CyMedica Orthopedics | Provider Portal

CYMEDICA e-vive™ MOBILE APP & PROVIDER PORTAL PRIVACY POLICY

Effective Date: June 07, 2022

CyMedica Orthopedics, Inc. ("CyMedica" “we” “us” or “our”) respects the privacy of Users of our Mobile Medical App (“CyMedica e-vive™ App” or “App”) and the CyMedica Provider Portal (the “Provider Portal”), and the following privacy policy (the “Policy”) applies to your use of this App, the Provider Portal, the CyMedica website (the “Website”) and/or other related services that CyMedica provides (the “Services”). We at CyMedica value keeping your personal information confidential and using it solely in the context of our mission to enable you to become fully engaged in your healthcare in order to aid you and your healthcare providers (“Providers”) in making informed decisions about your care. The purpose of this Policy is to inform our Users (“you,” “your” or “User”) about the types of information we gather about you when you download, install and use our App, how we may use that information, with whom it is shared, what choices you have regarding our use of your information, and how you may access some of the information you provide to us. Capitalized terms not defined in this Privacy Policy are defined in the applicable terms of use, which are accessible via your account.

The Provider Portal and App offer two types of functions: (i) Review and analysis of patient data concerning electrical stimulation, range of motion, and other relevant health data (Health Data Features); and (ii) those that are intended to be used for educational, recreational, and non-medical purposes (Wellness Data Features). The Wellness Data Features are not intended for the purpose of diagnosis, treatment, or identification of any particular disease, condition or function of the body.

Health Data Features: The e-vive™ System, which is used in conjunction with the Provider Portal and App, is a prescription medical device cleared by the Food and Drug Administration (“FDA”) in the USA and is intended to be used under the direction of a healthcare provider. Please refer to the User Manual for more information regarding the intended use of e-vive™ System. The electrical stimulation features of the App, which is intended for use as an accessory to the e-vive™ System and other medical devices, is the only feature intended for and approved for medical use.

Wellness Data Features: The App offers features that allow patients and Providers to set personal goals and track progress related to muscle stimulation, range of motion, activity level, and post-operative pain levels. In addition, the App provides Users with simple tools to organize and track post-surgical health information, and is intended to help patient or Users store, document, display, show, transfer, or communicate their rehabilitation progress to their Providers who have created accounts on the Provider Portal. These features are informational only and are not intended for use in the diagnosis of disease or other conditions, or the cure, mitigation, treatment, or prevention of disease, nor are they intended to affect the structure or any function of the body.

PLEASE READ THE FOLLOWING CAREFULLY TO UNDERSTAND OUR VIEWS AND PRACTICES REGARDING YOUR PERSONAL INFORMATION AND HOW WE WILL TREAT IT.

For the purposes of Applicable Data Protection Laws including the European Economic Area data protection law (the “Data Protection Law”):

Non-Provider Users: The data controller is: CyMedica Orthopedics, Inc. 2120 East 6^th Street, Ste. 8, Tempe, AZ 85288

Provider Users: The data controllers are YOUR healthcare provider and CyMedica Orthopedics, Inc. 2120 East 6^th Street, Ste. 8, Tempe, AZ 85288

Data Protection Officer: Kereshmeh Shahriari <kereshmeh@cymedicaortho.com>

BY SUBMITTING YOUR PERSONAL INFORMATION THROUGH THIS APP, YOU ARE ACKNOWLEDGING THAT YOU HAVE READ AND AGREE TO THE TERMS OF THIS PRIVACY POLICY. IF YOU DO NOT AGREE, PLEASE DO NOT LOG INTO OR ACCESS THE APP OR SERVICES AND DO NOT SUBMIT ANY INFORMATION TO US.

Access to and use of the Services by a Provider who is a CyMedica customer (a “Customer”) and such Customer’s Authorized Users is subject to and governed by the agreement between CyMedica and the applicable Customer executed by authorized representatives of each party (the “Customer Agreement”). CyMedica may collect, use and disclose information from a Customer and such Customer’s authorized users as set forth in the Customer Agreement. If you would like more information about the Services or becoming a Customer, please contact us at cutomerservice@cymedicaortho.com.

