Privacy Policy

Last Updated: 01/01/2025

BioOpt Health, Inc., together with its subsidiaries and affiliates, including Mitome (“Mitome,” "Company," "we," or "us"), owns and operates the website located at www.mito.me (the "Website") and may have previously, now or in the future own and/or operate a Company mobile application (collectively, the "Platform"). Your access and use of the Platform, any part thereof, or anythiang associated therewith, including its content ("Content"), any products or services provided through the Platform or otherwise by the Company, and any affiliated website, software, or application owned or operated by the Company (collectively, including the Platform and the Content, the " Service") are subject to this Privacy Policy unless expressly stated otherwise. Capitalized terms not otherwise defined in this Privacy Policy have the same meaning outlined in the Company Terms and Conditions ("Terms and Conditions"). Please note that “data” and “information” may be used interchangeably throughout this policy.

The Company is committed to protecting the privacy of Personal Data (i.e., information reasonably related to a specific individual). This Privacy Policy describes how we process Personal Information collected through our Platform, social media accounts, and other online interactions and communications such as email (collectively, our "Digital Properties"), in-person events and purchases, and other online and offline interactions. We are committed to respecting the privacy of users of the Service. We created this privacy policy ("Privacy Policy") to tell you how the Company collects, uses, and discloses information to provide you with the Service. The legal basis for collecting and processing your data includes consent, contract necessity, and legitimate business interests applicable to the specific processing activities described in this policy.

As with our Terms of Use, by creating, registering, or logging into an account through the Service or otherwise accessing or using the Service, you are automatically accepting and acknowledging the most recent version of this Privacy Policy. We reserve the right to update this Privacy Policy at any time to reflect changes in our Privacy Policy, including our Cookie Policy, we will post the revised Privacy Policy and update the "Last updated" date of the Privacy Policy. We will notify you of any material changes to our Cookie Policy via email or through a prominent notice on our website before the changes become effective. Previous versions of this Privacy Policy will be available upon request. Contact our customer support team at support@mito.me. In any case, we will not update this Privacy Policy more than once per quarter unless required by law.

Suppose you are using the Service for an individual other than yourself. In that case, you represent that such individual authorizes you to act on such individual's behalf and that such individual acknowledges the practices and policies outlined in this Privacy Policy.

This Privacy Notice applies to information we collect about individual consumers, such as general website visitors (“Individuals”), as well as information we collect about the personnel of our business partners, including vendors and business customers, in business-to-business interactions (“Business Contacts”). However, this Privacy Notice does not apply to:

• Information about current/former employees, applicants, and other individuals who interact with us for employment-related purposes.
• Information that is subject to the Health Insurance Portability and Accountability Act (“HIPAA”)

Whenever you interact with us on behalf of another individual or entity, such as if you refer a friend to us, you must obtain their consent (or have the legal authority without consent) to share their Personal Data with us.

Changes: We may update this Privacy Notice from time to time. Any updated Privacy Notice will be effective when posted to our Digital Properties. Please check this Privacy Notice periodically for updates.

SOURCES OF PERSONAL INFORMATION

We collect Personal Data about you from the following sources:

1. Directly from you. We may collect Personal Data you provide to us directly, such as when you contact us through our Digital Properties; interact with us in person; sign up for offers or newsletters; communicate with us; place or customize orders; or sign up for an account or other services. Please note that while some information you provide is voluntary, certain information may be mandatory for specific services or features. We will clearly indicate which information is required at the point of collection. If you choose not to provide certain personal data, you may not be able to access specific features or services, and we may be unable to fully respond to your inquiries or provide you with certain products or services.
2. Information collected automatically and through tracking technologies. We may automatically collect information or inferences about you when you interact with our Digital Properties, such as through cookies and other tracking technologies. This may include information about how you use and interact with our Digital Properties, information about your device, and internet usage information. For more information about cookies and other tracking technologies, please see our Cookie Policy.
3. From third parties. We may collect Personal Data from third parties, such as service and content providers, our affiliated companies and subsidiaries, business partners, data brokers, affiliate marketing partners, social media companies, and other parties who interact with us.
4. From publicly available sources. We may collect Personal Data about you from publicly available sources, such as public profiles and websites.
5. Our Inferences. We may infer new information from other data we collect, including using automated means to generate information about your likely preferences or other characteristics. For example, we use your Genetic Information to predict certain health predispositions, or we may infer your location (such as city, state, and country) based on your IP address.

We may combine information that we receive from the various sources described in this Privacy Notice, including third party sources, and use or disclose the combined information for the purposes identified below.

TYPES OF PERSONAL DATA WE COLLECT

We may collect the following types of Personal Data about you.

1. Identifiers: such as your name, email address, physical address, telephone number, business contact information, and device identifiers (e.g., cookie IDs and IP address).
2. Records about you: such as signatures; physical characteristics or a description of you; the content, timing and method of communications you have with us, such as online chats, calls, and emails; and information you share with or upload to our Digital Properties, such as reviews and comments.
3. Demographic information: such as age (including birthdates) and gender (including gender identity).
4. Self-Reported (Health-Intake) Information: information you provide to Mitome including your gender, disease conditions, health-related information, traits, ethnicity, family history, or anything else you provide to us within our Service(s). ‍
5. Biometric Information: certain Self-Reported Information you provide to us or our service providers to verify your identity using biological characteristics.
6. Genetic Information: any data, regardless of its format, that concerns a consumer's genetic characteristics. Genetic Information includes, but is not limited to: raw sequence data that results from the sequencing of a consumer's complete extracted deoxyribonucleic acid (DNA) or a portion of the extracted DNA; genotypic and phenotypic information that results from analyzing the raw sequence data; and self-reported health data that a consumer submits to a regulated entity or a small business and that is analyzed in connection with consumer's raw sequence data.
7. Sample Information, meaning information regarding any sample, such as a saliva sample that you submit for processing to be analyzed to provide you with Genetic Information, laboratory values or other data provided through our Services.
8. Commercial information: such as information related to your transactions, products or services purchased, obtained, or considered, subscription information, or other purchasing or consuming histories or tendencies.
9. Web Behavior information: such as your browsing history, search history, preference information (including marketing and purchasing preferences), account settings (including any default preferences), and other information regarding your interactions with and use of the Digital Properties. For more information about cookies and other device data, please see our Cookie Policy.
10. Non-precise geolocation data: such as approximate location derived from IP addresses.
11. Inferences: drawn from any of the information we collect about your preferences or behavior, including to assess the level of interest in our products and services based on frequency of visits and contact and determine your preferred frequency for receiving offers.

