Privacy Notice

Data controller and data processor

Medeloop serves as the data processor for most information entered into the Medeloop website, the Research Platform, and supporting systems, acting on behalf of its customers who serve as the data controllers. However, Medeloop also collects certain information directly from users for security, logging, and performance purposes, where it acts as the data controller and processor. Medeloop may engage third-party sub-processors (as detailed below) to support its operations. If you have any inquiries about the processing of your personal data, please contact us using the contact information provided in this privacy notice.

Personal information we collect

Information you provide to us

Personal information you may provide to us through the Service or otherwise includes:

• Contact data, such as your first and last name, salutation, email address, and professional title and company name.
• Research Platform only: Profile data, such as the username and password that you may set to establish an online account on the Service.
• Communications data based on our exchanges with you, including when you contact us through the Service or otherwise.
• Research data, such as the research institution with which you are affiliated, and the nature and type of research being conducted. Research Platform only: this may also include any protocols, curriculum vitae, manuscripts, institutional review board (IRB) applications, or similar documents that you upload to the Service.
• Other data not specifically listed here, which we will use as described in this Privacy Policy or as otherwise disclosed at the time of collection.

Automatic data collection

We, our service providers, and our business partners may automatically log information about you, your computer, and your interaction over time with the Service, our communications and other online services, such as:

• Online activity data within the website, such as pages or screens you viewed, how long you spent on a page or screen, and access times and duration of access.

Cookies and similar technologies

Some of the automatic collection described above is facilitated by the following technologies:

• Cookies, which are small text files that websites store on user devices and that allow web servers to record users' web browsing activities and remember their submissions, preferences, and login status as they navigate a site. Cookies used on our sites include both "session cookies" that are deleted when a session ends, "persistent cookies" that remain longer, "first party" cookies that we place and "third party" cookies that our third-party business partners and service providers place.
• Local storage technologies, like HTML5, that provide cookie-equivalent functionality but can store larger amounts of data on your device outside of your browser in connection with specific applications.
• Web beacons, also known as pixel tags or clear GIFs, which are used to demonstrate that a webpage or email was accessed or opened, or that certain content was viewed or clicked.

How we use your personal information

Personal data are processed using computers and technology-enabled tools in accordance with organizational policies and procedures related to the stated purposes. In certain cases, personal data may be accessible to Medeloop employees involved in the operation of the Medeloop-supporting applications. External parties, such as third-party technical service providers, hosting providers, and IT companies, may also have access to personal data as data processors or sub-processors appointed by Medeloop.

Legal Basis of Processing

Medeloop may process personal data when one of the following legal bases applies:

• Service delivery and operations. We may use your personal information to:
  • provide, operate and improve the Service and our business;
  • Research Platform only: establish and maintain your user profile on the Service;
  • Research Platform only: enable security features of the Service, such as by sending you security codes via email or SMS, and remembering devices from which you have previously logged in;
  • communicate with you about the Service, including by sending Service-related announcements, updates, security alerts, and support and administrative messages;
  • provide support for the Service, and respond to your requests, questions and feedback.
• Service improvement and analytics. We may use your personal information to analyze your usage of the Service, improve the Service, improve the rest of our business, and help us understand user activity on the Service, including which pages are most and least visited and how visitors move around the Service.
• Compliance and protection. We may use your personal information to:
  • comply with applicable laws, lawful requests, and legal process, such as to respond to subpoenas, investigations or requests from government authorities;
  • protect our, your or others' rights, privacy, safety or property (including by making and defending legal claims);
  • audit our internal processes for compliance with legal and contractual requirements or our internal policies;
  • enforce the terms and conditions that govern the Service; and
  • prevent, identify, investigate and deter fraudulent, harmful, unauthorized, unethical or illegal activity, including cyberattacks and identity theft.
• With your consent. In some cases, we may specifically ask for your consent to collect, use or share your personal information, such as when required by law.
• To create aggregated, de-identified and/or anonymized data. We may create aggregated, de-identified and/or anonymized data from your personal information and other individuals whose personal information we collect. We make personal information into de-identified and/or anonymized data by removing information that makes the data identifiable to you. We may use this aggregated, de-identified and/or anonymized data and share it with third parties for our lawful business purposes, including to analyze and improve the Service and promote our business.
• Cookies and similar technologies. In addition to the other uses included in this section, we may use the cookies and similar technologies described above for the following purposes:
  • Technical operation. To allow the technical operation of the Service, such as by remembering your selections and preferences as you navigate the site (and, on the Research Platform, whether you are logged in when you visit password-protected areas of the Service).
  • Functionality. To enhance the performance and functionality of our services.
  • Analytics. To help us understand user activity on the Service, including which pages are most and least visited and how visitors move around the Service, as well as user interactions with our emails.
• Legitimate Interests: Processing is necessary for the legitimate interests pursued by Medeloop or a third party.

