Privacy Policy — Paradromics, Inc.

Overview
This Privacy Policy describes how Paradromics, Inc. (“Paradromics”, “we”, “our”, or “us”) collects, uses, shares, discloses and otherwise processes personal and other information you may provide to us.  This Policy applies to information collected through the website www.paradromics.com (the “Site”), as well as other applications (apps), events, newsletters, communications, or services provided by or on behalf of Paradromics that link or reference this Policy (“Services”).  It does not apply to third-party platforms or other Paradromics operated websites or platforms where it is not linked or referenced. This Policy may be supplemented or amended from time to time by additional privacy notices (“Privacy Notices”) provided at the time we collect your information.  For example, certain pages of the Site may contain Privacy Notices providing more details about the information we collect on those pages, why we need that information, and choices you may have about the ways we use that information.

This Policy does not apply to our privacy practices in connection with clinical trials. Those policies are governed by the applicable clinical trial protocols and informed consents.

Information may be collected when you submit it to us through the Site or the Services or interact with us in other ways. For example, when you submit a request for information or submit a request for Paradromics to contact you. We may also request optional information from you to support our interactions with you or your use of the Site or Services.

We may collect information from the devices you use to access the Site or the Services, which may provide information to us, including the model, operating system and version, the name of the domain from which you access the Internet, your Internet Protocol (“IP”) address, and other unique device identifiers. We also collect device information like the date and time you access the Site or Services, which pages or portions of the Site you visit, the search terms you use, the links you click on, the browser you use, and your language preference. To collect much of this information, we use cookies and web analytics. Please see the section below titled Cookies and Similar Technologies for more information.

We may collect information from our vendors and service providers, such as our web hosting providers, analytics providers, and advertisers, who may provide us information about you or your use of the Site or Services. You may also give us permission to access your information from services offered by third parties. The information we obtain from third parties depends on your relationship with those third parties and the third parties’ privacy policies.

We may collect information from healthcare providers, where they provide a subset of patient information in support of patient outcome-related benchmarking, quality improvement, and comparative effectiveness analysis. Additionally, healthcare providers may provide identified patient information for patient safety and adverse event reporting purposes as required by law.

And, we may collect information from publicly available information, including the information you choose to post publicly on your social media pages.
‍
Categories of Personal Information We Collect (Examples)
We collect categories of personal information described below depending on your interaction with us:
- Identifiers: name, mailing address, email, phone, legal guardians or legally authorized representatives, caregivers, IP address, account IDs, device identifiers.
- Contact & Account Data: username, password (hashed), billing and transaction data.
- Professional & Employment Data: resume, job history, education (applicant data).
- Biographical and demographic information:  date of birth, age, gender, marital status, education history.
- Health Data: medical history, diagnoses, family medical history, physical and mental health, insurance coverage, clinical assessment data, device telemetry, device implant data, physiological readings, treatment response.
- Online Activity & Analytics: cookies, log files, analytics data, browsing behavior, ad interaction.
- Communications & Content: messages you send to us (email, chat transcripts).
- Other: any data you choose to provide in forms, uploaded documents, or clinical/research questionnaires.

We reserve the right to update or modify this Policy and any Privacy Notice, at any time and without prior notice, by posting the revised version of the Policy or Privacy Notice on this Site. These changes will only apply to the information we collect after we have posted the revised Policy or Privacy Notice. The “Last updated” date at the top of this Policy indicates when it was last revised.
‍
Scope — Who This Applies To
This Policy applies to personal information we collect through the Site and the Services when you interact with us or otherwise provide to us.
‍
How We Collect Your Personal Information
How we collect your personal information will depend upon the nature of your interaction with us.

Note on Sensitive Personal Information. Sensitive categories (social security number, driver’s license number, other specific identifying numbers, financial account information, health, neural signals, biometrics, genetic data) will only beused to the extent necessary for the services described (e.g., clinical care, device development, device safety and monitoring) unless you provide affirmative opt-in consent where required by law.

