Privacy Notice

1. Updates to This Privacy Notice

We may update this Privacy Notice from time to time in our sole discretion. If we do, we'll let you know by posting the updated Privacy Notice on our website and/or by sending other communications where required by law.

2. Personal Information We Collect

We collect personal information you provide to us, personal information we collect automatically when you use the Services, and personal information from third-party sources (see Section 4 below), as described below.

Personal Information You Provide to Us Directly

We may collect personal information you provide to us.

Account Information. We may collect personal information in connection with the creation or administration of your account. This personal information may include, but is not limited to, your name, date of birth, gender, email address, phone number, payment information, and other information you store when registering and maintaining your account. To fully utilize our Services, you may be required to fill out and submit forms containing personal information such as your name, address, telephone number, social security number, health-related symptoms, and other personal information relevant to your health status, diagnosis, treatment, and insurance coverage.

Purchases. We may collect personal information and details associated with your purchases, including payment information. Any payments made via our Services are processed by third-party payment processors such as Stripe. We do not directly collect or store any payment card information entered through our Services, but we may receive information associated with your payment card information (e.g., your billing details).

Your Communications with Us. We, and our service providers, may collect the information you communicate to us, such as through email or the messaging tool within the App.

Surveys. We may contact you to participate in surveys. If you decide to participate, we may collect personal information from you in connection with the survey.

Interactive Features. We and others who use our Services may collect personal information you submit or make available through our interactive features (e.g., messaging features, commenting functionalities, forums, blogs, and social media pages) ("User Content"). Any information you provide using the public sharing features of the Services will be considered "public."

Conferences, Trade Shows, and Other Events. We may collect personal information from individuals when we attend or host conferences, trade shows, and other events.

Business Development and Strategic Partnerships. We may collect personal information from individuals and third parties to assess and pursue potential business opportunities.

Job Applications. If you apply for a job with us, we will collect any personal information you provide in connection with your application, such as your contact information, educational and employment history, and CV information.

Personal Information Collected Automatically

We may collect personal information automatically when you use the Services.

Device Information. We may collect personal information about your device, such as your Internet protocol (IP) address, user settings, cookie identifiers, other unique identifiers, browser or device information, Internet service provider, and location information (including, as applicable, approximate location derived from IP address and precise geo-location information).

Usage Information. We may collect personal information about your use of the Services, such as the pages you visit, you search for, the types of content you interact with, information about the links you click, the frequency and duration of your activities, and other information about how you use the Services.

Cookie Notice (and Other Technologies). We, as well as third parties, may use cookies, pixel tags, and other technologies ("Technologies") to automatically collect personal information through your use of the Services.

• Cookies. Cookies are small text files stored in device browsers.
• Pixel Tags/Web Beacons. A pixel tag (also known as a web beacon) is a piece of code embedded in the Services collecting personal information about use of or engagement with the Services. The use of a pixel tag allows us to record, for example, that a user has visited a particular web page or clicked on a particular advertisement. We may also include web beacons in e-mails to understand whether messages have been opened, acted on, or forwarded.

See "Your Privacy Choices and Rights" below to understand your choices regarding these Technologies.

Personal Information Collected from Third Parties

We may collect personal information about you from third parties. For example, if you access the Services using a Third-Party Service (defined below), we may collect personal information about you from such Third-Party Service you have made available via your privacy settings. In addition, we and other third parties may upload or otherwise provide personal information about you (i.e., diagnostic testing results).

3. How We Use Personal Information

We use personal information for a variety of business purposes, including to provide the Services, for administrative purposes, and to provide you with marketing materials, as described below.

Provide the Services

We use personal information to fulfill our contract with you and provide the Services, such as:

• Managing your information;
• Providing access to certain areas, functionalities, and features of the Services;
• Delivering accurate and personalized recommendations through the use of artificial intelligence and machine learning capabilities;
• Answering requests for support;
• Communicating with you;
• Sharing personal information with third parties as needed to provide the Services;
• Processing your financial information and other payment methods for products and Services purchased;
• Reviewing applications if you apply for a job with us; and
• Allowing you to register for events.

