
Privacy Statement

Effective Date: June 1, 2024
Spiraldot Health, Inc.
Our commitment: Patient health information is of the utmost importance to all of our stakeholders. We are committed to maintaining strong and meaningful security systems and privacy protections as a core principle of our company. If you have questions, contact us at privacy@spiraldot.com.
Contents
  1. Introduction
  2. Data Definitions
  3. Our Business Purpose
  4. How We Collect Health Information
  5. Information Collected on Our Website
  6. How We Use Information and Data
  7. How We Disclose Information and Data
  8. How We Secure Personal Data
  9. How Long We Retain Information
  10. Patient Rights
  11. Changes to this Privacy Statement
  12. Personal Representatives
  13. Minors
  14. Supplemental Privacy Notices
  15. Data Residency and International Transfers
  16. Jurisdiction-Specific Provisions
  17. Prior Versions; Summary of Changes
Section 1

Introduction

Welcome to Spiraldot Health, Inc. ("SDH," "we," "us," "our"). This Privacy Statement describes treatment-related and other individually identifiable information we collect, including health information we collect when patients enroll in clinical trials, managed access or patient support programs, or investigational studies through our services, or information we collect from their treating physicians when they access and use our services.

This Privacy Statement explains the purposes of our data collection practices, describes limits on how we can use and disclose the information we collect, and describes the rights of patients and their treating physicians with respect to those uses and disclosures. It also describes our commitments to be transparent with our stakeholders about our data practices.

If you have any questions or concerns about this Privacy Statement, please contact us at privacy@spiraldot.com.


Section 2

Data Definitions

We use the following definitions in this Privacy Statement to ensure consistency in how we manage and communicate our data practices.

Health Information

Medical information relating to patient health status and/or the delivery of healthcare. Sources include:

  • Electronic health records
  • Claims and billing activities
  • Product, disease, and vital statistics registries
  • Patient-generated data, including in home-use settings
  • Data gathered from other sources that can inform health status, such as mobile devices
  • Medical records and data captured during clinical trials or investigational studies

Real-World Data (RWD)

A structured representation of the health information we collect that enables further analysis and machine learning, and satisfies regulatory reporting standards to support the development of real-world evidence.

Real-World Evidence (RWE)

Clinical evidence regarding the usage and potential benefits or risks of a medical product derived from the analysis of RWD, including data from randomized clinical trials, large simple trials, pragmatic trials, and observational studies.

Individually Identifiable

Information or data that can be used to identify an individual.

De-Identified

Information or data from which personal identifiers have been stripped. We may apply additional measures to further safeguard privacy, prevent re-identification, and comply with applicable laws.

Pseudonymization

We create and apply unique pseudonyms as a way to de-identify information and data. Pseudonyms do not include any individually identifiable information and are one measure we use to manage data, maintain data quality and integrity, and safeguard patient privacy.

Account and Usage Data

SDH creates and collects unique identifiers for individuals that create account credentials to use our services, which may include identifiers from the devices, browsers, and operating systems that account holders use when they access our services.


Section 3

Our Business Purpose

Our purpose is to help more patients with known or suspected cancer get access to potentially life-saving therapies, and to accelerate the treatment research and development lifecycle. We accomplish this by helping patients and their treating physicians identify and select therapies based on evidence of potential benefit.

Patients that we help connect to a given therapy enroll in one of our programs and other studies or trials that we design or identify for their participation. As part of the informed consent process, research participants direct SDH to collect, use and disclose their health information for the permitted purposes outlined in this Privacy Statement.

SDH does not disclose individually identifiable health information or RWD to trial or study sponsors, and we implement measures that control and limit the disclosure of individually identifiable information or data to other third parties.


Section 4

How We Collect Health Information

We only collect health information when we have a legal basis for doing so. Most of the time, we collect health information at the direction of and with the consent of Clinical Practitioners.

HIPAA and Protected Health Information

Most of the health information we collect is considered "protected health information" under HIPAA (the Health Insurance Portability and Accountability Act of 1996, as amended by HITECH). HIPAA is a federal medical privacy law that applies to covered health care providers, health plans, and any entity that creates, receives, maintains, or transmits protected health information on their behalf.