If you are a patient, have received a CyMedica e-vive™ device (the “Device”) and would like to make the data that the Device and App collect (“Health and Wellness Data”) available to your healthcare provider(s) through the mobile app, you will be required to agree to the Terms of Use for the mobile app and this Privacy Policy.

Section 1. Changes to Policy

Please note that we occasionally update this Policy and that it is your responsibility to stay up to date with any amended versions. If we modify this Policy, we will notify you of the changes through either a pop-up notice in the APP, an email notification, an in-service notice or other reasonable means. You can store this policy and/or any amended version(s) digitally, print it, or save it in any other way. Any changes to this privacy policy will be effective immediately upon providing notice to you, and shall apply to all information we maintain, use and disclose. If you continue to use the APP following such notice, you are agreeing to those changes.

Section 2. Collection of Personal Information

THIS PRIVACY POLICY APPLIES TO PERSONAL INFORMATION COLLECTED BY CYMEDICA IN CONNECTION WITH THE SERVICES. “PERSONAL INFORMATION” INCLUDES ANY INFORMATION THAT CAN BE USED ON ITS OWN OR WITH OTHER INFORMATION TO IDENTIFY OR CONTACT A SINGLE PERSON OR TO IDENTIFY AN INDIVIDUAL IN CONTEXT. IF WE CAN LINK PARTICULAR INFORMATION (DIRECTLY OR INDIRECTLY) TO AN INDIVIDUAL, WE WILL CONSIDER THIS INFORMATION “PERSONAL INFORMATION,” AND WE WILL PROTECT IT.

BECAUSE THE PERSONAL INFORMATION WE COLLECT AND TRANSMIT MAY INCLUDE HEALTHCARE INFORMATION, INCLUDING MEDICAL INFORMATION, OUR PRIVACY PRACTICES ARE INTENDED TO COMPLY WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (“HIPAA”). WE WILL MAINTAIN THE PRIVACY OF YOUR HEALTH INFORMATION AS REQUIRED BY HIPAA AND THE REGULATIONS PROMULGATED UNDER THAT ACT. FOR ADDITIONAL INFORMATION RELATED TO YOUR HEALTHCARE INFORMATION, PLEASE CONTACT US AT customerservice@cymedicaortho.com.

All transmissions of Personal Information by the App are securely encrypted using TLS v1.2 over HTTPS in-transit, as required by the law. If you are a Patient, you do not need to use all of the features offered in this App.

Section 3. What information do you collect and why?

Personal Data that You Provide Through the Services

We collect Personal Information (e.g. demographic information) from you when you provide such information, such as when you create a proﬁle on the Services, use the Devices in connection with the Services, contact us with inquiries, enter information into our Website contact form, respond to one of our surveys or use certain features of the Services. We use this information to create your account and provide you with the Services.

For Patients: In addition to demographic information, if you are a Patient, we may ask you to provide your contact preferences, certain contact information, such as your email address, mobile telephone number, and physical address, and other Health Data and Wellness Data to us in order to create your account and provide you with the Services. Such Health Data and Wellness Data may include your information about your health conditions, movement, pain, and electrical stimulation. We collect this information to provide you more customized Services and to communicate information to your healthcare provider.

Where possible CyMedica collects Personal Information, we make an eﬀort to provide a link to this Privacy Policy.

Section 4. How do you use my Personal Information?

When you click “I agree” on the App Terms and Conditions or the Provider Portal Terms and Conditions, you explicitly agree to this Privacy Policy and consent to the use of the Personal Information you provide via the App. You confirm that you have the legal authority to consent to CyMedica processing all health information you provide, including by obtaining the explicit consent of all other persons whose health data you may provide. That includes storing, using and disclosing the data in accordance with this Policy.

When you do provide us with Personal Information, we may use your Personal Information for five (5) general reasons:

1. To provide you with the Services.

2. To send you information about CyMedica.

3. We may use your information in aggregate form to help us evaluate and modify our Services or related marketing materials.*

4. To customize our marketing communications (depending on the Personal Information we have about you) by sending you information that we believe will be to your benefit.

