacy notices to you in connection with your participation in our programs, events, or other engagements with Geron. Such notices will govern our privacy practices in connection with those engagements to the extent there is any conflict between this Privacy Policy and the engagement-specific notice.

Except with respect to our participation in the Data Privacy Framework, this Privacy Policy does not apply to personal data we maintain about clinical trial participants and clinical site staff (including investigators) that we collect in connection with clinical trials. Protocols and additional privacy notices specific to our clinical trials govern our privacy practices in connection with clinical trials.

Depending on where you live, an additional privacy disclosure may apply to you:

Additionally, we have a separate disclosure for the collection and processing of Consumer Health Data, as defined by the consumer health privacy laws in Nevada and Washington, which you can find here.

SOURCES OF PERSONAL DATA

We collect personal data in the following ways:

  • Information you provide to us. Personal data and other information you may provide to us through the Service.
  • Information automatically collected. We automatically collect certain information when you visit, use, or navigate the Service, including through cookies and similar technologies.
  • Information that we obtain from third party sources. We may receive personal data about you from third party sources, such as public websites or social media websites. If you apply for employment with us, we may collect your personal data from references, prior employers, and background check providers.

PERSONAL DATA WE COLLECT

We may collect the following categories of personal data:

  • Identifiers, such as name, job title and employer name, email address, mailing address, social media handle, photograph, and phone number.
  • Records we maintain, including your health information, the communications that we exchange with you, your preferences for receiving our marketing communications, survey responses, and your digital or electronic signature.
  • Professional or employment-related information, such as professional credentials, educational and professional history, institutional affiliations, background checks, and information of the type included on a resume or curriculum vitae (such as work experience, education, salary, and languages spoken).
  • Non-precise geolocation data. We collect non-specific geolocation data to provide you with our Service and to better tailor our Service to you depending on your geographic region.
  • Internet or other electronic network activity information, such as IP Address, your device ID and operating system, your Internet service provider and location, browser type and language, website content you access, and information about the date, time and duration of your visit.

Some of the information we collect may be considered sensitive personal data under privacy laws, such as your health information.

HOW WE USE AND DISCLOSE PERSONAL DATA

We use and disclose the personal data we collect for a variety of business purposes as described in the chart below.

Each entry below gives the business purpose and lawful basis for collection and processing, the categories of personal data, and the categories of third parties that receive personal data for a business purpose.

Business Purpose: To manage our relationship with you, including responding to your requests or inquiries, giving you access to content or information you request, and better understanding your interests and needs.

Lawful Basis: Processing is necessary to perform the contract governing our provision of our Service or to take steps that you request prior to signing up for the Service.

Categories of Personal Data:

  • Identifiers
  • Records we maintain
  • Internet or other electronic activity information
  • Non-precise geolocation data

Categories of Third Parties that Receive Personal Data for a Business Purpose:

  • Service providers
  • Professional advisors
  • Business partners
  • Advertising partners

Business Purpose: To manage our recruiting and process job applications.

Lawful Basis: Processing is based on our legitimate interests in hiring quality candidates and, in the case of certain sensitive personal data, your consent.

Categories of Personal Data:

  • Identifiers
  • Internet or other electronic activity information
  • Non-precise geolocation data
  • Professional and employment-related information

Categories of Third Parties that Receive Personal Data for a Business Purpose:

  • Service providers
  • Professional advisors
  • Third parties as required by law

Business Purpose: To analyze, personalize, and improve the Service and our business.

Lawful Basis: Processing is based on our legitimate interests to offer and tailor our Services to you.

Categories of Personal Data:

  • Identifiers
  • Records we maintain
  • Internet or other electronic activity information
  • Non-precise geolocation data

Categories of Third Parties that Receive Personal Data for a Business Purpose:

  • Service providers
  • Professional advisors
  • Business partners
  • Advertising partners

Business Purpose: To market and advertise our products and Service, including via email and digitally.

Lawful Basis: Processing is based on our legitimate interests to offer and tailor our Services to you.

