Huma Privacy Policy

(formerly Medopad Privacy Policy)

Overview – the key information you should be aware of

.................................................................................

A. Who we are...................................................................................................................... 1

B. Our values and what this policy is for.......................................................................... 1

C. Who this policy applies to.............................................................................................. 2

D. What this policy contains................................................................................................2

E. Your rights to object........................................................................................................ 2

F. Legal basis for use of your personal data................................................................... 2

G. How long we store your personal information............................................................ 3

The detail - the key information you should be aware of................................................................................. 4

1. How we obtain your personal information............................................................................. 4

2. How we use your personal data............................................................................................. 4

2.1 Visitors to our website....................................................................................................... 4

2.2 Customers, and employees of customers......................................................................5

2.3 Users of the Huma app and platform.............................................................................. 7

2.4 Prospective customers to whom we send marketing communications..................... 9

2.5 Job candidates who wish to join the Huma team..........................................................9

2.6 Our suppliers, and employees of our suppliers............................................................. 9

2.7 Universal uses for your personal information.............................................................. 11

2.8 Further processing........................................................................................................... 11

3. How and why we share your personal information with others....................................... 11

4. To which countries we may transfer your personal information...................................... 12

5. Your rights................................................................................................................................ 13

6. Information on the processing of personal data of Children............................................ 13

7. Risks and how we keep your personal information secure.............................................. 14

8. Links to other websites...........................................................................................................14

9. Changes to our privacy policy...............................................................................................14

10. Further questions and how to make a complaint.............................................................14

Overview – the key information you should be aware of

A. Who we are: We are Huma Therapeutics Limited (formerly Medopad Limited), the owner and

provider of a healthcare platform which facilitates the collection and integration of patient data

from medical databases and patient devices, which may be accessed by healthcare

professionals and organisations. Our company number is 07725451 and our registered office

is 13th Floor Millbank Tower, 21-24 Millbank, London, England, SW1P 4QP. Medopad has

rebranded as Huma, and Medopad Limited has changed its legal name to Huma Therapeutics

Limited.

Huma Therapeutics Limited is the controller concerning the processing of your personal

information as described herein, and is responsible for your personal information.

Huma Therapeutics Limited may hereinafter also be referred to as “Huma”. All references in

this policy to "Company", "our", "us" or "we" refer to Huma Therapeutics Limited (formerly

Medopad Limited), or our group companies, as appropriate. All references in this policy to "our

website", refer to the website owned by us at www.huma.com (formerly www.medopad.com).

B. Our values and what this policy is for: We value your privacy and want to be accountable

and fair to you as well as transparent with you in the way that we collect and use your

personal information.

In line with these values, this privacy policy tells you what to expect when we collect and use personal

information about you. We have tried to make it easy for you to navigate so you can find the

information that is most relevant to you and our relationship with you.

We are always looking to improve the information we provide to our customers and contacts so if you

have any feedback on this privacy policy, please let us know using our contact details in section 10.

C. Who this policy applies to: This policy applies to:

1. Visitors to our website www.huma.com (formerly www.medopad.com);

2. Customers, and employees of customers;

3. Users and potential users of the Huma app and platform

4. Prospective customers (to whom we send marketing communications);

5. Job candidates who wish to join the Huma team;

6. Our suppliers, and employees of our suppliers.

Depending on our relationship, we will collect and use your personal data in different ways. Please

click on the links above to find out the information that we collect about you and how we use this

information.

D. What this policy contains: This privacy policy describes the following important topics

relating to the processing of your personal data:

1. How we obtain your personal data;

2. How we use your personal data;

3. Our legal basis for using your personal data;

4. How and why we share your personal data with others;

5. How long we store your personal data;

6. Your rights as a data subject;

7. Information on the processing of personal data of children;

8. Information on the processing of personal data in marketing;

9. To which countries we may transfer your personal data;

10. Risks and how we keep your personal data secure;

11. Links to other websites;

12. Changes to this privacy policy; and

13. Further questions and how to make a complaint.

E. Your rights to object: You have various rights in respect of our use of your personal

information as set out in section 5. We hereby want to explicitly bring to your attention wo of

the fundamental rights to be aware of:

1. you may ask us to stop using your personal information for direct-marketing purposes.

If you exercise this right, we will stop using your personal information for this purpose.

