Privacy Notice

last modified: October 6, 2023

Introduction

This privacy policy (“Privacy Policy”) describes the types of information Canvas Medical, Inc. (“Canvas Medical” or “we” or “us”) may collect from you or that you may provide when you (a) visit https://www.canvasmedical.com/ (the “Site”) or other sites owned or operated by us on which this Privacy Policy appears or (b) use any services offered through the Site (collectively with the Site, the “Services”). This Privacy Policy also describes our policies and procedures for the use, maintenance and disclosure of your information.

This Privacy Policy applies to information we collect:

  • On the Site.
  • In email, text and other electronic messages.
  • Through mobile or desktop applications you may download through the Site.

This Privacy Policy does not apply to information collected by us offline or through any other means or any third party, or by any third party, including through any application or content (such as advertising) that may link to or be accessible from or through the Site.

Please read this Privacy Policy carefully to understand our policies and practices regarding your information and how we will treat it. If you do not agree with our policies and practices, do not access or use the Services. By accessing or using the Services, you agree to this Privacy Policy. This Privacy Policy may change from time to time (see Changes to Our Privacy Policy below). Your continued use of the Services after we make changes is deemed to be acceptance of those changes, so please check the Privacy Policy periodically for updates.

Residents of California, Utah, Connecticut, and Colorado may have additional rights. If you are a resident of one of these states or another state that has enacted consumer privacy legislation and believe you have additional rights as detailed in each respective state consumer privacy legislation, please contact us to exercise those rights.

Children’s Privacy

The Services are not intended for children under 16 years of age. No one under age 16 may provide any information to or on the Site or through the Services. We do not knowingly collect personal information from children under 16. If you are under 16, do not use or provide any information on the Site or through the Services. If we learn we have collected or received personal information from a child under 16 without verification of parental consent, we will delete that information. If you believe we might have any information from or about a child under 16, please contact us using the details in the footer of this page.

Information We Collect about You and How We Collect It

While you use our Services, we may collect several types of information from and about you, and we may ask you to provide us with certain information, including personal information. Such information may include:

  • Information by which you may be personally identified, such as name, postal address, email address, telephone number, job title, company name, city, state, country (“personal information”); and
  • Information about your internet connection, the equipment you use to access the Services and usage details.

We collect this information:

  • Directly from you when you provide it to us; or
  • Automatically as you navigate through the Services. Information collected automatically may include usage details, IP addresses and information collected through cookies.

Information You Provide to Us

You may directly provide us with your personal information in the following ways:

  • Website Forms. You may provide us with your personal information by filling out forms on the Site. Such information you provide may include your name, email address, job title and company name. You may also provide us with additional information in the event that we host a contest through the Site and you register for such contest. Such additional information collected through the contest registration form may include city, state, and country.
  • Email Communications or Newsletters. You may provide us with your name and email address in order to receive newsletters or other communications. We may collect information from you through records and copies of our correspondence with you, including your email address.
  • Feedback. You may provide us with your personal information (including contact information) when you provide feedback about the Services.
  • Contacting Us. You may provide us with your personal information when you contact us or request information about us or the Services (whether by email or other means).

Information Collected Automatically

When you use the Services, we may use automatic data collection technologies to collect certain information about your equipment, browsing actions and patterns including:

  • Details of your visits to the Site, including traffic data, location data, logs and other communication data and the resources that you access and use on the Site.
  • Information about your computer and internet connection, including your IP address, operating system and browser type.

The information we collect automatically does not include personal information but we may maintain it or associate it with personal information we collect in other ways. It helps us to improve the Services and deliver better and more personalized services, including by enabling us to:

  • Estimate our audience size and usage patterns.
  • Store information about your preferences, allowing us to customize the Services according to your individual interests.
  • Recognize you when you return to the Site.
  • Analyze our web page flow, customize our content, measure promotional effectiveness and promote trust and safety.