Our services are enabled by machine-learning tools fundamental to our ability to provide real-time engagement, inform treatment approaches, and track progress. These machine-learning tools process natural language communications to support user experience and outcomes.

Administrative Purposes

We use personal information for various administrative purposes, such as:

• Pursuing our legitimate interests such as direct marketing, research and development (including marketing research), network and information security, and fraud prevention;
• Detecting security incidents, protecting against malicious, deceptive, fraudulent or illegal activity, and prosecuting those responsible for that activity;
• Carrying out analytics;
• Measuring interest and engagement in the Services;
• Improving, upgrading, or enhancing the Services;
• Analyzing, improving, upgrading, and/or enhancing the Services through the use of artificial intelligence and other methods;
• Developing new products and services;
• Creating de-identified and/or aggregated information. If we create or receive de-identified information, we will not attempt to re-identify such information, unless permitted by, or required to comply with, applicable laws;
• Ensuring internal quality control and safety;
• Authenticating and verifying individual identities, including requests to exercise your rights under this Privacy Notice;
• Debugging to identify and repair errors with the Services;
• Auditing relating to interactions, transactions, and other compliance activities;
• Enforcing our agreements and policies; and
• Carrying out activities required to comply with our legal obligations.

Marketing

We may use personal information to tailor and provide you with marketing and other content. We may provide you with these materials as permitted by applicable law.

California Shine the Light: If you are a California resident, you may annually submit a request to us to find out whether we have shared your personal information with third parties for the third parties' direct marketing purposes. If you would like to submit such a request, please "Contact Us." If you have any questions about our marketing practices, you may contact us at any time as set forth in "Contact Us" below.

With Your Consent or Direction

We may use personal information for other purposes clearly disclosed to you at the time you provide personal information with your consent, such as if you opt-in to participate in research studies and research and development activities, or as otherwise directed by you.

Automated Decision Making

We may engage in automated decision making, including profiling. Mederva Health's processing of your personal information will not result in a decision based solely on automated processing that has a legal or other similarly significant effect on you unless such a decision is necessary as part of a contract we have with you, we have your consent, or we are permitted by law to engage in such automated decision making.

If you have questions about our automated decision making, you may contact us as set forth in "Contact Us" below.

4. How We Disclose Personal Information

We disclose personal information to third parties for a variety of business purposes, including to provide the Services, to protect us or others, or in the event of a major business transaction such as a merger, sale, or asset transfer, as described below. Mederva Health does not share mobile information. Mobile information will not be shared with third parties/affiliates for marketing or promotional purposes. All the above categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties.

Disclosures to Provide the Services

We may disclose any of the personal information we collect to the categories of third parties described below.

Service Providers. We may disclose personal information to third-party service providers assisting us with the provision of the Services. This may include, but is not limited to, service providers that provide us with hosting, customer service, analytics, marketing services, IT support, productivity tools, and related services. In addition, personal information and chat communications may be disclosed to service providers that help provide our chat features. Some of the service providers we may engage with include:

• Google Analytics. For more information about how Google uses your personal information, please visit Google Analytics' Privacy Notice. To learn more about how to opt-out of Google Analytics' use of your personal information, please click here.
• Meta. For more information about Meta's use of your personal information, please visit Meta's Data Policy. To learn more about how to opt out of Meta's use of your information, please click here while logged in to your Meta account.

Other Users You Share or Interact With. The Services may allow Mederva Health users to post User Content. User Content may be read, collected, used, and shared by other users. Please exercise caution when posting such User Content.

Third-Party Services You Share or Interact With. The Services may link to or allow you to interface, interact, share information with, direct us to share information with, access and/or use third-party websites, applications, services, products, and technology (each a "Third-Party Service"). Any personal information shared with a Third-Party Service will be subject to the Third-Party Service's privacy policy. We are not responsible for the processing of personal information by Third-Party Services.

