PRIVACY POLICY AND CONSENT FORM

(A) This Privacy Policy applies to the collection, use, and disclosure of personal data by Intelligent Screening Pte Ltd (Company Registration No.: 202515455D) trading as i-screen ("i-screen", "we," "us," "our"), a company incorporated in Singapore and governed by the Personal Data Protection Act 2012 (No. 26 of 2012) ("PDPA") and the Advisory Guidelines issued by the Personal Data Protection Commission ("PDPC")..

(B) i-screen is responsible for managing personal data collected through its website www.i-screen.sg (the "Website"), mobile applications, Platform, and related Services.

(C) Our Commitment: We are committed to protecting the privacy of all client information. i-screen provides wellness and educational services, clinical consultation services, and corporate health screening programs (the "Services") to individuals and businesses. These Services are delivered through various formats including online platforms, pathology testing coordination, AI-assisted health interpretations, GP consultations, and corporate wellness programs. In providing these Services, we handle Personal Data, including health-related data, in compliance with the Singapore Personal Data Protection Act 2012 (“PDPA”) and the Advisory Guidelines issued by the Personal Data Protection Commission (“PDPC”), including those applicable to the healthcare sector.

(D) Our Registered Office: 90 EU TONG SEN STREET #03-02B Singapore 059811

(E) Postal Address: 90 EU TONG SEN STREET #03-02B Singapore 059811

(F) Contact Information: info@i-screen.sg | 0290606208

(G) Health information (such as pathology results, medical history, or health questionnaire responses) is considered a special category of Personal Data under the Singapore Personal Data Protection Act 2012 (“PDPA”). We recognise the sensitivity of such information and afford it a high level of protection. We will only collect, use, and disclose health-related Personal Data with your consent, or where permitted or required by law, and strictly as necessary to support your care and wellness needs.

(H) Questions or concerns about this Privacy Policy or the management of personal data may be directed to our Privacy Officer at info@i-screen.sg.

1. LEGAL AND REGULATORY FRAMEWORK

1.1 Personal Data Protection Act (PDPA) and Healthcare Guidelines

(a) As a Singapore health service coordinator, i-screen adheres to the Personal Data Protection Act 2012 (“PDPA”) and the Advisory Guidelines issued by the Personal Data Protection Commission (“PDPC”), including those applicable to the healthcare sector. The PDPA sets out requirements for the proper collection, use, disclosure, and protection of Personal Data throughout its lifecycle, from initial collection to eventual retention and disposal.

(b) In practice, this means we: (i) Operate with openness and transparency about data management (ii) Only collect information necessary for our Services with your consent (iii) Inform you about collection purposes and uses (iv) Use and disclose information only for expected purposes or with additional consent (v) Take steps to secure your information and allow you to access and correct it (vi) Comply with the mandatory data breach notification requirements under the PDPA, including notification to affected individuals and the PDPC where applicable

1.2 Healthcare Identifiers

We ensure our practices comply with the Personal Data Protection Act 2012 (“PDPA”) and applicable Ministry of Health (“MOH”) requirements when handling patient identifiers such as NRIC numbers, FINs, or other government-issued identifiers. We only collect, use, and disclose such identifiers for purposes directly related to your healthcare management, identity verification, or as required by Singapore law and MOH guidelines (including, where applicable, participation in the National Electronic Health Record (NEHR) system).

2. SCOPE OF CLIENTS AND SERVICES COVERED

This Privacy Policy applies to all individuals who engage with i-screen's Services, including:

(a) Individual wellness clients (self-funded or family-funded pathology testing and health screening) (b) Subsidised healthcare clients (those accessing services subsidised under Ministry of Health (“MOH”) schemes or public healthcare subsidies) (c) Government assistance programme clients (clients receiving Services under national health assistance schemes such as CHAS, Pioneer Generation, or Merdeka Generation programmes) (d) Insurance clients (workers' compensation, motor vehicle accident schemes) (e) Corporate clients and employees (participating in workplace wellness programs) (f) Clinical consultation clients (accessing GP or Dietitian/DNA consultations)

Note: If you are acting on behalf of a client (as a parent/guardian, case manager, or corporate representative), this policy also covers how we handle your personal details provided in that context.