2. you may ask us to consider any valid objections which you have to our use of your

personal information where we process your personal information on the basis of our,

or another person's, legitimate interest. You can find out more information in section 5.

F. Legal basis for use of your personal data

1. The legal bases for using your personal information as set out in this privacy policy

are as follows:

a. our use of your personal information is necessary to perform our obligations under

any contract with you (for example, to comply with the terms of use of our app,

platform or website which you accept by registering for app and platform or

browsing our website); or

b. our use of your personal information is necessary for complying with our legal

obligations (for example, due to tax retention periods); or

c. where neither (a) nor (b) apply, use of your personal information is necessary for

our legitimate interests or the legitimate interests of others (for example, to ensure

the security of our website). Our legitimate interests may be to:

• run, grow and develop our business (as well as the businesses of our

group companies);

• operate and improve our website and the Huma app and platform;

• select appropriately skilled and qualified suppliers;

• ensure a safe environment for our residents and suppliers;

• carry out marketing, market research and business development;

• place, track and ensure fulfilment of orders with our suppliers; and

• for internal group administrative purposes.

If we rely on our (or another person's) legitimate interests for using your personal

information, we will undertake a balancing test to ensure that our (or the other

person's) legitimate interests are not outweighed by your interests or fundamental

rights and freedoms which require protection of the personal information. You can

ask us for information on this balancing test by using the contact details in section

10.

2. We may use your special categories of data (such as health and wellbeing

information) where you have provided your consent (which you may withdraw at any

time after giving it, as described below). This includes all data you or your named

clinician, healthcare professional or healthcare organisation provide to us in order to

use it within the Huma app and platform.

3. We may process your personal information in some cases for marketing purposes on

the basis of your consent (which you may withdraw at any time after giving it, as

described below).

4. If we rely on your consent for us to use your personal information in a particular way,

but you later change your mind, you may withdraw your consent by contacting us at

privacy@huma.com or privacy@medopad.com and we will stop doing so. However, if

you withdraw your consent, this may impact the ability for us to be able to provide the

Huma app and platform and associated services to you (for example, if those services

require use of your special categories of data such as health information).

G. How long we store your personal information

We keep your personal information for no longer than necessary for the purposes for which

the personal information is processed. The length of time for which we retain personal

information depends on the purposes for which we collect and use it and/or as required to

comply with applicable laws and to establish, exercise or defend our legal rights.

The detail - the key information you should be aware of

1. How we obtain your personal information

1.1 You may provide us with your personal information voluntarily (section 1.2). We may also

receive information about you from third parties such marketing agencies, market research

companies, our suppliers, contractors and consultants, Huma group companies, public websites and

public agencies, which we refer to as "third party sources" or "suppliers" throughout this policy.

1.2 You may give us personal information about yourself by using the online forms provided on

our website, setting up an account with us or in our app, using bulletin boards or forums on our

website, or by contacting us by phone, email or other means. This includes, for example, where you

provide your personal information to us in order to receive products, deliveries, information or services

from us. If you are a supplier, you may also give us personal information about you when you are

offering or providing services to us.

2. How we use your personal data

Please go to the section or sections below that best describes our relationship with you to find out the

information that we collect about you and how we use this information. Any information that we refer to

as "personal information" throughout this policy constitutes “personal data”.

2.1 Visitors to our website

a. Visiting our website

Categories of personal data

• Technical information. This includes: the Internet Protocol (IP) address used to

connect your computer to the internet address; the website address and country from

which you access information; the files requested; browser type and version; browser

plug-in types and versions; operating system; and platform. We use this personal

information to administer our website, to measure the efficiency of our systems and to

undertake an analysis on the locations from which people access our webpages; and

• Information about your visit and your behaviour on our website (for example,

the pages that you click on). This may include the website you visit before and after

visiting our website (including date and time), time and length of visits to certain

pages, page interaction information (such as scrolling, clicks, and mouse-overs),

methods used to browse away from the page, traffic data, location data, weblogs and

other communication data and information provided when requesting further service or

downloads.

Purposes of the processing: We will collect, use and store the personal information listed

above for the following reasons:

• to allow you to access and use our website;

• for improvement and maintenance of our website and to provide technical support for

our website;

• to ensure the security of our website;

• to recognise you when you return to our website, to store information about your

preferences, and to allow us to customise the website according to your individual

interests; and

• to evaluate your visit to the website and prepare reports or compile statistics to

understand the type of people who use our website, how they use our website and to

make our website more intuitive. Such details will be anonymised as far as reasonably

possible and you will not be identifiable from the information collected.