Business Partners. We may share your personal information with business partners to provide you with a product or service you have requested. We may also share your personal information with business partners with whom we jointly offer products or services. Once your personal information is shared with our business partner, it will also be subject to our business partner's privacy policy. We are not responsible for the processing of personal information by our business partners.

Affiliates. We may share your personal information with our corporate affiliates.

Advertising Partners. We may share your personal information with third-party advertising partners. These third-party advertising partners may set Technologies and other tracking tools on our Services to collect information regarding your activities and your device (e.g., your IP address, cookie identifiers, page(s) visited, location, time of day). These advertising partners may use this information (and similar information collected from other services) for purposes of delivering personalized advertisements to you when you visit digital properties within their networks. This practice is commonly referred to as "interest-based advertising", "personalized advertising", or "targeted advertising."

Disclosures to Protect Us or Others

We may access, preserve, and disclose any information we store associated with you to external parties if we, in good faith, believe doing so is required or appropriate to: comply with law enforcement or national security requests and legal process, such as a court order or subpoena; protect your, our, or others' rights, property, or safety; enforce our policies or contracts; collect amounts owed to us; or assist with an investigation or prosecution of suspected or actual illegal activity.

Disclosure in the Event of Merger, Sale, or Other Asset Transfers

If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, receivership, purchase or sale of assets, transition of service to another provider, or other similar corporate transaction, your personal information may be disclosed, sold, or transferred as part of and limited to such a transaction.

5. Your Privacy Choices and Rights

Your Privacy Choices

The privacy choices you may have about your personal information are described below:

Email Communications. If you receive an unwanted email from us, you can use the unsubscribe functionality found at the bottom of the email to opt out of receiving future emails. Note that you will continue to receive transaction-related emails. We may also send you certain non-promotional communications regarding us and the Services, and you will not be able to opt out of those communications (e.g., communications regarding the Services or updates to this Privacy Notice).

Text/SMS Messages. If you receive an unwanted promotional or informational text/SMS message from us, you may opt out of receiving future text/SMS messages from us by following the instructions in the text/SMS message you have received from us or by otherwise contacting us as set forth in "Contact Us" below. Mederva Health does not share mobile information. We do not share, sell, or rent your mobile information with third parties for their marketing or promotional purposes. All text messaging originator opt-in data and consent will not be shared with any third parties.

Mobile Devices. We may send you push notifications through our mobile application. You may opt out from receiving these push notifications by changing the settings on your mobile device. With your consent, we may also collect precise location-based information via our mobile application. You may opt out of this collection by changing the settings on your mobile device. To request deletion of your account, please use the standard deletion functionality available via the Services or contact us using the information set forth in "Contact Us" below.

Do Not Track signals and Global Privacy Control. Certain web browsers and other programs may transmit "do-not-track" "opt-out" signals, also called a Global Privacy Control (or "GPC") signal. For users accessing our websites from U.S. states with laws requiring recognition of GPC Signals, we will recognize and apply the GPC Signal to inactivate all the cookies for that website, except for cookies necessary for the website to operate. For more information about the Global Privacy Control, please visit https://globalprivacycontrol.org.

Cookies. You may stop or restrict the placement of Technologies on your device or remove them by adjusting your preferences as your browser or device permits. However, if you adjust your preferences, the Services may not work properly. Please note that cookie-based opt-outs are not effective on mobile applications. However, you may opt-out of certain tracking on some mobile applications by following the instructions for Android, iOS, and others. Please note you must separately opt out in each browser and on each device.