Collecting Data under the HIPAA Right of Access

If we collect health information at the direction of patients, we do so as the patient's designated third-party requester under the HIPAA "right of access," consistent with a Clinician's direct request or clinical review board, ethics committee, or other entity empowered by local regulations to authorize the use of data for clinical application.

Collecting and Creating Data as a HIPAA Business Associate

When we collect health information without a patient's consent, we may be doing so as a service provider or vendor of a HIPAA covered entity, acting as a "business associate." In these situations, our data practices are governed by HIPAA and other applicable state medical privacy laws.

Collecting Health Information as a Clinical Research Organization

When we help administer a study or trial, we collect health information according to the protocols for the study or trial, governed by an institutional review board and widely recognized best practice guidelines and laws.


Section 5

Information Collected on Our Website

When you use the SDH website, we may collect technical and navigational information about your visit, such as computer browser type, Internet protocol address, pages visited, and average time spent on the site. This information is used to improve our site design and functionality.

We may also use tracking technologies, such as cookies or web beacons, to improve site experience. We may share information about website use with service providers assisting us in analyzing or operating the site; however, these service providers are contractually prohibited from using that information for any other purpose.

You may reset your web browser to refuse all cookies or indicate when a cookie is being sent; however, certain features of our site or services may not work if you delete or disable cookies.

Note: Third parties, like advertising networks and analytics companies, may collect information about your online activities over time and across multiple platforms. We are not responsible for third party tracking technologies. We encourage you to review the privacy policies of these third parties.


Section 6

How We Use Information and Data

We use health information to create de-identified RWD and RWE, to improve our treatment matching algorithms, to deliver our services, and to support other activities consistent with the business purposes described in this Privacy Statement. Specifically, we use information to:

  • Deliver and manage account holder access to our online services
  • Send communications to account holders and provide customer service and technical support
  • Bill and collect payment for our services
  • Carry out our contractual obligations
  • Evaluate and improve our services
  • Maintain the security of our services and safeguard the privacy of individually identifiable information
  • Enforce our agreements and policies

Section 7

How We Disclose Information and Data to Others

We consider individually identifiable information and data that we receive to be confidential. We do not disclose individually identifiable information or data without a legal basis for doing so. Our business does not involve the sale of individually identifiable information or data for marketing purposes.

Third Party Service Providers

We share the minimum necessary individually identifiable information with third-party service providers of technology, hosting, payment processing, analytics, and customer support. These providers are required by contract to keep information confidential and are only authorized to use it for specified purposes consistent with this Privacy Statement.

Treating Physicians

We share individually identifiable RWD and RWE with the treating physicians of patients enrolled through SDH in a clinical trial or study.

Other Physicians and Third Parties, As Directed by Patients

We share individually identifiable RWD and RWE with other physicians, clinical trial teams, and with any other third parties a research participant designates, including friends and family members involved in the research participant's care.

Clinical Trial or Study Sponsors

We share de-identified RWD and RWE with biotech companies, drug manufacturers, clinical laboratories, and other entities that sponsor a patient's participation in a clinical trial or study.

Health Plans

If directed by a research participant or treating physician, we share individually identifiable RWD and de-identified RWE with health plans, typically to support requests for coverage of off-label therapies.

Nonprofit and Patient Advocacy Organizations

We share de-identified RWD and RWE with organizations that pay or subsidize costs of a patient's participation in a clinical trial or study, including non-profit foundations and patient advocacy organizations.

SDH Virtual Tumor Board

If a treating physician subscribes to SDH's virtual tumor board services, we may disclose case summaries or other reports containing de-identified RWD to other tumor board participants.

Other Clinical Researchers and Investigators

We share de-identified RWD and RWE with clinical researchers at universities, academic medical centers, biotechnology companies, drug manufacturers, and other similar enterprises.

Publications

We may publish or permit the publication of de-identified RWD or RWE when it supports the dissemination of generalized scientific knowledge.

