Privacy Policy

PART THREE: FULL PRIVACY POLICY

Version 1.1 / Effective October 1, 2019

WE AT CIX HEALTH VALUE YOUR PRIVACY AND ARE COMMITTED TO KEEPING YOUR PERSONAL DATA CONFIDENTIAL. WE USE YOUR DATA SOLELY IN THE CONTEXT OF HELPING YOU IMPROVE YOUR HEALTH OR HELPING YOU IMPROVE THE HEALTH OF ANOTHER BY OFFERING A CONVENIENT AND HIGH QUALITY MOBILE APPLICATION AND WEB SITE WITH TOOLS THAT ALLOW USERS TO EASILY AND PURPOSEFULLY MANAGE COMPLEX MEDICAL CONDITIONS.

THIS PRIVACY POLICY APPLIES TO PERSONAL DATA CIX HEALTH COLLECTS FROM USERS OF THE CIX HEALTH APPLICATION AND CIX HEALTH’S WEB SITE (THE “APPLICATIONS”)]. “PERSONAL DATA” INCLUDES ANY INFORMATION THAT CAN BE USED ON ITS OWN OR WITH OTHER INFORMATION IN COMBINATION TO IDENTIFY OR CONTACT ONE OF OUR USERS. WE BELIEVE THAT TRANSPARENCY ABOUT THE USE OF YOUR PERSONAL DATA IS OF UTMOST IMPORTANCE. IN THIS PRIVACY POLICY, WE PROVIDE YOU DETAILED INFORMATION ABOUT OUR COLLECTION, USE, MAINTENANCE, AND DISCLOSURE OF YOUR PERSONAL DATA. THE POLICY EXPLAINS WHAT KIND OF INFORMATION WE COLLECT, WHEN AND HOW WE MIGHT USE THAT INFORMATION, HOW WE PROTECT THE INFORMATION, AND YOUR RIGHTS REGARDING YOUR PERSONAL DATA.

THE PERSONAL DATA WE COLLECT AND TRANSMIT MAY, IN SOME CIRCUMSTANCES, BE CONSIDERED “HEALTH DATA” (data related to a user’s physical or mental health). THEREFORE, OUR PRIVACY PRACTICES ARE INTENDED TO COMPLY WITH THE GENERAL DATA PROCESSING REGULATION (“GDPR”) PROVISIONS REGARDING SENSITIVE PERSONAL DATA. IN ADDITION, WE INTEND TO COMPLY WITH STATE LAW RELATED TO HEALTH DATA, WHERE APPLICABLE. FOR ADDITIONAL INFORMATION RELATED TO YOUR HEALTHCARE INFORMATION, PLEASE CONTACT OUR PRIVACY OFFICER AT PRIVACY@CIXHEALTH.COM

Please read the following carefully to understand our views and practices regarding your Personal Data and how we will treat it. For the purposes of Applicable Data Protection Laws including the European Economic Area data protection law, (the “Data Protection Law”), the data controller is:

Cix Health LLC

11325 Random Hills Road, Suite 360

Fairfax, VA 22030

BY SUBMITTING YOUR PERSONAL DATA THROUGH THIS APPLICATION, YOU ARE ACKNOWLEDGING THAT YOU HAVE READ AND AGREE TO THE TERMS OF THIS POLICY. IF YOU DO NOT AGREE, PLEASE DO NOT LOG INTO OR ACCESS THE APPLICATIONS AND DO NOT SUBMIT ANY PERSONAL DATA TO US.

PLEASE NOTE THAT WE OCCASIONALLY UPDATE THIS PRIVACY POLICY AND THAT IT IS YOUR RESPONSIBILITY TO STAY UP TO DATEWITH ANY AMENDED VERSIONS. IF WE MODIFY THE PRIVACY POLICY, WE WILL POST A LINK TO THE MODIFIED TERMS ON THE WEB SITE AND UNDER “SETTINGS” IN THE APPLICATION. WE WILL ALSO NOTIFY YOU VIA EMAIL. ANY CHANGES TO THIS PRIVACY POLICY WILL BE EFFECTIVE IMMEDIATELY UPON PROVIDING NOTICE, AND SHALL APPLY TO ALL INFORMATION WE MAINTAIN, USE, AND DISCLOSE. IF YOU CONTINUE TO USE THE APPLICATION FOLLOWING SUCH NOTICE, YOU ARE AGREEING TO THOSE CHANGES.

