
Privacy and Cookie Notice

What we collect, why we collect it, where it goes, how long it stays, and how to exercise your rights. Written so a reasonable person can understand what we are doing on their behalf.

Each section opens with a short “In short” summary in our voice. The fuller text that follows is the formal version of this notice, and prevails in any conflict between summary and section.

Version: 1.0

Last Updated: May 4, 2026

Controller: Jonda Health Pte. Ltd.

How to read this page. The sections labelled “In short” are plain-language summaries we have written to help you orient. They are not the formal notice itself. The fuller text that follows each summary is the formal version, and prevails in any conflict between summary and section.

Two roles, one notice

For our website, marketing, and corporate operations, Jonda Health is the controller of personal data. For data our customers process through JondaX, Jonda Health is the processor, and our customers determine the purposes of processing. The terms of that processing are set out in our Data Processing Addendum.

AT A GLANCE

This Privacy and Cookie Notice (the “Notice”) explains how Jonda Health Pte. Ltd. (“Jonda Health”, “we”, “us”, “our”) collects, uses, shares and protects personal data when you visit our websites at jonda.health and jonda.io (the “Websites”), enquire about or use our products, including JondaX (the “Services”), or otherwise interact with us.

In short:

  • We are a B2B health technology company headquartered in Singapore. We sell to organisations and individuals building health technology, wellness or related products.
  • When you visit our Websites, sign up for an account or talk to our sales team, we process limited personal data about you (name, email, organisation, account details, marketing preferences, technical data such as IP and cookies).
  • Health data uploaded by our customers to JondaX is processed by us only as a Data Processor on the customer’s instructions. If you are a patient or other individual whose data is being processed through JondaX, please see Section 12 below.
  • We do not sell personal data, we do not use personal data to train any large language models or generative AI models, and we use enterprise, no-training, zero-retention configurations for the AI services we use as sub-processors.
  • You have rights over your personal data, including the right to access, correct and delete it. See Section 9 for how to exercise these rights.
  • Questions: privacy@jonda.health.

01. WHO WE ARE AND HOW TO CONTACT US

In short

Jonda Health is a Singapore company, and you can reach our Data Protection Officer at privacy@jonda.health for any privacy question. We do not currently have an EU or UK establishment, so EU and UK individuals can contact us directly until we appoint a Representative.

Jonda Health Pte. Ltd. is a private company limited by shares incorporated in the Republic of Singapore (UEN: 202139018N), with its registered office at 1 North Bridge Road, #19-09 High Street Centre, Singapore 179094.

For the purposes of the Singapore Personal Data Protection Act 2012 (“PDPA”), the EU and UK General Data Protection Regulation (“GDPR” and “UK GDPR”) and applicable US state privacy laws, Jonda Health is the “organisation”, “controller” or “business” (as the case may be) for the personal data described in this Notice, except where we expressly state that we act as a Data Processor on behalf of one of our customers.

You can contact our Data Protection Officer (“DPO”) at:

Email: privacy@jonda.health

Post: Data Protection Officer, Jonda Health Pte. Ltd., 1 North Bridge Road, #19-09 High Street Centre, Singapore 179094

Our Chief Information Security Officer is responsible for information security at Jonda Health and may be contacted via the same address.

EU and UK Representative.

Jonda Health does not currently have an establishment in the European Economic Area or the United Kingdom. Where required under Article 27 of the GDPR or the UK GDPR, we will appoint a Representative and update this Notice with their contact details. In the meantime, EU and UK individuals may contact us directly using the details above.

02. WHAT THIS NOTICE COVERS

In short

This notice covers personal data we process about website visitors, prospective customers, customer authorised users, and people on our marketing list. It does not cover health data uploaded to JondaX by our customers (we process that as a Data Processor on their instructions, see Section 12), or third-party sites we link to.

This Notice covers personal data processed by Jonda Health in the following situations:

  • Visitors to our Websites: people who visit jonda.health, jonda.io or any related pages.
  • Prospective customers: people who fill in a contact or demo-request form, attend our webinars or events, or otherwise speak to our sales team.
  • Customers and Authorised Users: people who register for or use a JondaX account in their professional or business capacity, including employees and contractors of our customer organisations.
  • Recipients of marketing communications: people who have signed up for, or are otherwise lawfully sent, marketing materials by us.