5. To provide technical and sales support.

*Aggregated Personal Data:In an ongoing eﬀort to better understand and serve our Users and communities of patients with certain health conditions, CyMedica conducts research on its user demographics and behavior based on the Personal Information we collect from you and the other information provided to us. This research may be compiled and analyzed, and published on an aggregate basis, and CyMedica may share this research and related information in aggregated, de-identiﬁed and/or anonymized format with its aﬃliates, agents and other healthcare research and services entities, including without limitation insurance and pharmaceutical companies. For the avoidance of doubt, this aggregate information does not identify you personally. CyMedica may also disclose aggregated, de-identiﬁed and/or anonymized information in order to describe our business and the Services to current and prospective business partners and Customers, and to other third parties for other lawful purposes.

If you provide an email address, then you may receive announcements or information about CyMedica. You can always choose not to be contacted or to "opt-out" of further contact or solicitations from CyMedica by following the instructions in the email.

Monitoring

CyMedica and its affiliates and agents are permitted, but not obligated, to review and/or retain information and/or communications stored and/or transmitted using the Services (“User Content”). We may monitor User Content for data collection purposes and/or to evaluate the quality of service you receive, your compliance with the applicable terms of use, the security of the Services, or for other reasons. Your authorized healthcare providers may also monitor User Content in order to monitor your progress and overall condition and to follow up with you, as they deem appropriate in their independent judgment as your healthcare providers. With your prior consent, your authorized healthcare providers may bill your health insurance company for accessing and reviewing your data.

You agree that such monitoring or health insurance billing activities, if in compliance with applicable privacy laws, will not entitle you to any cause of action or other right with respect to the manner in which CyMedica or its affiliates or agents monitor your communications and enforces or fails to enforce the terms of this agreement. In no event will CyMedica or any of its affiliates or agents be liable for any costs, damages, expenses, or any other liabilities incurred by you as a result of monitoring or health insurance billing activities by CyMedica or its affiliates or agents.

Section 5. What other information do you collect?

In order to provide you the Services, we will collect certain information about service performance, your devices and your use of the Services. We will automatically upload this information from your Device(s). Any individual identification information transmissions will be secured and encrypted following all applicable privacy laws to maintain privacy whilst providing the Services. Anonymized usage data may be transmitted, which will generally not identify you, and may include information such as the version of the App (if applicable) you have downloaded and installed on your device, IP address, and other information that is not Personal Information.

In order to record and provide feedback from the CyMedica e-vive^TM device, we may collect certain information transmitted directly by the device.

Section 6. Where is my Personal Information stored and/or processed?

Information CyMedica collects through the services will be stored on private servers located in the United States. The e-vive APP is native to phone (or tablet), meaning information you (User) enter in the APP is stored directly on the device encrypted. All information transmitted or received between the APP and CyMedica servers are encrypted in-transit using Secure-HTTP (HTTPS TLS v1.2). All Personal Information and Protected Health Information (e-PHI) is stored encrypted using SHA-256 ciphers at rest.

Section 7. Will you share my information with anyone else?

CyMedica takes its responsibility to keep your information private very seriously. We consider your use of the Services to be private. However, we may access or disclose information about you or your account under the following limited circumstances:

With Our Customers: If you are a patient, we will share your Personal Information and Health and Wellness Data with your authorized healthcare provider(s). This will enable your provider(s) to track your Health and Wellness Data and combine such Health and Wellness Data with other information about you that your provider obtains in providing healthcare services to you.

Operations and Maintenance Contractors: CyMedica may share your Personal Information with third party contractors as is necessary to respond to your requests for products and information, unless you have opted-out of receiving information. Third party contractors may access your Personal Information to send you this information on behalf of CyMedica. CyMedica also may hire third party technology providers to host, develop, maintain, or upgrade this App, and to store your Personal Information. When we share your information with third parties working on our behalf, they are required to abide by our Privacy Policy.

In the Event of a Business Transfer: We might sell or buy businesses or assets. In the event of a corporate sale, merger, reorganization, dissolution or similar event, Personal Information may be part of the transferred assets.

Legal Authorities: CyMedica may disclose Personal Information when required by law or legal process; when necessary to protect and defend the rights or property of CyMedica or when necessary to protect the personal safety of CyMedica Users and customers.

Aggregate Information: Aggregate information does not contain any Personal Information about our Users. From time to time, CyMedica may share aggregate, non-personal information App usage with third parties, including government agencies, advertisers and our partners.

Section 8. How long will you retain my information?

