CUDIS Privacy Policy

Introduction

At Beatbit Inc. ("we", "our", "CUDIS", “cudis”, or "us"), we prioritize your privacy and are committed to protecting the personal and sensitive information you share with us through the cudis.xyz and CUDIS Wellness App. This privacy policy outlines our data collection, usage, sharing, and retention practices, ensuring compliance with international data protection laws.

By using our app, you agree to the terms outlined in this policy. If you do not agree, please discontinue use of the app.

1. Information We Collect

Health and Fitness Data

• Activity Metrics: Information related to your fitness activities such as step count, sleep data, heart rate, exercise, HRV, RHR, blood oxygen saturation, and other wellness metrics, Here’s why we need access to these health data:

  • ActiveCaloriesBurned

    We use this to show users how many calories they burn during workouts so they can track fitness goals. Without it, core exercise tracking features would not work.

  • Distance

    Distance data lets users see how far they've run or walked everyday. It’s essential for walking/running tracking.

  • CyclingPedalingCadence / ExerciseSession

    This is needed to show users’ cycling and exercise activities. Without it, core exercise tracking features would not work.

  • StepsCadence / Steps

    We use step count and cadence to measure daily activity and help users monitor and improve their walking routines.

  • SleepSession

    Sleep data lets users view their sleep duration and patterns, helping them improve sleep quality and overall health.

  • HeartRate

    Heart rate is vital for monitoring workout intensity and heart health, and for alerting users to abnormal values.

  • OxygenSaturation

    We use this to help users monitor their blood oxygen levels during sleep and exercise, supporting respiratory and fitness health.

  • RestingHeartRate

    Resting heart rate helps users track heart health trends and fitness progress over time.

  • HeartRateVariabilityRmssd

    This data allows users to monitor stress, recovery, and readiness for exercise.

• Manually Entered Health Data: Any health-related information you choose to manually input, including diet, exercise, female health tracking, and personal wellness goals.

Personal and Device Information

• Wallet Address: For blockchain-based transactions within the app.

• Device Information: Including device type, operating system, IP address, unique device identifiers, and mobile network information.

• Physiological Profile: Including birthday, gender identity, weight, and height.

• Interaction Data: How you interact with the app, including feature usage, session times, and click paths.

• Geolocation Data: Such as GPS, IP Address, and movement on certain exercise types if you give permission for us to collect this data.

Sensitive Information

• Any other information you voluntarily provide that may be considered sensitive under privacy laws, including information related to physical or mental health.

2. How We Use Your Information

We collect and use the information for the following purposes:

• Personalization: To offer customized wellness insights and recommendations based on your health and fitness data.

• Transaction Processing: Using wallet addresses for secure transactions related to in-app purchases or blockchain activities.

• Analytics and Improvements: To understand user behavior and improve app performance, features, and user experience.

• Legal Compliance: To comply with laws, regulations, and requests from legal authorities.

• Enable Third-party Integrations and Services: We process personal data you provide to us to enable third party integrations, services, features, and offerings. For example, with your permission, our Services may integrate with third party services like Google Health Connect and Apple HealthKit, or our partners. CUDIS takes measures to help ensure third-party services protect your personal data, which means that CUDIS only processes your data with respect to third-party integrations when you choose to integrate them with our Services, or when you provide the necessary consents. We process the data we receive from these third-parties according to applicable terms, such as the Google Health Connect Permissions policy and Google Limited Use requirements, as well as relevant third-party developer license agreements, as we become aware of those policies and agreements.

3. How We Share Your Information

We take your privacy seriously and only share data in the following circumstances:

• Service Providers: We may share your data with third-party providers who assist with services such as data storage, cloud infrastructure, analytics, and customer support.

• Business Transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity.

• Legal Obligations: We may share your data in response to a legal request or to comply with applicable laws.

• User Consent: We will share your information if you explicitly consent to such sharing.

We do not sell your personal or sensitive information to third parties.

4. How You May Share Personal Data Through CUDIS

Depending on your use of the Services, you may share Personal Data with:

• Other users of the Services, such as through our CUDIS sharing features, which allow you to share information and content with other users of the Service. Users are by default searchable by other users.

• Third-party social media platforms or linked accounts, devices, or features, when you choose to connect your account on those services with CUDIS or post content to social media, such as through the CUDIS sharing feature.

• The Public: When you make Personal Data visible to other users of the Services, including through the CUDIS sharing features, it may become publicly available and can be collected, viewed, and used by anyone.

• Managing Entities: If your use of the Services is on behalf of or managed by a managing entity, such as a coach, team, organizing body, or other affiliated entity, your account information and Personal Data may be shared with the managing entity subject to your consent. The managing entity will determine how the relevant information and content is shared.

• Corporate Wellness Programs: If you use the Services in connection with an employer or organizational corporate wellness program, we may share your information with that organization subject to your consent. Typically, we will share only Aggregated Data with these organizations.

5. Data Security

We are committed to ensuring the security of your data. We implement appropriate technical and organizational measures, including:

• Encryption: We encrypt sensitive data both in transit and at rest.

• Access Control: We limit access to your personal data to authorized personnel who need it to perform their duties.

• Regular Audits: We conduct regular audits of our data security practices to ensure compliance with industry standards.

Despite these measures, no security protocol is 100% secure. We encourage users to take steps to protect their own data, such as using strong passwords and enabling two-factor authentication where available.

6. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes outlined in this policy or as required by law. The specific retention period may vary depending on the type of data:

• Health Data: Retained for as long as you use the app to allow for continuous wellness insights.

• Personal Information: Retained until your account is deleted or upon your request.

• Legal Requirements: Some data may be retained for longer periods as required by legal obligations.

7. User Control and Data Deletion

You have control over the data you provide and can exercise the following rights:

• Access and Correction: You may request access to or correction of your personal data at any time.

• Data Deletion: You can request the deletion of your account and data by contacting us at [support@cudis.xyz]. We will process your request in accordance with applicable laws.

8. Children’s Privacy

Our app is not intended for use by children under the age of 18. We do not knowingly collect personal data from children. If you believe we have collected data from a child under the age of 18, please contact us at [support@cudis.xyz] so we can take appropriate action.

9. International Data Transfers

We may transfer your data to servers located outside of your country of residence. When we do so, we ensure that appropriate safeguards are in place, in accordance with applicable data protection laws.

10. CUDIS AI Coach & Third-Party AI Technology

CUDIS AI Coach is a generative AI feature that is intended to help you understand and make progress toward your goals, decipher CUDIS concepts, and provide educational guidance, integrating with the rest of the CUDIS experience. CUDIS AI Coach combines your unique, anonymized CUDIS metrics with the science of CUDIS to help optimize your health, fitness, and performance.

If you use CUDIS AI Coach, please note that CUDIS AI Coach leverages third-party AI technology provided by our LLM partner. This technology is trained on real-world data to generate intelligent and personalized responses in conversations with users. Responses are based on your requests and relevant information collected through your CUDIS metrics.

We require our LLM partner to use your anonymized CUDIS metrics only for the purpose of generating responses. Our LLM partner has a “Zero-Retention/Zero Training Policy” with respect to your CUDIS metrics, meaning they will not store, retain, or use your metrics for any training purposes.

CUDIS may retain the history of your conversations with CUDIS AI Coach to ensure you continue to have access to previous conversations. You may delete your CUDIS AI Coach chat data by contacting us.

11. Your Choices

• Access, update, or delete: You may access, edit, or delete certain information through your account settings. You may request full deletion of your account and data by contacting us.

• Privacy Settings: You can modify privacy settings under “Integrations & Privacy” in the app.

• Geolocation Data: You can enable or disable location services on your device.

• Wellness Data: You can stop the collection of wellness data by un-pairing your CUDIS device.

• CUDIS AI Coach: You may enable, disable, or interact with this feature as you choose.

• Do Not Track: The Services do not support “Do Not Track” requests at this time.

12. Other Sites and Services

The Services may contain links to third-party websites or online services. These are not endorsements, and we are not responsible for their actions. You should review their privacy notices to understand how they handle your data.

13. Contact Information

If you have any questions or concerns about this privacy policy or how we handle your personal information, please contact us at:

• Email: [support@cudis.xyz]

• Mailing Address: Beatbit Inc., 1234 Wellness Drive, Miami, FL 33101

14. Changes to This Privacy Policy

We reserve the right to update or modify this policy at any time. If we make material changes, we will notify you via email or within the app prior to the change becoming effective. Please review this policy periodically for any updates.

Update Date: October 8, 2024

PRIVACY NOTICE FOR CALIFORNIA RESIDENTS

We are providing this supplemental privacy notice to consumers in California, pursuant to the California Consumer Privacy Act of 2018 (the “CCPA”).

We do not sell Personal Data. As we explain in this Privacy Policy, we use Cookies and other tracking technologies to analyze website and application traffic and use, and to facilitate advertising. To limit use of Cookies and other tracking technologies, please reach out to us. You may also direct us to share your data, as described in the “How You May Share Personal Data Through CUDIS” section of the Privacy Policy.

California Privacy Rights. If you are a California resident, you have the following rights:

• Information: The Privacy Policy describes the types of Personal Data we collect in the “Information We Collect” section above. We describe the purposes for which we use and share this data in the “How We Use Your Information” section above and the “How We Share Your Information” section above.

• Access: You can request a copy of the personal information that we maintain about you.

• Deletion: You can ask to delete the personal information that we have collected from you.

• Opt-out of sale of your Personal Data: We do not sell Personal Data. We offer instructions on how to limit online tracking, please contact us at[support@cudis.xyz].

Please note that the CCPA limits these rights by, for example, prohibiting businesses from providing certain sensitive information in response to an access request and limiting the circumstances in which they must comply with a deletion request.

You are entitled to exercise the rights described above free from discrimination.

Exercising Your Rights. To exercise these rights, you can submit requests as follows:

• To request access to or deletion of Personal Data collected via your use of the Services, please either email us at [support@cudis.xyz].

• To verify your identity prior to responding to your requests, we may ask you to confirm information that we have on file about you or your interactions with us. Where we ask for additional Personal Data to verify your identity, we will only use it to verify your identity or your authority to make the request on behalf of another consumer.

• Authorized agents: California residents can empower an “authorized agent” to submit requests on the resident’s behalf. Your authorized agent may submit requests in the same manner, although we may require the agent to present signed written permission to act on your behalf, and you may also be required to independently verify your identity with us and confirm that you have provided the agent permission to submit the request.

PRIVACY NOTICE FOR EUROPEAN RESIDENTS

If you are a resident of the European Economic Area, the United Kingdom, or Switzerland (collectively, “Europe”), you may have additional rights under the General Data Protection Regulation (the “GDPR”) or other European data protection legislation.

