© 2019 Kaia Health

Kaia | Privacy Statement for our Apps (EU and non-US countries)

This Privacy Policy explains nature, scope, and purpose of the processing of personal data (hereinafter: "Data") in connection with the operation of our app.

Controller

kaia health software GmbH,

Infanteriestraße 11a,

80797 Munich
E-Mail: info@kaiahealth.com

Managing Directors: Konstantin Mehl and Manuel Thurner

Imprint

Contact Data Protection Officer:

datenschutzbeauftragter@datenschutzexperte.de
www.datenschutzexperte.de

If you have questions about our privacy policy, processing in general, or the processing of your data, please contact us as above.

Definitions

Terms such as "personal data," "processing," "pseudonymisation," "profiling," "controller," "processor" as well as any other terms according to Art. 4 GDPR have the same meaning as defined in the GDPR.

Legal basis for processing:

When processing your personal data in the context of the purposes set out in this Policy, we may, depending on the circumstances, rely on one or more of the following legal bases:

· We have previously obtained your explicit consent to processing (this legal basis will be used only in relation to processing that is entirely voluntary - it will not be used for processing that is in any way necessary or compulsory);

· The processing is necessary in connection with a contract you conclude with us;

· The processing is required by law;

· The processing is necessary to protect the vital interests of a person; or

· We have a legitimate interest in carrying out the processing for the purpose of managing, operating, or promoting our business and this legitimate interest will not be invalidated by your interests, fundamental rights, or freedoms.

Types of processed personal data:

- User data (e.g. names, addresses).

- Contact data (e.g. e-mail, phone numbers).

- Content data (e.g. text entries, photos, videos).

- Usage data (e.g. visited websites, interest in content, access times).

- Meta/communication data (e.g. device information, IP addresses, browsing history on website).

- Payment data (payment processing of the subscription).

Special categories of personal data processed:

Health data, processing based on Art 9 (2) (a) GDPR consent.

Categories of data subjects

Visitors and users of the app (hereinafter, data subjects in general will also be called "Users").

Purpose of processing

- Create an account in the app

- Provision of the app as well as the respective functions and contents

- Answering contact inquiries and communication with users

- Reach measurement/marketing

- Security measures

- Processing of the payment for the product

- Answering support requests

- Establishment, execution and termination of purchase or service contracts

- Internal anonymous aggregated studies

Processing of special personal data

We will not attempt to collect or otherwise process your special personal information except when:

· the processing is required or permitted by law (e.g. to fulfill our reporting obligations on diversity);

· the processing is necessary for the detection or prevention of crime (including the prevention of fraud, money laundering, and terrorist financing);

· the processing is necessary to establish, exercise, or defend rights; or

· we have previously, in accordance with applicable law, obtained your explicit consent to processing (as mentioned above, this legal basis is used only in relation to processing that is entirely voluntary - it is not used for processing that is in any way necessary or compulsory).

Special categories of personal data are processed, in detail:

- to adapt the therapy to the patient

- to remind the patient to carry out the therapy

- to store the progress within the therapy

- Individualization of the therapy

- Improvement of the product

Sources of data collection

All data is collected directly from the end user about the use of the app. When filling out feedback or self-test forms or at the end of an exercise, this information is transmitted to the Kaia server via an encrypted TLS connection and stored in an appropriately secured database.

Motion Coach

Furthermore, the app contains a feature that allows the video recording of training sessions. Such recordings are only created based on the explicit consent of the user (Art 6 (1) (a) and Art 9 (2) (a) GDPR). The video recordings are processed to improve the functionality of the app.

In particular, the following data processing procedures take place:

- Review of the recordings by individual employees and evaluation with regard to eligibility for improving the machine learning model.

- Automatic evaluation for improving the machine learning model.

- Additional analysis procedures to improve the product.

The video recordings are stored for 10 years and are not shared with third parties.

Further information about the app

Finally, our app can use push notifications to send you notifications. When you use the app for the first time, you will be asked if you want to activate these functions in your settings menu. If you do not enable or later disable these features, you may not be able to take full advantage of the app.

The information you provide when setting up your account in the app may include your name, user name, email address, gender, country of residence, telephone number, payment data and details of your condition. When you register for an account with us, you also have a unique password with which you can access your account.

Security measures

We have taken appropriate technical and organizational security measures in accordance with Art. 32 GDPR, taking into account the state of technology, implementation costs as well as nature, scope, circumstances and purposes of the processing and the different likelihood and severity of any risks to the rights and freedoms of natural persons, to protect your personal data against unintentional or unlawful destruction, loss, alteration, unauthorized disclosure, unauthorized access, and any other unlawful or unauthorized forms of processing under applicable law.

Such measures include, in particular, ensuring confidentiality, integrity and availability of data by controlling physical access to the data, as well as the relevant access, input, disclosure, security of availability and its separation. In addition, we have established procedures that ensure the exercise of the rights of data subjects, deletion of data and reaction to data risks. In addition, we take into account the protection of personal data when developing or selecting the hardware, software and procedures in line with the principle of data protection through technology design and data protection-friendly presettings (Art. 25 GDPR).

Cooperation with processors and third parties

If, in the course of our processing, we disclose data to other persons and companies (processors or third parties), transmit data to them or otherwise grant them access to the data, this shall only take place on the basis of a legal permission, if you have given consent, if this is required by law or based on our legitimate interests (e.g. when involving third parties to host the servers, deliver e-mail contact forms as well as response to enquiries through the form).

If we commission third parties with the processing of data based on a so-called "processing contract," this will be done on the basis of Art. 28 GDPR.

