Privacy Policy

1. Introduction

This Privacy Policy describes how Resonately collects and uses Personal Data about you through the use of our Website, mobile applications, and through email, text, and other electronic communications between you and Resonately.

Resonately ("Resonately," or "we," "our," or "us") respects your privacy, and we are committed to protecting it through our compliance with this policy. This Privacy Policy (our "Privacy Policy") describes the types of information we may collect from you or that you may provide when you visit or use our website located here (our "Website") or our Resonately mobile application (our "App") and our practices for collecting, using, maintaining, protecting, and disclosing that information. For purposes of this Privacy Policy, our Website, App and all related services and functionality that we provide through them are referred to as our "Digital Services".

This policy applies to information we collect:

• on our Digital Services;
• in email, text, and other electronic messages between you and our Digital Services; when you interact with our advertising and applications on third party websites and
• services, if those applications or advertising include links to this policy.

It does not apply to information collected by:

• that may link to or be accessible from or on the Digital Services.

Please read this policy carefully to understand our policies and practices regarding your information and how we will treat it. If you do not agree with our policies and practices, your choice is not to use our Digital Services. By accessing or using our Digital Services, you agree to this Privacy Policy. This Privacy Policy may change from time to time (see Changes to Our Privacy Policy). Your continued use of our Digital Services after we make changes is deemed to be acceptance of those changes, so please check this Privacy Policy periodically for updates.

Health Information

Some information we collect constitutes or may constitute health and/or medical information, including protected health information ("PHI") under the U.S. Health Insurance Portability and Accountability Act ("HIPAA"). Resonately is not a health care provider or health insurance plan or provider. Any health care services relating to or available through our Digital Services will be provided by independent medical practitioners ("Providers"). Your Provider will provide you with a Notice of Privacy Practices describing its collection, use and disclosure of your PHI, not Resonately.

Resonately is or may be a "business associate" (as that term is used under HIPAA) that provides services to and for Providers, referred to as "covered entities" under HIPAA, and enters into business associate agreements with these covered entities. Resonately will use and disclose PHI only in accordance with the applicable business associate agreement(s), HIPAA and other applicable laws.

2. Children Under the Age of 18

Our Digital Services are not intended for children under the age of 18 and children under the age of 18 are not permitted to use our Digital Services. We will remove any information about a child under the age of 18 if we become aware of it.

Our Digital Services are not intended for children under 18 years of age without the consent of a parent or guardian. If you are under 18, we require that your parent or guardian use our Digital Services on your behalf to the extent possible. If you are under 18 and do not have parental consent, do not use or provide any information on or in our Digital Services or on or through any of their features, including your name, address, telephone number, email address, or any screen name or user name you may use. If we learn we have collected or received Personal Data from a child under 18 without verification of parental consent, we will delete that information. If you believe we might have any information from a child under 18, please contact us using our contact information below.

3. Data Controller, Data Protection Officer, and Representative

Resonately is the data controller of the Personal Data you provide on the Digital Services. Resonately has appointed a Data Protection Officer in compliance with the General Data Protection Regulation.

Resonately is the data controller of your Personal Data. Resonately has appointed a Data Protection Officer and a representative in the European Union in compliance with the General Data Protection Regulation. Resonately, its Data Protection Officer, or its representative may be contacted in any manner set forth below in the "Contact Information" Section of this Privacy Policy.

4. Lawful Basis for Processing Your Personal Data

We have a lawful basis for our processing of your Personal Data, including processing for our legitimate interests (when balanced against your rights and freedoms), to fulfill our obligations to you under a contract with you, and required by law, and with your consent.

