PRIVACY POLICY

Privacy Notice

We at Maia Active (“we”, “us”, “our”) respect your concerns about privacy.

This Privacy Notice explains how we use any personal data we collect about you and your rights in relation to the information. "Personal data" means any information that identifies you as an individual or is capable of identifying you as an individual.

For the purpose of applicable data protection laws, including the General Data Protection Regulation (the “GDPR”), the data controller is Maia Active, a company registered in United Kingdom. Our email address is maiakhamispt@outlook.com.

Information covered by this Privacy Notice

This Privacy Notice covers all personal data collected and used by us.

This includes your name, age, postal address, email address, phone number, credit card number, details of the preferences you express to us, your comments and questions, and technical information from the devices you use to access our website. It also includes information on your body and wellbeing, including height, weight (including information on obesity), body statistics, workouts, mood, meals, nutrition and general health and wellbeing, that you decide to disclose to us on this website or through the use of our app or that is generated by the app, as well as any pictures that you choose to share with us.

Summarizing overview

Please refer to the summarizing overview below setting out the purposes, legal basis as well as applicable retention periods pertaining to the various processing activities as described in the sections above.

Processing purposes

Legal basis

Retention period

Management of your account

Article 6(1)(b) of the GDPR

36 months after your last activity

Delivery of coaching services

Articles 6(1)(b) of the GDPR

36 months after your last

1

and for health data, the legal basis is also article 9(2)(a) of the GDPR

activity – for health data and uploaded pictures, the period is instead 6 months

Marketing purposes, targeting our product to your needs (including based on a profiling of you and your activities) and customer satisfaction surveys

Article 6(1)(a) and Article 6(1)(f) of the GDPR

36 months after your last activity

Payment purposes

Article 6(1)(b) of the GDPR

60 months after your last activity

Mandatory recordkeeping

Article 6(1)(c) of the GDPR as we are required to store e.g. bookkeeping material (which may include personal data)

60 months after your last activity

Personal Data we obtain

We (and our service providers) collect this personal data from you when you:

  • purchase products or services from us, including a coaching subscription.

  • submit any information through this website.

  • create an account with us, or otherwise sign up for our services.

  • opt in to or otherwise receive marketing from us or our representatives.

  • choose to participate in our customer feedback surveys.

  • communicate with us via third-party social media websites.

  • contact us, correspond with us, or otherwise provide information to us.

    When you visit our website and/or app, we (and our service providers) may use cookies (please see our cookie policy separately on our website) and other technologies to automatically collect the following information on you:

2

• technical information, including your IP address, your login information, browser type and version, device identifier, location and time zone setting, browser plug-in types and versions, operating system and platform, page response times and download errors.

• information about your visit, including the websites you visit before and after our website and products you viewed or searched for.

• length of visits to certain pages, page interaction information (such as scrolling, clicks and mouseovers) and methods used to browse away from the page.

Within our app you may choose to:

• record a fitness activity, for example a run. You must first allow the app to access your location. Then the app will access your location data from the moment you start recording the activity until the moment you stop the recording. To ensure that your full activity is recorded, we need to continue to access the location data if the app is in the background during the activity. You can remove the permission at any time by adjusting your device settings.

• import your history of fitness activities from Apple Health or Google Fit. You must first allow the app to access your data from these sources. We will then use Google APIs to receive the information. Our use of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements.You can remove the permission at any time by adjusting your app settings.

While you are generally free to choose to what extent you share your personal data with us, please note that opting to not share such personal data may limit our ability to provide our service and our performance of the contract you have entered with us.

How we use the information we obtain

We use the personal data we collect from and about you for the following purposes:

  • to set up and manage your online account.

  • to provide our services to you, which may include

    • designing tailored meal and workout plans.

    • monitoring changes or adaptations in your body to improve your coaching cycle, and

      to combine information we receive and collect (e.g. from updates you provide on your body transformation) to provide you with a more personalised experience and to make informed decisions about future coaching to best facilitate your improvement. This also provides vital statistics which we use to better understand

3

the efficacy of different approaches to dieting and workouts.

  • a history of your fitness activities, including (where eligible) duration, distance,

    speed, activity type and heart rate, as well as an overview of your fitness

    progression.

