Last Updated: April 7, 2026

This Privacy Policy sets forth the practices of Viridian Therapeutics, Inc. (“Viridian”, “we”, or “us”) regarding the collection, use, disclosure and other processing of information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a natural person or household, such as a name, postal address, e-mail address, telephone number (“Personal Information”), that you may provide or we may otherwise collect and process in the following circumstances:

When you visit the Viridian website, www.viridiantherapeutics.com (the “Website”) or any other online service that links to this Privacy Policy.
If you enroll or participate in our patient engagement activities and/or patient services programs.
When you visit our offices or attend a Viridian event, contact us, or otherwise interact with us.
In any other situation in which this Privacy Policy is provided to you.

Please note that Personal Information does not include aggregated information that is maintained in a form that is not reasonably capable of being associated with or linked to an individual. Viridian may create anonymized or aggregated data and use it for legitimate purposes (e.g. to improve products or research), ensuring it contains no identifiable information.

The Privacy Policy also describes your privacy rights in connection with Personal Information we collect about you, including the rights of residents of California, Connecticut, Texas and Nebraska and individuals located in the European Economic Area (“EEA”) or the United Kingdom (“UK”). For purposes of EEA and UK data protection laws, we are the controller of Personal Information processed in the context of this Privacy Policy.

This Privacy Policy does not apply to the personal information we collect from healthcare professionals. Click here to see our Privacy Notice for Healthcare Professionals.

By accessing the Website, you agree to our Terms of Use, including the collection and use of your Personal Information as described in this Privacy Policy.

Click here to see our separate Consumer Health Data Privacy Notices applicable to residents of Nevada and Washington state.

Click here to see our separate Mobile Text Message Terms and Conditions.

Notice at Collection: Personal Information We Collect

We collect the following categories of Personal Information:

Personal identifiers: name, date of birth, gender, email address, postal address, telephone number, (electronic) signatures.
Government identifiers: government-issued identification numbers (e.g., national ID or Social Security number)*.
Financial and reimbursement information: payment and account details (e.g., bank account information) *, insurance information (e.g., health insurer and policy number), and other financial information needed for reimbursement or compensation.
Medical information: self-reported medical conditions or diagnoses (e.g., provided via patient services programs)*.
Internet and other electronic activity information: device and browser type and version, operating system, IP address, and information about your use and interaction with our Website.
Publicly available information: such as content you post on public forums or social media, photographs, or other information about you available from public websites or public records.
Audio/visual information: audio recordings of calls with patients, voicemail messages, photographs or video footage at our events or on our premises, including security camera images.
Inferences generated from the above categories of Personal Information (for example, profiles or preferences inferred about you), which may include sensitive information or inferences.

Categories of Personal Information above marked with an asterisk (*) represent sensitive data categories.

Notice at Collection: Purposes for Collection of Personal Information / How We Use Your Personal Information

Set out below is a description of why we collect and how we use your Personal Information (“Processing Purposes”), and, for individuals located in the EEA or the UK, the legal bases we rely on for each processing activity.

