HOW WE COLLECT DATA

We collect Usage Data and Personal Data in the following ways:

• We collect Personal Data directly from you, such as when you use StoryCatch journaling or take StoryCatch surveys, when you apply for a clinical study, when you subscribe for updates regarding our Services, and when you contact us or request information from us.

• We collect from your healthcare provider Personal Data which is included in your medical records in cases where you specifically authorize your provider to disclose such Personal Data to us.

• We collect Usage Data automatically, such as through cookies or other technologies. We may also collect certain Personal Data (i.e., Internet or other electronic network activity information) automatically through cookies or other technologies.

WHY WE PROCESS DATA

We process Usage Data to analyze the effectiveness of our Services and improve our Services, including without limitation, to optimize app features and make your use of our Services more convenient and user-friendly.

We process Personal Data for the business and commercial purposes described in the bullet points below.

• Providing our Services. To provide our Services, we may use any of the types of Personal Data described above, for example, identifiers and contact information, health and medical information, mental, emotional, and physical characteristics, and demographic information.

• Communicating with you, for example, responding to your inquiries (including unsolicited requests for information about our clinical trials information) and providing direct marketing information to you in accordance with the terms of this Notice. For these purposes, we may use identifiers and contact information and any Personal Data included within your inquiry/request to us.

• For our internal business purposes, for example, measuring the effectiveness of and improving our Services. For these purposes, we may use any of the types of Personal Data described above (but excluding Consumer Health Data), for example, identifiers and contact information and internet or other electronic network activity information.

• Protecting rights and interests, for example, protecting the health, safety, and security of Know Healthtech and its employees, and persons who receive our Services; enforcing our legal rights; and pursuing remedies or otherwise taking steps to limit damages and liabilities. For these purposes, we may use any of the types of Personal Data described above, for example, identifiers and contact information to investigate violations of our contracts, or health and medical information in the event of an emergency.

• Pursuant to your consent, for research purposes including without limitation, to enable third parties, such as researchers, statisticians, academic institutions and biopharmaceutical companies, to analyze data in connection with their research projects and/or to prepare research publications. For these purposes, we may process any of the types of Personal Data described above.

• If applicable, in relation to and to effectuate a change in control of our business, including by means of merger, acquisition or purchase of all or substantially all of our assets. For these purposes, we may process any of the types of Personal Data described above.

• As required by law and to meet our legal obligations, for example, by complying with orders from administrative or judicial authorities and complying with subpoenas and other legal process. For these purposes, we may process any of the types of Personal Data described above.

HOW WE SHARE DATA

We may share your Usage Data and Personal Data in the following ways:

• We may share Usage Data and Personal Data with vendors and service providers who work on our behalf to provide certain services in support of our business operations and/or our Services, for example, entities that provide us with data storage, data analysis, and processing, IT and data security, and legal services. When we share Personal Data with vendors and service providers, we endeavor to require that they keep your Personal Data confidential and secure and process it for limited and specified purposes.

• We may share Usage Data and Personal Data with our affiliates and subsidiaries, for example, current and future companies within the Know Healthtech family of companies.

• We may share Usage Data and Personal Data in connection with a business transfer, for example, as part of a sale, assignment, or transfer of a Know Healthtech business or asset group, or acquisition of or merger with another entity. We may also share your Personal Data in contemplation of such transactions, such as during due diligence.

• We may share Personal Data in response to requests from government or law enforcement agencies or where required or permitted by applicable laws, court orders, or government regulations, for example, in response to a subpoena or regulatory inquiry.

• We may share Personal Data to protect rights and interests, for example, when needed for corporate audits, to investigate or respond to a complaint or threat, or to exercise our legal rights.

• With your consent, we may share Personal Data (including your health-related Personal Data) with a study center where you may potentially be able to participate in a clinical research study.

Additionally, with your consent, we may deidentify or anonymize your Personal Data and share deidentified/anonymous data with third parties, such as researchers, statisticians, academic institutions, and biopharmaceutical companies, so that they may analyze such data in connection with their research projects and/or to prepare research publications.

Your Personal Data collected through StoryCatch may also be shared if you choose to share it with others (e.g., family members, friends, caregivers, etc.). You solely control whether and with whom your Personal Data is shared when customizing your StoryCatch profile access settings, and to the extent you choose to share your Personal Data within StoryCatch, you accept sole responsibility for such sharing of Personal Data.

COOKIES AND OTHER TRACKING TECHNOLOGIES

We automatically process certain types of information whenever you interact with us on our Services and in some emails we may send to you. Automatic technologies we use may include, for example, cookies and web beacons.