3. COLLECTION OF PERSONAL AND HEALTH INFORMATION

3.1 Types of Personal Data Collected

We only collect personal data reasonably necessary to provide wellness and health screening services. The types of information we may collect include:

3.1.1 Identity and Contact Details (a) Legal name or consistent pseudonym (where permitted) (b) Date of birth (essential for result interpretation) (c) Address, phone number, email (d) Emergency contact information (e) Next of kin details

3.1.2 Health and Medical Information (a) Relevant health history and medical reports (b) Health questionnaire responses (c) Pathology test results and interpretations (d) Treatment notes and assessments (e) Family medical history (where relevant) (f) Information from other health professionals (with consent)

3.1.3 Financial and Funding Information (b) Government health assistance programme details (participation in MOH-funded health support programmes, where applicable) (c) Insurance claim references (e.g., health insurance, workers’ compensation, motor accident schemes) (d) Payment information and transaction history (billing details, invoices, receipts) (e) Corporate wellness programme details (coverage or entitlements under employer-sponsored health screening and wellness initiatives)

3.1.4 Account and Platform Information (a) Account activity data and preferences (b) Platform usage patterns and interactions (c) Communication preferences and history (d) Historical tracking data and trends

3.1.5 AI and Technology Data (a) Data processed through our AI interpretation systems (b) Algorithm inputs and outputs (reviewed by health professionals) (c) Platform analytics and performance data

3.2 How We Collect Information

3.2.1 Direct Collection (a) Through Account registration and service agreements (b) Via health questionnaires and assessment forms (c) During clinical consultations and health screenings (d) Through customer service interactions (e) Via our Website, mobile applications, and Platform (f) Through corporate wellness program enrollments

3.2.2 Third-Party Collection (with consent) (a) From Laboratory Partners providing test results (b) From referring healthcare providers (c) From corporate wellness program administrators (d) From government health assistance schemes or MOH-approved programmes (e.g., CHAS administrators, subsidy eligibility verification) (e) From insurance providers or case managers handling claims or benefits

3.2.3 Automated Collection (a) Website cookies and analytics data (b) Platform usage and interaction data (c) IP addresses and device information (d) Performance and system data

We collect information by lawful and fair means and will not do so in an unreasonably intrusive way. We provide clear notice about data collection at the time of collection and explain any consequences if information is not provided.

3.3 Eligibility and age restrictions

(a) The collection of personal information is neither intended for, nor directed to, persons who are under the age of eighteen (18) years old. Persons under age eighteen (18) may only use our Website with the involvement and consent of a parent or legal guardian.

(b) If you are under 18 years old, you must have a parent or legal guardian review and agree to this Privacy Policy on your behalf before you can use our Services.

4. USE OF INFORMATION (PURPOSE OF COLLECTION)

4.1 Primary Purposes

The primary purpose for collecting your information is to provide comprehensive wellness and health screening services, including:

4.1.1 Service Delivery (a) Coordinating pathology testing through Laboratory Partners (b) Providing AI-assisted health interpretations (reviewed by qualified professionals) (c) Delivering clinical consultations (GP, Dietitian/DNA services) (d) Managing corporate wellness programs (e) Facilitating medical imaging coordination (DEXA scans, calcium scoring) (f) Supporting historical tracking and trend analysis

4.1.2 Account and Communication Management (a) Creating and managing your Account (b) Scheduling appointments and sending reminders (c) Processing payments and managing subscriptions (d) Providing customer support and technical assistance (e) Sending service-related communications and updates

4.1.3 Health Professional Coordination (a) Sharing reports with referring healthcare providers (with consent) (b) Coordinating care within your treating team (c) Facilitating referrals to appropriate specialists (d) Supporting clinical decision-making and continuity of care

4.2 Secondary Purposes

We may use information for related secondary purposes that you would reasonably expect: 4.2.1 Quality Assurance and Improvement (a) Clinical audits and service quality reviews (b) AI system training and improvement (using de-identified data) (c) Platform development and enhancement (d) Customer satisfaction surveys and feedback collection

4.2.2 Regulatory and Compliance (a) Meeting reporting requirements to government funding bodies or subsidy administrators (e.g., Ministry of Health (“MOH”) for CHAS, Pioneer Generation, Merdeka Generation or other subsidy schemes) (b) Fulfilling obligations under MOH health assistance programmes and other national healthcare initiatives (c) Insurance claim processing (e.g., health insurance, workers’ compensation, motor accident claims) (d) Regulatory reporting and audit compliance with MOH, PDPC, and other applicable authorities in Singapore

4.2.3 Research and Analytics (De-identified) (a) Population health trend analysis (b) Service effectiveness research (c) Health outcome studies (d) Platform performance analytics

We will seek additional consent for any use outside these expected purposes.

