BIORASI PRIVACY POLICY

Effective Date: August 18, 2025

Biorasi, LLC, operating through its affiliates and representative offices located throughout the world (collectively, “Biorasi” or the “Company”) is strongly committed to protecting your privacy and has implemented the below to ensure all personally identifiable information you provide is protected.

Information We Collect

We collect information you provide directly to us, such as when you create an account, contact us, or use our services. This may include:

• Contact Information: Name, email address, phone number, mailing address
• Professional Information: Job title, company, professional credentials
• Account Information: Username, password, preferences
• Communication Data: Messages, inquiries, feedback you send to us
• Technical Information: IP address, browser type, device information, usage data

Sensitive Personal Information: In certain jurisdictions, we may collect sensitive personal information including health information, biometric data, or precise geolocation data. We will only collect such information with your explicit consent or as otherwise permitted by applicable law.

Legal Basis for Processing: We process your personal information based on the following legal grounds:

• Your consent (which you may withdraw at any time)
• Performance of a contract with you
• Compliance with legal obligations
• Legitimate business interests (where not overridden by your privacy rights)
• Protection of vital interests

How We May Use Your Information

We may use the information we collect to:

• Provide, maintain, and improve our services
• Process transactions and send related information
• Send technical notices, updates, security alerts, and support messages
• Respond to your comments, questions, and customer service requests
• Communicate with you about products, services, and events
• Monitor and analyze trends, usage, and activities
• Detect, investigate, and prevent fraudulent transactions and other illegal activities
• Comply with legal obligations and protect our rights

Information Sharing

We may share your personal information in the following circumstances:

• Service Providers: With third-party vendors, consultants, and other service providers who need access to such information to carry out work on our behalf
• Business Transfers: In connection with any merger, sale of company assets, financing, or acquisition of all or a portion of our business
• Legal Requirements: When required by law or to respond to legal process
• Protection of Rights: To protect the rights, property, and safety of Biorasi, our users, or others
• Consent: With your consent or at your direction

International Data Transfers

When we transfer personal data outside your country of residence, we implement appropriate safeguards:

Transfer Mechanisms:

• Standard Contractual Clauses (SCCs): EU-approved contractual terms
• Adequacy Decisions: Transfers to countries with adequate protection
• Binding Corporate Rules: Internal data protection rules (where applicable)
• Consent: Your explicit consent for specific transfers
• Contractual Necessity: Transfers necessary for contract performance

Countries: We may transfer data to the United States, Germany, India, Ukraine, and other countries where our service providers operate.

Transfer Locations: We transfer personal data to the following regions for business operations:

• United States (headquarters and data processing)
• Germany (European operations via Biorasi GmbH)
• India (operations via Biorasi Clinical Services Pvt. Ltd.)
• Ukraine (representative office operations)

Safeguards: All transfers include appropriate technical and organizational measures to protect your data, including encryption, access controls, data processing agreements, and regular security assessments.

Your Rights: You may request information about specific transfers affecting your data and object to transfers where legally permitted.

Your Privacy Rights

Depending on your location, you may have the following rights:

Universal Rights:

• Access: Request copies of your personal information
• Correction: Request correction of inaccurate information
• Deletion: Request deletion of your personal information
• Restriction: Request limitation of processing
• Objection: Object to processing based on legitimate interests
• Portability: Receive your data in a structured, machine-readable format
• Withdraw Consent: Withdraw consent at any time (where processing is based on consent)

How to Exercise Rights: Contact us at dpo@biorasi.com. We will respond within the timeframes required by applicable law (typically 30 days).

Verification: We may request additional information to verify your identity before processing requests.

No Discrimination: We will not discriminate against you for exercising your privacy rights.

European Union (GDPR) Rights

If you are located in the European Union, you have additional rights under the General Data Protection Regulation (GDPR):

• Right to lodge a complaint with a supervisory authority
• Right to object to processing for direct marketing purposes
• Rights related to automated decision-making and profiling
• Right to appoint a representative for data protection matters

Our EU representative can be contacted through our German affiliate, Biorasi GmbH.

California Privacy Rights (CCPA/CPRA)

California Residents: If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

Your Rights Include:

• Right to Know: Request disclosure of personal information collected, used, disclosed, or sold
• Right to Delete: Request deletion of personal information we have collected
• Right to Correct: Request correction of inaccurate personal information
• Right to Opt-Out: Opt-out of the sale or sharing of personal information
• Right to Limit: Limit use and disclosure of sensitive personal information
• Right to Non-Discrimination: Not receive discriminatory treatment for exercising your rights

To exercise any of these rights, contact us at dpo@biorasi.com.