Transmission into third countries

If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or if this occurs in the context of using third-party services or disclosure or transmission of data to third parties, this will only be done to fulfill our (pre-)contractual obligations, based on your consent (with corresponding precise information and specifying those third countries), if required by law or based on our legitimate interests. Subject to legal or contractual permissions, we process or have the data processed in a third country only if the special requirements of Art. 44 et seq. GDPR are fulfilled. This means that the processing is carried out e.g. on the basis of specific guarantees, such as the officially recognized level of data protection corresponding to that of the EU (e.g. for the US through the 'Privacy Shield') or compliance with officially recognized special contractual obligations (so-called 'standard contractual clauses').

Please note that the level of data protection of such third countries is lower than the level of protection of the European Union.

Rights of data subjects

You have the right to request confirmation as to whether relevant data are being processed and to request information about such data as well as further information and a copy of the data pursuant to Art. 15 GDPR.


Pursuant to Art. 16 GDPR you have the right to request completion of the data concerning you or correction of any incorrect data concerning you.


Pursuant to Art. 17 GDPR, you have the right to request that the relevant data will be deleted immediately or, alternatively, pursuant to Art. 18 GDPR, to request a restriction of the processing of data.


You have the right to request provision of the data concerning you that you have provided to us pursuant to Art. 20 GDPR and to request their transfer to other controllers.

You also have the right to file a complaint with the competent supervisory authority pursuant to Art. 77 GDPR.

Contact – Bavarian Data Protection Authority

Bavarian Data Protection Authority (BayLDA)

Promenade 27

91522 Ansbach, Germany

Phone: +49 (0) 981 53 1300

Fax: +49 (0) 981 53 98 1300

Email: poststelle@lda.bayern.de

Homepage: https://www.lda.bayern.de/de/kontakt.html

Right to withdraw

If certain data processing is based on your consent, you have the right to withdraw your consent at any time pursuant to Art. 7 (3) GDPR with effect for the future. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

Right to object

You may object to the future processing of your data at any time pursuant to Art. 21 GDPR. Such objection may be made in particular against processing for direct marketing purposes (see also below).

Direct marketing

We use your information to communicate with you and to keep you informed about our activities and events and those of third parties in which you may be interested, and to make suggestions and recommendations to you and other users of our website and app about products or services that may interest you or them (direct marketing). Our goal is to send you only direct marketing directly related to the usage of the product. We provide this information to you by email (subject to your prior consent, if required by law), push notifications on our app, targeted ads on our app and third-party platforms, text, social media or telephone.

Cookies and right to object in case of direct marketing

'Cookies' are small files that are stored on the users' computers. Different types of information can be stored by such cookies. A cookie is primarily used to store the information about a user (or the device where the cookie is stored) during or after his/her visit to an online offer. Temporary cookies, also called 'session cookies' or 'transient cookies', are cookies that are deleted after a user has left an online offer and closed his/her browser. Such a cookie may store e.g. the contents of a shopping cart in an online store or a login status. Cookies are 'permanent' or 'persistent' if they remain stored even after the browser has been closed. For example, the login status can be saved if users visit again after several days. Similarly, such a cookie can also store the users' interests, which are used for reach measurement or marketing purposes. 'Third-party cookie' refers to cookies that are offered by providers other than the person responsible for operating the online offer (otherwise, if only their cookies are used, they are called 'first-party cookies').


We hereby explain in this Privacy Policy that we may use temporary and permanent cookies.


If users do not want cookies stored on their computer, they are asked to disable the relevant option in their browser's system settings. Stored cookies can be deleted in the browser's system settings. However, the exclusion of cookies can lead to functional restrictions of this online offer.

A general objection to the use of cookies used for online marketing purposes is possible for a variety of services, especially in the case of tracking, via the US website http://www.aboutads.info/choices/ or the EU site www.youronlinechoices.com/. Furthermore, the storage of cookies can be prevented by switching them off in the browser's settings. Please note that in this case it may not be possible to use all features of this online offer.

Deletion of data

The data processed by us will be deleted pursuant to Art. 17 and 18 GDPR or their processing will be restricted. Unless explicitly stated in this Privacy Policy, the data stored by us will be deleted once they are no longer required for their intended purpose and unless the deletion conflicts with any legal storage requirements. If the data are not deleted because they are required for other and legitimate purposes, their processing will be restricted. This means that the data will be blocked and not processed for any other purposes. This applies for example to data that must be kept for commercial or tax reasons.


Hosting

We use hosting services for the purpose of providing the following services: infrastructure and platform services, computing capacity, storage and database services, security services and technical maintenance services, which we use to operate this app.


We or our hosting provider process user data, contact data, content data, contract data, usage data, meta and communication data of customers, interested parties and visitors to this app, based on our legitimate interests in the efficient and secure provision of this app pursuant to Art. 6 (1) (f) GDPR in conjunction with Art. 28 GDPR.

In particular, data and static resources are hosted on servers of the following providers for the following purposes:

Amazon Web Services, Inc.

P.O. Box 81226, Seattle, WA 98108-1226, United States of America

DPA is available

EU-US-Privacy-Shield: https://www.privacyshield.gov/participant?id=a2zt000000000TOWQAA4

Disclosure of first name, number of active days, payment status and e-mail address for sending e-mails to:

ActiveCampaign LLC

150 North Michigan Avenue Suite 1230, Chicago, IL 60601, United States of America

DPA is available

EU-US-Privacy-Shield: https://www.privacyshield.gov/participant?id=a2zt0000000GnH6AAK

OneSignal

2194 Esperanca Avenue, Santa Clara, CA 95054, United States of America

DPA is available

Passing on Device ID or IP for analysis and improvement of the product or marketing to:

AppSee

54 W. 40th St. New York, NY 10018

DPA is available

EU-US Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt0000000TSUAAA4

Collection of access data and log files

Apptimize

330 Townsend St Suite 234, San Francisco, CA 94107, USA

DPA is available

EU-US-Privacy-Shield: https://www.privacyshield.gov/participant?id=a2zt0000000TSUAAA4

Based on our legitimate interests within the meaning of Art. 6 (1) (f) GDPR, we or our hosting provider collect data on every access to the server where this service is located (so-called server log files). Access data includes the name of the accessed website, file, date and time of access, amount of data transferred, notification about successful retrieval, browser type and version, the user's operating system, referrer URL (the previously visited page), IP address, and the requesting provider.


