Carbon Health Privacy Policy

Last modified: January 26, 2022

Carbon Health Technologies, Inc. (“Carbon Health” “we,” “our,” or “us”) is committed to protecting your privacy.

You and your data are not our product. Our business is your health, not your data. We do not sell your data.

To understand how Carbon Health protects your privacy, we suggest that you start by reading our Privacy Overview,
which is a summary of our privacy protections as represented by this document. The Privacy Overview is organized
to present answers for privacy concerns that are most regularly discussed with us, and it also links to our full
Privacy Policy below. We recommend that you carefully review the full policy.

Privacy Overview

Keeping Your Data Yours

Do we sell personal information? No

Do we sell Protected Health Information (“PHI”)? No

Do we sell aggregate or de-identified healthcare information? No

Do we use Protected Health Information (“PHI”) for advertising or marketing purposes? No

Do we delete personal information received by our Website upon request? Yes,
where allowed by law.

Respecting Your Protected Health Information

Do we employ protections specific to Protected Health Information (“PHI”)? Yes

Do we abide by healthcare laws for the preservation of healthcare information? Yes

Do we share healthcare information with your employer or your school? Only with your explicit, signed, authorization.

Do we delete healthcare information collected from our Website and Application upon request?Yes, where allowed by law.

Do we allow you to download, receive copies of, and where appropriate make corrections to your Protected Health
Information (“PHI”)? Yes

Our Privacy Tooling, Your Privacy Choices

Is your healthcare data, your Protected Health Information (“PHI”), protected by default? Yes.

Do we provide the same stringent protections for all users, from individuals to large enterprises? Yes

Do we allow users to opt-out of receiving advertising or marketing content? Yes

Do we delete non-healthcare information collected from our Website upon request? Yes, where allowed by law.

Do we use non-healthcare information collected from our Website for advertising or marketing purposes? Yes

Do we allow users to opt-out of receiving targeted advertising or marketing content? Yes

Do we allow users to opt-out of receiving Carbon Health promotional emails? Yes

Tracking Technologies, Analytics, and Customer Engagement

Do we use Cookies (or browser cookies) to receive and store certain types of information? Yes

Do we allow users to refuse to accept browser cookies by activating the appropriate setting in their web browser
or mobile device? Yes

Do we use web analytics services to help us analyze your use of our Website, and to help us identify and address
technical issues? Yes

Do we use customer engagement platforms to help us improve our services? Yes.

Do we allow users to opt-out of receiving targeted advertising or marketing content? Yes

Hardware and Smartphone Device Features

Do our applications leverage hardware and smartphone device features? Yes

1. Introduction

Carbon Health Technologies, Inc. (“Carbon Health,” “we,” “our,” or “us”) respects your privacy, and we are
committed to protecting it through our compliance with this policy and also through our compliance with our
Notice of Privacy Practices (“HIPAA Privacy Practices”, “Notice of HIPAA Privacy Practices”).

This Privacy Policy (our “Privacy Policy”) describes the types of information we may receive from you or that you
may provide when you visit the website carbonhealth.com (our “Website”) and the Carbon Health applications
(collectively, our “Application”) and our practices for collecting, using, maintaining, protecting, and
disclosing that information.

This Policy does not define how we ensure our adherence to Federal and State laws regarding your Protected Health
Information, including the Health Insurance and Portability Act of 1996 (“HIPAA”). Our policies regarding the
processing of your Protected Health Information (“PHI”) are covered in our Notice of Privacy Practices (“HIPAA
Privacy Practices”). Our HIPAA Privacy Practices define how we preserve the privacy of your Protected Health
Information, and you should refer to that document, not this one, regarding all processes associated with your
healthcare records and other PHI.

Carbon Health websites and applications, including carbonhealth.com that do not require secure accounts and
authentication, do not host Protected Health Information (“PHI”). Our websites and applications that do not host
PHI are available to everyone on the internet, and represent information made generally available by us, and
these sites receive information made available by visitors and users.

While it is important to understand the difference between the content generally
exchanged between us and users of our websites and applications that do not require you to have an account, and
the information shared by, and with, Carbon Health through our private sites and applications that require
authorized accounts, for all personal information you share with us the following holds true:

We do not sell any personal information that may have been received by any Carbon Health websites or
applications you may have visited or otherwise used.