Special note about neural data. Because Paradromics designs and runs brain-computer interface (BCI) research and clinical studies, we may collect highly sensitive neural signal data. We treat such data as “sensitive personal information” under applicable state laws and apply heightened protections and disclosure inseparate informed consent documentation for participants in such research and studies.
‍
Cookies and Similar Technologies
We may usecookies, pixel tags, and similar technologies to collect information about your use of the Site and Services. Cookies are strings of information that a website stores on a visitor’s computer, and that the visitor’s browser provides to the website each time the visitor returns. Pixel tags (also called web beacons) are small blocks of code placed on websites that allow us or a third party to see that you have looked at that page. We may use cookies and web tags to enable our servers to recognize your web browser and tell us how and when you use the websites. This information may be used by us and our service providers to analyze and track data, improve the operation of the Site and Services, and better understand your online activity. We may also use Google Analytics to evaluate website traffic and usage data to help us improve our products and services. For more information about how Google collects and processes data visit https://policies.google.com/te.... For more information about how to opt out of having your information used by Google Analytics, visit https://tools.google.com/dlpag....

Your web browser may allow you to stop accepting cookies from the Site or Services you visit, through your browser’s settings. Please note that if you do not accept cookies, the Site and/or Services may not function properly. Your web browser may also be configured to send “Do Not Track” signals to the online services that you visit. We currently do not recognize Do Not Track signals.
‍
Purposes — Why We Collect and How We Use Information
We process personal information for the following business purposes (not exhaustive):
- Provide and operate our Site and the Services, products, research/clinical programs, and services.
- Communicate with you (support, marketing if consented, notices, safety updates).
- Evaluate and enroll participants for clinical studies and provide study-related care and follow-up.
- Security, fraud detection, safety monitoring (including device safety and medical device reporting where required).
- Research, aggregated analytics, product improvement, and scientific analysis.
- Legal compliance, audits, and defense of legal claims.
- Hiring and HR processes for applicants.
- To comply with legal obligations and respond to law enforcement or regulatory requests.
- With your consent.
‍
Legal Basis and Legitimate Interests (Where Applicable)
Where applicable, we rely on the following legal bases for processing:
- Performance of a contract (to provide services, fulfill orders, run clinical studies).
- Legal compliance (to follow medical device reporting, applicable safety laws, to establish and defend our legal rights, to prevent or detect crime).
- Your consent (for marketing communications or where required for sensitive processing).
- Legitimate interests (where necessary for our interests (or those of a third party)), provided that your fundamental rights do not override such interests. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal information for our legitimate interests.
- Public interests (where the processing is necessary to ensure high standards of quality and safety in healthcare and medical devices).
- Vital interests (where the processing is necessary to protect the life or imminent safety of you or another individual, where no other legal basis applies).

Sharing & Disclosure‍
We may disclose personal information to:
- Service providers (vendors, cloud providers, analytics, clinical labs, lawyers, bankers, auditors, insurers) under written contracts limiting use to our instructions and for provision of services to us.
- Clinical partners, hospitals, researchers and investigators as needed for research and participant care (subject to clinical agreements and consents).
- Regulatory agencies, courts, law enforcement where required by law or to protect safety.
- Business transfers in connection with mergers, sales, or bankruptcy (with notice to consumers where required).
- De-identified/ aggregate data used for research or analytics (no reasonable link to you).
- Others we have specifically identified to you at the time of collecting the information.
‍

We do not sell personal information for monetary gain.

Security & Retention
We implement reasonable administrative, technical and physical safeguards appropriate to the sensitivity of the data. For highly sensitive personal information we apply enhanced safeguards including encryption at rest and in transit, access controls, logging, and restricted project-based access.

We retain personal information only as long as necessary for the purpose collected, for legal compliance, or to fulfill our legitimate business purposes (retention periods vary by data category — contact us for specifics).