Categories of Personal Information: We collect identifiers, commercial information, internet activity, professional information, and inferences drawn from this data.

Do Not Sell or Share: We do not sell personal information. We may share personal information with service providers for business purposes.

Korea Privacy Rights (PIPA)

Korea Residents: If you are located in Korea, we comply with the Personal Information Protection Act (PIPA):

Cross-Border Transfers: We obtain your separate consent before transferring personal information outside Korea, except where permitted by law.

Data Subject Rights: You may request access, correction, deletion, or suspension of processing of your personal information.

Local Representative: Our Korean operations can be contacted through dpo@biorasi.com.

Japan Privacy Rights (APPI)

Japan Residents: If you are located in Japan, we comply with the Act on Protection of Personal Information (APPI):

Consent Requirements: We obtain your consent for cross-border transfers to countries without adequacy decisions.

Individual Rights: You may request disclosure, correction, addition, deletion, suspension of use, or suspension of provision to third parties.

Complaint Handling: You may file complaints with the Personal Information Protection Commission.

India Privacy Rights (DPDP Act)

India Residents: If you are located in India, we comply with the Digital Personal Data Protection Act, 2023:

Data Principal Rights: You may request confirmation of processing, correction, completion, updating, and erasure of personal data.

Consent Requirements: We process personal data based on your free, specific, informed, and unambiguous consent.

Data Breach Notification: We will notify you of data breaches that may cause harm within the timeframes specified by law.

Cookies and Tracking Technologies

We use cookies, pixels, and similar technologies to enhance your experience and analyze website usage.

Cookie Categories:

• Essential Cookies: Required for website functionality (no consent required)
• Analytics Cookies: Help us understand website usage and performance
• Marketing Cookies: Used for advertising and personalized content
• Preference Cookies: Remember your settings and preferences

Your Cookie Choices:

• Browser Settings: Configure your browser to block or delete cookies
• Cookie Preference Center: Manage cookie preferences through our cookie banner
• Opt-Out Tools: Use industry opt-out tools for advertising cookies

Third-Party Cookies: We may allow third parties to place cookies for analytics and advertising purposes. These are governed by third-party privacy policies.

Cookie Retention: Cookies are retained for varying periods depending on their purpose, typically from session-based to 2 years.

Data Security

We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:

• Encryption of data in transit and at rest
• Access controls and authentication systems
• Regular security assessments and audits
• Employee training on data protection
• Incident response procedures

However, no method of transmission over the internet or electronic storage is 100% secure, and we cannot guarantee absolute security.

Data Retention

We retain personal information for specific periods based on:

Retention Periods:

• Account Information: 7 years after account closure
• Marketing Communications: Until you unsubscribe plus 3 years
• Website Analytics: 26 months from collection
• Legal Compliance: As required by applicable laws (typically 7-10 years for clinical research records)
• Legitimate Business Interests: Up to 7 years for business relationship records

Deletion Process: At the end of retention periods, we securely delete or anonymize personal information using industry-standard methods.

Legal Holds: We may retain information longer when required by legal proceedings, regulatory investigations, or other legal obligations.

Children’s Privacy

We are committed to protecting children’s privacy:

Age Restrictions: Our services are not directed to individuals under 16 years of age (or the applicable age of consent in your jurisdiction).

Parental Consent: If we learn we have collected information from a child under the applicable age without parental consent, we will delete such information promptly.

Jurisdiction Variations: Age thresholds vary by jurisdiction (13 in the US, 16 in the EU, 14 in Korea, etc.). We comply with the applicable age requirements in your location.

Data Breach Notification

In the event of a data breach affecting your personal information:

Regulatory Notification: We will notify relevant authorities within 72 hours where required by law.

Individual Notification: We will notify affected individuals without undue delay when the breach is likely to result in high risk to your rights and freedoms.

Notification Method: We will notify you via email, postal mail, or prominent website notice, as appropriate.

Notification Content: Our notification will include the nature of the breach, likely consequences, and measures taken to address the breach and mitigate harm.

Jurisdiction-Specific Requirements: We comply with breach notification requirements in all jurisdictions where we operate, including varying timeframes and thresholds.

Changes to This Privacy Policy

We may update this privacy policy from time to time. We will notify you of any changes by posting the new privacy policy on this page and updating the “Effective Date” at the top of this policy. We encourage you to review this privacy policy periodically for any changes.