RULES FOR THE PROCESSING AND PROTECTION OF PERSONAL DATA IN CONNECTION WITH THE USE OF THE MEDDI MD

(hereinafter referred to as the "Rules")

The company MEDDI hub a.s., Na Florenci 2116/15, Nové Město, 110 00 Prague 1, ID No.: 062 30 458, registered with the Municipal Court in Prague, insert B 25071, email: info@meddihub.com (hereinafter also referred to as "Operator" or "Data Controller") is the Operator of the MEDDI MD application, available via the Internet server www.meddiapp.com or as a mobile application for download on Google Play and the App Store (hereinafter referred to as "App"). The App is an online platform for the provision of health and health-related services, enabling electronic communication between Health Service Providers or Therapy Service Providers on the one hand and registered users on the other hand (hereinafter referred to as "Service Recipients"). The subject of this communication is usually professional consultations and expert opinions concerning the health of Service Recipients, with encrypted secure transmission of data and other information in the context of such interactions.

These Rules govern all processing of Users' personal data when using the Application, unless otherwise agreed by the parties. These Rules supplement the MEDDI MD Terms and Conditions, which are available on the Application or on the website www.meddi.com (hereinafter referred to as the "T&C"). Capitalized terms in these Rules have the same meaning as assigned to them in the T&C, unless these Rules expressly provide otherwise.

The controller has appointed a data protection officer. The contact details of the data protection officer are:

  • Name of the delegate: Barbora Žochová
  • Email: dpo@meddi.com

  1. Who processes your personal data
    (data controller)

    The personal data of Users are processed by the Operator (identification data are listed above).

  2. How we obtain this personal data
    (sources of personal data)

    The Operator processes personal data obtained from Users (Data Subjects) both in the context of setting up a User account in the Application (i.e. during registration in the Application) and in the subsequent use of the Application by the User.

  3. What personal data is processed
    (categories of personal data)

    These Rules apply exclusively to the handling of data of Users who are natural persons. The Operator, as Data Controller, processes:

    1. identification (in particular name, surname, and residential address) and contact (in particular e-mail address, telephone number) personal data of Users, to the extent specified in the registration form during the creation (registration) and administration of individual User accounts in the Application,

    2. other personal data of Users obtained by the Data Controller when the User uses the Application, e.g. in the context of Offers or Requests.

    Based on the User's consent granted in the Application, the location data of the device used may be processed in order to offer more relevant Offers and Requests.

    If the User discloses any personal data of third parties in the Application, the User is obliged to do so only if the conditions set out in the relevant legal regulations are met, including in particular, if necessary, obtaining consent to the processing of personal data from these parties.

    If the User discloses any personal data in the Application that is not required by the Operator, the User does so entirely voluntarily. The Operator is not obliged to search for such personal data and notify the User of its disclosure or to destroy such personal data due to privacy and technical complexity.

    The Operator monitors and stores records of User activity and interactions with content placed in the Application for the purpose of storing, managing and archiving them for further use by the User in the Application, in particular to satisfy Offers and Requests, including the possible conclusion of the relevant contract between the User and the Service Recipients through the Application. In addition, records of User activity are stored in order to increase the efficiency of the search for Service Recipients, to customize the content of the Application and to monitor User preferences within the selected region. Thus, data on the frequency of visits to the Application, passwords searched and displayed Offers and Requests and actions performed within the User's account are tracked.

  4. How we use personal data
    (purposes of processing personal data)

    1. Processing for the purpose of conclusion and performance of the Contract

      The data controller will process

      • Personal data specified in point III. a) for the creation of a User account (registration) and subsequent management of the User's User account in the Application,
      • The personal data referred to in III. b) for the purpose of storage, management and archiving for further use at the User's request in the Application,
      • Personal data referred to in III. a) and III. b) for the purpose of fulfilling other contractual obligations of the Controller towards Users or Providers arising from the Contract, in particular the T&C.

      The Operator uses personal data for the purpose of fulfilling its contractual obligations towards Users and Service Recipients as regulated in particular in the T&C. Personal data is thus used to enable the viewing of the content of the Application, the management of the User's account, the placement of Offers and Requests and the interaction between the User and the Operator and between Users and Service Recipients with each other to satisfy their Offers and/or Requests. At the same time, personal data is processed for the purpose of User support, or for other purposes regulated in the T&C. The processing of personal data for these purposes is carried out by the Operator only to the extent strictly necessary.