Categories of Personal Data:

  • Identifiers
  • Records we maintain
  • Internet or other electronic activity information
  • Non-precise geolocation data

Categories of Third Parties that Receive Personal Data for a Business Purpose:

  • Service providers
  • Professional advisors
  • Business partners
  • Advertising partners

Business Purpose: To comply with our legal obligations, including with respect to responding to authorities or reporting to government entities.

Lawful Basis: Processing is necessary to comply with our legal obligations and our legitimate interests to manage our business and operations.

Categories of Personal Data:

  • Identifiers
  • Records we maintain
  • Internet or other electronic activity information
  • Non-precise geolocation data
  • Professional and employment-related information

Categories of Third Parties that Receive Personal Data for a Business Purpose:

  • Service providers
  • Professional advisors
  • Third parties as required by law
  • In connection with a business deal

Business Purpose: To create aggregated, de-identified, or other anonymous data; once the personal data has been aggregated, de-identified, or anonymized, we may use and disclose the data without restriction and in compliance with law.

Lawful Basis: Processing is based on our legitimate interests to improve and tailor our Services to you.

Categories of Personal Data:

  • Identifiers
  • Records we maintain
  • Internet or other electronic activity information
  • Non-precise geolocation data
  • Professional and employment-related information

Categories of Third Parties that Receive Personal Data for a Business Purpose:

  • Service providers

Business Purpose: To operate our business in an effective and compliant way, including to ensure you can access the Service, prevent fraud, protect our interests as a company, assess and defend claims, exercise rights and protect the rights of others, and for corporate matters like restructuring or potential reorganization or sale of our business or assets.

Lawful Basis: Processing is based on our legitimate interests to manage our business and operations.

Categories of Personal Data:

  • Identifiers
  • Records we maintain
  • Internet or other electronic activity information
  • Non-precise geolocation data
  • Professional and employment-related information

Categories of Third Parties that Receive Personal Data for a Business Purpose:

  • Service providers
  • Professional advisors
  • Business partners
  • Advertising partners
  • Third parties as required by law
  • In connection with a business deal

We use your sensitive personal data only for legitimate business purposes, including to (i) perform services or provide goods reasonably expected by an average person; (ii) detect security incidents; (iii) resist malicious, deceptive or illegal actions; (iv) ensure the physical safety of individuals; (v) for short-term, transient use; (vi) perform or provide internal business services; or (vii) verify or maintain the quality or safety of a service or device.

We may use your personal data for reasons not described in this Privacy Policy when permitted by law and the reason is compatible with the purpose for which we collected it.

Below is a description of the third parties that may receive personal data from us for a purpose listed in the chart above:

  • Service providers that perform services on our behalf. It is our policy to prohibit our service providers from using your personal data for any purpose other than to provide services to us. We use the following types of service providers:
    • Companies that analyze data and provide business support (such as data storage and technology services);
    • Event planning and travel organizations that help facilitate our programs and services; and
    • Companies that support us in product marketing and commercialization.
  • Professional advisors, such as lawyers, auditors, bankers and insurers, where necessary in the course of the professional services that they render to us.
  • Business partners, such as entities with whom we jointly offer services or co-sponsor events. These entities may collect data directly from you or via our Service.
  • Advertising partners, such as companies that help us display digital ads and track conversions.
  • Government or law enforcement officials or private parties as required by law, as we believe necessary or appropriate to comply with applicable law and lawful requests and legal process.
  • In connection with any business deal (or potential business deal) such as a merger, consolidation, sale of some or all of our business or assets, financing or acquisition, reorganization, or in the event of bankruptcy.

Please keep in mind that whenever you voluntarily make your personal data available for viewing by third parties or the public on or through our Service, that information can be seen, collected and used by others. We are not responsible for any use of such information by others.

COOKIES AND SIMILAR TECHNOLOGIES

We, our service providers, and our business partners may automatically collect information about you through the use of cookies and similar technologies. These cookies help us understand how you use the Service, help you navigate between pages efficiently, remember your preferences, deliver advertisements, and generally improve your browsing experience. In addition to cookies, our Services and emails may use pixel tags (also known as web beacons and clear GIFs) to compile statistics about use of the Services, measure the success of our marketing campaigns, and indicate whether recipients of our emails open or click links within them. For more information about the cookies we use, please visit the cookie policy linked to the website you are viewing.

