Subject Well Privacy Notice

Last Updated Date: July 9, 2020

I. GENERAL

Subject Well, Inc. and its group entities (“SubjectWell”, “we”, or “us”) offer clinical trial participant
recruitment services (the “Services”). This Privacy Policy sets out how we use and protect your Personal
Information and your rights and choices with regard to that information. This Privacy Policy applies to
Personal Information collected by or on behalf of SubjectWell, including information collected through our
website https://www.subjectwell.com and mobile versions of our
websites (the “Site”) or anywhere else we display this Privacy Policy. It also applies to information
collected by email, phone, or other offline communication mechanisms. For information on how we handle
information collected from registered end users or applicants for the Services, please refer to our
recruiting websites at: https://www.trialhero.com
and https://www.trials.world.

By visiting or using the Site, you accept and consent to the terms of this Privacy Policy in effect at the
time of your visit or use.

II. WHAT WE MEAN BY “PERSONAL INFORMATION”

For purposes of this Privacy Policy, “Personal Information” means information that directly or indirectly
identifies you or can be used to identify you as an individual.

III. WHAT PERSONAL INFORMATION DO WE COLLECT?

(1) Information You Provide to Us

When you use the Site or otherwise communicate or interact with us, we collect information that you provide
to us directly. For example, we collect information in the following circumstances: when you contact us;
when you inquire about or apply for a job; and when you otherwise communicate with us. You may choose whether or
not to provide or disclose your Personal Information in connection with your use of the Site. If you choose not
to provide the Personal Information we request, you may still visit and use parts of the Site, but may be
unable to access or use certain features of the Site.

The Personal Information you provide to us may include the following:

  • Information you provide via email, through our ‘Contact’ section or form on the site, or using contact
    details listed on various parts of the Site, including your business type, name, company name, business e-mail
    and phone number, and any other information you decide to provide;
  • If you are one of our customers, suppliers, or prospects, or interested in serving as an investigator of
    a clinical trial, we may collect or process limited Personal Information in the course of our business
    relations with you. For example, when you engage us for our Services, sign up for a webcast, request a
    demo, or the like. Such Personal Information may include your name, company name, business title, order
    details, and business contact details (e-mail address, telephone number, address);
  • If you are a job applicant or candidate and apply for an employment opportunity with us, you may provide
    your name, e-mail, phone number, name of a referral (if applicable), educational background, employment
    history, indication of shift preferences, or any other information you choose to provide via your resume
    or submission; and
  • We may also collect any other information you may want to share with us. Moreover, if you contact us, a
    record of such correspondence may be kept.

(2) Information Collected Automatically

Certain information is collected automatically on the Site by means of various software tools. We have a
legitimate interest in using such information to assist in client log-in, systems administration purposes,
information security and abuse prevention, to track user trends, and to analyze the effectiveness of the
Site. Alone or in combination with other information, such automatically collected information may
constitute Personal Information. Some of our service providers (described in Section V., below) may use
cookies or other methods to gather information regarding your use of the Site and to track your activities
over time and across sites to provide advertising services to us.

