1 Introduction

This Data Privacy Policy (“Policy”) describes Aclarion Inc.’s (“Aclarion”) practices relating to the processing of Personal Data that Aclarion obtains from Data Subjects located in the European Union (EU) (hereinafter “EU Personal Data”). If there is any conflict between the policies in this document and any Privacy Principles, the current local jurisdiction and its Data Privacy Laws shall govern.

Capitalized terms are defined in Section 11 of this Policy.

2 Who is responsible

Aclarion, Inc., 951 Mariners Island Blvd #300, San Mateo, USA, is responsible for the processing of personal data described in this privacy policy.

For all data protection requests, please contact:

Aclarion, Inc.

951 Mariners Island Blvd #300

San Mateo, CA 94404

USA

info@aclarion.com

Phone: (650) 241-1741

3 Renewal/Verification

Aclarion will review its Data Privacy Policy annually, unless it subsequently determines that it no longer needs such review or if it employs a different adequacy mechanism.

Prior to a review, Aclarion shall conduct a self-assessment to ensure that its attestations and assertions about its treatment of Individual Patient Personal Data are accurate and that the company has appropriately implemented these practices. Specifically, as part of the verification process, Aclarion will undertake the following:

  1. Review this Policy and its publicly posted website privacy policy to ensure that these policies accurately describe the practices regarding the collection of Individual Patient Personal Data. With respect to the publicly posted website privacy policy, Aclarion will assess that it states that the policy conforms to legislated Data Privacy Principles, and that it is comprehensive, prominently displayed, completely implemented, and accessible
  2. Ensure that the publicly posted privacy policy informs Individual Patients of Aclarion’s participation in the EU – GDPR (General Data Protection Regulation) and where to obtain additional information
  3. Ensure that this Policy continues to comply with EU Data Privacy Principles
  4. Confirm that Individual Patients are made aware of the process for addressing complaints and any independent dispute resolution process (Aclarion may do so through its publicly posted website, Individual Patient consent form, or both)
  5. Review its processes and procedures for training employees about Aclarion’s participation in the EU – GDPR and the appropriate handling of Individual Patient’s Personal Data, as well as processes and procedures for disciplining employees for failure to follow this Data Privacy Policy

Aclarion will prepare an internal verification statement on an annual basis to be signed by an authorized representative of Aclarion. This statement shall be made available upon request by EU Data Subjects, or in the context of an investigation or a complaint about non-compliance.

4 Collection and Use of Personal Data, Data Integrity, and Purpose

Physicians located in the EU may collect EU Personal Data from Individual Patients, subject to such Individual Patients’ lawful consent, and may forward this Personal Data to Aclarion for the purpose of providing a NOCIGRAM-LS™ report. The following data may be obtained and transferred with an Individual Patient’s MRI/MRS record: MRI/MRS images, name, medical record number (MRN), height, weight, and age/birthdate. Per the GDPR rules, this information may be considered sensitive information.

The Physician, as data controller, determines the purposes of processing, what EU Personal Data is relevant for the purposes of processing, and the means of the processing of the EU Personal Data, and Aclarion will process said Personal Data on behalf of and under a written data processing contract concluded between Aclarion and the Physician. Aclarion will use the Personal Data transferred to Aclarion by the Physician for the sole purpose of analyzing the MRI/MRS data and providing a NOCIGRAM-LS™ report.

Aclarion will take reasonable steps to help ensure the integrity of the EU Personal Data. Aclarion and the Physician will also take reasonable steps to ensure that the EU Personal Data is reliable for its intended use, accurate, complete, and current.

5 Disclosures/Onward Transfers of Personal Data

Aclarion may engage other data processors for carrying out specific processing activities with regard to the EU Personal Data transferred by the Physician only under appropriate data processing contracts, as required by EU-GDPR and mirroring the data protection obligations that Aclarion has accepted under the data processing contract concluded between Aclarion and the Physician. Such recipients must agree to abide by confidentiality obligations and treat EU Personal Data as required under the GDPR. Aclarion will take reasonable and appropriate steps to ensure that the data processors use the EU Personal Data in accordance with the agreement and consistent with the GDPR. Should Aclarion receive notice of any unauthorized processing by the data processors, Aclarion will take reasonable and appropriate steps to stop the unauthorized processing and remediate. Aclarion will maintain copies of all of its agreements with data processors to which it transfers EU Personal Data and provide copies of the agreements to the Department of Commerce or other authorities upon request.

Aclarion engages third party service providers (data processors) that provide data storage and transfer services for the purposes of transmitting results (which include EU Personal Data) to the requesting Physician. Aclarion may also engage third party service providers (data processors) to provide it with on-site and cloud data storage services. Such third party service providers may include: Ambra Health and Amazon Web Services.

Aclarion also may only disclose EU Personal Data for other purposes when a Data Subject has consented to or requested such disclosure. Aclarion is liable for appropriate onward transfers of Personal Data to third parties.

Please be aware that Aclarion may be required to disclose EU Personal Data in response to a lawful request by public authorities, including to meet national security or law enforcement requirements.

6 Data Security

Aclarion takes reasonable and appropriate measures to protect EU Personal Data from loss, misuse and unauthorized access, disclosure, alteration, and destruction. In so doing, Aclarion takes into account the risks involved in its processing of the EU Personal Data and the nature of the EU Personal Data it receives.

If Aclarion discloses EU Personal Data to a third party, Aclarion will contractually require that third party to provide the same level of protections to the EU Personal Data as required by the EU-GDPR. Aclarion requires valid SOC 2 Type II reports from all third parties that will transfer or maintain Personal Data.