If you use your mobile device to visit, access or use the Service, then additional categories of information that we collect may include

• Your name associated with your mobile device
• Your telephone number associated with your mobile device
• Your geolocation
• Your mobile device ID information
• With your express consent, your contacts and/or contact information (e.g., names, telephone numbers, physical addresses, email addresses, photos) stored on your mobile device
• With your express consent, information about third-party software applications on your mobile device (including, without limitation, general software apps, downloadable software apps, social media apps)

HOW WE USE PERSONAL DATA

Now that we’ve covered the types of information we collect and how we collect it, let’s review how we may use it.

Sensitive Data We are committed to protecting your sensitive data, including certain Self-Reported Information, Genetic Information, and Biochemical Data (“Sensitive Data”). This data is collected and used solely for the purpose of producing your personalized health report of your Health Data. We do not use, share, or disclose this data for advertising, marketing, or any other commercial purposes. Sensitive data will only be disclosed to third-party laboratories and healthcare providers strictly as necessary to generate your report and with your express consent.

General Personal Data We may use non-sensitive personal data (e.g., email addresses, browsing behavior, or demographic details) for marketing purposes, such as sending you newsletters, promotions, and tailored offers. You can manage your marketing preferences in your account settings or by contacting us.

We collect and use your Personal Data for various purposes, including but not limited to: providing and improving our Services, communicating with you, conducting research and analysis, personalizing your experience, ensuring the security of our Site, complying with legal obligations, and, if you have given your explicit consent, for business commercial or research purposes as described in the Informed Consent. The specific purposes may vary and will always be clearly communicated at the time of data collection or in the relevant consent document.

We may use your data for the following purposes:

1. To provide you or your company products and services, such as making our Digital Properties, products and services available to you; registering, verifying, and maintaining your account with us; providing and delivering you the goods and services you request; providing customer service; administer your account; processing or fulfilling orders and transactions (including processing payments); verifying customer information and eligibility for certain programs or benefits; communicating with you (including soliciting feedback or responding to requests, complaints, and inquiries); hosting informational webinars; and providing similar services or otherwise facilitating your relationship with us, in addition to providing you with customer support.
2. To provide you with a detailed analysis and report of data related to your health, we will analyze and cross-reference all data from blood, saliva, and buccal samples to identify suboptimal nutrient status, your most important and actionable genetic idiosyncrasies, their biochemical consequences, and how those explain or relate to your concerns and goals as described in your intake form, and to derive from the intersection of all of these data the most actionable strategies you can use to improve your health and well being.
3. For our business purposes, such as operating our Digital Properties and customizing the content; maintaining internal business records, such as accounting, document management, and similar activities; enforcing our policies and rules; management reporting; auditing; and IT security and administration, developing, testing or improving the Service and content, features and/or products or services offered via the Service; identifying or creating new products, services, marketing and/or promotions for the Company or the Service; promoting and marketing the Company, the Service, and the products and/or services offered via the Service; improving user experiences with the Service; analyzing traffic to and through Service; analyzing user behavior and activity on or through the Service; conducting research and measurement activities for purposes of product and service research and development, advertising claim substantiation, market research, and other activities related to the Company, the Service or products and services offered via the Service.
4. For our internal research and product improvement purposes, such as verifying or maintaining the quality or safety of our products or services; developing and improving our products or services, including developing or training algorithms or AI tools; evaluating the effectiveness of our advertising or marketing efforts; and debugging and repairing errors with our systems, networks, and equipment.
5. For legal, safety, or security reasons, such as complying with legal, reporting, and similar requirements; investigating and responding to claims against us, our personnel, and our customers; for the establishment, exercise or defense of legal claims; protecting our, your, our customers’, and other third parties’ safety, property, or rights; detecting, preventing, and responding to security incidents and health and safety issues (including managing the spread of communicable diseases); and protecting against malicious, deceptive, fraudulent, or illegal activity.
6. In connection with a corporate transaction, such as if we acquire, or sell or transfer all or a portion of our business or assets including through a sale in connection with bankruptcy and other forms of corporate change.
7. For marketing and targeted advertising, such as marketing our products or services or those of our affiliates, business partners, or other third parties. For example, we may use non-sensitive Personal Data we collect to personalize advertising to you (including by developing product, brand, or services audiences and identifying you across devices/sites); to analyze interactions with us or our Digital Properties; or to send you newsletters, surveys, questionnaires, promotions, or information about events or webinars. You can unsubscribe to our email marketing via the link in the email, or by contacting us using the information in the Contact Information section below.
8. We may use anonymized, de-identified, or aggregated information for any purpose permitted by law.

HOW WE DISCLOSE PERSONAL DATA

Sensitive Data

Your Sensitive Data will never be disclosed to third parties for marketing, advertising, or commercial purposes. This data will only be shared with:

• Accredited laboratories and professionals to process your samples and generate your report.
• Entities required by law or legal processes, such as compliance with court orders or regulatory requirements.

We do not sell or share Sensitive Data with public databases, insurers, or employers.

General Personal Data

We may share non-sensitive Personal Data, with service providers or affiliates to improve our offerings and tailor your experience. These disclosures are strictly limited to non-sensitive data categories.

