Privacy Notice

Effective as of May 21, 2026

This Privacy Notice (“Notice”) describes what personally identifiable information (“Personal Data”) MapLight Therapeutics, Inc. (“MapLight,” “we”, “us”, “our”) collects, how we use it, who we disclose it to and why, the measures we take to protect your Personal Data, and what privacy rights you may have under applicable data protection and privacy laws. We take the protection of Personal Data very seriously.

Accordion Content

This Notice describes how MapLight handles Personal Data that we receive:

  • through our website and any other digital properties that link to this Notice (collectively, the “Site”);
  • through social media, our marketing activities, our live events and other promotional activities;
  • from our service providers in connection with performance of a contract; or
  • from our business partners, and any other party that we engage for the purposes of establishing, developing, maintaining, facilitating, managing, or otherwise furthering a business relationship.

MapLight may provide additional or supplemental privacy notices to individuals for the specific purpose of processing Personal Data at the time we collect such Personal Data.

This Notice does not apply to:

  • any Personal Data processed in connection with our clinical trials which is governed by our Clinical Trial Privacy Notice;
  • Personal Data of job applicants, employees, contractors, directors, officers, and other staff of MapLight; or
  • to information that does not constitute Personal Data.

If we do not maintain information in a manner that identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular individual or household, such information is not considered Personal Data.  This Notice will not apply to our processing of that information.

Within the scope of this Notice, MapLight generally acts as a data controller for the Personal Data processed. This means that we alone determine the purpose and means of the processing of your Personal Data.

Personal Data you provide to us. Personal Data you may provide to us through the Site or otherwise includes:

  • Contact data, such as your first and last name, salutation, email address, billing and mailing address, professional title and company name, and phone number.
  • Communications that we exchange with you, including when you contact us through the Site, email, social media, or otherwise, including the contents of messages you may send us.
  • Marketing data, such as your preferences for receiving our marketing communications and details about your engagement with them.
  • Other data not specifically listed here, which we will use as described in this Notice or as otherwise disclosed at the time of collection.

Third-party sources. We may combine Personal Data we receive from you with Personal Data we obtain from other sources, such as:

  • Public sources, such as government agencies, public records, social media platforms, and other publicly available sources.
  • Service providers and Business partners, such as joint marketing partners and event cosponsors.

Device and online activity data collection.  We, our service providers, and our business partners may log information about you, your computer or mobile device, and your interaction over time with the Site, our communications, and other online services, such as:

  • Device data, such as your computer’s or mobile device’s operating system type and version, manufacturer and model, browser type, screen resolution, RAM and disk size, CPU usage, device type (e.g., phone, tablet), IP address, unique identifiers, language settings, mobile device carrier, radio/network information (e.g., Wi-Fi, LTE, 3G).
  • Online activity data, such as pages or screens you viewed, how long you spent on a page or screen, the website you visited before browsing to the Site, navigation paths between pages or screens, information about your activity on a page or screen, access times and duration of access.
  • Location data when you authorize the Site to access your device’s location.

Some of the data collection from devices and online activity described in the “Categories of Personal Data” section, above, is facilitated by the following technologies:

  • Cookies, which are small text files that websites store on user devices and that allow web servers to record users’ web browsing activities and remember their submissions, preferences, and login status as they navigate a site. Cookies used on our sites include both “session cookies” that are deleted when a session ends, “persistent cookies” that remain longer, “first party” cookies that we place and “third party” cookies that our third-party business partners and service providers place.
  • Local storage technologies, like HTML5, that provide cookie-equivalent functionality but can store larger amounts of data on your device outside of your browser in connection with specific applications.
  • Web beacons, also known as pixel tags or clear GIFs, which are used to demonstrate that a webpage or email was accessed or opened, or that certain content was viewed or clicked.

For more information about our use of tracking technologies, please see the Cookie Notice, a link to which is located in the footer of our website.

