Privacy Statement

Dated: January 27, 2023

Apellis Pharmaceuticals, Inc. and its subsidiaries (“we”, “us”, and “our”) recognize the importance of and are committed to respecting and protecting your privacy. This Privacy Statement applies to our collection and use of personal information through our websites (the “Site”) and through our offline business-related interactions with you.

Please read this Privacy Statement carefully in order to understand how we process personal information. If you do not agree with our use of your personal information as described in this Privacy Statement, please do not use the Site or otherwise provide personal information to us.

Because of our commitment to the protection of your personal information, we evaluate our privacy policies and procedures to implement improvements. If we make material changes to this Privacy Statement, we will notify you by means of a prominent notice on this Site.

Personal Information We Collect

Whose Personal Information We Collect

We collect personal information about the following types of individuals: clinical trial participants, patients, patient family members, caregivers or advocates, physicians and other health care professionals, clinical trial investigators, researchers, website users, job applicants, and other individuals who interact with us, our service providers or business partners.

How We Collect Personal Information

We collect personal information:

• Directly from individuals
• Through our Sites
• From healthcare professionals
• From contract research organizations and clinical trial investigators
• From individuals enrolled in clinical trials
• From government agencies or public records
• From third party service providers or business partners
• From industry and patient groups and associations
• From social media or other public forums (including adverse event information or product quality complaints)

Types of Personal Information We Collect

We may collect the following types of personal information:

Health and medical information, such as information about physical and mental health conditions and diagnoses, treatments for medical conditions, genetic information, family medical history, and medications an individual may take, including the dosage, timing, and frequency, that we collect in connection with managing clinical trials, conducting research, providing patient support programs, managing compassionate use and expanded access programs, and tracking adverse event reports;

Contact information (personal and business), such as name, job title and employer name, email address, mailing address, phone number, and emergency contact information;

Biographical and demographic information, such as age, date of birth, gender, marital status, ethnicity, and information regarding any parents or legal guardians;

Professional credentials, such as educational and professional history, institutional affiliations, and other information you include on a CV or resume;

Payment-related information, such as when we need to pay for professional services that individuals may provide to us, such as tax identification number and financial account information;

Engagement data, such as information about the programs and activities in which you have participated, your prescribing of our products, your use of our products and the agreements you have executed with us;

Digital information, such as your photograph, social media handle or digital or electronic signature;

Publicly available information, such as comments describing support for and experience with our products, and other information you publish on social media;

Correspondence and other information you provide to us, including in emails, on phone calls, and in market research surveys;

Data collected automatically by us, our service providers, and third-party partners, who may automatically log information about you, your computer or mobile devices, and your activity over time on the Sites and other online services, such as:

• Device data that is collected automatically (such as your IP address, your device’s operating system, your Internet service provider and location, browser type and language, your unique device ID (persistent/non-persistent), hardware type, medial access control address and the website you visited before browsing to our Sites); and
• Online activity data that is collected automatically (such as information about the Site content you access) and information about the date, time and duration of your visit to our Sites.

Profession and employment data of Job Applicants. When visiting the careers portion of our Sites, we collect the information that you provide to us in connection with your job application. This includes business and personal contact information, professional credentials and skills, educational and work history, and other information of the type that may be included in a resume. This may also include diversity information that you voluntarily provide.

How We Use Personal Information

We use personal information for the following purposes and as otherwise described in this Privacy Statement or at the time of collection:

To communicate with you, including to:

• Provide you with investor, media or other materials;
• Send you copies of our press releases or other information;
• Send you surveys or other marketing communications; and
• Respond to your comments, questions, and service-related requests.

To perform and administer clinical trials, research and product-improvement activities, including to:

• Staff and manage clinical trials, including by recruiting investigators and participants;
• Track and respond to safety and product quality concerns (including product recalls);
• Support public health initiatives, symposia, conferences, and scientific, educational, and volunteer events;
• Define and manage appropriate patient engagement activities, and patient support programs (including to provide co-pay and other financial assistance where available);
• Identify and engage thought leaders and external experts; and
• Attribute authorship to academic and promotional materials.

