Privacy Policy

1. IMPORTANT NOTICE

Rari Laboratory provides laboratory services that are designed to help patients and their providers identify and assess their state of health through the use of laboratory testing, while delivering these results in a safe and secure manner (collectively “Services”).

Rari Laboratory respects your privacy. This Privacy Notice sets out how Rari Laboratory collects and processes your personal data when you access and use our Services.

This Privacy Notice also provides certain information that is legally required and lists certain of your rights in relation to your personal data under applicable law.

Additionally, we may amend this Privacy Notice from time to time and encourage you to check our Privacy Notice regularly to understand how we may process your Personal Data.

2. INFORMATION ABOUT DATA TYPES AND USE

2.1. Data Types

This Privacy Notice relates to personal data about you and your interaction with our Services. “Personal Data” is information that can be used to identify you, directly or indirectly, alone, or together with other information. Personal Data includes such things as: your full name, email address, phone number, mailing address and certain cookie &/or network identifiers.

Rari Laboratory collects, uses, and discloses Personal Data as outlined in this Privacy Policy, including to operate and improve the products offered our customers; for internal advertising and marketing purposes; and to provide you, the customer the Services you have requested.

2.2. How We Collect Data

When you register for an account or interact with or utilise our Products or Services.

We collect Data when you use or interact with our Site and Services, including when you register with us, browse our products online, or make purchases from us. This Personal Data may include name, address, phone number, username and password, email address, date of birth, location data, and payment information.

We collect Personal Data when you communicate with us or sign up to receive promotional materials, sign up for webinars or request other general information.

Rari Laboratory does not purchase or otherwise obtain data about you from third-party sources to help us provide and improve the Services and for marketing and advertising.

We may collect certain Personal Data using cookies and other technologies, such as web beacons, device IDs, geolocation, HTML5 local storage, Flash cookies, and IP addresses. We specifically use browser cookies for different purposes, including cookies that are strictly necessary for functionality and cookies that are used for personalization, performance/analytics, and advertising. Our Use of Cookies section contains more information and options to control or opt-out of certain data collection or uses.

Users Under 18 Years of Age If you become aware that an individual under 18 years of age has provided us with Personal Data without parental consent, please contact us at contact@raridx.com. If we become aware that an individual under 18 has provided us with Personal Data without parental consent, we will take steps to remove the data as permitted by law.

2.3. Why We Collect and Process Your Personal Data

We need to process certain of your Personal Data in order to fulfil our contractual obligations to you and to provide you with the Services. Where we ask for your consent to process your Personal Data, you have the right to withdraw such consent as described in this Privacy Notice. Please note, however, we may be unable to provide you certain Services that require the use of Personal Data.

Please note that even where your consent would otherwise be required, we may nevertheless process your Personal Data in accordance with our legitimate interests under applicable law, as described in this Privacy Notice.

2.4. How We Disclose Personal Data

We may disclose your Personal Data as described in this Privacy Notice, including:

To Service Providers and Vendors With business partners and vendors to effectively deliver our laboratory Services to our providers and patients. For example, an EHR (electronic health record) provider who delivers test results directly to health care providers and patients, on our behalf. For Advertising and Marketing

Rari Laboratory does not share or sell any personal information to third party companies to be used for external marketing purposes. Rari Laboratory does not host third party or interest-based advertising on our Sites. For more information on how data is disclosed for advertising see Advertising and Analytics section of this Privacy Notice.

For Legal Compliance, Law Enforcement, and Public Safety Purposes Last Rev. 10.24.2018 Rari Laboratory Privacy Practices As permitted by law, with law enforcement, government or regulatory bodies, lawful authorities, or other authorized third parties in order to comply with laws, regulators, court orders, matters of national security or other legal obligations

or to assist in an investigation, to protect and defend our rights and property, or the rights or safety of third parties, to

enforce our Terms of Use, this Privacy Notice, or agreements with third parties, or for crime-prevention purposes.

Actual or Contemplated Sale, Acquisition, or Reorganization

At some future date, Rari may in connection with a contemplated reorganization or an actual reorganization of our

business, in connection with financing, a sale, acquisition or other transaction involving the disposal of all or part of our

business or assets, including for the purpose of permitting the due diligence required to decide whether to proceed with

a transaction.

3. USE OF COOKIES

The Site uses cookies to improve user experience.

A “cookie” is a small text file that a web server stores in browser software. A browser sends cookies to a server when the

browser makes a connection to the server (for example, when requesting a web page from the same domain that

created the cookie). The purpose of cookies is to remember the browser over time and distinguish one browser instance

(or user) from all others. Some cookies and other technologies may serve to recall Personal Data previously indicated by

a web user. Most browsers allow you to control cookies, including whether or not to accept them, and how to remove

them. Cookies can remember login information, preferences, and shopping cart contents. Other cookies, often placed by

our partners or other third parties, are used for analytics, marketing, or advertising.