Disclosure Recipients

We may disclose Personal Data to third parties, in accordance with the guidelines above, including the categories of recipients described below:

1. Affiliates and subsidiaries, including parent entities, corporate affiliates, subsidiaries, business units, and other companies that share common ownership.
2. Health Care Providers and Laboratories, including independent healthcare providers and laboratories that practice through our affiliated professional entities to facilitate scheduling, testing, reporting and other purposes related to our services. We do not control the privacy practices of these providers, so we encourage you to consult their privacy notices.
3. Service providers that work on our behalf to provide the products and services you request or support our relationship with you, such as our genetic and blood testing laboratory partners, IT providers, internet service providers, web hosting providers, data analytics providers, and companies that provide business support services, financial administration, or event organization.
4. Professional consultants, such as accountants, lawyers, financial advisors, and audit firms.
5. Vendors necessary to complete transactions you request, such as shipping companies and logistics providers.
6. Law enforcement, government agencies, and other recipients for legal, security, or safety purposes, such as when we share information to comply with law or legal requirements, to enforce or apply our Terms of Use and other agreements or policies, and to protect ours, our customers, or third parties’ safety, property, or rights.
7. Other entities in connection with a corporate transaction, such as if we acquire, sell, or transfer all or a portion of our business or assets, including through a sale in connection with bankruptcy and other forms of corporate change.
8. Business partners that may use non-sensitive Personal Data for their own purposes, such as:
   • Advertisers, ad platforms and networks, and social media platforms.
   • Third parties whose cookies and tracking tools we use as described in Section 5 (Cookies and Other Tracking Technologies) below.
   • Commercial data partners to whom we make information available for their own marketing purposes.
   • Partners who collaborate with us on promotional opportunities, including co-branded products and services.
   • Where recipients use your Personal Data for their own purposes independently from us, we are not responsible for their privacy practices or personal data processing policies. You should consult the privacy notices of those third-party services for details on their practices.
9. The public, such as when you have an opportunity to make comments regarding us or our products that we may share with the public, including comments on our blog posts and reviews on our product pages. Any non-sensitive Personal Data in comments, reviews, or other content that you share in public areas of our Digital Properties may be read, collected, or used by other users or the public.
10. Entities to which you have consented to the disclosure.

COOKIES AND OTHER TRACKING TECHNOLOGIES

Our Digital Properties and authorized third parties use cookies and other tracking technologies (collectively “Cookies”) to collect information about you, your device, and how you interact with our Digital Properties. For further detail please see our Cookie Policy. This section contains additional information about:

• The types of tracking technologies we use and the purposes for which we use them.
• The types of information we collect using these technologies.
• How we disclose or make information available to others.
• Choices you may have regarding these technologies.

1. Types of cookies and tracking technologies we use
   We and the third parties that we authorize may use the following tracking technologies:
   • Cookies, which are a type of technology that install a small amount of information on a user’s computer or other device when they visit a website. Some cookies exist only during a single session, and some are persistent over multiple sessions over time.
   • Pixels, web beacons, and tags, which are types of code or transparent graphics. In addition to the uses described below, these technologies provide analytical information about the user experience and help us customize our marketing activities. In contrast to cookies, which are stored on a user’s computer hard drive, pixels, web beacons, and tags are embedded invisibly on web pages.
   • Session replay tools, which record your interactions with our Digital Properties, such as how you move throughout our Digital Properties and engage with our webforms, in order to identify and fix technical issues visitors may be having with our Digital Properties.
   • Embedded scripts and SDKs, which allow us to build and integrate custom apps and experiences on our Digital Properties.
2. Purposes for using these technologies
   • Personalization, such as remembering language preferences, pages, and products you have viewed in order to enhance and personalize your experience when you visit our Digital Properties.
   • Improving performance, such as maintaining and improving the functionality and features of our Digital Properties.
   • Analytics, such as analyzing how our websites are used. For example, we use Google Analytics to help us improve the user experience. Google Analytics may use cookies and other tracking technologies to perform their services. To learn how Google Analytics collects and processes data, please visit www.google.com/policies/privacy/partners.
   • Advertising, such as conducting advertising and content personalization on our Digital Properties and those of third parties; tracking activity over time and across different websites and other digital properties to develop a profile of your interests and advertise to you based on those interests (“interest-based advertising”); providing you with offers and online content that may be of interest to you; and measuring the effectiveness of advertising campaigns and our communications with you, including identifying how and when you engage with one of our emails.
   • Security, such as preventing fraud and malicious behavior.
   We and authorized third parties use these technologies for purposes such as:
3. Information collected
   These tracking technologies collect data about you and your device, such as your IP address, location (both approximate and precise) cookie ID, device ID, Ad ID, operating system, browser used, browser history, search history, and information about how you interact with our Digital Properties (such as pages on our Digital Properties that you have viewed and information you have submitted).
4. Disclosures of your information
   We may disclose information to third parties or allow third parties to directly collect information using these technologies on our Digital Properties, such as social media companies, advertising networks, companies that provide analytics including ad tracking and reporting, security providers, and others that help us operate our business and Digital Properties.
5. Your choices
   Some of the third parties we work with may participate with the Digital Advertising Alliance (“DAA”) and Network Advertising Initiative (“NAI”). The DAA and NAI provide mechanisms for you to opt out of interest-based advertising performed by participating members at http://www.aboutads.info/choices/ and https://optout.networkadvertising.org/. You may also click on the AboutAds icon on an advertisement and follow the instructions on how to opt out.

Please be advised that if you choose to block, reject, disable, delete or change the management settings for any or all of the aforementioned technologies and/or other tracking, data aggregation and data analysis technologies, then certain areas of the website might not function properly.

Notwithstanding the foregoing, The Company does not permit third parties or third-party cookies to access to any communications you have with the Providers, or medical information that you submit to the Providers for diagnosis and treatment purposes.

Please refer to your browser’s Help instructions to learn more about how to manage cookies and the use of other tracking technologies. If you change computers, devices, or browsers, use multiple computers, devices, or browsers, or delete your cookies, you may need to repeat this process for each computer, device, or browser. Opting out of interest-based advertising will not opt you out of all advertising, but rather only interest-based advertising from us or our agents or representatives. Some browsers have incorporated Do Not Track (“DNT”) preferences.

DATA SECURITY AND DATA RETENTION

While we maintain robust and comprehensive security safeguards, it’s important to note that no security measures or communications over the internet can be 100% secure. However, we are committed to protecting the security of your information to the best of our ability.

To ensure the security of your Personal Data, we employ industry-standard encryption protocols. The Company employs strict access control measures to ensure that only authorized personnel can access Personal Data. These measures include role-based access controls, multi-factor authentication, and regular access reviews. All access to Personal Data is logged and monitored to detect and prevent unauthorized access attempts.