Controller and European Representatives. Beatbit, Inc. will be the controller of your Personal Data processed in connection with the Services.

Legal Bases for Processing. The “How We Use Your Information” section above explains how we use your Personal Data. We will only process your Personal Data if we have a lawful basis for doing so. Lawful bases for processing include consent, contractual necessity and our “legitimate interests” or the legitimate interest of others but will depend on the type of Personal Data and the specific context in which we process it. However, the legal bases we typically rely on for each category of processing activity are set out below.

• Service delivery: Processing is necessary to perform our contract, or to take steps that you request prior to engaging our Services. Where we cannot process your Personal Data as required to operate the Services on the grounds of contractual necessity, we process your personal information for this purpose based on our legitimate interest in providing you with the products or Services you access and request.

• Research and development: These activities constitute our legitimate interests.

• Marketing and advertising: Processing is based on your consent where that consent is required by applicable law. Where such consent is not required by applicable law, we process your personal information for these purposes based on our legitimate interests in promoting our business.

• Compliance and protection: From time to time, we may also need to process Personal Data to comply with a legal obligation, if it is necessary to protect the vital interests of you or other data subjects, or if it is necessary for a task carried out in the public interest.

• Consent: To the extent that Wellness Data that we collect is considered health data or another special category of Personal Data subject to the GDPR, we ask for your explicit consent to process this data. You can use your account settings and tools to withdraw your consent at any time, including by unpairing your CUDIS Ring, stopping use of a feature, removing our access to a Third-Party service, or deleting your data or your account. In addition, in some cases, such as when you direct us to share it, we process Personal Data based on the consent you expressly grant to us at the time we collect such data. When we process Personal Data based on your consent, you have the right to withdraw it any time in the manner indicated at the time you give consent or in as listed in our Services.

We may use your Personal Data for reasons not described in this Privacy Policy where permitted by law and where the reason is compatible with the purpose for which we collected it. If we need to use your Personal Data for an unrelated purpose, we will notify you and explain the applicable legal basis.

Retention. To determine the appropriate retention period for your Personal Data, we consider the amount, nature, and sensitivity of the information, the potential risk of harm from unauthorized use or disclosure of your Personal Data, the purposes for which we process your Personal Data and whether we can achieve those purposes through other means, and the applicable legal requirements.

Data Subject Rights. You have certain rights with respect to your Personal Data, including:

• Access. You can request more information about the Personal Data we hold about you and request a copy of such Personal Data.

• Rectification. If you believe that any Personal Data we are holding about you is incorrect or incomplete, you can request that we correct or supplement such data. You can also correct some of this information directly by logging into your account.

• Erasure. You can request that we erase some or all of your Personal Data from our systems.

• Withdrawal of consent. If we are processing your Personal Data based on your consent (as indicated at the time of collection of such data), you have the right to withdraw your consent at any time. Please note, however, that if you exercise this right, you may have to then provide express consent on a case-by-case basis for the use or disclosure of certain of your Personal Data, if such use or disclosure is necessary to enable you to utilize some or all of our Services.

• Portability. You can ask for a copy of your Personal Data in a machine-readable format. You can also request that we transmit the data to another controller where technically feasible.

• Objection. You can contact us at[support@cudis.xyz] to let us know that you object to the further use or disclosure of your Personal Data for certain purposes, such as for direct marketing purposes.

• Restriction of processing. You can ask us to restrict further processing of your Personal Data.

• Right to file a complaint. You have the right to lodge a complaint about our practices with respect to your Personal Data with the supervisory authority of your country or European Economic Area Member State.

For more information about these rights, or to submit a request, please email us. Please note that in some circumstances, we may not be able to fully comply with your request, such as if it is frivolous or extremely impractical, if it jeopardizes the rights of others, or if it is not required by law, but in those circumstances, we will still respond to notify you of such a decision. In some cases, we may also need you to provide us with additional information, which may include Personal Data, if necessary to verify your identity and the nature of your request.

Processing of Personal Data in the United States. To provide the Services, we will process your Personal Data in the United States, where CUDIS is based. If such processing involves the transfer of Personal Data to the U.S. in a manner governed by European data protection law, the transfer will be performed pursuant to the applicable requirements of the law, such as standard contractual clauses, the individual’s consent, or other circumstances permitted by European data protection law.

Privacy Shield Certification. CUDIS certified to the EU-U.S. Privacy Shield Framework set forth by the U.S. Department of Commerce regarding the collection and use of Personal Data transferred from the EU to the U.S. For more information about the Privacy Shield Program, and to view our certification, please visit www.privacyshield.gov.

Although CUDIS no longer relies on the Privacy Shield Framework to facilitate cross-border data transfers, CUDIS remains committed to the Privacy Shield Principles of (1) notice, (2) consent, (3) accountability for onward transfer, (4) security, (5) data integrity and purpose limitation, (6) access, and (7) recourse, enforcement, and liability with respect to all Personal Data received from within the EU in reliance on the Privacy Shield before it was invalidated. The Privacy Shield Principles require that we remain potentially liable if any Third-Party processing Personal Data on our behalf fails to comply with these Privacy Shield Principles (except to the extent we are not responsible for the event giving rise to any alleged damage). Our compliance with the Privacy Shield is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission.