YOUR CHOICES AND RIGHTS

Opt out of marketing communications. You may opt out of marketing-related emails by clicking the “Unsubscribe” link at the bottom of each such email. If you opt out, you will continue to receive service-related and other non-marketing emails.

Do Not Track. Some Internet browsers may be configured to send “Do Not Track” signals to the online services that you visit. We currently do not respond to “Do Not Track” or similar signals. To find out more about “Do Not Track,” please visit http://www.allaboutdnt.com.

Global Privacy Control. Individuals can automatically signal their privacy preferences to websites and other online services through their browser or through a browser extension called the Global Privacy Control (GPC). Depending on where you live, we may take steps to honor your preferences set by the GPC or any similar reputable universal opt-out mechanism.

Additional Privacy Rights. Depending on where you live, you may have additional choices and rights with respect to your personal data. Please review our state and region-specific disclosures below for more information. If you have a question about your rights, you may contact us at [email protected].

SECURITY

Geron takes reasonable measures to protect your personal data from unauthorized access and against loss, misuse or alteration. These security measures are designed to provide a level of security commensurate with the risk presented by our processing activities. However, security risk is inherent in all internet and information technologies, and we cannot guarantee the security of your personal data.

REGION SPECIFIC DISCLOSURES

CALIFORNIA DISCLOSURES

If you are a resident of California, this Privacy Policy describes our data collection, use, and disclosure practices over the past 12 months. In addition:

  • We have sold or shared, as defined by California law, the following categories of personal data with our targeted advertising service providers and partners: identifiers, internet or other electronic activity information, and non-precise geolocation data.
  • We do not knowingly sell personal data of minors under 18.
  • We do not sell personal data in exchange for monetary consideration.

In addition to the rights and choices outlined above, you may also request to exercise the following privacy rights:

  • Right to know: The right to request to know what personal data we collected about you (categories and specific data elements), from where we collected it, why we have collected, sold, or shared it, and to whom we have disclosed it.
  • Right to delete: The right to request that we delete personal data we collected from you.
  • Right to correct: The right to correct inaccurate personal data we maintain about you.
  • Right to opt out: The right to opt out of certain automated processing and profiling activities, as well as the sale and sharing of your personal data for targeted advertising purposes. We do not currently engage in practices involving automated processing, profiling, or selling/sharing personal data.

To exercise these rights, you can contact us by email at [email protected] or phone at +1 (855) 437-6664. An authorized agent can make a request on your behalf. When reviewing your request, we may ask for additional information to verify your and/or your agent’s identity. We will only use the personal data provided in the verification process to verify your identity or authority to make a request and to track and document requests and our responses, unless you initially provided the information for another purpose.

We will not discriminate against you if you exercise your privacy rights.

California Civil Code Section 1798.83, also known as the “Shine The Light” law, permits our users who are California residents to request and obtain from us, once a year and free of charge, information about categories of personal data (if any) we disclosed to third parties for direct marketing purposes and the names and addresses of all third parties with which we disclosed personal data in the immediately preceding calendar year. If you are a California resident and would like to make such a request, please submit your request in writing to us using the contact information provided below. You may opt out of these disclosures by writing us at [email protected] or configuring your cookie settings to reject non-essential cookies.

OTHER U.S. STATE DISCLOSURES

This Privacy Policy describes our data collection, use, and disclosure practices for residents of U.S. states. Residents of certain U.S. states, including Colorado, Delaware, Maryland, Montana, Oregon, Texas, and Virginia, may also request to exercise the following privacy rights (subject to any applicable exemptions and limitations):

  • Right to access: You have the right to confirm whether we are processing your personal data and to access such personal data.
  • Right to correct: You have the right to request that we correct inaccurate personal data that we maintain about you.
  • Right to delete: You have the right to request that we delete your personal data under specific circumstances.
  • Right to opt-out: You have the right to object or opt out of certain types of processing, including: (1) processing for the purpose of targeted advertising, (2) processing for the purpose of the sale of personal data, and (3) processing for the purpose of certain types of profiling and automated decision-making. We do not currently engage in practices involving targeted advertising, automated processing, profiling, or selling personal data on our consumer-facing websites.
  • Right to data portability: You have the right to request a copy of your personal data in an accessible format.
  • Right to appeal: If we do not grant your consumer request, you may have the right to appeal that denial.