The specific legal basis for processing personal data will be provided upon request, including whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract.

Retention Time

Personal data is retained for as long as necessary to fulfill the purposes for which it was collected unless a longer retention period is required or permitted by law. The retention periods are as follows:

• Research Platform only: Personal data collected for the performance of a contract between Medeloop and a customer is retained until the contract is fully executed, or until the customer requests deletion of the data.
• Personal data collected for Medeloop's legitimate interests is retained as long as necessary to fulfill those purposes. For specific information about Medeloop's legitimate interests, please refer to the relevant sections of this document or contact us using the contact information provided in this privacy notice.
• Personal data processed based on user consent may be retained until such consent is withdrawn, provided that it is not otherwise required or permitted by law.
• Personal data may be retained for a longer period when necessary to comply with a legal obligation or a lawful order from an authority.

When we no longer require the personal information we have collected about you, we may either delete it, anonymize it, or isolate it from further processing as required or permitted by law.

The Purposes of Processing

Medeloop collects and processes personal data for the following purposes:

• Providing Services: Personal data is collected to enable Medeloop to provide its services.
• Analytics: Personal data is used for monitoring user behavior and engagement on the Medeloop website and Research Platform.
• User Database Management: Personal data is managed to create user profiles, track user activities, and improve the website and web application.
• Managing Contacts and Sending Messages: Personal data is used to manage contact lists and send communications to users.
• Displaying Content from External Platforms: Personal data is used to display external content and enable interaction with it.
• Hosting and Back-End Infrastructure: Personal data is processed and stored on hosting and back-end infrastructure to support the operation of the Medeloop website and Research Platform.
• Contacting the User: Personal data is processed to respond to user requests and inquiries.

How we share your personal information

We may share your personal information with the following parties and as otherwise described in this Privacy Policy, in other applicable notices, or at the time of collection.

• Affiliates. Our corporate parent, subsidiaries, and affiliates.
• Service providers. Third parties that provide services on our behalf or help us operate the Service or our business (such as hosting, information technology, and customer support).
• Professional advisors. Professional advisors, such as lawyers, auditors, bankers and insurers, where necessary in the course of the professional services that they render to us.
• Authorities and others. Law enforcement, government authorities, and private parties, as we believe in good faith to be necessary or appropriate for the purposes described above.
• Business transferees. We may disclose personal information in the context of actual or prospective business transactions (e.g., investments in Medeloop, financing of Medeloop, public stock offerings, or the sale, transfer or merger of all or part of our business, assets or shares). We may also disclose your personal information to an acquirer, successor, or assignee of Medeloop as part of any merger, acquisition, sale of assets, or similar transaction, and/or in the event of an insolvency, bankruptcy, or receivership in which personal information is transferred to one or more third parties as one of our business assets.

Your rights

Users have the following rights regarding their personal data processed by Medeloop:

• Right to Withdraw Consent: Users have the right to withdraw their consent to the processing of their personal data at any time.
• Right to Object: Users can object to the processing of their personal data based on legitimate interests.
• Right of Access: Users can request access to their personal data and obtain information about the processing activities.
• Right to Rectification: Users can request the correction or update of inaccurate or incomplete personal data.
• Right to Remove or Reject Cookies. Users can do so by following the instructions in their browser settings. Many browsers accept cookies by default until users change their settings. If users set their browser to disable cookies, the Service may not work properly. Users can also configure their device to prevent images from loading to prevent web beacons from functioning.
• Right to Restrict Processing: Users have the right to restrict the processing of their personal data under certain circumstances.
• Right to Erasure: Users can request the erasure of their personal data, subject to legal obligations or overriding legitimate grounds.
• Right to Data Portability: Users can request to receive their personal data in a structured, commonly used, and machine-readable format, and transmit it to another data controller.
• Right to Lodge a Complaint: Users have the right to lodge a complaint with a data protection authority regarding the processing of their personal data.