CAPITALIZED TERMS, IF NOT DEFINED IN THIS PRIVACY POLICY, ARE DEFINED IN THE TERMS OF USE, WHICH IS ACCESSIBLE HERE.

In case you have any questions or concerns after reading this Privacy Policy, please do not hesitate to contact us at privacy@cixhealth.com.  We appreciate your feedback.

Responsible Entity

Cix Health (“We”, “Us”, “the Company”) is the controller of your Personal Data and may process this data in accordance with the Privacy Policy. If we are processing Personal Data on behalf of a third party that is not an agent or affiliate of Company, the terms of this Privacy Policy do not apply—instead, the terms of that third party’s privacy policy will apply. You can contact Us with any questions about our Privacy Policy at privacy@cixhealth.com. You can reach our data protection officer at privacy@cixhealth.com.

Links to Other Sites

Our Applications may contain links to websites and services that are owned or operated by third parties (each, a “Third-party Service”). Any information that you provide on or to a Third-party Service or that is collected by a Third-party Service is provided directly to the owner or operator of the Third-party Service and is subject to the owner’s or operator’s privacy policy. We’re not responsible for the content, privacy or security practices and policies of any Third-party Service. To protect your information, we recommend that you carefully review the privacy policies of all Third-party Services that

you access.

 What Personal Data do we collect?

We collect “PERSONAL DATA”, which includes any information that can be used on its own or with other information in combination to identify or contact an individual. In some cases, this Personal Data may be or may include healthcare information or “protected health information”. The types of Personal Data we collect are described below. If you are entering Personal Data of someone other than yourself, you MUST be legally authorized to share that information with Cix Health. You CANNOT share information with us without such authorization. By continuing to use the Services, you represent and warrant that you are legally authorized to share with us all of the information that you share with us.

Demographic Data

We collect demographic information, such as Your name, date of birth, gender, phone number, postal and e­mail address]. Primarily, the collection of Your Personal Data assists us in creating Your User Account, which You can use to securely to manage Your healthcare information. We also use your demographic data for the purposes of providing health and wellness related reminders.

Payment Data

If You make purchases via our Applications, We may require that you provide to Us your financial and billing information, such as billing name and address, credit card number or bank account information.

Support Data

If You contact Cix Health for support or to lodge a complaint, We may collect technical or other information from you through log files and other technologies, some of which may qualify as Personal Data. (e.g., IP address). Such information will be used for the purposes of troubleshooting, customer support, software updates, and improvement of the Application and related services in accordance with this Privacy Policy. Calls with Cix Health may be recorded or monitored for training, quality assurance, customer service, and reference purposes.

Device, Telephone, and ISP Data

We use common information-gathering tools, such as log files, cookies, web beacons, and similar technologies to automatically collect information, which may contain Personal Data, from Your computer or mobile device as you navigate our Applications , or interact with emails We have sent You. The information We collect may include Your Internet Protocol (IP) address (or proxy server), device and application identification numbers, location, browser type, Internet service provider and/or mobile carrier, the pages and files you viewed, Your searches, Your operating system and system configuration information, and date/time stamps associated with Your usage. This information is used to analyze overall trends, to help Us provide and improve our Applications and to guarantee their security and continued proper functioning.

Health Data

In addition to demographic information, We may collect information regarding your health conditions, medications, labs and vitals information, medical appointments, insurance provider, health care provider and care team info, and treatment plans. In some cases, this information is collected from You—in others, we will receive information from third parties You have authorized to share information with Us. We collect this information to help users store and manage information regarding their health.

Third Party Data Sources

We collect information about you from other sources, including third parties with whom Your User Account is associated (“Third Party User”). For instance, within a family, the parents and children may have associated accounts. The parents can add Personal Data about the children, and vice versa–even where the user accounts are separate—if such accounts are linked. We may also collect information from third party sources from whom we have purchased Personal Data, and combine this information with Personal Data provided by you. In particular, we may import medical record information from third parties to help us to show You a more complete medical history. For instance, we may use a third party data source that can tell us about the type of medications you might be taking, or your adherence to a refill schedule.

