10X DECODE Privacy Notice

Important information and who we are

REVIV Digital Limited, operating in partnership with 10X Health and trading under the 10X DECODE brand (collectively "we", "us" or "our"), respects your privacy and is committed to protecting your personal data. This Privacy Notice ("Notice") is designed to inform you of how we collect, use and look after your personal data when you access and use the subscribed services we provide via the 10X DECODE platform, or otherwise interact with us in the ordinary course of operating our business ("you", "your") (regardless of where in the world you are located), and to tell you about privacy rights that may be available to you.

It is important that you read this Notice together with any other privacy or fair processing notice we may provide on specific occasions when we are collecting or processing personal data about you, so that you are fully aware of how and why we are using your data. This Notice may be supplemental to other notices and policies but is not intended to override them.

Our products and services are not intended to be used by children and we do not knowingly collect data relating to children.

Data controller

REVIV Digital Ltd is the primary controller of your personal data. As a company based in the United Kingdom, we are subject to UK and in some cases EU data protection law, including the UK / EU GDPR (as applicable) ("GDPR") and the UK Data Protection Act 2018.

In addition, we may share your personal data with affiliates within our group of companies and the 10X Health group. Some of those affiliates may also act as controllers of your personal data in which case this Notice applies and is provided for and on behalf of those affiliates. This includes:

• REVIV Technology Limited
• REVIV Global Limited
• REVIV UK Limited
• REVIV Capital Limited
• REVIV Management LLC
• 10X Health System

The data we collect about you and how we use it

Personal data, or personal information, means any information that relates to an identified or identifiable individual. It does not, however, include anonymous data which does not relate to an identified or identifiable individual. There may be cases where we anonymise personal data, for example when conducting statistical analysis, and in such cases data protection laws no longer apply to the processing of that data.

We may collect the following types of your personal data:

• Your name
• Your business contact details (including telephone number and email address)
• The nature and location of your engagement
• Details of relevant medical licences and other professional qualifications
• Billing and financial information (including account and payment details)
• Login credentials (including username and password)
• Technical information (including your IP address, geolocation, device ID and telemetry data)
• Details of communications with us relating to your use of our services or platform, including the contents of such communications and your communication preferences We use this information for the following purposes:

We use this information for the following purposes:

• Verifying your identity as an authorised user and your ability to meet applicable eligibility criteria, including by reference to professional qualifications and licenses held
• Providing you with access to subscribed services and our platform
• Communicating with you in relation to your use of subscribed services and our platform
• Monitoring and enabling the effective provision and use of our services and platform, including through conducting data analytics and making improvements to our services and platform, to ensure and enhance security, performance and the quality of your user experience
• For administrative, financial and other business purposes, including to improve efficiency, enable effective business operations, and promote and protect our brands
• Communicating with you based on your preferences in relation to our services and platform, including by issuing surveys, promotions, newsletters and details of other services under the 10X DECODE, 10X Health, or REVIV brands that may be of interest to you
• Where appropriate, for the establishment, exercise or defence of legal claims, or to comply with our legal obligations (including where necessary in providing lawful cooperation to a relevant supervisory, regulatory or governmental authority, and law enforcement agencies)

We do not process any sensitive personal data (including "special category" personal data or criminal offence data, as defined under the GDPR in conjunction with applicable regulatory guidance) about you.

Legal basis for processing

Where the GDPR applies to our processing of your personal data, we will only process that data where we have a legal basis.

The bases that we may rely on in this context include:

• Where necessary to enter into or perform a contract with you.
• Where necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests, including:
  • to enhance the functionality and security of our services and platform;
  • to enable and improve the administration and operation of our business;
  • to enable us to enter into and comply with our contractual obligations;
  • to enable the effective promotion of our business, including by engaging with you and by initiating direct marketing communications, where permitted; and
  • to facilitate the protection of our business and brand, including by taking or defending legal action.
• Where we need to comply with a legal obligation.
• In other limited cases, with your specific consent.

Please note that in any case where we rely on your consent, you may withdraw your consent at any time by emailing us at support@revivme.com or by using other means that we make available to you (for example, by using unsubscribe links provided in email communications). When you withdraw your consent, we will stop any processing of your personal data based on that consent however this will not affect the lawfulness of any processing carried out before you withdrew your consent.

In addition, please note that if you do not provide us with certain information when requested, this could prevent us from complying with legal obligations or with our contractual obligations to you.