Furthermore, we have committed that:

• We will not sell any of your personal information from our websites or applications whether they are
  freely/publicly available or if they require accounts.
• We will not sell any of your Protected Health Information (“PHI”).
• We will not sell your data in any form, even if de-identified to an extent ensuring there is no reasonable
  basis to believe it could be used to identify an individual, including you.
• To understand how Protected Health Information (“PHI”) may be used and disclosed by Carbon Health please
  refer to our Notice of Privacy Practices (“HIPAA Privacy Practices”).

In addition to these protections that we provide for all data, we do also employ a great number of additional
privacy measures and restrictions specific to your PHI as detailed in ourHIPAA Privacy Practices. Please reference that policy for
information about the care and handling of your Protected Health Information.

This Privacy Policy applies to information that is not Protected Health Information, and which we may collect:

• on our Website and Application that do not require you to have an account;
• in email, text, and other electronic messages between you and our Website and Application that do not
  require you to have an account;
• when you interact with our advertising and applications on third party websites and services, if those
  applications or advertising include links to this policy.

This policy does not apply to information collected by:

• Third party websites, products, or services, even if they link to our Applications or Websites
• Third party websites, products, or services (including advertising), that we may link to from our Public
  Websites
• Data that may be collected by us offline.

Please read this document carefully to understand our policies and practices regarding your information that is
not Protected Health Information, and how we will treat it. If you do not agree with our policies and practices,
your choice is not to use our Website and Applications. By accessing or using our Website and/or Application,
you agree to this Privacy Policy. This Privacy Policy may change from time to time (see Changes to Our Privacy Policy). Your continued use of our Website or Application
after we make changes is deemed to be acceptance of those changes, so please check this Privacy Policy
periodically for updates.

2. Children Under the Age of 18

If you are under the age of eighteen (18) and wish to create an account with Carbon Health, your parent or legal
guardian must create the account, submit your Personal Data, and agree to these Terms of Use on your behalf. If
you are under the age of 13, you may only use our services or access our Website or Application with the
supervision and consent of your parents or legal guardians, including the Provider consultation services. If we
learn that we have collected personal information from someone under the age of 13 that was not provided with
the supervision and consent of the minor’s parents or legal guardian, we will promptly delete that information.
If you believe we have impermissibly collected personal information from someone under the age of 13, please
contact us at privacy@carbonhealth.com or call us at
1-844-234-7741.

3. Information We Collect About You and How We Collect It

Generally

We collect several types of information from and about users (collectively, “Personal Data”) of our
Website and Application that do not require you to have an account. As noted above, all information collected
from our websites and applications that do require accounts and secure authentication, and all healthcare data,
is considered Protected Health Information by Carbon Health and you should refer to our HIPAA Privacy Practices to understand our care and handling of that
information. This policy describes our processing of Personal Data that is not PHI, but which may include
information:

• by which you may be personally identified, such as name, address, e-mail address, telephone numbers, date of
  birth, bank account numbers, credit or debit card number (for payment purposes only), driver’s license
  numbers or other government issued identification (to verify age and identity), images and video of you;
• about your Internet connection, the equipment you use to access our Website or use our Application and usage
  details, such as traffic data, logs, referring/exit pages, date and time of your visit to our Website or use
  of our Application, error information, clickstream data, and other communication data and the resources that
  you access and use on the Website or through our Application.

We collect this information:

• directly from you when you provide it to us;
• automatically as you navigate through the Website or use our Application. Information collected
  automatically may include usage details, IP addresses, and information collected through cookies and other
  tracking technologies; and
• From third parties, for example, our business partners.

Information You Provide to Us

The information we collect on or through our Website or through our Application that do not require you to have
an account includes:

• information that you provide by filling in forms on our Website or the Application. This includes
  information provided at the time of registering to use our Website or Application, purchasing some products,
  or requesting some services. We may also ask you for information when you report a problem with our Website
  or Application;
• records and copies of your correspondence (including email addresses), if you contact us; and
• details of non-healthcare transactions you carry out through our Website or through the Application and of
  the fulfillment of your orders. You may be required to provide financial information before placing an order
  through our Website or Application.

