Privacy Policy - Holistiq

1. WHAT IS THIS PRIVACY POLICY ABOUT?

2. WHO IS RESPONSIBLE FOR PROCESSING YOUR DATA?

3. WHICH DATA CATEGORIES DO WE PROCESS?

4. FOR WHAT PURPOSES DO WE PROCESS WHAT OF YOUR DATA?

5. WHAT APPLIES TO PROFILING AND AUTOMATED DECISIONS?

6. WHERE DOES THE DATA COME FROM?

7. WHO DO WE SHARE YOUR DATA WITH?

8. WILL YOUR PERSONAL DATA ALSO GO ABROAD?

9. WHAT RIGHTS DO YOU HAVE?

10. HOW OUR WEBSITE AND OTHER DIGITAL SERVICES USE COOKIES, SIMILAR TECHNOLOGIES AND SOCIAL MEDIA PLUG-INS?

11. HOW DO WE PROCESS PERSONAL DATA ON OUR SOCIAL NETWORK SITES?

12. WHAT OTHER THINGS TO CONSIDER?

13. CAN THIS PRIVACY POLICY BE CHANGED?

1. WHAT IS THIS PRIVACY POLICY ABOUT?

Holistiq Health Group AG, based in Zurich (the “Holistiq”), (hereinafter also “we”, “us”) obtains and processes personal data, in particular personal data about our patients or customers, associated persons, contractual parties, visitors to our website. site, participants in events, recipients of newsletters and other entities or their contact persons and employees (hereinafter also “you”). In this data protection declaration we inform you about this data processing. In addition to this data protection declaration, we can inform you separately about the processing of your data (e.g. in forms or contractual conditions).

If you provide us with data about other people (e.g. family members), we assume that you are authorized to do so, that this data is correct and that you have ensured that these people are informed about this disclosure, to the extent that a legal obligation to provide information applies (e.g. by informing them this data protection declaration has been made known in advance).

2. WHO IS RESPONSIBLE FOR PROCESSING YOUR DATA?

The following is responsible under data protection law for the processing described in this data protection declaration:

Holistiq Health Group AG

Lessingstrasse 15

8002 Zurich

hello@holistiq.ch

3. WHICH DATA CATEGORIES DO WE PROCESS?

We process different categories of personal data about you. The main categories are the following:

• Master data: This is general personal data such as name, contact details, personal data, photos, customer history, powers of attorney, declarations of consent as well as information about your relationship with us (e.g. customer, supplier) as well as information about third parties (e.g. contact persons) .

• Contract and financial data: This is data that we obtain and process in the context of providing our services and when concluding contracts, such as data about contractual services or regarding the provision of services, information about reactions (e.g. information about satisfaction) and about processing (e.g. customer service) as well as data in connection with the initiation and conclusion of contracts or financial data (e.g. creditworthiness).

• Health data: Due to our medical and therapeutic offerings, we regularly process health data. This includes all information that allows conclusions to be drawn about the physical or mental state of health (e.g. analyzes of blood samples, recordings of an electrocardiogram [ECG]).

• Communication data: This is data that arises in connection with communication between us and with third parties (e.g. by email, telephone, letter or other means of communication). This includes, for example, the content of emails or letters, your contact details, peripheral communication data or even image and audio recordings of (video) telephone calls.

• Registration data: This is data that we collect as part of a registration (e.g. online, newsletter), in competitions or when redeeming vouchers, or that you provide to us (e.g. user name, email).

• Technical data: This is data that arises as part of the use of our electronic offerings (e.g. website), such as IP address, information about the operating system of your device, the region and the time of use. Technical data alone generally does not allow any conclusions to be drawn about your identity.

• Behavioral, lifestyle and preference data: This is data about your behavior, lifestyle and preferences, such as reactions to electronic communications, navigation on the website or app, your exercise and dietary habits, interactions with our Social media profiles as well as information about participation in competitions or events, etc., if necessary we also supplement and link these with information from third parties (e.g. from publicly available sources or from providers who, at your request, provide us with your wearables disclose collected data).

• Applicant data: This is data that we process as part of an application to us and that is contained, among other things, in your application documents (e.g. professional career, training and further education, references). We may also obtain data from public sources, such as work-related social networks, the Internet or the media.