  • Log Files On the Site. The information inside the log files includes internet protocol (“IP”)
    addresses, type of browser, Internet Service Provider (“ISP”), date/time stamp, referring/exit pages,
    clicked pages and other information your browser may send to us about your use of the Site.
  • Cookies. We use cookies to make interactions with the Site easy and meaningful. When you visit
    the Site, our servers may send a cookie to your computer. We may use cookies that are session-based and
    persistent. Session cookies exist only during one session. They disappear from your computer when you
    close your browser software or turn off your computer. Persistent cookies remain on your computer after
    you close your browser or turn off your computer. Please note that if you disable your web browser’s
    ability to accept cookies, you will be able to navigate the Site, but you may not be able to use all of
    the features of the Site. The following sets out how we may use different categories of cookies and your
    options for managing cookie settings:
Type of Cookies Description Managing Settings
Required cookies Required cookies enable you to navigate the Site and use its features, such as accessing secure
areas of the Site and using our services. If you have chosen to identify yourself to us, we use cookies
containing encrypted information to allow us to uniquely identify you. Each time you log into our Site, a
cookie containing an encrypted, unique identifier that is tied to your account is placed on your browser.
These cookies allow us to uniquely identify you when you are logged into the Site and to process your
online transactions and requests.
Because required cookies are essential to operate the Site, there is no option to opt out of these
cookies.
Performance cookies These cookies collect information about how you use our Site, including which pages you go to most
often and if they receive error messages from certain pages. These cookies do not collect information
that individually identifies you. Information is only used to improve how the Site functions and
performs. From time-to-time, we may engage service providers to track and analyze usage and volume
statistical information relating to individuals who visit the Site. We may also utilize Flash cookies
for these purposes.
To learn how to opt out of performance cookies using your browser settings, click
here. To learn how to manage privacy and storage
settings for Flash cookies, click
here.
Functionality cookies Functionality cookies allow our Site to remember information you have entered or choices you make
(such as your username, language, or your region) and provide enhanced, more personal features. These
cookies also enable you to optimize your use of the Site after logging in. These cookies can also be
used to remember changes you have made to text size, fonts and other parts of web pages that you can
customize. We may use local shared objects, also known as Flash cookies, to store your preferences or
display content based upon what you view on the Site to personalize your visit.
To learn how to opt out of functionality cookies using your browser settings, click
here. To learn how to manage privacy and storage
settings for Flash cookies, click
here.
Targeting or Advertising cookies From time-to-time, we may engage service providers to track and analyze usage and volume statistical
information from individuals who visit the Site. We sometimes use cookies delivered by service
providers to track the performance of our advertisements. For example, these cookies remember which browsers
have visited the Site. By way of example, as you browse the Site, advertising cookies may be placed on
your computer so that we can understand what you are interested in. Our advertising partners then enable
us to present you with advertising on other sites based on your previous interaction with the Site.
Service providers, with whom we partner to provide certain features on the Site or to display advertising
based upon your web browsing activity, use Flash cookies to collect and store information. Flash cookies
are different from browser cookies because of the amount of, type of, and how data is stored.
To learn more about these and other advertising networks and their opt out instructions, click
here. To
learn how to manage privacy and storage settings for Flash cookies, click
here.
  • Analytics. The Site also uses Google Analytics. By using cookies, Google Analytics collects and
    stores data such as time of visit, pages visited, time spent on each page of the Site, the IP address, and the
    type of operating system used in the devices used to access the Site. By using a browser plugin available at
    http://www.google.com/ads/preferences/plugin/
    provided by Google, you can opt out of Google Analytics.

(3) Do-Not-Track Signals

Some browsers have a “Do-Not-Track” feature that lets you tell websites that you do not want to have your
online activities tracked. When you choose to turn on the Do-Not-Track setting in your browser, your
browser sends a signal to websites, analytics companies, ad networks, plug-in providers, and other web
services that you may encounter while browsing the Internet, instructing them to stop tracking your
activity via cookies or other online tracking technologies. The Site does not currently respond to browser
based Do-Not-Track signals. For information regarding Do-Not-Track and how to enable this setting if
available on your devices, please see https://allaboutdnt.com.

IV. PURPOSES FOR OUR COLLECTION AND USE OF PERSONAL INFORMATION

We may use Personal Information obtained through the Services in the following ways:

  • To provide the Services;
  • To provide, analyze, administer, develop, and improve the Site or our Services;
  • To contact you in connection with the Site, our Services, and notifications, services, programs or
    offerings for which you may have registered;
  • To send you updates and promotional materials for which you have registered;
  • To assess the qualifications, backgrounds and candidacy of job applicants and candidates;
  • To identify and authenticate your access to the parts of the Site and Services that you are authorized
    to access;
  • For our legitimate interests of documenting and managing our internal administration;
  • To protect the rights and/or our property and to ensure the technical functionality and security of the
    Site or Services; and
  • To comply with applicable laws and for our legitimate purposes of protecting our legal rights, in
    connection with legal claims or enforcement of contracts, and for compliance, regulatory, and investigative
    purposes. This may include sharing the Personal Information with third parties, such as governmental
    authorities or law enforcement officials, subject to applicable law.