To provide payments, including to:

• Pay for services that physicians, researchers, and other individuals may provide to us.

For compliance, fraud prevention, and safety. We may also use personal information as we believe necessary or appropriate to:

• Comply with applicable laws, lawful requests, and legal process, such as to respond to subpoenas or requests from government authorities;
• Comply with regulatory monitoring and reporting obligations, such as those related to adverse events, safety, and financial disclosures;
• Protect our rights, privacy, safety or property, and/or that of you or others; and
• Protect, investigate and deter against fraudulent, harmful, unauthorized, unethical or illegal activity.

To facilitate our recruitment activities, including to:

• Process employment applications, such as by evaluating a job candidate for an employment activity, and monitoring recruitment statistics.

How We Share Personal Information

Affiliates. We may share personal information with our corporate parent, subsidiaries, and affiliates, for purposes consistent with this Privacy Statement.

Service providers. We may engage other companies and individuals to perform services on our behalf, including:

• Companies that analyze data and provide business support (such as data storage and technology services);
• Companies that support the quality and safety of our products;
• Event planning and travel organizations that help facilitate our programs and services;
• Companies that assist us in clinical research and development activities; and
• Companies that support us in marketing and commercializing our products.

These service providers may have access to personal information in connection with performing services on our behalf. These service providers may use your information only as directed by Apellis and in a manner consistent with this Privacy Statement, and are prohibited from using or disclosing your information for any other purpose.

Professional advisors. We may disclose personal information to professional advisors, such as lawyers, bankers, auditors, and insurers, where necessary in the course of the professional services that they render to us.

Research and business partners. We may also share personal information with healthcare professionals, researchers, institutions, academics, public health organizations, and publishers for purposes consistent with this Privacy Statement. We may disclose personal information to partners or collaborators in connection with the research and development of our products.

Compliance, fraud prevention and safety. We may share personal information for the compliance, fraud prevention, and safety purposes described above.

Business transfers. We may sell, transfer or otherwise share some or all of our business or assets, including personal information, in connection with a business transaction (or potential business transaction) such as a corporate divestiture, merger, consolidation, acquisition, reorganization or sale of assets, or in the event of bankruptcy or dissolution. In such a case, we will make reasonable efforts to require the recipient to honor this Privacy Statement.

Why We Process Personal Information

In this section, we identify the lawful ground we rely on for processing personal information.

Consent: If Apellis relies on consent for the processing of personal information, we will provide transparent notice of the purposes for which we seek such consent prior to the time we collect your personal information. Where Apellis relies on consent, you will be entitled to withdraw that consent at any time. If Apellis wishes to process any special categories of personal information, such as health data, Apellis will obtain your explicit consent for such processing.

Contractual Necessity: Apellis processes personal information to fulfill our contracts with our business partners and service providers, such as for rendering payment or communicating with health care professionals or consultants.

Legal Obligation: Apellis processes personal information as specifically required by applicable legal obligations, such as laws and regulations that require Apellis to process personal information for purposes of obtaining medical research approvals and spend transparency disclosures.

Public Interest: Apellis processes personal information for scientific or historical research purposes, or statistical purposes in the public interest, as authorized by applicable law. If Apellis wishes to process any special categories of personal information, it may do so when necessary for scientific research purposes, medical diagnosis, or the protection of vital interests.

Legitimate Interests: Apellis processes personal information subject to its own legitimate interests, such as to develop, administer and support Research; to operate, evaluate and improve our business; to facilitate and manage patient advocacy and engagement programs; to promote scholarly research; to support our recruitment activities; or to facilitate a sale of assets or merger or acquisition.

It may be also necessary for Apellis to process personal information to establish, exercise or defend against fraud, illegal activity, and claims and other liabilities, including by enforcing the Terms of Use that govern the services we provide.

Compatible Purposes: Apellis may also process personal information for purposes that are compatible with those described above. Such purposes may include scientific research.