To exercise these rights or obtain further information, users can contact Medeloop using the contact details provided in this document.

Other sites and services

The Service may contain links to websites and other online services operated by third parties. In addition, our content may be integrated into web pages or other online services that are not associated with us. These links and integrations are not an endorsement of, or representation that we are affiliated with, any third party. We do not control websites or online services operated by third parties, and we are not responsible for their actions. We encourage you to read the privacy policies of the other websites and online services you use.

Security

We employ a number of technical, organizational and physical safeguards designed to protect the personal information we collect. We follow industry best practices and standards to ensure the confidentiality, integrity, and availability of your data. Our security measures include but are not limited to:

• Encryption: We employ encryption techniques to safeguard your data during transmission and storage.
• Access Control: We restrict access to personal data to authorized personnel only, ensuring that it is accessible on a need-to-know basis.
• Regular Audits: We conduct regular security audits and assessments to identify and address any vulnerabilities or risks.
• Employee Training: Our employees undergo comprehensive data protection training to ensure they understand the importance of data security and privacy.

Children

The Service is not intended for use by anyone under 18 years of age.

Changes to this Privacy Policy

We reserve the right to modify this Privacy Policy at any time. If we make material changes to this Privacy Policy, we will notify you by updating the date of this Privacy Policy and posting it on the Service or other appropriate means. Any modifications to this Privacy Policy will be effective upon our posting the modified version (or as otherwise indicated at the time of posting). In all cases, your use of the Service after the effective date of any modified Privacy Policy indicates your acknowledging that the modified Privacy Policy applies to your interactions with the Service and our business.

Data controller and data processor

Medeloop serves as the data processor for most information entered into the Medeloop mobile application, acting on behalf of its customers who serve as the data controllers. However, Medeloop also collects certain information directly from users for security, logging, and application performance purposes, where it acts as the data controller and processor. Medeloop may engage third-party sub-processors (as detailed below) to support its operations. If you have any inquiries about the processing of your personal data, please contact us using the contact information provided in this privacy notice.

Personal information we collect

Information you provide to us

Personal information you may provide to us through the Service or otherwise includes:

• Contact data, such as your first and last name, email address, mailing address, and phone number.
• Demographic data, such as your city, state, country of residence, postal code, and age.
• Profile data, such as the username and password that you may set to establish an online account on the Service.
• Communications data based on our exchanges with you, including when you contact us through the Service, social media, or otherwise.
• User-generated content data, such as photos, images, music, videos, comments, questions, messages, works of authorship, and other content or information that you generate, transmit, or otherwise make available on the Service, as well as associated metadata. Metadata includes information on how, when, where and by whom a piece of content was collected and how that content has been formatted or edited. Metadata also includes information that users can add or can have added to their content, such as keywords, geographical or location information, and other similar data.
• Relationship data, such as familial or other relationships to third parties whose personal information you may provide to us, such as legal guardian, child, or emergency contact information. Please do not share information about others with us unless you have the legal right or their permission to do so.
• Health related data, such as medical conditions, symptoms, dietary information, lifestyle preferences, exercise habits, mental health concerns, genetic testing results, and any other information that you voluntarily provide via the Services or when you choose to share activity data from your device (e.g., your phone's accelerometer) or link other third-party platforms or activity trackers to the Services, such as Apple Health.
• Other data not specifically listed here, which we will use as described in this Privacy Policy or as otherwise disclosed at the time of collection.

Third-party sources

We may combine personal information we receive from you with personal information we obtain from other sources, such as:

• Research institutions, such as the entity that referred you to the Service (e.g., your contact information, health insurance information, and other similar information).
• Electronic Medical Records, such as the relevant electronic medical record database(s) that you choose to connect to the Services.