V. WHO DO WE SHARE PERSONAL INFORMATION WITH?

We may disclose Personal Information you provide to us or that we collect automatically on the Site or in and
through the Services with the following categories of third parties:

  • Service providers, such as data storage service providers, marketing service providers, and
    communications service providers that help us operate our business or provide services on our behalf;
  • Public authorities, such as law enforcement, if we are legally required to do so or if we need to for
    national security or to protect our rights or the rights of third parties;
  • Our subsidiaries and affiliates for our business operations; and
  • A subsequent owner, co-owner or operator of the Site and their advisors in connection with a corporate
    merger, consolidation, restructuring, the sale of substantially all of our stock and/or assets, or in connection
    with bankruptcy proceedings, or other corporate reorganization, in accordance with this Privacy Policy.

VI. COMMUNICATION PREFERENCES

With your consent (unless otherwise permitted by applicable law) we use the Personal Information you provide
us to send you information on our products and Services and other information based on the interests that you
have indicated to us. You have the right to opt out of getting those messages. If you do not wish to receive
these messages, click the unsubscribe link in your email. Please note that these selections are not permanent;
they may be changed in the event you register for other Services or communications and consent to receive
marketing messages. Please also note that even if you unsubscribe from commercial email messages, we may still email
you non-marketing emails related to your account or the Services for which you have registered. You may also
email us at privacy@subjectwell.com for assistance.

VII. THIRD-PARTY PRACTICES

The Site may contain links to other sites, which are not owned or operated by us or our affiliates. We
provide such links only as a convenience, and the inclusion of a link on the Site does not imply our endorsement of
the linked site. Other sites may also reference or link to our Site. If you provide any Personal Information
through a third-party website, your transaction will occur on such third party’s website (not our Site) and the
Personal Information you provide will be collected by, and controlled by the privacy policy of, that third
party. We are not responsible for the privacy practices or the content of such third-party websites, including
such websites’ use of any Personal Information that you provide to them.

VIII. NOTICE TO CALIFORNIA RESIDENTS

The information in this section applies to residents of California. Please contact us at
privacy@subjectwell.com if you have any questions about this Privacy
Policy, including this section specific to California residents, or if you would like a printed copy of this
Privacy Policy. You may also print a copy of this Privacy Policy by selecting the “Print” button in your web browser.

(1) How We Collect and Use Personal Information

In accordance with the California Consumer Privacy Act of 2018 (“CCPA”), this section describes the Personal
Information we collected about California residents in the last 12 months, the sources of that information,
our business or commercial purposes for collecting the information, and the third parties with whom we shared
that information. Please refer to the corresponding sections of this policy above for details on the
following:

(2) Your Rights and How to Exercise Them

Under the CCPA, California residents have certain rights with regard to their Personal Information. Those
rights may only apply in certain circumstances and may be subject to limitations or exceptions. A summary of
those rights is provided below as well as information on how to exercise your rights. Please note that we will
require certain identifying information about you as necessary for us to verify your request in accordance with
applicable law.

