Q2BI's Privacy Notice

We have appointed a Data Protection Officer (DPO). If you wish to contact our DPO you can do so via: DPO@q2bi.com

Q2BI may need to update this Privacy Notice from time to time. If so, Q2BI will post its updated Privacy Notice on our website located at www.q2bi.com so users are always aware of what personally identifiable information we may collect and how we may use this information.

Q2BI encourages you to review this Privacy Notice regularly for any changes. Your continued use of this website will be subject to the then-current Privacy Notice.

Personal Information is anything that enables you to be identified or identifiable. Personal information is also called “personal data”. We collectively refer to handling, collecting, protecting, storing or otherwise using your personal information as “processing”.

You can generally visit our website without revealing any personally identifiable information about yourself. However, to access certain options we may ask you to provide certain personally identifiable information such as, your name, email address, telephone number, professional credentials. Without providing such personally identifiable information, you may be unable to access certain options and services. We (and our third-party partners) generally collect personally identifiable information about you only if you voluntarily provide it to us. You have the option not to provide any personally identifiable information, but we may not be able to provide you with the requested services.

Certain personal data, such as information about medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, is considered "Sensitive Information". Other than Sensitive Information collected through our clinical trials, as noted above, Q2BI does not collect Sensitive Information.

We may collect and process different kinds of personal data about you which we have grouped as follows:

• Contact Data: includes email address and telephone numbers.
• Identity Data: includes names and similar identifiers, title, date of birth and gender.
• Marketing and Communications Data: includes your preferences in receiving marketing from us and our partners and your communication preferences.
• Technical Data: includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our website and services.
• Usage Data: includes information about how you use our products, services and website.

Subject to applicable data protection laws, we may use your Personal Information for the following purposes:

• provide you with the services and information offered through the Site.
• To contact you and respond to your requests and inquiries.
• For business administration, including answering questions or inquiries, job submissions, and statistical analysis.
• To personalize your visit to the Site and to assist you while you use the Site.
• To improve the Site by helping us understand who uses the Site.
• For fraud prevention and detection and to comply with applicable laws, regulations or codes of practice.

Where we collect and process personal data under the UK and/or EU GDPR(s) we will ensure that we have a lawful basis for doing so.

Our legal basis for collecting and using your personal information will depend on the personal information concerned and the specific context in which we collect it.

We will normally collect personal data from you on one or more of the following lawful bases:

• Consent: We may process your personal information after you have consented (agreed) to us doing so. Your consent may have been obtained by us, or by third parties on our behalf. You have the right to withdraw your consent at any time.
• Contract: We may process your personal information when we need to deliver a contractual service to you or because you have asked us to do something before entering into a contract (e.g., to provide a quote).
• Legal obligation: We may process your personal information when we need to comply with a legal obligation.
• Legitimate interest: We may process your personal information when we need to for our or another’s legitimate interests, where these interests are not overridden by your rights.

Using your Personal Information for Marketing Purposes

We will only use your personal information for marketing purposes in accordance with applicable legal requirements.

This means that if you are a consumer customer, we will only provide you with marketing materials if you have given us your prior consent (subscribed), unless we can rely on the ‘soft opt-in’.

If you choose to unsubscribe, we may retain some of your personal information to identify you, so that we can continue to honor your request and ensure that we do not continue to provide you with marketing materials.

We will not share your information with any third parties for the purposes of direct marketing.

We may provide your personally identifiable information that we collect to a parent, subsidiary or affiliate entity related to Q2BI, partner entities, and the vendors and service agencies that we may engage to assist us (Data Processors).

Where we use data processors, we have contracts in place with them to ensure that they cannot do anything with personal information we have shared with them unless we have instructed them to do it. They will hold it securely and retain it for the period we instruct them to.

Similarly, we may share your Personal Information as required or permitted by law to comply with a subpoena or similar legal process or government request, or when we believe in good faith that disclosure is legally required or otherwise necessary to protect our rights and property, or the rights, property or safety of others, including to advisers, law enforcement, judicial and regulatory authorities.

We may also transfer your Personal Information to a third party in the event of any reorganization, merger, sale, joint venture, assignment, transfer or other disposition of all or any portion of our business, assets, or shares (including in connection with any bankruptcy or similar proceedings.)