Research, De-Identification & Secondary Use
Where feasible and appropriate, we de-identify personal data for research and product improvement. De-identified data is not treated as personal information under this Policy. If we use/develop neural or health data for secondary research, we will describe that in separate research consent forms and, where required, obtain IRB approval and informed consent.

HIPAA/PHI: If you are participating in a clinical program that involves Protected Health Information (PHI), we will provide separate HIPAA notices and Business Associate Agreements (BAA) as required. This Policy does not replace HIPAA notices.

Your Privacy Rights
Some privacy laws provide certain rights to individuals regarding their privacy and their personal information. Paradromics respects your rights concerning your personal information.

In accordance with applicable laws, you may have the right to:
- Request confirmation of whether we process your personal information,
- Request information about the entities with which we have shared your personal information,
- Request to access, know, or receive a copy of your personal information,
- Request correction of inaccurate, incomplete, or out-of-date personal information,
- Object to our processing of your personal information for direct marketing,
- Oppose or object, for reasons relating to your situation, to the processing of your personal information based on our legitimate interest, unless we provide compelling legitimate grounds for the processing which override your privacy interests,
- Request (under certain circumstances) the restriction of the processing of your personal information,
- Request to limit the use and disclosure of your sensitive personal information,
- Request the anonymization or deletion of your personal information, subject to certain limitations described below,
- Revoke your consent for the processing of your personal information and request the deletion of your personal information processed with your consent, and
- Lodge a complaint with the appropriate Data Protection Authority for your jurisdiction if you have concerns about ou rpractices regarding the processing of personal information.

Validating Your Identity and/or Authorization to Request
To protect you and your personal information, requests must:
- Provide sufficient information for us to reasonably verify you are the person or an authorized representative of the person whose personal information is the subject of the request, and
- Describe your request with sufficient detail for us to properly understand, evaluate, and respond to it.

If you use anauthorized agent to submit a request on your behalf, we may verify both your and your agent’s identities as well as documentation authorizing your agent to act on your behalf. We will only use personal information collected during the verification process to verify your identity or your agent’s authority to make the request on your behalf.

Exceptions to Deletion Requests
If you request the deletion of your personal information, depending on the nature of the data, deletion may consist of erasing, aggregating, or anonymizing your information. After we receive and validate your request, we will delete and direct our service providers to delete your personal information, unless an exception applies. We may deny your deletion request, in whole or in part, if retaining the information is necessary for us or our service providers to:
- Complete the transaction for which we collected the personal information, provide a service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform a contract with you,
- Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities,
- Debug to identify and repair errors that impair existing intended functionality,
- Enable solely internal uses that are reasonably aligned with your expectations based on your relationship with us or make other internal and lawful uses of that information that are compatible with the context in which you provided it, or
- Comply with a legal obligation, including maintaining a record of your request and our response.

Paradromics will not discriminate against you for exercising your privacy rights under applicable law.

Children’s Data
Please note that the Site and Services are not designed for, or directed to, children under the age of 18, and we do not knowingly collect personal information from anyone under the age 18. If we become aware that we have collected personal identifiable information from children, we will take steps to remove that information.

International Transfers
We are based in the U.S., and we store information in the U.S. If data is transferred outside the U.S., we use legally recognized transfer mechanisms and safeguards (contractual protections, approved standard contractual clauses where applicable).

How to Exercise Rights
To exercise your rights, request data access, deletion, correction, or submit complaints, you may contact us by email: privacy@paradromics.com; or mail: Paradromics, Inc., Attn: Legal Dept, 4030 W. Braker Lane, Suite 250, Austin, TX 78759.

In addition, if you do not want to receive communications from us on a going-forward basis, you may opt-out by following the instructions in the relevant electronic communication or by contacting us using the contact information provided below. We will try to comply with your request(s) as soon as reasonably practicable. Please note that if you opt-out of receiving communications from us, we may still send you important communications such as administrative messages, which you cannot opt-out of.

LG-1 v.1.