Please contact us at[support@cudis.xyz] with any questions or concerns relating to our Privacy Shield Certification. If you do not receive timely acknowledgment of your Privacy Shield-related complaint from us, or if we have not resolved your complaint, you may also resolve a Privacy Shield-related complaint through JAMS, an alternative dispute resolution provider located in the United States. You can visit https://www.jamsadr.com/file-an-eu-us-privacy-shield-or-safe-harbor-claim for more information or to file a complaint, at no cost to you. Under certain conditions, you may also be entitled to invoke binding arbitration for complaints not resolved by other means.

If you have any questions about this section or our data practices generally, please contact us at [support@cudis.xyz] or using the contact information above.

PRIVACY NOTICE FOR QATAR RESIDENTS

Data Subject Rights

If you reside in Qatar, you have the following rights:

• right to protection and lawful processing;

• right to withdraw consent;

• right to object to processing in certain circumstances;

• right to erasure;

• right to request correction;

• right to be notified of processing;

• right to be notified of inaccurate disclosure; and

• right to access personal data.

If you reside in Qatar, you have the right to lodge a complaint with a supervisory authority, in addition to other rights set out in the Privacy Notice. The details of the supervisory authority are as follows:

National Cyber Governance and Assurance Affairs

Email: privacy@ncsa.gov.qa.

Basis of Lawful Processing

CUDIS processes End User Personal Data on the following grounds:

• Consent: When you have provided your consent or, in the case of sensitive personal information, when you have provided your explicit consent, to our collection of your information and we have obtained permission from the supervisory authority set out above;

• Legitimate interests: When CUDIS has a legitimate business or commercial reason for using your information, and your interests and your fundamental rights do not override those interests. We have carried out balancing tests for all the data processing we carry out on the basis of our legitimate interests. You can obtain information on any of our balancing tests by contacting us using the details set out later in this notice; and/or

• Legal obligation:

  When we need to comply with a legal or regulatory obligation.

  • Before collecting or using any special categories of data (referred to as sensitive personal information in the Privacy Notice), we will only use that information:

    • With your explicit consent; and

    • After having obtained the permission of the supervisory authority set out above.

CUDIS may process your Personal Data on more than one ground depending on the reason or grounds for using your Personal Data. Please contact us at [support@cudis.xyz] if you need details about the specific grounds we are relying on to process your Personal Data.

Personal Data of Children

If you are under the age of 18, please do not attempt to register for the Services or send any Personal Data about yourself to CUDIS. If we learn that we have collected Personal Data from an unauthorized minor, we will promptly delete that information from our platform. If you believe that an unauthorized minor may have provided us Personal Data, please contact us at [support@cudis.xyz].

Security Measures

CUDIS ensures that adequate security measure comprising industry-standard encryption, regular cybersecurity assessments, continuity and disaster recovery testing, and robust access controls are implemented to protect the confidentiality, integrity, and availability of your personal information are implemented. Please contact us if you want more information on how we protect your personal information.

Transfer of Personal Data

In order to provide the Services, CUDIS will transfer your Personal Data to the United States. CUDIS will ensure that adequate safeguards are implemented if and when we need to transfer Personal Data outside of Qatar so that a similar degree of protection is afforded to it. Please contact us if you want more information on how we transfer and protect your Personal Data outside of Qatar.

PRIVACY NOTICE FOR BRAZIL RESIDENTS

If: (a) you are a Brazilian resident; (b) your Personal Information was collected in Brazil (e.g. you were located in Brazil at the moment that your Personal Information was collected); or (c) the data processing activities are being performed in Brazil, this section is applicable to you.

Controller. CUDIS, Inc. will be the controller of your Personal Data processed in connection with the Services. Our contact information is as follows:

Legal Bases for Processing. The “How We Use Your Information” section above explains how we use your Personal Data. We will only process your Personal Data if we have a lawful basis for doing so. Lawful bases for processing include consent, performance of an agreement and our “legitimate interests” but will depend on the type of Personal Data and the specific context in which we process it. However, the legal bases we typically rely on for each category of processing activity are set out below.

• Service delivery: Processing is necessary to perform our contract, or to take steps that you request prior to engaging our Services. Where we cannot process your Personal Data as required to operate the Services on the grounds of performance of an agreement, we process your personal information for this purpose based on our legitimate interest in providing you with the products or Services you access and request.

• Research and development: Processing is based on our legitimate interests.

• Marketing and advertising: Processing is based on your consent where that consent is required by applicable law. Where such consent is not required by applicable law, we process your personal information for these purposes based on our legitimate interests in promoting our business.

• Compliance and protection: From time to time, we may also need to process Personal Data to comply with a legal obligation, if it is necessary to protect the vital interests of you or other data subjects, or if it is necessary for a task carried out in the public interest.

• Consent: To the extent that Wellness Data that we collect is considered health data or another special category of Personal Data, we ask for your explicit consent to process this data. You can use your account settings and tools to withdraw your consent at any time, including by unpairing your CUDIS Ring, stopping use of a feature, removing our access to a Third-Party service, or deleting your data or your account. In addition, in some cases, such as when you direct us to share it, we process Personal Data based on the consent you expressly grant to us at the time we collect such data. When we process Personal Data based on your consent, you have the right to withdraw it any time in the manner indicated at the time you give consent or in as listed in our Services.

We may use your Personal Data for reasons not described in this Privacy Policy where permitted by law and where the reason is compatible with the purpose for which we collected it. If we need to use your Personal Data for an unrelated purpose, we will notify you and explain the applicable legal basis.