Legal basis for the processing: We process your personal information based upon our

legitimate interests to

• run, grow and develop our business (as well as the businesses of our group

companies);

• operate and improve our website and the Huma app and platform;

• carry out marketing, market research and business development;

• for internal group administrative purposes

b. Contacting us through our website

Categories of personal data: We may process through our website your name and contact

data, if so required also information concerning your employment relationship or your date of

birth as well as information you provide to us throughout our correspondence.

Purposes of the processing: We will collect, use and store the personal information listed

above for the following reasons:

• to allow you to provide information on projects on which you are working and on which

you would like to inquire;

• to register to receive sales or other notifications and materials;

• to receive enquiries from you through the website about our website, app and

associated services;

Legal basis for the processing: Processing your personal information for the purpose of

contacting us will be on the basis of your voluntarily given consent, or such processing may be

necessary in order to handle (pre-)contractual enquiries.

Retention period: We will delete the data collected and processed in the context of our

correspondence upon completion of your request, unless we have a legal retention obligation

to observe.

Please see sections 2.7 and 2.8 for more details about how we use your personal information.

2.2 Customers, and employees of customers

a. Conclusion and performance of contracts

Categories of personal data: We may process your name and contact data, if so required

also information concerning your employment relationship or your date of birth, contract and

payment information as well as information you provide to us throughout our correspondence.

In some cases, we may also process access data to our products or services that have been

provided to you or generated by you.

Special categories of personal data: Some of the personal information that we collect about

you or which you provide to us about you or your family members may be special categories

of data. Special categories of data include information about physical and mental health,

sexual orientation, racial or ethnic origin, political opinions, philosophical belief, trade union

membership and biometric data.

Source of personal data: We may receive some of your personal information from third

parties, such as from other customers or clinicians where you use the Huma app, platform or

other related interface.

Purposes of the processing: We will collect, use and store the personal information listed

above for the following reasons:

• to provide you with our interfaces, which help you manage our services;

• to facilitate deliveries of data, new products and services to you;

• to deal with any enquiries or issues you have about our the Huma app, platform and

associated services that you request from us, our app which helps you manage our

services, and about our products and services;

• to send you certain communications (including by email or post) about our products

and services such as administrative messages (for example, setting out changes to

our terms and conditions and keeping you informed about our fees and charges);

Legal basis for the processing: The processing is necessary for the handling of (pre-

)contractual enquiries or for the conclusion and performance of contractual relationships to

which you are a party. If you are not yourself a party to a contract with us, but an employee of

one of our customers, we process your personal data on the basis of our legitimate interest to

run, grow and develop our business (as well as the businesses of our group companies). We

process special categories of personal data exclusively on the basis of your consent.

Retention period: The data collected and processed within the scope of contractual

relationships with us will be deleted upon completion of your request, if necessary after the

expiry of contractual warranty and/or liability periods as well as statutory retention periods.

Insofar as the processing of personal data is based on your consent, we will delete this data if

you revoke your consent to us.

b. Improving our products and services

Categories of personal data: In addition to the data mentioned in lit. a, we may also process

the following personal data:

• information about the provision of existing or potential projects or studies using or

developing new elements of the Huma app and platform, and the associated services

we provide (or may provide) to you including (but not limited to):

A. information needed to provide the services to you, or develop future services

(including information on joining forms, order details, order history and

payment details);

B. customer/patient/clinician services information; and

C. customer/patient/clinician relationship management and marketing information;

• information you provide to help us provide you with improved service, for example if

we ask you to fill in a survey or questionnaire.

Special categories of personal data: Some of the personal information that we collect about

you or which you provide to us about you or your family members may be special categories

of data. Special categories of data include information about physical and mental health,

sexual orientation, racial or ethnic origin, political opinions, philosophical belief, trade union

membership and biometric data.

Source of personal data: We may receive some of your personal information from third

parties, such as from other customers or clinicians where you use the Huma app, platform or

other related interface.

Purposes of the processing: We will collect, use and store the personal information listed

above for the following reasons:

• to carry out statistical analysis, product research and feedback and market research

on people who may be interested in our existing or new Huma products and services;

and

• if it is in our legitimate interests for business development and marketing purposes, to

contact you (including by telephone or post) with information about our products and

services or the products and services of our suppliers which either you request, or

which we feel will be of interest to you; and

• if you are a sole trader or a non-limited liability partnership and if you have consented,

to contact you by email with information about our products and services or the

products and services of our suppliers which either you request, or which we feel will

be of interest to you.