• Cookies: A cookie is a piece of information that is placed on your computer when you access certain websites. The cookie uniquely identifies your browser to the server. Most web browsers are set up to accept cookies, though you can reset your browser to refuse all cookies or to indicate when a cookie is being sent. Note, however, that some portions of our Services may not work properly if you refuse cookies.

• Web Beacons: On certain parts of our Services or emails, we may utilize a common Internet technology called a “web beacon” (also known as a “pixel tag”, an “action tag”, or “clear GIF technology”). Web beacons help analyze the effectiveness of advertising campaigns and websites by measuring, for example, the number of visitors to a site or how many visitors clicked on key elements of a website.

Do Not Track (DNT) is a privacy preference that you can set in certain web browsers. Our Services may not recognize or respond to DNT signals, as the industry is currently working toward defining what DNT means and developing a common approach to responding to DNT signals. You can learn more about DNT here.

DATA ANALYTICS

We may use third-party analytics services (such as Google Analytics) to process Usage Data. These analytics services help us improve the quality of our Services. To learn more about Google’s privacy practices, please review the Google Privacy Policy. To prevent Google Analytics from using your information for analytics, you can install the Google Analytics Opt-Out Browser Add-on here.

INTEREST-BASED ADVERTISING

Some of our online services may integrate third-party advertising technologies that allow for the delivery of relevant content and advertising on non-Know Healthtech services that you use. The ads on third-party services may be based on various factors, such as the content of the page you are visiting, your searches, demographic data, and your activities on our websites and third-party services.

We neither have access to, nor does this Notice govern, the use of cookies or other tracking technologies that may be placed on your device to access the services by non-affiliated third parties. To learn more about certain third-party trackers used for interest-based advertising, for example, through cross-device tracking, and to exercise certain choices regarding such technologies, please visit the Digital Advertising Alliance (DAA), Network Advertising Initiative (NAI), Digital Advertising Alliance-Canada, European Interactive Digital Advertising Alliance, or your device settings if you have the DAA or other mobile app that allows you to control interest-based advertising on your device. We do not control these opt-out links or whether any particular company chooses to participate in these opt-out programs.

The opt-outs described at the links above are device- and browser-specific and may not work on all devices. If you clear cookies on your device or in your browser, you will have to go through the process of opting out again. If you choose to use any of these opt-out tools, this does not mean you will cease to see advertising. Rather, the ads you see will just not be based on your interests.

DIRECT MARKETING

As noted above, we may process certain Personal Data, including your name and contact information, to send you direct marketing communications. These marketing communications may include, for example, newsletters, updates about our Services and other promotional materials that may be of interest to you. Our marketing communications include an unsubscribe option or other method by which you can opt out of receiving further marketing communications from us. You may also contact us at privacy@knowrare.com at any time to request to opt out of receiving further marketing communications from us.

YOUR RIGHTS AND CHOICES

Depending on the jurisdiction in which you are located or reside, you may have certain rights with regard to your Personal Data. We will honor your rights in accordance with applicable laws and regulations, and we may verify your identity before responding to a request to exercise your rights. Please note that the rights described below may be subject to limitations under applicable laws and regulations.

To the extent provided for under applicable law, you may contact us at any time to:

• Ask what Personal Data we process about you;

• Request a copy of your Personal Data;

• Request that we correct inaccurate or incomplete Personal Data;

• Opt out of or suppress certain Personal Data processing;

• Request deletion of your Personal Data;

• Impose restrictions on our processing of your Personal Data; and

• Withdraw your consent to certain processing of your Personal Data.

You can exercise these rights by emailing us at privacy@knowrare.com. You may also have the right to lodge a complaint with the privacy or data protection regulator in your state or country of residence.

If you are a “Consumer” (as defined in the “Consumer Health Data” section below), please refer to the Consumer Health Data section for additional information about your rights. If you are an individual in the EU or UK using our Services, please refer to the “EU/UK Data Protection” section below for further information about your rights.

DATA SECURITY

Know Healthtech has implemented privacy and security controls designed to help protect your Personal Data. Please note, however, that no security measures are 100% effective, and we cannot guarantee absolute security of your Personal Data. We encourage you to take steps to protect yourself, for example, by not sharing login credentials to your accounts, not sending us sensitive information using unsecure methods (e.g., via unencrypted email), and protecting your devices (e.g., with passwords).