In the event of a data breach, we have established procedures to respond promptly and effectively. Our response includes immediately investigating the incident, containing the breach, and notifying affected individuals and relevant authorities as required by applicable laws. We will provide timely updates and guidance to affected individuals on steps they can take to protect themselves. In the event of a security incident, we have established a clear process for internal reporting and response. All employees are required to immediately report any suspected or confirmed security breaches to our dedicated security team through our secure incident reporting system. Our team will then assess the situation, take necessary containment measures, and notify affected parties as required by applicable laws.

To maintain the integrity of our data protection measures, we conduct comprehensive security audits on a quarterly basis. These audits cover all aspects of our data handling processes, including but not limited to access controls, encryption practices, and third-party service provider compliance. Additionally, we engage independent third-party auditors annually to perform a thorough assessment of our security posture and data protection practices. Additionally, to ensure the highest standards of data protection, we provide regular training to our staff on data security and privacy responsibilities.

All third-party service providers with access to Personal Data are subject to rigorous security requirements and a comprehensive vetting process. This process includes security assessments, contractual obligations for data protection, and regular compliance audits. We ensure that these providers maintain security standards that are at least as stringent as our own.

To protect your Personal Data, we use industry-standard encryption protocols for all data transmissions between our systems and external parties. Additionally, we implement strong encryption measures for all data stored in our systems or at rest.

Your Personal Data will be retained as long as necessary to fulfil the purposes we have outlined above unless we are required to do otherwise by applicable law. The retention period for different categories of personal data is determined based on the following criteria: (1) Contact information: retained for the duration of our business relationship plus 2 years; (2) Financial information: retained for 7 years as required by tax laws; (3) Usage data: retained for 3 years to improve our services; (4) Health-related data: retained for 10 years as required by healthcare regulations. These retention periods ensure that we can provide you with the products or services you have requested, maintain our business relationship, improve our business over time, ensure the ongoing legality, safety and security of our services and relationships, and comply with legal requirements. Once you have terminated your relationship with us, we may retain your Personal Data in our systems and records for these specified periods to ensure the fulfillment of any surviving provisions in terminated contracts, comply with legal requirements, or for other legitimate business purposes. However, we will respect your rights under applicable data protection laws, including your right to have your data deleted upon request, subject to certain exceptions.

We may also retain certain data in anonymized form for analytical purposes to improve our services. When data is retained for analytics, we implement strict safeguards, including data anonymization and access controls, to protect your privacy.

After the retention period ends, we employ a secure data deletion process. This process involves: (1) Identifying data that has reached the end of its retention period; (2) Permanently erasing electronic records using industry-standard data wiping techniques; (3) Securely shredding or incinerating physical records; and (4) Confirming the complete deletion of data across all our systems and backups. The affiliated healthcare providers and/or laboratories follow similar secure deletion processes for any information they hold. This ensures that your data is completely and irreversibly removed from our systems once it is no longer needed. The affiliated healthcare providers and/or laboratories may dispose of or delete any such information at any time, except as set forth in any other agreement or document executed by the affiliated healthcare providers and/or laboratories or as required by law. We have implemented an automated system to ensure that Personal Data is deleted after the applicable retention period expires.

You have the right to delete your Personal Data. To exercise this right, please submit a request via email to support@mito.me with the subject line "Data Deletion Request." In your request, please specify the Personal Data you wish to have deleted. Upon receiving your request, we will verify your identity to ensure the security of your data. Once verified, we will process your deletion request within 30 days, subject to any legal obligations that may require us to retain certain information. We will notify you once the deletion process is complete. Please note that in some cases, we may need to retain certain information to comply with legal requirements or to protect our rights. In such cases, we will inform you of the specific reasons for retaining the data.

YOUR PRIVACY SETTINGS AND CONTROLS

It’s your data, and we make it easy to make decisions and certain choices about it. We do not make choices on your behalf for the privacy settings described below. Below are the types of controls you have in your Account Settings and we’ve listed what it means to opt-out or to opt-in:

Storing your sample

• Opt-out: No, I do not want my sample stored. If you choose to discard your sample, it will be securely destroyed after the lab completes its analysis, subject to laboratory legal and regulatory requirements. Note, a discard choice cannot be reversed.
• Opt-in: Yes, I want my sample stored. Learn more about Biobanking.

Viewing your health reports

• Opt-out: No, I do not want to receive my health reports.
• Opt-in: Yes, I do want to receive health reports, if available.

Personalized recommendations

• Opt-out: No, I do not want to receive Personalized Recommendations based on my sensitive data categories.
• Opt-in: Yes, I want to receive Personalized Recommendations to receive custom health and wellness recommendations, offers, and other information based on my sensitive data categories.

Communications preferences

• Opt-out: Please don’t contact me for promotional purposes. In addition to changing your preferences via Account Settings or your device, you can also click the “unsubscribe” button at the bottom of promotional email communications.
• Opt-in: Yes, you can contact me (such as through email, in-product notifications, or push notifications) for product or promotional purposes.

Research participation

• Opt-out: I don’t want to participate in Mitome Research. If you experience difficulties changing your consent status in Account Settings, contact us at support@mito.me. You can change your mind any time about your participation, however any research involving your data that has already been performed or published prior to your withdrawal from Mitome Research will not be reversed, undone, or withdrawn.
• Opt-in: Yes, I’d like to participate in Mitome Research.

You can also:

Access & Download: You can access and download your Personal Data processed by Mitome. Please note, if you lose access to your account, we require that you submit additional information to verify your identity before providing access or otherwise releasing information to you.

Correct Information: You can correct your Registration Information and modify Self-Reported Information entered into surveys.

Delete your Account: You can delete your account within your Account Settings at any time. Upon account deletion, we will automatically opt you out of Research and discard your sample.

Keep in mind this process cannot be canceled, undone, withdrawn, or reversed, and your account deletion is subject to retention requirements and certain exceptions.