This Notice does not cover:

  • Health data uploaded to JondaX by our customers. We process such data only as a Data Processor on the customer’s instructions. The customer (as Controller) is responsible for telling its patients and other data subjects how their data is processed. See Section 12.
  • Third-party websites or services. Our Websites may link to third-party sites. Those sites have their own privacy notices.

03. PERSONAL DATA WE COLLECT

In short

We collect what you give us (account, billing and contact details, communications, marketing preferences), what is collected automatically when you use our website or product (technical data, cookies, product usage), and information from our sales and marketing platforms or public business sources. We do not ordinarily process special-category data such as your own health data when you are using our website or account.

We collect the following categories of personal data, depending on how you interact with us:

3.1 Information you give us
  • Account and contact information: name, work email, organisation name, job title, country, telephone number (if you provide it).
  • Authentication information: account credentials (passwords are stored in hashed form; we do not have access to your plaintext password).
  • Billing information: billing contact details, billing address, tax identification numbers. Payment card details are entered directly with our payment processor and are not stored by us.
  • Communications: the content of emails, support messages, demo enquiries and other communications you send to us.
  • Marketing preferences: your preferences regarding receipt of marketing communications.
3.2 Information collected automatically
  • Technical data: IP address, device and browser identifiers, operating system, language settings, time zone, referring URL, pages visited, time spent on pages, and other diagnostic data.
  • Cookies and similar technologies: as described in Section 11 below.
  • Product usage data: information about how you use the Services, including features used, transformations performed, error logs and audit logs (used for security, performance, billing and product improvement). When set up, we may use product analytics tools (such as Amplitude or similar) to understand and improve the Services.
3.3 Information from third parties
  • Sales and marketing platforms: information about prospects from our customer relationship management system (currently Pipedrive), event registrations, business contact databases or referrals.
  • Public sources: publicly available business information (such as LinkedIn profile information you have made public) that we use for due diligence on prospective customers.

Sensitive or special category data.

In the ordinary course of operating our Websites and accounts, we do not ask for or knowingly process special categories of personal data (such as your own health data, biometric data or political opinions) about you as a Website visitor, prospect or Customer Authorised User. The processing of health data uploaded to JondaX by our customers is covered separately and is governed by our Data Processing Addendum.

04. HOW AND WHY WE USE PERSONAL DATA

In short

This section maps every purpose we use your data for to the legal basis we rely on under GDPR, UK GDPR and PDPA. Most of it is the everyday business of running a B2B service: operating the website, responding to enquiries, providing the product, billing, support, and improving what we build. You have a right to object to processing based on legitimate interests; see Section 9.

The table below summarises the purposes for which we process personal data, the categories of data involved, and the legal bases on which we rely under the GDPR and UK GDPR. For the PDPA, we rely on consent (express or deemed) or one of the bases set out in the First or Second Schedule to the PDPA, including legitimate interests, contractual necessity, and legal obligation.

Our legitimate interests, where we rely on them, are: operating a sustainable business, providing reliable Services to our customers, communicating with prospects and customers in a B2B context, securing our infrastructure, improving our products, and protecting our legal rights. We have considered, in each case, whether these interests are overridden by the rights and interests of the individuals concerned, and have determined that they are not. You have a right to object to processing based on legitimate interests; see Section 9.

05. AI, DE-IDENTIFICATION AND SERVICE IMPROVEMENT

In short

We do not sell personal data, and we do not use your personal data to train large language models or generative AI. The third-party AI providers we use (currently OpenAI, Anthropic and Google Gemini) sit on enterprise endpoints with no-training and zero-retention configurations, and are contractually prohibited from using anything we send them to train their models. We do derive de-identified, aggregated insights to operate and improve the service, but we do not sell, license, publish or research with those insights.

