Part 1: Overview
The purpose of this document is to set out Kalibra’s procedures for the protection of the Personal Data of individuals under the company’s custody or possession. It contains essential information about how and why Kalibra collects, stores, uses, discloses, transfers, and disposes of Potential Customers, Customers, Partners, Employees/Contractors, and Health Practitioners (henceforth collectively referred to as “users” or “users and prospects”) Personal Data.

This Policy takes into consideration Singapore’s Personal Data Protection Act 2012 (“PDPA”), including any amendment, replacement or re-enactment thereof for the time being in force and including any statutory instruments, rules, regulations, orders, notices, directions, consents or permissions as enacted by the authority currently charged with enforcing the provisions of the PDPA: the Personal Data Protection Commission (“PDPC”).

This policy also takes into consideration applicable laws and regulations (“applicable laws”) in any relevant jurisdiction relating to the use or processing of Personal Data including: (i) the California Consumer Privacy Act (“CCPA”), (ii) the General Data Protection Regulation (Regulation (EU) 2016/679) (“EU GDPR” or “GDPR”), (iii) the Swiss Federal Act on Data Protection, (iv) the EU GDPR as it forms part of the law of England and Wales by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the “UK GDPR”); (v) the UK Data Protection Act 2018; and (vi) the Privacy and Electronic Communications (EC Directive) Regulations 2003; in each case, as updated, amended or replaced from time to time. The terms “Data Subject”, “Personal Data”, “Personal Data Breach”, “processing”, “processor,” “controller,” and “supervisory authority” shall have the meanings set forth in the GDPR.

Part 2: Singapore Personal Data Protection Act

The PDPA establishes a data protection law in Singapore that comprises various rules governing the collection, storage use, and disclosure, transfer access to, correction, care and disposal of individuals’ Personal Data by organisations. It recognises both the rights of individuals to protect their Personal Data, including rights of access and correction and disposal, and the needs of organisations to collect, use or disclose Personal Data for legitimate and reasonable purposes. Kalibra intends to comply with all applicable provisions covering data protection by implementing suitable procedures as outlined throughout the remainder of this Policy.

Part 3: Data Protection Policy

This Policy sets out the basis upon which Kalibra may collect, use, disclose, store, transfer and dispose or otherwise Process Personal Data of our Health Practitioners, Prospects, Users, Employees and Contractors in accordance with the PDPA and other applicable laws. This Policy applies to Personal Data in our possession or under our control, including Personal Data in the possession of organisations which we have engaged for the above Purposes.

Part 4: Definitions

Throughout this Policy, unless there is something in the subject or context inconsistent therewith, the following terms shall have the following meanings:

• “Affiliates” means an entity which is directly or indirectly controlled by Kalibra. An entity that otherwise qualifies under this definition is included within the meaning of Affiliate even though it qualifies after this Policy comes into effect.
• “Third Party Service Providers” or “Partners” means any third-party provider or vendor appointed by Kalibra to assist in delivery of the Services for Kalibra’s Practitioners or Users;
• “Potential customer” or “Prospect” means any individual who has contacted Kalibra through any means to find out more about any goods or Services we provide;
• “Health Practitioner” is anyone who uses the Kalibra Pro platform to provide services to Users or Prospects
• “Data Protection Officer” or “DPO” refers to the individual appointed by Kalibra to carry out the specific duties described in section 19 of this Policy;
• “Employee/Contractor” means all individuals who may or have entered into a contract of service with Kalibra and shall include all current and former Employees;
• “Kalibra” means Kalibra Pte Ltd, a company incorporated in Singapore and registered office address of 160, Robinson Road, #14-04, Singapore 068914;
• “Customer” means any Prospective Customer who has entered into a contract with Kalibra for the supply of Our Services;
• “Personal Data” refers to data, whether true or not, about Prospects, Users, Employees and Contractors who can be identified from that data; or from that data and other information to which Kalibra has or is likely to have access;

Without limitation to the generality of section 4.8 of this Policy, for the purposes of Kalibra’s day-to-day activities and the various specific lawful purposes as set out in the PDPA, Kalibra will be specifically Processing Prospect Customers, Users, Employees and Contractors Personal Data of the following nature:

• identity card/passport numbers; fingerprints; names; dates of birth; gender; Nationalities; ages; marital status; photographs; telephone numbers; residential addresses; email addresses; debit/credit card information and bank details; and occupations.