  • access to the chat functionality, including a group chat with other clients, where you

    may post and communicate.

  • to provide you with information about our products and services (provided you have either

    consented to this or we by other means are allowed to reach out to you for marketing purposes) and by using your information to target our product to your needs (based on a profiling of you and your activities).

  • to send you invitations to participate in customer satisfaction surveys.

  • to process your payments.

  • to notify you of any changes to our services that may affect you.

  • to comply with our legal obligations to keep internal (financial) records.

    The legal bases for which we collect, use, transfer or disclose your personal data include:

  • the performance of our contract obligations with you (see article 6(1)(b) of the GDPR).

  • our legitimate interests (see article 6(1)(f) of the GDPR), which include: improving our offerings

    as a business; personalising our services and interactions with you, including profiling, to better meet your needs as a customer and target our product to your needs; and detecting and preventing fraud.

  • compliance with our legal obligations (see article 6(1)(c) of the GDPR).

  • to the extent we send you information on our products and services for marketing purposes,

    we will either ask for your consent (in accordance with article 6(1)(a) of the GDPR) before processing your information in this way or process your personal data based on our legitimate interests (in accordance with article 6(1)(f) of the GDPR - the legitimate interests are stated above).

    Pictures that you choose to share with Maia Active are used by us solely for tracking your progress and will never be shared on our website or social media unless you give your explicit consent hereto.

    The use of consent for processing of your health data

    In order for us to be able to deliver customized meal- and workout plans to you, we may process certain health data provided by you, including information on allergens, information that might reveal obesity or specific injuries or other relevant information related to your physical or mental health

4

status. In addition to the legal bases described above, the legal basis for our processing of your health information is Article 9 (2) (a) of the GDPR, which means that we will ask you for your explicit consent to allow us to process your health data prior to you becoming a client with us. Further, you may choose to make certain information public yourself e.g. by sharing personal information with us directly or to other people through the group chat. In this case, the legal basis is Article 9, (2) e) cf. Article 6 (1) b) of the GDPR.

You may at any time withdraw your consent to us processing your health data. However, you should be aware that if we are prevented from processing relevant personal data, including information on any allergens, information that might reveal obesity or specific injuries or other relevant information related to your physical or mental health status, we will not be able to provide you with our services (e.g. coaching as well as customized meal- and workout plans based on your unique needs).

Third Parties, including processing by Lenus eHealth ApS

The security of your personal data is extremely important to us. We do not sell your personal data to any third parties, and we never will.

Access to your personal data is only provided to carefully selected third parties, including:

  • our service providers who help us to provide our services to you, such as our infrastructure and IT service providers. These include Lenus eHealth ApS and Stripe, who support our business by providing technical infrastructure services, analysing product performance, providing technical assistance and facilitating payments. We note therefore that Lenus eHealth ApS may process your personal data as data processor on behalf of us. However, Lenus eHealth ApS may also act as an independent data controller in limited cases. You can read more about Lenus eHealth’s processing of your personal data as data controller (including cookies) here: https://lenusehealth.com/privacy-policy/. You can read more about Stripe’s processing of your personal data as a data processor here: https://stripe.com/en-dk/privacy.

  • our regulators, law enforcement agencies or other public authorities and organisations if we are required to disclose your personal data by law.

  • potential buyers and their advisors in case of a business transfer, such as in connection with a reorganisation, restructuring, merger, acquisition or transfer of assets, provided that the receiving party agrees to treat your personal data in a manner consistent with this Privacy Notice.

    Our website may, from time to time, contain links to and from the websites of our partners, or

5

affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy notices and that we have no control over how they may use your personal data. You should check the privacy notices of third party websites before you submit any personal data to them.

How long we retain your personal data for

Your personal data will only be stored for as long as necessary for the purposes for which they were collected and only to the extent permitted by applicable laws. When we no longer need to use your information, we will remove it from our systems and records and / or take steps to promptly anonymise it so that you can no longer be identified from it (unless we need to keep your information to comply with legal or regulatory obligations to which we are subject).

We adhere to the retention periods listed in the below table. As a general rule, we erase or anonymise your personal data according to the time limits stated below unless it is necessary that we continue to store them.