Data Subject Rights. You have certain rights with respect to your Personal Data, including:

• Right to confirmation: You have the right to obtain confirmation of the existence of the processing activity of your Personal Data. If CUDIS processes your Personal Data, you will also have the right to access such Personal Data, i.e. to obtain a simplified or complete statement about the categories of Personal Data processed, the source of the data, and the processing purposes. If your Personal Data is processed based on your consent, or on a contract entered into by you with CUDIS. You also have the right to obtain a full copy of the Personal Data that is processed based on consent or on a contract.

• Right to correction: You have the right to request the correction of incomplete, inaccurate, or outdated data about you.

• Right to anonymization, blocking or deletion: In certain cases, when your Personal Data is unnecessary, excessive or is processed in non-compliance with the LGPD, you have the right to request the anonymization, blocking or deletion of this data.

• Right to data portability: In certain cases, as defined and to the extent required by the Brazilian Data Protection Authority (ANPD), and always respecting CUDIS trade secrets, you have the right to the portability of your Personal Data to another service provider to the extent technically feasible.

• Right to deletion: In cases where your data is processed based on your consent, you have the right to request the deletion of such Personal Data, except in cases where CUDIS has the right to retain the data under the LGPD.

• Right to information on data recipients: You have the right to obtain information about the public and private entities with which CUDIS has shared your Personal Data.

• Right to refuse and revoke consent: Whenever we ask for your consent to process your Personal Data, you have the right to refuse consent. We will always inform you about this right, and about the consequences if you prefer not to provide consent. Furthermore, whenever you consent to the processing of your Personal Data for a specific purpose, you may revoke your consent at any time. In that case, all processing activities carried out up to the date of revocation of consent will be ratified.

• Right to petition the ANPD: You have the right to lodge a complaint against CUDIS before the ANPD in relation to your Personal Data.

• Right to object to unlawful processing: You have the right to object to any processing activity of your Personal Data that violates the provisions of the LGPD.

• Right to review decisions solely based on automated processing: You have the right to request a review of decisions made solely on the basis of automated processing of Personal Data that affect your interests, including decisions intended to define your personal, professional, consumer and credit profile or aspects of your personality.

For more information about these rights, or to submit a request, please email [support@cudis.xyz]. Please note that in some circumstances, we may not be able to fully comply with your request, such as if it is frivolous or extremely impractical, if it jeopardizes the rights of others, or if it is not required by law, but in those circumstances, we will still respond to notify you of such a decision. In some cases, we may also need you to provide us with additional information, which may include Personal Data, if necessary to verify your identity and the nature of your request.

Personal Data of Minors

If you are under the age of 18, please do not attempt to register for the Services or send any Personal Data about yourself to CUDIS. If we learn that we have collected Personal Data from an unauthorized minor, we will promptly delete that information from our platform. If you believe that an unauthorized minor may have provided us Personal Data, please contact us at [support@cudis.xyz].

International Transfer of Personal Data

Some of the third parties that have access to your Personal Data may be located in other countries or may process data outside Brazil. The level of data protection in the other country may not be equivalent to the level of protection in Brazil. Where we transfer Personal Data to a country that doesn't provide an adequate level of protection, we’ll only do so under appropriate safeguards to protect your Personal Data.

PRIVACY NOTICE FOR INDIA RESIDENTS

If you reside in India, you may have additional rights under applicable data protection laws.

Your Responsibility to Ensure Completeness, Accuracy and Consistency

By using our Services, you represent, warrant, and undertake to ensure that the Personal Data you provide directly to us (such as when completing your profile) is complete, accurate and consistent.

Our Responsibility for Data Processors

We are responsible for compliance with applicable data protection laws by our data processors.

Restricted Countries and Territories

We will not transfer your Personal Data to any country or territory outside India, where such transfer is restricted as per applicable law.

Grievance Redressal

If you have any questions, concerns, complaints or grievances regarding our privacy policies or our processing of Personal Data, please write to us at [support@cudis.xyz].

In the event we do not address your grievances, you may approach the Data Protection Board of India to make a complaint.

Data Subject Rights

Access. You may access:

• A summary of your Personal Data being processed by us along with information on the processing activities undertaken by us with respect to your Personal Data.

• Subject to applicable law, the identities of the third parties with whom we have shared your Personal Data along with a description of such Personal Data.

• Any other information relating to your personal data we may be required to share in accordance with applicable law.

You may submit a request to access your Personal Data in the manner described above, through the procedure prescribed under applicable law.

Correct, complete or update. You may correct inaccurate or misleading Personal Data, complete incomplete Personal Data and update Personal Data by contacting us at [support@cudis.xyz].

Withdraw consent to processing of your Personal Data. Where consent is the basis for our processing of your Personal Data, when you log into your account, you may withdraw such consent and we will, within a reasonable time and subject to applicable law, cease to process your Personal Data. However, you may no longer have access to the Services in the event you withdraw your consent to us processing your Personal Data. Upon withdrawal of your consent to us processing your Personal Data, we will also, unless we are required to retain your Personal Data for compliance with applicable law, erase your Personal Data, but may retain Aggregated Data or De-identified Data derived from or incorporating your Personal Data that does not identify you.

Erase your Personal Data. You may submit a request to erase your Personal Data in our possession, through the procedure prescribed under applicable law. Upon receipt of such request, unless we are required to retain your Personal Data for compliance with applicable law, we will erase your Personal Data, but may retain Aggregated Data or De-identified Data derived from or incorporating your Personal Data that does not identify you.

Right to nominate. You may submit a request, through the procedure prescribed under applicable law, to nominate an individual who shall, in the event of your death or incapacity, exercise your rights with respect to us processing your Personal Data.