Without limitation to the generality of the Personal Data described at section 4.9 and without prejudice to the specificity of the Personal Data described at section 4.10, for the purposes of Kalibra’s day-to-day activities and the various specific lawful purposes as set out in the PDPA and other applicable legislation, Kalibra will be specifically Processing sensitive Personal Data of the following nature:

• Blood biomarker or digital biomarker data (collectively referred to “biomarkers” henceforth) relayed to us by a Third Party
• Prospect or User’s blood test results from tests done by Kalibra laboratory partners or other institutions.
• Prospects or Users may also upload previously existing blood test results or other collections of markers or survey data obtained via their health practitioner, wearable device or insurance company.
• We may use Prospect or User’s biomarker data in a de-identified, aggregated way for Kalibra research.
• 3.10.2 (DBA) information is data related to a Prospect or User’s genotype for a specific set of genes related to healthy aging, nutrition, weight, sleep and physical activity.
• Kalibra will receive Prospect or User’s genetic or microbiome information from our specialist partners when a Prospect or User buys a third party Kalibra connected DNA or other biomarker testing product.
• When a Prospect or User purchases a testing kit, a Prospect or User will collect a marker sample using the provided collection kit and send it to our partners for marker extraction and analysis.
• If a Prospect or User purchases a genetics add-on service, a Prospect or User will provide a Prospect or User genetic data from DNA tests that a Prospect or User has previously had done.

Kalibra and its partners analyse Prospect or User’s biomarker data using an algorithm that determines a Prospect or User’s genetic or other potential for certain traits. Kalibra may use Prospect or User’s aggregated de-identified genetic data for research and development to improve future products. For research that we hope to publish in scientific publications, we will request separate permission through a Research Consent document to use Prospect or User’s de-identified Genetic Information.

Any Research Consent is optional and voluntary. A Prospect or User will not be required to agree to a Research Consent document in order to use the Platform or Services. Self-Reported Information includes information provided by the Prospect or User in Kalibra questionnaires or in any other website surveys or forms, such as sex, body weight, height, diet, etc. we may use Prospects or Users Self-Reported Information in a de-identified way for research.

User Content is all information other than Genetic Information or Self-Reported Information provided by Users of the Kalibra Services and transmitted, whether publicly or privately, to Kalibra. User content may include data, text, software, music, audio, photographs, graphics, video, messages, or other materials. For example, User content includes comments made on Kalibra blogs and emails to User support.

Behaviour Information is information on how a User uses our Platform (e.g. browser type, domains, page views, app usage etc.). We may collect this information through log files, cookies, and web beacon, analytical and advertising technologies.

Kalibra may collect non-Personal Information about a User when a User interacts with our Platform. Non-Personal Information may include User browser name, type of computer, and the files a User viewed on the Platform. Clickstream data, (i.e. a list of pages or URLs visited), and technical information about how a User connects to the Platform, such as the operating system and the internet service providers used. We may, in some cases, need to review this automatically collected data in combination with specific registration information to identify and resolve issues for individual Users, detect fraud, etc. To the extent that we link this non-Personal Information with User Personal Information, this Policy governs our use of such information.

“Platform” means a platform that uses artificial intelligence to learn about people and their behaviours in order to help them make intentional choices about their health including sleep, exercise, nutrition and work/life balance.

“Policy” means this data protection policy created by Kalibra, as may be revised, modified or otherwise updated from time to time.

“Processing” in relation to Personal Data means the carrying out of any operation or set of operations in relation to the Personal Data and includes any of the following: Collection; recording; holding; organisation, adaptation and alteration; retrieval; combination; transmission; or erasure or destruction.

“Services” means Kalibra’s Platform services including, but not limited to: AI insights and coaching for preventive health and optimizing longevity, positive habit creation, various assessments and activity/status scoring. Off the platform, Kalibra will partner up with practitioners, other platforms and medical entities to leverage their offerings in order to provide an integrated health and longevity service to its clients.

Other terms used in this Policy shall have the meanings given to them in the PDPA and other applicable laws.

Part 5: Kalibra’s Personal Data Inventory
Kalibra utilises a Data Inventory Map (“DIM”). The DIM is an inventory of the Personal Data in the possession or under the control of Kalibra. This is an integral part of the Data Protection Management Programme (“DPMP”) that we maintain to ensure compliance with the PDPA.