Jonda Health uses artificial intelligence and large language model technology in the operation of the Services. We want to be specific about what we do and do not do:

  • We do not sell personal data. Full stop.
  • We do not use your personal data to train large language models or generative AI models. Where the Services use third-party AI providers (currently OpenAI, Anthropic and Google Gemini, among others), we use only enterprise endpoints with no-training and zero-retention configurations. Each of these providers is contractually prohibited from using data we send to them to train or improve their models.
  • Customer Data is processed under our DPA. Health data uploaded to the Services by our customers is processed only on customer instructions, in accordance with our Data Processing Addendum.
  • De-identified, aggregated learnings. As permitted by the DPA, we derive de-identified, aggregated insights from the data processed in the Services (for example, knowledge of new biomarkers and reference ranges, or aggregate counts of records processed) and use those insights to operate, maintain, secure and improve the Services for all customers. We do not sell, license, publish or use such de-identified insights for research.
  • No automated decision-making with legal effects. We do not make automated decisions about you that produce legal or similarly significant effects on you within the meaning of Article 22 GDPR.

06. WHO WE SHARE PERSONAL DATA WITH

In short

We share personal data only with service providers and sub-processors we need to run the business (a current list lives at jonda.health/legal/subprocessors), professional advisers under duties of confidentiality, authorities where legally required, and any party in a corporate transaction. We do not share or disclose personal data to anyone for their own marketing purposes.

We share personal data only as necessary for the purposes set out in Section 4. The categories of recipients are:

  • Service providers and sub-processors: we use carefully selected third-party providers to host and run our infrastructure, deliver email, run analytics, and provide the AI capabilities of the Services. A current list of sub-processors used in the Services is maintained at jonda.health/legal/subprocessors. Our other corporate service providers include payment processors, email and productivity providers, our CRM (currently Pipedrive), and accounting and tax advisers.
  • Professional advisers: lawyers, auditors, insurers and other professional advisers who help us run our business under duties of confidentiality.
  • Authorities and regulators: where required by law, in response to a valid legal request, or to protect our rights or those of third parties.
  • Corporate transactions: in connection with a merger, acquisition, financing, reorganisation or sale of business, in which case we will require the recipient to honour this Notice or notify you of any material change.

We do not share or disclose personal data to any third party for that party’s own marketing purposes.

07. INTERNATIONAL DATA TRANSFERS

In short

Our corporate data sits in Singapore. Customer Data uploaded to JondaX sits in the region the customer chooses (Singapore, EU or US for Starter and Growth, locally deployed for Enterprise). When personal data has to cross borders, we apply the standard safeguards: Standard Contractual Clauses for transfers from the EEA, the UK Addendum for transfers from the UK, and equivalent contractual obligations for transfers from Singapore. You can ask for a copy of the safeguards at privacy@jonda.health.

Jonda Health is headquartered in Singapore, and our corporate data (such as CRM data, sales records and internal business data) is held in Singapore.

Customer Data uploaded to the Services is held in the region selected by the Customer (Singapore, the European Union, or the United States for the Starter and Growth tiers; or in a locally deployed environment for Enterprise customers). The transfer mechanisms applicable to Customer Data are set out in the DPA.

Where we transfer personal data outside the country where you are located, for example, where we use service providers based in another country, we apply appropriate safeguards as required by applicable law:

  • Transfers from the EEA: we rely on the European Commission’s Standard Contractual Clauses (Decision (EU) 2021/914) or another lawful transfer mechanism.
  • Transfers from the United Kingdom: we rely on the UK International Data Transfer Addendum or another lawful transfer mechanism.
  • Transfers from Singapore: we ensure that the recipient is bound by legally enforceable obligations to provide a standard of protection at least comparable to the PDPA.

You can ask for a copy of the safeguards that apply by emailing privacy@jonda.health.

08. HOW LONG WE KEEP PERSONAL DATA

In short

We keep data only as long as we need it for the purpose we collected it for, plus any legal retention obligations. The table below sets the standard periods: account data is held for the subscription plus six years; Customer Data is returned or deleted within 30 days of termination; sales records up to three years from last meaningful contact; billing and tax records as required by Singapore tax law; security logs up to two years.

We keep personal data for no longer than is necessary for the purposes for which it was collected and as required by law. Our standard retention periods are set out below; we may retain data for longer where required to comply with a legal obligation, to resolve disputes, or to enforce our agreements.