If you are in the European Union, the processing of your Personal Data is lawful only if it is permitted under the applicable data protection laws. We have a lawful basis for each of our processing activities (except when an exception applies as described below):

• Consent. By using our Digital Services, you consent to our collection, use, and sharing of your Personal Data as described in this Privacy Policy. If you do not consent to this Privacy Policy, please do not use the Digital Services;
• Legitimate Interests. We will process your Personal Data as necessary for our legitimate interests. Our legitimate interests are balanced against your rights and freedoms and we do not process your Personal Data if your rights and freedoms outweigh our legitimate interests. Our legitimate interests are to: facilitate communication between Resonately and you; detect and correct bugs and to improve our Digital Services; safeguard our IT infrastructure and intellectual property; detect and prevent fraud and other financial crime; promote and market our business; check your credit and perform risk assessments; perform employment screening and to manage our workforce, assets, and business; develop our product and services; and to deliver telehealth services to you, including corresponding with your Provider;
• To Fulfill Our Obligations to You under our Contract. We process your Personal Data in order to fulfill our obligations to you pursuant to our contract with you to deliver our goods and services to you.
• As Required by Law. We may also process your Personal Data when we are required or permitted to by law; to comply with government inspections, audits, and other valid requests from government or other public authorities; to respond to legal process such as subpoenas; or as necessary for us to protect our interests or otherwise pursue our legal rights and remedies (for instance, when necessary to prevent or detect fraud, attacks against our network, or other criminal and tortious activities), defend litigation, and manage complaints or claims.

5. Special Categories of Information

We may process some Personal Data considered sensitive when necessary to carry out our obligations under the law or to protect our legitimate interests.

Some Personal Data processed by Resonately may be considered sensitive, including personal data that reveals your racial or ethnic origin, religious or philosophical beliefs, or personal data concerning your health or data concerning your sex life or sexual orientation or history of criminal convictions. Resonately processes this information only to the extent necessary to carry out its obligations under the law or to the extent necessary to protect Resonately's legitimate interests.

6. Automated Decisions Making

We generally do not use your Personal Data with any automated decision making processes.

Resonately does not use your Personal Data with any automated decision making process, including profiling, which may produce a legal effect concerning you or similarly significantly affect you.

7. Information We Collect About You and How We Collect It

We collect different types of information about you, including information that may directly identify you, information that is about you but individually does not personally identify you, and information that we combine with our other users. This includes information that we collect directly from you or through automated collection technologies.

Generally

We collect several types of information from and about users of our Digital Services, specifically information:

• by which you may be personally identified, such as name, postal address, billing address, finger print ID, facial ID, e-mail address, home, work, and mobile telephone numbers, date of birth, credit or debit card number (for payment purposes only), and information relating to your Provider accounts or patient portal accounts, including, but not limited to racial or ethnic origin, religious beliefs, sexual orientation and preferences, gender identity, etc ("Personal Data");
• that is about you but individually does not identify you, such as traffic data, logs, referring/exit pages, date and time of your visit to or use of our Digital Services, error information, clickstream data, and other communication data and the resources that you access and use on or through our Digital Services; or
• about your Internet connection, the equipment you use to access or use our Digital Services and usage details.

We collect this information:

• directly from you when you provide it to us;
• automatically as you navigate through or use our Digital Services. Information collected automatically may include usage details, IP addresses, your Internet activity while on our Site and others (e.g., pages viewed, clicks, scrolling and mouse-overs) and other information collected through cookies, web beacons, session replay software and other tracking technologies; and Information about your computer and internet connection, i.e. your IP address, unique device identifier, unique advertising identifier, operating system, and browser type.
• From third parties, for example, our business partners;
• through the use of the global positioning system and Cell ID ("Geolocation") which allows us to collect your precise or estimated location in real-time;
• automatically if you use your social media accounts (Facebook, Google, Discord etc.) as the means to login to our Site and use our Services; and
• from third parties, for example, our business partners.

Information You Provide to Us

The information we collect on or through our Digital Services is:

• Personal Data such as the data identified above;
• Information that you provide by filling in forms on our Digital Services. This includes information provided at the time of registering to use our Digital Services, using our services or other services available through the Digital Services, purchasing products, or requesting further services. We may also ask you for information when you report a problem with our Digital Services;
• Records and copies of your correspondence (including email addresses), if you contact us;
• Details of transactions you carry out through our Digital Services and of the fulfillment of your orders. You may be required to provide financial information before placing an order through our Digital Services.

