
Data Privacy Policy

Settlex Technology Inc • February 2024 • Version 2025/1.0

Policy Statement

Settlex Technology Inc is committed to managing Personal Data securely and effectively. This Policy provides guidelines to Settlex Teammates handling Personal Data, including through the collection, use, disclosure of, and any other Processing operation carried out with Personal Data, in accordance with the requirements and guidance provided by applicable data protection regimes and the competent Data Protection Authorities. For the purposes of this Policy, Personal Data refers to any information relating to an individual who can be identified, whether directly or indirectly. For customers, Personal Data or Information includes, but is not limited to, any individually identifiable information that is maintained or transmitted about a Customer in any form, including electronic form. This Policy should be read in conjunction with the Appendix, which provides additional information about defined terms used throughout this Policy. Settlex may supplement or amend this Policy by additional policies and guidelines from time to time.

Policy Aims

This Policy aims to protect the confidentiality and integrity of all Personal Data that is processed by Settlex, including data relating to Settlex Teammates, Third Parties, suppliers and customers. This Policy further aims to align Personal Data handling practices within Settlex with the data protection regimes and laws applicable to us, applicable codes and guidelines, our Core Values and the Data Protection Principles outlined below.

1. SCOPE

1.1. This Policy explains when and how Personal Data may be collected, shared, and otherwise processed by Settlex Teammates, regardless of the media on which such data is held.
1.2. All core sections of this Policy apply to all Settlex Teammates regardless of the geographic location where they are based.
1.3. It is the responsibility of all Settlex Teammates to assist in the protection of Personal Data. Teammates must read, understand and comply with this Policy when processing Personal Data on Settlex's behalf, and attend training on its requirements. This Policy sets out what we expect from Teammates in order for Settlex to comply with applicable law. Compliance with this Policy and the applicable supporting policies is mandatory. Any breach of this Policy may result in disciplinary action.
1.4. Settlex Teammates must only collect, access, use, disclose or otherwise handle Personal Data or Information:
1.4.1. as permitted under the applicable laws;
1.4.2. in a manner consistent with this Policy; and
1.4.3. as may be strictly necessary to enable them to perform the specific duties corresponding to their respective roles within Settlex.

2. DATA PROTECTION PRINCIPLES

2.1. In the normal course of its business activities, Settlex collects and processes different categories of Personal Data about individuals with whom we have a relationship, including Teammates, customers, and Third Parties ("Data Subjects").
2.2. All activities carried out by Teammates on behalf of Settlex, or in the course of their employment by Settlex, that involve Processing Personal Data or Information must comply with the Data Protection Principles described below.
2.3. The Data Protection Principles applicable to Settlex are:
2.3.1. Lawfulness, Fairness, and Transparency: Personal Data is processed lawfully and fairly in relation to Data Subjects. Data Subjects are informed, in clearly understandable language that is easily accessible to them, about the Processing of their Personal Data by or on behalf of Settlex through appropriate Privacy Notices;
2.3.2. Purpose Limitation: Personal Data is only collected for specified, explicit and legitimate purposes, and is not further processed in a manner that is incompatible with the purposes for which it was collected;
2.3.3. Data Minimisation: only Personal Data that is relevant to, and limited to what is necessary for, the purposes for which it is collected is processed;
2.3.4. Accuracy: all reasonable measures are taken to ensure the quality and accuracy of the Personal Data we hold, by ensuring, where necessary, that it is kept up to date, and by providing individuals with the right to access and, where necessary, to rectify, complete and update Personal Data concerning them;
2.3.5. Storage Limitation: Personal Data is not retained for longer than is necessary for the purposes for which it was collected;
2.3.6. Integrity and Confidentiality: Processing is carried out in a manner that provides appropriate security of the Personal Data, including protection against unauthorised or unlawful Processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures;
2.3.7. Accountability: Settlex is responsible for documenting and evidencing compliance with the principles in Section 2.3 above.

