Privacy Policy
CARDIOL THERAPEUTICS INC.
PRIVACY POLICY
Last Updated: June 16, 2026
Cardiol Therapeutics Inc. and its affiliates (“Company,” “we,” “us,” or “our”) respect your privacy and are committed to protecting personal information entrusted to us. This Privacy Policy explains how we collect, use, disclose, retain, and protect personal information through our websites, digital services, investor and media communications, and related interactions (collectively, the “Services”).
This Privacy Policy is intended to be transparent and easy to understand. It also describes the choices and rights that may be available to you depending on where you are located and the nature of your relationship with us.
If you do not agree with this Privacy Policy, please do not use the Services.
1. Scope
This Privacy Policy applies to personal information we collect:
- through our website and related online services
- when you contact us by email, web form, telephone, or otherwise
- when you subscribe to press releases, investor updates, newsletters, or other communications
- when you interact with us in connection with clinical, scientific, medical, regulatory, investor, or business inquiries
- through cookies, analytics, and similar technologies, subject to applicable consent requirements
This Privacy Policy does not apply to third-party websites, platforms, or services that we do not own or control, even if they are linked from our website.
2. Personal Information We Collect
Depending on how you interact with us, we may collect the following categories of personal information:
A. Information you provide directly
- name
- email address
- telephone number
- company, institution, title, or affiliation
- mailing address
- correspondence and inquiry details
- communication preferences
- any other information you choose to provide to us
B. Website and device information
When you visit our website, we may automatically collect information such as:
- IP address
- browser type and version
- device identifiers
- operating system
- language preferences
- referring URLs
- date/time stamps
- pages viewed
- clicks, browsing paths, and interaction data
- similar usage or diagnostic information
C. Cookie, analytics, and similar technology data
We and our service providers may use cookies, pixels, tags, scripts, SDKs, and similar technologies to do any or all of the following:
- operate and secure the website
- remember your settings
- measure traffic and website performance
- understand how users interact with our Services
- improve website design, usability, and content
Where required by applicable law, we will seek your consent before using non-essential cookies or similar technologies.
D. Health-related or sensitive information
In limited circumstances, you may provide information that is health-related or otherwise sensitive (for example, through medical information inquiries, adverse event reporting, clinical or regulatory contact processes, or other directed communications). We ask that you provide only the information reasonably necessary for your inquiry or interaction.
Where we collect or receive health-related information, we will handle it with safeguards and controls appropriate to its sensitivity and in accordance with applicable law and our internal governance processes. See Section 9 (Health Information and Sensitive Information) for additional details regarding how such information is handled.
3. How We Use Personal Information
We may use personal information for any or all of the following purposes:
- to operate, maintain, and improve the Services
- to respond to your requests, questions, and communications
- to provide investor relations, media, scientific, medical, or corporate information you request
- to send newsletters, press releases, alerts, or other communications you have requested or consented to receive
- to administer subscriptions, events, surveys, and related engagement activities
- to monitor website performance, diagnose technical issues, and improve user experience
- to detect, prevent, investigate, and respond to fraud, security incidents, misuse, or unlawful activity
- to protect the rights, safety, property, and security of individuals, our organization, and others
- to comply with legal, regulatory, contractual, reporting, pharmacovigilance, safety, records-management, and audit obligations
- to establish, exercise, or defend legal claims
- for any other purpose disclosed at the time of collection or otherwise permitted or required by law
We may also aggregate or de-identify information so that it no longer identifies an individual. We may use such information for lawful business purposes, including analytics, service improvement, research, benchmarking, and reporting. Where we de-identify or anonymize information, we will take reasonable measures designed to ensure that the information cannot be re-identified, and we will not attempt to re-identify such information except as permitted by law.
4. Legal Bases for Processing (where applicable)
If the European or UK GDPR or similar laws apply, we process personal data on one or more of the following legal bases:
- with your consent
- in the performance of a contract or to take steps at your request before entering into a contract
- in compliance with legal obligations
- in accordance with our legitimate interests (such as operating and improving our Services, securing our systems, responding to inquiries, and managing our business), provided those interests are not overridden by your rights
- where applicable, reasons of public interest in the area of public health, scientific research, or the establishment, exercise, or defence of legal claims
Where we rely on consent, you may withdraw it at any time, subject to legal or contractual restrictions and reasonable notice.
5. SMS, Email, and Marketing Communications
If you subscribe to receive our communications, we may send you updates such as press releases, investor information, newsletters, event notices, or other communications consistent with your preferences and applicable law.
You may unsubscribe from marketing or promotional communications at any time by either of the following two methods:
- using the unsubscribe link included in the message
- contacting us using the details set out below
Please note that we may still send you non-promotional communications, including responses to your inquiries, transaction-related messages, security notices, or legally required notices. We will only send you electronic communications in accordance with applicable anti-spam laws, including obtaining consent where required.
6. Cookies and Similar Technologies
We use cookies and similar technologies for one or more reasons, including to:
- ensure the website functions properly
- remember preferences and settings
- understand traffic and usage patterns
- improve performance and user experience
- support analytics and security functions
A. Cookie Choices
Where required by law, our cookie banner or consent manager will allow you to:
- accept all cookies
- reject non-essential cookies
- customize your preferences by category
You may also manage cookies through your browser settings. Please note that disabling certain cookies may affect website functionality.
B. Global Privacy Control and Similar Preference Signals
Where required by applicable law, we will honour recognized browser-based privacy preference signals in accordance with applicable legal requirements and our technical capabilities.