      Providers are provided with personal data disclosed by the User to the extent necessary for the negotiation and performance of the contract between Users and Providers through or with the help of the Application only after the User discloses such personal data himself or after he approves the interaction with another User.

    2. Processing for marketing purposes

      The Operator uses the User's contacts for marketing and sending commercial communications only if the User grants the Operator his/her express consent to use the contact details for marketing purposes. The User gives his/her consent at the time of registration or later via his/her User account. This consent is confirmed by the User via his/her e-mail.

      As part of its marketing activities, the Operator contacts the User with information about news regarding the Application and its features.

      For communication in this case, the Operator uses the telephone number and/or e-mail address of the Users, which the User fills in the Application for this purpose, or sends messages directly via the Application.

      The provision of data for these purposes is entirely voluntary. You can withdraw your consent to the processing of personal data for marketing purposes or change your preferences regarding the communications sent to you at any time by clicking on the link at the end of each e-mail message and selecting the appropriate settings or by sending a request to the Operator's e-mail address.

  5. On what basis we process personal data
    (legal titles for processing personal data)

    The Operator processes personal data in the operation of the Application under the following titles:

    • Conclusion and performance of the Contract - Users' personal data are processed to the extent necessary for the conclusion, performance and, if necessary, enforcement of claims arising from the Contract concluded with the Operator;
    • Consent - The Operator is entitled to process personal data if you have given your explicit consent for processing for a specific purpose, for the duration of the validity of such consent or until the withdrawal of such consent; processing of personal data on the basis of consent occurs in particular when processing personal data for the purposes of marketing activities;
    • Legitimate interests of the Operator - personal data may also be processed in cases where certain processing is a legitimate interest of the Operator and at the same time such processing does not adversely affect the User's rights and freedoms to privacy protection; the processing of personal data may occur in particular for the purpose of ensuring the protection and security of Users.

  6. Who we provide your personal data to
    (recipients of personal data)

    Personal data are processed for the Operator only by its employees (who are in an employment or similar contractual relationship with the Operator) and by persons cooperating with the Operator on the basis of civil law contracts.

    The Operator transfers personal data to other controllers or processors only if this is necessary for the fulfilment of the individual purposes of processing, in accordance with the relevant legal title for the processing of personal data. In particular, the Operator transfers personal data to external legal, economic and accounting advisors, external entities providing server, cloud or IT services to the Data Controller, entities operating payment instruments, e.g. GOPAY, etc. Personal data may also be transferred to the relevant public authorities on the basis of legal regulations.

    The Operator does not transfer the processed personal data to a third country or an international organization.

  7. Period of processing of personal data

    Personal data, in particular the basic personal data obtained during registration and data on the progress of the Offer, are processed for 6 months after the expiry of the registration, in particular for the purpose of processing complaints. If the legislation provides for a longer period in a specific case, the personal data is processed for this period (for example, personal data on the invoice - these are processed for 5 years).

  8. Automated individual decision-making, including profiling

    The processing of personal data will not involve automated decision-making, including profiling, as referred to in Article 22(1) and (4) of the GDPR.

  9. Cookies

    The Operator does not store data or access data stored on Users' end devices in an automated manner, even when storing technical files.

  10. How personal data is secured

    The handling of personal data is carried out in full compliance with applicable data protection legislation. When processing personal data, the Operator places great emphasis on the technical and organizational security of the processed data. The Operator has put in place and maintains the necessary appropriate technical and organisational measures, internal controls and processes to guarantee information security in accordance with best business practice, corresponding to the potential risk to the User. The Operator takes into account the state of technological development in order to protect the User's personal data from accidental loss, destruction, alteration, unauthorized disclosure or access. These measures may include, but are not limited to, physical security measures, taking reasonable steps to ensure accountability and training of employees who have access to User Data, regular backups, data recovery and incident management procedures, software protection of devices on which Personal Data is stored, and other measures.

    In order to ensure compliance with the Rules, an internal directive on personal data protection has been adopted, on the basis of which the Operator has implemented organizational and technical security measures to protect the personal data processed.

    All personal data is stored on electronic storage. Access to the storage is also password protected, and communication with the database is encrypted. Within the Operator, only those who have an immediate need to handle the personal data have access to it.