  • Right to Know: You have the right to ask us to tell you the categories of Personal Information
    we collected, the purposes for which we collected, sold or disclosed that information, and the
    categories of third parties to whom we disclosed the information in the last 12 months. To
    exercise this right, please complete our online form available
    here
    or email your request to privacy@subjectwell.com and include
    “Disclosure Request” in the subject line of your message.
  • Right to Access: You have the right to request access to the specific pieces of Personal
    Information we collected, used, disclosed and/or sold about you in the last 12 months. To exercise
    this right, please complete our online form
    here
    or email your request to privacy@subjectwell.com and include
    “Access Request” in the subject line of your message.
  • Right to Delete: You have the right to request us to delete the Personal Information we have
    collected or maintain about you. Please note that certain exceptions may apply to your right to
    delete information, such as when we must retain Personal Information as required or permitted by
    law and we will maintain a copy of your deletion request. We will notify you if any such
    exceptions apply to your request. To exercise this right, please complete our online form
    available
    here
    or email us at privacy@subjectwell.com and include “Deletion
    Request” in the subject line of your message.
  • Right to Opt Out of Sale: You have the right to opt out or ask us not to sell your Personal
    Information. Please note that we do not sell your Personal Information. However, please note that
    we do use and share your information in order to help match you with clinical trials and provide
    our Services per your request.

We will not discriminate against you for exercising any of the rights noted above. However, we may offer
certain financial incentives, charge reasonable fees related to your requests, or deny your right to know, right to
access, or right to deletion in accordance with applicable law.

You can exercise these rights yourself or you can designate an authorized agent to make a request on your
behalf. If you would like an authorized agent to submit a request on your behalf, please send us an email at
privacy@subjectwell.com for instructions and details on proof
and information required for use of an authorized agent.

(3) How We Disclose Information

  • We disclosed personal information to third parties for business purposes during the last 12
    months. For more information on the categories of information we disclosed and to whom it was
    disclosed, see Sections III. and V. above.
  • We do not sell your personal information or the personal information of minors under age 16.

(4) Third-Party Marketing Disclosure

Under California Civil Code § 1798.83, California residents with whom we have a business relationship can
request information about the types of personal information, if any, we shared with third parties for the
direct marketing purposes of the third parties and the identities of the third parties with whom we shared such
information in the immediately preceding 12 months. We do not share your Personal Information with third
parties in this manner and have not done so in the last 12 months. You may request more information by contacting us
using the contact information at the bottom of this Privacy Policy.

IX. INDIVIDUAL RIGHTS – USERS IN THE EEA OR SWITZERLAND

Where we process Personal Information pertaining to individual located in the European Economic Area (“EEA”)
or Switzerland, those individuals are entitled to ask us for an overview of the Personal Information we have
about them and also to access, correct or delete certain Personal Information, restrict processing of their
Personal Information, or to ask us to transfer Personal Information to other organizations. Certain individuals can
also object to some processing of their Personal Information and, where we have asked for their consent, they can
withdraw their consent at any time. Insofar as Personal Information about them is processed, certain
individuals also have a right to know more about the protection we apply when transferring Personal
Information to areas outside the EEA.

Note that we are not legally obligated to agree to such requests in all circumstances, and in certain
circumstances, agreeing to a request may be infeasible – for example, a deletion request when we are
required by law to maintain the Personal Information. Please also note that we are not able to act on any of
the above requests if we are not in a position to identify an individual filing such request.

Where applicable, these rights can be exercised by completing the request form available
here:
or by sending us an email through the contact details further below. Depending on where you live, you may have
a right to lodge a complaint with a supervisory authority or other regulatory agency if you believe that we
have violated any of the rights concerning your Personal Information. We encourage you to first reach out to us
at privacy@subjectwell.com so we have an opportunity to address
your concerns directly before you do so. We are committed to compliance with the General Data Protection
Regulation (“GDPR”) where applicable, so please contact us through the details listed below if you have any
questions about these rights.

X. INTERNATIONAL TRANSFERS OF PERSONAL INFORMATION

SubjectWell is a U.S.-based company with domestic and international business clients. As a result, Personal
Information that we collect through the Site may be transferred to our U.S. offices to permit us to comply
with our legal and contractual obligations, to provide information and services to prospective and current
clients, and to perform related business activities. In addition, we may work with third-party service
providers in the U.S. and in other countries to support our business activities. Thus, Personal Information
may be transferred to, stored on servers in, and accessed from the U.S. and countries other than the country
in which the Personal Information was initially collected. In all such instances, we use, transfer, and
disclose Personal Information solely for the purposes described in this Privacy Policy.