The technologies we use for automatic data collection may include:

  • Cookies (or browser cookies). A cookie is a small file placed on the hard drive of your computer. You may refuse to accept browser cookies by activating the appropriate setting on your browser. However, if you select this setting you may be unable to access certain parts of the Site. Unless you have adjusted your browser setting so that it will refuse cookies, our system will issue cookies when you direct your browser to the Site.
  • Cookies can be “Persistent” or “Session” cookies. Persistent cookies remain on your personal computer or mobile device when you go offline, while session cookies are deleted as soon as you close your web browser. Some persistent cookies may allow us to remember choices you make when you use the Site, and the purpose of such cookies is to provide you with a more personal experience when using the Site.
  • Third Party Analytics Tools. We may also use third party analytics tools (e.g. Google Analytics) that use cookies to help us analyze how users use the Services. Entities providing these devices and applications may use cookies and other tracking technologies to perform their services.

Third parties such as advertising networks, analytics providers, and widget providers may collect information about your online activities over time and across different websites when you access or use our Site. Currently, our systems do not recognize browser “do-not-track” requests. You may, however, disable certain tracking as discussed in this section (e.g., by declining cookies), but such disabling may impair use of the Site.

How We Use Your Information

We use information that we collect about you or that you provide to us, including any personal information:

  • To present the Site and its contents to you (including the Services).
  • To provide you with information, products or services that you request from us.
  • To send you newsletters or promotional materials.
  • To carry out our obligations and enforce our rights arising from any contracts entered into between you and us, including any contest terms and conditions.
  • To notify you about changes to the Site or Services.
  • To understand and analyze usage trends and preferences of our users, to improve the Services and to improve fraud detection and information security.
  • To evaluate your eligibility for participation in any Canvas Medical-sponsored contest.
  • To communicate with you and fulfill prize distribution, in the event you are selected as the winner of a Canvas Medical-sponsored contest.
  • To comply with legal requirements, defend or exercise legal claims, respond to law enforcement or governmental investigations or requests and protect our rights and the rights and safety of our users and others.
  • In any other way we may describe when you provide the information.
  • To fulfill any other purpose for which you provide it.
  • For any other purpose with your consent.

Disclosure of Your Information

We may disclose aggregated information about our users without restriction. We may disclose your information, including information that we collect or you provide, as described in this Privacy Policy:

  • To our subsidiaries and affiliates.
  • To contractors, service providers and other third parties we use to support our business.
  • To a buyer or other successor in the event of a merger, divestiture, restructuring, reorganization, dissolution or other sale or transfer of some or all of Canvas Medical’s assets, whether as a going concern or as part of a bankruptcy, liquidation or similar proceeding, in which personal information held by Canvas Medical about users of our Services is among the assets transferred.
  • To comply with any court order, law or legal process, including to respond to any government or regulatory request.
  • If we believe disclosure is necessary or appropriate to protect the rights, property or safety of Canvas Medical, our customers or others.
  • For any other purpose disclosed by us when you provide the information.
  • To fulfill the purpose for which you provide it.
  • With your consent.

You may decline to share certain information with us, in which case we may not be able to provide to you some of the features and functionalities of the Services. If you do not wish to receive email offers or newsletters from us, you can opt-out of receiving email information from us by using the unsubscribe process at the bottom of the email. Although your changes are reflected promptly in active user databases, we may retain all information you submit for a variety of purposes, including backups and archiving, prevention of fraud and abuse, and analytics.

Transfer of Your Information

Your personal information is processed at Canvas Medical’s operating offices and in any other places where the parties involved in the processing are located. Such information may be transferred to and maintained on computers or servers (including those of our cloud providers) located in a governmental jurisdiction where applicable data protection laws may differ from those of your jurisdiction. Your submission of your personal information to us represents your agreement to such transfer. No transfer of your personal information will occur to another country without adequate controls in place to address the security of your personal information.