DATA RETENTION

Know Healthtech retains your Personal Data for as long as necessary for the purpose for which it was collected, unless a longer period is required to comply with applicable laws. Our retention periods vary depending on the purpose(s) for which your Personal Data was collected. Some of the criteria we use to assess appropriate retention periods include: (1) the nature of the Personal Data and the activities involved, (2) when and for how long you interact with us, and (3) our legal obligations. To provide security and business continuity we make backups of certain data, which we may retain for longer than the original data.

PRIVACY STATEMENT FOR MINORS

We do not knowingly collect Personal Data directly from children under 13 years old. In cases where we discover that we have collected Personal Data directly from a child under 13 years old, we will seek to promptly delete such Personal Data.  Please contact us at privacy@knowrare.com if you believe that we have collected Personal Data directly from any child under the age of 13.

THIRD-PARTY RESOURCES

We may provide you with links to or information about third-party resources. For example, we may provide individuals with information about patient advocacy groups, and we may provide researchers with links to clinical trial registries. Please note that we do not control the privacy policies or practices of such third parties, and we encourage you to review the privacy notices of the third parties with which you interact.

CONSUMER HEALTH DATA

We process certain Consumer Health Data subject to U.S. state consumer health data privacy laws. This section explains the rights that may be exercised by individuals pursuant to such laws. As used in this Notice, “Consumer Health Data” means information that is linked or linkable to an identified or identifiable individual who is a resident of a U.S. state with an applicable consumer health data privacy law and which information identifies the individual’s past, present or future physical or mental health status (each such individual is referred to as a “Consumer”).

To the extent of any inconsistency between terms under this Consumer Health Data section and terms elsewhere in this Notice, the terms under this Consumer Health section shall be controlling with regard to our processing of Consumer Health Data.

Categories of Consumer Health Data Collected

In connection with our Services, we may collect Consumer Health Data concerning:

• individual health conditions, treatment, diseases, or diagnoses;

• social, psychological, behavioral, or medical interventions;

• health-related surgeries or procedures;

• use or purchase of prescribed medication;

• bodily functions or vital signs;

• diagnoses or diagnostic testing, treatment, or medication;

• gender-affirming care;

• reproductive or sexual health;

• biometric information;

• genetic information;

• precise geolocation that could reasonably indicate a Consumer’s attempt to acquire or receive health services or supplies; and

• a Consumer seeking health care services.

We do not permit any third party to collect Consumer Health Data over time across different Internet websites or online services when a Consumer uses our Services.

Sources from which Consumer Health Data is Collected

We collect the categories of Consumer Health Data described above directly from Consumers.

Manner of Collecting and Processing Consumer Health Data

Consumer Health Data is collected from Consumers when they share it through use of our Services. The Consumer Health Data that we collect is stored securely on servers maintained by third-party service providers with which we contract.

Categories of Consumer Health Data Shared

We share each of the categories of Consumer Health Data noted above with the categories of third parties identified below.

Categories of Third Parties with which Consumer Health Data is Shared

We share Consumer Health Data with the following categories of third parties:

• Service providers that assist us with providing our Services

• Study centers where you may potentially be able to participate in a clinical research study, where you have consented to such sharing

Purposes of Processing Consumer Health Data

The purposes of processing Consumer Health Data are as follows:

• We process Consumer Health Data to provide our Services to you;

• We process Consumer Health Data to improve our Services or to develop new products or services; and

• With your separate consent, we anonymize your Consumer Health Data and share the anonymous data with researchers, statisticians, academic institutions, and biopharmaceutical companies so that they may analyze such data in connection with their research projects and/or prepare research publications.

Consumer Rights

Consumers have certain rights under U.S. state consumer health data privacy laws with respect to Consumer Health Data about them. Such rights may include the following:

• A Consumer may request confirmation of whether we are collecting, sharing, or selling Consumer Health Data and to access such Consumer Health Data;

• A Consumer may request a list of all third parties with whom we have shared Consumer Health Data or to whom we have sold Consumer Health Data and may also request an active email address or other online mechanism that the Consumer may use to contact these third parties;

• A Consumer may withdraw consent for our collection and sharing of Consumer Health Data;

• A Consumer may request deletion of Consumer Health Data; and

• A Consumer may request that we stop collecting, sharing, or selling Consumer Health Data.

If you are a Consumer who wishes to exercise any of the rights noted above, you may submit a request to us at privacy@knowrare.com.

