PRIVACY POLICY OF THE MORNING HEALTH SITE AND SERVICES

For purposes of this Privacy Policy, the capitalized terms below shall have the meanings set forth herein.

2.1. Scope. This Privacy Policy applies to Personal Data Processed by Morning Health in connection with the Site, the Services and any Self-Serve Plan, including any interaction with our marketing communications, support channels and other touchpoints.

2.2. Out of scope. This Privacy Policy does not apply to Personal Data Processed by Morning Health under a Negotiated Plan, where the data-protection regime is governed exclusively by the executed MSA, its Data Processing Agreement (Schedule B) and the relevant Order Form, which prevail in their entirety for such clients.

2.3. Third-party services. This Privacy Policy does not apply to Personal Data Processed by third parties whose services may be integrated with or accessed through the Platform (e.g., wearable devices, allied laboratories, the Payment Processor, AI providers, identity providers); such Processing is governed by the respective third party's own privacy policy.

Morning Health collects Personal Data when you provide it to us, when you use the Site or the Services, and when other sources provide it to us, as further described below.

A. Information You Provide

B. Information Collected Automatically

C. Health and Clinical Information (Self-Serve Plan specific)

When you use the Platform as a User under a Self-Serve Plan, you upload, generate or transmit Personal Data of End Users, which may include Sensitive Personal Information such as:

As the User, you are the Data Controller / Business with respect to such Personal Data of your End Users, and Morning Health acts solely as Data Processor / Service Provider Processing such data on your documented instructions and for the purposes of providing the Services (see Section 5).

D. Information from Other Sources

Morning Health may receive Personal Data from third parties, including:

Morning Health Processes Personal Data for the following purposes, subject to the applicable legal basis under the relevant data-protection regime:

4.1. To provide and operate the Services: including creating and managing Accounts, authenticating Users, delivering Platform functionality, processing payments via the Payment Processor, providing customer and technical support, and enabling integrations with third-party services authorized by the User.

4.2. To improve, develop and secure the Services: including troubleshooting, debugging, performance monitoring, security operations, fraud prevention, abuse detection, research and development, and product analytics. Morning Health may use aggregated and anonymized data (in a form that does not permit identification of any individual or of the User) for these purposes and for industry benchmarking, scientific research and reporting to investors and partners, in accordance with Clause 20 of the T&C.

4.3. To communicate with you: including transactional communications (account, billing, security, policy changes), informational communications about new features or product updates, and marketing communications (subject to your opt-out rights described in Section 11). You may unsubscribe from marketing communications at any time.

4.4. To comply with legal obligations: including responding to lawful requests from public authorities, complying with tax and accounting obligations, enforcing our agreements, defending legal claims, and exercising our legal rights.

4.5. With your consent: Morning Health Processes Personal Data on the basis of your consent where required by Applicable Law (including consent for non-strictly-necessary cookies, marketing, and certain categories of sensitive data). You may withdraw consent at any time without prejudice to Processing carried out prior to withdrawal.

4.6. AI training and evaluation — limits. Morning Health does not use User Content (including End User Personal Data uploaded through the Platform) to train, fine-tune or evaluate generally available AI models without the User's express prior consent, save for: (i) aggregated and anonymized data; and (ii) instance-specific fine-tuning expressly offered as a paid feature (see Clause 14.5 of the T&C).

5.1. Morning Health as Controller / Business. With respect to Personal Data of the User themselves (registration data, billing data, support interactions, Site usage data) and of Visitors, Morning Health acts as Data Controller / Business and determines the purposes and means of the Processing, limited to providing and operating the Site and the Services and managing the commercial relationship.

5.2. Morning Health as Processor / Service Provider. With respect to Personal Data of End Users uploaded through the Platform by a User under a Self-Serve Plan, the User acts as Data Controller / Business and Morning Health acts as Data Processor / Service Provider, Processing such Personal Data solely on the User's documented instructions (which are deemed to be the use of Platform features as documented and as configured by the User) and for the purposes of providing the Services. Morning Health shall:

5.3. User responsibilities. The User, as Data Controller / Business with respect to End User Personal Data:

6.1. Use of AI. The Platform incorporates AI models that generate AI Outputs as support tools. AI Outputs do not replace clinical judgment and are subject to the conditions of Clause 14 of the T&C and the Medical Disclaimer in Clause 15 of the T&C.

6.2. AI sub-processors. Morning Health may engage third-party AI sub-processors to provide the Services and may update, add, replace or discontinue such sub-processors from time to time at its discretion, in line with the natural evolution of a SaaS product. No specific AI sub-processor identity is guaranteed or incorporated by reference into this Privacy Policy. Upon reasonable written request to legal@morninghealth.ai, Morning Health shall make available the then-current list of material AI sub-processors, subject to confidentiality.

6.3. No training on User Content. Morning Health does not use User Content (including End User Personal Data) to train, fine-tune or evaluate generally available AI models without the User's express prior consent, save for aggregated and anonymized data and instance-specific paid fine-tuning, per Clause 14.5 of the T&C.

