Privacy Policy

Privacy Policy:

Last Revised: October 14, 2025

Magnolia Market Access (“MMA,” “Company,” “we,” “us,” or “our”) takes your privacy seriously. MMA’s privacy policy is designed to help individuals (“you” or “your”) understand how we collect, use, and safeguard the personal or behavioral information provided (“Data”) to us and to assist you in making informed decisions when using our Site, platforms, applications, and other websites owned or controlled by us (collectively referred to as the “Services”). It also informs you how to contact us with any questions you may have and how to exercise your rights with regard to the Data we collect from or about you. For the purposes of this policy, “Site” refers to MMA’s website, which can be accessed at www.magnoliamarketaccess.com. Each website owned or controlled by MMA will have its own privacy policy that applies. You should review their policies to understand how they affect any information that you provide or are collected at that website.

MMA considers Personally Identifiable Information (“Personal Information” or “Personal Data”) to be information that clearly and directly identifies a particular individual, such as their name, email address, physical address, phone number, or government issued identifier such as a social security number. Subject to applicable laws, that which does not clearly or directly identify a particular individual MMA regards as non-Personally Identifiable Information (“non-PII”). We may use our own technologies, or the technologies of Service Providers, to help us gather and process non-PII. If MMA links non-PII to Personal Information, then MMA will treat such non-PII as Personal Information. For the purposes of this Policy, “Service Providers” refers to suppliers and contractors, including subcontractors.

This Policy does not apply to (1) Data controlled by our clients; (2) Data collected by unaffiliated sites that link to or are accessible from our Services; (3) Data our third party partners may collect directly from you and control, where applicable by law; (4) Data collected and processed by us about our employees; and, (5) non-PII derived from Personal Information, including any data that is aggregated, de-identified, or anonymized, statistical data, insights, or other predictive data that is sufficiently different from your Personal Information that it cannot be reversed engineered through reasonable means, or otherwise identified from analysis or further processing of the derived data.

INFORMATION WE MAY COLLECT FROM YOU

We will collect Data that is adequate, relevant, and reasonably necessary in relation to the purposes for which the Data is processed, as disclosed to you in this policy and prior to being used. For example, we may collect and process directly or passively the following Data from or about you:

  • Contact Information. We may collect your name, mailing address, telephone number, and email address. We may also collect your mobile phone number.
  • Account Information. We may collect your username and password, and other information used to sign up for the account, when you create an account on the Site or other platforms.
  • Device Information. We may collect the type of device you use to access the Site or other platforms. We may also collect your device hardware model and unique identifier, IP address or operating system.
  • Location Information. We may collect Data such as your general location from your device when you access our Site, platforms, or use our Services.
  • Information You Submit. We may collect Data you provide us with about you from filling out forms on our Site, creating accounts, or by corresponding with us by phone, e-mail or otherwise. Such information may include Data you provide us when you use our Site or any other websites we operate, social media functions linked to us such as LinkedIn, contact details, job applications, or problems you report to us about our Site or other platforms.
  • Other Information. We may collect Data about the browser you are using if you use our Site, social media, or other platforms. We might look at what site you came from, or what site you visit when you leave us.

HOW WE USE YOUR INFORMATION

We will use the collected Data only as relevant and reasonably necessary to correspond with you and perform our Services as contracted, permitted by law, and as disclosed in this Policy. Examples of how we may use your information:

  • To Carry Out Services. We may use your Data to carry out contractual obligations entered into between you and us or agreements we have to operate on behalf of clients to provide you with the information or Services that you requested from us.
  • To Improve Our Tools and Services. We may use your Data to make the Site, tools, and our Services better. We may also use your Data to customize your experience with us.
  • To Understand Your Interests. We may use your Data to better understand what tools, Services, and platforms interest you.
  • To Respond to Your Requests or Questions. We may use this Data to respond to your feedback or notify you of decisions, answers, and other requested or necessary correspondence based on your requests or questions.
  • To Communicate with You. We may use your Data to communicate with you about your account, our relationship with you, or communicate with you on behalf of clients. We may also contact you about this Policy or the Site’s Terms of Use.
  • For Security Purposes. We may use your Data to assist in protecting our company, clients, and consumers who use our tools and services. It may also include protecting the Site.
  • As Otherwise Permitted by Law or As We May Notify You. We may have to use your Data as required or permitted by law, and in those circumstances, where required, we will notify you in compliance with applicable laws.