Processing purposes

Retention period

Management of your account

36 months after your last activity

Delivery of coaching services

36 months after your last activity (except health information and uploaded pictures, which is only 6 months)

Marketing purposes, targeting our product to your needs (including based on a profiling of you and your activities) and customer satisfaction surveys

36 months after your last activity

Mandatory recordkeeping including payments

60 months after the end of the fiscal year of your last activity

Any health information as well as uploaded body images will however always be deleted 6 months after your last activity.

6

Third country data transfers

The personal data that we collect from you may be transferred to, and stored at, a destination outside the European Economic Area ("EEA"), which does not offer an equivalent level of protection of the personal data to that guaranteed within the EEA. It may also be processed by staff operating outside the EEA and who work for us or for one of our service providers.

The countries outside the EEA where personal data about you may be transferred and stored include USA.

We will take all steps reasonably necessary to ensure that your personal data is treated securely and in accordance with this Privacy Notice and applicable data protection laws, including, where relevant, entering into EU standard contractual clauses (or equivalent measures) with the party outside the EEA receiving the personal data in accordance with Article 46(2)(c) of the GDPR. You can find a copy of the EU standard contractual clauses by clicking here.

Keeping your information secure

We have implemented technical and organisational security measures in order to safeguard personal data in our custody and control. Such measures we have implemented include, limiting access to personal data only to employees and authorised service providers who need to know such information for the purposes described in this Privacy Notice, as well as other technical, administrative and physical safeguards.

To provide you with increased security, certain personal data stored in your online account is only accessible via your username and password. You are responsible for maintaining the confidentiality of your online account credentials, and we strongly recommend that you do not disclose your online account username or password to anyone. We will never ask you for your password in any unsolicited communication. Please notify us immediately (see "Contact us" section below) of any unauthorised use of your online account credentials or any other suspected breach of security.

Your Personal Data Rights

You have various rights in connection with our processing of your personal data:

  • Access. You have the right to request a copy of the personal data we are processing about you, which we will provide back to you in electronic form.

  • Rectification. You have the right for any incomplete or inaccurate personal data that we

7

process about you to be rectified.

  • Deletion. You have the right to request that we delete personal data that we process about

    you, except we are not obligated to do so if we need to retain such data in order to comply

    with a legal obligation or to establish, exercise or defend legal claims.

  • Restriction. You have the right to restrict our processing of your personal data where you

    believe such data to be inaccurate, our processing is unlawful or that we no longer need to process such data for a particular purpose. Where we are not able to delete the data due to a legal or other obligation or because you do not wish for us to delete it, we would mark stored personal data with the aim of limiting particular processing for particular purposes in accordance with your request, or otherwise restrict its processing.

  • Objection. Where the legal justification for our processing of your personal data is our legitimate interest, you have the right to object to such processing on grounds relating to your particular situation. We will abide by your request unless we have compelling legitimate grounds for the processing which override your interests and rights, or if we need to continue to process the data for the establishment, exercise or defence of a legal claim.

  • Withdrawing Consent. Where we process certain personal data on the basis of your consent, you have the right to withdraw your consent, including with regard to direct marketing. In relation to the consequences of your withdrawal of consent for us to process your health data, please see above under “The use of consent for processing of your health data”.

    If you wish to exercise one or more of the above rights, please contact us with your request at maiakhamispt@outlook.com, and include your name, email and postal address, as well as your specific request and any other information we may need in order to provide or otherwise process your request.

    In some situations, we may impose limitations on your rights, as permitted by law. Before we can provide you with any information or correct any inaccuracies, where there are reasonable grounds for doubting your identity, we may ask you to verify your identity and/or provide other details to help us respond to your request. Nonetheless, verification of identity shall be carried out by cross-checking information we already hold from you. For the exercise of your rights, please contact us using the contact information provided below in the “How to Contact Us” section.

    In all cases, you have a right to file a complaint with the local data protection authority if you believe that we have not complied with applicable data protection laws. If you reside in the EU or EEA, you can find the contact details of your local data protection authority by clicking on this link.

8

How to contact us

If you have any questions about this Privacy Notice and/or about the privacy policies and practices of our service providers, please contact us at maiakhamispt@outlook.com.

Last updated: 04/01/2023