NOTE: If you believe your Personal Data has been shared with Cix Health without your permission, please Contact Us immediately at support@cixhealth.com.

How will We use Your Personal Data?

We process Your Personal Data for purposes based on legitimate business interests, meeting Our contractual obligations to You, complying with Our legal obligations, and/or Your consent. We only use or disclose Your Personal Data when it is legally mandated or where it is necessary to fulfill the purposes described herein. Where required by law, We will ask for Your prior consent before doing so.

Specifically, we process Your Personal Data for the following legitimate business purposes:

• To fulfill our obligations to You under the Terms of Use or another applicable services agreement

• To communicate with You about and manage Your User Account

• To properly store and track Your data within our system

• To respond to lawful requests from public and government authorities, and to comply with applicable state/federal law, including cooperation with judicial proceedings or court orders.

• To protect our rights, privacy, safety or property, and/or that of you or others by providing proper notices, pursuing available legal remedies, and acting to limit Our damages

• To handle technical support and other requests from You

• To enforce and ensure your compliance with our Terms of Use or the terms of any other applicable services agreement We have with You

• To manage and improve our operations and the Applications, including the development of additional functionality

• To manage payment processing

• To evaluate the quality of service You receive, identify usage trends, and thereby improve Your user experience

• To keep our Applications safe and secure for You and for Us

• To send You product, service and new feature information and/or information about changes to our terms, conditions, and policies (with your consent, if required by law)

• To allow us to pursue available remedies or limit the damages that we may sustain

• To provide access to a third party user (with your consent), to enable that individual to monitor your progress and overall condition and to follow up with you, as they deem appropriate (e.g., you can give access to your caregiver, parent, child, or spouse).

• To send you marketing communications, including newsletters, new product offerings, SMS messages, and push notifications about Cix Health and its affiliates and partners (with your consent, if required by law).

• To aggregate and anonymize Your data for the purposes stated above.

**You can opt-out of receiving promotional emails by changing the notification preferences in your

account settings or by unsubscribing via the “Unsubscribe” link in any Cix Health email. Opting-out of these emails will not end transmission of important service-related emails that are necessary to your use of the Applications.

Where is your Personal Data processed?

Personal Data Cix Health collects through the Application will be stored on secure servers in the United States, even if you are accessing the Applications from outside the United States. Your country’s data protection laws may not apply, and may be more stringent than those to which Cix Health is legally subject. Personal Data may be transmitted to third parties, which parties may store or maintain the data on their secure servers. These third parties are not permitted to transfer your Personal Data outside of the United States.

Will We share your Personal Data with anyone else?

Yes, with any third party with whom Your User Account is connected via the Application (“Third Party User”).

We will share information you enter into the Applications, as well as any reports generated by the Applications based on the information you enter, with the Third Party User with whom Your User Account is connected via the Applications. If Your User Account is linked with a Third Party User’s account, that user will also have access to the information You choose to share with them (e.g., conditions, medications, care team, insurance information). If, at any point, You want to deny access to one or more Third Party Users, You can do so by removing or modifying sharing permissions and access controls via Settings within the Application. If a Third Party User has created a user account for You which includes your Personal Data, and that Third Party User does NOT have permission to share this data, please email privacy@cixhealth.comIMMEDIATELY.

Yes, with third parties that help us power our Application

Cix Health has a limited number of service providers and other third parties (“Business Partners”) that help us run various aspects of our business. These Business Partners are contractually bound to protect Your Personal Data and to use it only for the limited purpose(s) for which it is shared. Business Partners’ use of Personal Data may include, but is not limited to, the provision of services such as data hosting, IT services, customer service, and billing management.

Yes, with third parties and the government when legal or enforcement issues arise

We may share your Personal Data, if reasonable and necessary, to (i) comply with legal processes or enforceable governmental requests, or as otherwise required by law; (ii) cooperate with third parties in

investigating acts in violation of this Agreement; or (iii) bring legal action against someone who may be violating the Terms of Use or who may be causing intentional or unintentional injury or interference to the rights or property of Cix Health or any third party, including other users.

