1.Aggregate Information: information that has been combined with that of other users and analyzed or evaluated as a whole, such that no specific individual may be
reasonably identified.

2. De-identified Information: information that has been stripped of your Registration Information (e.g., your name and contact information) and other identifying data such that you cannot reasonably be identified as an individual, also known as pseudonymized information.

3. Individual-level Information: information about a single individual's genotypes, diseases or other traits/characteristics, but which is not necessarily tied to Registration Information.

4. Personal Information: information that can be used to identify you, either alone or in combination with other information. truGeny collects and stores the following types of Personal Information:

1. Registration Information: information you provide about yourself when registering for and/or purchasing our Services (e.g. name, email, address, user ID and
   password, and payment information).

2. Genetic Information: information regarding your genotypes (i.e. the As, Ts, Cs, and Gs at particular locations in your genome), generated through processing of
   your saliva by truGeny or by its contractors, successors, or assignees; or otherwise processed by and/or contributed to truGeny.

3. Self-Reported Information: information you provide directly to us, including your disease conditions, other health-related information, personal traits, ethnicity,
   family history, and other information that you enter into surveys, forms, or features while signed in to your truGeny account.

4.  Sensitive Information: information about your health, Genetic Information, and certain Self-Reported Information such as racial and ethnic origin, sexual orientation,
   and political affiliation.

5. User Content: all information, data, text, software, music, audio, photographs, graphics, video, messages, or other materials - other than Genetic Information
   and Self-Reported Information-generated by users of truGeny Services and transmitted, whether publicly or privately, to or through truGeny

6. Web-Behavior Information: information on how you use truGeny Services collected through log files, cookies, web beacons, and similar technologies, (e.g., browser
   type, domains, page views).

truGeny incorporates explicit security reviews in the software development lifecycle, quality assurance testing and operational deployment.

Registration Information is stripped from Sensitive Information, including Genetic and Self-Reported Information. This data is then assigned a randomly generated ID so an individual cannot reasonably be identified.

truGeny uses industry standard security measures to encrypt Sensitive Information both at rest and in transit.

truGeny ensures processing, production, and research environments are separated and access is restricted. Data, including Registration Information, Genetic Information, and Self-Reported Information are segmented across logical database systems to further prevent re-identifiability.

We limit access to Personal Information to authorized personnel, based on job function and role. truGeny access controls include multi-factor authentication, single sign-on, and strict least-privileged authorization policy.

truGeny uses state of the art intrusion detection and prevention measures to stop any potential attacks against its networks. We have integrated continuous vulnerability scanning in our processes and regularly engage third party security experts to conduct penetration tests.

truGeny maintains a formal incident management program designed to ensure the secure, continuous delivery of its Services. truGeny has implemented an incident management program using industry best practices, including guidance from the National Institute of Standards and Technology (NIST).

truGeny requires service providers to implement and maintain accepted industry standard administrative, physical and technical safeguards to protect Personal Information

truGeny participates in and has certified its compliance with both the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of Personal Information transferred from the European Union (EU), European Economic Area (EEA), and Switzerland to the United States, respectively. truGeny is committed to subjecting all Personal Information received from the EU member countries, EEA and Switzerland, in reliance on the Privacy Shield Frameworks, to the Framework's applicable Principles. If there is any conflict between the terms in this Privacy Statement and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit U.S. Department of Commerce's Privacy Shield List. (https://www.privacyshield.gov/list) truGeny is responsible for the processing of Personal Information it receives, under the Privacy Shield Frameworks, or subsequently transfers to a third party acting as an agent on its behalf. truGeny complies with the Privacy Shield Principles for all onward transfers of Personal Information from the EU, EEA and Switzerland, including the onward transfer liability provisions. With respect to Personal Information received or transferred pursuant to the Privacy Shield Frameworks, truGeny is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, truGeny may be required to disclose Personal Information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

We are the “controller” with respect to your Personal Information because we determine the means and purposes of processing your information when using our Services.

We describe how we process your Personal Information in Sections 2 through 4 of this Privacy Statement. We may process your Personal Information if you consent to the processing, to satisfy our legal obligations, if it is necessary to carry out our obligations arising from any contracts we entered with you or to take steps at your request prior to entering into a contract with you, or for our legitimate interests to protect our property, rights or safety of truGeny, our customers or others.