• Other data: This includes, in particular, data that is processed in connection with official or judicial proceedings (e.g. files, evidence, etc.), data that is collected due to health protection (e.g. protection concepts), photos, videos or audio recordings, that we produce or receive from third parties and on which you can be recognized (e.g. at events, through security cameras, etc.), access data or rights (e.g. visitor lists), participation in events.

4. FOR WHAT PURPOSES DO WE PROCESS WHAT OF YOUR DATA?

If you use our services or purchase products, use https://www.holistiq.ch/ or other websites of ours or our apps (hereinafter collectively “website”), or otherwise have anything to do with us, we process different categories your personal data (see section 3). We may obtain and process this data in particular for the following purposes:

• Communication: In order to communicate with you and third parties via email, telephone, letter or otherwise (e.g. to answer inquiries, as part of a consultation or to initiate or process a contract), we process your data. This may also include image and audio recordings of (video) telephone calls, for example for quality assurance purposes. In the case of an audio or video recording, we will inform you separately and you are free to inform us if you do not want a recording or to end the communication. If we need or want to verify your identity, we collect additional data (e.g. a copy of an ID card).

• Initiation, conclusion, administration and processing of contracts: In connection with the provision of our services (e.g. your treatments, advice and support as well as the delivery of products) or the initiation, conclusion, administration or processing of contracts We process personal data with our customers or other contractual partners (e.g. service providers, project partners, suppliers). This includes, in particular, processing for checking creditworthiness, for patient or customer care as well as for the provision and request of contractual services (which also includes the involvement of third parties). This also includes the enforcement of legal claims from contracts (debt collection, legal proceedings, etc.), accounting, termination of contracts and public communication.

• Relationship maintenance and for marketing purposes: We also process your personal data for relationship maintenance and marketing purposes, in particular to provide our customers, other contractual partners and other interested parties with personalized advertising (e.g. on our website, in printed matter, by email or via other channels) about services, products and other news from us and from third parties (e.g. from product partners), in connection with free services (e.g. invitations, vouchers) or as part of individual marketing campaigns (e.g. events, competitions). You can reject such contacts at any time or refuse or revoke your consent to be contacted for advertising purposes by notifying us (see contact details in section 2).

• Market research, improving our services and our operations as well as product development: In order to continually improve our products and services (including our website and other electronic offerings), we collect data about your behavior and your preferences, for example by analyzing: how you navigate through our website, how you interact with our social media profiles or which services and products are requested and used by which groups of people and in what way. If necessary, we can supplement this information with information from third parties (including from publicly available sources).

• Operation of our website: In order to operate our website securely and stably, we also process personal data (especially technical data). For further information see section 10.

• Registration: In order to use certain offers and services (e.g. login areas, newsletters), you must register (directly with us or via our external login service providers). For this purpose, we process the data provided during the respective registration. We may also collect personal data about you while using the offer or service; If necessary, we will provide you with further information about the processing of this data.

• Security purposes and access controls: We obtain and process personal data to ensure and continually improve the appropriate security of our IT and our other infrastructure (e.g. buildings). This includes, for example, monitoring and controlling electronic access to our IT systems as well as physical access to our premises, analyzes and tests of our IT infrastructures, system and error checks and the creation of backup copies. For documentation and security purposes (preventive and to resolve incidents), we may also keep access logs or visitor lists for our premises.

• Compliance with laws, instructions and recommendations from authorities and internal regulations (“Compliance”): As part of compliance with laws, we can process personal data (e.g. to implement health and safety concepts, to combat money laundering or due to tax obligations). In addition, data processing may occur during internal and external investigations (e.g. by a law enforcement or supervisory authority or a commissioned private body). The legal obligations may include Swiss law, but also foreign regulations to which we are subject, as well as self-regulation, industry standards, our own corporate governance and official instructions and requests.

• Risk management and corporate governance: We obtain and process personal data as part of risk management (e.g. to protect against criminal activities) and corporate governance. This includes, among other things, our operational organization (e.g. resource planning) and corporate development (e.g. purchase and sale of parts of the company or companies).