You also may provide information to be published or displayed (hereinafter,
“posted”) on public areas of the Website or Application or transmitted to other users of the Website or
Application or third parties (collectively, “User Contributions”). Your User Contributions are posted on
our Website or Application and transmitted to others by your own actions, and at your own risk. Although we
limit access to certain pages, please be aware that no security measures are perfect or impenetrable.
Additionally, we cannot control the actions of other users of the Website and Application with whom you may
choose to share your User Contributions. Therefore, we cannot and do not guarantee that your User Contributions
will not be viewed by unauthorized persons.

Information We Collect Through Automatic Data Collection Technologies

As you navigate through and interact with our Website and Application, we may use automatic data collection
technologies to collect certain information about your equipment, browsing actions, and patterns, specifically:

• details of your visits to our Website or Application, such as traffic data, location, logs, referring/exit
  pages, date and time of your visit to our Website or use of our Application, error information, clickstream
  data, and other communication data and the resources that you access and use on the Website or in the
  Application; and
• information about your computer, mobile device, and Internet connection, specifically your IP address,
  operating system, browser type, and Application version information.

The information we collect automatically may include Personal Data or we may maintain it or associate it with
Personal Data we collect in other ways or receive from third parties. We will not share any of your Protected
Health Information (“PHI”) with third parties except as detailed in our HIPAA Privacy Practices. Our use of automatic data collection
technologies defined in this policy does not change any of the protections applied to your PHI and you should
refer to our HIPAA Privacy Practices and not this document to understand
how your PHI is protected. We employ automatic data collection technologies to help us to improve our
Website and Application and to deliver a better and more personalized service as they enable us to:

• estimate our audience size and usage patterns;
• improve our product and services offering;
• store information about your preferences, allowing us to customize our Website and our Application according
  to your individual interests;
• recognize you when you return to our Website and our Application.

The technologies we use for this automatic data collection may include:

• Cookies (or browser cookies). We and our service providers may use cookies and other technologies to
  receive and store certain types of information whenever you interact with our Website and Application
  through your computer or mobile device. A “cookie” is a small piece of data sent from a website and stored
  on the user’s computer by the user’s web browser while the user is browsing. On your computer, you may
  refuse to accept browser cookies by activating the appropriate setting on your browser, and you may have
  similar capabilities on your mobile device in the preferences for your operating system or browser. However,
  if you select this setting you may be unable to access certain parts of our Website or use certain parts of
  our Application. Unless you have adjusted your browser or operating system setting so that it will refuse
  cookies, our system will issue cookies when you direct your browser to our Website or use our Application.
• Google Analytics. We use Google Analytics, a web analytics service provided by Google, Inc.
  (“Google”) to collect certain information relating to your use of the Website. Google Analytics uses
  cookies to help the Website analyze how users use the site. You can find out more about how Google uses data
  when you visit our Website by visiting “How Google uses data when you use our partners’ sites or apps”,
  (located atwww.google.com/policies/privacy/partners/).
  We may also use Google Analytics Advertising Features or other advertising networks to provide you with
  interest-based advertising based on your online activity. For more information regarding Google Analytics
  please visit Google’s website, and pages that describe Google Analytics, such as www.google.com/analytics/learn/privacy.html.
• Customer Engagement Platforms. We may use customer engagement platforms to help us improve
  our services: to help us identify problems with how we present or collect data; to help inform users of
  services and features available to them; to help improve site content.
• Hardware and Smartphone Device Features. Our healthcare applications can use
  hardware and smartphone device features made available by the Windows, MacOS, Apple iOS, and Google Android
  operating systems, providing functionality that empowers your healthcare journey:
  • To help you find a nearby pharmacy, you can permit access to your device location data.
  • To enable a telehealth visit from the comfort of your own home, you can allow the applications to
    access your device camera and microphone.
  • To help secure your account, or to receive an SMS notification of an upcoming appointment, you may
    choose to share your phone number with the applications.
  • To allow you to add to, update, or otherwise augment your healthcare record, you can enable the
    applications to upload specific files, images, as well as audio and video files, by permitting the
    app to access files stored on your device. Including but not limited to: Allowing the app access to
    your camera roll or photo storage, allowing the app access to your local drive/files.
  • To enable connections to your Home Health devices, such as a heart rate monitor or a blood glucose
    monitor, Bluetooth and WiFi features can be shared with the applications.
  • To share step counter and other health data with your healthcare provider, you can enable the
    applications to access such data on smartphones that support these features.
  • To be notified of health events that affect you, such as when your healthcare record has been
    updated, or new lab results have been received, you can enable push notifications to be received by
    the mobile applications.