Patient Information

We do not request any patient information through the Site. However, certain web-based services provided by us may involve access to, and the processing of, patient information, and some of our users – such as healthcare providers – may be subject to laws and regulations governing the use and disclosure of health information they create or receive, including the Health Insurance Portability and Accountability Act of 1996, as amended from time to time, together with the regulations adopted thereunder (“HIPAA”). Such patient or health information may be considered Protected Health Information (“PHI”) as that term is defined in the Health Insurance Portability and Accountability Act of 1996, as amended, and its implementing regulations (“HIPAA”). Such information may also be regulated by certain state laws. When we store, process or transmit PHI on behalf of a healthcare provider, we do so as its “business associate” (as defined by HIPAA). For the purpose of this Privacy Policy, the term “health care provider” means any user who is a “health care provider” (as defined by HIPAA) or any user who is a member of such health care provider's “workforce” (as also defined by HIPAA). This Privacy Policy does not apply to our use and disclosure of PHI. If you have any questions or concerns regarding PHI you believe may be processed by us or the Services, please contact the health care provider customer with whom you have a relationship directly.

Third Party Links

The Site may contain links to third-party websites and applications. Any access to or use of such linked websites is not governed by this Privacy Policy, but instead is governed by the privacy policies of such third party websites. We are not responsible for the information practices of such third party websites.

Data Security

We have implemented measures designed to protect your information from accidental loss and from unauthorized access, use, alteration and disclosure. However, no security measures are perfect or impenetrable, and the transmission of information via the Internet is not completely secure. As such, we cannot ensure or warrant the security of any information you transmit to us through the Services, and you do so at your own risk. We cannot guarantee that such information may not be accessed, disclosed, altered or destroyed by breach of any of our safeguards, and we cannot control the actions of other users or third parties with whom you may choose to share your information. Any transmission of your personal information is at your own risk. We are not responsible for the circumvention of any privacy settings or security measures contained on the Site.

Changes to Our Privacy Policy

The Privacy Policy is current as of the “Last Updated” date set forth above. We may change this Privacy Policy from time to time, so please be sure to check back periodically. If we make any changes to this Privacy Policy that materially affect our practices with regard to personal information we have previously collected from you, we may notify you through a notice on the Site or another notification method. You are responsible for periodically visiting the Site and this Privacy Policy to check for any changes.

Visitors from Outside the United States

The Site is controlled and operated by Canvas Medical in the United States, which may have fewer protections than your jurisdiction of residence. If you choose to access the Site from outside the United States, you acknowledge that you will be transferring your information, including personal information, outside of those regions to the United States for storage and processing, as necessary to provide the Services to you.

Contact Us

Please contact us with any questions or comments about this Privacy Policy, our privacy practices or your personal information by using the details in the footer of this page.

NOTICE TO EU DATA SUBJECTS

The terms of this “Notice to EU Data Subjects” (“EU Notice”) and rights granted hereunder apply solely to individuals located in the European Economic Area or the United Kingdom. Any terms not defined in this EU Notice shall have the meaning ascribed to them in the Privacy Policy. For purposes of this EU Notice, Canvas Medical is the controller and responsible for any information relating to an identified or identifiable natural person (i.e. a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person) (“Personal Data”). The registered office of Canvas Medical is located at 220 Montgomery Street, Suite 991 San Francisco, California 94104.

1. Collection, Use, Disclosure and Transfer of Personal Data

We may collect, use and disclose your Personal Data in accordance with the terms of the Privacy Policy. If we transfer your Personal Data to countries outside of the European Economic Area or the United Kingdom, we will ensure that such data is transferred in accordance with the Privacy Policy and this EU Notice, and as permitted by the applicable laws on data protection.

2. Sensitive data

Some of the information you provide us may constitute sensitive data as defined by the European Union General Data Protection Regulation (“GDPR”) (also referred to as special categories of Personal Data), including government-issued identification documents or health-related data.