7.1. Sensitive nature. Personal Data Processed through the Platform may include Sensitive Personal Information, particularly health data, biomarker information, laboratory results and wearable-device data of End Users.

7.2. User as Controller. The User is the sole responsible party for obtaining prior, express and informed consent (or relying on another lawful basis valid under Applicable Law) from each End User for the Processing of Sensitive Personal Information, including under articles 5 and 6 of Colombian Law 1581 of 2012, the CCPA/CPRA sensitive personal information provisions, and any analogous provisions.

7.3. No BAA or bespoke DPA under Self-Serve. Morning Health does not enter into Business Associate Agreements under HIPAA, bespoke Data Processing Agreements with custom terms, or analogous specific data-protection contracts under any Self-Serve Plan. Users requiring such formal contractual instruments must upgrade to a Negotiated Plan and execute the MSA + Schedule B (DPA), per Clause 19.5 of the T&C.

7.4. No medical services. Morning Health does not provide medical, healthcare, diagnostic, treatment, prescription or clinical services; the Platform is solely a technology tool to support licensed professionals (see Clause 15 of the T&C).

Morning Health may disclose Personal Data to the following categories of recipients:

8.1. Service Providers and Sub-processors: including (i) cloud and hosting providers; (ii) the Payment Processor (currently Stripe, Inc.); (iii) email, support and CRM platforms; (iv) analytics and monitoring providers; (v) security and fraud-prevention providers; (vi) AI sub-processors per Section 6.2; (vii) identity providers if you authenticate through them.

8.2. Affiliates: entities under common ownership or control with HumanoLab LLC, subject to confidentiality and protection equivalent to this Privacy Policy.

8.3. Allied laboratories: where the User has enabled the laboratory-tests feature, Morning Health shares the strictly necessary information with the allied laboratory selected by the User to facilitate the scheduling and delivery of laboratory tests to End Users (see Clause 16.3 of the T&C).

8.4. Legal and compliance disclosures: Morning Health may disclose Personal Data when, in good faith, it believes such disclosure is necessary to: (i) comply with Applicable Law, court order, subpoena or government request; (ii) enforce the T&C, the AUP or this Privacy Policy; (iii) protect the rights, property or safety of Morning Health, its Users, End Users or others; (iv) investigate or prevent fraud, security incidents or other illegal activity.

8.5. Business transactions: in the event of a merger, acquisition, financing, reorganization, bankruptcy, receivership or sale of all or substantially all of Morning Health's assets, Personal Data may be transferred to the successor or acquirer as part of such transaction, subject to confidentiality and to this Privacy Policy.

8.6. With consent. Morning Health may disclose Personal Data to other recipients with your consent or at your direction.

8.7. No sale of Personal Data. Morning Health does not sell Personal Data in the traditional sense (i.e., for monetary consideration). Certain disclosures to advertising and analytics partners may be deemed "sales" or "sharing" under the CCPA/CPRA; see Section 12.3 for your opt-out rights.

9.1. Cross-border transfers. Personal Data may be transferred to, stored in and Processed in the United States (the country of incorporation of HumanoLab LLC) and any other jurisdiction in which Morning Health, its Affiliates or its Sub-processors operate. Such jurisdictions may have data-protection laws that differ from, and may offer less protection than, those of the User's or End User's jurisdiction.

9.2. Safeguards. Where Personal Data of Data Subjects in Colombia or other jurisdictions with cross-border-transfer restrictions is transferred outside the relevant jurisdiction, Morning Health implements appropriate safeguards, which may include, by way of illustration and not limitation: (i) the safeguards required by Colombian Law 1581 of 2012 and SIC Circular 005 of 2017 for international transfers; and (ii) such other mechanisms recognized by Applicable Law from time to time.

9.3. Information available. A description of the safeguards applicable to a specific transfer may be requested at legal@morninghealth.ai.

10.1. Use. The Site uses cookies, pixels, local storage and similar technologies for purposes that may include: strictly necessary functions, security, preferences, analytics and (where applicable) marketing.

10.2. Cookie Policy. Detailed information on cookies and tracking technologies, the categories used, and how to control them is available in our Cookie Policy at morninghealth.ai/en/cookies, incorporated herein by reference.

10.3. Consent. Where required by Applicable Law, Morning Health collects prior, granular consent for non-strictly-necessary cookies through the cookie banner displayed on the Site.

10.4. Do Not Track / GPC. Morning Health honors legally recognized opt-out preference signals (such as the Global Privacy Control) where Applicable Law requires it. Morning Health does not currently respond to generic "Do Not Track" browser signals.

11.1. Marketing communications. You may opt out of marketing emails at any time by using the unsubscribe link in any marketing communication or by contacting us at privacy@morninghealth.ai. Transactional and service-related communications cannot be opted out of for as long as you have an active Account.

11.2. Push notifications. You may disable push notifications through the settings of your mobile device.

11.3. Cookies. You may manage cookie preferences through the cookie banner and your browser settings, per Section 10.

11.4. Withdrawal of consent. Where Processing is based on consent, you may withdraw consent at any time without prejudice to Processing carried out before withdrawal.