Your Privacy Rights

In accordance with applicable law, you may have the right to:

• Confirm Whether We Are Processing Your Personal Information;
• Request Access to or Portability of Your Personal Information;
• Request Correction of Your Personal Information;
• Request Deletion of Your Personal Information;
• Request Restriction of or Object to our Processing of Your Personal Information;
• Request to Opt-Out of Certain Processing Activities including, as applicable, if we process your personal information for "targeted advertising", if we "sell" your personal information, or if we engage in "profiling" in furtherance of certain "decisions that produce legal or similarly significant effects" concerning you; and
• Withdraw Your Consent to our Processing of Your Personal Information. Please note that your withdrawal will only take effect for future processing and will not affect the lawfulness of processing before the withdrawal.

If you would like to exercise any of these rights, please contact us as set forth in "Contact Us" below. We will process such requests in accordance with applicable laws.

Consumer Health Privacy Laws

If you are a consumer residing in a U.S. state with a comprehensive consumer health data privacy law, such as the state of Washington or Nevada, please review our Annex A – Supplemental Consumer Health Data Privacy Statement for our privacy practices related to consumer health data.

6. International Transfers of Personal Information

All personal information processed by us may be transferred, processed, and stored anywhere in the world, including, but not limited to, the United States or other countries, which may have data protection laws different from the laws where you live.

7. Retention of Personal Data

We store the personal information we collect as described in this Privacy Notice for as long as you use the Services, or as necessary to fulfill the purpose(s) for which it was collected, provide the Services, resolve disputes, establish legal defenses, conduct audits, pursue legitimate business purposes, enforce our agreements, and comply with applicable laws, unless you ask us to delete or transfer such information by contacting us as set forth in "Contact Us" below.

To determine the appropriate retention period for personal data, we may consider applicable legal requirements, the amount, nature, and sensitivity of the personal data, certain risk factors, the purposes for which we process your personal data, and whether we can achieve those purposes through other means.

8. Children's Personal Information

The Services are not directed to individuals under 18 (or other age as required by local law outside the United States) and we do not knowingly collect personal information from children. We may collect information from employers about members of all ages to determine eligibility for our services.

If you are a parent or guardian and believe your child has uploaded personal information to the Services in violation of applicable law, you may contact us as described in "Contact Us" below.

9. Third-Party Websites/Applications

The Services may contain links to other websites/applications and other websites/applications may reference or link to our Services. These third-party services are not controlled by us. We encourage our users to read the privacy policies of each website and application with which they interact. We do not endorse, screen, or approve, and are not responsible for, the privacy practices or content of such other websites or applications. Providing personal information to third-party websites or applications is at your own risk.

10. Contact Us

If you have any questions about our privacy practices or this Privacy Notice, or to exercise your rights as detailed in this Privacy Notice, please contact us at:

Annex A – Supplemental U.S. Consumer Health Data Privacy Statement

This Supplemental Consumer Health Data Privacy Statement ("Consumer Health Data Privacy Statement") supplements Mederva Health's Privacy Notice and applies only to personal information we process that is "consumer health data" subject to the Washington My Health My Data Act ("MHMDA") or Nevada Consumer Health Data Privacy Law ("NVCHDPL").

Terms used in this Supplemental Consumer Health Data Privacy Statement defined in MHMDA or NVCHDPL will have the meaning set forth in those laws to the extent such laws are applicable.

Consumer Health Data We Collect

Under the MHMDA, "consumer health data" is defined as "personal information that is linked or reasonably linkable to a consumer and that identifies the consumer's past, present, or future physical or mental health status."

Under NVCHDPL, "consumer health data" is defined as "personally identifiable information that is linked or reasonably capable of being linked to a consumer and that a regulated entity uses to identify the past, present or future health status of the consumer."

Because consumer health data is defined very broadly, many of the categories of personal information we collect under our Privacy Notice may also be considered consumer health data.