TRANSACTIONS

In connection with any transaction that you conduct through the Service (e.g., the purchase or sale of any products or services on or through the Service), you may be asked to supply certain information relevant to the transaction, including, without limitation, your credit card number and expiration date, your billing address, your shipping address, your phone number and/or your email address. By submitting such information, you grant the Company without charge the irrevocable, unencumbered, universe-wide and perpetual right to provide such information to third parties (e.g., payment processing companies, buyers on the Service, sellers on the Service) for the purpose of facilitating the transaction.

All credit card, debit card and other monetary transactions on or through the Service occur through an online payment processing application(s) accessible through the Service. This online payment processing application(s) is provided by tje Company’s third-party online payment processing vendor (the "Payment Processor"). Additional information about the Payment Processor, its privacy policy and its information security measures (collectively, the "Payment Processor Policies") should be available on the Payment Processor’s website or by contacting the Payment Processor directly. Reference is made to the Payment Processor’s Policies for informational purposes only and are in no way incorporated into or made a part of this Privacy Policy. The Company's relationship with Payment Processor, if any, is merely contractual in nature, as Payment Processor is nothing more than a third-party vendor to the Company, and is in no way subject to the Company's direction or control; thus, their relationship is not, and should not be construed as, one of fiduciaries, franchisors-franchisees, agents-principals, employers-employees, partners, joint venturers or the like.

EXTERNAL LINKS

Our Digital Properties may contain links to external sites or other online services that we do not control, including those embedded in third party advertisements or sponsor information. We are not responsible for the privacy practices or data collection policies of such third-party services. You should consult the privacy notices of those third-party services for details on their practices.

JURISDICTIONAL ISSUES

The Service may only be used within certain states within the United States as described in our Terms and Conditions. Accordingly, this Privacy Policy, and our collection, use, and disclosure of your information, is governed by U.S. law.

INTERNATIONAL DATA TRANSFERS

For international transfers of your Personal Data, we will obtain your explicit consent before transferring your data to countries outside your jurisdiction, unless another legal basis for the transfer applies. For data transfers from the European Union, we ensure compliance with the General Data Protection Regulation (GDPR) and implement appropriate safeguards.

We conduct transfer impact assessments before any international transfer of Personal Data to ensure that adequate safeguards are in place to protect your data in accordance with applicable data protection laws. These assessments help us evaluate and mitigate any risks associated with cross-border data transfers. We comply with all applicable country-specific legal requirements for international data transfers. This may include, but is not limited to, implementing standard contractual clauses, binding corporate rules, or other approved transfer mechanisms as required by the laws of your jurisdiction and the destination country. We regularly review and update our practices to ensure compliance with evolving international data transfer regulations.

Where applicable, we adhere to adequacy decisions made by the European Commission regarding the appropriate level of data protection in third countries. This ensures that data transfers to these countries are conducted in compliance with EU data protection laws.

We will notify data subjects about the international transfer of their personal data, including the recipients or categories of recipients, and the countries or international organizations to which the data is transferred. This notification will be provided at the time of data collection or before the first transfer occurs.

To protect your personal data during international transfers, we implement appropriate safeguards such as encryption, pseudonymization, and access controls. We also ensure that recipients of your data are bound by contractual obligations to maintain the confidentiality and security of the transferred data. These measures are regularly reviewed and updated to ensure ongoing protection of your information.

Partners who collaborate with us on promotional opportunities, including co-branded products and services. This may include international partners who may receive your Personal Data as part of these collaborations, subject to appropriate safeguards and data protection measures.

In cases where we rely on your consent for international data transfers, you have the right to withdraw your consent at any time. If you choose to withdraw your consent, we will cease transferring your Personal Data internationally, unless another legal basis for the transfer applies. Please note that withdrawing your consent does not affect the lawfulness of processing based on consent before its withdrawal. To withdraw your consent or exercise any of your data protection rights, please contact us using the information provided in the "Contact Us" section of this policy.

THIRD PARTIES

This Privacy Policy does not address or apply to, and we are not responsible for, the privacy, information or other practices of any third parties, including, without limitation, the providers, the manufacturer of your mobile device, and any other third-party mobile application or website to which our Service may contain a link. These third parties may at times gather information from or about you. We do not control and are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of each website and application you visit and use.

MISCELLANEOUS

We strive to use reasonable physical, technical and administrative measures to protect information under our control. However, you must keep your Account password secure and your Account confidential, and you are responsible for any and all use of your Account. If you have reason to believe that the security of your Account has been compromised, please notify us immediately in accordance with the "Contacting Us" section below.

When using the Service, you may choose not to provide us with certain information, but this may limit the features you are able to use or may prevent you from using the Service all together. You may also choose to opt out of receiving certain communications (e.g., newsletters, promotions) by emailing us your preference. Please note that even if you opt out, we may still send you service-related communications.

We do not currently respond to web browser "do not track" signals or other mechanisms that provide a method to opt out of the collection of information across the networks of websites and online services in which we participate. If we do so in the future, we will describe how we do so in this Privacy Policy.

CONTACT INFORMATION

If you have questions regarding this Privacy Notice, please contact us via email at support@mito.me or by mail at: Mitome, 9825 Ne 2nd Ave #530114, Miami, FL 33153.

As required by applicable data protection laws, we have appointed a Data Protection Officer (DPO) to oversee our data protection practices. You can contact our DPO at support@mito.me. For concerns related to data protection compliance, you may also contact the relevant regulatory authority. In the United States, this is typically the Federal Trade Commission (FTC), which can be reached at https://www.ftc.gov/contact.

PRIVACY NOTICE FOR RESIDENTS OF CALIFORNIA, COLORADO, AND OTHER U.S. STATES

This Privacy Notice for U.S. State Residents applies to residents of California, Washington, Colorado, Virginia, Utah, and Connecticut and contains information required by the California Consumer Privacy Act (“CCPA”), as amended by the California Privacy Rights Act, the Colorado Privacy Act (“CPA”), the Virginia Consumer Data Protection Act (“VCDPA”), the Utah Consumer Privacy Act (“UCPA”), the Washington My Health My Data Act (“MHMDA”), and the Connecticut Data Privacy Act (“CTDPA”) (collectively, “U.S. State Data Protection Laws”), as amended or replaced from time to time, along with any implementing regulations, and supplements our Privacy Policy.