You also may provide information to be published or displayed (hereinafter, "posted") on public areas of the Digital Services or transmitted to other users of the Digital Services or third parties (collectively, "User Contributions"). Your User Contributions are posted on and transmitted to others at your own risk. You can also share your public posts, including images and other personal and identifying information, on social media and other similar platforms, and through emails and text messages. Keep in mind that when you create public posts, other users can see and share your posts through other social media sites, and even screen shots taken before you modify or delete a post, so you should be careful and thoughtful with your public posts. Similarly, as provided in our Terms of Use you may not re-post, copy or share posts or content relating to users or other third parties in a harassing, offensive, defamatory, illegal or other inappropriate manner. Although we limit access to certain pages, please be aware that no security measures are perfect or impenetrable. Additionally, we cannot control the actions of other users of the Digital Services with whom you may choose to share your User Contributions. Third-party social media platforms have their own privacy policies, and you may be giving them permission to use your data in ways we would not. Therefore, we cannot and do not guarantee that your User Contributions will not be viewed by unauthorized persons.

Information We Collect Through Automatic Data Collection Technologies

As you navigate through and interact with our Digital Services, we may use automatic data collection technologies to collect certain information about your equipment, browsing actions, and patterns, specifically:

• Usage Details. Details of your visits to our Digital Services, such as traffic data, location, logs, referring/exit pages, date and time of your visit to or use of our Digital Services, error information, clickstream data, and other communication data and the resources that you access and use on or in the Digital Services; and
• Device Information. Information about your computer, mobile device, and Internet connection, specifically your IP address, operating system, browser type, and Application version information.
• Location Data. The Digital Services, depending on the version, may collect information about the location of your device. If you do not want us to collect this information, you can chose not to enable or you can turn-off collection of location information using the privacy settings in the Digital Services or your device.

The information we collect automatically may include Personal Data or we may maintain it or associate it with Personal Data we collect in other ways or receive from third parties. It helps us to improve our Digital Services and to deliver a better and more personalized service by enabling us to:

• estimate our audience size and usage patterns;
• store information about your preferences, allowing us to customize our Digital Services according to your individual interests;
• recognize you when you return to our Digital Services.

The technologies we use for this automatic data collection may include:

• Cookies (or browser cookies). We and our service providers may use cookies, web beacons, and other technologies to receive and store certain types of information whenever you interact with our Digital Services through your computer or mobile device. A cookie is a small file or piece of data sent from a website and stored on the hard drive of your computer or mobile device. On your computer, you may refuse to accept browser cookies by activating the appropriate setting on your browser, and you may have similar capabilities on your mobile device in the preferences for your operating system or browser. However, if you select this setting you may be unable to access or use certain parts of our Digital Services. Unless you have adjusted your browser or operating system setting so that it will refuse cookies, our system will issue cookies when you direct your browser to our Website or use our App.
• Google Analytics. We use Google Analytics, a web analytics service provided by Google ("Google") to collect certain information relating to your use of our Website. Google Analytics uses "cookies", which are text files placed on your computer, to help our Website analyze how users use the site. You can find out more about how Google uses data when you visit our Website by visiting "How Google uses data when you use our partners'; sites or apps", (located at www.google.com/policies/privacy/partners/). We may also use Google Analytics Advertising Features or other advertising networks to provide you with interest- based advertising based on your online activity. For more information regarding Google Analytics please visit Google's website, and pages that describe Google Analytics, such as www.google.com/analytics/learn/privacy.html.

8. How We Use Your Information

We use your Personal Data for various purposes described below, including to:

• provide our Digital Services to you;
• provide products and services to you;
• provide you with information you request from us;
• enforce our rights arising from contracts;
• notify you about changes; and
• provide you with notices about your account.

We use information that we collect about you or that you provide to us, including any Personal Data:

• to provide our Website and its functionality, contents and services to;
• to provide our App and its functionality, contents and services;
• to provide our products and services to you;
• to provide you with information, products, or services that you request from us or that may be of interest to you;
• to process, fulfill, support, and administer transactions and orders for products and services ordered by you;
• to provide you with notices about your Resonately account;
• to contact you in response to a request;
• to fulfill any other purpose for which you provide it;
• to carry out our obligations and enforce our rights arising from any contracts entered into between you and us, including for billing and collection;
• to notify you about changes to our Digital Services or any products or services we offer or provide though them;
• in any other way we may describe when you provide the information; and
• for any other purpose with your consent.

