NexJ Connected Wellness Privacy Notice

Introduction

NexJ Health is committed to protecting your privacy. This privacy notice applies to the data collected by NexJ Health through NexJ Connected Wellness. It does not apply to data collected by NexJ Health through other online or offline NexJ Health sites, products or services.

NexJ Connected Wellness is a personal health platform that lets you gather, edit, add to, store, and share health information online. With NexJ Connected Wellness, you can control your own health records. You can also share your health information with family, friends, health care professionals, mobile phone applications, health related devices, and online tools.

You can choose to share information with separate applications that can connect with or run on NexJ Connected Wellness ("Applications") to use, edit and add to your health record. Applications can help you manage your information and find relevant health information.

You can choose to share specific information (or all information) with:

• Other people (such as friends and family)

• Applications (such as Applications that add data to your health records, provide information to your healthcare provider, or use some of your health records to provide information to you about managing your health)

Please read the NexJ Connected Wellness - End User Terms of Use.

1. Collection of your personal information

NexJ Connected Wellness asks you to enter an identifier and password to sign in. The first time you sign in to Connected Wellness you may be asked to provide personal information such as name, date of birth, email, and residential address. Depending on which features you use, you may be asked for additional information for that feature (such as the name of your health care provider or insurance information).

NexJ Health may use the email address you provide to send you an email requesting that you validate your email address, to include in sharing invitations you send through Connected Wellness and to send you NexJ Connected Wellness notifications, such as email notification that information or messages are available to you on NexJ Connected Wellness. As described in their privacy statements, Applications you authorize may also use your email address.

NexJ Connected Wellness allows you to manage one or more health records, such as the ones you create for yourself and your family members. Generally, you choose what information to put in your records. Depending on the Applications that you use on NexJ Connected Wellness you may be asked to consent to the release of a copy of medical records or information from a health care organization or provider. When you consent to the release of a copy of medical records or information to NexJ Connected Wellness, the health care organization or provider remains the custodian of the original records and you are responsible for managing the copy released to NexJ Connected Wellness. Examples of the types of information you can store in your health record on NexJ Connected Wellness include:

• Discharge summaries from hospitalizations

• Transitional care management plans created after your release from hospital

• Health care appointment details

• eConsult information in preparation for medical appointments

• Pictures of meals and food you've eaten

• Fitness related activities such as aerobic sessions

• Measurements such as blood glucose, weight and blood pressure

• Lab results

• Medications

• Health history

You can use Applications to enter a wide range of health information into your health record. You can give Applications permission to view, add, modify, and/or delete information in a record. Some Applications store their own copy of the information they access. If an Application has its own privacy statement, NexJ Connected Wellness will provide you a link to such privacy statement at the time you are authorized to access the Application. Please read the Application's privacy statement for information such as where and how the Application may use, store and transfer your information; what additional information it may collect; how you can review, edit and delete the information it holds and other choices you may have.

You can also store files, and can add or edit some information directly when logged into NexJ Connected Wellness.

By default, you are the custodian of any records you create on NexJ Connected Wellness. You may invite additional people to be custodians. Some of the information you store in the records you manage may be highly sensitive, so you need to consider carefully with whom you choose to share the information.

2. Sharing your Personal Health Information

A key value of NexJ Connected Wellness is the ability to share your health information with people and services who can help you meet your health-related goals. For example, you can share health information from records you control:

• To get your primary physician's assistance with a transitional care management plan after your release from hospital

• To get family members to help you manage your health

• To use products and services that can improve or monitor your health

• To provide health information to a health coach who can assist you in meeting health and fitness goals

You can share information in a health record you are custodian of with another person by sending a sharing invitation via email through NexJ Connected Wellness. If the person accepts your sharing invitation and has or creates a NexJ Connected Wellness account, you have given him or her access to that information. You can add or remove people from sharing your account.

You can also share personal information and health information with Applications. You decide which Applications you want to use. You may need to agree to additional terms of use, an additional privacy statement and new financial terms before using a new Application. You can revoke an Application's access to your data at any time. The access you grant to an Application through NexJ Connected Wellness is active until you revoke it.