If you are a resident of Oregon or Minnesota, you also have the right to request a list of third parties to whom we disclose personal data.

To exercise these rights, you can contact us by email at [email protected] or phone at +1 (855) 437-6664. We may take steps to verify your identity and the identity of an authorized agent (if such authorized agent is permitted by law) prior to reviewing your request. If you choose to exercise any of these rights, we will not discriminate against you in any way. If you exercise certain rights, understand that you may be unable to use or access certain features of the Website or our services or properties.

NEVADA AND WASHINGTON DISCLOSURES

We collect consumer health information as defined by laws in Nevada and Washington. Our consumer health information disclosures can be found here.

EEA AND UK DISCLOSURES

If you are located in the EEA or UK, in addition to the rights and choices outlined above, you may also request to exercise the following privacy rights:

  • Right of access: Provide you access to your personal data.
  • Right to correct: Correct or update your personal data.
  • Right of deletion: Delete your personal data.
  • Right to data portability: Transfer your personal data in machine readable form to you or a third party of your choosing.
  • Right to restrict: Restrict processing of your personal data.
  • Right to object: Object to our reliance on our legitimate interests as the basis of our processing of your personal data.
  • Right to withdraw consent at any time: Where we are relying on consent to process your personal data, you have the right to withdraw your consent at any time. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent.

You may submit these requests by contacting us at [email protected]. If permitted by law, we may request specific information from you to help us confirm your identity and process your request. Applicable law may require or permit us to decline your request. If we decline your request, we will tell you why, subject to legal restrictions. If you would like to submit a complaint about our use of your personal data or response to your requests regarding your personal data, you may contact us as described above or submit a complaint to the data protection regulator in your jurisdiction. You can find your data protection regulator here.

THIRD-PARTY SITES AND SERVICES

We may provide links to third-party applications, services or websites that are not owned or operated by Geron. These links are not an endorsement, authorization, or representation that we are affiliated with that third party. You understand that when you click on these links any data which you provide to the third party is subject to that third party’s privacy policy and not to ours. We do not control websites, mobile applications or online services operated by third parties, and we are not responsible for their actions or the content, safety, privacy or security of any third-party application, service or website.

DATA RETENTION

We retain your personal data for as long as needed to fulfill the purposes for which we collected it, including for the purposes of complying with our legal obligations, resolving disputes, and enforcing our agreements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. When we no longer require the personal data we have collected about you, we will either delete or anonymize it. If we anonymize your personal data (so that it can no longer be associated with you), we may use this information indefinitely without further notice to you.

OUR POLICY REGARDING CHILDREN

The Service is not intended for use by anyone under 18 years of age. We do not knowingly collect or solicit personal data from anyone under the age of 18 through our Service, or knowingly allow such persons to use our Service. In the event that we learn that we have collected personal data from a child under the age of 18 without the consent of the child’s parent or guardian as required by law through our Service, we will comply with applicable legal requirements to delete that personal data. If you believe that we might have any personal data from or about a child under the age of 18, please contact us.

INTERNATIONAL TRANSFER

We are headquartered in the United States and may use service providers that operate in other countries. Your personal data may be transferred to the United States or other locations where privacy laws may not be as protective as those in your state, province, or country.

Please note that these countries and jurisdictions may not have the same data protection laws as your own jurisdiction. Regardless, we take reasonable steps to maintain adequate safeguards to enable transfer of personal data to the U.S. and other jurisdictions. If we transfer your personal data from the EEA and/or Switzerland to a country outside of it, we will apply additional safeguards as appropriate depending upon the legal mechanism(s) used to transfer your personal data.

For personal data subject to Swiss privacy laws, Geron transfers the personal data to the following countries:

  • U.S. (transfer mechanism: Swiss-U.S. Data Privacy Framework and EU Commission Approved Standard Contractual Clauses (where applicable))
  • United Kingdom (transfer mechanism: EU Commission Adequacy Decision)

If you have questions about the mechanism(s) upon which we rely for the transfer of your personal data, please contact us.