XI. TRANSFERS OF PERSONAL INFORMATION FROM THE EEA OR SWITZERLAND TO THE UNITED STATES

Subject Well, Inc. participates in and has certified to the EU-U.S. Privacy Shield Framework and Swiss-U.S.
Privacy Shield Framework (collectively, “Privacy Shield”) as set forth by the U.S. Department of Commerce
regarding the collection, use, and retention of Personal Information from European Union (the “EU”) or EEA
member countries and Switzerland. SubjectWell has certified to the Department of Commerce that it adheres to
the Privacy Shield Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity
and Purpose Limitation, Access, and Recourse, Enforcement, and Liability. A violation of our commitment to
Privacy Shield may be investigated by the Federal Trade Commission and/or the United States Department of
Commerce. If there is any conflict between the policies in this Privacy Policy and the Privacy Shield
Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and
to view our certification page, to the extent available, please visit
https://www.privacyshield.gov.

In compliance with the Privacy Shield Principles, SubjectWell commits to resolve complaints about your
privacy and our collection or use of Personal Information about you. Persons in the EEA or Switzerland who
have inquiries or complaints regarding this Statement should first contact us via email at:
privacy@subjectwell.com. SubjectWell has committed to refer
unresolved privacy complaints under the EU-U.S. Privacy Shield Principles to
JAMS, an alternative dispute resolution provider located in the United States. If you do not receive timely
acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit
https://www.jamsadr.com/eu-us-privacy-shield for
more information and to file a complaint.

These recourse mechanisms are available at no cost to you. Damages may be awarded in accordance with
applicable law. Please note that if your complaint is not resolved through these channels, under limited
circumstances, a binding arbitration option may be available before a Privacy Shield Panel. Pursuant to the
Privacy Shield, SubjectWell remains potentially liable for the transfer of Personal Information to third
parties acting as our agents unless we can prove we were not a party to the events giving rise to the damages.

In cases of onward transfer to third parties of Personal Information of individuals in the EEA or Switzerland
received pursuant to the EU-U.S. and Switzerland-U.S. Privacy Shield, SubjectWell is potentially liable.

XII. DATA RETENTION

We keep Personal Information for as long as it is needed to fulfill the purposes for which it was collected,
to provide our Services, to deal with possible legal claims, to comply with our business interests and/or to
abide by all applicable laws. Thereafter, we either delete Personal Information about you or de-identify it.
Please note that even if you request the deletion of Personal Information about you, we may be required (by
law or otherwise) to retain the Personal Information and not delete it. However, once those requirements are
removed, we will delete Personal Information about you in accordance with your request.

XIII. DATA SECURITY

We follow generally accepted industry standards to protect the Personal Information we collect or process
through the Site. However, no method of transmission over the Internet, or method of electronic storage, is
100% secure. Therefore, while we strive to use commercially acceptable means to protect Personal Information,
we cannot guarantee its absolute security.

XIV. CHILDREN

The Site is not intended for children under the age of 13. Accordingly, we do not intend to collect Personal
Information from anyone we know to be under 13 years of age through the Site. If we become aware that a
child under age 13 has provided Personal Information through the Site, we will delete such information from our
files.

XV. CHANGES TO THE PRIVACY POLICY

This Privacy Policy may change from time to time, effective from the date mentioned in the updated version of
the Privacy Policy. Please check the Site periodically to review such changes in the Privacy Policy. We may
email periodic reminders of our agreements and policies in the event of a material change.

XVI. CONTACT US

If you have any questions about this Privacy Policy or about our privacy or data security
practices, please contact us or our Data Protection Officer via the following:

E-mail: privacy@subjectwell.com
Address: 7000 N MoPac Expy
Ste 330
Austin, TX 78731
USA

You can also contact our representative in the European Union:

European Data Protection Office (EDPO):
Name: Lucia Canga Roza
E-mail: lucia.canga@edpo.brussels
Phone number: +32 499 24 28 45