• Job application: If you apply for a job with us, we will obtain and process the relevant data for the purpose of examining the application, carrying out the application process and, in the case of successful applications, preparing and concluding a corresponding contract.

• Other purposes: Other purposes include, for example, training and education purposes, administrative purposes (e.g. accounting) or the implementation of events. We may listen to or record telephone or video conferences for training, evidence and quality assurance purposes. In such cases, we will inform you separately (e.g. through a display during the relevant video conference) and you are free to inform us if you do not wish to be recorded or to end the communication (if you simply do not wish to have your picture recorded, please turn off your camera). We can also process personal data for the organization, implementation and follow-up of events, such as participant lists, content of presentations and discussions, but also image and audio recordings that are created during these events. The protection of other legitimate interests is also one of the other purposes that cannot be named exhaustively.

5. WHAT APPLIES TO PROFILING AND AUTOMATED DECISIONS?

We automatically evaluate certain of your personal characteristics for the purposes mentioned in section 4 using your data (“profiling”) if we want to determine preference data in order to determine misuse and security risks, to carry out statistical evaluations or for operational planning purposes. We can also create profiles for the same purposes.

In certain situations, for reasons of efficiency and consistency of decision-making processes, it may be necessary for us to automate discretionary decisions that affect you (“automated individual decisions”). If these have legal effects or possibly significant disadvantages, we will inform you and offer you a human hearing as required by law.

6. WHERE DOES THE DATA COME FROM?

• From you: You (or your device) provide us with much of the data we process (e.g. in connection with your treatment, use of our website or apps or communication with us). You are not obliged to disclose your data, with exceptions in individual cases (e.g. legal obligations). However, if, for example, you want to conclude contracts with us or use our services, you must provide us with certain data.

From third parties: We can also take data from publicly accessible sources (e.g. business registers, land registers, commercial registers, media or the Internet including social media) or receive them from (i) authorities, (ii) your work or work environment. sponsor who either has a business relationship with us or has other dealings with us, as well as (iii) other third parties (e.g. referring health professionals, people from your environment, providers who, at your request, provide us with data collected using wearables Disclose data, insurance companies, associations, contractual partners, internet analysis services, job placement platforms and other service providers). This includes in particular the following categories: general personal data (master data), contract data and other data, but also all other data categories in accordance with Section 3 as well as data from correspondence and meetings with third parties. If you work for an employer or client or someone else who has a business relationship with us or otherwise, they may also make data about you available to us.

7. WHO DO WE SHARE YOUR DATA WITH?

In connection with the purposes listed in section 4, we may transmit your personal data in particular to the following categories of recipients (of course, we comply with the regulations of medical confidentiality, to which we are subject in certain cases):

• Service providers: We work with service providers at home and abroad who (i) process data that they receive from us on our behalf (e.g. IT providers), (ii) under joint responsibility with us or (iii) under their own responsibility received or collected for us. These service providers include, for example, IT providers, advertising service providers, banks, insurance companies, debt collection companies, business information agencies, address checkers, consulting firms or lawyers). We usually agree contracts with these third parties regarding the use and protection of personal data. We use offers from Salesforce and Formstack to store and manage our documents, [link to data protection declaration].

• Customers and other contractual partners: This initially refers to our customers and other contractual partners for whom the transfer of your data results from the contract (e.g. because you work for a contractual partner or they provide services for you). This category of recipients also includes contractual partners with whom we cooperate or who advertise for us. The recipients generally process the data under their own responsibility.

• Authorities: We can pass on personal data to authorities, courts and other authorities at home and abroad if we are legally obliged or authorized to do so or if this appears necessary to protect our interests. These recipients process the data under their own responsibility.

• Other persons: This refers to other cases where the involvement of third parties results from the purposes set out in section 4. This applies, for example, to collaboration with specialist lists and hospitals (particularly for referrals to them), notifications to health insurance companies to evaluate cost approvals, delivery addressees or payment recipients specified by you, third parties in the context of representation relationships (e.g. your lawyer or your Bank) or people involved in official or court proceedings. If we work with media and send them material (e.g. photos), you may also be affected. As part of corporate development, we may sell or acquire businesses, parts of operations, assets or companies or enter into partnerships, which also involves disclosing data (including from you, e.g. as a customer or supplier or as their representative) to those involved in these transactions the people involved.