Data that need to be retained further for evidence purposes are exempted from deletion until final clarification of the respective incident.

Contact

When contacting us (for example, by contact form, e-mail, telephone, or via social media), the user's information will be processed to process the contact request pursuant to Art. 6 (1) (b) GDPR. The user's information may be stored in a customer relationship management system ('CRM System') or a comparable request organization.

We delete inquiries once they are no longer required. We check the necessity every two years; in addition, the legal archiving obligations apply.

Integration of services and contents of third parties

Based on our legitimate interests (i.e. interest in analysis, optimization and economic operation of our online offer within the meaning of Art. 6 (1) (f) GDPR), we use content or services offered by third-parties in our online offer in order to integrate their content and services, such as videos or fonts (hereinafter uniformly referred to as 'content').

Data collection by payment service providers based on our legitimate interests (i.e. interest in secure, efficient and practicable payment processing)

PayPal

Kaia uses the service of the payment service provider PayPal, which is operated by PayPal, PayPal (Europe) S.à r.l. & Cie, S.C.A., 5th floor, 22-24 Boulevard Royal, L-2449, Luxembourg (hereinafter collectively "PayPal") to process payments or credits in the Kaia apps. When using PayPal for payment in the Kaia apps, personal data (in particular data concerning your PayPal account) is transmitted to PayPal. In addition, PayPal may collect personal information (such as credit card numbers) when you register with the PayPal app. PayPal is solely responsible for the processing of these data. Use of the PayPal service is fully subject to PayPal's Privacy Policy and Terms of Use. For details on PayPal's handling of your data and your rights and setting options to protect your personal data, please visit: https://www.paypal.com/de/cgi-bin/webscr?cmd=p/gen/ua/policy_privacy-outside.

Please note that your contractual relationship with PayPal is independent of your contractual relationship with Kaia.

Braintree

Kaia uses the service of the payment service provider Braintree. Braintree is a company of PayPal, Inc. which processes credit card payments. Your personal data will only be passed on to Braintree for the purpose of processing the online order. The data protection regulations are identical to those of PayPal. Details on data protection at Braintree can be found here:

https://www.paypal.com/us/webapps/mpp/ua/privacy-full

Other third party service providers and the purpose of the transmission of personal data:

- OneSignal for push notification delivery.

- Mailjet and ActiveCampaign for the delivery of transactional e-mails and newsletters.

- Adjust for reach analysis and tracking of marketing channels.

- AppSee and Apptimize for reach analysis and product improvement.

- Hetzner for the provision of server resources.

- Amazon to provide server resources.

Kaia | Privacy Statement for our Website (EU and non-US countries)

This Privacy Policy explains nature, scope, and purpose of the processing of personal data (hereinafter: "Data") in connection with the operation of our website. As for the terminology used, e.g. "processing" or "controller," we refer to the definitions in Art. 4 of the General Data Protection Regulation (GDPR).

Controller

kaia health software GmbH,

Infanteriestraße 11a,

80797 Munich
E-Mail: info@kaiahealth.com

Managing Directors: Konstantin Mehl and Manuel Thurner

Imprint

Contact Data Protection Officer:

datenschutzbeauftragter@datenschutzexperte.de
www.datenschutzexperte.de

If you have questions about our privacy policy, processing in general, or the processing of your data, please contact us as above.

Definitions

Terms such as "personal data," "processing," "pseudonymization," "profiling," "controller," "processor" as well as any other terms according to Art. 4 GDPR have the same meaning as defined in the GDPR.

Legal basis for processing

When processing your personal data in the context of the purposes set out in this Policy, we may, depending on the circumstances, rely on one or more of the following legal bases:

· We have previously obtained your explicit consent to processing (this legal basis will be used only in relation to processing that is entirely voluntary - it will not be used for processing that is in any way necessary or compulsory);

· The processing is necessary in connection with a contract you conclude with us;

· The processing is required by law;

· The processing is necessary to protect the vital interests of a person; or

· We have a legitimate interest in carrying out the processing for the purpose of managing, operating, or promoting our business and this legitimate interest will not be invalidated by your interests, fundamental rights, or freedoms.

Types of processed data

- User data (e.g. names, addresses).

- Contact data (e.g. e-mail, phone numbers).

- Content data (e.g. text entries, photos, videos).

- Usage data (e.g. visited websites, interest in content, access times).

- Meta/communication data (e.g. device information, IP addresses, browsing history on website).

Categories of data subjects

Visitors and users of the website (hereinafter, data subjects in general will also be called "Users").

Purpose of processing

- Provision of the website as well as the respective functions and contents

- Responding to contact requests and communicating with Users

- Security measures

- Reach measurement/marketing

Processing of special personal data

We will not attempt to collect or otherwise process your sensitive personal information except when:

· the processing is required or permitted by law (e.g. to fulfill our reporting obligations on diversity);

· the processing is necessary for the detection or prevention of crime (including the prevention of fraud, money laundering, and terrorist financing);

· the processing is necessary to establish, exercise, or defend rights; or

· we have previously, in accordance with applicable law, obtained your explicit consent to processing (as mentioned above, this legal basis is used only in relation to processing that is entirely voluntary - it is not used for processing that is in any way necessary or compulsory).