We may use your Personal Data for the following purposes or as otherwise described at the time of collection:

Site delivery.  We may use your Personal Data to:

  • provide, operate and improve the Site and our business;
  • communicate with you about the Site and our business, including by sending announcements, updates, security alerts, and support and administrative messages;
  • understand your needs and interests, and personalize your experience with the Site and our communications; and
  • provide support for the Site, and respond to your requests, questions and feedback.

Research and development.  We may use your Personal Data for research and development purposes, including to analyze and improve the Site and our business.

Marketing and advertising.  With your consent, we, our service providers and our third-party advertising partners may collect and use your Personal Data for marketing and advertising purposes:

  • Interest-based advertising. Our third-party advertising partners may use cookies and similar technologies to collect information about your interaction (including the data described in the device and online data collection section above) with the Site, our communications and other online services over time, and use that information to serve online ads that they think will interest you.  This is called interest-based advertising. You can learn more about your choices for limiting interest-based advertising in the “Your Privacy Rights” section below.

Compliance and protection.  We may use your Personal Data to:

  • comply with applicable laws, lawful requests, and legal process, such as to respond to subpoenas or requests from government authorities;
  • respond to a request from or communication by you regarding your Personal Data processed by us, including your rights regarding your Personal Data under applicable laws;
  • protect our, your or others’ rights, privacy, safety or property (including by making and defending legal claims);
  • audit our internal processes for compliance with legal and contractual requirements or our internal policies;
  • enforce the terms and conditions that govern the Site; and
  • prevent, identify, investigate and deter fraudulent, harmful, unauthorized, unethical or illegal activity, including cyberattacks and identity theft.

Contract performance. We may receive Personal Data of individuals working with our service providers or business partners:

  • in connection with performance of a contract;
  • to provide you with information you request from us;
  • to respond to your requests or questions regarding our business operations; and
  • to communicate with you.

Creating anonymous, aggregated or de-identified data.  We may create anonymous, aggregated or de-identified data from your Personal Data and other individuals whose Personal Data we process.  We may use this anonymous, aggregated or de-identified data and share it with third parties for our lawful business purposes, including to analyze and improve the Site and promote our business.

We may process your Personal Data on the basis of:

  • Consent: We process Personal Data based on your consent;
  • Contract: We process Personal Data because it is necessary for the performance of the contracts between MapLight and its service providers or business partners, including communicating with you about the performance of the relevant services and products;
  • Legitimate Interest: We process your Personal Data based on our legitimate interests in facilitating the operation of our business;
  • Compliance with Legal Obligations: We process Personal Data in order to comply with applicable laws and regulations;
  • Any other grounds as required or permitted by applicable laws.

When we process your Personal Data based on your consent, you may withdraw your consent at any time. However, this will not affect the lawfulness of our processing before you withdrew your consent. It will also not affect processing performed on other lawful grounds.

When we process your Personal Data in connection with a contract we may have with you, we process such Personal Data in order to carry out the contract. Without that such Personal Data, we would not be able to fulfill our contractual obligation to you.

Where we process Personal Data on the basis of our legitimate interests, we will always do so after a careful assessment which requires balancing your right to privacy and our legitimate interests.

We will retain your Personal Data for the period of time necessary to fulfil the purposes for which we collected it or as required to comply with applicable laws and regulations, whichever is longer.

We may share your Personal Data with the following parties and as otherwise described in this Privacy Notice.

Affiliates.  Our corporate parent, subsidiaries, and affiliates, for purposes consistent with this Privacy Notice.

Service providers.  Third parties that provide services on our behalf or help us operate the Site or our business (such as hosting, information technology, customer support, email delivery, marketing, consumer research and website analytics). Our service providers are contractually obligated to implement appropriate technical and organizational measures to protect the confidentiality and security of Personal Data and ensure the protection of the rights of data subjects. Unless otherwise required by applicable laws, our service providers are prohibited from using or disclosing Personal Data for any purpose other than in accordance with MapLight’s documented instructions and carrying out the services that they are performing for us. MapLight remains liable for the protection of your Personal Data that we transfer to our service providers, except to the extent that we are not responsible for an event giving rise to any unauthorized or improper processing.

Advertising partners.  Third-party advertising companies for the interest-based advertising purposes described above.