If you’ve made a request to exercise any of your rights noted above and we deny the request, you have the right to appeal that denial. If you would like to appeal a denial of your request, please contact us at privacy@knowrare.com. When you contact us to appeal the denial, please describe the specific reasons why you believe your request should be granted. Within 45 days of our receipt of your appeal, we will respond in writing describing any action taken or not taken on your appeal, including a written explanation of the reason for our decision. If your appeal is denied, we will notify you of a method through which you may contact the attorney general in your state to submit a complaint.

EU/UK DATA PROTECTION

In addition to other terms and conditions of this Notice, the following terms apply to individuals who use our Services in the European Union (EU) or United Kingdom (UK).

Know Healthtech is a “controller” of Personal Data that you share through your use of our Services (i.e., Know Healthtech is the entity that determines the purposes and means of processing such Personal Data).

As described in this Notice, we process this Personal Data for various purposes, including without limitation, to provide our Services. Please refer to the section above titled “Why We Process Data” for a full description of the purposes for which we process Personal Data. Additionally, for information about the categories of recipients of your Personal Data, please refer to the “How We Share Data” section above, and for information about our retention of Personal Data, please refer to the “Data Retention” section above.

We may process Personal Data on one or more of the following legal bases:

• Your consent;

• When processing the Personal Data is necessary for compliance with a legal obligation to which we are subject;

• When processing the Personal Data is necessary for purposes of carrying out our legitimate interests in maintaining network and information security and detecting and preventing against fraud and other malicious activity in relation to our Services, where such interests are not are overridden by your interests or fundamental rights and freedoms;

• When processing the Personal Data is necessary in order to protect the vital interests of the subject of the Personal Data or of another natural person;

• When processing the Personal Data is necessary for scientific research purposes based on EU law, Member State law or applicable law in the UK;

• When processing the Personal Data is necessary for the establishment, exercise or defense of legal claims; and/or

• When our processing relates to Personal Data which has been made public by the subject of the Personal Data.

As a subject of Personal Data (“data subject”), you have the right to request access to, rectification of, erasure of, and/or restriction of processing of your Personal Data. You also have the right to object to further processing of your Personal Data or to request that your Personal Data be transferred to another controller. To exercise any of these rights, you may contact us at privacy@knowrare.com. We will respond to you as required by applicable law.

If our processing of your Personal Data is based on your consent, you may withdraw your consent to such processing at any time by contacting us at privacy@knowrare.com, however, your withdrawal will not affect the lawfulness of processing that occurred before our receipt of your withdrawal.

You are not required to provide us with your Personal Data, but if you choose not to provide your Personal Data, you may not be able to use some or all of our Services.

As needed in connection with providing our Services or carrying out other purposes described in this Notice, we may transfer Personal Data from the European Economic Area (EEA) or UK to the United States and we may engage in such transfers on one or more of the following bases:

• Your explicit consent to the transfer. In the event we rely on your explicit consent for transferring your Personal Data, please note that neither the European Commission nor the UK government has determined that the United States offers an adequate level of protection of Personal Data. Your Personal Data may therefore be at greater risk once it is transferred to the United States due to the absence of this determination of an adequate level of protection and lack of safeguards to protect the Personal Data. Despite the foregoing, we will take reasonable and appropriate measures to protect your Personal Data in accordance with the terms of this Notice. You have the right to withdraw your consent to the transfer of your Personal Data, and if you wish to exercise this right, you may contact us at privacy@knowrare.com;

• Standard data protection clauses which set forth certain protections to be applied to the Personal Data being transferred. In the event we use such standard data protection clauses, you may contact us at privacy@knowrare.com to request a copy of these clauses;

• Where the transfer is necessary for the establishment, exercise or defense of legal claims; and

• Where the transfer is necessary in order to protect your or another person’s vital interests, and where you are physically or legally incapable of giving consent.

If you have a concern with how your Personal Data is processed, you may lodge a complaint with a data protection authority in the country in which you are located. A list of EU data protection authorities and their contact information can be found here: https://edpb.europa.eu/about-edpb/board/members_en. If you are in the UK, you may contact the UK Information Commissioner’s Office at: https://ico.org.uk/make-a-complaint/. You may also contact us at privacy@knowrare.com so that we may attempt to address your concern.

UPDATES TO THIS PRIVACY NOTICE

We may change this Notice from time to time, and we will post any changes to this Notice online. The date on which this notice was last updated is included at the beginning of this Notice. We may not notify you individually of any changes to this Notice, so you should check back occasionally to ensure that you are aware of the most recent version.

HOW TO CONTACT US

Questions or comments about our privacy practices may be directed as follows:

privacy@knowrare.com