Yes, with third parties that provide advisory services

We may share Your Personal Data with Our lawyers, auditors, accountants, or banks, when We have a legitimate business interest in doing so.

Yes, with third parties in the event of a reorganization, merger, sale, joint venture, assignment, transfer, or other disposition of all or any portion of Cix Health’s corporate entity, assets, or stock (including in connection with any bankruptcy or similar proceedings)

If We share Your Personal Data with a third party other than as provided above, You will be notified at the time of data collection or transfer, and You will have the option of not permitting the transfer.

Anonymized Data

We may, from time to time, rent or sell aggregated data and/or other information that does not contain any personal identifiers (i.e., if the information has been anonymized by stripping out identifiers such as name, address, phone number, etc.). The purpose of this type of disclosure is to provide better services to our users through (1) identifying trends and patterns to help deliver more accurate insights for our users; and (2) improving the accuracy and performance of our analytics engine. Once Your data is anonymized, it is no longer Personal Data, and We are not restricted in Our use of that data for any purpose.

How long do We retain Personal Data?

We will retain your Personal Data for as long as you maintain a User Account and up to ten (10) years after the account is closed. The exact period of retention will depend on the type of Personal Data, our contractual obligation to You, and applicable law. We keep your Personal Data for as long as necessary to fulfill the purpose for which it was collected, unless otherwise required or necessary pursuant to a legitimate business purpose outlined herein. At the end of the applicable retention period, We will remove your Personal Data from our databases and will request that our Business Partners remove your Personal Data from their databases. If there is any data that we are unable, for technical reasons, to delete entirely from our systems, we will put in place appropriate measures to prevent any further processing of such data. We retain anonymized data indefinitely. Contact Us at privacy@cixhealth.com regarding the applicable data retention period for your Personal Data.

NOTE: Once we disclose your Personal Data to third parties, we may not be able to access that Personal Data any longer and cannot force the deletion or modification of any such information by the parties to whom we have made those disclosures. Written requests for deletion of Personal Data other than as described should be directed to privacy@cixhealth.com.

WHAT IS YOUR COOKIE POLICY?

Cookies are small files that a web server sends to your computer or device when you visit a web site that uses cookies to keep track of your activity on that site. They hold a small amount of data specific to that web site, which can later be used to help remember information you enter into the site (like your email or other contact info), preferences selected, and movement within the site. If you return to the previously visited web site (and your browser has cookies enabled), the web browser sends the small file to the web server, which tells it what activity you engaged in the last time you used the site, and the server can use the cookie to do things like expedite logging in and retrieving user data and keeping your browser session secure.

We use cookies and other technologies to, among other things, better serve you with more tailored information, and to facilitate efficient and secure access to the Applications. We use two types of cookies: essential and non-essential cookies. Essential cookies are those necessary for use to provide services to you.  All other cookies are non-essential. We use two types of non-essential cookies: (1) cookies used to analyze your behavior on a website (“Analytics Cookies”); and (2) cookies used to provide you enhanced functionality (“Functional cookies”). We have provided, below, a full list of our cookies, categorized as described above. We have described the purpose of each, whether they are Cix Health or Third Party cookies, and how to withdraw consent to their use. We have also indicated which cookies are “session cookies” (which last for as long as you keep your browser open) and “persistent cookies” (which remain on your hard drive until you delete them or they expire).

We may also collect information using pixel tags, web beacons, clear GIFs or other similar technologies. These may be used in connection with some Site pages and HTML formatted email messages to, among other things, track the actions of Site users and email recipients, and compile statistics about Site usage and response rates.

Essential Cookies:

Cookie Name, Who Controls It, and DurationPurposeInformation CollectedHow to Withdraw Consentauth-tokens-token

Cix Health

8 weeks

To authenticate you when you sign into the service.A generated token that allows the server to identify you.Do not use our Service if you do not want to receive this cookie.auth-tokens-refresh

Cix Health

16 weeks

To refresh your authentication token when it expires.A generated token that lets you stay logged in.Do not use our Service if you do not want to receive this cookie.Unsubscribe-token

Cix Health

8 weeks

Used to temporarily store information needed to unsubscribe a user from Cix Health emails.A generated token that lets you unsubscribe from emails.Do not use our service and do not unsubscribe from automated emails if you do not want this cookie.