The servers used in the operation of the Site automatically identify a computer by its IP address. If we, in good faith, determine that you have or are attempting to misuse or harm the Site, we may investigate and cooperate with appropriate law enforcement to protect our rights or property.

Your personal information may be transferred (sent to or accessed from) outside the country in which we collected it. Any such transfer will be only:

• To you; or
• To a recipient in a country which provides an adequate level of protection for your personal information;
• To a recipient under a contractual agreement which satisfies the relevant legal requirements for the transfer of personal information, to ensure that appropriate safeguards are in place to protect your personal information in accordance with local levels of data protection; or
• To a recipient under the EU-US Data Privacy Framework, or UK-US Data Bridge where relevant; or
• When your personal information has first been anonymized

Q2BI complies with applicable privacy laws to ensure an adequate level of data protection. You can request more information about these measures by contacting us using this information provided below.

Q2BI complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce.

Q2BI has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF.

Q2BI has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF.

If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles shall govern.

To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit www.dataprivacyframework.gov.

Q2BI shall remain liable under the EU-U.S. DPF Principles and/or Swiss-U.S. DPF Principles if a third-party agent uses or discloses Personal Information received from Q2BI in a manner inconsistent with the EU-U.S. DPF Principles and/or Swiss-U.S. DPF Principles, unless Q2BI proves that it is not responsible for the event giving rise to the damage.

Upon request, Q2BI will provide individuals with reasonable access to Personal Information about them. Q2BI will also take reasonable steps to allow individuals to review Personal Information for the purposes of correcting, amending, or deleting such information in instances where Personal Information is demonstrated to be incomplete or inaccurate.

California residents have rights under the California Consumer Privacy Act (CCPA) as follows:

• The right to know about the Personal Information a business collects about them and how it is used and shared.
• The right to delete Personal Information collected from them, subject to certain exceptions.
• The right to opt out of the sale of their Personal Information.
• The right to non-discrimination for exercising their CCPA rights.

California's “Shine The Light” law permits California residents to annually request and obtain information free of charge about what Personal Information is disclosed to third parties for third-party direct marketing purposes in the preceding calendar year.

If you are a UK or EU citizen, or we process your personal data in the UK and/or EU, you have additional rights we need to make you aware of. The rights available to you depend on our reason for processing your information.

• Your right to rectification: you have the right to ask us to rectify your information if you think it is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies.
• Your right to erasure: you have the right to ask us to erase your personal information in certain circumstances.
• Your right to restriction of processing: you have the right to ask us to restrict the processing of your information in certain circumstances.
• Your right to object to processing: you have the right to object to processing if we are able to process your information because the processing forms part of our public tasks or is in our legitimate interests.
• Your right to data portability: this only applies to information you have given us. You have the right to ask that we transfer the information you gave us from one organization to another or give it to you. The right only applies if we are processing information based on your consent or under, or in talks about entering into, a contract and the processing is automated.

Q2BI does not sell Personal Information. Per the CCPA, individuals can contact Q2BI at DPO@q2bi.com or at (833) 922-9988 to request access or to make inquiries regarding limiting the use and disclosure of Personal Information about them.

If you wish to exercise one of the above-mentioned rights, please send us your request via email to: DPO@q2bi.com. Individuals from the European Union, Switzerland, and UK also have the right to lodge a complaint about the processing of their Personal Information with their local data protection supervisory authority.

With respect to Personal Information transferred or received pursuant to the Data Privacy Framework, Q2BI is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission. In certain instances, Q2BI may be required to disclose Personal Information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. Q2BI commits to resolve complaints about our collection or use of your personal information. Individuals from the European Union, UK, and Switzerland with inquiries or complaints regarding our notice should first contact Q2BI at:

Tel.: (833) 922-9988

Email: DPO@q2bi.com

Q2BI has further committed to refer unresolved complaints to the JAMS program, an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, please visit www.jamsadr.com/DPF-Dispute-Resolution for more information or to file a complaint. Contacting JAMS is at no cost to you. Under certain circumstances, an individual may choose to invoke binding arbitration to resolve any Data Privacy Framework disputes that have not been resolved by other means.