PRIVACY POLICY FOR SIDEKICK HEALTH APPLICATION AND RESEARCH PROJECTS

This Privacy Policy describes the personal data that Sidekick Health ehf., Vallakor 4, 203 Kopavogur, as a controller ("Sidekick", "Company", "we", "us" or "our") collects from or about the users of the Sidekick Health Application (the "App") and participants in research projects conducted on behalf of Sidekick, how we use such data and to whom it is disclosed.

This Privacy Policy applies to the personal data of all individuals who are, or have been, registered as users of the App (collectively, a "user" or "you") or participate/have participated in research projects ("participants" or "you").

If you are unsure how this Privacy Policy applies to you, please contact our Data Protection Officer at privacy@sidekickhealth.com for more information.

All references in this Privacy Policy to "Sidekick", "Company", "we", "us", "our", and like terms should be interpreted accordingly.

1 What personal data is processed and why?

We collect and maintain different types of personal data about users of the App and participants. Different data may be collected and processed on different users and participants, depending on what features of the App each user decides to use or whether a user is a participant in a research project or not.

1.1 Creating an account within the App

In order to be able to use the App, users must create an account by providing certain information. Users can create an account using four different methods, but different data may be collected depending on the selected method. In connection with the sign-up process, we process the following information:

● User's contact details, including name/nickname and email.

● Password.

● User's date of birth.

● Location (if enabled in relation to move category in the App).

● Language.

● IP address, device ID and OS version.

In addition, users can choose to provide data on their height, weight, gender, profile picture, Facebook ID and Gmail ID.

1.2 Profile, health profile and screening tests

The App allows users to insert certain information, which is made accessible to the user via three different profiles: basic profile, health profile and screening tests, for the purpose of managing users' profiles and providing users with an overview of and feedback on their activities and goals. In connection with the profile creation, we process the following information on users:

  1. Basic profile

● Name/nickname, profile picture, gender, birth date, email and password.

  2. Health profile

● User's missions, achievements, weight, weight goal, body measurements, blood pressure, heart rate, answers and results to screening tests, and medication use.

  3. Screening tests

● Results from personality tests, information on burnout scale.

1.3 Missions

All users of the App have the option to take on missions in different categories relating to food, movement and mind. Users log relevant information relating to each mission and can receive feedback from coaches on logged information. We process the following personal data in connection with the missions:

  1. Food

● User's diet, food logs, pictures of user's meals and feedback from a coach.

  2. Move

● User's exercise logs and GPS-tracking, where activated, and feedback from a coach.

  3. Mind

● User's mindfulness exercises, subjective assessment of sleep quality, energy level and stress level and feedback from a coach.

1.4 Lifestyle programmes

The App offers specific users access to Sidekick's lifestyle programmes, which enable users with certain diseases or symptoms to log health-related information, receive feedback and chat with Sidekick's coaches. In addition, users can interact with each other via the Community feature. We may process the following data in connection with the lifestyle programmes:

● Self-reported symptoms and other self-reported outcomes.

● Adverse events.

● Guidance from coach and correspondence.

● Communications, posts, comments and likes.

1.5 Technical support

In order to provide users with technical support and enable users to receive a new password to access the App in case they have forgotten it, we process the user's name and email as well as the user's messages and screenshots.

1.6 Research projects

Sidekick conducts research projects in order to optimize its products and prove the efficacy of its products and lifestyle programmes. In addition to the data collected from participants via the App, as detailed above, Sidekick collects and processes personal data from and about participants outside the App in relation to such research projects. To enrol research participants, collect relevant information, compare test results and otherwise carry out the research, Sidekick collects and processes the following personal data:

● Participant's name, email and research ID.

● Participant's health information, including information on symptoms, test results, response to questionnaires, and adverse events.

2 Personal data origin and legal basis for processing

Generally, we collect the data directly from users. However, if users choose to use their Facebook account, Gmail account or Apple ID to create an account, some data may be collected from Facebook/Meta, Google or Apple, as applicable. Data may also be collected from Sidekick's coaches where applicable.

Data collected on participants in research projects is collected directly from participants and relevant health care providers. Participants are provided with an Informed Consent either on paper or via digital methods. The Informed Consent explains all the aspects of the research projects.

Most of the processing of personal data within the App is based on your explicit consent. When you download the App, we ask for your explicit consent for the processing of your personal data as described in this Privacy Policy. By providing such consent, you allow us to process the data you insert into the App. Users can at any time withdraw their consent. All communications with respect to such withdrawal should be addressed to Sidekick's Data Protection Officer. The processing of personal data in relation to technical support is based on our contractual obligation.