Sources of data collection

We collect data directly from the user of the website, based either on the information actively sent to Kaia or through the website visit as such or through voluntary self-declarations in an online form.

Security measures

We have taken appropriate technical and organizational security measures in accordance with Art. 32 GDPR, taking into account the state of technology, implementation costs as well as nature, scope, circumstances and purposes of the processing and the different likelihood and severity of any risks to the rights and freedoms of natural persons, to protect your personal data against unintentional or unlawful destruction, loss, alteration, unauthorized disclosure, unauthorized access, and any other unlawful or unauthorized forms of processing under applicable law.

Such measures include, in particular, ensuring confidentiality, integrity and availability of data by controlling physical access to the data, as well as the relevant access, input, disclosure, security of availability and its separation. In addition, we have established procedures that ensure the exercise of the rights of data subjects, deletion of data and reaction to data risks. In addition, we take into account the protection of personal data when developing or selecting the hardware, software and procedures in line with the principle of data protection through technology design and data protection-friendly presettings (Art. 25 GDPR).

Cooperation with processors and third parties

If, in the course of our processing, we disclose data to other persons and companies (processors or third parties), transmit data to them or otherwise grant them access to the data, this shall only take place on the basis of a legal permission, if you have given consent, if this is required by law or based on our legitimate interests (e.g. when involving third parties to host the servers, deliver e-mail contact forms as well as response to enquiries through the form).

If we commission third parties with the processing of data based on a so-called "processing contract," this will be done on the basis of Art. 28 GDPR.

Transmission into third countries

If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or if this occurs in the context of using third-party services or disclosure or transmission of data to third parties, this will only be done to fulfill our (pre-)contractual obligations, based on your consent (with corresponding precise information and specifying those third countries), if required by law or based on our legitimate interests. Subject to legal or contractual permissions, we process or have the data processed in a third country only if the special requirements of Art. 44 et seq. GDPR are fulfilled. This means that the processing is carried out e.g. on the basis of specific guarantees, such as the officially recognized level of data protection corresponding to that of the EU (e.g. for the US through the 'Privacy Shield') or compliance with officially recognized special contractual obligations (so-called 'standard contractual clauses').

Please note that the level of data protection of such third countries is lower than the level of protection of the European Union.

Rights of data subjects

You have the right to request confirmation as to whether relevant data are being processed and to request information about such data as well as further information and a copy of the data pursuant to Art. 15 GDPR.


Pursuant to Art. 16 GDPR you have the right to request completion of the data concerning you or correction of any incorrect data concerning you.


Pursuant to Art. 17 GDPR, you have the right to request that the relevant data will be deleted immediately or, alternatively, pursuant to Art. 18 GDPR, to request a restriction of the processing of data.


You have the right to request provision of the data concerning you that you have provided to us pursuant to Art. 20 GDPR and to request their transfer to other controllers.

You also have the right to file a complaint with the competent supervisory authority pursuant to Art. 77 GDPR.

Contact – Bavarian Data Protection Authority

Bavarian Data Protection Authority (BayLDA)

Promenade 27

91522 Ansbach, Germany

Phone: +49 (0) 981 53 1300

Fax: +49 (0) 981 53 98 1300

Email: poststelle@lda.bayern.de

Homepage: https://www.lda.bayern.de/de/kontakt.html

Right to withdraw

If certain data processing is based on your consent, you have the right to withdraw your consent at any time pursuant to Art. 7 (3) GDPR with effect for the future. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

Right to object

You may object to the future processing of your data at any time pursuant to Art. 21 GDPR. Such objection may be made in particular against processing for direct marketing purposes (see also below).

Direct marketing

We use your information to communicate with you and to keep you informed about our activities and events and those of third parties in which you may be interested, and to make suggestions and recommendations to you and other users of our website and app about products or services that may interest you or them (direct marketing). We provide this information to you by email (subject to your prior consent, if required by law), push notifications on our app, targeted ads on our app and third-party platforms, text, social media or telephone.

Cookies and right to object in case of direct marketing

'Cookies' are small files that are stored on the users' computers. Different types of information can be stored by such cookies. A cookie is primarily used to store the information about a user (or the device where the cookie is stored) during or after his/her visit to a website. Temporary cookies, also called 'session cookies' or 'transient cookies', are cookies that are deleted after a user has left a website and closed his/her browser. Such a cookie may store e.g. the contents of a shopping cart in an online store or a login status. Cookies are 'permanent' or 'persistent' if they remain stored even after the browser has been closed. For example, the login status can be saved if users visit again after several days. Similarly, such a cookie can also store the users' interests, which are used for reach measurement or marketing purposes. 'Third-party cookie' refers to cookies that are offered by providers other than the person responsible for operating the website (otherwise, if only their cookies are used, they are called 'first-party cookies').


We hereby explain in this Privacy Policy that we may use temporary and permanent cookies.


If users do not want cookies stored on their computer, they are asked to disable the relevant option in their browser's system settings. Stored cookies can be deleted in the browser's system settings. However, the exclusion of cookies can lead to functional restrictions of this website.

A general objection to the use of cookies used for online marketing purposes is possible for a variety of services, especially in the case of tracking, via the US website http://www.aboutads.info/choices/ or the EU site www.youronlinechoices.com/. Furthermore, the storage of cookies can be prevented by switching them off in the browser's settings. Please note that in this case it may not be possible to use all features of this website.