3. CATEGORIES OF PERSONAL DATA PROCESSED

3.1. Settlex may collect and process the following non-exhaustive categories of Personal Data in connection with its normal business activities:
3.1.1. Master data: first name and family name, middle name, preferred first name, address and address details including address type (such as Home or Additional), municipality/city, postal code, country ISO code, email address and email type (Work, Home, Additional), telephone number and phone type (Work, Home, Additional), international phone code, area code, phone device description, date of birth, gender, national ID and ID type code;
3.1.2. Financial data: bank account, credit or debit card, credit reports and other financial data appropriate to support business transactions;
3.1.3. Candidate and Employment data: including, but not limited to, right-to-work documentation (such as passport, driving licence and/or visa information), biographical information (such as employment and education history), professional reference information, and criminal offence and conviction data;
3.1.4. Contractual data: Personal Data related to contracts with an individual;
3.1.5. Health data: diagnoses, test results, Clinical Customer Imaging, Non-Clinical Customer Imaging, treatment protocols, medications, statements or information in a medical file, insurance information, occupational health data, sickness absence, adverse occurrences;
3.1.6. Emergency contact information: first name and family name, and contact information (if provided by the Customer or employee) of a next-of-kin to be contacted in an emergency;
3.1.7. Performance data: performance scores, development objectives and personal achievements of Teammates;
3.1.8. Training data: records of training courses attended by Teammates and qualifications achieved;
3.1.9. Monitoring data: statistics and logs of Settlex IT system activity and website usage; and
3.1.10. Compliance data: background verification check results (including checks against international sanctions, politically exposed persons or export control registers), complaints or claims, investigations, and hotline and other compliance monitoring, reporting and remediation information.
3.2. Some of these categories may be considered special category or sensitive data that requires special handling. See Appendix 3 for country-specific definitions and requirements.

4. PURPOSES OF PROCESSING

4.1. Settlex processes Personal Data to provide health care services, to perform medical activities, to provide management, strategic and corporate services, to keep and manage medical records, and to settle with any national government agency or fund for health care services provided.
4.2. Additionally, Settlex processes Personal Data for operational business purposes, including:
4.2.1. to schedule appointments;
4.2.2. to conduct internal proceedings or investigations aimed at ensuring compliance of Settlex Teammates with the law, this Policy and the supporting policies referred to below;
4.2.3. to monitor and improve the quality of services provided by Settlex, including monitoring of telephone conversations or other communications and verifying the satisfaction of customers with Settlex's services;
4.2.4. for reporting within Settlex or to Settlex's parent company, Settlex, Inc., including management reporting;
4.2.5. for analysing clinic performance (using Pseudonymised or Anonymised Data where possible);
4.2.6. for organising and holding internal Settlex events;
4.2.7. to celebrate Teammate professional milestones;
4.2.8. for internal Teammate communication and team-building purposes;
4.2.9. for the purposes of establishing, exercising and defending legal claims; and/or
4.2.10. for maintaining the security and integrity of Settlex premises and clinics.
4.3. Settlex may also use Personal Data to create Anonymised Data that is not considered individually identifiable health information. If such data is shared with any Third Party, Settlex will take reasonable and appropriate steps to ensure that any identifiers of the Data Subjects, and of third parties related to the Data Subjects such as relatives, employers or household members, have been completely removed, and that no Data Subject remains identifiable despite the removal of those direct identifiers.

5. LAWFULNESS OF PROCESSING

5.1. When Processing Personal Data relating to Data Subjects for the purposes outlined above, Settlex relies on different legal bases in each jurisdiction. These vary across jurisdictions, but most jurisdictions recognise the following lawful bases:
5.1.1. Consent: the individual has given clear consent to the processing of their Personal Data for a specific purpose. This may be explicit or implicit consent depending on the processing activity, and the definition varies by market.
5.1.2. Performance of a contract: the processing is necessary for a contract with the individual, or because they have asked Settlex to take specific steps before entering into a contract.
5.1.3. Legal obligation: the processing is necessary to comply with the law (not including contractual obligations).
5.1.4. Public interest: the processing is necessary to perform a task in the public interest, and the task or function has a clear basis in law.
5.2. Other lawful bases relied upon by Settlex in some jurisdictions include:
5.2.1. Legitimate interest: the processing is necessary for Settlex's legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual's Personal Data which overrides those legitimate interests.
5.3. These are set out in more detail in Appendix 3, which indicates the lawful bases that can be applied in each jurisdiction based on the laws and regulations applicable to Settlex.