DATA PRIVACY FRAMEWORK

Geron complies with the (i) EU-U.S. Data Privacy Framework (EU-U.S. DPF), and (ii) the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) (collectively, the “Data Privacy Framework”) as set forth by the U.S. Department of Commerce. Geron has certified to the U.S. Department of Commerce that it adheres to (i) the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the EU in reliance on the EU-U.S. DPF, and (ii) to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF (collectively, the “DPF Principles”). If there is any conflict between the terms in this Privacy Policy (or the relevant applicable privacy notice that also addresses the Data Privacy Framework and is provided to individuals such as in the context of clinical trials in the informed consent forms or privacy notices to clinical trial staff (including investigators)) and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles shall govern. To learn more about the Data Privacy Framework, and to view our certification, please visit the Data Privacy Framework website.

With respect to personal data received or transferred pursuant to the Data Privacy Framework, the U.S. Federal Trade Commission has jurisdiction over Geron’s compliance with the Data Privacy Framework.

Geron may collect, use, and disclose categories of personal data received in reliance upon the Data Privacy Framework for the purposes as described in this Privacy Policy. The types of third parties to which Geron may share personal data received in reliance on the Data Privacy Framework and for which purposes are set out in the section of this Privacy Policy entitled “HOW WE USE AND DISCLOSE PERSONAL DATA.” If recipients to whom Geron has disclosed personal data in reliance upon the Data Privacy Framework process it in a manner that does not comply with the DPF Principles, Geron may be liable for such acts or omissions.

Depending upon the context in which Geron processes personal data received in reliance upon the Data Privacy Framework, relevant individuals may have rights to access personal data about them, and choices to limit the use and disclosure of their personal data. Please submit a written request to exercise your rights or choices to the contact information provided in this Privacy Policy (see the section entitled “CONTACT INFORMATION”). We may request specific information from you to confirm your identity in an effort to respond to your request.

Geron may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

In compliance with the Data Privacy Framework, Geron commits to resolve complaints about its collection or use of your personal data. EEA and Swiss individuals with inquiries or complaints regarding the handling of personal data received in reliance on the Data Privacy Framework should first submit inquiries to Geron as specified in the Contact Information of Data Controller section of this Privacy Policy.

In compliance with the Data Privacy Framework, Geron commits to refer unresolved complaints concerning our handling of personal data received in reliance on the Data Privacy Framework to JAMS, an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your complaint to your satisfaction, please visit https://www.jamsadr.com/eu-us-data-privacy-framework for more information or to file a complaint. The services of JAMS are provided at no cost to you.

In compliance with the UK Extension to the EU-U.S. DPF, Geron commits to cooperate and comply respectively with the advice of the UK Information Commissioner’s Office (ICO) with regard to unresolved complaints concerning our handling of human resources data received in reliance on the UK Extension to the EU-U.S. DPF in the context of the employment relationship.

Additionally, under certain conditions, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted. For more information on this option, please see the Data Privacy Framework website: Annex I.

CHANGES TO THIS POLICY

We may update this Privacy Policy to reflect changes to our data and personal data privacy practices. If we make any material changes to this Privacy Policy we will take appropriate steps to notify you of such changes. We encourage you to periodically review this page for the latest information on our privacy practices.

CONTACT INFORMATION

Geron Corporation is the controller of your personal data covered by this Privacy Policy. You can contact us at:

Geron Corporation
919 E. Hillsdale Blvd., Suite 250
Foster City, CA 94404
Attn: Legal Department

Data Protection Officer. You may contact our data protection officer at [email protected].

Data Protection Representative. You may contact our EU and UK Representative via email, webform or physical mailing address. The contact information for our data representatives in the UK, EU and Switzerland is as follows:

  • UK: DataRep, BPM 335368, 372 Old Street, EC1V 9AU, London, United Kingdom
  • EU: DataRep, The Cube, Monahan Road, Cork, T12 H1XY, Republic of Ireland
  • Switzerland: DataRep, Leutschenbachstrasse 95, ZURICH, 8050, Switzerland

Please refer to this document for additional information about our Representatives.

Last updated: November 26, 2025

© 2025 Geron Corp. All rights reserved.