Automatic data collection

We and our service providers may automatically log information about you, your mobile device, and your interaction over time with the Service, our communications and other online services, such as:

• Device data, such as your mobile device's operating system type and version, manufacturer and model language settings, and general location information such as city, state or geographic area.
• Online activity data within the app, such as pages or screens you viewed, how long you spent on a page or screen and access times and duration of access.
• Precise geolocation data when you authorize our mobile application to access your device's location.

Health Data accessed in the apps

The Medeloop and Mensana participant mobile apps may access categories of Health Data on iOS and Android. The specific data depends on your device, the integrations you connect, and the permissions you grant. You can revoke permissions or disconnect integrations at any time in your device settings or in-app settings.

How we access Health Data

• From your device's health platform, such as Apple Health (HealthKit) on iOS or Health Connect on Android, with your permission. Data may originate from sensors on your device or from other apps and devices you have allowed to write into Apple Health or Health Connect.
• From connected wearable devices and services, for example Fitbit, after you authorize the connection.
• From information you enter directly in the app, for example when you log a symptom, record a medication, track a meal, update your profile, or complete a survey.

Categories of Health Data we may access

• Activity and fitness: steps, distance traveled (walking, running, cycling), workouts and exercise sessions (type, duration, time), calories burned (active and total energy expenditure).
• Heart and circulation: heart rate, resting heart rate, heart rate variability, blood pressure, blood oxygen saturation (SpO₂).
• Respiration and temperature: respiratory rate, body temperature.
• Body measurements: weight, height, body fat percentage, body mass index (BMI), basal metabolic rate.
• Nutrition and hydration: food and beverage intake (calories and macronutrients such as carbohydrates, protein, and fat), hydration / fluid intake.
• Sleep: sleep duration, sleep stages and quality (often available through connected services such as Fitbit).

Health Data you provide directly

• Symptoms: name, severity, timing, notes, and optional photos or attachments.
• Medications: name, dosage, frequency, route, ingredients, timing, and notes.
• Nutrition: meals and beverages, portion size, calories, macronutrients, date/time, and optional photos.
• Profile information: date of birth, height, weight, biological sex, gender identity, ethnicity, race, and address.
• Surveys and assessments: responses to in-app surveys, which may include self-reported symptoms, sleep, weight, and other health-related information.

How we use Health Data

• Provide and operate app features.
• Enable participation in research studies and programs.
• Analyze health trends and generate insights.
• Improve the functionality and performance of our services.

We do not sell your Health Data. When you participate in a research study or program, Health Data may also be used and shared as described in your informed consent and any study-specific or supplemental privacy notice provided for that study.

Your control over Health Data

• You decide what to share when connecting Apple Health, Health Connect, or a wearable service.
• You can revoke access at any time in your device settings or by disconnecting integrations.
• You can delete data you entered (such as symptoms, medications, meals, and surveys) from your account.
• You can close your account, which removes your data in accordance with our retention policy and any applicable study obligations.

How we use your personal information

Personal data is processed using computers and technology-enabled tools in accordance with organizational policies and procedures related to the stated purposes. In certain cases, personal data may be accessible to Medeloop employees involved in the operation of the Medeloop mobile application and supporting applications. External parties, such as third-party technical service providers, hosting providers, and IT companies, may also have access to personal data as data processors or sub-processors appointed by Medeloop.

Legal Basis of Processing

Medeloop may process personal data when one of the following legal bases applies:

• Service delivery and operations. We may use your personal information to:
  • provide, operate, and improve the Service and our business;
  • establish and maintain your user profile on the Service;
  • enable security features of the Service, such as by sending you security codes via email or SMS, and remembering devices from which you have previously logged in;
  • communicate with you about the Service, including by sending Service-related announcements, updates, security alerts, and support and administrative messages;
  • provide support for the Service, and respond to your requests, questions and feedback.
• Service improvement and analytics. We may use your personal information to analyze your usage of the Service, improve the Service, improve the rest of our business, and help us understand user activity on the Service.
• Compliance and protection. We may use your personal information to:
  • comply with applicable laws, lawful requests, and legal process, such as to respond to subpoenas, investigations or requests from government authorities;
  • protect our, your or others' rights, privacy, safety or property (including by making and defending legal claims);
  • audit our internal processes for compliance with legal and contractual requirements or our internal policies;
  • enforce the terms and conditions that govern the Service; and
  • prevent, identify, investigate and deter fraudulent, harmful, unauthorized, unethical or illegal activity, including cyberattacks and identity theft.
• With your consent. In some cases, we may specifically ask for your consent to collect, use or share your personal information, such as when required by law.
• To create aggregated, de-identified and/or anonymized data. We may create aggregated, de-identified and/or anonymized data from your personal information and other individuals whose personal information we collect. We make personal information into de-identified and/or anonymized data by removing information that makes the data identifiable to you. We may use this aggregated, de-identified and/or anonymized data and share it with third parties for our lawful business purposes, including to analyze and improve the Service and promote our business.
• Legitimate Interests: Processing is necessary for the legitimate interests pursued by Medeloop or a third party.