09. YOUR RIGHTS

In short

Depending on where you are, you have rights to access, correct, delete, restrict or port your personal data, to object to processing based on legitimate interests, to withdraw consent, to opt out of marketing, and to complain to a regulator. California and Washington residents have additional rights set out in the sub-sections below. To exercise any of these rights, email privacy@jonda.health and we will verify your identity and respond within the time limits set by applicable law.

Depending on where you are located and which laws apply, you have some or all of the following rights in relation to the personal data we hold about you:

  • Access. Ask us to confirm whether we process personal data about you and to provide you with a copy.
  • Correction. Ask us to correct personal data that is inaccurate or incomplete.
  • Deletion. Ask us to delete personal data, subject to certain exceptions (for example, where we are required to keep it by law).
  • Restriction and objection. Ask us to restrict our use of your personal data, or object to our processing where we rely on legitimate interests.
  • Portability. Ask us to provide certain personal data in a structured, machine-readable format, or to transmit it to another controller, where technically feasible.
  • Withdraw consent. Where we rely on your consent, you can withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
  • Marketing opt-out. You can opt out of marketing communications at any time using the unsubscribe link in any marketing email or by contacting us.
  • Complain to a regulator. You can complain to the Personal Data Protection Commission of Singapore, the Information Commissioner’s Office in the UK, your local EU supervisory authority, or your applicable US state authority. We would, however, appreciate the chance to address your concerns first; please contact privacy@jonda.health.

9.1 Additional rights for California residents

If you are a California resident, you have additional rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA/CPRA”), including:

  • the right to know the categories and specific pieces of personal information we have collected about you, the sources, the business or commercial purposes for collecting it, and the categories of third parties with whom we share it;
  • the right to delete personal information we have collected from you, subject to exceptions;
  • the right to correct inaccurate personal information;
  • the right to opt out of the “sale” or “sharing” of personal information, and to limit the use of sensitive personal information; and
  • the right not to receive discriminatory treatment for exercising your rights.

We do not sell personal information and we do not share personal information for cross-context behavioural advertising as those terms are defined under the CCPA/CPRA.

In the past twelve (12) months, we have collected the categories of personal information identified in Section 3 of this Notice, for the purposes set out in Section 4, from the sources described in Section 3, and have disclosed those categories to the recipients described in Section 6.

9.2 Additional rights for Washington residents

If you are a Washington resident, the Washington My Health My Data Act (“MHMDA”) gives you specific rights in relation to “consumer health data”. Jonda Health does not, in the ordinary course of its Website and corporate processing, collect consumer health data of Washington residents directly. Where consumer health data is processed through the Services on behalf of one of our customers, that customer is responsible for providing notice and obtaining consent. If you believe your consumer health data is being processed by Jonda Health and you wish to exercise your rights under MHMDA, please contact us at privacy@jonda.health and we will direct you appropriately or assist as required.

9.3 How to exercise your rights

To exercise any of these rights, please email privacy@jonda.health. We will verify your identity in a manner appropriate to the request and respond within the time limits set by applicable law (typically thirty (30) days, with a possible extension where permitted).

You may use an authorised agent to submit a request on your behalf. We may require evidence of the authorisation.

There is no fee for exercising your rights, except where the law allows us to charge a reasonable fee for manifestly unfounded or excessive requests.

10. HOW WE PROTECT PERSONAL DATA

In short

We are certified to ISO/IEC 27001 in respect of the Services. Our protections include encryption in transit and at rest, role-based access controls and multi-factor authentication for administrators, network segmentation, vulnerability management and regular penetration testing, monitoring and incident response, personnel training, and documented business continuity plans. No system is fully secure, but we will notify you and the relevant authorities of a data breach where law requires it.

Jonda Health is certified to ISO/IEC 27001 in respect of the Services and operates an information security management system designed to protect personal data against unauthorised access, alteration, disclosure or destruction. Our technical and organisational measures include:

  • encryption of personal data in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent);
  • role-based access controls and multi-factor authentication for administrative access;
  • network segmentation, vulnerability management and regular penetration testing;
  • logging, monitoring and incident response procedures;
  • personnel training and confidentiality obligations; and
  • documented business continuity and disaster recovery arrangements.