As part of communication with our competitors, industry organizations, associations and other committees, data that concerns you may also be exchanged.

All of these categories of recipients may in turn involve third parties so that your data can also become accessible to them. We can restrict processing by certain third parties (e.g. IT providers), but not that of other third parties (e.g. authorities, banks, etc.).

We also enable certain third parties to collect personal data from you on our website and on occasions on our own responsibility (e.g. media photographers, providers of tools that we have integrated on our website, etc.). To the extent that we are not significantly involved in this data collection, these third parties are solely responsible for it. If you have any concerns or want to assert your data protection rights, please contact these third parties directly. We have listed these in section 10.

8. WILL YOUR PERSONAL DATA ALSO GO ABROAD?

We process and store personal data mainly in Switzerland and the European Economic Area (EEA), in exceptional cases – for example via sub-processors of our service providers – but potentially in every country in the world.

If a recipient is located in a country without adequate data protection, we contractually oblige the recipient to comply with an adequate level of data protection (for this purpose we use the revised standard contractual clauses of the European Commission, which can be found here: https://eur-lex.europa.eu/eli /dec_impl/2021/914/oj? can be accessed; including the additions necessary for Switzerland), provided that it is not already subject to a legally recognized set of rules to ensure data protection and we cannot rely on an exception provision. An exception may apply in particular in legal proceedings abroad, but also in cases of overriding public interests, if the execution of a contract that is in your interest requires such disclosure if you have consented, or if it is not possible to obtain your consent within a reasonable period of time and the disclosure is necessary to protect your life or physical integrity or that of a third party or if it concerns data that you have made generally accessible and the processing of which you have not objected to. We may also rely on the exception for data from a legally required register (e.g. commercial register) into which we have legitimately been given access.

9. WHAT RIGHTS DO YOU HAVE?

You have certain rights in connection with our data processing. In accordance with applicable law, you can in particular request information about the processing of your personal data, have inaccurate personal data corrected, request the deletion of personal data, object to data processing, the release of certain personal data in a common electronic format or its transfer to other responsible parties demand.

If you want to exercise your rights against us, please contact us; Our contact details can be found in section 2. In order for us to rule out misuse, we must identify you (e.g. with a copy of your ID, if necessary).

Please note that conditions, exceptions or restrictions apply to these rights (e.g. to protect third parties or trade secrets). We reserve the right to black out copies or only provide extracts for data protection reasons or reasons of confidentiality.

10. HOW OUR WEBSITE AND OTHER DIGITAL SERVICES USE COOKIES, SIMILAR TECHNOLOGIES AND SOCIAL MEDIA PLUG-INS?

When you use our website (including newsletters and other digital offers), data is generated that is stored in logs (particularly technical data). We can also use cookies and similar techniques (e.g. pixel tags or fingerprints) to recognize website visitors, evaluate their behavior and recognize preferences. A cookie is a small file that is transmitted between the server and your system and allows a specific device or browser to be recognized.

You can set your browser to automatically reject, accept or delete cookies. You can also deactivate or delete cookies in individual cases. You can find out how to manage cookies in your browser in the help menu of your browser.

Both the technical data and cookies we collect generally do not contain any personal data. However, personal data that we or third-party providers commissioned by us store about you (e.g. if you have a user account with these providers) can be combined with the technical data or with the information stored in and obtained from cookies and thus possibly be linked to you personally.

We also use social media plug-ins, which are small software modules that establish a connection between your visit to our website and a third-party provider. The social media plug-in tells the third party that you have visited our website and may transmit to the third party cookies that the third party has previously placed on your web browser. For more information about how these third parties use your personal information collected through their social media plugins, please see their respective privacy policies.

We also use our own tools and third-party services (which may use cookies) on our website, in particular to improve the functionality or content of our website (e.g. integration of videos or maps), to create statistics and to place advertising.

We can currently use offers from the following service providers and advertising partners in particular, whereby their contact details and further information on individual data processing can be found in the respective data protection declaration:

• Google Analytics

Provider: Google Ireland Ltd.