The specific legal basis for processing personal data will be provided upon request, including whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract.

International data transfer

We are headquartered in the United States and may use third-party sub-processors that operate in other countries. Your personal information (e.g., photos of food) may be transferred to countries where privacy laws may not be as protective as those in your state, province, or country.

Retention Time

Personal data is retained for as long as necessary to fulfill the purposes for which it was collected unless a longer retention period is required or permitted by law. The retention periods are as follows:

• Personal data collected for the performance of a contract between Medeloop and a customer is retained until the contract is fully executed, or until the customer requests deletion of the data.
• Personal data collected for Medeloop's legitimate interests is retained as long as necessary to fulfill those purposes. For specific information about Medeloop's legitimate interests, please refer to the relevant sections of this document or contact us using the contact information provided in this privacy notice.
• Personal data processed based on user consent may be retained until such consent is withdrawn, provided that it is not otherwise required or permitted by law.
• Personal data may be retained for a longer period when necessary to comply with a legal obligation or a lawful order from an authority.

When we no longer require the personal information we have collected about you, we may either delete it, anonymize it, or isolate it from further processing as required or permitted by law.

The Purposes of Processing

Medeloop collects and processes personal data for the following purposes:

• Providing Services: Personal data is collected to enable Medeloop to provide its services.
• Analytics: Personal data is used for monitoring user behavior and engagement on the Medeloop mobile application.
• User Database Management: Personal data is managed to create user profiles, track user activities, and improve the mobile application.
• Managing Contacts and Sending Messages: Personal data is used to manage contact lists and send communications to users.
• Displaying Content from External Platforms: Personal data is used to display external content and enable interaction with it.
• Hosting and Back-End Infrastructure: Personal data is processed and stored on hosting and back-end infrastructure to support the operation of the Medeloop application.
• Contacting the User: Personal data is processed to respond to user requests and inquiries.

Processing and Sharing of Personal Data

Medeloop engages various services and third-party processors to support its operations. The following provides information on the processing of personal data, the involved services, and the third-party processors:

• Content from External Platforms:
  • 21 CFR part 11 e-consent (DocuSign)
  • Computer vision SDK for food identification (Passio)
  • EMR access API (1Up Health)
• Hosting and Back-End Infrastructure:
  • Database, application, and API hosting (AWS)
• External data services:
  • Environmental data based on location (Ambee)

For detailed information about each service and third-party processor, please refer to the corresponding sections of this privacy notice.

How we share your personal information

We may share your personal information with the following parties and as otherwise described in this Privacy Policy, in other applicable notices, or at the time of collection.

Affiliates. Our corporate parent, subsidiaries, and affiliates.

Service providers. Third parties that provide services on our behalf or help us operate the Service or our business (such as hosting, information technology, and customer support).

Research institutions. We may share your personal information solely with the research institutions that are conducting the study in which the patient is enrolled, for their own research purposes.

Professional advisors. Professional advisors, such as lawyers, auditors, bankers and insurers, where necessary in the course of the professional services that they render to us.

Authorities and others. Law enforcement, government authorities, and private parties, as we believe in good faith to be necessary or appropriate for the Compliance and protection purposes described above.