6. PROCESSING CUSTOMER IMAGING

6.1. Settlex may need to collect and process Clinical Customer Imaging for diagnostic, treatment and continuing professional education purposes. Settlex may also need to process Non-Clinical Customer Imaging for the purposes described above. All Teammates who, in the course of the normal business activities of Settlex, collect and/or otherwise process Clinical and/or Non-Clinical Customer Imaging are expected to observe the principles outlined in the Settlex Handling Customer Imaging Job Aid, in addition to the general guidelines for handling Personal Data outlined in this Policy.

7. RETENTION AND DISPOSAL OF PERSONAL DATA

7.1. Settlex will retain Personal Data for the period defined by Settlex's Global Records Retention Schedule and Settlex's Records Management Policy. Upon reaching the relevant retention period, Settlex will securely dispose of the Personal Data in accordance with Settlex's IT Policy and Acceptable Use Policy.
7.2. In some cases, it will be necessary for Settlex to continue Processing certain Personal Data after Data Subjects have stopped receiving services from Settlex. However, Settlex will not keep Personal Data for longer than is required or permitted by applicable law, as defined in Settlex's Retention Schedule.

8. DATA SUBJECT RIGHTS

8.1. Under applicable data protection laws and regulations, all Data Subjects who are located in the UK have the following rights, under certain circumstances, relating to their Personal Data:
8.1.1. Right to information: the right to be informed about Settlex's collection and use of their Personal Data;
8.1.2. Right of access: the right to request access to (and receive a copy of) their Personal Data;
8.1.3. Right to rectification: the right to have their Personal Data updated if it is inaccurate or incomplete;
8.1.4. Right to be forgotten: the right to request erasure of their Personal Data if it is no longer required for business purposes;
8.1.5. Right to restrict Processing: the right to request the restriction or suppression of the Processing of their Personal Data;
8.1.6. Right to object: the right to object to the Processing of their Personal Data by Settlex;
8.1.7. Right to data portability: the right to obtain and reuse the Personal Data they have provided for their own purposes across different services;
8.1.8. Right to withdraw consent: the right to withdraw consent previously given for Settlex to process their Personal Data;
8.1.9. Automated decision-making, including profiling: the right not to be subject to a decision based solely on automated Processing, including profiling, which produces legal effects concerning them or similarly significantly affects them;
8.1.10. Right to complain: the right to lodge a complaint with the competent data protection authority.
8.2. All data protection-related requests received by Settlex Employees in any format, whether in connection with the Data Subject Rights outlined above or any other data protection matter, must be notified immediately to the Compliance and Governance Director using the Contact methods outlined in Section 12 below.

9. PROTECTION OF PERSONAL DATA

9.1. Settlex protects and secures Personal Data using a range of technical and organisational measures.
9.2. When implementing any new administrative process, system or technology, Employees must make sure that the risks associated with any change in the collection, use, storage, transfer or disclosure of Personal Data are fully assessed through completion of a Data Protection Impact Assessment ("DPIA") in accordance with applicable laws.
9.3. For further detailed guidance regarding the technical and organisational security measures implemented by Settlex to protect Personal Data, and/or the responsibilities of Employees in relation to them, contact the Compliance and Governance Director using any of the Contact methods outlined in Section 12 below.

10. DATA ETHICS FRAMEWORK

Settlex recognises that responsible data governance must include ethical considerations beyond legal compliance. This framework guides ethical decisions around data and aligns with our organisational values.
10.1. Ethical Principles:
- Fairness: ensure data is used in ways that do not create or reinforce bias or discrimination.
- Transparency: be clear and open with Data Subjects about how their data is collected, processed and used.
- Accountability: take responsibility for decisions and actions regarding data processing.
- Respect for Individual Rights: uphold Data Subjects' rights, including autonomy, dignity and consent.
10.2. Guidance for Ethical Data Use:
- Always evaluate the intent and impact of a data use.
- Perform bias assessments on datasets and algorithms to identify and mitigate unfair treatment.
- Ensure meaningful consent is obtained and maintained.
- Maintain transparency for automated decision-making and provide explanation mechanisms.
- Prioritise privacy by design in all data initiatives.
These principles apply to all data-related activities and complement the legal obligations outlined in this Policy.