This policy, together with the Mitome Privacy Policy, includes the information and disclosures we are required to provide to you under U.S. State Data Protection Laws. You should read them both carefully.

Mitome applies certain privacy controls to all U.S. customers. For example, all customers can request a copy of their data, request deletion, and control their privacy settings in their Account Settings. This notice makes sure we cover state-specific requirements. In the event of any conflict between the terms of this notice and the Privacy Policy, the terms of this notice prevail.

Here is a summary before we dive into the details:

• You have the right to know whether we sell or share your Personal Data and opt-out of a sale or sharing of your Personal Data with a third party.
• You have the right to receive an overview of the Personal Data we collect, how we use it, and who we share it with.
• You have a right to limit use and sharing of your sensitive Personal Data.
• You have the right to access your Personal Data and get a copy of it.
• You have the right to correct inaccurate Personal Data.
• You have the right to delete your Personal Data.
• You or your authorized agent can always contact us if you have a question at support@mito.me.

When we talk about “Personal Data” in this notice, we mean any information that identifies, relates to, describes, is capable of being associated with you, or could reasonably be linked, directly or indirectly, with you, and as otherwise defined in the U.S. State Data Protection Laws. The U.S. State Data Protection Laws do not consider publicly available information, deidentified, or aggregate consumer information as “Personal Data.”

We will not attempt to reidentify deidentified information (except as necessary to test our deidentification processes to ensure no individuals can be identified) and will use it only in deidentified form.

Let’s start with your privacy rights first. You have the right to:

• Know what Personal Data we collect, use, disclose, share, or sell.
• Receive a copy of your Personal Data.
• Correct inaccurate Personal Data.
• Delete your Personal Data.
• Receive your Personal Data in a portable and, if technically feasible, in a readily usable format.
• Opt out of targeted advertising, the sale or sharing of your Personal Data with third parties, and/or profiling in the furtherance of decisions that produce legal or similarly significant effects. Please see our Cookie Policy for more information.
• Limit the use and sharing of your sensitive Personal Data. Sensitive Personal Data includes, but is not limited to, Personal Data that reveals your racial or ethnic origin, religious beliefs, mental or health conditions or diagnosis, sex life or sexual orientation, citizenship or immigration status, genetic data, precise geolocation, or as otherwise defined in applicable U.S. State Data Protection Laws. Your Mitome intake form, Genetic Information, and other Self-Reported Information likely include sensitive personal data.
• Not receive discriminatory treatment if you exercise your privacy rights.
• California Shine the Light: If you are a California resident, you may opt out of sharing your Personal Data subject to California Civil Code §1798.83 (the “Shine the Light law”) with third parties for those third parties’ direct marketing purposes by emailing our team at support@mito.me.

We make it easy to exercise your rights to know, correct, and delete your Personal Data by making them available through your Account Settings. To access Account Settings, you must login to your Mitome account.

If you do not have a Mitome account and would like to make a privacy rights request, or to appeal an action we made related to your privacy request, you can email us at support@mito.me with the subject line “Privacy Rights Request”. We will require some additional information to verify your identity in order to process your request. Alternatively, you may exercise your privacy rights through an authorized agent. If you use an authorized agent, we will require you to verify your identity and confirm that you have provided the authorized agent permission to submit the request on your behalf.

We will respond to your request within 45 days, and in more difficult cases we may extend our response time by another 45 days. The easiest way to exercise your rights is through your Account Settings so we can quickly verify your identity. Your rights under the U.S. State Data Protection Laws are not absolute and Mitome may exercise limitations or exemptions as permitted by the U.S. State Data Protection Laws.

Notice of Right to Opt-Out of Sale/Sharing

Like many websites, Mitome uses cookies (including other tracking technologies) for targeted or cross-context behavioral advertising. Cookies require your Web-Behavior Information to work.

Under the CCPA, this use of your data for cross-context behavioral advertising may constitute a “sale” or “sharing” of personal data. We let advertising providers collect identifiers (IP addresses, cookie IDs, and mobile IDs), activity data (browsing, clicks, app usage), device data, and geolocation data through our sites and apps when you use our online service. In the past 12 months, these categories of personal data may have been “sold” or “shared” as defined under CCPA. We do not have actual knowledge of selling or sharing personal data of users under the age of 16.

Mitome believes in providing you with a frictionless experience by responding to Global Privacy Control (“GPC”) signals sent by your browser or mobile device. A GPC is a signal from your browser that notifies us of your privacy preferences, such as whether or not you want us to drop cookies on your device. To check your GPC preferences, check out the settings or extensions in your browser or mobile device. Learn more about GPC. Otherwise you can always opt-out of cross-context behavioral or targeted advertising any time via Account Settings.

Notice of Financial Incentive

We may provide special offers and benefits to certain customers. For example, a customer may be invited to get a free kit via a discount code or special promotion. Such offers and benefits are voluntary and customers can choose not to accept the free kit. If a customer accepts a free kit, they can choose to close their account at any time via Account Settings or by contacting us at support@mito.me. We collect the same Personal Data from a customer with a free kit as a customer who purchased their kit from us. Both customers’ Personal Data will be handled as detailed in this Policy.

While we do not assign a monetary value to the personal data we collect from a customer with a free kit, we do receive value in the form of customer loyalty, Research participation (if they choose to opt-in to Research), and increased engagement. The value of the personal data that we collect is reasonably related to the expenses related to our offering to you. This value will vary by customer depending on their engagement on the Mitome Services, and many other factors.

File a complaint under the California Genetic Information Privacy Act or the Virginia Genetic Information Privacy Act

We encourage you to reach out to us with any complaints or concerns at support@mito.me. Residents of the state of California or the state of Virginia may also file complaints if they believe certain rights were infringed under the California Genetic Information Privacy Act or the Virginia Genetic Information Privacy Act.

If you are a California resident, you may file a complaint with the California Attorney General, or your California county district attorney. Residents of cities with more than 750,000 residents may file a complaint with their city attorney, and residents of cities with full-time city prosecutors may file a complaint with their city prosecutor. If you wish to file a complaint with your district attorney, city attorney, or city prosecutor, contact their local office for more information.