Business transferees. We may disclose personal information in the context of actual or prospective business transactions (e.g., investments in Medeloop, financing of Medeloop, public stock offerings, or the sale, transfer or merger of all or part of our business, assets or shares), for example, we may need to share certain personal information with prospective counterparties and their advisers. We may also disclose your personal information to an acquirer, successor, or assignee of Medeloop as part of any merger, acquisition, sale of assets, or similar transaction, and/or in the event of an insolvency, bankruptcy, or receivership in which personal information is transferred to one or more third parties as one of our business assets.

Other users. Your profile and other user-generated content data are visible to other users of the Service. For example, other users of the Service may have access to your information if you chose to make your profile or other personal information available to them through the Service, such as when you provide comments, send messages, or share other content. This information can be seen, collected and used by others, including being cached, copied, screen captured or stored elsewhere by others, and we are not responsible for any such use of this information.

Your rights

Users have the following rights regarding their personal data processed by Medeloop:

• Right to Withdraw Consent: Users have the right to withdraw their consent to the processing of their personal data at any time.
• Right to Object: Users can object to the processing of their personal data based on legitimate interests.
• Right of Access: Users can request access to their personal data and obtain information about the processing activities.
• Right to Rectification: Users can request the correction or update of inaccurate or incomplete personal data.
• Right to Restrict Processing: Users have the right to restrict the processing of their personal data under certain circumstances.
• Right to Erasure: Users can request the erasure of their personal data, subject to legal obligations or overriding legitimate grounds.
• Right to Data Portability: Users can request to receive their personal data in a structured, commonly used, and machine-readable format, and transmit it to another data controller.
• Right to Lodge a Complaint: Users have the right to lodge a complaint with a data protection authority regarding the processing of their personal data.

To exercise these rights or obtain further information, users can contact Medeloop using the contact details provided in this document.

Account deletion

To delete your Medeloop account and request removal of your data:

1. Send an email to privacy@medeloop.ai from your registered email address.
2. Include "Account Deletion Request" in the subject line.
3. Provide your full name and username in the email body.

Upon receiving your request:

• We will process your account deletion within 30 days.
• Your personal profile information will be permanently deleted.
• Your user-generated content will be removed from our active systems.
• Health-related data will be handled according to applicable regulations and any informed consent forms that you signed.
• De-identified / anonymized data may be retained for analytical purposes as described in our retention policy.

You will receive confirmation when your account deletion is complete.

Other sites and services

The Service may contain links to websites and other online services operated by third parties. In addition, our content may be integrated into web pages or other online services that are not associated with us. These links and integrations are not an endorsement of, or representation that we are affiliated with, any third party. We do not control websites or online services operated by third parties, and we are not responsible for their actions. We encourage you to read the privacy policies of the other websites and online services you use.

Security

We employ a number of technical, organizational and physical safeguards designed to protect the personal information we collect. We follow industry best practices and standards to ensure the confidentiality, integrity, and availability of your data. Our security measures include but are not limited to:

• Encryption: We employ encryption techniques to safeguard your data during transmission and storage.
• Access Control: We restrict access to personal data to authorized personnel only, ensuring that it is accessible on a need-to-know basis.
• Regular Audits: We conduct regular security audits and assessments to identify and address any vulnerabilities or risks.
• Employee Training: Our employees undergo comprehensive data protection training to ensure they understand the importance of data security and privacy.

We are committed to continuously enhancing our security practices and staying up to date with the latest industry standards to provide a secure environment for your personal data. However, security risk is inherent in all internet and information technologies and we cannot guarantee the security of your personal information.

Children

The Service is intended for use by anyone, including those under 18 years of age. If you are a parent or guardian of a child from whom you believe we have collected personal information in a manner prohibited by law, please contact us. If we learn that we have collected personal information through the Service from a child without the consent of the child's parent or guardian as required by law, we will comply with applicable legal requirements to delete the information.

Changes to this Privacy Policy

We reserve the right to modify this Privacy Policy. If we make material changes to this Privacy Policy, we will notify you by updating the date of this Privacy Policy and posting it on the Service or other appropriate means. Any modifications to this Privacy Policy will be effective upon our posting the modified version (or as otherwise indicated at the time of posting). In all cases, your use of the Service after the effective date of any modified Privacy Policy indicates your acknowledging that the modified Privacy Policy applies to your interactions with the Service and our business.