Part 6: Collection of Personal Data
For explanatory purposes, Kalibra collects Personal Data of its Prospects and Users in the following ways:

• When a Prospect submits any form, including but not limited to User inquiry forms or other forms relating to any of our Services;
• When a Prospect or User has a conversation with our Chatbot service, or a Kalibra affiliated coach;
• When a Prospect or User enters into any agreement or provides other documentation or information in respect of their interactions with us, or when they use our Services;
• When a user connects a third party data source (e.g. a wearable device) to our platform
• When a Prospect or User interacts with our staff, including Kalibra service officers, for example, via telephone calls (which may be recorded), letters, face-to-face meetings, social media platforms and emails;
• Via interaction with our websites or use Services on our websites and Platform;
• Via a request that Kalibra contacts a Prospective Customer or request that a Prospective Customer be included in an email or other mailing list;
• When a Prospective Customer or User responds to our promotions, initiatives or to any request for additional Personal Data;
• Via submission of an employment application or when provision of documents or information including a resume and/or CVs in connection with any appointment as an officer, director, representative or any other position;
• When a Prospect or User is contacted by, and responds to, Kalibra marketing representatives and Kalibra service officers;
• When Kalibra seeks information about, and receives Personal Data in connection with a relationship with us, including for our products and Services or job applications, for example, from business partners, public agencies, ex-employer, referral intermediaries and the relevant authorities; or
• When a Prospect or User submits their Personal Data to us for any other reasons.

When an individual browses our website, the individual generally does so anonymously. Please see Part 15 below for information on cookies and other technologies which we have implemented on our website and apps. We do not, at our website, automatically collect Personal Data unless a Prospect provides such information to us. If a Prospect or User provides us with any Personal Data relating to a third party (e.g. information of their spouse, children, parents, and/or employees), by submitting such information to Kalibra, they represent to Kalibra that they have obtained the consent of the third party to provide Kalibra with their Personal Data for the respective purposes.

Prospects and Users should ensure that all Personal Data submitted to us is complete, accurate, true and correct. Failure on a Prospect or User’s part to do so may result in Kalibra’s inability to provide the Services requested, or delays in providing Services requested, or processing applications. Unless otherwise permitted under the provisions of the PDPA, or any other laws, regulations and guidelines, Kalibra shall not collect Personal Data without the consent of the Prospect or User.

Part 7: Processing of Personal Data
As a legal requirement under the PDPA, Kalibra is required to ensure all Prospects, Users, Employees and Contractors Personal Data is Processed in such a way that at least one of the following bases applies:

• The Prospect, User, Employee/Contractor has given consent to the Processing of his or her Personal Data for one or more specific purposes;
• The Processing is necessary for the performance of a contract to which the User, Employee or Contractor is party with Kalibra or in order to take steps at the request of the Prospect, User, Employee or Contractor prior to entering into a contract with Kalibra;
• The Processing is necessary for compliance with a legal obligation to which we are subject;
• The Processing is necessary for the protection of the vital interests of the Prospect, User, Employee or Contractor or another natural person; or the Processing is necessary for the purposes of the legitimate interests pursued by Kalibra or by a third party.

Part 8: Purposes of Processing Personal Data
Kalibra collects, uses and discloses Personal Data of Prospects, Users, Employees/Contractors (including former Prospects, Users, Employees and Employees/Contractors) unless otherwise required under the PDPA) for the following purposes:

• Prospect and User service and support (including but not limited to Prospect and User relationship management, screenings or checkups, contacting a Prospect or User regarding medical reports and results, providing follow-up calls, providing a Prospect or User with administrative support;
• Administering and processing Prospect and User requests including creating and maintaining profiles of our Prospects and Users in our system database for administrative purposes (including tracking Prospects and Users attendance at various Kalibra Affiliates’ facilities);
• Personalising Prospect and User experiences at Kalibra’s touchpoints and conducting market research, understanding and analysing Prospect and User behaviour, location, preferences and demographics in order to improve our service offerings;
• Liaising with third party specialists including medical personnel such as doctors, clinics, hospitals and/or medical institutions in relation to Prospect and User health care (including by providing them with access to Prospect and User Personal Data with a Prospect and User’s permission);
• Uses our mobile applications (such as the Kalibra app) or online registration and payments systems, displaying a Prospect and User’s biomarker data, sending a Prospect or User health-related notifications, and facilitating the provision of our services to a Prospect or User; or Purposes which are reasonably related to the aforesaid.