3. Accuracy of your Personal Information

NexJ Health works hard to ensure that the information within NexJ Connected Wellness is accurate. Nevertheless, participants should be vigilant of the accuracy of their own data. The method for updating information depends on the information source.

Personal health information within NexJ Connected Wellness is entered via one of:

• Entered by the Participant themselves,

• Entered by a person whom the Participant has granted access,

• Entered by their Health Care Provider, or

• Imported from a Health Care Provider system via system integration.

In the case of self-entered information, the Participant can correct the information themselves.

In the case of information entered by the Health Care Provider or a system integrated to NexJ Connected Wellness, the Participant must make the change request through the originating Health Care Provider or their Organization. Contacting the information source is necessary because NexJ Connected Wellness does not modify or provide edit capabilities for information received from other systems.

4. Processing of Personal Information

The legal basis for the collection and processing of any person information or data is to meet NexJ Health’s contractual obligations to you, service providers and employees. NexJ Health uses personal information collected through NexJ Connected Wellness, including health information, to provide NexJ Connected Wellness service, and as described in this privacy notice and the end user terms of use and in the terms of use and privacy statements of NexJ Connected Wellness Applications that you use.

In support of these uses NexJ Health may use and process personal information and data for the following purposes:

• To provide you with the health coaching and patient health management services offered by the NexJ Connected Wellness Platform

• To analyze and optimize information and data in order to improve the NexJ Connected Wellness platform and the services provided

• To provide you with important information about NexJ Connected Wellness and Applications, including critical updates and notifications

• To send you newsletters if you opt-in

• To display relevant advertisements if you opt in

• To assist us with complying with applicable laws

NexJ Health occasionally hires other companies and contractors to provide limited services on our behalf, such as security audits for example. NexJ Health gives those companies and contractors access only to the personal information they need to provide the services. NexJ Health requires these companies and contractors to maintain the confidentiality of the information and prohibit them from using the information for any other purpose. These companies and contractors are also required to follow our policies and procedures related to the treatment of personal information and health information.

NexJ Health may access and/or disclose your personal information if NexJ Health believes such action is necessary to: (a) comply with the law or legal process served on NexJ Health; (b) protect and defend the rights or property of NexJ Health (including the enforcement of our agreements); or (c) act in urgent circumstances to protect the personal safety and welfare of NexJ Connected Wellness users or members of the public.

4.1 Data Subject Rights

At any point while NexJ Health is in possession of or is processing your persona data or information, all Data Subjects have the following rights:

• Transfer personal data from one electronic processing system to and into another electronic processing system;

• Know what data has been collected about you and how such data has been processed;

• Make changes to inaccurate data;

• Withdraw consent to have your data processed and to have your personal data deleted. Note that NexJ Health may be obligated to retain certain personal data on behalf of health professionals in order to comply with applicable laws;

• Be informed, in clear and plain language, of what data is being collected and processed.

• The right to know whether data concerning you is being processed and if so, the right to access it;

• The right to limit the scope of processing of your personal data. Limiting the scope of processing may impact your ability to use the NexJ Connected Wellness Platform;

• The right to object to having your personal data processed. Objecting to having your personal data processed will impact your ability to use the NexJ Connected Platform;

• The right to not be subject to processing done solely on an automated basis (i.e., profiling).

Furthermore, you can request the following information:

• Identity and the contact details of the person or organisation that has determined how and why to process your data.

• Contact details of the Data Protection Officer, where applicable.

• The purpose of the processing as well as the legal basis for processing.

• If the processing is based on the legitimate interests of NexJ Health or a third party such as one of its clients, information about those interests.

• The categories of personal data collected, stored and processed.

• Recipient(s) or categories of recipients to whom the data are/will be disclosed.

• How long the data will be stored.

• Details of your rights to correct, erase, restrict or object to such processing.

• Information about your right to withdraw consent at any time.

• How to lodge a complaint with the Office of the Information Commissioner (Data Protection Regulator) or Personal Data Protection Commission (PDPC).

• Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether you are obliged to provide the personal data and the possible consequences of failing to provide such data.

• The source of personal data if it wasn’t collected directly from you.

• Any details and information of automated decision making, such as profiling, and any meaningful information about the logic involved, as well as the significance and expected consequences of such processing.

To access personal data held, identification will be required

NexJ Health will accept the following forms of identification when information on your personal data is requested. A copy of your driver’s license, passport, birth certificate and utility bill, bank statement, or credit card statement not older than three months old. A minimum of one piece of photographic identification listed above and a supporting document is required. If NexJ Health is dissatisfied with the quality, further information may be sought before personal data can be released.

All requests should be made to dataprotection@nexjhealth.com with subject: Data Access Request.

4.2 Complaints

If you wish to make a complaint about how your personal data is being processed by NexJ or its partners, you have the right to complain. Please refer to Section 12 for Enforcement of this Privacy Statement and Contact Information. If you do not get a response within 30 days, you can complain to your local supervisory authority.

5. Aggregated, De-Identified and Anonymized Personal Information

NexJ Health may process aggregated information from NexJ Connected Wellness and Applications to improve the quality of NexJ Connected Wellness and for marketing NexJ Connected Wellness and Applications (e.g. to inform prospective platform sponsors and subscribers about NexJ Connected Wellness use). Aggregated information is not associated with any individual user and no user can be identified from it. De-Identified and Anonymized information may be shared with public health organizations, government, medical researchers and healthcare providers and companies for research and statistical purposes. NexJ Health contracts with these organizations to prevent them from attempting to identify you based on this information. NexJ Health may also use de-identified and anonymized information for research and statistical purposes and to improve the quality of NexJ Connected Wellness.

6. How NexJ Health Safeguards your Confidential Information

NexJ Connected Wellness is a secure cloud-based platform accessible from a desktop browser or mobile device. All applications access the NexJ Connected Wellness cloud through an Application Programming Interface (API) and pass through a perimeter security gateway to ensure that only authenticated users can access the system. The security gateway also protects against malicious attacks, viruses and malware.

If a NexJ Connected Wellness user (e.g. participant) has a relationship with another NexJ Connected Wellness user, as may be the case between a patient and a healthcare professional, and if those users intend to communicate data from their own clinical systems (for example, another EMR, or EHR, external to NexJ Connected Wellness), then NexJ Connected Wellness may exchange data with those external systems. Such communication is performed over a secure connection.

6.1 Who Can Access Your Personal Health Information?

Only individuals that have been given explicit access by the participant (i.e. patient) can view the participant's personal health information. This is based on the participant's defined Circle of Care - anyone the participant chooses to invite to support and participate in their own health and wellness, such as healthcare providers, family, friends, and advocates. Providers can invite participants to join the platform. Providers can only access health information from participants they have invited to the platform, or from those participants that have added that provider to their Circle of Care.

NexJ Connected Wellness has been designed from the ground-up to protect Personal Health Information (PHI) to the utmost degree. Our NexJ Health operational and support processes are designed with protection of PHI in mind as well.

The following safeguards are in place:

• Data is stored in encrypted format in the NexJ Connected Wellness database

• Data is stored in the jurisdiction in which it is collected

• The purpose of the processing as well as the legal basis for processing.

• If the processing is based on the legitimate interests of NexJ Health or a third party such as one of its clients, information about those interests.

• The categories of personal data collected, stored and processed.

• Recipient(s) or categories of recipients to whom the data are/will be disclosed.

• How long the data will be stored.

• Details of your rights to correct, erase, restrict or object to such processing.

• Information about your right to withdraw consent at any time.

• How to lodge a complaint with the Office of the Information Commissioner (Data Protection Regulator) or Personal Data Protection Commission (PDPC).

• Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether you are obliged to provide the personal data and the possible consequences of failing to provide such data.

• The source of personal data if it wasn’t collected directly from you.

• Any details and information of automated decision making, such as profiling, and any meaningful information about the logic involved, as well as the significance and expected consequences of such processing.