Data Retention

We retain personal information for as long as is necessary to accomplish the purposes for which it was collected, unless a longer period is required under applicable law or is needed to resolve disputes or protect our legal rights.

The criteria used to determine the period for which personal information about you will be stored varies depending on the legal basis under which we process such personal information:

Consent: For the period of time necessary to fulfill the underlying agreement with you, subject to your right, under certain circumstances, to have certain personal information about you erased (see Your Rights above).

Contractual Necessity: For the duration of the contract plus some additional limited period of time that is necessary to comply with law or that represents the limitation period for legal claims that could arise from the contractual relationship.

Legal Obligation: For the duration of time we are legally obligated to keep the information.

Public Interest: For the period of time necessary to fulfill the purposes of the business process in the public interest and for any period of time that may be required to document the public interest.

Legitimate Interests: For a reasonable period of time based on the particular interest, taking into account the fundamental interests and the rights and freedoms of the data subjects.

We may face any threat of legal claim and in that case, we may need to apply a “legal hold” that retains information beyond our typical retention period. In that case, we will retain the information until the hold is removed, which typically means the claim or threat of claim has been resolved.

International Data Transfers

Apellis uses servers and other storage facilities in the United States and EU. Apellis may transfer personal information outside of its country of origin for the purposes, and in the manner, set out in this privacy statement, including for processing and storage by service providers and affiliates in connection with such purposes. In all situations, Apellis takes reasonable steps to ensure that your privacy is protected. Such steps include, but are not limited to, implementing privacy, security, and contractual controls, as well as steps noted in this privacy statement, as required by applicable law.

Apellis endeavors to obtain assurances from its service providers and affiliates that they will safeguard personal information consistent with this privacy statement. An example of appropriate assurances that may be provided by service providers and affiliates includes a contractual obligation that they provide at least the same level of protection as is required by Apellis’ privacy principles set out in this privacy statement. Where Apellis has knowledge that a service provider or affiliate is using or disclosing personal information in a manner contrary to this privacy statement, Apellis will take appropriate steps to prevent or stop the use or disclosure.

Security of Your Personal Information

The security of your personal information is important to us. We take reasonable steps, including technical, administrative and physical safeguards, designed to protect the personal information submitted to us from loss, misuse and unauthorized access, disclosure, alteration and destruction. However, no method of security or method of transmission over the Internet is entirely secure. You should always use caution when transmitting personal information over the Internet.

Cookies and Other Similar Technologies

What is a Cookie?

A cookie is a text file containing small amounts of information stored on your computer’s hard drive when you visit a webpage. Session cookies are erased when the user closes the web browser or browser tab. Persistent cookies remain on your hard drive until they expire or are deleted. Cookies will also be set by third parties operating on our behalf (e.g., to help us analyze web traffic or to improve your web navigation experience).

Types of cookies we use

We use the following types of cookies on our Website to help us analyze web traffic, to improve your web experience:

• Strictly necessary cookies, which are essential in order to enable you to move around the website and use its features.
• Performance cookies, which collect information about how you use the website, for instance which pages you visit most often.
• Functionality cookies, which allow the website to remember choices you make (e.g. remembering your user name, language or the region you are in) and provide enhanced, more personal features.

Google Analytics

We use Google Analytics, a web analytics service provided by Google, Inc. (“Google”), to collect information about how our visitors use and navigate our site. Google Analytics uses “cookies”, which are text files placed on your computer, to help the website analyze how users use the site. We use this information to report and analyse the usage of the site to improve the usage of the homepage for visitors. The information generated by the cookie about your use of the website (including your IP address) will be transmitted to and stored by Google on servers in the United States. Google will use this information to evaluate your use of the website, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google’s behalf. Google will not associate your IP address with any other data held by Google. You may refuse the use of cookies by selecting the appropriate settings on your browser.

However, please note that if you do this you may not be able to use the full functionality of this website. By using this website, you consent to the processing of data about you by Google in the manner and for the purposes set out above.

For more details on how Google processes your data, please visit Google’s Privacy policy.