Legal basis for the processing: The processing is partly necessary for the handling of (pre-)

contractual enquiries or for the conclusion and performance of contractual relationships to

which

you are a party. If you are not yourself a party to a contract with us, but an employee of one of

our customers, we process your personal data on the basis of our legitimate interest to run,

grow and develop our business (as well as the businesses of our group companies) as well as

to carry out marketing, market research and business development. We process special

categories of personal data exclusively on the basis of your consent.

Retention period: The data collected and processed within the scope of contractual

relationships with us will be deleted upon completion of your request, if necessary after the

expiry of contractual warranty and/or liability periods as well as statutory retention periods.

Insofar as the processing of personal data is based on your consent, we will delete this data if

you revoke your consent to us.

Please see sections 2.7 and 2.8 for more details about how we use your personal information.

c. Information we need to provide services to you. We need certain types of personal

information so that we can provide services to you and perform contractual and other legal

obligations that we have to you. If you do not provide us with such personal information, or if

you ask us to delete it, you may no longer be able to access Huma app and/or platform for

receipt of the Huma services.

2.3 Users of the Huma app and platform

Categories of personal data: When registering for or using the Huma app or platform we

may, in addition to the data mentioned in section 2.2, collect and use the following information

about you (and we may use any of the following information in the ways explained below):

The information that is collected will depend on the nature of your condition and the purpose

for which you are using the Huma app. This could include data that is manually input by you,

including into data forms, surveys or questionnaires to be filled by you, or which is collected

via a connected device such as a wearable monitoring device

• your sex;

• your height, weight and other physical characteristics;

• information about your mental and physical health and wellbeing;

• your medical records and other documentation related to your medical history;

• the name, address, telephone number and email address of any doctor, care provider

or healthcare professional and their associated healthcare organisation;

• user name and password for access to the Huma app and/or platform;

• information about the Huma services we provide to you;

• details of your leisure activities and interests;

• information about your preferences;

• location data sent from the Huma app or platform.

Huma’s use and transfer of information received from Google APIs to any other app will

adhere to Google API Services User Data Policy, including the Limited Use requirements.

This applies to categories of personal data as well as special categories of personal data.

Special categories of personal data: Some of the personal information that we collect about

you or which you provide to us about you or your family members may be special categories

of data. Special categories of data include information about physical and mental health,

sexual orientation, racial or ethnic origin, political opinions, philosophical belief, trade union

membership and biometric data.

Source of personal data: We receive your personal information from you (including from

apps or devices that you have connected with the Huma app) and from your named clinician,

healthcare professional or healthcare organisation which collects and stores your medical

records and associated information.

Purposes of the processing: We will collect, use and store the personal information listed

above – always depending on the concrete set-up of the respective Huma app and your

declaration of consent – for the following reasons:

• to provide the Huma app and platform to you;

• to help you manage your profile, preferences and other choices in relation to the

Huma app and platform and associated services or to send you push notifications;

• to contact your named clinician or healthcare professional to obtain access to and

upload your medical records and other documentation relating to your medical history

to the Huma app and platform;

• to track your activity levels;

• to record and collate your symptoms, mood, change in any physical or mental

characteristics;

• to enable named clinicians or healthcare professional to access your medical records

and other logged information via the Huma app or platform in order to provide you with

care or treatment or any other recommended course of action;

• to suggest appropriate projects or initiatives operated or developed by Huma or third

parties;

• for the purpose of anonymising certain categories of that personal information,

aggregating that anonymised data with the anonymised data of other users of the

Huma app or platform and the provision of that data to third parties in order for those

third parties to collect, use and store that data for research into medical conditions,

trends and the development, adherence and efficacy of treatments.

Huma, thereby, helps patients to share information with health professionals. The data allows

people to track their own health and their clinical team to monitor them, e.g. to reduce the risk

of exposure to infections and improve overall efficiencies. This information includes health

data, such as your symptoms and heartrate, and is gathered when you answer questions, fill

out forms or allow us to link with other devices or apps. Your clinical team is also using Huma

software, which is connected to the app. Through this software, your clinical team will be able

to see all information that you upload to the app, or that are collected through devices you

have connected with the app. In particular, your clinical team will receive your health data

(such as possible symptoms of a specific medical condition).

