VERIFLY APPLICATION PRIVACY NOTICE (AIRLINE CARRIERS)

Effective Date: 22 January 2021

Date Last Updated: 15 December 2021

If you are a California resident, please click here for more information about your specific privacy rights.

If you are in the European Union, please click here for more information about your specific privacy rights.

If you are in another territorial region, please refer to Sections 16 to 19 of this Notice for more information about your specific privacy rights.

1. About Us and This Application

Daon is a privately held software company that has pioneered methods for securely and conveniently combining biometric and digital identity capabilities with large-scale deployments that span payments verification, digital banking, wealth, insurance, telecommunications, and securing borders and seamless travel. Daon creates products to help manage identities in six continents, across the full digital identity lifecycle including onboarding, authentication and recovery. Throughout the world, Daon has developed identity assurance software that allows government and commercial enterprises to establish trust that someone is who they claim to be.

The Daon VeriFly Application (“Application”) is a smart digital wellness passport that allows real-time verification of COVID-related credentials such as health questionnaires and diagnostic test results on your mobile device.

2. Our Data Values

Daon understands that you entrust us with your personal information with the expectation that it will be used only for specific purposes. We respect your expectation and place a high priority on protecting this information by limiting its use. At Daon, protecting your privacy is fundamental to the way our company and its subsidiaries conduct our business.

3. Scope of this Privacy Notice

This Privacy Notice (Notice) applies only to the personal information collected by the Application both within the Application and when accessing services online, through Daon’s websites. In the U.S. this Privacy Notice is provided by Daon Inc, in Europe it is provided by Daon Technology and in Asia and Australia it is provided by Daon (Australia) Pty Ltd., Inc (“Daon,” “us,” “we,” or “our”). We collect and process information about you as described in this Privacy Notice ("Notice"). We are committed to protecting the privacy of those with whom we interact. This Notice contains details about how we collect, use, and share Personal Information that we obtain from and about you when you use the Application to represent you have completed all COVID-related travel requirements and streamline the process for boarding certain airline carrier’s international flights. This Notice does NOT apply to any other interactions you have with Daon or the Application, such as if you provide information to obtain other passes through the Application. Please read this Notice carefully.

As part of the Application, we offer individuals a traveller verification service for air travel with certain airline carriers to destinations with COVID-19 travel restrictions. We do not warrant or otherwise guarantee that you will be able to travel to your intended destinations; that the information and data provided to us by you or on your behalf is true and accurate; or that you will not be exposed to COVID-19 when receiving arranged COVID-19 laboratory testing services, at airports, during air travel, or at your intended destination. We do not provide medical advice or services or laboratory services. Individuals with health disorders, medical conditions, or any condition requiring medical supervision, or who receive COVID-19 test results, assume full responsibility for obtaining professional medical assistance. Consult your physician or qualified health care professional regarding any symptoms, medical conditions or test results.

Without limiting anything else herein, we specifically disclaim any express or implied warranties or merchantability of fitness for any particular usage, application or purpose for the traveller verification service, and make no representations with respect to the accuracy, reliability, completeness, timeliness or usefulness of such information. You understand that the traveller verification service depends on the information provided by you or on your behalf. Without limiting anything else herein, we reserve the right to treat such information as true and accurate, and you shall be solely responsible for such information, including its accuracy. We shall not be liable to you or anyone else for any loss or injury caused in whole or in part by procuring, compiling, delivering or reporting such information through the Application. In no event, shall we be liable to you or anyone else for any decision made or action taken or not taken by you or anyone else in reliance on such information available through the Application. At all times, you remain fully responsible for ensuring you satisfy all travel requirements set by your airline carrier and your destination country.

Whenever you interact with us on behalf of another individual or entity, such as by providing or accessing Personal Information about another individual, you represent that you are authorized to share the other individual’s Personal Information and your interactions and exchanges comply with applicable data protection laws. Whenever you interact with us on behalf of a minor, such as by providing or accessing Personal Information about a minor, you represent that you are authorized to act in the capacity of a parent or guardian of the minor and consent to the processing of the minor’s Personal Information, including Protected Class information, such as health information, and the transfer of their Personal Information out of its originating country to a third party country for the purpose of providing the services in our Application. Full details of the location where data will be transferred can be found in Section 20 below. You shall have sole responsibility for any violation of privacy laws as a result of a failure to inform the other individual about how their Personal Information will be processed or to obtain any necessary consent from such individual.

We may update this Notice from time to time. The current Notice will be effective when posted. Please check this Notice periodically for updates. If any of the changes are unacceptable to you, you should cease interacting with us. When required under applicable law, we will notify you of any changes to this Notice by posting an update on this page. When required under applicable law, we will seek affirmative consent from you before making material changes to the way we handle Personal Information previously collected from you. If you do not provide such consent, Personal Information will continue to be used in a manner that is consistent with the version of this Notice under which it was collected.