Business and marketing partners. Third parties with whom we co-sponsor events or promotions, with whom we jointly offer products or services, or whose products or services may be of interest to you.

Professional advisors.  Professional advisors, such as lawyers, auditors, bankers and insurers, where necessary in the course of the professional services that they render to us.

Authorities and others. Law enforcement, regulators, or other competent government authorities, to the extent necessary to comply with applicable laws, regulations and rules (including, without limitation, federal, state, or local laws). To the extent required by law, or if we have a good-faith belief that we need to disclose your Personal Data in order to comply with official investigations, court order, subpoenas, search warrants, or legal proceedings (whether initiated by governmental/law enforcement officials, or private parties). If we have to disclose your Personal Data to regulators, competent authorities, or governmental/law enforcement officials, we may not be able to ensure that those officials will maintain the privacy and security of your Personal Data.

Business transferees.  Acquirers and other relevant participants in business transactions (or negotiations of or due diligence for such transactions) involving a corporate divestiture, merger, consolidation, acquisition, reorganization, sale or other disposition of all or any portion of the business or assets of, or equity interests in, MapLight or our affiliates (including, in connection with a bankruptcy or similar proceedings).

Subject to applicable data privacy laws, you may have certain rights to know, access, update, correct, delete, port, and restrict processing of your Personal Data.

For security purposes, we will verify your identity when you request to exercise your data privacy rights. For certain types of requests, we may also need to ask you for additional information to verify your identity. Once we have verified your identity (or your authorized agent, as applicable), we will respond to your request as appropriate.  

Your rights over your Personal Data depends on the data privacy law applicable where you reside. We provide individuals with choices and control over their own Personal Data. Should you have questions or concerns about this Notice, data protection, your Personal Data, or should you wish to submit a verifiable consumer request, you may contact us using the contact information listed below. We will not discriminate against anyone who makes such a request.

You have the following rights:

Right of Access and Review: If you are a data subject about whom we store Personal Data, you may have a right to request access to, and the opportunity to update, correct, or delete such Personal Data. To submit such requests or raise any other questions, please contact us at the contact information provided below.

Right of Choice: You may opt out of having your Personal Data shared with third parties by us, and you may revoke consent to share your Personal Data with third parties, where consent was the basis for processing your Personal Data, except as required by law. You may also have the right to opt out if your Personal Data is used for any purpose that is materially different from the purpose(s) for which it was originally collected or which you originally authorized. To do this, you may send your request using the contact information provided below.

Right to Withdraw Consent: You have the right to withdraw consent to processing your Personal Data. Withdrawing consent does not affect the lawfulness of processing based on consent prior to the withdrawal. To do this, you may send your request using the contact information provided below.

Right to Data Portability: You have the right to request/claim that your Personal Data be provided to you in a structured, commonly-used and machine-readable format and to transfer that data to another party e.g. service provider. This applies to Personal Data for which processing is based on your consent and the processing carried out by automated means. Where feasible, you can also request/claim that the Personal Data be transferred directly from our systems to those of another provider.

Right to Lodge a Complaint with a Supervisory Authority: If the EU or UK General Data Protection Regulation (GDPR) applies to our processing of your Personal Data, you have the right to lodge a complaint with a supervisory authority in the Member State of your habitual residence, place of work, or of the alleged infringement of the GDPR. In the UK, you can lodge a complaint with the UK Information Commissioner’s Office. In Switzerland, you can lodge a complaint with the Swiss Federal Data Protection and Information Commissioner.

Advertising choices.  You can limit use of your Personal Data for interest-based advertising by:

  • Managing your consent setting. Withdraw your consent for use of marketing tracking technologies. You can do this by visiting the cookie notice located in the footer of our website.
  • Adjusting your browser settings. Blocking third-party cookies in your browser settings.
  • Adjusting your privacy browsers/plug-ins. By using privacy browsers or ad-blocking browser plug-ins that let you block tracking technologies.
  • Opting Out of Ad industry tools. Opting out of interest-based ads from companies participating in the following industry opt-out programs:

You will need to apply these opt-out settings on each device from which you wish to opt-out.