HOW WE SHARE YOUR INFORMATION

We may share your Data with our clients, Service Providers, and business partners, through contractual obligations and requirements by law, and only on a need-to-know basis. We may share your Data with members of our group, which means our affiliates, subsidiaries, and any applicable holding companies (“Group”) to ensure we can appropriately and necessarily perform our Services and will do so while maintaining and upholding this Policy and applicable laws. Affiliates include any subsidiaries, joint venture partners, or other companies that we control or that are under common control with us.

We may disclose your Data for business purposes to the following categories of third parties: Service Providers and our successors as further discussed below. Third parties that we may disclose your Data to are required by law and contractual agreements to keep your Data confidential and secure, and to only use it and disclose it for purposes as appropriate and necessary to carry out Services, in compliance with applicable laws. We do not disclose Data about you to any third parties except as stated in this Policy or as notified to you, or as otherwise permitted, authorized, or required by law. We are not responsible and do not accept liability should you disclose your Data to third parties. Additionally, we have not sold Personal Information to third parties, and we do not sell Personal Information to third parties.

Examples of how we may share your information:

  • Internally. We may share your Data within our company or Group, or employees, as needed to provide services, information, or correspondence to you or on behalf of our clients.
  • With Our Clients. We may share your Data that we collect in services on behalf of our clients back to our clients as contracted, which we will do in compliance with this Policy and applicable laws.
  • With Our Service Providers. We may share your Data with those third parties who perform Services on our behalf and with whom we have a contract that includes
    appropriate privacy obligations.
  • With Any Successors to All or Part of Our Business or One of Our Brands. For example, if MMA merges with, acquires, or is acquired, or sells a brand or part of its business to another business entity. This may include an asset sale, corporate reorganization, or other change of control. We may transfer our client and customer information as part of such a transaction or as stand-alone assets. You hereby consent to such transfers and MMA may assign and transfer all of the rights, benefits, duties, and obligations of this Policy, under the circumstances described in this paragraph.
  • To Comply with the Law or To Protect Ourselves. For example, this could include responding to a court order or subpoena. It could also include sharing Data if a
    government agency or investigatory body requests, or regulatory due diligence requests and activities. We might share Data when we are investigating potential fraud. Such uses shall only be as necessary or appropriate, and only as permitted under applicable law: (a) to comply with legal process; (b) to respond to requests from public and government authorities, including public and government authorities outside your country of residence; (c) to protect our operations or those of our Group, including in connection with investigating security incidents; or (d) to protect our rights, privacy, safety or property, and/or that of our Group, you, or others.
  • For Such Other Purposes as You May Consent. We may share your Data in instances that may not be stated in this Policy but that may be authorized by your consent and in compliance with applicable laws.

CHOICES REGARDING YOUR INFORMATION

Subject to applicable laws, MMA will offer you the opportunity to choose (opt-out) whether your Data is (a) to be disclosed to a third party, (b) to be used for a purpose other than the purpose for which it was originally collected or subsequently authorized by you, or (c) any targeted advertising or profiling that produces legal or similarly significant effects.

  • For Clients: MMA will provide you with information about whether we hold any of your Personal Information. To review and update your Personal Information to ensure it is accurate, contact us at [email protected]. We will respond to all requests for access, correct inaccurate data, update information, or delete information within 30 business days or as required by law.

