VIWELL data protection policy
Purpose
This Privacy Policy explains how VIWELL collects, uses, shares, stores, and protects personal data, and describes the privacy choices and rights available to users and other individuals.
Scope
This Privacy Policy applies to personal data processed by VIWELL in connection with its mobile applications, websites, services, and related communications, including users, prospective users, and representatives of organizations.
Definitions and Acronyms
Key terms used in this Privacy Policy:
Personal Data: Any information relating to an identified or identifiable individual.
Sensitive Personal Data / Health Data: Personal data that reveals health information or other sensitive attributes as defined by applicable law.
Processing: Any operation performed on personal data (e.g., collection, use, storage, disclosure, deletion).
Controller: The entity that determines the purposes and means of processing personal data.
Processor: The entity that processes personal data on behalf of the controller.
Cookies and Tracking Technologies: Technologies used to store or access information on a device and track usage of digital services.
Policy principles
VIWELL applies the following privacy principles:
Lawfulness, fairness, and transparency.
Purpose limitation and data minimization.
Accuracy and integrity of personal data.
Storage limitation and secure deletion.
Security, confidentiality, and resilience of processing.
Accountability and demonstrable compliance.
Policy requirements
Lawful Basis and Transparency
VIWELL collects only the personal data that is necessary for the purposes described in this Privacy Policy. We process personal data on one or more lawful bases, depending on the context and applicable law, including: your consent where required; performance of a contract (or steps taken at your request before entering into a contract); compliance with legal obligations; protection of vital interests; and other bases permitted under applicable law such as public interest tasks or legitimate interests, subject to appropriate safeguards. Where we rely on consent, you may withdraw it at any time and this will not affect the lawfulness of processing before withdrawal.
VIWELL | [Privacy Policy] | Version [1.1] | Public | Page 5 of 12
Who are we
Imagine a world where every employee has access to the knowledge, resources, and tools they need to empower their best work life, every day. This is our vision at VIWELL. We believe holistic health is the right of every human being and we’ve created a way to make it accessible and sustainable for all. VIWELL is a personalized, proactive, and engaging digital wellbeing platform focused on improving the performance of your people whilst delivering growth for your organization through employee wellbeing. VIWELL combines employee support, holistic wellbeing, recognition, and rewards into a single online wellbeing solution that engages with 100% of your people. By combining Nutritional, Social, Mental, Professional, Physical, and Financial Wellbeing, we build proactive and sustainable wellbeing within the workplace worldwide, resulting in maximum engagement with an organization’s people. We are your single hub with all the solutions, tools and support you need to put employee wellbeing at the center of your business strategy. As we are a digital solution, we have global reach and can support organizations with multiple offices and locations. We look at the whole person’s balance and wellbeing, and that’s why we have built our entire wellbeing solution around VI (6) pillars of wellbeing; after all, as people we’re multi-dimensional, so our solution must be too.
What personal data do we collect
VIWELL collects personal data to enable us to provide you with our products and services. The personal data collected vary with the nature of the product or service we provide or may provide you with. Commonly, this includes, among others, your name, contact data such as email address, phone or mobile phone number, (business) location, and your age or date of birth. Prior to processing sensitive information, in particular health information, clear, unambiguous, explicit and mandatory written consent is required, within the constraints of the law. You provide some of this data to us directly by subscribing to newsletters or other regular information from VIWELL, by requesting offers for products or services from us, or by taking delivery of products or services we offer. We also obtain some of your data by using tracking cookies on our public websites.
VIWELL may request health information only when explicitly required and after your explicit consent. Health information is information created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse.
In addition, the health information requested by VIWELL may relate to your past, present, or future physical or mental health or condition.
The said information also includes individually identifiable health information, including demographic information collected from you and created or received by a health care provider, health plan, employer or health care clearinghouse, or relating to the past, present or future physical or mental health or condition.
What do we use personal data for
We use personal data for the following purposes (as applicable):
Assess and onboard users and organizational customers.
Provide, operate, and improve VIWELL products and services.
Deliver requested features, coaching, and support.
Manage contractual relationships and billing where applicable.
Comply with legal and regulatory obligations.
Protect the safety, security, and integrity of our services.