4. How We Use Your Information

Carbon Health will use and disclose Protected Health Information only as permitted in Carbon Health’s HIPAA Privacy Practices or in agreements with other medical
providers, including your own medical provider (if you do not use a Carbon Health Provider) and we only collect
the PHI we need to fully perform our services and to respond to you or your Provider. The care and handling of
PHI, whether by Carbon Health (or your own medical provider if you do not use a Carbon Health Provider) must be
defined by a Notice of Privacy Practices (“HIPAA Privacy Practices”) describing the collection, use, and
disclosure of your health information. If you do not use a Carbon Health Provider, please ask your provider to
provide you with their Notice of Privacy Practices(“HIPAA Privacy Practices”).

To understand how Carbon Health may use Protected Health Information (“PHI”) please refer to our HIPAA Privacy Practices and not this Policy. The Carbon Health HIPAA Privacy Practices do not apply to healthcare workers that are
not provided by Carbon Health

For clarity, our use of any information we collect that constitutes Protected Health Information (“PHI”) under
the U.S. Health Insurance Portability and Accountability Act (“HIPAA”) is described in our HIPAA Privacy Practices and not this Policy.

Data we receive that is not PHI may include information that we collect about you or that you provide to us,
including any Personal Data used:

• to present our Website and its contents to you;
• to present our Application;
• to provide our products and services to you;
• to provide you with information, products, or services that you request from us or that may be of interest
  to you;
• to process, fulfill, support, and administer transactions and orders for products and services ordered by
  you;
• to provide you with notices about your Carbon Health account;
• to contact you in response to a request;
• to administer surveys and solicit feedback;
• to fulfill any other purpose for which you provide it;
• to carry out our obligations and enforce our rights arising from any contracts entered into between you and
  us, including for billing and collection;
• to notify you about changes to our Website, our Application, or any products or services we offer or provide
  though them;
• in any other way we may describe when you provide the information; and
• for any other purpose with your consent.

We will not use Protected Health Information (“PHI”) for any purpose that is not defined in our HIPAA Privacy Practices, including advertising or marketing
purposes, without your consent.

We may use your information that is not PHI to contact you about goods and
services that may be of interest to you, including through newsletters. If you wish to opt-out of receiving such
communications, you may do so at any time by clicking unsubscribe at the bottom of these communications, by
visiting your Account page, or by reaching out to our support team available from support@carbonhealth.com. For
more information, see Choices About How We Use and Disclose Your
Information.

5. Disclosure of Your Information

We do not sell Personal Data. We do not share or otherwise disclose your Personal Data for purposes other than
those outlined in this Privacy Policy. We will not use Protected Health Information (“PHI”) for any purpose
that is not defined in our HIPAA Privacy Practices, including
advertising or marketing purposes, without your consent. We may disclose aggregated information about
our users, and information that does not identify any individual, without restriction.

We may disclose Personal Data we collect, or you provide, that is not Protected Health Information as described
in this Privacy Policy:

• to contractors, service providers, and other third parties we use to support our business. The services
  provided by these organizations include providing IT and infrastructure support services, and ordering,
  marketing, and payment processing services;
• to a buyer or other successor in the event of a merger, divestiture, restructuring, reorganization,
  dissolution, or other sale or transfer of some or all of our assets, whether as a going concern or as part
  of bankruptcy, liquidation, or similar proceeding, in which Personal Data held by Carbon Health about our
  Website and Application users are among the assets transferred;
• to fulfill the purpose for which you provide it. For example, we may disclose your personal information to a
  Provider;
• for any other purpose disclosed by us when you provide the information;
• with your consent.