4. Your Data Controller

For the purposes of this Notice Daon Technology is the controller for the personal information we process, unless otherwise stated. For all data protection enquiries and/or concerns in connection with your EU privacy rights please contact our Data Protection Officer at privacy@daon.com or any of the other ways to contact us at Section 13 as might apply to you.

Your Airline Carrier is the controller of any US CDC Passenger Disclosure Attestation data, where applicable, which will be processed in accordance with your Airline Carrier’s privacy policy and as provided for herein.

5. Sources of Personal Information

Personal Information refers to any information relating to an identified or identifiable natural person or household.

We collect information about you and how you interact with us in several ways, including:

1. Information you provide to us directly. We collect the information you provide to us directly, such as when you provide information in order to obtain credentials or contact us.
2. Information from third parties. With your consent, we may receive information about you from third parties, such as health test laboratories.
3. Information automatically collected or inferred from your interaction with us.We automatically collect technical information about your interactions with us (such as IP address, mobile device make, model and version, and browsing preferences).

We may combine information that we receive from the various sources described in this Notice and use or disclose it for the purposes identified below.

6. Types of Personal Information We Collect

The types of information that we may collect about you are:

1. Identifiers, such as your name, email address, picture, online identifier, internet protocol address, travel authorization confirmation reference number from destination country, or other similar identifiers. With your consent we may also process the GPS location of your device.
2. Personal information subject to the California Consumer Records Act, such as date of birth, travel authorization information, and COVID health information you provide which may include COVID tests (including date, time, and type of test), COVID vaccination information (including type and date(s)), or government COVID Digital Certificate (including COVID test information, COVID vaccine information, or medical certificate detailing previous COVID illness)
3. Protected Class and Demographic information, such as age, race, gender, nationality, and health information.
4. Commercial information and preferences, including flight information and information on the COVID testing center you used.
5. Internet or other electronic network activity information, such as information regarding your interactions with us online, through the mobile Application, and through advertisements. For more information, see Section 9 below.
6. Audio, electronic, visual, thermal, olfactory or similar information, such as call center recordings.
7. Payment and fraud detection information, such as bank account details, cardholder name, billing address, payment card details, transaction details and location.

7. How We Use Your Personal Information

We may use each category of your information described above in the following ways:

1. To enable interactions between you and us, such as to provide you with services and support your interactions with us – namely to enable you to demonstrate you have completed all COVID-related travel requirements, including obtaining a COVID vaccine or negative COVID test as required by the destination country. We may also use your information to diagnose, repair and track service and quality issues; provide requested product information; communicate with you about your account or our data practices; install and configure changes and updates to programs and technologies related to interactions with us; authenticate those who interact with us; or to respond to your requests, complaints, and inquiries; to process payments for paid services and to monitor, prevent and detect fraudulent payment transactions.
2. For our own internal business purposes, such as to evaluate or audit the usage and performance of our services and technologies; quality improvement; design new services; process and catalogue your responses to surveys or questionnaires; perform research for technological development and demonstration; conduct data analysis and testing; and to maintain proper business records and other relevant records.
3. For legal, safety, or security reasons, such as to comply with legal requirements; protect our safety, our property or rights of those who interact with us, or others; and detect, prevent, and respond to security incidents or other malicious, deceptive, fraudulent, or illegal activity.
4. In a de-identified, anonymized, or aggregated format. When converted to a de-identified, anonymized, or aggregated format, data no longer constitutes Personal Information in certain jurisdictions, and we may use this information for any purpose as legally permissible.
5. For any other purposes for which you provide consent.

8. With Whom We Share Your Personal Information

We may share your Personal Information with the categories of recipients described below:

1. Affiliates and subsidiaries: We may share your Personal Information within our group of companies, which includes parents, corporate affiliates, subsidiaries, business units and other companies that share common ownership for the purposes described above.
2. Third party service providers: We may share your Personal Information with third party service providers working on our behalf in order to facilitate our interactions with you or request or support our relationship with you, such as hosting service providers, IT providers, operating systems and platforms, internet service providers, analytics and technology development companies, and marketing providers (e.g., we may share your email address with our outbound email marketing provider). We may contract with other companies to provide certain services, including identity verification, health data review, email distribution, technology development, market research, promotions management, and payment processing. We provide these companies with only the information they need to perform their services and work with them to ensure that your privacy is respected and protected. A full list of third party service providers is available on our website.
3. Your Airline Carrier: We may share your Personal Information with your Airline Carrier to demonstrate you have completed all COVID-related travel requirements, including obtaining a COVID vaccine or negative COVID test as required by the destination country, and otherwise to facilitate your travel including using online check-in. Where we share Personal Information with your Airline Carrier, your Airline Carrier will be an independent controller of this Personal Information which it will process in accordance with its privacy policy.
4. For legal, security and safety purposes: We may share your Personal Information with third parties such as law enforcement or other government agencies to comply with law or legal requirements; to enforce or apply our Terms of Use and other agreements; and to protect our rights and our property or safety of our users or third parties. For trips to Hawaii, at your request, we will share your Personal Information (travel health requirements) with the Hawaii government Safe Travel Program, when you enter your VeriFLY unique Hawaii travel confirmation code into the Hawaii Safe Travel Program online system.
5. In connection with a corporate transaction: If we sell some or all of our assets, merge or are acquired by another entity, including through a sale or in connection with a bankruptcy, we will share your Personal Information with that entity.
6. With your consent: We may share your Personal Information with other third parties with your consent.

