Subject Well Privacy Statement For Clinical Trial Recruitment

Effective Date: September 30, 2019

I. GENERAL

Subject Well, Inc. and its group entities (“SubjectWell”, or “we”) offer clinical trial participant
recruitment services (the “Services”). This Privacy Statement sets out how we use and protect any information
that you provide to SubjectWell in connection with the Services. In connection with the Services, you may sign
up for clinical trial matching or may otherwise become a clinical trial candidate through us. Insofar as our
Services process Personal Information, this Privacy Statement applies. If you wish to know about our privacy
practices relating to our websites, please visit our
privacy policy.

II. WHAT WE MEAN BY “PERSONAL INFORMATION”

For purposes of this Privacy Statement, “Personal Information” means any information from or about a person
that either identifies that person directly or that makes that person identifiable when it is combined with
other information from or about that person from any source.

III. WHAT PERSONAL INFORMATION DO WE COLLECT?

(1) Information You Provide to Us

In connection with the Service, or when you otherwise communicate with us, we collect information that you
provide to us directly. For example, we collect information in the following circumstances: when you sign up
for clinical trial matching, when you contact us, and when you otherwise communicate with us.

The information you provide to us directly may include, without limitation, the following information that
may, alone or in combination with other information, constitute Personal Information:

  • Information you provide via email or using the contact details listed on various parts of the website
    where this Privacy Statement appears, including your name, phone number, and any other information you
    provide to us; and
  • Information you provide in order to sign up for clinical trial opportunities, including your name, age,
    email address, your health conditions relevant to the clinical trial opportunities, or any other information
    you decide to provide us with;
  • Other information: We may also collect any other information you may want to share with us. Moreover, if
    you contact us, a record of this correspondence may be kept.

(2) Information Received From Third Parties

We may also obtain data from third-party sources such as data providers in accordance with applicable law.
Our data providers include, not by way of limitation Human API, the entity that SubjectWell partners with to
provide free patient medical record retrieval for clinical trial recruitment. For more information, please
visit https://www.humanapi.co/.

SubjectWell does not buy or sell Personal Information.

IV. PURPOSES FOR OUR COLLECTION AND USE OF PERSONAL INFORMATION

If you submit or we collect Personal Information through the Services, then such Personal Information may be
used for the following purposes: (i) to provide and administer the Services; (ii) to contact you in connection
with the Services (iii) to identify and authenticate your access to the Services that you are authorized to
access; (iv) to assess whether a clinical trial is suited for you and to contact you when a potential clinical
trial is identified and to bring you in contact with principal investigators, clinical research sites or
clinical trial service providers, using solely for these purposes the health information that is provided to
us based on your consent, and (v) for our legitimate interests of documenting and managing our internal
administration and protecting our rights and/or our property.

Once you register for our Services, you may be contacted at the phone number you provide including wireless
number, if provided, by a representative of SubjectWell or its database administrator Northwest Medical. These
calls may be generated using an automated technology.

SubjectWell only provides clinical trial participant recruitment services and is not involved in clinical
trials or informed about its results. Therefore, SubjectWell does not determine the purposes or means of the
further processing of your Personal Information, including your health information, by principal
investigators, clinical research sites or clinical trial service providers once you are brought in contact
with them.

As we need certain Personal Information for the performance of the Services, the consequence of not providing
such information might be that the Services cannot be provided as requested.

SubjectWell uses algorithms that enforce criteria to select patients for the most suitable clinical trial,
which is the service that the data subject requests from SubjectWell. The decision is therefore necessary for
the performance of the contract between the data subject and SubjectWell. Furthermore, as SubjectWell’s
patient recruitment marketplace works with an opt-in model, the patient’s decision to participate could also
be considered as providing his or her consent, which is freely given and can be withdrawn at any time by
contacting us through the contact details further below.

The logic that is used for the decision-making is created by SubjectWell employees reviewing study protocol
to define inclusion/exclusion criteria. The SubjectWell systems then enforce these criteria based on the
responses collected during the phone screening process. The most important consequences of the automated
decisions in question is that the data subject will or will not have the opportunity to participate in a
clinical trial.

In order to safeguard the data subject’s rights and freedoms and legitimate interests, the latter has the
right to obtain human intervention on the part of SubjectWell, to express his or her point of view and to
contest the decision.

In addition to the above, we use the Personal Information in order to comply with applicable laws and for our
legitimate purposes of protection our legal rights, in connection with legal claims, and for compliance,
regulatory, and investigative purposes. This may include sharing the Personal Information with third parties,
such as governmental authorities or law enforcement officials subject to applicable law.

V. WHO DO WE SHARE PERSONAL INFORMATION WITH?

We may disclose Personal Information you provide to us in and through the Services with the following
categories of third parties:

  • If you would like to participate in a clinical trial and there are matching clinical trials, we may share
    Personal Information about you with principal investigators, clinical research sites, and clinical trial
    service providers that are relevant to you;
  • Public authorities, such as law enforcement, if we are legally required to do so or if we need to protect
    our rights or the rights of third parties; and
  • Our subsidiaries and affiliates; or a subsequent owner, co-owner or operator of the Services and their
    advisors in connection with a corporate merger, consolidation, restructuring, the sale of substantially all
    of our stock and/or assets, or in connection with bankruptcy proceedings, or other corporate reorganization,
    in accordance with this Privacy Statement.