Huma will only access your data for support purposes. Huma’s support team will only be able

to see your basic, non-sensitive personal data, (such as your name and email) so they can

help you use the app. The app treats your health data confidentially. Access to your name (or

other information which identifies you personally) is restricted so that only people at Huma

who need to see it can have access.

With your consent, we and your clinical team may use anonymised health data for research

purposes. Upon anonymisation, such data may be shared with third parties worldwide for

research purposes, and the research results may be used for respective own purposes. This

includes the development and distribution of digital biomarkers and digital therapeutics. These

recipients will not be able to identify you as a person. Personal data will never be sold by

Huma to third parties.

Legal basis for the processing: The processing is partly necessary for the handling of (pre-)

contractual enquiries or for the conclusion and performance of contractual relationships to

which you are a party. If you are not yourself a party to a contract with us, but an employee of

one of our customers, we process your personal data on the basis of our legitimate interest to

run, grow and develop our business (as well as the businesses of our group companies),

operate and improve our website and the Huma app and platform as well as to carry out

marketing, market research and business development. We process special categories of

personal data exclusively on the basis of your consent.

Please note that you may at any time disable push notifications in a Huma app by respectively

changing the settings of the app and/or your mobile device.

Retention period: The data collected and processed within the scope of contractual

relationships with us will be deleted upon completion of your request, if necessary after the

expiry of contractual warranty and/or liability periods as well as statutory retention periods.

Insofar as the processing of personal data is based on your consent, we will delete this data if

you revoke your consent to us.

Please see sections 2.7 and 2.8 for more details about how we use your personal information.

2.4 Prospective customers to whom we send marketing communications

Categories of personal data: We may process your name and contact data, if so required

also information about your preferences.

Source of personal information. We may receive some of your personal information from

third parties, such as marketing agencies.

Purposes of the processing: We will collect, use and store the personal information listed

above to contact you with information about our products and services which either you

request, or which we feel will be of interest to you (including newsletters).

Legal basis for the processing: We collect, use and store the personal information listed

above, if you have consented or, otherwise, if it is in our legitimate interests, for business

development and marketing purposes.

Retention period: We delete your data, if you withdraw your consent to us or object to the

processing. Please note that we may further store your data upon withdrawal or objection, if

this is required to serve our legitimate interest in ensuring adherence to your withdrawal or

objection (e.g. by keeping a blacklist).

Please see sections 2.7 and 2.8 for more details about how we use your personal information.

2.5 Job candidates who wish to join the Huma team

Categories of personal data: We may process your name and contact data as well as CVs

and information about your employment history and other contact details of references you

may have provided to us. Depending on the nature of the role and the applicable jurisdiction,

from time to time, we may also collect sensitive personal information about you, such as

information about your health, background check information, including criminal history, and

whether you are a member of any professional or trade associations.

Special categories of personal data: Some of the personal information that we collect about

you or which you provide to us about you or your family members may be special categories

of data. Special categories of data include information about physical and mental health,

sexual orientation, racial or ethnic origin, political opinions, philosophical belief, trade union

membership and biometric data.

Sources of personal data: We may receive some of your personal information from third

parties, such as recruitment agencies or through referrals.

Purposes of the processing: We will collect, use and store the personal information listed

above to assess your suitability for any vacant roles, to contact you with information about our

company, products and services, recruitment process and progress of your application which

either you request, or which we feel will be of interest to you.

Legal basis for the processing: The processing is partly necessary for the handling of (pre-)

contractual enquiries or for the conclusion and performance of contractual relationships to

which you are a party. If you are not yourself a party to a contract with us, but an employee of

one of our customers, we process your personal data on the basis of our legitimate interest to

run, grow and develop our business (as well as the businesses of our group companies) as

well as to carry out marketing, market research and business development. We process

special categories of personal data exclusively on the basis of your consent.

Retention period: We delete your data, if you withdraw your consent to us or object to the

processing. Please note that we may further store your data upon withdrawal or objection, if

this is required to serve our legitimate interest in ensuring adherence to your withdrawal or

objection (e.g. by keeping a blacklist). If the processing is related to a specific job application

procedure, we will store your personal information until the procedure is closed and for a

limited period thereafter on the basis of our legitimate interest to defend ourselves against

claims related to the job application procedure.