We may also disclose your Personal Data:

• to comply with any court order, law, or legal process, including to respond to any government or regulatory
  request;
• to affiliates and third parties to market their products or services to you if you have not opted out of
  these disclosures. For more information, see Choices About How We Use
  and Disclose Your Information;
• to enforce or apply our Terms of Use and other agreements, including for billing
  and collection purposes; and
• if we believe disclosure is necessary or appropriate to protect the rights, property, or
  safety of Carbon Health, our customers, or others. This includes exchanging information with other companies
  and organizations for the purposes of fraud protection and credit risk reduction.

6. Choices About How We Use and Disclose Your Information

We do not sell Personal Data. We do not share or otherwise disclose your Personal Data for purposes other than
those outlined in this Privacy Policy. We will not use Protected Health Information (“PHI”) for any purpose that
is not defined in our HIPAA Privacy Practices, including advertising
or marketing purposes, without your consent.

We do not control the collection and use of your Personal Data that is not Protected Health Information defined
in our HIPAA Privacy Practices, and which may be collected by third
parties as described above in the Disclosure of Your Information section
of this Policy. These third parties may aggregate the information they collect with information from
their other customers for their own purposes.

We strive to provide you with choices regarding the Personal Data you provide to us. We have created mechanisms
to provide you with control over your Personal Data:

• Tracking Technologies and Advertising. You can set your browser or operating system to refuse all or
  some cookies, or to alert you when cookies are being sent. If you disable or refuse cookies, please note
  that some parts of our Website or Application may then be inaccessible or not function properly
• Promotional Offers from Carbon Health. If you do not wish to have your email address used by Carbon
  Health to promote our own products and services, you can opt-out at any time by clicking the unsubscribe
  link at the bottom of any email or other marketing communications you receive from us, or by adjusting
  settings found when logged onto your Account page. This opt out does not apply to information provided to
  Carbon Health as a result of a product purchase, or your use of our services.
• Targeted Advertising. To learn more about interest-based advertisements and your
  opt-out rights and options, visit the Digital Advertising Alliance
  and the Network Advertising Initiative (NAI) websites (www.aboutads.info and www.networkadvertising.org). Please note that if you choose
  to opt out, you will continue to see ads, but they will not be based on your online activity. We do not
  control third parties’ collection or use of your information to serve interest-based advertising. However,
  these third parties may provide you with ways to choose not to have your information collected or used in
  this way. You can also opt out of receiving targeted ads from members of the NAI on its website.

7. Your Rights Regarding Your Information and Accessing and Correcting Your Information

You can review and change your Personal Data by logging into our Website or Application and visiting either the
Settings or Account sections of our Application or Website. You may also notify us through the Contact Information below of any changes or errors in any Personal Data we
have about you to ensure that it is complete, accurate, and as current as possible or to delete your account. We
cannot delete your personal information except by also deleting your account with us. We may also not be able to
accommodate your request if we believe it would violate any law or legal requirement or cause the information to
be incorrect.

With respect to any Protected Health Information that Carbon Health may obtain, you have certain rights under
HIPAA to access your data, to restrict use and disclosure of it, to request communication methods, to request
corrections to your data, to receive an accounting of disclosures and to receive notice of any breach. To
understand your rights regarding your Protected Health Information please see our HIPAA Privacy Practices, or if you do not use a Carbon Health
Provider, please ask your Provider for their Notice of Privacy
Practices (“HIPAA Privacy Practices”), for more information.

8. Do Not Track Signals

We also may use automated data collection technologies to collect information about your online activities over
time and across third-party websites or other online services (behavioral tracking). Some web browsers permit
you to broadcast a signal to websites and online services indicating a preference that they “do not track” your
online activities. At this time, we do not honor such signals, and we do not modify what information we collect
or how we use that information based upon whether such a signal is broadcast or received by us.

9. Data Security

We have implemented measures designed to secure your Personal Data from accidental loss and from unauthorized
access, use, alteration, and disclosure. We use encryption technology for information sent and received by us.
We also employ other security practices, such as data segmentation, access log collection, automated monitoring,
and other security controls.

The safety and security of your information also depends on you. Where you have chosen a password for the use of
our Website or Application, you are responsible for keeping this password confidential. We ask you not to share
your password with anyone.

Unfortunately, the transmission of information via the Internet is not completely secure. Although we work
diligently to try and protect your Personal Data, we cannot guarantee the security of your Personal Data
transmitted to our Website or on or through our Application. Any transmission of Personal Data is at your own
risk. We are not responsible for circumvention of any privacy settings or security measures contained on the
Website, in your operating system, or in the Application.