Deletion of data

The data processed by us will be deleted pursuant to Art. 17 and 18 GDPR or their processing will be restricted. Unless explicitly stated in this Privacy Policy, the data stored by us will be deleted once they are no longer required for their intended purpose and unless the deletion conflicts with any legal storage requirements. If the data are not deleted because they are required for other and legitimate purposes, their processing will be restricted. This means that the data will be blocked and not processed for any other purposes. This applies for example to data that must be kept for commercial or tax reasons.


Hosting

We use hosting services for the purpose of providing the following services: infrastructure and platform services, computing capacity, storage and database services, security services and technical maintenance services, which we use to operate this website.


We or our hosting provider process user data, contact data, content data, contract data, usage data, meta and communication data of customers, interested parties and visitors to this website, based on our legitimate interests in the efficient and secure provision of this website pursuant to Art. 6 (1) (f) GDPR in conjunction with Art. 28 GDPR (conclusion of processing agreement and ensuring that our hosting provider – DigitalOcean LLC with seat in the USA, is EU-US Privacy Shield-certified).

Collection of access data and log files

Based on our legitimate interests within the meaning of Art. 6 (1) (f) GDPR, we or our hosting provider collect data on every access to the server where this service is located (so-called server log files). Access data includes the name of the accessed website, file, date and time of access, amount of data transferred, notification about successful retrieval, browser type and version, the user's operating system, referrer URL (the previously visited page), IP address, and the requesting provider.


Data that need to be retained further for evidence purposes are exempted from deletion until final clarification of the respective incident.

Contact

When you contact us (for example, by contact form, e-mail, telephone, or via social media), the user's information will be processed to handle the contact request pursuant to Art. 6 (1) (b) GDPR. The user's information may be stored in a customer relationship management system ('CRM System') or a comparable request organization.

We delete inquiries once they are no longer required. We check the necessity every two years; in addition, the legal archiving obligations apply.

Integration of services and contents of third parties

Based on our legitimate interests (i.e. interest in analysis, optimization and economic operation of our online offer within the meaning of Art. 6 (1) (f) GDPR), we use content or services offered by third-parties in our online offer in order to integrate their content and services, such as videos or fonts (hereinafter uniformly referred to as 'content').

This always requires that the third-party providers of such content can detect the users' IP address as they could not send the content to their browser without the IP address. The IP address is therefore required for the display of this content. We endeavor to use only those contents whose providers use the IP address solely for the delivery of the contents. Third party providers may also use so-called pixel tags (invisible graphics, also referred to as 'web beacons') for statistical or marketing purposes. 'Pixel tags' may be used to evaluate information such as visitor traffic on the pages of this website. The pseudonymized information may also be stored in cookies on the user's device and may include technical information about the browser and operating system, referring websites, time of visit and other information regarding the use of our online offer, or be linked to such information from other sources.

Outbrain Inc.

Based on our legitimate interests (i.e. interest in analysis, optimization, and economic operation of our website within the meaning of Art. 6 (1) (f) GDPR), we use the service provider Outbrain Inc., 39 West 13th Street, 3rd floor, New York, NY 10011 with seat in the USA for the purpose of pseudonymized marketing tracking. Outbrain shows performance-based ad contents on partner websites to relevant target groups.


The required pseudonymized information about your use of our website will be stored on a server in the USA. The processed data may be used to create usage profiles of users, which will be used only for analysis purposes and not for advertising purposes. For further information, please see the Privacy Policy of Outbrain Inc. at: https://automattic.com/privacy/ and the explanatory note on Jetpack-Cookies: https://jetpack.com/support/cookies/ .

Facebook Custom Audience

In addition, we may also use Facebook Custom Audience and related Facebook tools to offer you advertising on other websites (including social media networks such as Facebook). Facebook Custom Audience is a tool provided by Facebook that connects a kaia customer/visitor with a Facebook user to advertise on the Facebook platform. To do so, we share your information with such third-party providers (e.g. Facebook) and use cookies or similar technologies on our website to analyze the effectiveness of our advertising on other websites. For more information about the use of data by Facebook, please click on the following link: https://www.facebook.com/ads/about . You may withdraw your consent to the use of your data for such purposes at any time by contacting us by e-mail at service@kaiahealth.com.

Facebook

We use the "Conversion Tracking-Pixel" of Facebook Inc, 1601 S. California Ave, Palo Alto, CA 94304, USA. This allows users' behavior to be tracked after they have been redirected to the provider's website by clicking on a Facebook ad. This process is designed to evaluate the effectiveness of Facebook ads for statistical and market research purposes and may help to optimize future advertising efforts. The data collected is anonymous to us, so it does not give us any indication of the identity of the users. However, Facebook stores and processes the data so that a connection to the respective user profile is possible and Facebook can use the data for its own advertising purposes in accordance with the Facebook Data Usage Guidelines (https://www.facebook.com/about/privacy/). You can allow Facebook and its partners to serve ads on and off Facebook. A cookie may also be stored on your computer for these purposes. Consent to the use of the visitor action pixel may only be given by users who are over 16 years of age. If you are younger, please ask your legal guardian for permission. If you do not wish to consent, we ask you to revoke your consent on the pages of Facebook.

Google Analytics

Based on our legitimate interests (i.e. interest in analysis, optimization, and economic operation of our website within the meaning of Art. 6 (1) (f) GDPR), we use Google Analytics, a web analytics service of Google LLC, 1600 Amphitheater Parkway, Mountain View, CA 94043, USA ('Google'). Google uses cookies. The information generated by the cookie about the use of the website by the users will, as a rule, be transmitted to a Google server in the USA and stored there.