If you are a Virginia resident, you may file a complaint with the Virginia Attorney General, or contact the Virginia Consumers Protection Hotline at 1-800-552-9963.

Information We Collect

As detailed in our Privacy Statement, we collect Personal Data for various purposes with privacy principles in mind.

Below, we describe the categories of Personal Data as defined under the CCPA for California residents, and may include reference to certain key definitions from our Privacy Statement. Some of the categories below require separate opt-in consent and these categories do not necessarily reflect all of the types of information that we may collect about you. We will provide you a separate notice if we collect any additional Personal Data about you. Some Personal Data included in the categories may overlap with other categories.

In the last twelve (12) months, we have collected the following categories of Personal Data:

• Identifiers: Registration Information and information contained in Web-Behavior Information and/or User Content such as your name, display name, address, online identifier, IP address, email address, username, or other similar identifiers.
• Personal information categories listed in the California Customer Records provisions: Certain information from Registration Information (including payment information), certain User Content (such as your name, address, or phone number), and/or certain Self-Reported Information (such as details about your employment or education).
• Characteristics of protected classifications under California or federal law: Certain information from Registration Information, Self-Reported Information, and/or User Content, such as your age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, and genetic information (including familial genetic information). You can review protected classes under California law here.
• Commercial information: Certain information from Self-Reported Information and/or User Content such as products or Services purchased, obtained, or considered, survey responses regarding past purchasing history, information about products you purchased or considered, or other purchasing or consuming histories or tendencies.
• Audio, electronic, visual, thermal, olfactory, or similar information: Certain information from Self-Reported Information and/or User Content you provide to us through surveys or other engagement on our platform, such as when you upload a profile picture.
• Professional or employment-related information: Certain information from Self-Reported Information and/or User Content such as education, household income, occupation, and other professional information. This information can be collected when you apply for a job with Mitome, fill out a survey, or otherwise engage with us.
• Biometric information: Certain information from Self-Reported Information and/or User Content such as physiological, behavioral, and biological characteristics that can be used to establish an individual’s identity. To the extent we collect this information, we collect it directly from you when you choose to share it with us.
• Internet or other electronic network activity information: Web-Behavior Information such as data generated from your use of our Services and collected through log files, cookies, web beacons, and similar technologies. Such information may include your browser type, domains, page views, how long you spent on a page or feature of the website, or other data about your engagement with our Services.
• Geolocation data: Web-Behavior Information that includes the identification or estimation of physical location or movement.
• Inferences drawn from other personal information: Inferences and Derived Data includes any information, data, assumptions, or conclusions Mitome infers based on analyses of facts, evidence, or another source of information or data. Mitome may derive Genetic Information, such as imputed genotype data, genetic risk scores, and phenotypes (which are observable characteristics or traits). Generally this information is created by Mitome and not collected directly from you. Mitome may derive information from data that was collected in relation to our genetic testing services, directly from you, or through tracking technology.
• Sensitive personal information: Genetic and Biochemical Information, and certain Registration Information, Sample Information, and Self-Reported Information may be considered “sensitive.” This includes data that reveals your: social security, driver’s license, state identification card, or passport number; account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to your account; precise geolocation; racial or ethnic origin, religious or philosophical beliefs, or union membership; mail, email, and/or text messaging contents where Mitome is not an intended recipient; and genetic data.

Mitome may access publicly available information or public records from federal, state, or local government records (e.g., vital records, census data).

How We Use Your Personal Data

As defined under the CCPA for California residents, Mitome may use Personal Data listed above for the purposes described below or at your direction. Such purposes include:

• Providing Services: To provide our Services to you, including maintaining or servicing your account, providing customer service, processing or fulfilling orders and transactions, and more.
• Audit: Auditing related to a current interaction and concurrent transactions, or compliance with applicable laws or standards.
• Security and Integrity: Detecting security incidents, maintaining integrity, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity.
• Debugging: Debugging to identify and repair errors that impair existing intended functionality.
• Transient Use: Short-term, transient use, including, but not limited to, nonpersonalized advertising shown as part of your current interaction with our business, provided that your Personal Data is not disclosed to another third party and is not used to build a profile about you or otherwise alter your experience outside the current interaction. This use is limited to non-sensitive Personal Data.
• Advertising and Marketing: To provide advertising and marketing to you, including cross-context behavioral advertising. Check out our Cookie Policy for more information on how we use your Web-Behavior Information for cross-context behavioral advertising. This use is limited to non-sensitive Personal Data.
• Research and Development: Internal research that Mitome performs to improve and develop its products and services.
• Quality Assurance and Product Improvement: Activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by Mitome, and otherwise to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by Mitome.

If you have given your explicit consent, for example via a data transfer authorization or other consent document, we may use, disclose, or share your Personal Data for commercial or research purposes to third parties. The purpose, such as recruitment for external research or participation in Mitome Research, may vary and will be described in the consent at that time.

We do not use or disclose sensitive Personal Data for purposes other than the business purposes permitted by CCPA, which include, for example, to perform our services, to detect and prevent security incidents, to perform services on behalf of the business, and other purposes as allowed by CCPA. When sharing data with third parties, we may anonymize or de-identify the information where appropriate and feasible to protect your privacy. However, some services may require the use of identifiable information. In such cases, we ensure that appropriate safeguards are in place to protect your data.

Washington Consumer Health Data Privacy Policy

If you are a Washington resident, the Washington My Health My Data Act (“WAMHMD”) requires us to provide you with the following additional information about: (1) the categories of “Consumer Health Data” (as defined in the WAMHMDA) we collect including how we use the data; (2) the categories of sources from which the consumer health data are collected (3) the categories of consumer health data that are shared; (4) a list of the categories of third parties and specific affiliates with whom we share the consumer health data; and (5) how a consumer can exercise the rights provided by the act. Please see the following chart for the information:

Your Rights

• You have the right to confirm whether we collect your Consumer Health Data, how we use it, and whether we shared or sold it, including the contact information of any third parties to whom we shared or sold your Consumer Health Data. You also have the right to obtain a copy of that Consumer Health Data free of charge.
• You have the right to withdraw your consent from our collection and sharing of Consumer Health Data.
• You have the right to have your Consumer Health Data deleted.