Examples of consumer health data you may provide to us, or that we may otherwise collect, may include:

• Information that could identify your attempt to seek health care services or information;
• Information about your health-related conditions, symptoms, status, diagnoses, disease, testing, or treatments;
• Information about social, psychological, behavioral, and medical interventions;
• Information about use or purchase of prescribed medication;
• Information about measurements of bodily functions, vital signs, symptoms, or characteristics;
• Information about diagnoses or diagnostic testing, treatment, or medication;
• Information about surgeries or other health-related procedures;
• Reproductive or sexual health information;
• Information about gender-affirming care;
• Information about your access to healthcare, including location information;
• Information processed to associate or identify an individual with the data listed above; and
• Information related to the precise (geo)location information of a consumer used to indicate an attempt by a consumer to receive health care services or products.

Why We Collect and Use Consumer Health Data

We collect and use consumer health data for the purposes and in the manner described in the "How We Use Personal Information" section of our Privacy Notice.

Primarily, we collect and use consumer health data as reasonably necessary to provide you with the products or Services you have requested or authorized. This may include delivering and operating the products or Services and their features, personalization of certain product or Services features, ensuring the secure and reliable operation of the products or Services and the systems that support them, troubleshooting and improving the products and Services, and other essential business operations that support the provision of the products and Services.

Sharing of Consumer Health Data

We may share each of the categories of consumer health data described above for the purposes described above and in the "How We Use Personal Information" section of our Privacy Notice.

We only share or disclose your consumer health data as needed to provide you with the products or services that you request, or with your explicit consent.

How to Exercise Your Rights

MHMDA and NVCHDPL provide consumers with certain rights with respect to consumer health data.

Under MHMDA, consumers have the right to: (i) confirm whether Mederva Health is collecting, sharing, or selling consumer health data and to access such data; (ii) withdraw consent from Mederva Health's collection and sharing of consumer health data; and (iii) request Mederva Health delete consumer health data.

Under NVCHDPL, consumers have the right to: (i) confirm whether Mederva Health is collecting, sharing or selling consumer health data; (ii) have Mederva Health provide the consumer with a list of all third parties with whom Mederva Health has shared consumer health data; (iii) request that Mederva Health cease collecting, sharing, or selling consumer health data; and (iv) request that Mederva Health delete consumer health data.

You may exercise such rights by following the instructions found under the "Your Privacy Choices and Rights" section of our Privacy Notice.

If your request to exercise a right under MHMDA or NVCHDPL is denied, you may appeal that decision by contacting us at: privacy@medervahealth.com.

Annex B – Consumer Health Data Authorization

This Consumer Health Data Privacy Authorization ("Authorization") supplements Mederva Health's Privacy Notice, and the Mederva Health cookie banner and applies only to "consumer health data" subject to the Washington My Health My Data Act ("MHMDA") or Nevada Consumer Health Data Privacy Law ("NVCHDPL") (as applicable).

If you opt-in to "personalized marketing" through the www.medervahealth.com cookie banner, you allow Mederva Health to "sell" your consumer health data as described below:

• Specific consumer health data intended for "sale": Consumer health data collected via cookies and similar technologies including but not limited to browsing activity on the Mederva Health website; however, consumer health data does not include PHI of current or potential Mederva Health users.
• Purpose of the "sale" of consumer health data: To tailor and deliver personalized advertisements to you.
• How consumer health data purchasers gather and use the data: Consumer health data purchasers will gather the data via cookies and other tracking technologies when you visit the Mederva Health website. These purchasers may use the data to assist us to deliver personalized advertisements to you and in accordance with their privacy policies.

Please note:

• The provision of goods or services may not be conditioned upon you accepting the terms of this authorization.
• Purchasers may redisclose the consumer health data sold under this authorization and such data may no longer be protected by the MHMDA and/or NVCHDPL.
• You may revoke this authorization at any time through the Mederva Health cookie banner.
• A revocation will not impact previously sold consumer health data. In addition, if you use different browsers or devices, you must indicate your choices on each browser/device used to access privacy@medervahealth.com.
• This authorization will expire one (1) year after accepting it.