Categories of Personal Information	Processing Purposes	Legal Basis (where you are in the EEA or the UK)
Personal identifiers; Internet and other electronic activity information	To provide you with information about Viridian: to send news and notify you about updates to our Website, products and/or the services.	For service-related communications: To pursue our legitimate interests to operate our business, and to manage and administer our relationship with you. For direct marketing communications: With your consent (to the extent required by applicable law) or otherwise, to pursue our legitimate interests to promote our products and services. You can stop receiving promotional email communications from us by clicking on the “unsubscribe” link provided in such communications. You may not opt-out of service-related communications (e.g., updates to features of the Website, technical and security notices).
Personal identifiers; Medical information; Internet and other electronic activity information.	Direct advertising: to provide you with information about the services and products we provide.	With your consent (to the extent required by applicable law) or otherwise, to pursue our legitimate interests to promote our products and services.
Personal identifiers; Internet and other electronic activity information.	Personalization: to administer, analyze, improve and personalize our Website (including, testing, troubleshooting and research) to enhance your user experience.	To pursue our legitimate interests to to improve and personalize our Website, products, and services.
Personal identifiers; Internet and other electronic activity information	Network and Information Security: to ensure the security of our systems and Website, including monitoring access to prevent cyber-attacks, unauthorized use, fraud or other crime, and to protect Personal Information.	To pursue our legitimate interests to ensure our systems and Website are secure and proper use of our systems and Website in compliance with our Terms of Use.
Personal identifiers; Professional information	Facilitate events and programs for attendees: handling event registrations, travel arrangements, and follow-up communications for attendees of our scientific or patient-support events.	To pursue our legitimate interests to operate our business and to manage and administer our relationships with you in a professional capacity.
Personal identifiers; Professional information	Stakeholder engagement: to interact and collaborate with patient advocacy organizations, industry groups, and other public stakeholders (for example, coordinating joint initiatives or programs with such organizations and maintaining our relationships with them).	To pursue our legitimate interests to engage with and support the broader healthcare and patient community as part of our mission.
Personal identifiers; Medical information	Patient services program administration: to operate and provide our patient services programs and patient engagement initiatives, including offering services, resources, and communications in support of patients.	To pursue our legitimate interests to support patients and improve patient outcomes as part of our business objectives. With your consent (to the extent required by applicable law).
Personal identifiers; Financial and reimbursement information; Medical information	Processing patient services enrolment forms: to support patients in the U.S. with reimbursement or support for prescribed medications.	N/A – U.S. only
Personal identifiers	Visiting: to provide you with access to our facilities and to our Wi-Fi networks when you visit us.	To pursue our legitimate interests to operate our business and manage our relationship with you by enabling facility access. We may also request your consent prior to granting you access to our facilities or Wi-Fi, where required.
Personal identifiers	Transactions: To enable any due diligence and other appraisals or evaluations for any actual or proposed merger, acquisition, financing transaction or joint venture contemplated by Viridian.	To pursue our legitimate interests to efficiently administer and prepare for the management of our business affairs.
Personal identifiers; Professional information; Medical information	Adverse event and product complaint reporting: to monitor the safety and quality of our products, including documenting and reporting adverse events, side effects, or product quality complaints to regulatory authorities, and to address and follow up on such issues.	To comply with our legal obligations (e.g., pharmacovigilance, product safety, and other drug safety reporting requirements).
Personal identifiers; Internet and other electronic activity information.	Legal Claims and Proceedings: to defend and enforce our rights (for example, in the context of legal claims, lawsuits, or regulatory investigations involving Viridian), and to manage regulatory matters, investigations, data breaches, or data subject requests.	To comply with our legal obligations (e.g., our legal duties in litigation, investigations, and responding to data subject rights). In such cases, if you do not provide this Personal Information when requested, we may not be able to comply with our legal obligations and we may have to terminate our relationship with you. To pursue our legitimate interests to enforce or defend our rights and interests. As necessary.

If you are in the EEA or the UK, you have a right to object to the processing of your Personal Information where that processing is carried out for our legitimate interests. Please note, however, that we may not be able to fulfill such requests in all instances.

Notice at Collection: Categories of Personal Information We Sell or Share or Use for Targeted Advertising

When we engage in digital advertising in the United States, we may sell the following categories of Personal Information (according to the broad definition of “sell” under select state privacy laws), share them for purposes of cross-context behavioural advertising, or use them for targeted advertising: personal identifiers (including IP address, mobile advertising IDs), medical information, and internet or other electronic activity information.

These categories of Personal Information are sold to or shared for cross-context behavioural advertising or targeted advertising with advertising networks, data brokers and other companies that facilitate or engage in digital advertising. We engage in such sales and sharing to facilitate personalized advertising, including to advise you about new treatment options and other products and services. We do so by allowing third parties to place cookies or other tracking technologies on our Websites and in our advertisements which may collect information about your interactions with our Websites, advertisements, and your online activities over time and across different websites or applications. Please note that in some jurisdictions in which we operate, we do not engage in these practices. For more information about the use of cookies and other tracking technologies, see the Cookies and Other Technologies section below.