5. DISCLOSURE OF INFORMATION (SHARING WITH OTHERS)

5.1 Within Your Care Team

We may share relevant information with members of your healthcare team to coordinate care: (a) Referring doctors and specialists (b) Administrators of government health assistance or subsidy schemes (e.g., CHAS, Pioneer Generation, Merdeka Generation), where required for eligibility or claims (c) Insurance case managers and rehabilitation providers (d) Corporate wellness program administrators (aggregate data only) (e) Other healthcare providers involved in your care (with explicit consent)

5.2 Laboratory Partners and Service Providers

5.2.1 Independent Laboratory Partners (a) Eurofins Central Laboratory Pte Ltd (b) Healius Pathology Pty Ltd (and associated brands) (c) Nutripath Integrative Pathology Services (d) GENEWAY (Pty) Ltd (e) OmegaQuant LLC (g) MY DNA LIFE Pty Ltd (h) Other accredited laboratories as listed on our Website

We share necessary identification and health information with Laboratory Partners to facilitate testing services. These are independent entities with their own privacy obligations. These laboratories are based overseas and subject to their own local privacy laws, but we require them to provide a standard of protection comparable to the PDPA.

5.3 Funding Bodies and Government Agencies

5.3.1 Government Health Assistance and Subsidy Schemes We may share relevant information with government bodies administering national health assistance or subsidy schemes, including: (a) Community Health Assist Scheme (CHAS) administrators (b) Pioneer Generation and Merdeka Generation programme administrators (c) MediFund administrators (for means-tested financial assistance)

5.3.2 MOH and Government Agencies We may share information where required with: (a) Ministry of Health (MOH) for regulatory reporting and compliance (b) Other government agencies administering healthcare-related programmes (e.g., Health Promotion Board for screenings and preventive health initiatives) (c) Inland Revenue Authority of Singapore (IRAS) or other relevant agencies for business and tax compliance

5.3.3 Insurance Providers We may share information, with your consent, with: (a) Workers’ compensation insurers (b) Motor accident insurance schemes (c) Private health insurers

5.4 Required or Permitted by Law

We may disclose information without consent when: (a) Required by court order or subpoena (b) Mandated by law (e.g. reportable incidents, public health requirements) (c) Necessary to prevent serious threat to life, health, or safety (d) Required for law enforcement investigations (e) Needed to protect our legal rights or property

5.5 Corporate Reporting and De-identified Data

5.5.1 Corporate Wellness Programs Individual employee health information remains strictly confidential. Employers receive only: (a) Aggregate, de-identified statistical reports (b) General workforce health trends (c) Comparative analyses and benchmarking (d) Wellness program effectiveness metrics

5.5.2 Health Data Analytics We may provide de-identified Health Data to third parties for: (a) Population health research (b) Healthcare trend analysis (c) Service development and improvement (d) Academic research partnerships

6. THIRD-PARTY SERVICE PROVIDERS AND INTERNATIONAL DATA PROCESSING

6.1 Technology and Platform Providers

6.1.1 Practice Management and Communication (a) Platform hosting and maintenance providers (b) Cloud storage and backup services (c) Payment processing providers (Braintree, PayPal) (d) Email and communication services (e) Customer support platforms

6.1.2 AI and Analytics Services (a) Various AI platforms and technologies for health interpretation (b) Data analytics and reporting tools (c) Machine learning and algorithm providers (d) Third-party health databases and reference libraries

6.2 International Data Processing and Storage

Your personal data may be processed, stored, or accessed by our operational and technology contractors located in:

6.2.1 Primary Locations (a) United Kingdom: Operational staff and shared services with access to data (b) Australia: Operational support, technical support and system maintenance services (c) Indonesia: Software development and operational support

6.2.2 Cloud Service Locations Data may also be stored or processed through cloud service providers with servers in various international locations, including the United States and other countries where our technology partners operate.

6.2.3 Safeguards for International Transfers Before any international transfer, we ensure: (a) Appropriate contractual protections are in place (b) That the recipient is bound to provide a standard of protection for Personal Data that is comparable to that under the Singapore Personal Data Protection Act 2012 (“PDPA”) (c) Security requirements and compliance obligations (d) Regular monitoring and audit of international partners

6.3 Health Data Analytics and Commercial Use

We may perform data analytics on de-identified health and sensitive information that we collect for health and lifestyle trends (“Health Data”). This de-identified Health Data may be provided, by way of sale or otherwise, to third parties for research, population health analysis, and service development purposes, subject to the safeguards below.