If for any reason we decline a request you make while exercising these rights, you have the right to appeal our decision. If you are a Washington resident, you may file a complaint with the Washington Attorney General, or contact the Washington Consumers Protection Hotline at 1-800-551-4636.

To exercise any of these rights, you may utilize the controls in your Account Settings or email support@mito.me.

Changes to this notice

Mitome will periodically review and update this notice. We recommend visiting this page to stay aware of any changes. If we modify this notice, we will make the revised notice available through our website.

PRIVACY NOTICE FOR CHILDREN (YOUNGER THAN 18)

The Site is not directed at, marketed to, nor intended for, children under 18 years of age. As a general rule, we do not knowingly collect any information, including Personal Data, from children under 18 years of age. If you believe that we have inadvertently collected Personal Data from a child under the age of 18, please contact us at the address in the Contact Information section below, and we will take prompt steps to delete the information.

Our Site is intended for use by individuals who are at least 18 years of age or such older age as may be required by applicable state laws in the jurisdiction in which an individual utilizes the Service. The Site and Service is not designed or intended to attract, and is not directed to, children under eighteen (18) years of age. If we obtain actual knowledge that we have collected personal data through the Site from a minor, we will use reasonable efforts to refrain from further using such personal data or maintaining it in retrievable form.

Notwithstanding the foregoing, the Site and Services provided by Mitome are not designed for, intended to attract, or directed towards minors under the age of 18 years. However, Mitome acknowledges that there may be instances where the collection of personal data from minors is necessary for the utilization of the Site or Services under the consent or request of the parent or legal guardian of such minors. In such cases, Mitome will only collect personal data from minors upon receiving express written consent from a parent or legal guardian of the minor. This consent will authorize the minor's access and use of the Site or Services, as well as for Mitome, to process the minor's personal data as described in this Privacy Policy.

The Children's Online Privacy Protection Act of 1998 and its rules (collectively, "COPPA") require us to inform parents and legal guardians (as used in this section, "Parents") about our practices for collecting, using, and disclosing personal data from persons under the age of 18 ("Children"). It also requires us to obtain verifiable consent from a child's parent for collecting, using, and disclosing the child's personal data.

This section notifies parents of:

• The types of information we may collect from children.
• How we use the information we collect.
• Our practices for disclosing that information.
• Our practices for notifying and obtaining parents' consent when we collect personal data from children, including how a parent may revoke consent.
• All operators that collect or maintain information from children through this Website or Service.

This section only applies to children under the age of 18 and supplements the other provisions of this Privacy Policy. Only the other provisions of this Privacy Policy apply to teens and adults.

Terms that are defined in the general Privacy Policy have the same meanings as used in this Privacy Policy for Children Under the Age of 18.

Information We Collect from Children

Children can access many parts of the Website/App/Service and its content and use many of its features without providing us with personal data. However, some content and features are available only to registered users or require us to collect certain information, including personal data, from them. In addition, we use certain technologies, such as cookies, to automatically collect information from our users (including children) when they visit or use the Website/App/Service.

We only collect as much information about a child as is reasonably necessary for the child to participate in an activity, and we do not condition his or her participation on the disclosure of more personal data than is reasonably necessary.

Information We Collect Directly

A minor or their respective guardian or parent must provide us with the following information to register with this website: the child's first name, birth date, and a parent's email address. We also require the child to create a member name and password. We may request additional information from your child, but this information is optional. We specify whether information is required or optional when we request it.

Automatic Information Collection and Tracking

We use technology to automatically collect information from our users, including children, when they access and navigate through the Website/App/Service and use certain of its features. The information we collect through these technologies may include:

• One or more persistent identifiers that can be used to recognize a user over time and across different websites and online services.
• Information that identifies a device's location (geolocation information).

We also may combine non-personal data we collect through these technologies with personal data about you or your child that we collect online.

For information about our automatic information collection practices, including how you can opt out of certain information collection, see the "Automatic Information Collection and Tracking" and "Choices About How We Use and Disclose Your Information" sections of our Privacy Policy.

How We Use Your Child's Information

We use the personal data we collect from your child to:

• register him or her with the Site/Service;
• communicate with him or her about activities or features of the Website/App/Service that may be of interest;

We use the information we collect automatically through technology and other non-personal information we collect to improve our Website/App/Service and to deliver a better and more personalized experience by enabling us to:

• Estimate our audience size and usage patterns.
• Store information about the child's preferences, allowing us to customize the content according to individual interests.
• Speed up your child's searches.

Our Practices for Disclosing Children's Information

We do not share, sell, rent, or transfer children's personal data other than as described in this section.

We may disclose aggregated information about many of our users, and information that does not identify any individual or device. In addition, we may disclose children's personal data:

• To third parties we use to support the internal operations of our Website/App/Service and who are bound by contractual or other obligations to use the information only for such purpose and to keep the information confidential.
• If we are required to do so by law or legal process, such as to comply with any court order or subpoena or to respond to any government or regulatory request.

If we believe disclosure is necessary or appropriate to protect the rights, property, or safety of Mitome our customers or others, including to:

• protect the safety of a child;
• protect the safety and security of the [Website/App/Service]; or
• enable us to take precautions against liability.
• to law enforcement agencies or for an investigation related to public safety.

If Mitome is involved in a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of Mitome’s assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding or event, we may transfer the personal data we have collected or maintain to the buyer or other successor.

Accessing and Correcting Your Child's Personal Data

At any time, you may review the child's personal data maintained by us, require us to correct or delete the personal data, and/or refuse to permit us from further collecting or using the child's information.

You can review, change, or delete your child's personal data by: Logging into your child's account and visiting the account profile page, or sending us an email at support@mito.me. To protect your privacy and security, we may require you to take certain steps or provide additional information to verify your identity before we provide any information or make corrections.

Operators That Collect or Maintain Information from Children

No other third-party operators may collect or maintain personal data from children through the Website/App/Service.

Changes to this notice

Mitome will periodically review and update this notice. We recommend visiting this page to stay aware of any changes. If we modify this notice, we will make the revised notice available through our website.