To opt out of such sales and sharing and the use of your Personal Information for targeted advertising, click here.

We do not sell or share for cross-context behavioural advertising or use for targeted advertising any of the other categories of Personal Information we collect.

Notice at Collection: Retention Periods

We retain the categories of Personal Information we collect for as long as we need for a legitimate business purpose. The criteria used to determine the retention periods include: (i) how long the Personal Information is needed to provide the Services and operate the business; (ii) the type of Personal Information collected; and (iii) whether we are subject to a legal, contractual or similar obligation to retain the Personal Information (e.g., mandatory data retention laws, government orders to preserve data relevant to an investigation, or data that must be retained for the purposes of litigation or disputes).

Sources From Which We Collect Personal Information

We may collect your Personal Information directly from you e.g., through the Website or your interactions with us. We may also obtain your Personal Information from third parties and publicly available sources. This includes, for example, information from:

HCPs or partners (including reports of adverse events or product complaints).
Industry and patient groups or associations (such as event organizers or advocacy organizations).
Public records or government agencies.
Other third-party sources like service providers, data brokers, ad networks and social media providers, data aggregators, and business partners with whom we work

Cookies and Other Technologies

We use “cookies” and other similar technologies, some of which are essential for our Website to function. Cookies are small, sometimes encrypted, text files that are stored on computer hard drives by websites that you visit. They are used to help users navigate websites efficiently as well as to provide information to the owner of the website, and for digital advertising.

If you are in the EEA or the UK, we will only use non-essential cookies if you provide your opt-in consent through our cookie banner or preference tool. For information on the cookies that we use on the Website and the purposes for which we use them in the EEA or the UK, please see our Cookie Policy.

We use Google Analytics to evaluate the use and performance of our Website (in some jurisdictions, only with your consent). Google Analytics uses cookies and other identifiers to collect information, such as how often users visit a website, what webpages they visit on a website, and what other websites they visited prior to visiting a website. To learn more about how Google Analytics collects Personal Information, please see Google’s Privacy Policy.

No Profiling to Facilitate Decisions with Legal or Other Significant Effects

We do not engage in the automated processing of Personal Information to create profiles about individuals that are used in furtherance of decisions with legal or other similarly significant effects, such as the provision or denial of medical services; financial or lending services, housing, insurance, or access to essential goods or services.

Disclosure of Your Personal Information for Business Purposes – Categories of Personal Information

We have disclosed the following categories of Personal Information to service providers and data processors for a business purpose:

Personal identifiers: Name, email address, home address, telephone numbers, gender, IP address

Government identifiers: government-issued identification numbers

Financial and reimbursement information: payment and account details, insurance information (health insurer and policy number), and other financial information needed for reimbursement or compensation

Medical information: self-reported medical conditions or diagnoses

Internet and other electronic activity information: Device and browser type and version, operating system; your use and interaction with our Websites.

Inferences

Disclosure of Your Personal Information for Business Purposes – Purposes for Disclosure

We may disclose or make available Personal Information to service providers or data processors for the following business purposes: to facilitate email communications; manage contacts; manage our Websites, operate our IT systems and secure our systems; operate our patient services and patient engagement programs; prevent fraud and other illegal activities; for marketing and analytics. We also permit our service providers to have access to certain types of Personal Information to provide patient services programs and patient engagement initiatives patient support and patient access services and for analytics.

We may also disclose or provide your Personal Information if we believe in good faith that such disclosure is necessary to (a) comply with relevant laws or to respond to a court order, regulatory request, or other legal process or similar legal process or government request; (b) to enforce any agreement we may have entered into with you and to enforce the Privacy Policy; (c) to protect and defend the rights or property of us, other users of our Website, or third parties, including to law enforcement agencies, and judicial and regulatory authorities; and (d) in the event of an actual or potential sale, merger, reorganization of our entity or other restructuring.