6.3.1 Third-Party Health Data Safeguards

(a) Contractual Requirements - All third-party recipients must enter into binding contractual agreements that:

(i) Strictly prohibit any attempt to re-identify de-identified data. (ii) Require maintenance of secure data environments with encryption and access controls. (iii) Limit data use to specified research or analytical purposes only. (iv) Prohibit further sale, transfer, or sharing without our explicit written consent. (v) Mandate secure deletion of data after specified retention periods. (vi) Require regular security audits and compliance reporting. (vii) Include financial penalties for contractual breaches. (viii) Require compliance with the Personal Data Protection Act 2012 (PDPA) of Singapore and any applicable Ministry of Health (MOH) or Health Sciences Authority (HSA) guidelines.

(b) De-identification processes include removal of direct identifiers and application of statistical disclosure control methods to minimise re-identification risk, in accordance with PDPC guidelines.

(c) We will conduct ongoing monitoring and audit of third-party compliance with these obligations. Third parties must demonstrate equivalent or superior privacy and security standards to those required under Singapore’s PDPA and sector-specific health data regulations.

(d) Third parties must notify us without undue delay of any data breach, and comply with the PDPA’s breach notification requirements, including notification to the Personal Data Protection Commission (PDPC) and affected individuals, where applicable.

6.4 AI Technology Providers

We utilise various artificial intelligence platforms and technologies, which may include: (a) Third-party AI interpretation systems (b) Machine learning platforms for data analysis (c) Natural language processing services (d) Health database and reference services

All AI-generated content undergoes mandatory review by qualified Singaporean or Australian health professionals before release to users.

7. CONSENT AND ACTIVE AGREEMENT

7.1 Consent Framework

Because we handle health-related Personal Data, consent is fundamental to our service delivery. Under the Singapore Personal Data Protection Act 2012 (“PDPA”), we generally require your consent to collect, use, and disclose Personal Data, including health information, unless an exception under the PDPA applies (for example, in emergencies, where required by law, or for evaluative purposes permitted by the PDPA).

7.1.1 Integrated Consent Process This Privacy Policy serves as both a privacy notice and consent mechanism. By: (a) Creating an Account on our Platform (b) Using our Services (c) Signing our Service Agreement (d) Submitting health questionnaires or forms

You actively consent to our collection, use, and disclosure of your personal data as outlined in this policy.

7.2 What You're Consenting To

7.2.1 Data Collection and Use (a) Collection of personal and health information for service delivery (b) Processing of information through our AI systems (with professional review) (c) Storage of information in secure systems and cloud platforms (d) Use of information to coordinate care and provide wellness services

7.2.2 Information Sharing (a) Sharing with Laboratory Partners for testing services (b) Communication with your healthcare team (with explicit consent) (c) Reporting to government health assistance or subsidy schemes (e.g., Community Health Assist Scheme (CHAS), Pioneer Generation, Merdeka Generation), insurance providers, or other entities administering healthcare benefits (d) Processing through third-party technology providers (e) International data processing and transfers, subject to safeguards ensuring a comparable standard of protection in line with the Singapore Personal Data Protection Act 2012 (“PDPA”)

7.2.3 Service Enhancement (a) Use of de-identified data for service improvement (b) AI system training and development (c) Quality assurance and audit activities (d) Research and analytics (anonymised data only)

7.3 Informed and Voluntary Consent

(a) Your consent must be: (i) Informed: You understand what you're agreeing to (ii) Voluntary: No pressure or coercion (iii) Current: Up-to-date and relevant to our current practices (iv) Specific: Related to the particular uses described

(b) We avoid "bundling" unnecessary consents and provide genuine choices for optional services.

7.4 Withdrawing or Modifying Consent

7.4.1 Your Right to Withdraw You may withdraw consent at any time by contacting our Privacy Officer. This may affect our ability to provide certain services.

7.4.2 Modification of Consent You can modify consent for specific uses (e.g., stopping information sharing with particular providers) while maintaining consent for core services.