We may also use your information to contact you about goods and services that may be of interest to you, including through newsletters. If you wish to opt-out of receiving such communications, you may do so at any time by clicking unsubscribe at the bottom of these communications or by visiting your Account Preferences page. For more information, see Choices About How We Use and Disclose Your Information.

Some information Resonately collects constitutes protected health information ("PHI") under the U.S. Health Insurance Portability and Accountability Act ("HIPAA"). As set forth above, your medical provider will provide you with a Notice of Privacy Practices describing its collection, use, and disclosure of your health information, not Resonately. Resonately will use and disclose PHI only as permitted in Resonately's agreements with your medical provider and we only collect the PHI we need to fully perform our services and to respond to you or your Provider. If you choose to share your data with third parties through our Digital Services, you understand that we have no liability or obligation in connection with that data. Resonately will not, and does not, have any control of data shared to others, or the sharing capabilities of third parties. We may use your PHI to contact you to the extent permitted by law, to provide requested services, to provide information to your Providers and insurers, to obtain payment for our services, to respond to your inquiries and requests, and to respond to inquiries and requests from your Providers and benefits program. We may combine your information with other information about you that is available to us, including information from other sources, such as from your Providers, insurers or benefits program, in order to maintain an accurate record of our participants. PHI will not be used for any other purpose, including marketing, without your consent.

9. Disclosure of Your Information

We do not share, sell, or otherwise disclose your Personal Data for purposes other than those outlined in this Privacy Policy.

We disclose your Personal Data to a few third parties, including:

• our affiliates and third party service providers that we use to support our business;
• to a Resonately we merge, acquire, or that buys us, or in the event of change in structure of our Resonately of any form;
• to comply with our legal obligations;
• to affiliates and third parties for their own commercial purposes;
• to enforce our rights; and
• with your consent.

We do not share, sell, or otherwise disclose your Personal Data for purposes other than those outlined in this Privacy Policy. However, we may disclose aggregated information about our users, and information that does not identify any individual, without restriction.

We may disclose Personal Data that we collect or you provide as described in this Privacy Policy:

• to affiliates, contractors, service providers, and other third parties we use to support our business. The services provided by these organizations include providing IT and infrastructure support services, and ordering, marketing, and payment processing services;
• to a buyer or other successor in the event of a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which Personal Data held by Resonately about our Digital Services users are among the assets transferred;
• to fulfill the purpose for which you provide it;
• for any other purpose disclosed by us when you provide the information;
• with your consent.

We may also disclose your Personal Data:

• to comply with any court order, law, or legal process, including to respond to any government or regulatory request;
• to affiliates and third parties to market their products or services to you if you have not opted out of these disclosures. For more information, see Choices About How We Use and Disclose Your Information;
• to enforce or apply our Terms of Use and other agreements, including for billing and collection purposes; and
• if we believe disclosure is necessary or appropriate to protect the rights, property, or safety of Resonately, our customers, or others. This includes exchanging information with other companies and organizations for the purposes of fraud protection and credit risk reduction.

10. Choices About How We Use and Disclose Your Information

We offer you choices on how you can opt out of our use of tracking technology, disclosure of your Personal Data for our advertising to you, and other targeted advertising.

We do not control the collection and use of your information collected by third parties described above in Disclosure of Your Information. These third parties may aggregate the information they collect with information from their other customers for their own purposes.