Data protection declaration: https://policies.google.com/privacy?hl=de

Information about Google Analytics: https://support.google.com/analytics/answer/6004245

• Google reCAPTCHA

Provider: Google Ireland Ltd.

Data protection declaration: https://policies.google.com/privacy?hl=de

Some of the third-party providers we use may be located outside of Switzerland. Information on data disclosure abroad can be found under section 8. In terms of data protection law, they are sometimes “only” our order processors and sometimes they are responsible bodies. Further information on this can be found in the data protection declarations.

11. HOW DO WE PROCESS PERSONAL DATA ON OUR SOCIAL NETWORK SITES?

We operate pages and other online presences on social networks and other platforms operated by third parties and process data about you in this context. We receive data from you (e.g. when you communicate with us or comment on our content) and from the platforms (e.g. statistics). The platform providers may analyze your use and process this data together with other data they have about you. They also process this data for their own purposes (e.g. marketing and market research purposes and to manage their platforms), and for this purpose they act as their own controllers. For further information on processing by the platform operators, please refer to the data protection declarations of the respective platforms.

We currently use the following platforms, whereby the identity and contact details of the platform operator can be found in the data protection declaration:

• LinkedIn

https://www.linkedin.com/company/holistiqhealth

Data protection declaration: https://de.linkedin.com/legal/privacy-policy

We are entitled, but not obliged, to check third-party content before or after it is published on our online presence, to delete content without notice and, if necessary, to report it to the provider of the platform in question.

Some of the platform operators may be located outside of Switzerland. Information on data disclosure abroad can be found under Section 8.

12. WHAT OTHER THINGS TO CONSIDER?

We do not assume that the EU General Data Protection Regulation (“GDPR”) applies in our case. However, if this is the case in exceptional cases for certain data processing, then this section 12 also applies exclusively for the purposes of the GDPR and the data processing subject to it.

We base the processing of your personal data on the fact that:

• it is necessary, as described in section 4, for the initiation and conclusion of contracts and their administration and enforcement (Art. 6 Para. 1 lit. b GDPR),

• it is necessary to protect the legitimate interests of us or third parties as described in Section 3, namely for communication with you or third parties, to operate our website, to improve our electronic offers and to register for certain offers and services, for security purposes, for compliance with Swiss law and internal regulations, for our risk management and corporate governance and for other purposes such as training and education, administration, evidence and quality assurance, organization, implementation and follow-up of events and other legitimate interests (Section 4) (Art. 6 Para. 1 lit. f GDPR),

• it is required or permitted by law due to our mandate or position under the law of the EEA or a member state (Art. 6 Para. 1 lit. c GDPR) or is necessary to protect your vital interests or those of other natural persons to protect (Art. 6 Para. 1 lit. d GDPR);

• it is necessary for the performance of a task that is in the public interest or in the exercise of official authority vested in us,

• You have consented to the processing separately, for example via a corresponding declaration on our website (Art. 6 Para. 1 lit. a and Art. 9 Para. 2 lit. a GDPR).

We would like to point out that we generally process your data for as long as our processing purposes (see Section 4), the legal retention periods and our legitimate interests, in particular for documentation and evidence purposes, require or require it Storage is for technical reasons (e.g. in the case of backups or document management systems). If there are no legal or contractual obligations or technical reasons to the contrary, we will generally delete or anonymize your data after the storage or processing period has expired as part of our usual processes and in accordance with our retention policy.

If you do not provide certain personal data, this may mean that it is not possible to provide the related services or conclude a contract. We generally indicate where the personal data we request is mandatory.

The right to object to the processing of your data as set out in Section 9 applies in particular to data processing for the purpose of direct marketing.

If you do not agree with our handling of your rights or data protection, please let us know (see contact details in section 2). If you are located in the EEA, you also have the right to complain to your country’s data protection supervisory authority. A list of authorities in the EEA can be found here: https://edpb.europa.eu/about-edpb/board/members_de.

13. CAN THIS PRIVACY POLICY BE CHANGED?

This privacy policy does not form part of a contract with you. We can adapt this data protection declaration at any time. The version published on this website is the current version.

Table of contents