7.4.3 Process for Changes (a) Written or verbal request to our team (b) Immediate cessation of affected activities (c) Clear explanation of any service limitations (d) No penalty for withdrawal decisions

8. ARTIFICIAL INTELLIGENCE TECHNOLOGY AND LIMITATIONS

8.1 AI Implementation in Our Services

8.1.1 AI-Assisted Health Interpretations We utilise sophisticated AI and machine learning technologies to assist in analysing pathology results and generating preliminary health insights. Our AI systems: (a) Process biomarker data using multiple health information sources (b) Generate educational content about test results (c) Identify patterns and trends in health data (d) Provide risk assessments and wellness recommendations

8.1.2 Professional Review Process All AI-generated content undergoes mandatory review by qualified Singaporean or Australian health professionals who: (a) Verify accuracy and clinical appropriateness (b) Modify or reject inappropriate AI recommendations (c) Ensure compliance with professional standards (d) Maintain final authority over all interpretations

8.2 AI Limitations and Risks

8.2.1 Known Limitations You acknowledge that AI systems have inherent limitations: (a) May exhibit bias based on training data (b) Cannot account for individual medical history or circumstances (c) May produce inconsistent responses to similar inputs (d) Cannot detect errors in data entry or processing (e) May occasionally "hallucinate" or provide incorrect information

8.2.2 Individual Circumstances AI interpretations cannot consider: (a) Your complete medical history (b) Current medications and treatments (c) Recent health changes or symptoms (d) Family history and genetic factors (e) Lifestyle factors and personal circumstances (f) Social determinants of health

8.3 Educational Nature of AI Content

8.3.1 Not Medical Advice Despite AI processing and professional review, all interpretations remain: (a) General educational information (b) Intended to enhance biomarker understanding (c) Designed to facilitate healthcare discussions (d) Not personalised medical advice or recommendations (e) Not substitutes for professional healthcare consultations

Your Responsibilities: You must discuss all results and interpretations with qualified healthcare professionals who can provide clinical context based on your complete health profile.

9. DATA SECURITY AND STORAGE

9.1 Security Measures

9.1.1 Technical Safeguards (a) End-to-end encryption for data transmission (b) Secure cloud storage with encryption at rest (c) Multi-factor authentication for system access (d) Regular security audits and vulnerability assessments (e) Up-to-date firewalls and intrusion detection systems (f) Secure backup and disaster recovery procedures

9.1.2 Administrative Safeguards (a) Staff training on privacy and security obligations (b) Confidentiality agreements for all personnel (c) Access controls based on need-to-know principles (d) Regular privacy and security training updates (e) Incident response and breach notification procedures (f) Vendor management and third-party security requirements

9.1.3 Physical Safeguards (a) Controlled access to facilities and systems (b) Secure storage of any physical documents (c) Secure disposal of electronic devices and media (d) Environmental controls for data centers (e) Monitoring and logging of physical access

9.2 Data Breach Response

9.2.1 Breach Prevention We implement comprehensive measures to prevent unauthorised access, but no system is 100% secure.

9.2.2 Response Procedures In the event of a data breach: (a) Immediate containment and assessment (b) Investigation of scope and impact (c) Notify affected individuals if the breach is likely to result in significant harm, in accordance with the Personal Data Protection Act 2012 (“PDPA”) (d) Report the breach to the Personal Data Protection Commission (PDPC) where required by law (e.g., if the breach is of a significant scale or likely to result in significant harm to affected individuals) (e) Implementation of remedial measures (f) Review and improvement of security measures

9.2.3 Your Rights You will be promptly notified of any serious data breach affecting your information, including: (a) Nature and scope of the breach (b) Potential risks and impacts (c) Steps taken to address the breach (d) Recommended protective actions (e) Contact information for further assistance

10. DATA RETENTION AND DESTRUCTION

10.1 Retention Periods

10.1.1 Health Records As a health service coordinator, we retain health-related Personal Data in accordance with: (a) Requirements under the Ministry of Health (MOH) regulations and directives for healthcare institutions and service providers (b) Professional and ethical standards applicable to medical practitioners and allied health professionals in Singapore (c) A minimum of 6 years from the last service date for adult clients, in line with MOH and common medical record retention practice (d) For minor clients, until at least 6 years after the last service date or until the client reaches the age of 25, whichever is later (e) Longer periods where required by law, regulation, or ongoing medical, legal, or business needs

10.1.2 Account and Transaction Data (a) Account information for active service periods (b) Payment records for taxation and audit requirements (c) Communication records for service continuity (d) Platform usage data for service improvement

10.1.3 Corporate and Employment Records (a) Employee wellness data according to workplace requirements (b) Corporate reporting data for contract periods (c) Aggregate analytics for business planning

10.2 Secure Destruction

10.2.1 Electronic Data (a) Secure deletion using certified methods (b) Overwriting of storage media (c) Destruction of backup copies (d) Certificate of destruction where required