10. California Residents

Carbon Health has committed to honor the terms of the California Consumer Privacy Act of 2018 (CCPA) in the care
and handling of your Personal Data that is not Protected Health Information protected by other laws. The CCPA
expressly excludes personal information collected, processed, sold, or disclosed pursuant to certain
sector-specific privacy laws, including medical information governed by the California Confidentiality of
Medical Information Act (CMIA), protected health information collected by a covered entity or business associate
governed by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), or a provider of health
care governed by the CMIA or covered entity governed by HIPAA to the extent the provider or covered entity
maintains patient information in the same manner as medical information or protected health information under
the CMIA or HIPAA, respectively. This Policy does not define how we ensure our adherence to Federal and State
laws regarding your Protected Health Information, including the Health Insurance and Portability Act of 1996
(“HIPAA”). Our policies regarding the processing of your Protected Health Information (“PHI”) are covered in our
Notice of Privacy Practices (“HIPAA Privacy Practices”). Our HIPAA Privacy Practicesdefine how we preserve the privacy of your
Protected Health Information, and you should refer to that document, not this one, regarding all processes
associated with your healthcare records and other PHI.

For clarity, Protected Health Information (“PHI”) collected by Carbon Health falls under the CCPA exclusions, and
is generally exempt from the CCPA, and is instead protected by our adherence to our HIPAA Privacy Practices.

The CCPA does provide you with rights regarding your data that is not covered by healthcare related exemptions,
the handling of which is defined in our HIPAA Privacy Practices.

Your CCPA Granted Rights and How to Exercise Them

Your right to know the personal information we collect from you and how we may share or otherwise disclose
it.

The CCPA gives you the right to know the personal information we may have collected about you, and you may
request that we disclose this to you by contacting us through the channels defined in the Contact Information section of this document. This CCPA protected right will
be upheld once we receive and confirm the validity of your request.

Carbon Health does not sell Personal Data. We do not share or otherwise disclose your Personal Data for purposes
other than those outlined in this Privacy Policy. We will not use Protected Health Information (“PHI”) for any
purpose that is not defined in our HIPAA Privacy Practices. Protected
Health Information (“PHI”) collected by Carbon Health falls under the CCPA exclusions, and is generally exempt
from the CCPA, and is instead protected by our adherence to our HIPAA
Privacy Practices. The CCPA does apply to Personal Data that we collect, or you provide, as described in
this Privacy Policy, and which we may disclose. You have the right to request that we provide a means to
download your personal information that we have collected that is not exempt from the CCPA. If you make such a
request regarding data that is not PHI exempted from the CCPA, we will include a list of the categories of
personal information that we may have disclosed about you, as well as the categories of third parties to whom
your personal information may have been disclosed. To understand how we protect your PHI that is exempted from
the CCPA, please refer to our HIPAA Privacy Practices.

Contacting Us to Request a CCPA Disclosure

You may contact us through the channels defined in the Contact Information
section of this document to request a disclosure of your Personal Data that is protected by the CCPA.

The CCPA ensures that you have the right to make a request for such a disclosure twice in any 12-month period.
Carbon Health will make the requested disclosure within 45 days of receiving your request, unless we determine
the need for, and then request an extension. If we determine that we have a reasonably defined need for a 45-day
extension, we will notify you of the extension within the initial 45-day period.

Right of deletion

You have the right to request that we delete your personal information. Any such request is subject to certain
exceptions, including Federal and State laws regarding your Protected Health Information, as with the Health
Insurance and Portability Act of 1996 (“HIPAA”). Upon receipt of a deletion request from you, we will validate
the request, and then delete your personal information, as well as direct our service providers to delete any of
your personal information, unless an exception applies. To request deletion of personal information protected by
the CCPA, you may contact us through the channels defined in the Contact Information section of this document.

Right to non-discrimination

You have the right not to receive any discriminatory treatment as a result of any choice or action on your part
to exercise your privacy rights as provided by the CCPA.