Data Retention

We retain Personal Data for as long as reasonably necessary for the purposes described in this Privacy Policy, or as required by applicable law (e.g., for tax, legal, accounting, or other purposes), whichever is longer.

Personal Data of Children

If you are under the age of 18, please do not attempt to register for the Services or send any Personal Data about yourself to CUDIS. If we learn that we have collected Personal Data from an unauthorized minor, we will promptly delete that information from our platform. If you believe that an unauthorized minor may have provided us Personal Data, please contact us at [support@cudis.xyz].

PRIVACY NOTICE FOR ISRAEL RESIDENTS

If you are a resident of Israel, you are not obligated by law to provide us with your Personal Data, and any collection of Personal Data is subject to your consent that may be implied from your interaction with us or your use of the Services.

CUDIS Coach & Third-Party AI Technology

As long as you use our Service and as CUDIS requires in light of its legitimate business needs and legal requirements it is subject to, CUDIS may retain the history of your conversations with CUDIS Coach to ensure you continue to have access to previous conversations while using the feature.

Your Choices: Marketing Communications. We will request your consent to send you marketing materials. We will also give you the ability to opt-out of marketing-related emails and other communications by contacting us at [support@cudis.xyz], or by following the opt-out or unsubscribe instructions contained in the marketing-related message. Please note that emails related to the Services you are provided with by CUDIS will not be considered as Marketing Communications but as Service Related Communications, and therefore shall not be subject to this section.

PRIVACY NOTICE FOR JAPAN RESIDENTS

We are providing this supplemental privacy notice to consumers in Japan, pursuant to the Act on the Protection of Personal Information (the “APPI”).

Exercising your Rights

To exercise your rights including the right to access, the right to rectification, the right to erasure, the right to request for disclosure of records of third party transfers, you can email us at [support@cudis.xyz]. To verify your identity prior to responding to your requests, we may ask you to confirm information that we have on file about you or your interactions with us. Where we ask for additional Personal Data to verify your identity, we will only use it to verify your identity or your authority to make the request on behalf of another consumer.

PRIVACY NOTICE FOR MEXICO RESIDENTS

Personal data we collect. If you are a resident of Mexico, CUDIS will obtain your express consent to collect and process Wellness Data, which is considered "sensitive personal data", such as resting heart rate, heart rate variability, skin temperature, blood oxygen saturation level and acceleration; metadata on workouts and sleep; the type of physical activity you engage in and the duration of your activity; data reflecting strain and recovery; your physiological profile, including birthday, gender identity, weight, height, fitness/athlete level (e.g., professional or recreational); and details you choose to submit about your diet, medications, and female health tracking. We may use certain of this information to customize your experience with us as part of our Services.

Direct marketing and advertising. Processing your personal data for the purpose of direct marketing and advertising is not necessary for the existence, maintenance, and compliance of the legal relationship you have with us, and you always have the choice not to receive marketing information. We give you the ability to opt-out of marketing-related emails and other communications by contacting us at [support@cudis.xyz], or by following the opt-out or unsubscribe instructions contained in the marketing-related message. You cannot opt-out of receiving certain non-marketing emails regarding the Service.

How we share personal data. With your consent, we may share your personal data with advertising partners that may collect information on our website through Cookies and other automated technologies, including for the interest-based advertising purposes described above. We do not share your Wellness Data with advertising partners.

How you may share personal data through CUDIS. Depending on your use of the Services, you may share Personal Data with:

• Other users of the Services, such as through our CUDIS sharing features, which allow you to share information and content with other users of the Service, and users are by default searchable by other users;

• Third-party social media platforms, or linked accounts, devices, or features, when you choose to connect your account on those services with CUDIS or post content to social media, such as through the CUDIS sharing feature;

• The Public. When you make Personal Data visible to other users of the Services, including through the CUDIS sharing features, it may become publicly available and can be collected, viewed, and used by anyone;

• Managing entities. If your use of the Services is on behalf of or managed by a managing entity, such as a coach, team, organizing body, or other entity with which you are affiliated, your account information and Personal Data may be shared with the managing entity subject to your consent, and you hereby consent to that managing entity allowing that information to be publicly shared, subject to any features of the Services that expressly override that control. The managing entity will determine how the relevant information and content is shared; and

• Corporate wellness programs. If you use the Services in connection with an employer or organizational corporate wellness program, we may share your information with that organization subject to your consent. Typically, we will share only Aggregated Data with these organizations.

It is noted that any of the transfers referred to above may be national or international.

Data Subject Rights

If you reside in Mexico, you have the following rights.

• Right of access: you can request a copy of the personal data we hold about you.

• Right of rectification: you can request that we correct any inaccuracies in the personal data we hold about you and complete any personal data where it is incomplete.

• Right of cancellation: you can request that the personal data we hold about you be cancelled.

• Right of opposition: you have a right to oppose the processing of your personal data for specific purposes.

• Right to withdraw consent: you are entitled to withdraw your consent to that processing at any time. If you withdraw your consent, this will not mean any processing we carried out prior to your withdrawal is invalid.

If you decide to exercise any of these rights, please contact us as described in section 14. We will provide you with the following: (i) documents and information that should accompany the application, including documents to evidence your identity or your representative's capacity; (ii) timeframes to receive a response from us regarding any request; (iii) the means of reproduction we will use to provide you with the requested information.

Available options for you to limit the usage or disclosure of your personal data

If you wish to explore the options to limit how we use and disclose your personal data so that we do not process your data for a particular purpose, please contact us as described in the section 14.