Law Enforcement and Regulatory Authorities

We resist disclosing individually identifiable information to law enforcement or regulatory authorities unless required by law, valid court order, subpoena, or search warrant. We closely scrutinize all such requests and, where feasible, attempt to comply using only de-identified information.

Business Transfers

If we enter into a merger, acquisition, or sale of all or a controlling interest of our assets, the information and data we maintain will likely be part of the assets transferred. We will attempt to notify research participants and account holders and use reasonable best efforts to ensure the successor entity maintains commitments consistent with this Privacy Statement.


Section 8

How We Secure Personal Data

We implement industry-leading safeguards to protect our information systems from unauthorized access, disclosure, use, modification, and loss. Information security measures include secure storage, encryption of digital records in transit and at rest, periodic log reviews, and system backups.

We regularly review our data protection practices and maintain a formal training program to ensure our workforce understands their responsibilities for safeguarding information.

Despite these measures, we cannot guarantee that individually identifiable information will be absolutely safe from interception or intrusion. Account holders and patients acknowledge they consent to our collection and maintenance of individually identifiable information at their own risk.

If we believe the security of a patient's or account holder's information may have been compromised, we will notify the impacted parties via email. Notifications will include a description of what happened, types of information involved, steps individuals should take, and contact information for questions. You may contact privacy@spiraldot.com to request notification by first class mail instead.


Section 9

How Long We Retain Information

In general, we retain de-identified information or data in perpetuity. We retain individually identifiable information and data for as long as needed to maintain our information systems and comply with applicable laws.

Given the complexity of our production environment and the security measures in place, it is not feasible for us to destroy all data, particularly data created pursuant to standard electronic backup and archival procedures. However, personnel with access to these retained copies are restricted and monitored, and access is limited strictly to the extent necessary for information technology or legal duties. All individually identifiable information that is not destroyed remains subject to the Privacy Statement concurrently in effect.


Section 10

Patient Rights

Research participants can exercise any of the following rights by contacting privacy@spiraldot.com. We acknowledge emails within one business day and allow up to ten (10) business days to make a determination after verifying identification.

  • Request a copy of their PCS: a report populated with the research participant's individually identifiable RWD, including extracts from their health information.
  • Request amendment, correction, or deletion of PCS information: if a research participant believes information in their case summary is not accurate, timely, complete, or relevant.
  • Direct SDH to share a copy of their PCS with third parties: at any time, subject to feasibility while a clinical trial or study is ongoing.
  • Restrict access to copies of their PCS: direct SDH not to share a PCS with a third party, or to stop sharing updates with a third party.
  • Revoke SDH's authorization to continue requesting health information: this will not impact current trial enrollment but may limit future participation.
  • Request that health information be deleted: subject to regulatory recordkeeping requirements. SDH may retain a de-identified copy for research purposes.
  • Request an accounting of disclosures to third parties: an accounting of referenced PCS activities made at the direction of the patient or their treating physicians.

Section 11

Changes to this Privacy Statement

We reserve the right to change this Privacy Statement. If we make material changes, we will notify you by updating the "Effective Date" at the top of this document and posting the new policy on our website. Your continued use of our Services after any changes to this Privacy Statement signifies your acceptance of the new terms.


Section 12

Personal Representatives

SDH may allow individuals recognized as a patient's "personal representative" or "legal guardian" under applicable state law to give consent for the patient to become a research participant. SDH recognizes parents of children under the age of majority in the state where they live, or the holder of a medical power of attorney as personal representatives, absent actual knowledge to the contrary. SDH reserves the right to verify the identity and authority of individuals holding themselves out as personal representatives.


Section 13

Minors

We do not knowingly market to or solicit information from children under the age of 13. A parent or personal representative of a patient under the applicable legal age of consent must give consent for the patient to become a research participant. If we obtain actual knowledge that we have collected individually identifiable health information about a minor without their legal representative's consent, we will use reasonable efforts to refrain from further using such information and take steps to delete it as feasible.