Cookies & Similar Technologies

As many websites, Our Site collects certain Data and stores it in log files. We sometimes collect Data about visitors’ behavior during their visits to our Site to help us provide better Services and to improve the quality of your Site experience. Our Site, online Services, platforms, may use cookies and other technologies such as pixel tags (known as web beacons), among other things, to track the actions of users. “Cookies” are small, often encrypted text files that contain small amounts of information that are stored on your device’s browser directory. These technologies help us to better understand user behavior including for security and fraud prevention purposes.

Your browser may give you the ability to control cookies or other tracking tools. How you do so depends on the type of tracking tool. If you do not want information collected through the use of cookies, there is a simple procedure in most browsers that allows you to automatically decline cookies or be given the choice of declining or accepting the transfer to your computer of a cookie(s) from a particular site. For additional information and assistance regarding cookies, you may also wish to refer to this page. If, however, you do not accept cookies, you may experience some inconvenience in your use of Services. By using our Site, platforms, or Services, you consent to our use of cookies, including third party cookies.

If you would like to opt out of Google’s use of interest-based advertising and remarketing cookies, please visit Google’s Ad Settings page. In addition, you may also opt out of third-party vendors’ Internet-based advertising cookies by visiting this page.

Various browsers, such as Microsoft Edge, Firefox, Chrome, and Safari, offer a “do not track” or “DNT” option that relies on a technology known as a DNT header, which sends a signal to Web sites visited by the user about the user’s browser DNT preference setting. MMA does not currently commit to responding to browsers’ DNT signals, in part, because no common industry standard or consistent interpretation of user intent for DNT has been adopted by industry groups, technology companies, or regulators.

YOUR RIGHTS REGARDING YOUR INFORMATION

You have certain rights when it comes to the handling of your Personal Information. If you wish to exercise any of these Data rights, please contact us at the information provided in the “How to Contact Us” section below. We will try to comply with your request as soon as reasonably practicable and in compliance with applicable laws. Where appropriate and required, we will transmit the amended information to third parties having access to your Personal Information.

  • Right to Access: If you ask us, we will confirm whether we are processing your Personal Information and, if so, provide you with a copy of all Personal Information you are lawfully entitled to receive along with certain other details. If you require additional copies, we may charge a reasonable fee. In addition, you may request the categories of third parties with whom we share that Personal Information, if we disclose your Personal Information, and then identify the Personal Information categories that each category of recipient obtained.
  • Right to Request Rectification: If you believe your Personal Information is inaccurate or incomplete, you are entitled to request that we correct or complete it. If you ask us, and where possible and lawful to do so, we will also tell you with whom we shared your Personal Information so you can contact them directly.
  • Right to Erasure: You may ask us to delete or remove your Personal Information, such as where you withdraw your consent, where applicable. If we share your data with others, we will tell them about the erasure where possible. We have no current plans to share your Personal Information except as described in this Policy. But, should we ever share your Personal Information, if you ask us, and where possible and lawful to do so, we will also tell you with whom we shared your Personal Information with so you can contact them directly.
  • Right to Restrict Processing: You may ask us to restrict or ‘block’ the processing of your Personal Information in certain circumstances, such as where you contest the accuracy of the data or object to us processing it (please read below for information on your right to object). We will tell you before we lift any restriction on processing. If we share your Personal Information with others, we will tell them about the restriction where possible. If you ask us, and where possible and lawful to do so, we will also tell you with whom we shared your Personal Information so you can contact them directly.
  • Right to Data Portability: You have the right to obtain your Personal Information from us that you consented to give us or that was provided to us as necessary in connection with our contract with you, and that is processed by us by automated means. We will give you your Personal Information in a structured, commonly used, and machine readable format. You may reuse it elsewhere.
  • Right to Object: You may ask us at any time to stop processing your Personal Information, and, subject to laws or necessary requirements to maintain the Personal Information, we will do so, such as on the basis of our legitimate interests or for direct marking purposes.
  • Right to Withdraw Consent: If we rely on your consent to process your Personal Information, you have the right to withdraw that consent at any time. Withdrawal of consent will not affect any processing of your data before we received notice that you wished to withdraw consent.
  • Right to Lodge a Complaint with the Data Protection Authority: If you have a concern about our privacy practices, including the way MMA handles your Personal Information, you can report it to the data protection authority that is authorized to hear those concerns.
  • Right to Non-discrimination for Exercising CA Resident Rights. We will not discriminate against you for exercising your California Consumer Privacy Act rights. We will not deny you goods or services; charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties; provide you a different level or quality of goods or services; or, suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.
  • Right to Appeal: If your request to exercise one of your rights set forth above is denied, we will provide you with an explanation in a reasonable time, in compliance with applicable laws. If you disagree with our decision, you can appeal the denial by contacting us in the “How to Contact Us” section at the end of this Policy. We will respond to your appeal in a timely and reasonable manner in compliance with applicable laws.