If an individual is a prospective or confirmed Third Party Provider of Kalibra, their Personal Data will be processed for the following purposes:

• Assessing Third Party Provider organisation’s suitability as an external service provider or vendor for Kalibra;
• Managing project tenders and quotations, processing orders or managing the supply of Services;
• Creating and maintaining profiles of our Third Party Provider in our system database;
• Processing and payment of Third Party Provider invoices and bills;
• Facilities management (including but not limited to issuing visitor access passes and facilitating security clearance);
• And/or any other purposes which are reasonably related to the aforesaid.

Where an Employee or Freelancer submits an application to us as a candidate for employment, contractor, internships or scholarships, their Personal Data will be Processed by Kalibra for the following purposes:

• Conducting interviews;
• Processing an Employee or Freelancer’s application (including but not limited to pre-recruitment checks involving Employee or Freelancer’s qualifications and facilitating interviews);
• Obtaining references and for background screening;
• Assessing Employee or Freelancer’s suitability for the position applied for;
• Enrolling successful candidates as our Employees and Freelancers and facilitating human resource planning and management (including but not limited to preparing letters of employment, name cards and building access passes); and/or any other purposes which are reasonably related to the aforesaid.

Where an individual is an existing Employee or Freelancer of Kalibra, their Personal Data will be Processed by Kalibra for the following purposes:

• Remuneration reviewing salaries and bonuses, conducting salary benchmarking reviews, staff appraisals and evaluation, as well as recognising individuals for their services and conferring awards;
• Staff orientation and entry processing;
• Administrative and support processes relating to the Employees or Freelancers employment, including its management and termination, as well as staff benefits, including travel, manpower, business continuity and logistics management or support, processing expense claims, medical insurance applications, medical screenings and immunisations, leave administration, long-term incentive plans, training, learning and talent development, and planning and organising corporate events;
• Providing an Employee or Freelancer with tools and/or facilities to enable or facilitate the performance of his/her duties;
• Facilitating professional accreditation and complying with compliance audits;
• Compiling and publishing internal directories and emergency contact lists for business continuity;
• Managing corporate social responsibility projects;
• Conducting analytics and research for human resource planning and management, and for Kalibra to review, develop, optimise and
• Improve work-related practices, environment and productivity;
• Ensuring that the administrative and business operations of Kalibra function in a secure, efficient and effective manner (including but not limited to examining or monitoring any computer software and/or hardware installed within Kalibra, Employee or Freelancer work emails and personal digital and storage devices);
• Compliance with any applicable rules, laws and regulations, codes of practice or guidelines or to assist in law enforcement and investigations by relevant authorities (including but not limited to disclosures to regulatory bodies, conducting audit checks or surveillance and investigation);
• Administering cessation processes; and/or any other purposes which are reasonably related to the aforesaid.

In additional to the general purposes of Processing of Prospects, Users, Third Party Providers, Employees and Freelancers Personal Data as stated within section 8 of this Policy, Kalibra also Processes Personal Data of its Prospects, Users, Employees and Freelancers for the following additional purposes:

• Taking or filming photographs and videos for corporate publicity or marketing purposes, and featuring Prospect, User, Employee and Freelancer photographs and/or testimonials in our articles and publicity materials;
• Providing or marketing services and benefits to a Prospects and Users, including promotions, service upgrades, loyalty, reward and/or Usership programmes (including affiliate programs) and sending of healthcare-related updates, event invitations, newsletters and marketing and promotional information to a Prospect or User pursuant to such Usership programmes);
• Organising roadshows, tours, campaigns (including health check or vaccination campaigns) and promotional or events and administering contests and competitions;
• Matching Personal Data with other data collected for other purposes and from other sources (including third parties) in connection with the provision or offering of Services;
• Sending details of services, clinic updates, health-related information and rewards, either to our Prospect or Users generally, or which we have identified may be of interest to a Prospect;
• Conducting market research, aggregating and analysing Prospect and User profiles and data to determine health-related patterns and trends, understanding and analysing Prospect and User behaviour, location, preferences and demographics for us to offer a Prospect or User other products and services as well as special offers and marketing programmes which may be relevant to a Prospect or User’s preferences and profile; and/or any other purposes which are reasonably related to the aforesaid.