Analytics Cookies:

Cookie Name, Who Controls It, and DurationPurposeInformation CollectedHow to Withdraw Consentanalytics

Cix Health

Permanent

For correlating website visitors before and after they login or register for Cix HealthRandomly generated code. No information is collected.Do not use Cix Health if you do not wish to receive this cookie.UTM_

Cix Health

For tracking what marketing campaign a visitor to the site came from.No information is collected or stored in these cookies.Do not use Cix Health if you do not wish to receive this cookie.

How can You “Opt Out” of Cookies

If you prefer, you can usually choose to set your browser to remove cookies and reject cookies. If you enable a do not track (DNT) signal or otherwise configure your browser to prevent Cix Health from collecting cookies, You will need to re­enter your user name each time you visit the login page. Such action could also affect certain features or services of our Applications.

You may opt-out from the collection of non-essential device and usage data on your web by managing your cookies at the individual browser level. Click here for ways to erase cookies from your computer and to prevent cookies from being created on your browser. Please note, however, that by blocking or deleting cookies and similar technologies used on our websites, You may not be able to take full advantage of the websites.

How do We protect Your Personal Data?

Cix Health is committed to protecting the security and confidentiality of your Personal Data. We use a combination of reasonable physical, technical, and administrative security controls to maintain the security and integrity of your Personal Data, to protect against any anticipated threats or hazards to the security or integrity of such information, and to protect against unauthorized access to or use of such information in our possession or control that could result in substantial harm or inconvenience to you. However, Internet data transmissions, whether wired or wireless, cannot be guaranteed to be 100% secure. As a result, we cannot ensure the security of information you transmit to us. By using the Applications, you are assuming this risk.

Safeguards

The information collected by Cix Health and stored on secure servers, is protected by a combination of technical, administrative, and physical security safeguards, such as authentication, encryption, backups, and access controls. If Cix Health learns of a security concern, we may attempt to notify you and provide information on protective steps, if available, through the e­mail address that you have provided to us or by an in­app notification. Depending on where you live, you may have a legal right to receive such notices in writing.

You are solely responsible for protecting information entered or generated via the Applications that is stored on Your device and/or removable device storage. Cix Health has no access to or control over Your device’s security settings, and it is up to You to implement any device­level security features and protections You feel are appropriate (e.g., password protection, encryption, remote wipe capability, etc.). We recommend that You take any and all appropriate steps to secure any device that You use to access Our Application.

We recommend that you take any and all appropriate steps to secure any device that you use to access our Application.

NOTWITHSTANDING ANY OF THE STEPS TAKEN BY US, IT IS NOT POSSIBLE TO GUARANTEE THE SECURITY OR INTEGRITY OF DATA TRANSMITTED OVER THE INTERNET. THERE IS NO GUARANTEE THAT YOUR PERSONAL DATA WILL NOT BE ACCESSED, DISCLOSED, ALTERED, OR DESTROYED BY BREACH OF ANY OF OUR PHYSICAL, TECHNICAL, OR ADMINISTRATIVE SAFEGUARDS. THEREFORE, WE DO NOT AND CANNOT ENSURE OR WARRANT THE SECURITY OR INTEGRITY OF ANY PERSONAL DATA YOU TRANSMIT TO US AND YOU TRANSMIT SUCH PERSONAL DATA AT YOUR OWN RISK.

How can You Protect Your Personal Data?

In addition to securing your device, as discussed above, We will NEVER send you an e­mail requesting confidential information such as account numbers, usernames, passwords, or social security numbers, and You should NEVER respond to any e­mail requesting such information. If You receive such an e­mail purportedly from Cix Health, DO NOT RESPOND to the e­mail and DO NOT click on any links and/or open any attachments in the e­mail, and notify Cix Health support at privacy@cixhealth.com OR 2400 Old Brick Road, STE 337, Glen Allen, VA 23060.