10.2.2 Physical Records (a) Secure shredding of paper documents (b) Professional destruction services (c) Secure disposal of electronic devices (d) Chain of custody documentation

10.3 Data Minimisation We actively minimise data retention by: (a) Regular review of stored information (b) Automatic deletion of unnecessary data (c) De-identification of research data (d) Secure archiving of required records

11. ACCESS TO INFORMATION AND CORRECTIONS

11.1 Your Right to Access

11.1.1 What You Can Access (a) All personal data we hold about you (b) Details of how information has been used (c) Information about disclosures to third parties (d) Confirmation that corrections have been made

11.1.2 Access Process (a) Submit written request to Privacy Officer (b) Identity verification (for security) (c) Response within 30 days (d) Information provided in requested format (e) No fee for standard requests

11.2 Correction Rights

11.2.1 When to Request Corrections (a) Information is inaccurate or out-of-date (b) Records contain errors or omissions (c) Personal details have changed (d) Health information is incorrect

11.2.2 Correction Process (a) Submit correction request with supporting evidence (b) Investigation and verification of changes (c) Updates made to relevant systems (d) Notification of changes to relevant third parties (e) Documentation of correction history

11.3 Limitations on Access

11.3.1 Rare Exceptions Access may be limited if: (a) Serious threat to life, health, or safety (b) Unreasonable impact on others' privacy (c) Frivolous or vexatious requests (d) Legal proceedings or investigations (e) Law enforcement requirements

Written explanation provided for any access limitations.

11.4 Third-Party Website Links

(a) Our Website may contain links to the websites of other organisations which may be of interest to you. Their inclusion cannot be taken to imply any endorsement or validation by us of the content of the third party website.

(b) Linked websites are responsible for their own privacy practices, and you should check those websites for their respective privacy policies, practices or statements. We are not responsible, nor do we accept any liability, for the conduct of organisations linked to our Website.

12. CORPORATE SERVICES AND EMPLOYEE PRIVACY

12.1 Employee Privacy Protection

12.1.1 Individual Confidentiality (a) Employee health information never disclosed to employers (b) Individual test results remain strictly confidential (c) No identification of specific employees in reporting (d) Complete control over personal health data sharing

12.1.2 Aggregate Reporting Only Employers receive only: (a) De-identified statistical summaries (b) General workforce health trends (c) Comparative industry benchmarking (d) Wellness program effectiveness metrics (e) Population-level insights and recommendations

12.2 Employee Rights and Choices

12.2.1 Voluntary Participation (a) No requirement to participate in wellness programs (b) Individual choice in sharing personal results (c) Opt-out options for all corporate communications (d) No employment consequences for non-participation

12.2.2 Data Control (a) Individual access to personal health data (b) Choice in healthcare provider communications (c) Control over follow-up services and referrals (d) Right to withdraw from corporate programs

12.3 Corporate Client Obligations

12.3.1 Privacy Protection Requirements Corporate clients must: (a) Respect employee privacy choices (b) Not request individual health information (c) Use aggregate data responsibly (d) Comply with workplace privacy laws (e) Support employee wellness voluntarily

13. CONSENT FOR SPECIFIC SERVICES

13.1 Clinical Consultation Services

13.1.1 GP Consultations By booking GP consultation services, you consent to: (a) Sharing relevant health information with the consulting physician (b) Potential diagnoses and medical recommendations (c) Prescription services and specialist referrals (d) Follow-up communications and care coordination

13.1.2 Dietitian/DNA Consultations Consent includes: (a) Review of genetic and nutritional data (b) Personalised dietary and lifestyle recommendations (c) Coordination with other healthcare providers (d) Ongoing support and follow-up services

13.2 AI-Assisted Interpretations

13.2.1 AI Processing Consent You consent to: (a) Processing of your health data through AI systems (b) Generation of preliminary interpretations and insights (c) Professional review and modification of AI content (d) Use of anonymised data for AI system improvement

13.2.2 Understanding AI Limitations You acknowledge: (a) AI interpretations are educational, not medical advice (b) Professional review does not guarantee accuracy (c) Individual circumstances may not be considered (d) Healthcare professional consultation is recommended

13.3 Corporate Wellness Programs

13.3.1 Employee Participation Participation in corporate wellness programmes is voluntary and subject to the employee’s informed and independent consent. Employers or corporate representatives cannot provide consent on behalf of employees for the collection, use, or disclosure of their Personal Data, including health-related information. Consent must be given directly by the employee through their personal engagement with i-screen’s platform or services, and must comply with the requirements of the Personal Data Protection Act 2012 (“PDPA”) and the Advisory Guidelines issued by the Personal Data Protection Commission (“PDPC”), including those applicable to the employment and healthcare sectors.