Google is certified under the Privacy Shield Agreement, which provides a guarantee to comply with European data protection law ( https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active ).

Google will use this information on our behalf to evaluate the use of our online offer by users, to compile reports on the activities within this online offer, and to provide us with further services related to the use of this online offer and the use of the internet. The processed data may be used to create pseudonymized usage profiles of users.


We use Google Analytics only with activated IP anonymization. This means that the user's IP address will be shortened by Google within Member States of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there.


The IP address transmitted by the user's browser will not be merged with other Google data. Users can prevent the storage of cookies by selecting the relevant settings in their browser software; users may also prevent Google from collecting the data generated by the cookie and related to their use of the online offer, and from processing such data, by downloading and installing the browser plug-in available under the following link: http://tools.google.com/dlpage/gaoptout?hl=de .


For more information about the use of data by Google, settings and objection options, please refer to Google's Privacy Policy ( https://policies.google.com/technologies/ads ) as well as to the settings for the display of advertisements by Google (https://adssettings.google.com/authenticated ).


LinkedIn

Features and contents of the LinkedIn service offered by LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland, may be incorporated into our online offer. This may include e.g. content such as images, videos, or text and buttons that users use to express their appreciation of the content, subscribe to the creator of this content or subscribe to our posts. If the users are members of the LinkedIn platform, LinkedIn may assign the retrieval of the aforementioned contents and functions to the profiles of the users. LinkedIn is certified under the Privacy Shield Agreement, which provides a guarantee to comply with European data protection law ( https://www.privacyshield.gov/participant?id=a2zt0000000L0UZAA0&status=Active ).

Privacy Policy of LinkedIn: https://www.linkedin.com/legal/privacy-policy.

Opt-Out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out .

Privacy Statement (US)

Last Updated: February 6, 2017

Kaia is committed to protecting and respecting your privacy.

This Privacy Policy describes how we collect, use, protect and share information about you, as an individual, that we obtain when you access and use our Platform (defined below), including when you register for and use the App, create a profile, submit information and updates about your condition, participate in contests or promotions, or submit questions or feedback. This privacy policy also governs the collection and use of information when you use any of our Apps, as a part of our Platform, although we may provide additional notice and choice options within the App itself.

In addition, this Privacy Policy applies to information that we obtain when you communicate or interact with us outside of the Platform, including by e-mail, telephone and otherwise.

For purposes of this Privacy Policy, the following defined terms mean:

  • "App" refers to any downloadable application (including a mobile application) owned or operated by Kaia. References to the "App" include any and all features, functionality, tools and content available on or through each such application.
  • "Content" refers to any and all information, videos, text, photos and other content provided or made available by Kaia on or through the Platform, including information, videos, text, photos and other content relating to physical conditions and/or exercise regimens.
  • "Kaia," "we," or "us" refer to Kaia Health Inc. and our officers, directors, employees, contractors and agents. To the extent applicable, they also refer to our affiliates, service providers and licensors, and their respective officers, directors, employees, contractors and agents.
  • "Platform" refers, collectively, to any and all Websites, Apps and Content made available to you by Kaia, including any related services and promotions, and any software and technology used to provide any of the foregoing.
  • "Users" means any and all persons that access or use the Platform. References to "access" and/or "use" of the Platform (and any variations thereof) include the acts of accessing or browsing the Platform, and accessing or using the Content.
  • "Website" refers to any website owned or operated by Kaia (including the websites currently located at https://www.kaiahealth.com/ and https://app.kaiahealth.com/). References to the "Website" include any and all features, functionality, tools and content available on or through each such website.

Please read this Privacy Policy carefully to understand how we will treat your information before you access or use our Platform or communicate with us outside of the Platform.

BY ACCESSING OR USING OUR PLATFORM OR COMMUNICATING WITH US OUTSIDE OF THE PLATFORM, YOU ARE ACCEPTING AND CONSENTING TO THE PRACTICES DESCRIBED IN THIS PRIVACY POLICY, WHICH MAY BE UPDATED AND AMENDED FROM TIME TO TIME. IF YOU DO NOT AGREE TO THE TERMS OF THIS PRIVACY POLICY, YOU MUST NOT ACCESS OR USE OUR PLATFORM OR COMMUNICATE WITH US.

HOW WE COLLECT INFORMATION

Information You Provide to Us

We collect and store information that you provide directly to us, including when you register for the App, create a profile, submit information and updates about your condition, when you update your e-mail preferences, respond to a survey, contact us with questions or comments, or provide other feedback.

We will not ask for or request sensitive information, such as government identifiers or financial information, except in connection with payments. Please do not provide this information to us, including through e-mails, feedback forms or otherwise.

Information Collected While Using Our Platform

We also collect and store certain technical information when you access, browse and use our Platform. This technical information helps us operate our Platform and provide access to you, and includes standard information about visits and system capabilities, such as:

  • information about the device(s) you use to access our Platform, including MAC address, IP address, browser type and version, location, time zone setting, browser plug-in types and versions, operating system and platform, device type, and device identifiers;
  • information about your visits to the Platform and Content, including the full URL clickstream to, through, and from the Platform (including date and time);
  • information we need and use to facilitate your use of our Platform (including to provide access to third-party websites and services), such as URL requests, destination IP addresses, or device configuration details;
  • pages you view, Content you select to view, length of time viewing content; and
  • page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), your engagement with certain variable/dynamic elements of a page and methods used to browse away from the page.

We may also collect information using cookies and beacons. (See Cookies and Beacons below.)

Information Collected from Other Sources

On occasion, we may combine or compare data we have collected from you with information collected from other third-party sources and add it to the information you have provided.