We cannot offer any assurances as to whether the companies we work with participate in the opt-out programs described above.

Configuring Do Not Track.  Some Internet browsers may be configured to send “Do Not Track” signals to the online services that you visit.  We currently do not respond to “Do Not Track” or similar signals.  To find out more about “Do Not Track,” please visit https://www.allaboutdnt.com.

Declining to provide information. We need to collect Personal Data to engage in a business relationship with you or the company you work with.  If you do not provide the information we identify as required or mandatory, we may not be able to enter into a business relationship with you or the company you work with.

MapLight complies with the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (“Swiss-U.S. DPF”) as set forth by the U.S. Department of Commerce. MapLight has certified to the U.S. Department of Commerce that we adhere to the EU-U.S. Data Privacy Framework Principles (“EU-U.S. DPF Principles”) with regard to the processing of Personal Data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU U.S. DPF. MapLight has also certified to the U.S. Department of Commerce that we adhere to the Swiss-U.S. Data Privacy Framework Principles (“Swiss-U.S. DPF Principles”) with regard to the processing of Personal Data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this Notice and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern.

MapLight is responsible for the processing of Personal Data it receives, under the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and Swiss-U.S. DPF, and subsequently transfers to a third party acting as an agent on its behalf. We comply with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and Swiss-U.S. DPF for all onward transfers of Personal Data from the EU, UK and Switzerland, including the onward transfer liability provisions.

To learn more about the Data Privacy Framework Program- visit https://www.dataprivacyframework.gov/s/. To view MapLight’s certification, look for MapLight Therapeutics, Inc. here https://www.dataprivacyframework.gov/list.

MapLight acknowledges the right of EU, UK and Swiss individuals to access their Personal Data pursuant to the Data Privacy Framework and will grant individuals reasonable access to Personal Data we received pursuant to the Data Privacy Framework Principles. In addition, MapLight will take reasonable steps to permit individuals to correct, amend, or delete such information that is demonstrated to be inaccurate or processed in violation of the Principles. An individual may request to access their Personal Data, or otherwise correct, amend, or delete their Personal Data in line with the EU-U.S. (and its UK Extension) and Swiss-U.S. DPF Principles by contacting us at the contact information provided below.

Dispute Resolution

In compliance with the DPF, MapLight commits to resolve DPF Principles-related complaints about our collection and use of your Personal Data. EU, UK, and Swiss individuals with inquiries or complaints regarding our handling of Personal Data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, should first contact MapLight using the contact details below.

If DPF-related complaints, cannot be resolved through our internal processes, we have agreed to participate in the VeraSafe Data Privacy Framework Dispute Resolution Procedure. Subject to the terms of the VeraSafe Data Privacy Framework Dispute Resolution Procedure, VeraSafe will provide appropriate recourse free of charge to you. To file a complaint with VeraSafe and participate in the VeraSafe Data Privacy Framework Dispute Resolution Procedure, please submit the required information here: https://www.verasafe.com/privacy-services/dispute-resolution/submit-dispute/

Binding Arbitration

If your dispute or complaint related to your Personal Data that we received in reliance on the Data Privacy Framework cannot be resolved by us, nor through the dispute resolution mechanism mentioned above, you may have the right to require that we enter into binding arbitration with you under the Data Privacy Framework “Recourse, Enforcement and Liability” Principle and Annex I of the Data Privacy Framework.

U.S. Regulatory Oversight

MapLight is subject to the investigatory and enforcement powers of the United States Federal Trade Commission.

This Site may contain links to websites, mobile applications, and other online services operated by third parties.  In addition, our content may be integrated into web pages or other online services that are not associated with us.  These links and integrations are not an endorsement of, or representation that we are affiliated with, any third party.  We do not control websites, mobile applications or online services operated by third parties, and we are not responsible for their actions. We encourage you to read the privacy notices of the other websites, mobile applications and online services you use.