Google Analytics collects information anonymously. However, you can opt-out of being tracked by Google Analytics across all websites you use by installing the Google Analytics Opt-out Browser Add-on. To opt-out of being tracked by Google Analytics across all websites visit https://tools.google.com/dlpage/gaoptout (compatible with Chrome, Internet Explorer 8–11, Safari, Firefox and Opera)

How to accept, control and delete our cookies

Some cookies are strictly necessary for the correct functioning of this website and do not require user’s consent, such as those ensuring that the content of a page loads quickly and effectively by distributing the workload across numerous computers or else those providing security.

Other cookies are still reasonably necessary or important, but they are not strictly essential and, therefore, require user’s consent. For these cookies (i.e. performance and functionality), we request your consent (by the “accept all” button in our cookie banner or through your browser cookie settings) before placing them on your device.

If you do not wish to give consent or wish to withdraw your consent to any non-essential cookies at any time, you will need to delete and block or disable cookies via your browser settings. These settings are usually found in the ‘options’ or ‘preferences’ menu of your internet browser. Otherwise, you should use the ‘help’ option in your internet browser for more details or you can click on one of the links below to go directly to the user manual for your browser:

• Mozilla Firefox
• Google Chrome
• Safari
• Opera
• Internet Explorer

To opt-out of Google Analytics, go to https://tools.google.com/dlpage/gaoptout

Please note that disabling or blocking some or all the categories of cookies will affect the functionality of the website and may impact your access and experience with our website and the services we can offer.

Any of your cookies preferences are limited to this website only and not to other third-party-owned websites or any other web pages, which may be hyperlinked to this website. For more information on cookies used by those websites, please refer to the specific privacy notice or cookie policy of those websites.

Children’s Privacy

Our Site is not directed to, and we do not intend to or knowingly collect personal information online from, children under the age of majority in the countries where the Site is accessed and used without appropriate consent. If you are under the age of majority in your country, do not provide us with any personal information either directly or by other means. If you learn that a child has accessed or used the Site without parental permission, please contact us as set forth in the Contact Us section below.

Links to Third-Party Services

We may provide links to other websites, services, and applications that are not operated or controlled by us (“Third-Party Services”). This privacy statement does not apply to the Third-Party Services. We encourage you to review and understand the privacy practices of any Third-Party Services before providing any information to or through them. Your interactions with these features are governed by the privacy policy of the Third-Party Service that provides the feature.

US State Supplemental Privacy Notice to Residents of California, Colorado, Connecticut, Virginia, and Utah

If you are a resident of California, Colorado, Connecticut, Virginia, or Utah, this notice applies to you and supplements Apellis’s Website Privacy Statement. This notice is intended to provide certain information to you as required by the California Consumer Privacy Act of 2018, as amended (“CCPA”), the Colorado Privacy Act of 2021 (the “CPA”), the Virginia Consumer Data Protection Act of 2021 (the “VCDPA”), the Utah Consumer Privacy Act of 2022 (the “UCPA”), and the Connecticut Data Privacy Act of 2022 (“CDPA”).

Categories of Personal Information We Collect, and How We Use and Share that Information

The section, above, entitled “Personal Information We Collect” outlines the categories of personal information we may have collected during the 12-month period prior to the effective date of this Privacy Statement as well as how we use and share that information.

Sensitive Personal Information

When we collect medical information or financial details, we are deemed to be collecting data that is “sensitive” under state privacy laws. Where legally required, we will obtain your consent to collect this information. For our California users, we do not use or disclose sensitive personal information for any purpose other than as permitted by law, such as to provide our Service to you, to detect security incidents, and protect against malicious or fraudulent actions, nor do we use or disclose such information to build a profile about you.

Your rights

Subject to certain limitations, you have the following rights with respect to the personal information that we collect about you:

1. Right to Know
   You have the right to request that we disclose certain information to you about our collection of your personal information. Upon our receipt of your verified request, we will provide you with:

• The categories of personal information we have collected about you.
• The categories of sources from which we have collected your personal information.
• Our business or commercial purpose for collecting your personal information.
• The categories of third parties with whom we have shared your personal information.
• The specific pieces of personal information we have collected about you.You have the right to request that we disclose certain information to you about our disclosures and sales of your personal information; however, Apellis does not sell personal information. Upon our receipt of your verified request, we will provide you with:

• The categories of personal information we have collected about you; and
• The categories of personal information that we disclosed about you for a business purpose.