Where is your personal data stored
VIWELL makes use of three main ways of processing your personal data: on-site by VIWELL in our data center, on-line with major providers, and, for specific products and services, using (cloud) applications provided by selected third parties. The transfer mechanisms utilized for international data transfers, such as Standard Contractual Clauses (SCCs), adequacy decisions, or binding corporate rules, are specified within the General Data Protection Regulation.
VIWELL has a strict security policy to ensure adequate security of your personal data. When we use an on-line provider, we choose to work with industry leaders, or other parties who comply with country-specific law and who have extensive security and privacy measures in place. The storage period of your personal data depends on the type of process for which it is needed. For many of our products and services, your personal data are part of a continuous process, which is why your personal data will be stored until that process terminates. In all other cases, your personal data will be deleted without undue delay when it has served its purpose, unless a legal storage period applies.
With whom do we share personal data
VIWELL generally does not share data with others that collect and use personal data for their own (business) purposes. If needed to provide you with products and services by VIWELL, third parties may receive data from us about you. We may share your personal data with others who are related to our products and services. Personal data of a sensitive nature is generally not shared unless the strict exemptions of the law are followed or in case of emergency where your vital interests are best served by sharing relevant information. Third parties are sometimes utilized to process the data on our behalf and provide analytical information. Such third parties are expected to treat your personal information as confidential and are never authorized to utilize your data other than for our own specific purposes and are bound by obligations at least as strict as our own and within the confines of the law.
Cross-Border Data Transfers and Localization Requirements
General Principle for International Data Transfers
VIWELL is committed to ensuring that all transfers of personal data to countries or territories outside of the jurisdiction where the data was originally collected comply with applicable data protection laws and regulations. Personal data shall not be transferred internationally unless a high level of protection is ensured in the destination country, or through the implementation of appropriate safeguards that have been reviewed and approved by the relevant local data protection authorities, particularly The Saudi Data & Artificial Intelligence Authority in KSA.
Transfers of personal data must be facilitated using one or more of the following mechanisms, subject to specific governmental approvals where imposed by law, and the following measures shall be taken into consideration:
Appropriate Safeguards: Implementation of robust safeguards, such as Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), or other data transfer agreements that have been explicitly reviewed and approved by local regulators (e.g., the Saudi Data & AI Authority (SDAIA) in KSA, or the relevant authority in the UAE).
Derogations: In the absence of an adequacy decision or appropriate safeguards, transfers shall only occur under specific, limited circumstances defined by applicable law (e.g., explicit consent of the data subject, necessity for the performance of a contract, or for important reasons of public interest).
Who can access your data
VIWELL limits access to personal data internally, and we expect third parties to equally limit access to your personal data on a ‘need to know, right to know’ basis. That is, only those who actively need to process your data are allowed to do so. Right to know means we entrust work with personal data only to persons we can trust and who are entitled to access such data. We extend this to our suppliers and the third parties we work with.
Your rights as an individual
The General Data Protection Regulation (GDPR) provides you with a set of rights. These individual rights are stated in the GDPR and will be respected by VIWELL. These rights include the right to be informed where personal data are collected, the right to access and the right to rectification of your data when it is inaccurate. Also, under specific circumstances mentioned in the GDPR, you may request erasure of your personal data or restrict the processing of it. Furthermore, you have the right to object to the processing of your personal data, or to being subject to automated decision making and profiling. Lastly, you have the right to data portability. In addition to these rights, you have the right to lodge a complaint with the Data Protection Authority.
Compliance with Saudi Data & Artificial Intelligence Authority (SDAIA) Requirements
The Company acknowledges and commits to complying with all relevant national data protection legislation within the Kingdom of Saudi Arabia (KSA), including the Personal Data Protection Law (PDPL) and its implementing regulations, as enforced by the Saudi Data & Artificial Intelligence Authority (SDAIA).
Where imposed by KSA law, specifically concerning the processing of sensitive personal data or meeting specific thresholds defined by the SDAIA, the Company confirms it will complete or has completed the necessary registration procedures with SDAIA or its designated entity (such as the National Data Management Office), maintaining documentation of all submissions, approvals, and ongoing compliance status.