Third parties that are unaffiliated with us may also collect information about you, including tracking your browsing history, when you use our Platform. We do not have control over these third-party collection practices and advise you to adjust the settings of your browsers or install plug-ins and add-ins if you wish to minimize these third-party collections.

HOW INFORMATION MAY BE USED

We may use any of the information we collect to:

  • allow us to operate our Platform, including payment processing, Platform administration, internal operations, troubleshooting, data analysis, testing, research, statistical and survey purposes;
  • manage your access to our Platform;
  • send you information that enables you to use our Platform;
  • contact you directly about activity on your account;
  • create reports for our affiliates, licensors, service providers and Users or prospective Users that may include aggregate information about the use of various aspects of the Platform;
  • comply with laws and regulations;
  • carry out our obligations and enforce our rights arising from any contracts entered into between you and us, including billing and collection;
  • notify you about changes to our Platform;
  • protect the integrity and maintain the security of our Platform, including secured areas of the Platform;
  • in any other way that we describe when you provide the information; and
  • for any other purpose for which you may provide consent.

In some cases, how we treat and use information will depend on the type of information. Some of the information we collect through your use of our Platform or communications with us, such as your name, address, phone number, e-mail address, and billing information associated with your account, may personally identify you. We will treat this information as “Personally Identifiable Information.” We will also treat as Personally Identifiable Information any non-identifiable information that is combined with Personally Identifiable Information.

We may use your information, including Personally Identifiable Information, to:

  • respond to your requests, feedback or questions, including by telephone, text (SMS) or email;
  • provide you with information about Content, products or services, from us or third parties, that may interest you; and
  • send you e-mails about updates, information, or alerts regarding our Platform.

We may use technical information or non-Personally Identifiable Information to:

  • evaluate and improve our Platform and present content in the best way for you and for your device(s);
  • serve advertisements on or through our Platform; and
  • measure or understand the effectiveness of advertising we serve to you and other Users like you, and to deliver relevant advertising to you and other Users like you.

We may also combine technical information or non-Personally Identifiable Information about your use of our Platform with similar information that we obtain from other Users to use in an aggregate or anonymous manner for similar purposes.

HOW INFORMATION MAY BE SHARED

We will not sell your Personally Identifiable Information or share your Personally Identifiable Information with third parties for the third party's own direct marketing purposes without your express consent. Please note that if you click on or otherwise interact with an advertisement on our Platform, however, the advertiser may assume that you meet its target criteria, even though we have not shared your Personally Identifiable Information.

We may share information, including Personally Identifiable Information, with our licensors, service providers and agents to the extent reasonably necessary to operate and provide our Platform to you. For example, we use a third-party provider for e-mail and cannot communicate with you by e-mail without disclosing your e-mail address to our third-party e-mail provider. We do not permit these third parties to use any information we share for any purpose other than to support us and our efforts to operate and provide our Platform to you.

We may share any information, including Personally Identifiable Information with:

  • our subsidiaries and affiliates;
  • our service providers and subcontractors to the extent reasonably necessary to enable us to operate and provide our Platform to you;
  • a buyer or other successor in the event of a merger, divestiture, restructuring, reorganization, dissolution or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation or similar proceeding, in which Personally Identifiable Information held by us about our Users is among the assets transferred;
  • you, upon your written request; and
  • other third parties with your express consent.

We may also disclose your Personally Identifiable Information:

  • to comply with any court order, law or legal process, including to respond to any government or regulatory request;
  • to investigate potential unauthorized access or misuse of our Platform or otherwise enforce our Terms of Use, Supplemental Terms (as defined below), Platform Rules (as defined below) or other agreements;
  • to protect our assets or rights, including for billing and collection purposes;
  • if we believe disclosure is necessary or appropriate to protect the rights, property, or safety of Kaia, our Users or others, including exchanging information with other companies and organizations for the purposes of fraud protection and credit risk reduction; and
  • for any other purpose disclosed by us when you provide the information.

We may share non-Personally Identifiable Information, aggregate or anonymous data:

  • with analytics, search engine, or other service providers that help us improve our Platform;
  • with other Users or prospective Users of the Platform; and
  • to advertisers and advertising networks to select and serve relevant advertisements.

In the event that we receive a request from a governmental entity to provide it with your Personally Identifiable Information, we will make reasonable attempts to notify you of such request, to the extent reasonably possible and legally permissible.

COOKIES AND BEACONS

We may use cookies, beacons and similar technologies, now or in the future, to support the functionality of our Platform. This provides a better experience when you visit our Platform and allows us to improve our Content and Platform.

  • Browser Cookies. A browser cookie is a small file placed on the hard drive of your computer. That cookie then communicates with servers, ours or those of other companies that we authorize to collect data for us, and allows recognition of your personal computer. We associate cookies with Personally Identifiable Information only if you use the automatic recognition capabilities on restricted areas of the Platform, view Content, use the personalization services available as part of the Platform, or ask us to contact you with additional marketing information. We do not otherwise collect Personally Identifiable Information from browser cookies and we do not associate browser cookies with your Personally Identifiable Information.

You may use the tools available on your computer or other device to set your browser to refuse or disable all or some browser cookies, or to alert you when cookies are being set. However, if you refuse or disable all browser cookies, you may be unable to access certain parts or use certain features or functionality of our Platform.

You may choose whether to activate automatic recognition when you register for an account. After registration, you may disable the persistent cookie that supports recognition using the tools in your browser. If you choose to disable the cookies that support automatic recognition, you will need to re-enter your User ID and password each time you access a gated portion of the Platform.

Unless you have adjusted your browser settings so that it refuses all cookies, we may use cookies when you direct your browser to our Platform.