International Transfers of Personal Information

All Personal Information collected may be processed in the U.S. Where we disclose Personal Information originating in the EEA/UK to a third party (e.g., a service provider) located outside of the EEA/UK we will as deemed necessary, enter into an appropriate data transfer agreement (e.g., the EU Standard Contractual Clauses and, for the UK, the International Data Transfer Agreement or UK Addendum to the Standard Contractual Clauses) with that third party, seek to rely on the third party’s Binding Corporate Rules, or otherwise make the transfer in reliance on a derogation under EEA/UK data protection laws (e.g., where the transfer is necessary for the defense of legal claims). If you would like further information in relation to, or a copy of, the relevant safeguards, you can contact us using the details set out below.

Links to Third Party Websites

Our Website may contain social media buttons or links to third-party websites, which may have privacy policies that differ from our own. We are not responsible for the activities and practices that take place on those social media platforms or third-party websites.

Consequences of not Providing Personal Information

Where we require your Personal Information to comply with our legal or contractual obligations, failure to provide this Personal Information could mean we may not be able to comply with our legal obligations and we may have to terminate our relationship with you.

Personal Information of Children

We do not intentionally or knowingly collect or maintain information from persons under the age of 16. If you are under the age of 16, you should not use this Website or submit any Personal Information to us (including via this Website). Please contact us at privacy@nullviridiantherapeutics.com if you believe that any Personal Information has been submitted to us without parental or guardian consent.

Security and Confidentiality

Viridian is committed to protecting the security and privacy of your information stored by implementing standard security safeguards. However, no company, including Viridian, can fully eliminate security risks associated with Personal Information. Thus, while Viridian uses reasonable efforts to protect your Personal Information, we cannot guarantee its absolute security.

Your Data Privacy Rights

1. EEA/UK Data Privacy Rights

If you are in the EEA or the UK, you have the following data privacy rights which may be subject to certain limitations / restrictions:

The right to request access to your Personal Information.
The right to request that your Personal Information be corrected or deleted.
The right to request that we restrict our processing of your Personal Information.
The right to object to the processing of your Personal Information where it is carried out (i) for our legitimate interests – unless we can demonstrate compelling legitimate grounds for the processing; and/or (ii) for direct marketing purposes.
The right to withdraw consent to the processing of your Personal Information.
The right to request that Personal Information be provided to you or a third party in a machine-readable format.

Please contact us using the details set out below in case you wish to exercise any of the above rights.

You also have the right to file a complaint with the competent data protection authority if you have any reason to believe we have not properly handled your Personal Information or have not respected your rights.

2. US State Data Privacy Rights

We provide residents of the following states with rights under their state’s privacy law with respect to the Personal Information we may collect about them: California, Connecticut (with respect to health data), Texas, and Nebraska. The rights provided under these various state laws are similar in many respects, with some differences from state to state. We list below the rights that may be available under applicable state data privacy laws.

Right to Know: The right to confirm whether we are processing a resident’s Personal Information and to access such data.

California’s privacy law gives residents the right to request the following additional information collected since January 1, 2022: Categories of Personal Information we have collected about them; categories of sources from which such Personal Information was collected; categories of Personal Information that the business sold or disclosed for a business purpose about the consumer; categories of third parties to whom the Personal Information was sold or disclosed for a business purpose; and the business or commercial purpose for collecting or selling your Personal Information.

Right to Access / Copy: The right to access or request a copy of the Personal Information we have collected from the resident, subject to certain exceptions.

Right to Delete: The right to request deletion of their Personal Information that we have collected from or about the resident and to have such information deleted, subject to certain exceptions.

Right to Correct: The right to request that we correct inaccuracies in the resident’s Personal Information, taking into account the nature of personal data and purposes of processing such information.

Rights to Opt Out: Various rights to request that we stop using the resident’s Personal Information for one or more of the following purposes:

Sale of Personal Information: The right to request that we stop selling f their Personal Information, consistent with the definition of “sale” in each law.
Targeted Advertising: The right to request that we stop processing their Personal Information for targeted advertising, subject to exceptions in some state laws.
Sharing for Cross-Context Behavioural Advertising: California’s law provides the right to request that we stop sharing Personal Information for cross-context behavioural advertising.

Please note, California’s law is the only law that applies to all state residents, irrespective of the context in which they interact with us (e.g., a customer, a business contact, a vendor). Laws in other states apply only to people when acting in an individual or household context.