In addition, we strive to provide you with choices regarding the Personal Data you provide to us. We have created mechanisms to provide you with control over your Personal Data:

• Tracking Technologies and Advertising. You can set your browser or operating to refuse all or some cookies, or to alert you when cookies are being sent. If you disable or refuse cookies, please note that some parts of our Digital Services may then be inaccessible or not function properly
• Promotional Offers from Resonately. If you do not wish to have your email address used by Resonately to promote our own products and services, you can opt-out at any time by clicking the unsubscribe link at the bottom of any email or other marketing communications you receive from us or logging onto your Account Preferences page. This opt out does not apply to information provided to Resonately as a result of a product purchase, or your use of our services. You may have other options with respect to marketing and communication preferences through our Digital Services.
• Disclosure of Your Information to Affiliates and Third Parties. By using our Digital Services, you consent to our sharing of your Personal Data with our affiliates and third parties for their promotional purposes. If you wish to unsubscribe from such affiliate and third parties' promotions, you can do so by clicking the unsubscribe link at the bottom of any email or other marketing communications you receive from them. If you wish to opt-out of such sharing, please email us privacy@getresonately.com
• Targeted Advertising. To learn more about interest-based advertisements and your opt-out rights and options, visit the Digital Advertising Alliance and the Network Advertising Initiative. Please note that if you choose to opt out, you will continue to see ads, but they will not be based on your online activity. We do not control third parties' collection or use of your information to serve interest-based advertising. However, these third parties may provide you with ways to choose not to have your information collected or used in this way. You can also opt out of receiving targeted ads from members of the NAI on its website.

11. Your Rights Regarding Your Information and Accessing and Correcting Your Information

You may have certain rights under applicable data protection laws, including the right to access and update your Personal Data, restrict how it is used, transfer certain Personal Data to another controller, withdraw your consent at any time, and the right to have us erase certain Personal Data about you. You also have the right to complain to a supervisory authority about our processing of your Personal Data.

Applicable data protection laws may provide you with certain rights with regards to our processing of your Personal Data.

• Access and Update. You can review and change your Personal Data by logging into the Digital Services and visiting your "Profile" page. You may also notify us through the Contact Information below of any changes or errors in any Personal Data we have about you to ensure that it is complete, accurate, and as current as possible. We may also not be able to accommodate your request if we believe it would violate any law or legal requirement or cause the information to be incorrect.
• Restrictions. You have the right to restrict our processing of your Personal Data under certain circumstances. In particular, you can request we restrict our use of it if you contest its accuracy, if the processing of your Personal Data is determined to be unlawful, or if we no longer need your Personal Data for processing but we have retained it as permitted by law.
• Portability. To the extent the Personal Data you provide Resonately is processed based on your consent or that we process it through automated means, you have the right to request that we provide you a copy of, or access to, all or part of such Personal Data in structured, commonly used and machine-readable format. You also have the right to request that we transmit this Personal Data to another controller, when technically feasible.
• Withdrawal of Consent. To the extent that our processing of your Personal Data is based on your consent, you may withdraw your consent at any time by closing your account. Withdrawing your consent will not, however, affect the lawfulness of the processing based on your consent before its withdrawal, and will not affect the lawfulness of our continued processing that is based on any other lawful basis for processing your Personal Data.
• Right to be Forgotten. You have the right to request that we delete all of your Personal Data. We cannot delete your Personal Data except by also deleting your user account, and we will only delete your account when we no longer have a lawful basis for processing your Personal Data or after a final determination that your Personal Data was unlawfully processed. We may not accommodate a request to erase information if we believe the deletion would violate any law or legal requirement or cause the information to be incorrect. In all other cases, we will retain your Personal Data as set forth in this policy. In addition, we cannot completely delete your Personal Data as some data may rest in previous backups. These will be retained for the periods set forth in our disaster recovery policies.
• Deleting Your Account and Data. Resonately gives you the ability to permanently delete your Resonately account at any time for any reason. When your Resonately account is deleted, your details in the data associated with your account are permanently deleted, subject to our legal records retention obligations under applicable law. If you delete your account, you will not be able to access any data, content or services that were associated with your account. Messages and content posted publicly are permanently deleted. You will not be able to receive any messages relating to your account. Accordingly, you should copy or backup any data associated with your account that you wish to retain and reference in the future.
• How to Delete Your Account and Data. You can delete your account and associated data using the functionality available in our App. Specifically, you can navigate to the Personal Info section of your Profile, click Delete Account, and follow the confirmation prompts. After you request deletion of your Resonately account, we reserve the right to verify that you are the account-holder who made the request. After this verification is complete, account details and data associated with your account are permanently deleted from our servers. When you delete your account, we make our best effort to delete all personal data associated with your account. However, we are required to retain certain medical records (e.g., direct messages from providers), and past transaction information for financial reporting and legal purposes. We may also be required to retain certain information to comply with legal contracts, legal proceedings or other legal purposes. We also may retain a way to contact you in the future if necessary for legal, operational or compliance purposes.
• Complaints. You have the right to lodge a complaint with the applicable supervisory authority in the country you live in, the country you work in, or the country where you believe your rights under applicable data protection laws have been violated. However, before doing so, we request that you contact us directly in order to give us an opportunity to work directly with you to resolve any concerns about your privacy.
• How You May Exercise Your Rights. You may exercise any of the above rights by contacting us through any of the methods listed under Contact Information below and through the live chat feature of our Digital Services. If you contact us to exercise any of the foregoing rights, we may ask you for additional information to verify your identity. We reserve the right to limit or deny your request if you have failed to provide sufficient information to verify your identity or to satisfy our legal and business requirements. Please note that if you make unfounded, repetitive, or excessive requests (as determined in our reasonable discretion) to access your Personal Data, you may be charged a fee subject to a maximum set by applicable law.