Please see sections 2.7 and 2.8 for more details about how we use your personal information.

2.6 Our suppliers, and employees of our suppliers

Categories of personal data: We may process the following information about you:

• your name including your title;

• work contact information (phone number, postal address, mailing address, email

address);

• your job title;

• information provided when you correspond with us;

• any updates to information provided to us;

• personal information we collect about you from third party sources such as LinkedIn:

• CVs, pitch and tender information;

• proof of identification and address;

• visa or work permit documentation;

• details of compensation, expense claims and bank details;

• information required to access company systems and applications (such as system ID).

Special categories of personal data: Some of the personal information that we collect about

you or which you provide to us about you or your family members may be special categories

of data. Special categories of data include information about physical and mental health,

sexual orientation, racial or ethnic origin, political opinions, philosophical belief, trade union

membership and biometric data. Sources of personal data: We may receive some of your

personal information from third party sources, such as your employer or your employer's

company website. We may also collect this personal information from publicly available

sources, such as LinkedIn.

Purposes of the processing: We may collect, use and store the personal information listed

above for the following reasons:

• to enable us to purchase and receive products and services from you (including

supplier due diligence, payment and expense reporting and financial audits);

• to deal with enquiries from you;

• to confirm information on CVs and performance reference checks, to assess you or

your employer's suitability to work for us;

• for equal opportunities monitoring;

• for health and safety records and management; and

• for security vetting and criminal records checks (where applicable and allowed by law).

Legal basis for the processing: The processing is partly necessary for the handling of (pre-)

contractual enquiries or for the conclusion and performance of contractual relationships to

which you are a party. If you are not yourself a party to a contract with us, but an employee of

one of our customers, we process your personal data on the basis of our legitimate interests

• run, grow and develop our business (as well as the businesses of our group companies);

• select appropriately skilled and qualified suppliers;

• ensure a safe environment for our residents and suppliers;

• place, track and ensure fulfilment of orders with our suppliers; and

• carry out marketing, market research and business development.

We process special categories of personal data exclusively on the basis of your consent.

Retention period: The data collected and processed within the scope of contractual

relationships with us will be deleted upon completion of your request, if necessary after the

expiry of contractual warranty and/or liability periods as well as statutory retention periods.

Insofar as the processing of personal data is based on your consent, we will delete this data if

you revoke your consent to us.

Please see sections 2.7 and 2.8 for more details about how we use your personal information.

Information we need to provide services to you. Please note that we need certain types of

personal information so that you or your employer can provide services to us. If you do not provide us

with such personal information, or if you or your employer ask us to delete it, you may no longer be

able to provide services to us.

2.7 Universal uses for your personal information

Whatever our relationship with you is, we may also collect, use and store your personal information for

the following additional reasons:

a. to deal with any enquiries or issues you have about how we collect, store and use your

personal information, or any requests made by you for a copy of the information we hold about

you;

b. for internal corporate reporting, business administration, ensuring adequate insurance

coverage for our business, ensuring the security of company facilities, research and

development, and to identify and implement business efficiencies. We may process your

personal information for these purposes where it is in our legitimate interests to do so;

c. to comply with any procedures, laws and regulations which apply to us – this may include

where we reasonably consider it is in our legitimate interests or the legitimate interests of

others to comply, as well as where we are legally required to do so; and

d. to establish, exercise or defend our legal rights – this may include where we reasonably

consider it is in our legitimate interests or the legitimate interests of others, as well as where

we are legally required to do so.

2.8 Further processing

Before using your personal information for any purposes which fall outside those set out in this section

2, we will undertake an analysis to establish if our new use of your personal information is compatible

with the purposes set out in this section 2. Please contact us using the details in section 10 if you want

further information on the analysis we will undertake.

3. How and why we share your personal information with others

3.1 We may share your personal information with our group companies where it is in our

legitimate interests to do so for internal administrative purposes (for example, for corporate strategy,

compliance, auditing and monitoring, research and development, machine learning and quality

assurance). If the processing is based upon your consent, we will only share your personal data with

third parties (with the exception of processors) if you have also declared your express consent thereto;

this specifically applies to the processing of special categories of personal data (such as health data).