3 To whom do we disclose your personal data?

Your personal data will mainly be used to provide you with the services in the App and, where applicable, conduct the research project.

We may share your personal data with third parties, including research partners (in case a user is a research participant), contractors, consultants and other third parties who require such data to assist us with managing our business. Third parties who provide us with information technology and other consultancy services may also have access to your data, as necessary.

In addition, your personal data may also be disclosed to third parties as permitted or required by applicable law.

Moreover, your personal data may be disclosed to third parties due to regulatory requirements or to comply with valid legal processes such as search warrants, subpoenas, or court orders. In addition, personal data may be disclosed or transferred to a third party in case of a change in ownership of Sidekick.

Where your personal data is transferred to a country outside of the EEA, and that country is not subject to an EU adequacy decision, we will ensure your data is protected by appropriate safeguards (e.g. via the use of EU-approved standard contractual clauses).

Data within the App is stored using Google Cloud SQL, whose databases are located in the EU. It cannot, however, be excluded that these databases are made accessible to other Google entities which are located outside the EEA. Google has EU Processor-to-Processor Standard Contractual Clauses in place for such transfers to ensure the security and integrity of the personal data transferred.

4 How long does Sidekick keep your data?

Except as otherwise permitted or required by applicable law or regulatory requirements, Sidekick is committed to retaining your personal data only for as long as necessary to fulfil the purposes for which the personal data was collected.

Most data collected via the App is retained until a user deletes their account or for two years from the user's last activity in the App.

Data processed in relation to research projects are retained for two years from the end of the research project in question.

We may retain data for a longer time than specified in this section if legally prescribed or if it is necessary to preserve and defend Sidekick's legal interests, for example, during judicial proceedings.

5 Data security

The security, integrity and confidentiality of your personal data are of vital importance to us. We have implemented appropriate technical, administrative, and physical security measures to safeguard your personal data against unauthorised access, use, alteration and disclosure, including by implementing access controls, encryption and hardware tokens. We regularly review our security procedures to assess whether we must implement additional measures or improve existing procedures.

6 How you can exercise your rights provided under data protection legislation

Sidekick is committed to ensuring your rights under Act No 90/2018 on Data Protection and Processing of Personal Data ("Data Protection Act").

The Data Protection Act provides individuals with certain rights over their personal data. Your rights are, however, not absolute. There are, for example, instances where applicable law or regulatory requirements allow or require us to refuse to provide some or all of the personal data that we hold about you. If we cannot comply with your request, we will endeavour to inform you of the reasons why, subject to any legal or regulatory restrictions.

Right to rectification: It is important that the data we keep on our users is both accurate and current. If your personal data happens to change during your use of the App, please keep us informed of such changes. You are also entitled to request rectification of inaccurate data on you. Considering the purpose of the processing, you also have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

Right to access to your personal data: You are entitled to request access to the personal data we process on you and request information on the processing activities undertaken by Sidekick. You may also be entitled to a copy of the personal data we process.

Right to data portability: Under certain circumstances, you may request that we send information that you have provided to us directly to you or a designated third party. This right, however, only applies when processing of the data is based on either your consent or our agreement with you.

Right to erasure: Under certain circumstances, you may have the right to have your data deleted, such as where the personal data is no longer necessary in relation to the purpose for which it was collected or where you withdraw your consent or where you have objected to the processing.

Right to restriction of processing: If you do not wish to have your personal data erased, but do not wish for the data to be further processed by Sidekick, you may request that the processing of the data be restricted.

Right to withdraw consent: In case the processing of your personal data is based on consent, you can withdraw your consent at any time.

Right to object to the processing: If the processing of your personal data is based on Sidekick's legitimate interests, you have the right to object to the processing, following which we must stop the processing unless we can demonstrate a compelling legitimate ground for the processing which overrides your interests.

7 Inquiries or concerns

If you have any questions about this Privacy Policy or concerns about how we manage your personal data, please contact Sidekick's Data Protection Officer (privacy@sidekickhealth.com). We will endeavour to answer your questions and advise you of your rights based on this Privacy Policy.

If you are unsatisfied with our response, you may be entitled to make a written submission to the respective data protection authorities, including the Icelandic Data Protection Authority (www.personuvernd.is).

8 Revisions to this Privacy Policy

Sidekick may make changes to this Privacy Policy to reflect changes to our legal or regulatory obligations or to the manner in which we process your personal data.

Any changes to this Privacy Policy will be effective from the time they are published.

This Privacy Policy was implemented on September 1st 2022.