We may deny your request to exercise any of your Data rights above if any such exercise of those rights might prevent MMA from:

  • Complying with legal obligations.
  • Detecting security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
  • Debugging products to identify and repair errors that impair existing intended functionality.
  • Making other internal and lawful uses of that information that are compatible with the context in which you provided it.

DATA PRIVACY FRAMEWORK CERTIFICATION

MMA participates in and complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. MMA has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of Personal Data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. MMA has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of Personal Data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/ and the Data Privacy Framework List.

For purposes of DPF compliance enforcement, MMA acknowledges it is subject to the investigatory and enforcement powers of the United States Federal Trade Commission (FTC). MMA may be required to disclose Personal Data in response to lawful requests by public authorities. MMA has liability for onward transfers to third parties unless we can prove we were not a party to the events giving rise to the damages. Additionally, an individual may be allowed to invoke binding arbitration to resolve disputes under certain limited conditions. Further details regarding onward transfers to third-parties, lawful disclosures, your DPF rights to Personal Data, complaints, and binding arbitration are below.

Consistent with the DPF Principles, MMA may disclose Personal Data to subcontractors and third-party agents who assist us in providing Services to customers or clients. Before disclosing Personal Data to a subcontractor or third-party agent, MMA will ensure it has explicit permission from the individual and will obtain assurances from the recipient that it will: (a) use the Personal Data only to assist MMA in providing the Services; (b) provide at least the same level of protection for Personal Data as required by the DPF Principles; and (c) notify MMA if the recipient is no longer able to provide the required protections. Upon notice, MMA will act promptly to stop and remediate unauthorized processing of Personal Data. MMA will remain liable for onward transfers to its subcontractors and third-party agents.

MMA may also be required to disclose, and may disclose, Personal Data in response to lawful requests by public authorities, including for the purpose of meeting national security or law enforcement requirements. To the extent permitted, MMA will inform its relevant individual before making such disclosure and provide it with a reasonable opportunity to object to such disclosure. MMA will not otherwise disclose Personal Data to third parties.

Pursuant to the DPF, individuals whose Personal Data is transferred to us under the DPF have the right to obtain our confirmation of whether we maintain Personal Data relating to them in the United States. They also have the right to access, correct, amend, or delete the data we hold about them as further detailed throughout this privacy policy and under “Choices Regarding Your Information” and “Your Rights.” An individual who seeks access to their data, or who seeks to correct, amend, or delete inaccurate data transferred to the United States under the DPF should contact our Privacy Officer at [email protected].

Complaints- Data Privacy Framework

In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, MMA commits to resolve DPF Principles-related complaints about our collection and use of your Personal Data. EEA, UK, and Swiss individuals with inquiries or complaints regarding our handling of Personal Data should first contact MMA’s Privacy Officer by emailing [email protected], or by phone through our toll-free number +1-855-566-3282. We will take steps to investigate and to promptly respond within forty-five (45) days from receipt to issues arising out of a failure to comply with the DPF Principles. 