Consumer Rights Under U.S. State Consumer Health Data Privacy Laws

We have a separate Consumer Health Data Privacy Notice that relates to rights provided under consumer health data privacy laws in Nevada and Washington state to residents of those states acting in an individual or household context with respect to their consumer health data. Washington’s law may also apply to individuals whose consumer health data is processed in that state. You can access our Consumer Health Data Privacy Notices here.

California Shine the Light

With reference to California Civil Code Section 1798.83, also known as the “Shine the Light” law, we allow California residents to opt out of the disclosure of Personal Information to third parties for those third parties’ direct marketing purposes. To exercise that opt-out option, please click here.

Exercising Your Rights and How We Will Respond

We will respond to requests from residents of states with data privacy laws that apply to us and will do so with respect to the rights that are provided under the requestor’s state law as of the effective date of that law.

To exercise rights to know, access/copy, delete, correct, or to ask a question, email us at privacy@nullviridiantherapeutics.com or use the contact details set out at the end of this Privacy Policy.

To exercise opt-out rights, you or your agent may submit your request here.

Opt-out Preference Signals and Do Not Track

An opt-out preference signal is sent by a platform, technology, or mechanism on behalf of consumers and communicates a consumer’s choice to opt out of the sale and sharing of Personal Information for cross-context behavioral advertising with all businesses that recognize the signal, without having to make individualized requests. The signal can be set on certain browsers or through opt-out plug-in tools.

We recognize the Global Privacy Control signal for IP addresses from California, Nebraska and Texas and do so at the browser level; it does not apply to Personal Information we may collect offline or that we may associate only with your name or email address. If you would like more information about opt-out preference signals, including how to use them, the Global Privacy Control website has such information (https://globalprivacycontrol.org/).

We do not respond to the DNT or “Do Not Track” signal.

Verification of Identity – Access, Deletion or Correction Requests

We will ask you for identifying information and attempt to match it to information that we maintain about you. If we are unable to verify your identity with the degree of certainty required, we will not be able to respond to your request. We will notify you to explain the basis of the denial.

Exercising Your Rights Using Authorized Agents

Agents may submit opt-out requests on behalf of individuals under several state data privacy laws; this is not an option that is available under Texas law. California residents can designate an agent to submit all other types of requests. If the agent submits an opt-out request on your behalf, the agent will need to provide us with your signed permission indicating the agent has been authorized to submit the opt-out request on your behalf. Agents can submit opt-out requests here.

If you are a California resident and you use an agent to submit other types of requests, the agent will need to provide us with your signed permission indicating the agent has been authorized to submit the request on your behalf. You will also be required to verify your identity directly with us or confirm with us that you provided the agent with permission to submit the request. Agents can submit requests on behalf of California residents (other than opt-out requests) by emailing privacy@nullviridiantherapeutics.com.

Please note that this subsection does not apply when an agent is authorized to act on your behalf pursuant to a valid power of attorney. Any such requests will be processed in accordance with state law pertaining to powers of attorney.

Non-Discrimination

If you exercise any of the rights explained in this Privacy Policy, we will continue to treat you fairly.

Changes to Our Privacy Policy

Viridian reserves the right to make additions, deletions or modifications to this Privacy Policy from time to time. If we make any material changes in the way we use or share your Personal Information, we will notify you by posting a notice on our Website prior to the change becoming effective. We encourage you to refer to this Privacy Policy on an ongoing basis, so you understand our current privacy practices.

Contact Us

Please contact us at privacy@nullviridiantherapeutics.com or the address or phone number provided below if you have any questions about this Privacy Policy, including requests relating to exercising any of your data privacy rights.

Viridian Therapeutics, Inc.
Attn: Data Protection Officer
221 Crescent Street
Suite 103A
Waltham, MA 02453

T: +1 617 272 4600

Please note that communications to this email address will not constitute legal notice to us or any of our officers, employees, agents or representatives in any situation where notice to us is required by contract or any law or regulation.

Data Protection Representative: GDPR-DataRep@nullviridiantherapeutics.com