Cookies, as well as other tracking technologies, such as HTML5 local storage, Local Shared Objects (such as “Flash”

cookies), web beacons, and similar mechanisms, may record information such as Internet domain and host names;

Internet protocol (IP) addresses; browser software and operating system types; clickstream patterns; and dates and

times that our Site is accessed.

Cookies used for analytics may use non-Personal Data that is not directly linked to you. We use analytics technologies to

improve our Site and Services.

Users are advised that if they wish to deny the use and saving of cookies from the Site on to their computer’s hard drive,

they should take necessary steps within their web browser’s settings to block all cookies from the Site and its external

serving vendors. Please note that if you choose to erase or block your cookies, you will need to re-enter your original

user ID and password to gain access to certain parts of the Site. For information on how to disable cookies, refer to your

browser’s documentation.

4. ADVERTISING AND ANALYTICS

Interest-based advertising is advertising that is targeted to you based on your web browsing and app usage over time.

We utilize various types of de-identified information to enable interest-based advertising. You have the option to restrict

the use of information for interest-based advertising and to opt-out of receiving interest-based ads.

As an alternative, you can also elect to block browser cookies from first parties (such as those from our website) and

browser cookies from third parties (such as advertisers) by using the cookie blocking options built into your browser

software. If you block browser cookies, some parts of our website may not function correctly. Also, blocking cookies will

not stop third-parties from collecting IP address, data stored in “Flash” cookies, and certain other types of technical

information that may uniquely identify your browser.

Last Rev. 10.24.2018 Laboratory Privacy Practices

5. SOCIAL NETWORK WIDGETS

Our Site may include social network sharing widgets that may provide information to their associated social networks or

third-parties about your interactions with our web pages that you visit, even if you do not click on or otherwise interact

with the plug-in or widget. Information is transmitted from your browser and may include an identifier assigned by the

social network or third party, information about your browser type, operating system, device type, IP address, and the

URL of the web page where widget appears. If you use social network tools or visit social networking sites, you should

read their privacy disclosures, to learn what information they collect, use, and share.

6. DE-IDENTIFIED OR ANONYMIZED DATA

We may create de-identified or anonymous data from Personal Data by excluding data components (such as your name,

email address, or linkable tracking ID) that makes the data personally identifiable to you or through obfuscation or

through other means. Our use of anonymized data is not restricted by this Privacy Notice.

7. DATA RETENTION

We will retain your Personal Data for as long as long as you maintain an account or as otherwise necessary to provide

you the Services. We will also retain your Personal Data as necessary to comply with our legal obligations, resolve

disputes, and enforce our agreements.

Where we no longer need to process your Personal Data for the purposes set out in this Privacy Notice, we will delete

your Personal Data from our systems.

Where permissible, we will also delete your Personal Data upon your request, as further described in the Data Subject

Access, Modification, and Deletion Rights section of this Privacy Notice.

8. STORAGE OF PERSONAL DATA

Rari Laboratory and our associated Services and systems may be stored on servers in the United States. If you are

located outside of the United States, please be aware that Personal Data we collect will be processed and stored in the

United States, a jurisdiction in which the data protection and privacy laws may not offer the same level of protection as

those in the country where you reside or are a citizen.

By using our Services and/or submitting your Personal Data, you agree to the transfer, storage, and/or processing of

your Personal Data in the United States.

9. SECURITY SAFEGUARDS AND LINKS TO OTHER WEBSITES

We implement appropriate technical and organizational safeguards to protect against unauthorized or unlawful

processing of Personal Data and against the accidental loss, destruction, or damage of Personal Data. Please be advised,

however, that we cannot fully eliminate security risks associated with the storage and transmission of Personal Data.

This Privacy Notice only applies to our Site. Our Site or Services may provide a link or otherwise provide access to

another website, mobile application, or Internet location (collectively “Third-Party Sites”). We provide these links merely

for your convenience. We have no control over, do not review, and are not responsible for Third-Party Sites, their

content, or any goods or services available through the Third-Party Sites. Our Privacy Policy does not apply to Third-Party

Sites, and any data you provide to Third-Party Sites, you provide at your own risk. We encourage you to review the

privacy policies of any Third-Party Sites with which you choose to interact.

9.2. Matters That May Require Consent

In cases where we are not already authorized to process the Personal Data under applicable law, we may ask for your

consent to process your Personal Data, including:

Marketing

We may ask for your consent to contact you by telephone, SMS, post and/or email about other offers, products,

promotions, developments or services which we think may be of interest to you and for other marketing purposes.

Research

We may ask for your consent to use your Personal Data for research purposes.

Cookies

The Site uses cookies to improve user experience.

9.3. Withdrawing Your Consent

You may at any time withdraw the consent you provide for the processing of your Personal Data for the purposes set

forth in this Privacy Notice by contacting us at contact@raridx.com provided that we are not required by applicable law or

professional standards to retain such information.