Consent covers: (a) Health screening and assessment participation (b) Aggregate data inclusion in corporate reporting (c) Wellness program communications and resources (d) Optional follow-up services and referrals

13.3.2 Data Usage Understanding that: (a) Individual results remain confidential and are never disclosed to employers (b) Aggregate data helps improve workplace wellness (c) Participation is voluntary and can be withdrawn (d) No individual identification in corporate reports or analytics

14. BUSINESS TRANSFERS AND CORPORATE TRANSACTIONS

If we merge with, or are acquired by, another company or organisation, or sell all or a portion of our assets, you consent to your personal information being disclosed to our advisers and any prospective purchaser or any prospective purchaser's adviser. Your personal information may be among the assets transferred in such transactions. However, personal information will always remain subject to this Privacy Policy or a privacy policy with substantially equivalent terms. You will be notified via email and/or prominent notice on our Website of any change in ownership or control of your personal information.

15. YOUR LEGAL RIGHTS

15.1 Privacy Rights Under Singapore Law

15.1.1 Access Rights Under the Personal Data Protection Act 2012 (“PDPA”), you have the right to: (a) Request access to your Personal Data that we hold (b) Understand how your Personal Data has been or may have been used or disclosed by us within a reasonable period before your request (c) Receive your Personal Data in a reasonably accessible format, where feasible (d) Request correction of your Personal Data to ensure accuracy and completeness

15.1.2 Correction Rights (a) Request correction of inaccurate information (b) Add statements about disputed information (c) Have corrections communicated to relevant third parties (d) Receive confirmation of corrections made

15.1.3 Erasure Rights Request deletion of Personal Data that is no longer necessary for business or legal purposes, subject to statutory retention requirements

15.1.4 Limitations on Information Deletion (a) While we will delete your personal information upon request where legally permissible, we are not responsible for removing your personal information from the lists of any third party who has previously been provided your information in accordance with this Privacy Policy. These third parties may include, but are not limited to, reference laboratories and service providers who have their own data retention obligations

(b) You may need to contact these third parties directly to request deletion of your information from their systems.

15.2 Complaint and Review Rights

15.2.1 Internal Complaints You have the right to: (a) Lodge complaints about privacy practices (b) Request investigation of privacy concerns (c) Receive written responses to complaints (d) Have complaints escalated if unsatisfied

15.2.2 External Review If you remain unsatisfied after our internal review, you may: (a) Complain to the Personal Data Protection Commission (PDPC) (b) Seek independent review of our data protection practices by the PDPC (c) Access dispute resolution or mediation services where appropriate (e.g., via the PDPC or Singapore Mediation Centre) (d) Pursue legal remedies under the Personal Data Protection Act 2012 (“PDPA”) or other applicable Singapore law

15.3 Consent Management Rights

15.3.1 Consent Control (a) Withdraw consent for specific uses (b) Modify consent for particular services (c) Understand consequences of consent withdrawal (d) Receive clear explanations of consent requirements

15.3.2 Choice and Control (a) Opt-out of marketing communications (b) Choose pseudonymous service options (where available) (c) Control information sharing preferences (d) Access alternative service arrangements

16. OPT-OUT RIGHTS AND PREFERENCES

16.1 Communication Preferences

15.1.1 Marketing and Newsletters (a) Opt-out of promotional communications (b) Unsubscribe from newsletters and updates (c) Choose communication frequency preferences (d) Select preferred communication channels

16.1.2 Service Communications Essential service communications cannot be opted out but you can: (a) Choose delivery method preferences (b) Update contact information (c) Request accessible formats (d) Designate preferred contacts

16.2 Data Usage Preferences

16.2.1 Research and Analytics (a) Opt-out of de-identified research participation (b) Exclude data from aggregate analytics (c) Choose not to participate in service improvement (d) Request removal from marketing databases

16.2.2 AI System Improvement (a) Opt-out of AI training data inclusion (b) Request non-AI interpretation services where available (c) Choose traditional interpretation methods (d) Access alternative service arrangements

16.3 Service Participation Choices

16.3.1 Corporate Programs (a) Withdraw from workplace wellness programs (b) Opt-out of corporate communications (c) Choose individual service arrangements (d) Request confidential service delivery