Section 14

Supplemental Privacy Notices

We may provide additional privacy notices that supplement or amend the disclosures contained in this Privacy Statement when account holders or patients access services of SDH not described here. Those notices control with respect to the services they reference when they conflict or are inconsistent with this Privacy Statement.


Section 15

Data Residency and International Transfers

Regional Data Containment

As a general practice, SDH seeks to store and process personal data within the region in which it was collected. We do not routinely transfer individually identifiable health information, RWD, or RWE across regional boundaries except:

  • At the documented direction of an authorized customer, healthcare provider, sponsor, or research organization;
  • As necessary to support approved clinical care, research, study, or trial workflows;
  • To authorized service providers or sub-processors operating under contractual confidentiality and data protection obligations; or
  • As otherwise required or permitted by applicable law.

Where permitted by law, SDH may transfer or process de-identified, aggregated, or anonymized data outside the region in which it was collected.

International Transfers

If personal data is transferred across borders from jurisdictions with transfer restrictions (such as the EEA, United Kingdom, or Switzerland), SDH implements appropriate safeguards consistent with applicable law, which may include:

  • Adequacy decisions recognized by applicable regulators;
  • Standard Contractual Clauses (SCCs);
  • Binding Corporate Rules (BCRs), where applicable; or
  • Other lawful transfer mechanisms recognized under applicable privacy and data protection laws.

Regardless of where personal data is processed, SDH maintains administrative, technical, and organizational safeguards designed to protect personal data during storage, use, and transfer.


Section 16

Jurisdiction-Specific Provisions

16A. European Economic Area, United Kingdom, and Switzerland

If you are located in the EEA, United Kingdom, or Switzerland, SDH processes personal data in accordance with applicable data protection laws, including the GDPR (EU) 2016/679, the UK GDPR, and related implementing legislation.

SDH generally acts solely as a processor, service provider, or sub-processor, processing personal data only on the documented instructions of healthcare providers, research organizations, study sponsors, or other authorized controllers.

Legal Basis for Processing

Where SDH processes personal data directly or independently, legal bases may include:

  • Data subject consent;
  • Performance of a contract;
  • Compliance with legal obligations;
  • Protection of vital interests;
  • Legitimate interests pursued by SDH or authorized third parties, where permitted by law; or
  • Scientific, medical, or healthcare research authorized under applicable law.

Data Subject Rights (EEA, UK, Switzerland)

Subject to applicable law, individuals may have rights to:

  • Access personal data;
  • Correct inaccurate information;
  • Request deletion or restriction of processing;
  • Object to certain processing activities;
  • Request portability of personal data; and
  • Withdraw consent where processing relies on consent.

Because SDH generally acts as a processor or service provider, requests regarding personal data may be directed to the relevant healthcare provider, sponsor, research organization, or other controller responsible for the data.

Authorized Sub-Processors

SDH engages authorized sub-processors only after appropriate diligence and contractual safeguards are implemented, including data protection agreements and appropriate security requirements. Information regarding current authorized sub-processors may be requested by contacting privacy@spiraldot.com.

16B. California

Under California Civil Code Sections 1798.83–1798.84, California residents are entitled to ask us, once per year, for a notice identifying categories of information shared with affiliates and/or third parties for marketing purposes. SDH does not currently have any affiliates and does not use individually identifiable information or data for marketing purposes.

California Consumer Privacy Act (CCPA/CPRA)

This Privacy Statement is available in English. Please contact help@spiraldot.com if you experience difficulty reading it or accessing any of our services.

Right to Know

California residents can request a disclosure in machine-readable format of the categories and specific pieces of individually identifiable information collected about you and your household during the preceding 12 months (limit two times per 12-month period).

Right to Opt-Out of Sale of Your Information

SDH does not sell any individually identifiable information or data, or use it for marketing purposes.

Deletion Rights

California residents may request that their personal information be deleted. For more information, see Section 10 (Patient Rights) above.


Section 17

Prior Versions; Summary of Changes

A summary of material changes to this Privacy Statement will be documented here in accordance with the current policy and any future changes in policy and/or services.