We employ a number of technical, organizational and physical safeguards designed to protect the Personal Data we process. We have implemented and will maintain technical, administrative, and physical measures that are reasonably designed to help protect Personal Data from unauthorized processing. This includes unauthorized access, disclosure, alteration, or destruction. However, security risk is inherent in all internet and information technologies and we cannot guarantee the security of your Personal Data.

We are headquartered in the United States and may use service providers that operate in other countries. Your Personal Data will be transferred to the United States and may be transferred to the following other countries: United Kingdom, the European Economic Area (EEA), Canada, Republic of Korea, India, Republic of Serbia, Ukraine, and Turkey, where privacy laws may not be as protective as those in your state, province, or country. We will only transfer your Personal Data to third parties in those countries which are recognized as providing an adequate level of protection for Personal Data, or who provide appropriate safeguards to protect your Personal Data.

For Data Subjects in the EEA and UK

For transfers of Personal Data to third countries outside the European Economic Area (EEA) or the United Kingdom (UK), we use safeguards like the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, the European Union Standard Contractual Clauses with necessary adjustments for transfers from the UK, or use specific transfer instruments like the UK International Data Transfer Agreement.

For Data Subjects in Switzerland

For transfers of Personal Data to third countries outside Switzerland, we use safeguards like the Swiss-U.S. Data Privacy Framework and the Standard Contractual Clauses adopted by the Swiss Federal Data Protection and Information Commissioner.

Additional information for Data Subjects in the Republic of Korea

For Data Subjects located in the Republic of Korea, Personal Data are transferred to third parties located in the counties listed in this section above, in compliance with Article 28-8(3) of the Korean Personal Information Protection Act. You may refuse international data transfers by contacting our Data Protection Officer, VeraSafe, by sending an email to experts@verasafe.com, or by using the contact information below.

The Site is not intended for use by anyone under 18 years of age. If you are a parent or guardian of a child from whom you believe we have collected Personal Data in a manner prohibited by law, please contact us.  If we learn that we have collected Personal Data from a child without the consent of the child’s parent or guardian as required by law, we will comply with applicable legal requirements to delete the information.

We reserve the right to modify this Notice at any time. If we make material changes to this Notice, we will notify you by updating the date of this Notice and posting it on the Site.  Any modifications to this Notice will be effective upon our posting the modified version. In all cases, your use of the Site or if you engage in a business relationship with us after the effective date of any modified Notice indicates your acceptance of the modified Notice.

If you have any questions about this Notice or our processing of your Personal Data, you may contact us via email, mail or phone. Please allow up to four weeks for a reply.

MapLight

Privacy Officers: Jayson Walker and Adam Camiel
Email: DPO@MapLightRX.com
Mail: 2400 District Avenue, Burlington, MA 01803
Phone: +1 650 839 4379

While you may contact us at any time, you may also contact our data protection representative and data protection officer about matters related to the processing of your Personal Data.

  • European Union Representative

We have appointed VeraSafe as our representative in the EU for data protection matters. To contact VeraSafe, please use this contact form: https://verasafe.com/public-resources/contact-data-protection-representative/

Alternatively, VeraSafe can be contacted at:
VeraSafe Ireland Ltd.
Unit 3D North Point House
North Point Business Park
New Mallow Road
Cork T23AT2P
Ireland

  • United Kingdom Representative

VeraSafe has also been appointed as our representative in the United Kingdom for data protection matters. To make an inquiry, please contact VeraSafe using this contact form: https://verasafe.com/public-resources/contact-data-protection-representative or via telephone at +44 (20) 4532 2003.

Alternatively, VeraSafe can be contacted at:
VeraSafe United Kingdom Ltd.
37 Albert Embankment
London SE1 7TL
United Kingdom

  • Data Protection Officer

We have appointed VeraSafe as our Data Protection Officer (DPO). While you may contact us directly, VeraSafe can also be contacted on matters related to the processing of Personal Data. VeraSafe’s contact details are:

VeraSafe
100 M Street S.E., Suite 600
Washington, D.C. 20003 USA
+1 (617) 398-7067
experts@verasafe.com
Web: https://www.verasafe.com/about-verasafe/contact-us/
Toll-free: 1-888-376-1079