16.3.2 Third-Party Sharing (a) Limit information sharing with healthcare providers (b) Choose specific consent for each disclosure (c) Opt-out of certain Laboratory Partner communications (d) Control referral and follow-up services

17. COMPLAINTS AND FEEDBACK

17.1 Internal Complaint Process

17.1.1 How to Complain Contact our Privacy Officer at: (a) Email: info@i-screen.sg (b) Mail: 90 EU TONG SEN STREET #03-02B Singapore 059811 Information to Include (a) Description of privacy concern (b) Dates and circumstances involved (c) Desired resolution or outcome (d) Supporting documentation if available

17.2 Investigation Process

17.2.1 Our Response (a) Acknowledgment within 48 hours (b) Investigation within 30 days (c) Written response with findings (d) Implementation of corrective measures (e) Follow-up to ensure satisfaction

17.2.2 Resolution Options (a) Correction of information or practices (b) Policy updates and improvements (c) Staff training and education (d) System enhancements for prevention (e) Compensation where appropriate

17.3 External Complaints

17.3.1 Personal Data Protection Commission (PDPC) If you believe your data protection concerns have not been properly addressed by us, you may contact the PDPC: (a) Website: www.pdpc.gov.sg (b) Phone: +65 6377 3131 (c) Mail: 10 Pasir Panjang Road, #03-01 Mapletree Business City, Singapore 117438

17.3.2 When to Contact PDPC You may contact the Personal Data Protection Commission (PDPC) if: (a) You are unsatisfied with our internal response to your data protection concern (b) You believe a serious data breach involving your Personal Data has occurred (c) You suspect systemic issues in how we handle Personal Data in breach of the Personal Data Protection Act 2012 (PDPA) (d) You require an independent review or enforcement action by the PDPC

18. CONTACT INFORMATION

18.1 Privacy Officer Contact

18.1.1 Primary Contact (a) Email: info@i-screen.sg (b) Mail: 90 EU TONG SEN STREET #03-02B Singapore 059811

18.2 Business Contact Information

18.2.1 Intelligent Screening Pte Ltd trading as i-screen (a) Company Registration No.: 202515455D (b) Registered Office: 90 EU TONG SEN STREET #03-02B Singapore 059811 (c) Website: www.i-screen.sg

18.3 Response Timeframes

(a) General Inquiries: 2-5 business days (b) Privacy Complaints: 30 days maximum (c) Access Requests: 30 days maximum (d) Correction Requests: 30 days maximum (e) Urgent Matters: 24-48 hours

19. POLICY UPDATES AND CHANGES

19.1 Policy Review

This Privacy Policy is reviewed regularly and updated as necessary to reflect: (a) Changes in services and technology (b) Updates to privacy laws and regulations (c) Improvements in privacy practices (d) Feedback from clients and stakeholders

19.2 Notification of Changes

19.2.1 Material Changes (a) 30 days advance notice via email (b) Prominent notice on Website and Platform (c) Clear explanation of changes and impacts (d) Opportunity to review and provide feedback (e) Option to withdraw consent if unsatisfied

19.2.2 Minor Changes (a) Notice on Website and Platform (b) Inclusion in next service communication (c) Updated policy available online (d) No impact on existing service arrangements

19.3 Consent to Changes

19.3.1 Ongoing Consent Continued use of our Services after policy updates constitutes acceptance, except for material changes requiring active consent.

19.3.2 Active Consent Required for (a) Significant changes to data uses (b) New third-party sharing arrangements (c) Changes to international data processing (d) Modifications to consent withdrawal rights

20. FINAL ACKNOWLEDGMENTS

20.1 Policy Integration

This Privacy Policy forms an integral part of our Terms and Conditions and Service Agreements. All related documents should be read together for complete understanding of our privacy practices.

20.2 Governing Law

This Privacy Policy is governed by the laws of Singapore, including the Personal Data Protection Act 2012 (“PDPA”) and any applicable regulations, advisory guidelines issued by the Personal Data Protection Commission (PDPC), and relevant Ministry of Health (“MOH”) directives relating to the handling of health information.

20.3 Contact for Clarification

If any aspect of this Privacy Policy requires clarification or if you need assistance understanding your rights and choices, please contact our Privacy Officer who will provide explanation in accessible formats.

Last Updated: 20th August 2025 Effective Date: This Privacy Policy is effective immediately for all new users and upon next service use for existing users.

By creating an Account, using our Services, or engaging with our Platform, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy and consent to our collection, use, and disclosure of your personal data as described herein.