    Within the framework of these measures, all employees of the Operator and persons cooperating with the Operator on the basis of civil law contracts are bound by the obligation of confidentiality. The Operator also requires the same level of protection in the processing of personal data from external processors.

  11. What rights the User has in relation to the processing and protection of personal data

    You may exercise the following rights with the Operator in relation to the processing of your personal data under the conditions set out in Articles 15 to 22 of the GDPR.

    • Right to withdraw consent to the processing of personal data

      You may withdraw your voluntary consent to the processing of personal data at any time free of charge. Withdrawal of consent does not affect the processing of personal data that the Operator processes on the basis of a legal title other than consent, i.e. in particular if the processing is necessary for the performance of a contract, legal obligation or for other reasons specified in applicable law.

    • Right of access to personal data processed

      Within the framework of the right of access to personal data, you can obtain the following information: whether your personal data are processed by the Operator, for what purpose and what personal data are processed, whether personal data are transferred to other recipients, for how long personal data are processed and information about your rights in relation to the processed personal data. At the same time, you have the possibility to obtain a copy of your personal data processed.

    • Right to rectification of personal data processed

      As part of the right to rectification of processed personal data, you have the right to request the rectification or completion of your incorrectly or incompletely processed personal data. We take reasonable measures to ensure that you can keep your personal data accurate and up to date. You can always contact us to ask if we are still processing your personal data.

    • Right to erasure of personal data processed

      If you contact us with such a request, we will promptly delete any personal data we hold about you unless we no longer need your personal data to perform our contractual or legal obligations or to protect our legitimate interests as described above. You are always entitled to request the deletion of the personal data processed, provided that the legal basis for the Operator's processing is your prior consent.

    • Right to restriction of processing of personal data

      You are entitled to request the Operator to limit the scope of processing of your personal data in the following cases: (i) you contest the accuracy of the personal data processed - the processing may be limited until a decision is made, (ii) the processing is unlawful but you only request the limitation of the processing, not the complete erasure, (iii) the Operator no longer needs the personal data solely for the establishment, exercise or defence of its legal claims, or (iv) you have objected to the processing of your personal data and this request has not yet been settled by the Operator.

    • Right to portability of processed personal data

      You are entitled to request the Operator to transmit your processed personal data in a structured, commonly used and machine-readable format for the purpose of their subsequent transmission to another controller. Alternatively, you have the right to request, in technically feasible cases, that they be transmitted directly to another controller. This right may only be exercised on condition that such a request does not adversely affect the rights and freedoms of others and is technically feasible.

    • Right to object to the processing of personal data

      You are entitled to object in cases where the processing of your personal data is carried out by the Operator on the basis of the legal title "legitimate interests of the controller" pursuant to Article 6(1)(f) GDPR. The Operator is not entitled to further process your personal data after you have objected, unless it demonstrates compelling legitimate grounds for further processing that override your interests, rights and freedoms or demonstrates the necessity of further processing for the establishment, exercise or defence of legal claims. If the personal data is processed for direct marketing purposes, you may object at any time and the Operator will no longer process the personal data for this purpose.

      You are entitled to exercise the above rights with the Operator in the following ways:

      • a request in written documentary form (with a certified signature) delivered to the Operator's address; or
      • a request in written electronic form (e-mail with a recognized electronic signature) delivered to the Operator's e-mail address; or
      • a request in written electronic form (data message) delivered to the Operator's data box; or
      • a request in written electronic form sent from the email address provided in your user profile.

      According to the legislation (Article 12 GDPR), the Operator is obliged to uniquely identify the applicant when dealing with the request. If the application is submitted in a form other than that required above, you will be asked by the Operator to identify yourself unambiguously by providing proof of identity or resubmitting the application using one of the methods required above. This is a precautionary security measure to prevent unauthorized persons from accessing your personal data.

    • Complaint against the processing of personal data

      If you believe that the processing of your personal data by the Operator has violated the rules of personal data protection set forth in the legislation (GDPR), you have the right to file a complaint against such processing with the Office for Personal Data Protection, located at Pplk. Sochora 27, 170 00 Prague 7.

  12. Update of the rules on processing and protection of personal data

    We may modify or update these Rules from time to time. Any changes to these Rules will become effective when posted on the Application.

These Rules come into force and effect on 19. 12. 2025.