2. Right to Opt-Out of Targeted Advertising or Sale
   You have the right to opt-out of the sale of your personal information; however, Apellis does not sell Personal Information.

3. Right to Delete
   You have the right at any time to request that we delete your personal information.

4. Right to Correct
   You can ask us to correct inaccurate personal information that we have about you.

5. Right to Nondiscrimination
   We will not discriminate against you for exercising your rights. This generally means we will not deny you goods or services, charge different prices or rates, provide a different level of service or quality of goods, or suggest that you might receive a different price or level of quality for goods.

To request access to or deletion of personal information:

• email privacy@apellis.com

Depending on the nature of your request, we may have to verify your identity when you contact us. We do this by attempting to match the identifying information that you provide to the personal information maintained by Apellis, if any.

We endeavor to respond to your request as soon as we can. If we are not able to respond to your request within 45 days, we will let you know that we may require additional time (up to 90 total days).

You may also use an authorized agent to exercise your rights on your behalf. If you wish to use an authorized agent, we require that your authorized agent provides written proof to us that they are authorized to act on your behalf, and we may also require your authorized agent to verify their own identity.

Appeals

Residents of Colorado, Connecticut, and Virginia can appeal a refusal to take action on a request by contacting us by email at privacy@apellis.com.

Updates to our Privacy Statement

Apellis is continually improving and adding new functionality and features to the Site. Because of these ongoing improvements, changes in the law and the changing nature of technology, Apellis’ data practices will change from time to time. Accordingly, this Privacy Statement is subject to occasional revisions. We will notify you of changes by posting the new Privacy Statement on the Sites and updating the effective date of the Privacy Statement. Such changes to the Privacy Statement will become effective when posted. You acknowledge and agree that it is your responsibility to review this Privacy Statement periodically and become aware of modifications.

The updated Privacy Statement will be effective as of the “Effective Date” date listed at the top of the Privacy Statement.

Contact Information

If you have any questions about this Privacy Statement or concerns about the way Apellis processes your personal information, or require assistance in managing your privacy choices, please get in touch with us at:

Apellis Pharmaceuticals, Inc.
Privacy Office
100 Fifth Ave. Waltham MA 02145, U.S.
Email: privacy@apellis.com

For purposes of European data protection laws, Apellis Pharmaceuticals, Inc. is the data controller: i.e., the company responsible for controlling the processing of personal information covered by this Privacy Statement. Apellis’ Data Protection Officer can be reached at privacy@apellis.com.

Identity verification. The CCPA requires us to verify the identity of the individual submitting a request to access or delete personal information before providing a substantive response to the request.

Authorized agents. California residents can empower an “authorized agent” to submit requests on their behalf. We will require the authorized agent to have a written authorization confirming that authority.

EU Supplement

For individuals in the European Economic Area or Switzerland, then this Supplement may apply in addition to the above.

Transfers of your personal information may be made to entities located outside the European Economic Area, including entities located in the United States, for processing consistent with the purposes above. Apellis will implement appropriate contractual measures to ensure that the relevant Apellis companies and third parties outside the European Economic Area provide an adequate level of protection to your personal information as set out in this privacy statement and as required by applicable law.

For the processing of personal information relating to the European Economic Area, Apellis has assigned a data protection officer responsible for overseeing our compliance with EU data protection law, whom you may contact at privacy@apellis.com in case of any questions or concerns regarding the processing of your personal information.

If Apellis’ processing of your Personal Information is covered by EU law, you may also lodge a complaint with the corresponding data protection supervisory authority in your country of residence. You can find the relevant supervisory authority name and contact details under https://edpb.europa.eu/about-edpb/about-edpb/members_en.