Compliance with the Health Insurance Portability and Accountability Act (HIPAA) (United States)
VIWELL operates globally and primarily aligns with international data protection frameworks such as the GDPR, UAE PDPL, and KSA PDPL. The Health Insurance Portability and Accountability Act (HIPAA) imposes specific requirements for entities within the United States that handle Protected Health Information (PHI).
Hence, HIPAA regulations apply specifically to PHI when it is created, received, maintained, or transmitted by designated "Covered Entities" (like hospitals, clinics, or health plans) or their "Business Associates" (third-party vendors like VIWELL providing services to Covered Entities) within the United States jurisdiction.
Notice of Privacy Practices (NPP): A critical and separate requirement under HIPAA is the provision of a specific "Notice of Privacy Practices" (NPP) to individuals. This document outlines how a Covered Entity may use and disclose PHI and details the individual's rights concerning their data. If you are a US-based client (a HIPAA Covered Entity), then a specific NPP will apply to your health information.
VIWELL shall enter into a Business Associate Agreement (BAA) with the Covered Entity. In this case VIWELL shall implement specific safeguards for PHI that meet or exceed HIPAA standards.
Jurisdictional Reliance on Local Law: The policies outlined in this global statement focus on the local data protection laws of the regions where we operate (UAE, KSA, EU). The Policy outlines that medical and health data fall under specific, stricter regulations in various jurisdictions (e.g., UAE and KSA health authorities). When U.S. HIPAA law applies to specific client relationships, those contractual terms and the U.S. federal regulations will supersede the general terms of this policy regarding the handling of that specific PHI dataset.
About this privacy statement
This version of the VIWELL Privacy Statement was created in Dec 2022. We will update this privacy statement if any changes apply. If there are any material changes to the statement or in how VIWELL will use your personal data, we will either notify you by prominently posting such changes on our website or by directly sending you a notification. In the event of a conflict between this VIWELL privacy statement and the terms of any agreement(s) between a customer and VIWELL, the terms of those agreement(s) will control. For certain VIWELL entities, a more specific privacy statement may be applicable and will be offered to you in case of personal data processing.
Questions about your privacy at VIWELL
For any inquiries or requests concerning the processing of personal data, the exercise of data subject rights, or compliance with local data protection regulations within the Kingdom of Saudi Arabia (KSA) and the United Arab Emirates (UAE), please contact our dedicated Regional Data Protection Officer (DPO) directly via the channels specified below.
Designated Regional DPO:
Title:
Address:
Telephone:
Email: care@viwell.com
Consent
I have read and accepted the VIWELL Privacy Policy and the Privacy Code for Employee data.
Roles and responsibilities
Roles:
Data Protection Officer (DPO): Owns this Privacy Policy; oversees compliance; handles data subject requests and regulatory engagement.
CISO/Security Lead: Ensures appropriate security controls are implemented to protect personal data.
Product and Engineering: Implement privacy by design and default; ensure data minimization, secure development, and approved data flows.
Legal: Reviews and approves the Privacy Policy and related notices; supports regulatory interpretation.
Vendors and Processors: Must process personal data only under VIWELL instructions and contractual safeguards.
Operating procedures
VIWELL maintains the following privacy operating procedures:
Consent and preference management (including marketing opt-in/opt-out where required).
DSAR intake, verification, response, and record-keeping.
Data retention scheduling and secure deletion aligned to the Data Retention and Deletion Policy.
DPIA and privacy risk review for high-risk processing and new features.
Third-party due diligence and Data Processing Agreements (DPAs) before onboarding vendors.
Incident and breach response in coordination with the Incident Response Policy.
Monitoring, KPIs, and reporting
Monitoring and reporting include:
DSAR response timeliness and completion rate.
Consent opt-in/opt-out accuracy and auditability.
Privacy incidents and near-misses trend.
DPIA completion rate for high-risk changes.
Vendor privacy/security assessment coverage.
Exceptions
Any exception to this Privacy Policy must be approved in writing by the DPO and Legal, documented with risk rationale and compensating controls.
Enforcement
Non-compliance may result in access revocation, disciplinary measures, contract termination for vendors, and other actions permitted by applicable law and internal policies.