We will obtain your consent where required to send you marketing communications using electronic means. You may withdraw your consent at any time within your Account Settings or by emailing privacy@trugeny.com (mailto:privacy@trugeny.com) We will only contact you by electronic means (email, push notification, SMS, etc.) with information about our Services that are similar to those which were the subject of a previous sale or negotiations of a sale to you. We will only share your Personal Information with third parties for marketing purposes with your explicit consent. If you do not want us to use your Personal Information in this way, please review and update your Account Settings as necessary or contact us at privacy@trugeny.com (mailto:privacy@trugeny.com). You may raise such objection with regard to initial or further processing for purposes of direct marketing at any time and free of charge. The withdrawal of your consent will not affect the lawfulness of processing based on consent before its withdrawal. Other marketing activities will happen based on the legitimate interests of truGeny. E.g., where we tailor marketing communications or send targeted marketing messages via post, phone or social media and other third party platforms; and in providing existing customers with information (via email or other channels) about similar products and services.

You can exercise your privacy rights by following the instructions below or contacting us at privacy@trugeny.com. (mailto:privacy@trugeny.com) We will handle your request under applicable law. When you make a request, we may verify your identity to protect your privacy and security. Right to withdraw consent. To the extent truGeny requests and you provide your consent to the processing of your Personal Information, you can withdraw your consent at any time. Your withdrawal will not affect the lawfulness of our processing based on consent before your withdrawal. Right of access to and rectification of your Personal Information. Our site allows you to access and rectify certain Registration Information within your Account Settings, and your Self-Reported Information by going to the surveys page. You can download your raw Genetic Information within your Account Settings or by going to the applicable tool in "Tools". If you would like to access or rectify any other information, contact Customer Care and we will do our best to assist you without undue delay. We may reject part or all of your request if responding to your request could adversely affect the rights and freedoms of others. Right to erasure (or, "Right to be Forgotten"). As explained under Section 5.d. ("Account Deletion"), we allow our customers to delete theiraccounts at any time. You can request erasure of Personal Information that: (a) is no longer necessary in relation to the purposes for which it was collected or otherwise processed; (b) was collected in relation to processing to which you previously consented, but later withdrew such consent; or (c) was collected in relation to processing activities to which you object, and there are no overriding legitimate grounds for our processing. If we have made your Personal Information public and we are required to erase such Personal Information, we will take reasonable steps, including technical measures, to inform controllers that are processing any links to or copies or replications of your Personal Information of your erasure request. Our assistance with your request for erasure is subject to limitations by relevant data protection laws, available technology and the cost of implementation.

Right to data portability. If we process your Personal Information based on a contract with you or based on your consent, or the processing is carried out by automated means, you may request to receive your Personal Information in a structured, commonly used and machine-readable format, and to have us transfer your Personal Information directly to another controller, where technically feasible, unless exercise of this right adversely affects the rights and freedoms of others. A "controller" is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of your Personal Information.

Right to restriction of our processing. You can restrict our processing of your Personal Information where one of the following applies: (a) you dispute the accuracy of Personal Information processed by truGeny (for a period enabling us to verify its accuracy); (b) the processing is unlawful and you oppose the erasure of the Personal Information and request the restriction of its use instead; (c) truGeny no longer needs the Personal Information for the purposes of the processing, but it is required by you for the establishment, exercise or defense of legal claims; and (d) you have objected to certain processing relying on legitimate interest, pending the verification whether truGeny's legitimate grounds override your rights. Restricted Personal Information shall only be processed with your consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest. We will notify you if the restriction is lifted. Notification of erasure, rectification and restriction. We will provide notice to each recipient that we disclosed your Personal Information to regarding any rectification or erasure of Personal Information or restriction of processing, unless you initiated the disclosure or providing notice proves impossible or involves disproportionate effort. Upon your request, we will share the list of recipients with you. Right to object to processing. Where the processing of your Personal Information is based on consent, contract, or legitimate interests described under the Legal Bases for Processing heading above, you may restrict or object, at any time, to the processing of your Personal Information as permitted by applicable law. We may continue to process your Personal Information if it is necessary for the defense of legal claims, or for any other exceptions permitted by applicable law. Automated individual decision-making, including profiling. You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects on you, except as allowed under applicable data protection laws. Retention of your Personal Information. Unless you make a request for us to delete your account or delete certain Personal Information (i.e., User Content, etc.), we will store your Personal Information as long as your account is open. If you request to delete your account, we will take the steps described under “Your Choices – Account Deletion” and delete all your Personal Information, unless a longer retention period is required or permitted by law. The rights described above may be limited by local laws. Further, your right of access and deletion is not absolute and may not be available if fulfillment of such right would, among other things: cause interference with execution and enforcement of the law and legal private rights (such as in the case of the investigation or detection of legal claims or the right to a fair trial); breach or prejudice the rights of confidentiality and security of others; prejudice security or grievance investigations, corporate re-organizations, future and ongoing negotiations with third parties, the compliance with regulatory requirements relating to economic and financial management; or otherwise violate the interests of others or where the burden or cost of providing access would be disproportionate.