If you do not receive timely acknowledgment of your complaint from us or if you are not satisfied with our response, you may bring unresolved Data Privacy Framework complaints to our independent resource mechanism, third-party United States based dispute resolution provider, the International Centre for Dispute Resolution/American Arbitration Association (“ICDR-AAA”). Please contact or visit ICDR-AAA Services for more information or to file a complaint. The services of the American Arbitration Association are provided at no cost to you (free of charge). You can also contact them by mail at:

International Centre for Dispute Resolution
Case Filing Services
1101 Laurel Oak Road, Suite 100
Voorhees, NJ 08043
United States

Phone: 1-212-484-4181 or
Email: [email protected]

If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms as described in Annex I to the DPF Principles.

This DPF section may be amended from time to time, consistent with the requirements of the DPF Principles.

SECURITY

MMA uses administrative, physical, and technical safeguards that are reasonable and appropriate for the protection of the Data in our custody or control. Measures may include, but are not limited to, the encryption of communications via secure sockets layer (SSL), encryption of information while it is in storage, firewalls, access controls, separation of duties, and similar security protocols. Where we have given you (or where you have chosen) a password which enables you to access certain parts of our Site or platforms, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.

We limit access to your Data to our Group, employees, Service Providers, and others described in this Policy, as applicable, who we believe reasonably need to come into contact with that Data to provide our Services or in order to do their jobs. Unfortunately, no data transmission or storage system can be guaranteed to be 100% secure. Once we have received your Data, we will use strict procedures and security features to try to prevent unauthorized access. If you have reason to believe that your interaction with us is no longer secure (for example, if you feel that the security of your account has been compromised), please immediately notify us in accordance with the “Contacting Us” section below.

RETENTION

We will retain your Data for the period necessary to fulfill the purposes outlined in this Privacy Policy unless a longer retention period is required or permitted by law (such as tax, accounting, or other legal requirements).

LOCATION

As our operations are conducted from the United States (US), all Data that we collect is used and stored in the US, is subject to US laws, and may be subject to disclosure to US governments, courts, or law enforcement or regulatory agencies pursuant to those laws. If you are accessing our Site or platforms from or in another country with laws governing data collection and use, please note that your Data will be transmitted to our servers in the US. The United States may have data protection laws less stringent than or otherwise different from the laws in effect in the country in which you are located. In the event you are a non-US citizen, as applicable and permitted by law, you consent to the processing of your Data in accordance with this Policy.

LINKS

This Policy does not address, and we are not responsible for, the privacy, information, or other practices of any third parties, including any third party operating any site or service to which may be linked. The inclusion of a link on our Site or platforms does not imply endorsement of the linked site or Service by us or by our Group. In addition, we do not accept responsibility or liability for the information collection, use, disclosure or security policies or practices of other organizations, such as social media platform providers, operating system providers, wireless service providers or device manufacturers, including with respect to any Data you disclose to other organizations through or in connection with our Site or Services. Please check these policies before you submit any Data to these websites.

MINORS

MMA never knowingly collects or maintains Data from minors, and no part of our Site is structured to attract minors. If you become aware that we have collected Data for any individual under the age of 13, please contact us using one of the methods in the “How to Contact Us” section and inform us that such collection has occurred. If we become aware that we have collected Data from an individual under the age of 13, we will immediately delete such Data.

HOW TO CONTACT US

Any questions or concerns regarding handling of Personal Information by MMA or related to collection, process, revocation, amendment, transfer, or disclosure of your Personal Information, or this Policy, should be directed by email to [email protected]. If you prefer, please feel free to contact us by phone at our toll-free number +1-855-566-3282. Alternatively, you may write us through regular mail at following address:

Magnolia Market Access
Privacy Officer
200 Crossing Blvd
Suite 7000
Bridgewater, NJ 08807

CHANGES TO THIS POLICY

We keep this Privacy Policy under regular review, and we will place any updates on this Site. We will notify you of any material changes to our Policy as required by law. By continuing to use our Site and Services after a revision takes effect, it is considered that you have read and understand the changes.