7. Disclosure of Personal Information
We may disclose personal information to the following categories of recipients, where appropriate and lawful:
- affiliates and related companies
- service providers and vendors who help us operate the Services or our business (such as website hosting, IT, analytics, CRM, email distribution, professional advisers, cloud services, and security providers)
- regulatory authorities, courts, law enforcement agencies, public authorities, or other third parties where required or permitted by law
- auditors, insurers, financing counterparties, and professional advisers
- parties involved in a corporate transaction, reorganization, financing, acquisition, merger, disposition, or similar event
- other parties with your consent or at your direction
We require service providers that process personal information on our behalf to protect it appropriately and to use it only for authorized purposes.
We do not sell personal information for monetary consideration. We also do not “sell” or “share” personal information for cross-context behavioural advertising as those terms may be defined under applicable privacy laws, except where permitted by law and clearly disclosed. If our practices change, we will update this Privacy Policy and any required notices accordingly.
8. International and Cross-Border Transfers
We may store or process personal information in Canada, the United States, the European Union, or other jurisdictions where we or our service providers operate.
As a result, personal information may be accessible to courts, law enforcement, national security authorities, or regulators in those jurisdictions in accordance with their laws.
Where applicable, and particularly for transfers of personal data subject to the GDPR, we take steps designed to ensure appropriate safeguards are in place, such as contractual protections or other lawful transfer mechanisms recognized by applicable law.
Where personal information is transferred outside of Canada, it may be subject to the laws of foreign jurisdictions, including lawful access by courts, law enforcement, and national security authorities. By using our Services or providing information to us, you acknowledge that your information may be processed in other jurisdictions as described in this Privacy Policy.
9. Health Information and Sensitive Information
Where we collect or receive personal health information, medical information, or other sensitive personal information, we will:
- limit collection to what is reasonably necessary for the relevant purpose
- use and disclose it only for lawful and appropriate purposes
- restrict access on a need-to-know basis
- apply safeguards proportionate to its sensitivity
- retain it only as long as reasonably necessary and legally required
Nothing in this Privacy Policy is intended to expand legal obligations beyond those that apply to us. If we act in a role governed by specific health privacy laws, contractual obligations, or regulatory requirements, we will handle relevant information in accordance with those obligations.
If we act for or on behalf of a health information custodian, covered entity, business associate, research institution, investigator, or other regulated party, additional privacy notices, consents, contracts, or statements of information practices may apply.
10. HIPAA Notice
If and only to the extent that we are acting as a HIPAA covered entity or business associate in relation to particular information or services, protected health information (“PHI”) will be handled in accordance with applicable HIPAA requirements and any relevant notices, authorizations, and contractual arrangements.
Where required, we will enter into appropriate contractual arrangements with service providers and other parties that create, receive, maintain, or transmit PHI on our behalf.
If HIPAA does not apply to a particular interaction, communication, or dataset, references in this Privacy Policy to health-related information should not be interpreted as creating HIPAA rights where none exist.
11. Data Retention
We retain personal information only for as long as reasonably necessary for the purposes described in this Privacy Policy, including:
- to provide the Services and respond to requests
- to maintain subscriptions and communication records
- to meet legal, accounting, tax, regulatory, safety, and records-retention obligations
- to resolve disputes
- to enforce agreements or protect our rights
Retention periods may vary depending on the nature of the information, legal requirements, and the context in which it was collected. When personal information is no longer required, we will securely delete, anonymize, or otherwise dispose of it in accordance with applicable law and our records-management practices.
12. Security Safeguards
We use administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, use, disclosure, alteration, loss, theft, or destruction. These safeguards may include, as appropriate:
- access controls
- role-based permissions
- encryption in transit and, where appropriate, at rest
- logging and monitoring
- vendor diligence and contractual controls
- secure development and change-management practices
- incident response procedures
- workforce confidentiality and training measures
Although we take reasonable steps to protect personal information, no system can be guaranteed to be completely secure. You should use caution when transmitting information electronically.
13. Your Rights and Choices
Under Canadian privacy laws, you have the right to request access to and correction of personal information that we hold about you, subject to limited exceptions. Depending on your location and the applicable law, you may have the right to do any or all of the following:
- request access to personal information we hold about you
- request correction of inaccurate or incomplete personal information
- request deletion of personal information in certain circumstances
- request restriction of processing in certain circumstances
- object to certain processing, including certain processing based on legitimate interests
- withdraw consent, where processing is based on consent
- request portability of certain personal data
- lodge a complaint with a supervisory authority or privacy regulator
- complain to us directly using the contact information below
We may need to verify your identity before responding to a request. We may also decline or limit a request where permitted or required by law.
Where personal information relates to clinical, research, medical, or regulated records, additional statutory, ethical, regulatory, or contractual considerations may apply.
14. Children’s Privacy
Our website is not intended for children under the age of 16, and we do not knowingly collect personal information directly from children under 16 through the website unless clearly indicated in the context of a specific lawful program, study, or service and subject to appropriate consent and governance measures.
If you believe a child under 16 has provided us with personal information without appropriate authorization, please contact us and we will review the matter promptly and will take appropriate steps, where required, to delete such information.
15. Third-Party Websites and Services
Our website may contain links to third-party websites, services, publications, investor platforms, recruitment systems, or social media features. We are not responsible for the privacy, security, or content practices of those third parties. We encourage you to review their privacy notices before providing information.
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes to our practices, technologies, legal requirements, or business operations. When we do, we will post the updated version on this page and revise the “Last Updated” date above. Where required by law, we will provide additional notice or obtain consent for material changes.
17. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact:
Chief Privacy Officer
Cardiol Therapeutics Inc.
602-2265 Upper Middle Road East
Oakville, ON, Canada
L6H 0G5
Email: privacy@cardiolrx.com
Tel: +1-289-910-0856
If applicable, you may also contact our Data Protection Officer or EU/UK representative using the contact information made available for your jurisdiction.