If a Prospect or User has provided us with Singapore telephone number(s) and have indicated consent to receiving marketing or promotional information via the Singapore telephone number(s), then from time to time, Kalibra may contact the Prospect or User using such Singapore telephone number(s) (including via voice calls, text, social media, fax or other means) with information about our products and services.

In relation to particular Services or in a Prospect or User’s interactions with us, we may also have specifically notified a Prospect or User of other purposes for which we collect, use or disclose their Personal Data. If so, we will collect, use and disclose the Prospect or User’s Personal Data for these additional purposes as well, unless we have specifically notified a Prospect or User otherwise.

Unless permitted under the PDPA or any other laws, regulations and guidelines, Kalibra shall not use or disclose the Personal Data for any other purpose, without first identifying and documenting the other purpose and obtaining the consent of the affected Prospect, User, Employee or Freelancer.

The purposes listed in the above sections may continue to apply even in situations where a User, Employee or Freelancer’s relationship with Kalibra (for example, pursuant to a contract) has been terminated or altered in any way, for a reasonable period thereafter (including, where applicable, a period to enable us to enforce our rights under any contract with a User, Employee or Freelancer).

Part 9: Withdrawal of Consent
Consent received expressly or impliedly by a Prospect, User, Employee or Freelancer of Kalibra for Personal Data Processing purposes stated within Part 7 of this Policy will remain valid until such time that it is withdrawn by a Prospect, User, Employee or Freelancer in writing addressed to Kalibra’s Data Protection Officer whose details are to be found within section 19.3 of this Policy.

Upon receipt of a Prospect, User, Employee or Freelancer’s written request to withdraw their consent, we may require reasonable time (depending on the complexity of the request and its impact on our relationship with you) for your request to be processed and for us to notify you of the consequences of us acceding to the same, including any legal consequences which may affect your rights and liabilities to us. In general, we shall seek to process your request within 30 business days of receiving it.

If consent is withdrawn by an Employee or Freelancer, Kalibra may need to discontinue his/her employment with the company. If consent is withdrawn by a Prospect or User, Kalibra may no longer be able to provide the requested products or services and our relationship with the Prospect or User may have to be terminated. Withdrawing consent does not affect Kalibra’s right to continue to collect, use and disclose Personal Data where such collection, use and disclose without consent is permitted or required under applicable laws.

A Prospect or User may delete their account at any time by accessing our App or by visiting https://kalibra.ai/. Once deleted, a Prospect or User’s data, including a Prospect or User’s account, username, or any other related content, cannot be restored.

Content a Prospect or User has shared with others, exported from the service, or that others have copied may also remain visible after a Prospect or User has deleted a Prospect or User account or deleted the information from their own profile. A Prospect or User’s public profiles may be displayed in search engine results until the search engine refreshes its cache.

Part 10: Protection of Personal Data
Kalibra places great importance on ensuring the security of our Prospects, Users, Employees and Freelancers Personal Data against risks of unauthorised access, collection, use, disclosure, copying, modification, disposal or destruction. Kalibra has implemented security measures which include appropriate administrative, physical and technical measures such as up-to-date antivirus protection, encryption and the use of privacy filters to secure all storage and transmission of Personal Data by us, and disclosing Personal Data both internally and to our authorised third party service providers and agents only on a need-to-know basis.

Kalibra will regularly review and implement appropriate security measures when processing and retaining Personal Data. While acknowledging that security cannot be guaranteed and that no method of transmission over the Internet or method of electronic storage is completely secure, Kalibra strives to protect the security of our information and is constantly reviewing and enhancing the company’s information security measures.

Employees of Kalibra are required to handle the Personal Data securely and with strict confidentiality, failing which they may be subject to disciplinary action. Further, Kalibra will impose compliance with data confidentiality requirements on our agents, third party service providers, consultants and professional advisors in our working relationships and/ or agreements with these parties.

Kalibra’s Users should recognize that protecting Personal Information is their responsibility. We ask all Users to safeguard User’s password, secret questions and answers, and other authentication information a User uses to access our Services. Users should not disclose their authentication information to any third party. Users should also immediately notify us of any unauthorized use of a Users password. We cannot secure Personal Information that a Customer or User releases on their own or that a User requests us to release. A User may choose to disclose, through other means not associated with us, any part of their Personal Information and/or Genetic Information. A User may share this information with friends or family Users, groups of individuals, third-party service providers, doctors or other health care professionals, or other individuals. We recommend that all Users make such choices carefully.