3. Legal basis for processing

We are required to inform you of the legal basis of our processing of your Personal Data, which is described in the table below. Our basis varies depending on the specific purpose for which we use Personal Data. If you have questions about the legal basis under which we process your Personal Data, contact us using the details in the footer of this page.

Processing Purpose:

  • To communicate with you
  • To provide, improve and optimize our Services
  • For compliance with legal obligations, fraud detection and prevention, and safety

Legal Basis: These processing activities constitute our legitimate business interests and the interests of our customers. We consider and balance any potential impacts on you (both positive and negative) and your rights before we process your Personal Data for our legitimate interests. We do not use your Personal Data for activities where our interests are overridden by any adverse impact on you (unless we have your consent or are otherwise required or permitted to by law).

Processing Purpose:

  • With your consent

Legal Basis: Where our use of your Personal Data is based upon your consent, you have the right to withdraw it anytime in the manner indicated in the Services or by contacting us using the details in the footer of this page.

4. Your rights

Under the GDPR, you have the below rights regarding your Personal Data, and you may ask us to take the following actions in relation to your Personal Data that we hold:

(a) Access. You have the right to access your Personal Data and confirm if we are processing it and the purposes of the processing.

(b) Correct. You have the right to update or correct inaccuracies in your Personal Data.

(c) Delete. You have the right to ask us to delete your Personal Data, which may be exercised, among other reasons, (i) when your Personal Data is no longer necessary for the purposes for which it was collected or otherwise processed; (ii) when you withdraw consent from the purposes for which we processed it and where we have no other legal ground for processing; (iii) when you object to processing and we have no overriding legitimate grounds for the processing; or (iv) when your Personal Data has been unlawfully processed.

(d) Restrict. You have the right to restrict the processing of your Personal Data, including where the processing is unlawful or when the accuracy of your Personal Data is contested.

(e) Data Portability. You have the right to data portability of your Personal Data, where technically feasible, including the right to transfer a machine-readable copy of your Personal Data to you or a third party of your choice.

(f) Object. You have the right to object to our processing of your Personal Data, including processing for direct marketing purposes, and our reliance on our legitimate interests as the basis of our processing of your Personal Data.

(g) Opt-out. You have the right to opt-out of receiving direct marketing communications which you have previously consented to receive. However, we may continue to send you Services-related and other non-marketing communications.

You can exercise your rights outlined above and submit these requests by using the details in the footer of this page. Please include a detailed description of the right that you are exercising and the action that you are requesting that we take. We may request specific information from you to help us confirm your identity and process your request. Applicable law may require or permit us to decline your request. If we decline your request, we will provide an explanation, subject to legal restrictions. If you would like to submit a complaint about our use of your Personal Data or response to your requests regarding your Personal Data, you may contact us by using the details in the footer of this page. While we encourage you to contact us directly and allow us to work with you to address your concerns, you also have the right to lodge a complaint before the Data Protection Authority in the EU Member State where you reside, work or the place of the alleged infringement. For the United Kingdom you can contact the Information Commissioner Office (https://ico.org.uk/).

5. Retention of Your Personal Data

(a) Canvas Medical will retain your Personal Data only for as long as is necessary for the purposes set out in the Privacy Policy. We will retain and use your Personal Data to the extent necessary to comply with our legal obligations (for example, if we are required to retain your Personal Data to comply with applicable laws), resolve disputes, and enforce our legal agreements and policies. We may retain your Personal Data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

(b) To determine the appropriate retention period for Personal Data, we consider the amount, nature and sensitivity of the Personal Data, the potential risk of harm from unauthorized use or disclosure of your Personal Data, the purposes for which we process your Personal Data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

(c) Canvas Medical will also retain data collected automatically, either generated by the use of the Services or from the Services infrastructure itself (for example, the duration of a page visit) (“Usage Data”) for internal analysis purposes. Usage Data is generally retained for a shorter period of time, except when this data is used to strengthen the security or to improve the functionality of our Services, or we are legally obligated to retain this data for longer time periods.