PRIVACY NOTICE FOR SINGAPORE RESIDENTS

Direct marketing and advertising. With your consent, we may use data from the Personal Data we collect, including Wellness Data and certain data collected when you browse our website, to send you direct offers, marketing messages or advertise the Services or other CUDIS product offerings.

Marketing communications. We give you the ability to withdraw your consent and opt-out of marketing-related emails and other communications by contacting us at [support@cudis.xyz], or by following the opt-out or unsubscribe instructions contained in the marketing-related message. You cannot opt-out of receiving certain non-marketing emails regarding the Service.

PRIVACY NOTICE FOR SOUTH AFRICA RESIDENTS

Data Subject Rights

If you are a resident of South Africa, you may have additional rights under the Protection of Personal Information Act, 2013 (POPIA) or other data protection legislation, including:

• Access. You can request more information about the Personal Data we hold about you and request a copy of such Personal Data. You can also access certain of your Personal Data by logging into your account or contacting us at [support@cudis.xyz].

• Rectification. If you believe that any Personal Data we are holding about you is incorrect or incomplete, you can request that we correct or supplement such data. You can also correct some of this information directly by logging into your account.

• Erasure. You can request that we erase some or all of your Personal Data from our systems.

• Withdrawal of consent. If we are processing your Personal Data based on your consent (as indicated at the time of collection of such data), you have the right to withdraw your consent at any time. Please note, however, that if you exercise this right, you may have to then provide express consent on a case-by-case basis for the use or disclosure of certain of your Personal Data, if such use or disclosure is necessary to enable you to utilize some or all of our Services.

• Objection. You can contact us to let us know that you object to the further use or disclosure of your Personal Data for certain purposes, such as for direct marketing purposes.

• Restriction of processing. You can ask us to restrict further processing of your Personal Data.

• Right to file a complaint. You have the right to lodge a complaint about our practices with respect to your Personal Data with the Information Regulator at the following email address: popiacomplaints@inforegulator.org.za.

Direct marketing and advertising

With your consent, we may use data from the Personal Data we collect, including Wellness Data and certain data collected when you browse our website, to send you direct offers, marketing messages or advertise the Services or other CUDIS product offerings.

Marketing communications

We give you the ability to withdraw your consent and opt-out of marketing-related emails and other communications by contacting us at [support@cudis.xyz], or by following the opt-out or unsubscribe instructions contained in the marketing-related message. You cannot opt-out of receiving certain non-marketing emails regarding the Service.

Transfer of Personal Data

In order to provide the Services, CUDIS will transfer your Personal Data to the United States. CUDIS will ensure that adequate safeguards are implemented if and when we need to transfer Personal Data outside of South Africa.

PRIVACY NOTICE FOR SOUTH KOREA RESIDENTS

For Korean data subjects, the Personal Information Protection Act (“PIPA”) of Korea and other laws and/or regulations regarding data privacy in Korea apply.

Legal Basis for Processing

We process your Personal Data pursuant to the following legal bases for the purposes stated in 5. HOW WE USE PERSONAL DATA of this Privacy Policy.

Transfer of Personal Data

Notwithstanding “How We Share Your Information” in this Privacy Policy, the following provisions will apply to Korean data subjects.

We collect and process Personal Data in United States.

We share your Personal Data with third parties below.

Cross-Border Transfer (Provision·Outsourcing·Store) to Third Parties

Note: Outsourcing refers to personal data transfers to service providers of CUDIS for the benefit and business purpose of CUDIS consistent with the original purposes for the collection/use of personal data.

You have the right to object to the cross-border transfer of your Personal Data by us as above by submitting a request to [support@cudis.xyz], in which case your ability to use the Services will cease.

Periods of Retention of Personal Data

Notwithstanding 11. DATA SECURITY AND RETENTION OF PERSONAL DATA of this Privacy Policy, if required to retain Personal Data pursuant to applicable Korean laws, such as those set out below, we will retain Personal Data for at least the retention periods and purposes prescribed.

• Records on contracts or withdrawal of offers and the like: 5 years (as required under the Act on Consumer Protection, etc. in E-commerce)

• Records on payment settlement and supply of goods, etc.: 5 years (as required under the Act on Consumer Protection, etc. in E-commerce)

• Records on processing of customer disputes and complaints: 3 years (as required under the Act on Consumer Protection, etc. in E-commerce)

• Records on access: 3 months (as required under the Communications Secrecy Protection Act)

Destruction of Personal Data

We retain your Personal Data until your request of deletion or account withdrawal and delete it through standard delete functions of CUDIS systems and vendor systems. We may need to retain certain Personal Data in our records as legally permitted, as well as Aggregated Data or De-identified Data derived from or incorporating your Personal Data that does not identify you after you update or delete it.

Rights and Obligations as a Data Subject and How to Exercise Them

If you are under 18, do not use the Service. If we learn that we have collected Personal Data from a child under the age of 18, we will delete that information as quickly as possible. If you believe that a child under the age of 18 may have provided us Personal Data, please contact us at [support@cudis.xyz].

Notwithstanding Article “Your Choices” above of this Privacy Policy, you and your legal guardian may exercise your rights within the scope recognized under the Korean Personal Information Protection Act, including the right to request access to, correction of and deletion of, and suspension of processing of the Personal Data we hold about you. You and your legal guardian may also exercise your right of withdrawal of consent to processing of Personal Data.