You are responsible for taking reasonable precautions to protect Your user ID, password, and other User Account information from disclosure to third parties, and You are not permitted to circumvent the use of required encryption technologies. You should immediately notify Cix Health at privacy@cixhealth.com if You know of or suspect any unauthorized use or disclosure of Your user ID, password, and/or other User Account information, or any other security concern.

Your rights

You have certain rights relating to your Personal Data, subject to local data protection laws. These rights may include:

• to access your Personal Data held by us

• to erase/delete your Personal Data, to the extent permitted by applicable data protection laws

• to receive communications related to the processing of your personal data that are concise, transparent, intelligible and easily accessible;

• to restrict the processing of your Personal Data to the extent permitted by law (while we verify or investigate your concerns with this information, for example);

• to object to the further processing of your Personal Data, including the right to object to marketing;

• to request that your Personal Data be transferred to a third party, if possible;

• to receive your Personal Data in a structured, commonly used and machine-readable format

• to lodge a complaint with a supervisory authority

• to rectify inaccurate Personal Data and, taking into account the purpose of processing the Personal Data, ensure it is complete

• to not be subject to a decision based solely on automated processing, including profiling, which produces legal effects (“Automated Decision-Making”); and

• to opt out of allowing Cix Health to store, process, or disclose your Personal Data with third parties.

To opt out of allowing Cix Health to store, process, or share your Personal Data with a third party, please send an e-mail to support@cixhealth.com with your request.

Where the processing of Your Personal Data by Cix Health is based on consent, You have the right to withdraw that consent at any time by emailing Us at privacy@cixhealth.com.

You can exercise the rights listed above at any time by contacting us at privacy@cixhealth.com.

How do You update, correct, or delete Personal Data?

You can change your e­mail address and other contact information in Settings (within the Application). If you need to make changes or corrections to other information, you can do so by (1) navigating to the page containing the information you’d like to modify or delete, and (2) selecting “Edit”, and (3) deleting , adding to, or modifying the text in the appropriate editing box. Please note that in order to comply with certain requests to limit use of Your Personal Data, we may need to terminate your account and Your ability to access and use the Services, and You agree that We will not be liable to you for such termination or for any refunds of prepaid fees paid by You. You can deactivate your account by emailing Us at info@cixhealth.com.

Although We will use reasonable efforts to do so, You understand that it may not be technologically possible to remove from our systems every record of your Personal Data. The need to back up our systems to protect information from inadvertent loss means a copy of your Personal Data may exist in a non­erasable form that will be difficult or impossible for us to locate or remove.

Can You “OPT­OUT” of receiving communications from Us?

We pledge not to market third party services to you without your consent. We only send e­mails to you regarding your Cix Health account and services unless we have your express consent to do so. You can choose to filter these e­mails using your e­mail client settings, but we do not provide an option for you to opt out of these e­mails. You can opt out of some emails by making a different selection for user notification in Settings.

Information submission by minors

We do not knowingly collect Personal Data from individuals under the age of 18 and the Applications are not directed to individuals under the age of 13. We request that these individuals not establish user accounts or provide Personal Data to Us. (NOTE: Adults may choose to input Personal Data belonging to their children, who may be below the age of 18, but our Applications are not meant for minor users.) If we learn that Personal Data has been collected from users less than 18 years of age, We will deactivate the account and take reasonable measures to promptly delete such data from Our records. If You are aware of a user under the age of 13 using the Applications, please contact us at info@cixhealth.com

If you are a resident of California, under the age of 18 and have registered for an account with us, you may ask us to remove content or information that you have posted to our websites.

California Residents

California residents may request and obtain from us, once a year, free of charge, a list of third parties, if any, to which we disclosed their Personal Data for direct marketing purposes during the preceding calendar year and the categories of Personal Data shared with those third parties. If you are a California resident and wish to obtain that information, please submit your request by sending us an email at privacy@cixhealth.com with “California Privacy Rights” in the subject line.

Contact Us

If you have any questions about this Privacy Policy, please contact us by email privacy@cixhealth.com or please write to: Cix Health, Inc., 2400 Old Brick Road, STE 337, Glen Allen, VA 23060. Please note that email communications are not always secure; so please do not include sensitive information in your emails to us.