Part 11: Disclosure of Personal Data
Kalibra and its Affiliates will take reasonable steps to protect Personal Data against unauthorised disclosure. Subject to the provisions of any applicable law, Personal Data may be disclosed, for the purposes listed in Section 8 of this Policy to the following entities or parties, whether they are located overseas or in Singapore:

• Amongst Kalibra group Users and Affiliates (including their coaching staff and medical practitioners);
  companies providing services relating to insurance to Kalibra;
• Agents contractors, sub-contractors or third party service providers who provide operational services to Kalibra, such as courier services, telecommunications, information technology, payment, printing, billing, debt recovery, processing, technical services, transportation, training, market research, call centre, security, or other services to Kalibra;
• Vendors or third party service providers and our marketing and business partners in connection with marketing promotions, products and services;
• Our corporate Users.
• Any business partner, investor, assignee or transferee (actual or prospective) to facilitate business asset transactions (which may extend to any merger, acquisition or asset sale);
• External credit card companies, other financial institutions and their respective service providers;
  our advisers such as consultants, auditors and lawyers;
• Relevant government ministries, regulators, statutory boards or authorities or law enforcement agencies to comply with any laws, rules, guidelines and regulations or schemes imposed by any governmental authority (including the Ministry of Health); and/or
  any other party to whom a User authorises us to disclose Personal Data to.

Part 12: Access and Correction to Personal Data
A User may make a request to access his/her Personal Data which is in Kalibra’s possession or control. The User must complete a data access request (“DAR”) form which a User may fill out providing all necessary information as prescribed in the DAR form. We do not charge a fee for a DAR request in normal circumstances although we may charge a reasonable fee for further copies of information already provided or for requests that are manifesting unfounded or excessive, particularly where those requests are repetitive.

Kalibra aims to revert within 30 days from the receipt of the DAR request. If Kalibra is unable to comply with the DAR requirements within the said time frame, Kalibra will have to inform the User the reasonably soonest time by which a response will be provided in relation to the request.

A User may make a request for correction of his/her Personal Data which is in Kalibra’s possession or control. The User should contact Kalibra’s Data Protection Officer whose details are contained within section 19 of this Policy.

A User may make a request for transfer of his/her Personal Data which is in Kalibra’s possession or control. The User should contact Kalibra’s Data Protection Officer whose details are contained within section 19 of this Policy. To the extent required by PDPA, upon request by a User, Kalibra shall provide information relating to how the User’s Personal Data has been or may have been used or disclosed within a year before the date of such request. Kalibra may also provide a standard list of possible third parties as part of its response to all access requests for information relating to the disclosure of Personal Data during such a period.

Employees who wish to access or correct their Personal Data should contact the HR Department of Kalibra. Potential Employees who were subsequently not employed by Kalibra or former Employees of Kalibra should complete the DAR/DCR form as mentioned in section 10 above (as the case may be).

Kalibra may not be able to provide access to all of the Personal Data that we hold about an individual. For example, Kalibra may not provide access to Personal Data if such provision could reveal Personal Data about another individual, if such information is subject to legal privilege or if provision will be contrary to national interest or where such refusal is permitted under the PDPA. If access to Personal Data cannot be provided, the reasons for denying access will be provided to User within 30 days of receipt of the DAR form, subject to any legal or regulatory constraints.

Part 13: Retention and Disposal of Personal Data
Kalibra retains such Personal Data as may be required for business or legal purposes, and such purposes do vary according to the circumstances.

Kalibra does not retain Personal Data (and in particular sensitive personal data) for any longer than necessary. The length of time over which Personal Data may be retained is dependent upon the circumstances including why the personal information was obtained in the first place.

Whilst Kalibra will securely dispose of or anonymise Personal Data which it can reasonably determine is no longer needed and does not generally hold on to Personal Data “just in case”, it is in the interests of any caregiver or person treating a Prospect or User to be able to refer to a complete set of biomarker records to avoid risks to health and safety of a Prospect or User.

With respect to the biomarker records of a Prospect or User, unless specific contrary instructions from the Prospect or User are received, Kalibra may (but is not obliged to) retain such medical records for as long as Kalibra may be potentially consulted for further follow up by (or on behalf of) the Prospect or User even where such consultation may not occur until after a substantial period of time or there is no current or present indication that the Prospect or User may well return for further consultation or follow up.