Any Personal Data transferred by the Physician will be hosted by Ambra Health and AWS. The Ambra Health software transfers the data from the hospital/clinic PACS to the AWS servers where the Aclarion software also resides. The Aclarion software processes the data and Aclarion will perform a QA process on the generated report before releasing the report to be transferred back to the hospital/clinic PACS using the Ambra Health DICOM gateway software. The Ambra Health software associates the report with the patient and adds the report to the patient record. The data resides only on these third-party systems and is not downloaded by Aclarion Employees to any other computer systems.

Both Ambra Health and AWS are compliant with SOC 2. SOC 2 was set up to define the criteria for how external SaaS companies should manage their customer’s data and is commonly used to demonstrate data integrity and security in a cloud environment. SOC 2 defines criteria for managing customer data based upon five “trust service principles” – security, availability, processing integrity, confidentiality and privacy. These reports are independent audits that examine the effectiveness of the system design and whether it is operating as designed.

7 Notification

Aclarion notifies Individual Patients about its adherence to the EU-GDPR and Principles through its publicly posted website privacy policy, available at: https://aclarion.com/ at the “EU Privacy Policy” link.  Physicians collecting Individual Patient data provide Individual Patients with access to / a copy of Aclarion’s Informed Consent form, which provides notice about Aclarion’s data processing practices and its adherence to the Data Privacy & Protection Principles. Physicians obtain Individual Patient consent to Aclarion’s Informed Consent form before disclosing EU Personal Data to Aclarion.

8 Accessing Personal Data

Aclarion personnel may access and use Personal Data only if they are authorized to do so and only for the purpose for which they are authorized.

9 Right to Access, Change, or Delete Personal Data

At any time, if the Individual Patient does not wish for their EU Personal Data to remain with Aclarion, they can contact the prescribing Physician to revoke consent for the use of their EU Personal Data to generate a NOCIGRAM-LS™ report. Upon notification of revocation of an Individual Patient’s consent, the EU Personal Data relating to the patient will be deleted from databases and file servers under Aclarion’s control without undue delay. The Individual Patient can obtain a copy of the Personal Data provided to Aclarion via the prescribing Physician. Requests for access, modification, corrections and completions can be made through the prescribing Physician or via Aclarion’s Privacy Policy Contact provided above. If the accuracy of the EU Personal Data relating to the Individual Patient should be contested, the Individual Patient may also, via the prescribing Physician, request Aclarion to restrict processing of said EU Personal Data for a period of time enabling Aclarion to verify the accuracy of the EU Personal Data.

We will not share your personal data with third parties other than our agents, or use it for a purpose other than for which it was originally collected or subsequently authorized, without your prior written consent.

10 Questions and Complaints

In compliance with the Data Privacy Principles, Aclarion commits to resolve complaints about your privacy and our collection or use of your personal information transferred to the United States pursuant to the current EU-General Data Protection Regulation. European Union individuals with Data Privacy inquiries or complaints should first contact Aclarion at:

Aclarion, Inc.

951 Mariners Island Blvd #300

San Mateo, CA 94404

USA

info@aclarion.com

Phone: (650) 241-1741

If you have any questions about this Data Privacy Policy or about the way Aclarion uses your personal information, contact our EU-Data Privacy Officer at:

Collegium Auditores GmbH

info@collegium-auditores.de

Tel: (+49) 2241 9575935

Aclarion’s Representative in the European Union can be contacted at:

GDPR AV Services UG (limited liability)

Gerstkamp 10

48153 Münster, Germany

viedge@gdprav.com

Tel: (+49) 251 93266180

Aclarion will respond to EU Data Subject inquiries without undue delay and in any event within less than 5 days of receipt of the request. That period may be extended where necessary, taking into account the complexity and number of the inquiries.

11 Policy

This Policy may be amended from time to time, consistent with the EU-GDPR and applicable data protection and data privacy laws and principles. Aclarion will make employees aware of changes to this Policy either by posting to our intranet, through email, or other means. Aclarion will notify Physicians if Aclarion makes changes that materially affect the way Personal Data that was previously collected is handled.

12 Defined Terms

Capitalized terms in this Privacy Policy have the following meanings:

“Individual Patient” means an individual patient in the EU for whom a prescribing Physician intends to receive a NOCIGRAM-LS™ Report from Aclarion. This individual patient can also be considered a “Data Subject,” depending on the circumstance.

“Data Subject” means an identified or identifiable natural living person. An identifiable person is one who can be identified, directly or indirectly, by reference to a name, or to one or more factors unique to his or her personal physical, psychological, mental, economic, cultural or social characteristics.

“Employee” means an employee (whether temporary, permanent, part-time, or contract), former employee, independent contractor, or job applicant of Aclarion.

“Europe” or “European” or “EU” refers to a country in the European Union.

“Personal Data” as defined under Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“General Data Protection Regulation”, “GDPR”) means data relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Personal Data does not include data that is de-identified, anonymous, or publicly available.

“Physician” means the healthcare provider providing or prescribing treatment to the patient in the EU; this includes a member of that prescribing healthcare provider’s team who is authorized to obtain consent.

“Sensitive Data” means Personal Data that discloses a Data Subject’s medical or health condition, race or ethnicity, political, religious or philosophical affiliations or opinions, sexual orientation, or trade union membership. See also Art. 9 GDPR.

“Third Party” means any individual or entity that is neither Aclarion nor an Aclarion employee, agent, contractor, or representative.