3.2 We will share your personal information with the following third parties or categories of third

parties and data processors:

a. Amazon Web Servers (“AWS”), who provides you with the Huma app and platform on our

behalf and host our website.

b. we may share anonymised and aggregated statistical information with our suppliers to

demonstrate what interest there has been in any marketing campaigns we have assisted our

suppliers in carrying out;

c. we may also share anonymised data collected through the Huma app and platform,

aggregated with the anonymised data of other users of the Huma app or platform, with third

parties such as life sciences companies, health care organisations and insurance companies,

in order for those third parties to collect, use and store that data for research into medical

conditions, trends and the development, adherence and efficacy of treatments;

d. for the purposes of performing any contracts we have agreed on or you have requested, our

other service providers and sub-contractors, including payment processors, utility providers,

suppliers of technical and support services, insurers, logistic providers, and cloud service

providers;

e. for the purposes of performing any contracts we have agreed on or you have requested,

public agencies and the emergency services;

f. companies that assist in our marketing, advertising and promotional activities, such as

marketing automation platforms;

g. upon your express consent, analytics and search engine providers that assist us in the

improvement and optimisation of our website.

3.3 We will always ensure that any third parties with whom we share your personal information are

subject to privacy and security obligations consistent with this privacy policy and applicable laws.

3.4 We will also disclose your personal information to third parties:

a. where it is in our legitimate interests to do so to run, grow and develop our business:

• if we sell or buy any business or assets, we may disclose your personal information to

the prospective seller or buyer of such business or assets;

• if substantially all of our or any of our affiliates' assets are acquired by a third party, in

which case personal information held by us will be one of the transferred assets;

b. if we are under a duty to disclose or share your personal information in order to comply with

any legal obligation, any lawful request from government or law enforcement officials and as

may be required to meet national security or law enforcement requirements or prevent illegal

activity;

c. in order to enforce or apply our terms of use, our terms and conditions for customers or any

other agreement or to respond to any claims, to protect our rights or the rights of a third party,

to protect the safety of any person or to prevent any illegal activity; or

d. to protect the rights, property, or safety of Huma, our staff, our customers or other persons.

This may include exchanging personal information with other organisations for the purposes of

fraud protection and credit risk reduction.

3.5 We may also disclose and use anonymised, aggregated reporting and statistics about users of

our app, platform, website or associated services for the purpose of internal reporting or reporting to

our group or other third parties, and for our marketing and promotion purposes. None of these

anonymised, aggregated reports or statistics will enable our users to be personally identified.

3.6 Save as expressly detailed above, we will never share, sell or rent any of your personal

information to any third party without notifying you and, where necessary, obtaining your consent. If

you have given your consent for us to use your personal information in a particular way, but later

change your mind, you should contact us and we will stop doing so.

4. To which countries we may transfer your personal information

4.1 Your personal information may be used, stored and/or accessed by staff operating outside the

EEA working for us, other members of our group or suppliers. Further details on to whom your

personal information may be disclosed are set out in section 3.

4.2 If we transfer any personal information about you to countries outside the EEA, we will take

appropriate measures to ensure that the respective recipient protects your personal information

adequately in accordance with this privacy policy. These measures may include the following permitted

in Articles 45 and 46 of the General Data Protection Regulation:

a. in the case of US based entities, entering into European Commission approved standard

contractual arrangements with them, or ensuring they have signed up to the EU-US Privacy

Shield (see further https://www.privacyshield.gov/welcome); or

b. in the case of entities based in other countries outside the EEA, entering into European

Commission approved standard contractual arrangements with them.

4.3 Further details on the steps we take to protect your personal information, in these cases is

available from us on request by contacting us by email at privacy@huma.com or

privacy@medopad.com at any time.

5. Your rights

5.1 You have certain rights in relation to your personal information. If you would like further

information in relation to these or would like to exercise any of them, please contact us via email at

privacy@huma.com or privacy@medopad.com at any time. You have the following rights:

a. Right of access. You have a right of access to any personal information we hold about you.