VI. INDIVIDUAL RIGHTS

Where we process Personal Information, individuals are entitled to ask us for an overview of the Personal
Information we have about them and also to access, correct or delete certain Personal Information, restrict
processing of their Personal Information, or to ask us to transfer some of Personal Information to other
organizations. Certain individuals can also object to some processing of their Personal Information, e.g.
processing based on our legitimate interest, and, where we have asked for their consent, they can withdraw
their consent at any time. Insofar as Personal Information about them is processed, certain individuals also
have a right to know more about the protection we apply when transferring Personal Information to non-European
Economic Area countries.

Note that we are not legally obligated to agree to such requests in all circumstances, and in certain
circumstances, agreeing to a request may be infeasible – for example, a deletion request when we are required
by law to maintain the Personal Information. Please also note that we are not able to act on any of the above
requests if we are not in a position to identify an individual filing such request.

Where applicable, these rights can be exercised by sending us an email through the contact details further
below. Depending on where you live, you may have a right to lodge a complaint with a supervisory authority or
other regulatory agency if you believe that we have violated any of the rights concerning Personal Information
about you. We encourage you to first reach out to us at
privacy@subjectwell.com so we have an opportunity to address your
concerns directly before you do so. We are committed to compliance with the General Data Protection Regulation
(“GDPR”) where applicable, so please contact us through the details listed below if you have any questions
about these rights.

VII. INTERNATIONAL TRANSFERS OF PERSONAL INFORMATION

SubjectWell is a U.S.-based company with domestic and international business clients. As a result, Personal
Information that we collect through the Services may be transferred to our U.S. offices to permit us to comply
with our legal and contractual obligations, to provide information and services to prospective and current
clients, and to perform related business activities. In addition, we may work with third-party service
providers in the U.S. and in other countries to support our business activities. Thus, Personal Information
may be transferred to, stored on servers in, and accessed from the United States and countries other than the
country in which the Personal Information was initially collected. In all such instances, we use, transfer,
and disclose Personal Information solely for the purposes described in this Privacy Statement.

VIII. TRANSFERS OF PERSONAL INFORMATION FROM THE EU OR SWITZERLAND TO THE UNITED STATES

SubjectWell complies with the EU-US Privacy Shield Framework and Swiss-US Privacy Shield Framework
(collectively, “Privacy Shield”) as set forth by the US Department of Commerce regarding the collection, use,
and retention of Personal Information from European Union (the “EU”) member countries and Switzerland.
SubjectWell has certified to the Department of Commerce that it adheres to the Privacy Shield Principles of
Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access,
and Recourse, Enforcement, and Liability. A violation of our commitment to Privacy Shield may be investigated
by the Federal Trade Commission and/or the United States Department of Commerce. If there is any conflict
between the policies in this Privacy Statement and the Privacy Shield Principles, the Privacy Shield
Principles shall govern. To learn more about the Privacy Shield program, and to view our certification page,
to the extent available, please visit
https://www.privacyshield.gov or
https://www.privacyshield.gov/participant?id=a2zt0000000PKQpAAO&status=Active.

In compliance with the Privacy Shield Principles, SubjectWell commits to resolve complaints about your
privacy and our collection or use of Personal Information about you. Persons from the EU or Switzerland who
have inquiries or complaints regarding this Statement should first contact us via email at:
privacy@subjectwell.com.

SubjectWell has committed to refer unresolved privacy complaints under the EU-US Privacy Shield Principles to
JAMS, an alternative dispute resolution provider located in the United States. If you do not receive timely
acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit
https://www.jamsadr.com/eu-us-privacy-shield
for more information and to file a complaint.

These recourse mechanisms are available at no cost to you. Damages may be awarded in accordance with
applicable law. Please note that if your complaint is not resolved through these channels, under limited
circumstances, a binding arbitration option may be available before a Privacy Shield Panel. Pursuant to the
Privacy Shield, SubjectWell remains potentially liable for the transfer of Personal Information to third
parties acting as our agents unless we can prove we were not a party to the events giving rise to the damages.

In cases of onward transfer to third parties of Personal Information of EU individuals received pursuant to
the EU-US and Switzerland-US Privacy Shield, SubjectWell is potentially liable.

IX. DATA RETENTION

If for seven (7) years we do not find any potential clinical trials for you and we do not attempt to contact
you, or if you request your Personal Information to be deleted, we will remove Personal Information about you
from our database. Please note that even if you request the deletion of Personal Information about you, we may
be required (by law or otherwise) to retain the Personal Information and not delete it. However, once those
requirements are removed, we will delete Personal Information about you in accordance with your request.

X. DATA SECURITY

The security of Personal Information is important to us. We follow generally accepted industry standards to
protect the Personal Information submitted to us, both during transmission and once we receive it. However, no
method of transmission over the Internet, or method of electronic storage, is 100% secure. Therefore, while we
strive to use commercially acceptable means to protect Personal Information, we cannot guarantee its absolute
security.

XI. CHILDREN

The Services are not intended for children under the age of 13. Accordingly, we do not intend to collect
Personal Information from anyone we know to be under 13 years of age.

XII. CHANGES TO THE PRIVACY STATEMENT

This Privacy Statement may change from time to time, effective from the date mentioned in the updated version
of the Privacy Statement. Please check the website where this Privacy Statement appears periodically to review
such changes in the Privacy Statement. We may email periodic reminders of our agreements and policies in the
event of a change.

XIII. CONTACT US

If you have any questions or concerns about this Privacy Statement or about SubjectWell’s privacy or data
security practices, please contact us or our Data Protection Officer via the following:

E-mail: privacy@subjectwell.com

Address:

7000 N MoPac Expy

Ste 330

Austin, TX 78731

USA

You can also contact our representative in the European Union:

European Data Protection Office (EDPO):
Name: Lucia Canga Roza
E-mail: lucia.canga@edpo.brussels
Phone number: +32 499 24 28 45