11.5. Account closure. You may close your Account at any time per Clause 29 of the T&C; effects of termination on Personal Data are described in Section 13 of this Privacy Policy and in Clause 22 of the T&C.

Depending on the User's or Data Subject's jurisdiction, the rights below may apply. Where two or more regimes apply concurrently, Morning Health shall apply the higher protection standard to the extent reasonably feasible.

12.1. General rights. Subject to Applicable Law, you have the right to: Access, Rectify, Delete, Restrict or object to Processing, Portability, Withdraw consent, Lodge a complaint, and Not be subject to discrimination for exercising your rights.

12.2. Colombia — Habeas Data Regime (Law 1581 of 2012). Data Subjects in Colombia have, in particular, the rights to: know, update and rectify their Personal Data; request proof of the consent provided; be informed about the use of their Personal Data; file complaints before the Superintendence of Industry and Commerce (SIC); revoke consent and/or request deletion; access their Personal Data free of charge. Requests may be submitted to privacy@morninghealth.ai.

12.3. California — CCPA/CPRA. California residents have the rights to: Know, Access, Delete, Correct, Opt out of the "sale" or "sharing" of Personal Data, Limit the use of Sensitive Personal Information, and Non-discrimination. Morning Health does not sell Personal Data in the traditional sense. You may opt out by contacting privacy@morninghealth.ai or by using the "Do Not Sell or Share My Info" link on the Site footer.

12.4. Other jurisdictions. Data Subjects in other jurisdictions may have analogous rights under their Applicable Law.

12.5. How to exercise. Requests may be submitted in writing to privacy@morninghealth.ai, with a copy to legal@morninghealth.ai. Morning Health shall respond within the timelines required by Applicable Law.

13.1. Active Account. Personal Data is retained for as long as the Account is active, plus the additional periods set forth in this Section.

13.2. Post-termination. Following Account closure or termination, User Content (including End User Personal Data) remains exportable for thirty (30) calendar days per Clause 22 of the T&C, after which it shall be deleted, except: (i) data retained by legal or regulatory obligation; (ii) backups in the ordinary course subsequently overwritten; (iii) aggregated and anonymized data under Clause 20 of the T&C.

13.3. Marketing data. Marketing-related Personal Data is retained for as long as you have not opted out, plus a reasonable period thereafter for compliance and recordkeeping.

13.4. Legal records. Personal Data necessary to demonstrate compliance with Applicable Law (including consent records, tax records and litigation files) is retained for the periods required by such law.

14.1. Technical and organizational measures. Morning Health implements reasonable industry-standard technical and organizational measures to protect Personal Data, aligned with frameworks such as ISO 27001 and SOC 2 where applicable, including (by way of illustration and not limitation) encryption in transit (TLS) and at rest where appropriate, access controls, role-based authorization, logging and monitoring, vulnerability management, secure development practices, vendor due diligence and incident-response procedures.

14.2. No absolute warranty. No system is 100% secure. To the maximum extent permitted by Applicable Law, Morning Health does not warrant absolute security and shall not be liable for unauthorized access caused by factors beyond its reasonable control, in line with Clauses 23–25 of the T&C.

14.3. Incident notification. In the event of a personal-data breach that is likely to result in a risk to the rights and freedoms of Data Subjects, Morning Health shall notify affected Users, supervisory authorities and Data Subjects to the extent and in the manner required by Applicable Law.

15.1. The Services are intended for adult professionals and are not directed at children under 18 (or the age of majority in the User's jurisdiction, if higher). Morning Health does not knowingly collect Personal Data of children for the purpose of creating an Account under any Self-Serve Plan.

15.2. End Users who are minors. Where the User, as a professional, treats minor End Users and uploads their Personal Data to the Platform, the User is solely responsible for obtaining the consent of the holder of parental responsibility (or otherwise complying with the lawful basis required by Applicable Law) for such Processing.

16.1. The Site and the Platform may contain links to, or integrations with, third-party websites and applications (including wearable-device manufacturers, allied laboratories, the Payment Processor, AI providers and identity providers). Such third parties are independent of Morning Health and their Processing of Personal Data is governed by their own privacy policies, which Morning Health does not control and is not responsible for.

17.1. Morning Health may modify this Privacy Policy from time to time, in line with the natural evolution of a SaaS product and its regulatory environment, by publishing a new version on the Site with an updated Effective Date. Where a modification materially reduces Data Subjects' rights or materially expands Morning Health's Processing activities, Morning Health shall use commercially reasonable efforts to notify affected Users with reasonable prior notice, including, where commercially feasible, by email and/or in-product notice. Non-material changes may take effect upon publication. Continued use of the Site or the Services after the new Effective Date constitutes binding acceptance of the updated Privacy Policy. This Section operates consistently with Clause 3.4 of the T&C.

18.1. Privacy matters. Privacy-related inquiries, Data Subject requests and complaints may be addressed to:

18.2. Data Protection Officer. Morning Health shall designate a Data Protection Officer where required by Applicable Law and publish their contact details on the Site once designated.