11. RESPONDING TO A PROTECTED INFORMATION INCIDENT

Settlex has implemented procedures to manage any suspected Personal Data incident, including Personal Data Breaches, and will notify Data Subjects and/or any applicable regulator where legally required or otherwise appropriate.
11.1. Settlex is subject to strict timelines for responding to a Personal Data Breach where the rights and freedoms of affected individuals may be impacted.
11.2. A Personal Data Breach has a wide definition and could include any scenario where Personal Data is:
11.2.1. accessed by an unauthorised Third Party (for example through hacking or a cyberattack);
11.2.2. sent or otherwise disclosed to an incorrect recipient;
11.2.3. lost or stolen;
11.2.4. altered without permission; or
11.2.5. unavailable for a significant period of time (except for routine maintenance).
11.3. It is important that you report any suspected Personal Data Breach immediately to the Compliance and Governance Director using the Contact methods outlined in Section 12 of this Policy.

12. CONTACT

12.1. Employees are expected to report any possible violation of this Policy.
12.2. If you have any general queries or questions about this Policy, please contact the Chief Technology Officer at feranmi@trysettle.com.
12.3. Suspected Personal Data Breaches should be reported to the Chief Technology Officer at feranmi@trysettle.com.

Appendix - Definitions

- Anonymised Data – Information which does not relate to an identified or identifiable individual, or Personal Data which has been rendered anonymous in such a manner that an individual is no longer identifiable. Personal Data is anonymised when direct and indirect identifiers are completely removed from the dataset.
- Data Protection Impact Assessment (DPIA) – Tools and assessments used to identify and reduce the risks of a data processing activity. A DPIA can be carried out as part of Privacy by Design and should be conducted for all major system or business change programmes involving the Processing of Personal Data.
- Data Subject – An identifiable natural person whose Personal Data is being collected, held or processed.
- Data Subject Rights – The set of rights granted to Data Subjects under applicable data protection laws and regulations, as detailed in the respective in-country sections of this Policy.
- IT Resources – All hardware and software including, but not limited to, host computers, files, applications, communications, email, fax, intranet, print servers, workstations, stand-alone computers, laptops, handhelds, mobile phones, printers, software, hubs, switches, routers, cables, and all other internal and external computer and communications resources and devices which may receive, transmit and/or store Settlex Personal Data.
- Personal Data/Information – Any information relating to an identified or identifiable natural person ("Data Subject") who can be identified, directly or indirectly, in particular by reference to an identifier such as the name, email address, location or date of birth of that natural person.
- Privacy Notices – Separate notices setting out information that may be provided to Data Subjects when Settlex collects information about them. These notices may take the form of general privacy statements applicable to a specific group of individuals (for example, employee privacy notices or the website privacy policy), or they may be stand-alone privacy statements covering Processing related to a specific purpose.
- Processing – Any operation performed on Personal Data, whether manually or by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- Personal Data Breach – Any act or omission that compromises the security, confidentiality, integrity or availability of Personal Data. The loss, or Unauthorised Use or Disclosure, of Personal Data is a Personal Data Breach.
- Pseudonymised Data – Personal Data is considered pseudonymised when the identifiers referred to in the definition of Anonymised Data are kept separately (instead of being completely removed), and appropriate measures are taken to ensure that the Pseudonymised Data is not attributed to a Data Subject. Pseudonymised Data is still Personal Data and is subject to applicable data protection laws and regulations.
- Sensitive Data – Personal Data revealing racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, or biometric or genetic data.
- Employee – Settlex employees regardless of the type of engagement model or agreement (including full-time and part-time employees, interns and independent contractors), and other persons who, in the performance of work for Settlex, process Personal Data on Settlex's behalf, whether or not they are paid by Settlex.
- Third Party – A non-Settlex enterprise, agency or organisation, or an unauthorised user.
- Unauthorised Use or Disclosure – Any acquisition, access, use or disclosure of Personal Data that is not permitted by applicable law or by Settlex privacy policies and procedures.