We store your Personal Information for as long as you maintain an account and up to five (5) years after the account is closed. At the end of this five-year period, we may remove your Personal Information from our databases and will request that our business partners remove your Personal Information from their databases. However, once we disclose your Personal Information to third parties, we may not be able to access that Personal Information any longer and cannot force the deletion or modification of any such information by the parties to whom we have made those disclosures. Written requests for deletion of Personal Information other than as described should be directed to customerservice@cymedicaortho.com. We retain anonymized data indefinitely.

Section 9. What is your cookie policy?

In operating the Services, we may use cookies, web beacons and similar technologies. A cookie is a piece of information that the computer that hosts our Services gives to your browser when you access the Services. Our cookies help provide additional functionality to the Services and help us analyze Services usage more accurately for research and marketing purposes. In all cases in which we use cookies, we will not collect Personal Information except with your permission. We recommend that you leave cookies turned on because they allow you to take advantage of some of the Services’ features. In addition to cookies, we may use web beacons (also known as “clear GIFs”) to measure traﬃc to or from the Services and related browsing behavior and to improve your experience when using the Services.

We use two types of cookies: essential and non-essential cookies. Essential cookies are those necessary for use to provide Services to you. All of our Provide Portal cookies are Essential cookies, and without them we would not be able to provide the Services to you. As such, if you do not have your cookies turned on, you will be unable to use the Services. We have provided, below, a full list of our cookies and we have described the purposes of each.

Provider Portal Cookies

Cookie Name, Who Controls It, and Duration

Purpose

Information Collected

How to Withdraw Consent

XSRF TOKEN

CyMedica

5 minutes

To protect against cross-site request forgery.

None

Do not use our Service if you do not want to receive this cookie.

cymedica_sc

CyMedica

Never (programmatically after 15 minutes of inactivity)

To store User’s session key

None

Do not use our Service if you do not want to receive this cookie.

CyMedica Website Cookies

Cookie Type, Who Controls It, and Duration	Purpose	Information Collected	How to Withdraw Consent
Necessary, CyMedica, 29 days	Basic navigation, improve website’s security, prevent spam on website forms.	None	N/A
Statistical, Google Analytics, Typekit.net, 2 years	To understand how visitors interact with website by collecting and reporting information anonymously.	No Personal Information. Following information for analytical purpose: - Time of visit - Referring website - Type of browser - Type of operating system - Flash version, Javascript support, screen resolution, color processing ability Network location	Cookie consent banner
Marketing, Google, Bing, Facebook, doubleclick.net 2 years	To track visitors across websites, support marketing and advertising campaigns.	No Personal Information. Stores tracking anonymous user ID to support advertising across websites.	Cookie consent banner

Section 10. Account Termination

If your account is terminated for any reason, either by you or CyMedica, we may permanently delete your data from our servers in accordance with applicable law and regulations. CyMedica is under no obligation to return data to you after your account is canceled. If data is stored with an expiration date, we may also delete the data as of that date. Data that is deleted may be irretrievable.

Section 8. Children's Online Privacy

We do not knowingly collect or maintain personal information from children under the age of eighteen (18) and Services are not directed to individuals under the age of thirteen (13). If you are under the age of thirteen (13), you should not furnish us with any identifiable information about yourself without a parent’s consent. If we learn that personally identifiable information of persons under eighteen (13) years of age has been collected via the App without parental consent, we will take the appropriate steps to delete this information.

If you are aware of a user under the age of 13, please contact us at customerservice@cymedicaortho.com.

Section 9. Communications from CyMedica

We may use the e-mail addresses you provided when you created your App Account to occasionally deliver information relevant to you, benefits, promotions, surveys and notification of other relevant items. If you send us an e-mail with questions or comments, we may use the Personal Information you provide to respond to your questions or comments, and we may save your questions or comments for future reference. However, we will provide you with the option to change your preferences and opt-out of receiving those communications.

You may request at any time that we not e-mail you in the future by clicking the “unsubscribe” link which is included at the bottom of any e-mail communication that you receive from us and hitting send, or by contacting us at unsubscribe@cymedicaortho.com. When contacting us by e-mail, please insert “UNSUBSCRIBE” in the subject line and the body of the message. If you unsubscribe, you should assume that your request has been received and is being processed. Please allow ten (10) business days from when the request was received to complete the removal of your e-mail address from our database as some of our promotions may have been in process before submitting such request we will make reasonable efforts to discontinue these e-mail communications as soon as practicable.