Disclosures of personal data

We may disclose your personal data to the selected third parties as set out below:

• third-party service providers including suppliers of IT infrastructure and other technical services, service providers used to facilitate billing and payment processing and companies that provide marketing or other advertising-related services on our behalf;
• group companies named in this Notice, for administrative and operational purposes;
• government bodies and dispute resolution and law enforcement organisations, including relevant tax authorities, regulators, the police and courts;
• Our professional advisers, including lawyers, bankers, auditors and insurers who provide consultancy, banking, legal, insurance and accounting services.
• Other third parties, including in the context of sale, acquisition, transfer or merger of business or assets, where personal data must be shared with the seller or purchaser and their respective professional advisors.

Some of the third parties listed above will be controllers of your personal data in their own right, with their own privacy notice setting out how they will process your personal data and their own compliance obligations under data protection legislation. Others will be our processors, who process your personal data on our behalf and as we instruct them to do so.

International transfers

Some recipients of your personal data may be based outside the UK / European Economic Area ("EEA") and could involve transfer of data to countries that have differing standards of protection for personal data.

Whenever we transfer your personal data out of the UK / EEA and the GDPR applies to that processing, we will look to ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

• We will only transfer your personal data to countries or recipients that have been deemed to provide an adequate level of protection for personal data by the relevant governmental or supervisory authority, including under the EU / UD Data Privacy Framework and the UK / US Data Bridge.
• Where we use certain service providers, we may use specific contracts approved by the relevant governmental or supervisory authority, including EU Standard Contractual Clauses approved for use by the European Commission and/or the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses.

Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the UK / EEA.

Data security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

Data retention

We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

However, and subject to the above, we will generally keep your information for 6 years after you cease using relevant REVIV services, following which your personal data will be permanently deleted.

Material changes

If we make any material changes to the terms of this Notice then we will take appropriate steps to notify you of this.

We keep our privacy policy under regular review. Historic versions can be obtained by contacting us.

Your obligations in relation to your personal data

It is important that the personal data we hold about you is accurate and current. Please ensure that any information you provide to use is accurate and keep us informed if your personal data changes during your relationship with us.

Third-party links

To the extent that we include links to third-party websites, plug-ins and applications within our services, please be advised that clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy notices. When you leave our platform, we encourage you to read the privacy notices of any third parties that may collect and process your personal data, so that you are fully informed of your rights in this regard.

Marketing

We may send marketing communications by email, subject to applicable legal requirements and your stated communicated preferences.

Every marketing email we send will include an unsubscribe link in the footer that you can click to opt-out from receiving further communications of the same type and/or subject matter. We will not sell your contact information to third parties.

Individual rights

Under certain circumstances, you may have rights under the GDPR in relation to your personal data. Where applicable, this includes the right:

• to obtain access to your personal data - you may request information on how your personal data is handled by us and request a copy of such personal data;
• to request us to correct or update your personal data if it is inaccurate or out of date;
• to object to the processing of your personal data where we rely on legitimate interests as our justification, unless we demonstrate compelling legitimate grounds which override your right to object or the processing is necessary for the establishment, exercise or defence of legal claims;
• to erase your personal data held by us where the personal data is no longer necessary in relation to the purposes for which it was collected, in certain circumstances where you have objected to the processing of such personal data, or where the personal data has been unlawfully processed;
• to restrict processing by us (i.e. the processing will be limited to storage only) where you oppose deletion of your personal data and prefer restriction of processing instead, or where you object to the processing by us on the where we rely on legitimate interests as our justification;
• to transmit personal data you submitted to us back to you or to another organisation in certain circumstances;
• where we are relying on your consent, to withdraw your consent at any time; and
• where the GDPR applies, to complain to the relevant supervisory authority in your jurisdiction, although we would always appreciate the chance to deal with your concerns in the first instance.

Please note that you will not have to pay a fee to access your personal data (or to exercise any of the other rights listed above). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive.

Alternatively, we could refuse to comply with your request in these circumstances. We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to clarify its scope.

We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made several requests. In this case, we will notify you and keep you updated.

If you would like to exercise any of your rights, or if you have questions about this Notice or our privacy practices, please email, call or write to us using the contact details given below.

Contact Us

You can write to us at our UK address which is: REVIV Digital Ltd, 10a Little Peter Street, Manchester, England, M15 4PS

You can also email us at: support@revivme.com