Disclosures About Your Personal Information Protected by CCPA

Categories of information we collect and disclose for a business purpose

The following categories of personal information, as defined in the CCPA, are collected from you in connection
with your use of the Carbon Health Website and Application. To understand our collection, use, and disclosure of
your Protected Health Information (“PHI”) please refer to our HIPAA
Privacy Practices and not this document. Protected Health Information (“PHI”) collected by Carbon Health
falls under the CCPA exclusions, and is generally exempt from the CCPA. Personal Information that we may have
disclosed in the last twelve months that does not fall under protections documented in our HIPAA Privacy Practices, and information which is not exempt from the
CCPA, includes the following categories of personal information used for a business purpose:

• Identifiers, such as your first and last name, Internet Protocol address, email address, and other similar
  identifiers.
• Personal information categories listed in the California Customer Records provisions, including physical
  characteristics, such as weight, and payment information, such as your credit card number.
• Characteristics of protected classifications under California or federal law, such as your gender and age.
• Commercial information, such as the record of purchase of your Summit membership.
• Biometric information, such as your exercise data.
• Internet or other electronic network activity information, such as session logs.
• Geolocation data, such as the physical location of your recorded activity.
• Electronic, visual, or similar information, such as photos.
• Inferences drawn from any of the above information to create a profile reflecting your preferences,
  characteristics, behavior, abilities, and aptitudes, such as Relative Effort.

According to California law, the CCPA does not apply to, and personal information does not include:

• Publicly available information from government records.
• De-identified or aggregated consumer information.

Other disclosures about your personal information

This Policy does not define how we ensure our adherence to Federal and State laws regarding your Protected Health
Information, including the Health Insurance and Portability Act of 1996 (“HIPAA”). Our policies regarding the
processing of your Protected Health Information (“PHI”) are covered in our Notice of Privacy Practices (“HIPAA Privacy Practices”). This Privacy Policy defines additional
disclosures about your personal information that CCPA requirements ensure are provided to you. Please read the
whole of this Privacy Policy and also our HIPAA Privacy Practices to understand the various sources including
our Website and Application from which we collect your personal information, the business or commercial purposes
for which we collect your personal information, and the categories of third parties with whom we share your
personal information.

How to contact us

If you have questions about your rights or our disclosures under the CCPA, you may reach us through the channels
defined in the Contact Information section of this document.

Further, note that information regarding Carbon Health job applicants, employees, owners, directors, officers, or
contractors, emergency contact information from the same, and information necessary for Carbon Health to
administer benefits to the same, and information Carbon Health obtains from a consumer acting on behalf of a
company and whose communications with Carbon Health occur solely within the context of Carbon Health conducting
due diligence regarding, or providing or receiving a product or service to or from another company, are
generally exempt from much of CCPA, as different rules, laws, and regulations apply to your Protected Health
Information. To understand your rights regarding your Protected Health Information please see our HIPAA Privacy Practices, or if you do not use a Carbon Health
Provider, please ask your Provider for their Notice of Privacy
Practices (“HIPAA Privacy Practices”), for more information.
If you have questions about any of the foregoing, please contact us using the information set forth below
underContact Information.

11. Changes to Our Privacy Policy

We will not weaken the privacy protections applied to your Personal Data as defined in this Privacy Policy
without first notifying you. We reserve the right to make changes to this Privacy Policy at any time. It is our
policy to post any changes we make to our Privacy Policy on this page with a notice that the Privacy Policy has
been updated on the Website’s home page or the Application’s home screen. If we make material changes to how we
treat our users’ Personal Data, we will notify you by sending email to the email address specified in your
account or through a notice on the Website’s home page or the Application’s home screen. To understand your
rights regarding your Protected Health Information please see our HIPAA
Privacy Practices, or if you do not use a Carbon Health Provider, please ask your Provider for their Notice of Privacy Practices (“HIPAA Privacy Practices”), for more information. The date this
Privacy Policy was last revised is identified at the top of the page. You are responsible for ensuring we have
an up-to-date active and deliverable email address for you, and for periodically accessing the Application or
visiting our Website and reviewing this Privacy Policy to check for any changes.

12. Contact Information

If you have any questions, concerns, complaints or suggestions regarding our Privacy Policy or otherwise need to
contact us, you may contact us at the contact information below or through the “Contact Us” page on our Website
or in the Application.