You can ask us for a copy of your personal information; confirmation as to whether your

personal information is being used by us; details about how and why it is being used; and

details of the safeguards which are in place if we transfer your information outside of the

European Economic Area ("EEA").

b. Right to update your information. You have a right to request an update to any of your

personal information which is out of date or incorrect.

c. Right to delete your information. You have a right to ask us to delete any personal

information which we are holding about you in certain specific circumstances. You can ask us

for further information on these specific circumstances by contacting us using the details in

section 10. We will pass your request onto other recipients of your personal information unless

that is impossible or involves disproportionate effort. You can ask us who the recipients are,

using the contact details in section 10.

d. Right to restrict use of your information: You have a right to ask us to restrict the way that

we process your personal information in certain specific circumstances. You can ask us for

further information on these specific circumstances by contacting us using the details in

section

10. We will pass your request onto other recipients of your personal information unless that is

impossible or involves disproportionate effort. You can ask us who the recipients are using the

contact details in section 10.

e. Right to stop marketing: You have a right to ask us to stop using your personal information

for direct marketing purposes. If you exercise this right, we will stop using your personal

information for this purpose.

f. Right to data portability: You have a right to ask us to provide your personal information in a

structured, commonly used and machine-readable format to you or a third party provider of

services named by you. This right only applies where we use your personal information on the

basis of your consent or performance of a contract; and where our use of your information is

carried out by automated means.

g. Right to object: You have a right to ask us to consider any valid objections which you have to

our use of your personal information where we process your personal information on the basis

of our or another person's legitimate interest.

5.2 We will consider all such requests and provide our response within a reasonable period (and

in any event within one month of your request unless we tell you we are entitled to a longer period

under applicable law). Please note, however, that certain personal information may be exempt from

such requests in certain circumstances, for example if we need to keep using the information to

comply with our own legal obligations or to establish, exercise or defend legal claims.

5.3 If an exception applies, we will tell you this when responding to your request. We may request

you provide us with information necessary to confirm your identity before responding to any request

you make.

6. Information on the processing of personal data of Children

6.1 You must be aged 18 or over to purchase products or services from us. Our website and

services are not directed at children and we do not knowingly collect any personal information from

children without express consent from a parent or guardian.

6.2 If you are a child and we learn that we have inadvertently obtained personal information from

you from our websites, or from any other source, then we will delete that information as soon as

possible.

6.3 Please contact us at privacy@huma.com or privacy@medopad.com if you are aware that we

may have inadvertently collected personal information from a child.

7. Risks and how we keep your personal information secure

7.1 The main risk of our processing of your personal information is if it is lost, stolen or misused.

This could lead to your personal information being in the hands of someone else who may use it

fraudulently or make public, information that you would prefer to keep private.

7.2 For this reason, Huma is committed to protecting your personal information from loss, theft

and misuse. We take all reasonable precautions to safeguard the confidentiality of your personal

information, including through use of appropriate organisational and technical measures.

7.3 In the course of provision of your personal information to us, your personal information may be

transferred over the internet. Although we make every effort to protect the personal information which

you provide to us, the transmission of information over the internet is not completely secure. Please

keep that in mind when providing data to us using the Internet. Once we have received your personal

information, we will use strict procedures and security features to prevent unauthorized access to it.

7.4 Where we have given you (or where you have chosen) a password which enables you to

access your online account, you are responsible for keeping this password confidential. We ask you

not to share a password with anyone.

8. Links to other websites

Our website may contain hyperlinks to websites that are not operated by us. These hyperlinks are

provided for your reference and convenience only and do not imply any endorsement of the activities

of such third-party websites or any association with their operators. This privacy policy only applies to

the personal information that we collect or which we receive from third party sources, and we cannot

be responsible for personal information about you that is collected and stored by third parties. Third

party websites have their own terms and conditions and privacy policies, and you should read these

carefully before you submit any personal information to these websites. We do not endorse or

otherwise accept any responsibility or liability for the content of such third party websites or third party

terms and conditions or policies.

9. Changes to our privacy policy

We may update our privacy policy from time to time. Any changes we make to our privacy policy in the

future will be posted on this page and, where appropriate, notified to you by post or email. Please

check back frequently to see any updates or changes to our privacy policy.

10. Further questions and how to make a complaint

10.1 If you have any queries or complaints about our collection, use or Retention of your personal

information, or if you wish to exercise any of your rights in relation to your personal information, please

contact privacy@huma.com or privacy@medopad.com. We will investigate and attempt to resolve any

such complaint or dispute regarding the use or disclosure of your personal information.

10.2 In accordance with Article 77 of the General Data Protection Regulation, you may also make a

complaint to the Information Commissioner's Office, or the data protection regulator in the country

where you usually live or work, or where an alleged infringement of the General Data Protection

Regulation has taken place. Alternatively, you may seek a remedy through the courts if you believe

your rights have been breached.

The practices described in this privacy policy statement are current as of 21 May 2020.