No system can be guaranteed to be one hundred percent secure. If we become aware of a personal data breach affecting your personal data, we will notify you and the relevant authorities where required by applicable law.

11. COOKIES AND SIMILAR TECHNOLOGIES

In short

We use cookies on our website. The strictly necessary ones are always on (you cannot log in or have a session without them). Analytics and advertising cookies require your consent and are not currently active. You can manage your preferences in our cookie banner or in your browser. We do not currently respond to “Do Not Track” signals (no consistent industry standard exists), but we do honour Global Privacy Control signals where law requires it.

We use cookies and similar technologies on our Websites. A cookie is a small text file placed on your device by a website you visit. Cookies allow websites to recognise your device and remember information about your visit (for example, your preferences and settings).

We use the following categories of cookies:

11.1 Managing your cookie preferences

Where consent is required, our cookie banner gives you the option to accept or reject categories of cookies. You can change your preferences at any time by accessing the cookie settings on our Websites.

Most browsers also allow you to control cookies through their settings. Please note that if you disable strictly necessary cookies, the Websites or Services may not function properly.

Do Not Track signals.

Some browsers offer a “Do Not Track” feature. Because no consistent industry standard has been adopted, our Websites do not currently respond to Do Not Track signals. We do honour Global Privacy Control signals where required by applicable law.

12. IF YOU ARE A PATIENT OR DATA SUBJECT WHOSE DATA IS PROCESSED THROUGH JONDAX

In short

If you are a patient, research participant or other individual whose health data is being processed through JondaX by one of our customers (a hospital, clinic, lab or health-tech provider), they are the Controller and the right place to direct questions about your data. We act only as a Data Processor on their instructions, in line with our DPA. We apply de-identification, redaction and pseudonymisation as part of the service. If you cannot reach our customer, you can contact us at privacy@jonda.health and we will route your request or assist where required by law.

Jonda Health is a B2B platform. We do not provide JondaX directly to patients or other individuals as consumers.

If you are a patient, research participant or other individual whose health data is being processed through JondaX by one of our customers (for example, a hospital, clinic, laboratory or health-tech provider), then:

  • Our customer is the Controller. They decide what data is processed and why. You should contact them directly with questions about how your data is processed, to exercise your rights, or to make a complaint.
  • We act as a Data Processor. We process your data only on the customer’s instructions, in accordance with our Data Processing Addendum, which includes safeguards required by applicable law (including HIPAA, GDPR, the UK GDPR and the PDPA) and a 24-hour breach-notification commitment.
  • We apply de-identification. As part of the Services we apply de-identification, redaction and pseudonymisation methodologies to data uploaded to the platform, including the methodologies described in our DPA.
  • If you cannot reach our customer, you may contact us at privacy@jonda.health and we will, where reasonably possible, route your request to the relevant customer or assist as required by law.

13. CHILDREN

In short

Our website and product are not directed to children, and we do not knowingly collect personal data from anyone under 16. If you think we have, please email privacy@jonda.health and we will investigate.

Our Websites and Services are not directed to children, and we do not knowingly collect personal data directly from children under the age of sixteen (16). If you believe we have collected personal data from a child, please contact privacy@jonda.health and we will investigate and, where appropriate, delete the data.

14. CHANGES TO THIS NOTICE

In short

We may update this notice. The date at the top tells you when it was last updated. For material changes, we will give you additional notice (a prominent banner on the website, or an email to customers and account holders), and we will seek your consent where law requires it.

We may update this Notice from time to time. The date at the top of this Notice indicates when it was last updated. If we make material changes, we will provide additional notice (for example, by posting a prominent notice on our Websites or by emailing customers and account holders). Where required by applicable law, we will obtain your consent to material changes.

15. HOW TO CONTACT US

In short

Privacy questions go to privacy@jonda.health, or by post to our Singapore registered office, marked for the Data Protection Officer.

If you have questions or concerns about this Notice or about how we process your personal data, please contact us:

Email: privacy@jonda.health

Post: Data Protection Officer, Jonda Health Pte. Ltd., 1 North Bridge Road, #19-09 High Street Centre, Singapore 179094