  • Flash Cookies. Certain features of our Platform may use local stored objects called flash cookies to collect and store information about your preferences and navigation to, from and on our Platform. We also include cookies in our third-party hosted video players to count the number of unique viewers who see a video and to provide aggregate reporting. The cookies do not identify you as an individual or track your online behavior. We do not collect Personally Identifiable Information from flash cookies and we will not associate them with your Personally Identifiable Information.

Flash cookies are not managed by the same browser settings as are used for browser cookies. To learn how you can manage your Flash cookie settings, visit the Flash player settings page on Adobe's website. If you disable or refuse Flash cookies, please note that some parts of our Platform may be inaccessible or may not function properly.

  • Our Platform and e-mails may contain small electronic files known as beacons (also referred to as web beacons, clear GIFs, pixel tags and single-pixel GIFs) that permit us to, for example, count Users who have visited those pages or opened an e-mail and for other website-related statistics. Beacons in e-mail marketing campaigns allow us to track your responses and your interests in our content, offerings and web pages. You may use the tools in your device to disable these technologies as well.

YOUR CHOICES

You may have the opportunity to receive certain communications from us related to our Platform. If you provide us with your e-mail address in order to receive communications, you can opt out of marketing e-mails at any time by following the instructions at the bottom of our e-mails and adjusting your e-mail preferences. Please note that certain e-mails may be necessary for the operation of our Platform. You will continue to receive these e-mails, if appropriate, even if you unsubscribe from our optional communications.

Certain websites you visit may provide options regarding advertisements you receive. For more information or to opt out of certain online behavioral advertising, please visit http://www.aboutads.info.

Some browsers support a “Do Not Track” feature, which is intended to be a signal to websites that you do not wish to be tracked across different websites you visit. Our Platform does not currently change the way it operates based upon detection of a Do Not Track or similar signal.

Please note that we cannot control how third-party websites or online services you visit through our Platform respond to Do Not Track signals. Check the privacy policies of those third parties for information on their privacy practices.

You may opt out of our direct telemarketing contacts by requesting us to remove you from our direct telemarketing list. Please note that opting out from our direct telemarketing contacts does not limit us from contacting you for other purposes, including those contacts that are reasonably necessary to provide you with our Platform. If you decide to opt out of our direct telemarketing contacts, allow a reasonable time for us to process your request, and do not hesitate to contact us at Privacy@kaiahealth.com if you encounter any problems with your request. The FTC also maintains a National Do Not Call Registry at www.donotcall.gov/register/reg.aspx. Registering your number with the FTC may also limit our direct marketing contacts to that number.

The accuracy of the information we have about you is very important. Users may update their information at any time on the account registration page. Otherwise, to review or correct your Personally Identifiable Information, you may contact us at Privacy@kaiahealth.com.

SECURING YOUR INFORMATION

The security of your information is important to Kaia, and we have established reasonable administrative, technical, and physical safeguards designed to protect Personally Identifiable Information against loss, alteration, unauthorized access, theft, misuse or disclosure. Unfortunately, no system can guarantee complete security of your information. As a result, Kaia cannot ensure or warrant that your information, including your Personally Identifiable Information, is secure from unauthorized third parties. Thus, your use of the Platform and communication with us about them is at your own risk.

You are responsible for protecting your User ID(s) and password(s) and for the security of information that you transmit to us over the internet.

CHILDREN

Our Platform is directed to, and is intended for use only by persons who are 18 years of age or older. We do not knowingly collect information from children under 18. If you are under 18 years of age, you are not permitted to register for an account or otherwise submit any personally identifiable information to us, including your name, address or e-mail address. If we discover that we have collected any personally identifiable information from a child under the age of 18, we will suspend the associated account and remove that information from our database as soon as possible. By registering for an account or submitting any personally identifiable information to us, you represent and warrant that you are 18 years of age or older.

LINKS TO THIRD-PARTY SITES

Our Platform may contain links to third-party websites and services, including those of our partners and advertisers. Please note that these websites and services may have their own privacy policies. This Privacy Policy applies to Kaia and our Platform only. We do not accept any responsibility or liability for the policies or practices of any third parties. If you choose to access any websites or services linked from our Platform, please check the applicable policies before you use or submit any personal data to such website or service.

INTERPRETATION

Your use of our Platform may be governed by our Terms of Use located at www.kaiahealth.com/terms/terms_of_use, the supplemental terms that govern certain of the features, functionality, tools, content and promotions available on or through the Platform (the "Supplemental Terms"), and any and all policies and rules referenced herein or therein, posted on the Platform, or otherwise communicated to our Users (the "Platform Rules"). In the event that the provisions of any such agreement that are specific to a particular Website or App differ from or conflict with the provisions of this Privacy Policy, the terms specific to that Website or App will apply.

CHANGES TO OUR PRIVACY POLICY

We may change this Privacy Policy from time to time to align with changes to our business practices and/or changes to our legal requirements. We will post the updated Privacy Policy on this page (www.kaiahealth.com/terms/privacy), and will indicate that the updates have been made by changing the effective date first written above. We urge you to check back periodically to check whether there have been updates to our Privacy Policy.

Your continued use of the Platform or communication with us after the updated Privacy Policy has been posted (or any other indication of your consent) will constitute your acceptance of the updated Privacy Policy.

Please note that we may condition your continued access to our Platform on your consent to changes to this Privacy Policy.

CONTACT

If you have questions, comments or requests relating to this Privacy Policy, please e-mail us at Privacy@kaiahealth.com, or write to us at:

Privacy Requests

Kaia Health Inc.

177 Huntington Avenue

Boston, MA 02115