A Prospect or User has the right to request that we dispose of the Personal Data we hold about them in the following circumstances:

• Where it is no longer necessary for us to retain that personal data having regard to the purpose for which it was originally collected or processed;
• Where the Prospect or User wishes to withdraw consent to holding and Processing of Personal Data previously given to Kalibra;
• Where the Prospect or User objects to us holding and Processing their Personal Data and no overriding legitimate interest permitting Kalibra to continue doing so exists;
• The Personal Data of the Prospect or User has been Processed unlawfully; or Kalibra needs to dispose the personal data in order to comply with a particular legal obligation.

Unless Kalibra has reasonable grounds for refusing to erase Personal Data, all erasure requests shall be complied with within one month from the receipt of the Prospect or User’s request. In the event that any Personal Data that is to be disposed in response to a Prospect or User’s request has been disclosed to Affiliates or third parties, those Affiliates or third parties will be informed of the disposal unless to do so is impossible or would require disproportionate effort.

Part 14: Storage of Personal Data
Kalibra will ensure that all electronic copies of Prospects and Users Personal Data will be stored securely using passwords and appropriate data encryption. Suitable backups will be made of all Personal Data that is stored electronically. We will store two (2) backup copies on different storage media. All backups will also be encrypted.

Prospects and Users Personal Data will not be transferred to any device personally belonging to any personnel of Kalibra.

Part 15: Use of Cookies, Web Beacons and Similar Technologies
When a Prospect or User visits or interacts with out sites, Services, Kalibra or our authorized service providers may use cookies, web beacons, and other similar technologies for collecting and storing information to help provide Prospects and Users with a better, faster and safer web experience. The information collected by us or our authorised service providers may recognise a visitor as a unique user and may collect information such as how a visitor arrives at our sites, what kind of browser a visitor is on, what operating system a visitor is using, a visitor’s IP address and a visitor’s click stream information and time stamp (for example, which pages they have viewed, the time the pages were accessed and the time spent per web page).

The use of cookies, web beacons and similar technologies by us on our website has different functions. They are either necessary for the functioning of our Services, help us improve our performance, or serve to provide a User with extra functionalities. They may also be used to deliver content that is more relevant to a User’s interests, or to target advertising to a Prospect or User on or off our sites.

Cookies – Small text files (typically made up of letters and numbers) placed in the memory of a Prospect or Users browser or device when a Prospect or User visits a website or views a message. Cookies allow a website to recognize a particular device or browser. There are several types of cookies: Session cookies expire at the end of a Prospect or User’s browser session and allow us to link a Prospect or User’s actions during that particular browser session. Persistent cookies are stored on a Prospect or User’s devices in between browser sessions, allowing us to reUser a Prospect or User’s preferences or actions across multiple sites. First party cookies are set by the site a Prospect or User is visiting. Third party cookies are set by a third-party site separate from the site a Prospect or User is visiting. Cookies can be disabled or removed by tools that are available in most commercial browsers. The preferences for each browser a Prospect or User uses will need to be set separately and different browsers offer different functionality and options.

Web beacons – small graphic images (also known as “pixel tags” or “clear GIFs”) may be included on our sites and services. Web beacons typically work in conjunction with cookies to profile each unique user and user behavior.

Similar technologies – technologies that store information in Prospect or User’s browser or device utilizing local shared objects or local storage, such as flash cookies, HTML 5 cookies, and other web application software methods. These technologies can operate across all Prospect or User’s browsers.

We offer certain site features and services that are available only through the use of these technologies. Prospects and Users are always free to block, delete, or disable these technologies based on their browser functionalities. However, if a Prospect or User declines cookies or other similar technologies, a Prospect of User may not be able to take advantage of certain site features or service tools. For more information on how a Prospect or User can block, delete, or disable these technologies, please review browser settings.

Our website may contain links to other websites operated by third parties, including for example our business partners. We are not responsible for the data protection practices of websites operated by third parties that are linked to our website. We encourage Prospects and Users to learn about the data protection practices of such third party websites. Some of these third party websites may be co-branded with our logo or trademark, even though they are not operated or maintained by us. Once a Prospect or User has left our website, a Prospect or User should check the applicable Data Privacy Policy of the third party website to determine how they will handle any information they collect from a Prospect or User.

Part 16: Transfers of Personal Data outside of Singapore
Kalibra currently processes all user data at cloud service providers based the Netherlands or Singapore. Users unilaterally determine what personally identifiable (PII) data they share with Kalibra.