12. Do Not Track Signals

We currently do not use automated data collection technologies to track you across websites. We currently do not honor do-not-track signals that may be sent by some browsers.

Some web browsers permit you to broadcast a signal to websites and online services indicating a preference that they "do not track" your online activities. At this time, we do not honor such signals, but we currently do not use automated data collection technologies to collect information about your online activities over time and across third party websites or other online services (behavioral advertising).

13. Data Security

Information transmitted over the Internet is not completely secure, but we do our best to protect your Personal Data. You can help protect your Personal Data and other information by keeping your password to our Digital Services confidential.

We have implemented measures designed to secure your Personal Data from accidental loss and from unauthorized access, use, alteration, and disclosure. We use encryption technology for information sent and received by us.

The safety and security of your information also depends on you. Where you have chosen a password for the use of our Digital Services, you are responsible for keeping this password confidential. We ask you not to share your password with anyone.

Unfortunately, the transmission of information via the Internet is not completely secure. Although we do our best to protect your Personal Data, we cannot guarantee the security of your Personal Data transmitted to, on or through our Digital Services. Any transmission of Personal Data is at your own risk. We are not responsible for circumvention of any privacy settings or security measures contained on the Website, in your operating system, or in the App.

14. California Privacy Rights for California Residents

Under some circumstances, California law may provide you with the right to obtain a list of third parties (if any) that we provide your Personal Data to for their own direct marketing purposes.

California Civil Code Section 1798.83 (California's "Shine the Light" law) permits users of our Digital Services that are California residents and who provide Personal Data in obtaining products and services for personal, family, or household use to request certain information regarding our disclosure of Personal Data to third parties for their own direct marketing purposes. If applicable, this information would include the categories of Personal Data and the names and addresses of those businesses with which we shared your Personal Data with for the immediately prior calendar year (e.g. requests made in 2020 will receive information regarding such activities in 2019). You may request this information once per calendar year. To make such a request, please contact us using the Contact Information below.

15. Changes to Our Privacy Policy

We will post any changes to our Privacy Policy on our Website. If we make material changes to our Privacy Policy, we may notify you of such changes through your contact information and invite you to review (and accept, if necessary) the changes.

We may change this Privacy Policy at any time. It is our policy to post any changes we make to our Privacy Policy on this page with a notice that the Privacy Policy has been updated on the Website's home page or the App's home screen. If we make material changes to how we treat our users' Personal Data, we will notify you by email to the email address specified in your account and/or through a notice on the Website's home page or the App's home screen. The date this Privacy Policy was last revised is identified at the top of the page. You are responsible for ensuring we have an upto- date active and deliverable email address for you, and for periodically accessing the App or visiting our Website and reviewing this Privacy Policy to check for any changes.

16. Contact Information

You may contact us through the contact information below.

If you have any questions, concerns, complaints or suggestions regarding our Privacy Policy or otherwise need to contact us, you may contact us at the contact information below or through the "Contact Us" page on or in our Digital Services.