Section 10. How do you protect my Personal Information?

CyMedica has taken reasonable security measures to protect against the loss, misuse and alteration of information under our control. We use a combination of reasonable physical, technical, and administrative security controls to maintain the security and integrity of your Personal Information, to protect against any anticipated threats or hazards to the security or integrity of such information, and to protect against unauthorized access to or use of such information in our possession or control that could result in substantial harm or inconvenience to you. However, it is not possible to guarantee the security or integrity of information disclosed online. Because no physical or electronic security is impenetrable, by using the Services, you agree to assume all risks in connection with the information sent to us or collected by us when using the Services. We recommend that you take any and all appropriate steps to secure any device that you use to access the Services.

NOTWITHSTANDING ANY OF THE STEPS WE TAKE, IT IS NOT POSSIBLE TO GUARANTEE THE SECURITY OR INTEGRITY OF DATA TRANSMITTED OVER THE INTERNET. THERE IS NO GUARANTEE THAT YOUR INFORMATION WILL NOT BE ACCESSED, DISCLOSED, ALTERED, OR DESTROYED BY BREACH OF ANY OF OUR PHYSICAL, TECHNICAL, OR ADMINISTRATIVE SAFEGUARDS. THEREFORE, WE DO NOT AND CANNOT ENSURE OR WARRANT THE SECURITY OR INTEGRITY OF ANY INFORMATION YOU TRANSMIT TO US AND YOU TRANSMIT SUCH INFORMATION AT YOUR OWN RISK.

Section 11. How can I protect my Personal Information?

We will NEVER send you an e-mail requesting confidential information such as account numbers, usernames, passwords, or social security numbers, and you should NEVER respond to any e-mail requesting such information. If you receive such an e-mail purportedly from CyMedica, DO NOT RESPOND to the e-mail and DO NOT CLICK on any links and/or open any attachments in the e-mail, and notify CyMedica support at customerservice@cymedicaortho.com.

You are responsible for taking reasonable precautions to protect your user information (PIN/or password), Device ID, etc.) from disclosure to third parties, and you are not permitted to circumvent the use of required encryption technologies. You should immediately notify CyMedica at customerservice@cymedicaortho.com if you know of or suspect any unauthorized use or disclosure of your user information, or any other security concern.

EU Data Subject Rights

If you are an EU data subject, you have the following rights under certain circumstances:

● to receive communications related to the processing of your personal data that are concise, transparent, intelligible and easily accessible;

● to be provided with a copy of your personal data held by us;

● to request the rectification or erasure of your personal data held by us without undue delay;

● to request that we restrict the processing of your personal data (while we verify or investigate your concerns with this information, for example);

● to object to the further processing of your personal data, including the right to object to marketing;

● to request that your personal data be moved to a third party;

● to receive your personal data in a structured, commonly used and machine-readable format;

● to lodge a complaint with a supervisory authority.

Where our processing of your Personal Information is based on consent, you have the right to withdraw that consent without detriment at any time by contacting us at customerservice@cymedicaortho.com. You can also exercise the rights listed above at any time by contacting us at customerservice@cymedicaortho.com.

Section 12. How can I update, correct, or delete my Personal Information?

You may review, request corrections, ask that we delete, or refuse further collection or use of the Personal Information CyMedica collects from you. You may do this by contacting CyMedica using the contact information provided at the end of this document.

Section 13. Consent to Receive Notices Via the App

By using the App or submitting Personal Information via the App, you are agreeing that CyMedica may deliver all privacy, terms and conditions, and opt out notices to you in the manners described in this Privacy Policy.

Section 14. Limitation of Liability

YOU UNDERSTAND AND AGREE THAT ANY DISPUTE OVER PRIVACY IS SUBJECT TO THE TERMS AND CONDITIONS OF THE APPLICABLE SERVICES (INCLUDING ANY INDEMNIFICATION AND LIMITATIONS ON DAMAGES CONTAINED THEREIN).

Section 15. Contacting CyMedica

If you have any questions about this Policy, please feel free to contact us at customerservice@cymedicaortho.com.

CY-0300-004 Rev. G