We will take steps to ensure that Personal Data continues to receive a standard of protection that is at least comparable to that provided under the PDPA.

By using our Services and submitting Personal Data, a prospect or user agrees to the transfer, storage, and/or processing of a Prospect or User’s Personal Data in Singapore or the Netherlands. Where and as required, we will seek a Prospect or User’s express consent as outlined in this Policy.

Part 17: Training
We will ensure that all personnel of Kalibra receive adequate training as to their data protection responsibilities and as to how to act and respond as and when they receive requests for matters such as subject access requests, objections and requests for erasure and rectification. Those whose roles require regular access to Personal Data, or who are responsible for implementing this Policy or responding to subject access requests under this policy, will receive additional training to help them understand their duties and hot to comply with them.

Part 18: Data Breaches
A data breach is any loss of data or information in whatever form it is held and by whatever means the data was lost including data that is destroyed or rendered unusable. It may take many different forms, including:

• Loss or theft of data or equipment on which Personal Data is stored;
• Unauthorised access to or use of Personal Data either by a User of staff or third party such as from hacking;
• Loss of data resulting from an equipment or systems (including hardware and software) failure;
• Human error, such as accidental deletion or alteration of data; and/or
• Deliberate attacks on IT systems, such as hacking, viruses and phishing scams.

Kalibra will ensure that any data breach which results, or is likely to result in, significant harm to an affected individual or is otherwise of a significant scale is notified within seventy-two (72) hours to the PDPC and within a reasonable amount of time as may be practicable to all Prospects or Users affected by the data breach.

Part 19: Data protection management programme (“DPMP”) and Data Protection Officer
Under the PDPA, organisations are required to develop and implement policies and practices that are necessary for the organisation to comply with the PDPA (i.e. Personal Data protection policies and practices). The DPMP is a data protection framework that helps organisations establish a robust data protection infrastructure. It covers management policies and processes for the handling of Personal Data, as well as defining roles and responsibilities of the people in the company in relation to Personal Data protection. As a company incorporated in Singapore, Kalibra is required by the PDPA to designate one or more individuals to act as the data protection officer (“DPO”) of the company. The DPO is in charge of ensuring that the organisation complies with the PDPA. This is part of the Accountability Obligation of organisations under the PDPA.

Mr. Guillaume Belanger has been appointed as our DPO, and is also Kalibra’s EU-based representative. He is responsible for informing and advising us on our data protection obligations, for monitoring compliance and for ensuring that we comply with our obligations in accordance with this Policy. Comments or queries concerning this Policy should be addressed to him at +6531293788 or at support@kalibra.ai

The DPO will deal with issues relating to this Policy and the application of data protection law including:

• Issues relating to the correct lawful basis to be applied to Personal Data collected, held or processed and in particular when consent or legitimate interest is being relied upon;
• Issues relating to the use to which data can be put having regard to the purpose for which it was acquired;
• Issues relating to the periods for which Personal Data is retained;
• Privacy notices and when these are required;
• Subject access requests as set out in Part V of the PDPA;
• Actual or suspected data breaches or issues relating to security arrangements;
• Sharing data with third parties and transferring data from outside Singapore;
• Where processing uses new technologies and is likely to result in a high risk to the rights and freedoms of natural persons and a data protection impact assessment is required;
• In relation to automated processing, including profiling or automated decision making; and
• In relation to information which is deemed to be special category data or data relating to children (for the avoidance of doubt, Kalibra’s products and services are not designed and aimed at children under the age of 18 and it is Kalibra’s policy to immediately delete children’s Personal Data where this is discovered to be the case).

Part 20: Sub-processors
The Customer provides its prior, general authorization for Kalibra to appoint Processors to process the Customer Personal Data, provided that Kalibra shall ensure that the terms on which it appoints such processors comply with Data Protection Laws, and are consistent with the obligations imposed on Kalibra. Kalibra shall remain responsible for the acts and omission of any such Processor as if they were the acts and omissions of Kalibra.

Kalibra has currently appointed, as Sub-Processors, the third parties listed in the table below. Kalibra will notify Customer if Kalibra adds or replaces any Sub-Processors listed in the table below least 30 days prior to any such changes.

Customers can opt-in to receive such emails by contacting support@kalibra.ai. Kalibra will include substantially the same protections for Customer Personal Data as those in the DPA.