If you want to stop receiving future marketing messages and materials, you can do so by clicking the “unsubscribe” or

“opt-out” link included in our email marketing message.

SECTION 4:

HIPAA PRIVACY PRACTICES

This notice describes how health information about you may be used and disclosed and how you can get access to this

information. Please review it carefully.

With your consent, the laboratory is permitted by federal privacy laws to make uses and disclosures of your health

information for purposes of treatment, payment and health care operations. Protected health information is the

information we create and obtain in providing our services to you. Such information may include documentation of your

symptoms, test results, diagnoses, and treatment. It also includes billing documents related to those services.

Use of personal health information for treatment purposes:

We may use your health information to provide laboratory test reports to you or your health care provider. We may

disclose your health information to doctors, nurses, medical technicians, midwives, pharmacists or others who are

involved with your care. For example: a nurse may call from your physician’s office to obtain test results on your

physician’s behalf. We will release the requested information to the nurse.

Use of personal health information for payment purposes:

We may use and disclose your health information for payment purposes, including determinations of eligibility and

coverage utilization activities. For example: we may need to give your insurance company information about the tests

performed in order to obtain payment.

Use of personal health information for health care operations:

We obtain services from our insurers or other business associates such as quality assessment, quality improvement,

outcome evaluation, protocol and guidelines development, training programs, credentialing, medical review, legal

services and insurance. We will share information about you with such insurers or other business associates as

necessary to obtain these services. For example: we may use your health information in the course of evaluating our

customer service. In addition, we may remove information that identifies you from your health information so this de-

identified information can be used for research purposes.

10. Your Rights Regarding Your Protected Health Information:

The health and billing records we maintain are the physical property of the laboratory. The information in it, however,

belongs to you. You have a right to:

• Receive a notice that tells you how your health information may be used and shared.

• Decide if you want to give permission before your health information can be used or shared for certain

purposes. However, we may not grant the request.

• Ask that incorrect or incomplete information be removed or changed in your health records.

• Ask that your information not be shared with certain people, groups or companies.

• Ask to be contacted at different places or in different ways, such as through your office or by mail.

• Ask to see and get a copy of your health information.

• File complaints if you believe your health information was used or shared in such a way that is not allowed by

law or you were not allowed to exercise your rights.

HIPAA provides an exemption 45 CFR §164.524(a)(1)(iii) in relation to CLIA (Clinical Laboratory Improvement

Amendments) 42 CFR § 493.3(a)(2) as described below: CLIA certified laboratories that are also covered entities are not

required to provide individuals with a right of access to or a right to inspect and obtain copies of their private health

information if the disclosure of the information to the individual would be prohibited by CLIA. CLIA requires laboratories

to release test results only to “authorized persons” and, if applicable, the individual responsible for using the test results

and the laboratory that initially requested the test. “Authorized person” means an individual authorized under State law

to order tests or receive test results or both.

10.2 Our Responsibilities:

The laboratory is required to:

• Maintain the privacy of your health information as required by law;

• Provide you with a notice of our duties and privacy practices as to the information we collect and maintain

about you;

• Abide by the terms of this Notice;

• Notify you if we cannot accommodate a requested restriction or request; and

• Accommodate your reasonable requests regarding methods to communicate health information with you.

We reserve the right to amend, change, or eliminate provisions in our privacy practices and access practices and to

enact new provisions regarding the protected health information we maintain. If our information practices change, we

will amend our Notice. You are entitled to receive a revised copy of the Notice by calling and requesting a copy of our

Notice.

10.3 To Request Information or File a Complaint:

If you have questions, would like additional information, or want to report a problem regarding the handling of your

information, you may contact us via e-mail at contact@raridx.com or by phone at (866) 600-1636. Additionally, if you

believe your privacy rights have been violated, you may file a written complaint by e-mail or mail to Rari Laboratory. You

may also file a complaint by:

• Mail or e-mail it to the US Secretary of Health and Human Service

o We cannot, and will not, require you to waive the right to file a complaint with the Secretary of Health &

Human Services (HHS) as a condition of receiving services from the laboratory.

o We cannot, and will not, retaliate against you for filing a complaint with the Secretary.

10.4 Other Disclosures and Uses Notification

• We may disclose your protected health information for law enforcement purposes as required by law, such as

when required by a court order, or in cases involving felony prosecutions, or to the extent an individual is in the

custody of law enforcement.

• Federal law allows us to release your protected health information to appropriate health oversight agencies or

for health oversight activities.

• We may contact you as part of our marketing efforts as permitted by applicable law.

• Other uses and disclosures besides those identified in this Notice will be made only as otherwise authorized by

law or with your written authorization and you may revoke the authorization as previously provided.

10.5 Contact Us

For questions regarding this Privacy Notice, please contact us at: contact@raridx.com.