You may exercise your rights by contacting us at [support@cudis.xyz].

Security Measures Implemented by CUDIS

Notwithstanding Article 11. DATA SECURITY AND RETENTION OF PERSONAL DATA of the Privacy Policy, the following provisions will apply to customers located or residing in the Republic of Korea.

CUDIS implements the following technical, managerial, and physical measures necessary to ensure the security of Personal Data.

• Managerial measures: Designation of a DPO, regular training of employees on protection of Personal Data, etc.

• Technical measures: Management of the right to access the Personal Data processing system, installation of an access control system, installation of security programs, etc.

• Physical measures: Restriction on access to Personal Data storage mediums such as the computer room and data storage room, etc.

DPO or Department Responsible for Privacy Inquiries

You can reach us at [support@cudis.xyz].

PRIVACY NOTICE FOR TAIWAN RESIDENTS

How We Share Personal Data

Personal Data that we collect may be stored, processed in, or transferred between parties located outside your jurisdiction, including the United States, Germany, Japan, United Kingdom, France, Canada, and India. We take reasonable steps to ensure that the parties responsible for the storage of Personal Data on overseas servers adhere to this Privacy Policy.

Your Choices

Access, update, or delete. In addition to the right to request access to or a full deletion of your account and corresponding data, you may request a copy of Personal Data and that CUDIS ceases processing or use of Personal Data by contacting [support@cudis.xyz].

DEFINITIONS

We use some specifically defined terms in our Privacy Policy and when we communicate about our Privacy Policy. We want to be clear on how the terms we use are defined to help you better understand our policies.

Aggregated Data: Aggregated Data is data that has undergone a process whereby raw data is gathered and expressed in a summary form for statistical analysis. Raw data can be aggregated over a given time period, across individuals, or both, to provide statistics such as average, minimum, maximum, sum, and count. After the data is aggregated analysis can be performed to gain insights about particular data sets. When data is aggregated across a number of individuals, the resulting aggregation is considered anonymized such that it is no longer Personal Data.

CCPA: The California Consumer Privacy Act, or CCPA, is a state law that provides California consumers with robust data privacy rights. These rights include the right to know, the right to delete, and the right to opt-out of “sale” of personal information that businesses collect, as well as additional protections for minors. A “sale” under the CCPA is defined as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or to a third party for monetary or other valuable consideration.”

Cookies: Cookies are small files which are stored on a user’s computer. They are designed to hold a modest amount of data specific to a particular user and website and can be accessed either by the web server or the user computer. This allows the server to deliver a page tailored to a particular user, or the page itself can contain some script which is aware of the data in the cookie and is therefore able to carry information from one visit to the website (or related site) to the next.

De-Identified Data: De-Identified Data is data where all the personally identifiable information has been removed, rendering the data anonymous by stripping out information that would allow an individual’s identity to be determined from the remaining data. Data is “de-identified” to protect the privacy and identity of individuals associated with the data. De-identified Data is no longer Personal Data.

GDPR: The General Data Protection Regulation, or GDPR, is a data privacy and security regulation under European law that sets guidelines for the collection and processing of personal information from individuals who live in the European Economic Area, Switzerland, and United Kingdom (collectively, “Europe” or “European”). The GDPR provides data protection rights to European residents and applies to any organization that offers goods or services to individuals in Europe, even if that organization is not based in Europe.

IP Address: An IP Address is a unique address that identifies a device on the internet or a local network. It allows a system to be recognized by other systems connected via the internet protocol. An IP Address may be considered Personal Data and is at times used by advertisers to serve interest-based ads.

IP Address: An IP Address is a unique address that identifies a device on the internet or a local network. It allows a system to be recognized by other systems connected via the internet protocol. An IP Address may be considered Personal Data and is at times used by advertisers to serve interest-based ads.

Personal Data: Personal Data is any data that identifies or relates to you as a particular individual, including information referred to as “personally identifiable information” or “personal information” under applicable data privacy laws, rules, or regulations.

Services: Services means, collectively, our websites and mobile apps, any software embedded within the CUDIS Ring, and any features, content, or applications offered, from time to time, by CUDIS in connection therewith.

Third Parties: Third Parties in the context of the relationship between CUDIS, CUDIS Members (our end users), and third parties are entities or businesses involved in an arrangement, contract, deal, or transaction but are not one of the principals (i.e., CUDIS or CUDIS Members). We use Third Parties to enable us to do business with our members, such as charging for transactions or storing data. Third Parties also include advertisers that serve interest-based ads to visitors to our website.

CUDIS AI Coach: The CUDIS AI Coach is an advanced generative AI feature that helps members understand and make progress to their goals, deciphers CUDIS concepts, and provides educational guidance, and integrates with the rest of the CUDIS experience.

CUDIS Ring: Your CUDIS Ring is a wearable sensor that, when used in connection with the Services, collects certain types of Personal Data.

CUDIS, we, us, our: The terms “CUDIS,” “cudis,” “we,” “us,” or “our” mean CUDIS, Inc., and each of its wholly owned subsidiaries.

Wellness Data: Wellness Data is (a) data collected by your CUDIS Ring and sent to the CUDIS platform, including your heart rate, heart rate variability, sleep duration, respiratory rate, skin temperature, blood oxygen saturation level, and data such as the type of activity you engage in and the duration of your physical activity; and (b) any additional information you chose to enter during the use of our Services, such as information about your health and wellness, including information collected from accounts, devices, or features that you link with your CUDIS account.