We may also de-identity, anonymize, or aggregate Personal Information to share with third parties for any purpose as legally permissible.

In order to provide you with the services in our Application, your personal data, including health data, may be transferred out of your originating country to a third party country. Full details of the location where data will be transferred can be found in Section 20 below.

9. How We Use Cookies and Automatic Data Collection Tools

We also collect (and may permit third parties to collect via our Application or website) information, via cookies, web beacons, pixels, tags or other tracking technologies, such as your Internet Service Provider and IP address, the date and time you access our Application or website, the pages you accessed while visiting our Application or website, and the Internet address from which you accessed our Application or website. Some cookies exist only during a single session and some are persistent over multiple sessions over time. We use these technologies to remember user preferences, maximize the performance of our Application, website and/or services, provide you with offers that may be of interest to you, measure the effectiveness of our email campaigns and to personalize online content. These cookies and other technologies may be used to track you across devices and across other apps or websites over time.

To provide you with more relevant and interesting experience, we may work with third party companies to display ads or customize the content on the Application or website and on other apps or websites. These companies may use cookies and similar tracking technologies as described in this Notice to gather information about your visits to the Application or website, as well as your visits elsewhere on the Internet. These companies use this information to provide you with more relevant advertising known as interest-based advertising. For more information about third-party advertisers and how to prevent them from using your information, please visit http://www.networkadvertising.org/choices/. This is a site offered by the Network Advertising Initiative ("NAI") that includes information on how consumers can opt-out from receiving interest-based advertising from some or all of NAI's members. The Digital Advertising Alliance (“DAA”) offers a choice mechanism with respect to certain types of data collection and use by third parties available at www.aboutads.info. Opting out of interest-based advertising will not opt you out of all advertising, but rather only interest-based advertising from us or our agents or representatives.

Some browsers have incorporated Do Not Track (“DNT”) preferences. Most of these features, when turned on, send signals to the website you are visiting that you do not wish to have information about your online searching and browsing activities collected and used. As there is not yet a common agreement about how to interpret DNT signals, we do not honour DNT signals from website browsers at this time. However, you may refuse or delete cookies. If you refuse or delete cookies, some of our website functionality may be impaired. If you change computers, devices, or browsers, or use multiple computers, devices, or browsers, and delete your cookies, you may need to repeat this process for each computer, device, or browser. Please refer to your browser’s Help instructions to learn more about how to manage cookies and the use of other tracking technologies.

10. Security and Retention

We maintain reasonable security procedures and technical and organizational measures to protect your Personal Information against accidental or unlawful destruction, loss, disclosure, alteration, or use.

We will retain your personal information, for no longer than is necessary to enable you to use the Application, unless we need to keep your information to comply with applicable legal, regulatory, or other obligations, or the information is required for business reasons (such as to resolve disputes, provide service and enforce agreements). In any event, we will retain your information for the period stated in our retention schedule on our website, at which point Daon will take steps to securely and permanently dispose of your personal information, according to applicable laws and regulations. 

11. Children's Privacy

Interactions with us are intended for individuals 18 years of age and older. Our interactions are not directed at, marketed to, nor intended for, children under 18 years of age. We aim to ensure, though we cannot guarantee, that personal information relating to children is not inadvertently provided to us by taking reasonable measures to establish data quality. If you suspect that personal information relating to a child aged less than 18 who is under your parental control or guardianship has been provided to us, please report this to us by using one of the Contact methods at Section 13 below. In all cases where we may inadvertently be provided with personal information relating to children, the information in the relevant parts of this Notice applies to children, as well as adults.

12. External Links

When interacting with us you may encounter links to external sites or other online services, including those embedded in third party advertisements or sponsor information, that we do not control. We are not responsible for the privacy practices and data collection policies for such third-party services. You should consult the privacy statements of those third-party services for details.

13. Contact Info/Your Choices

If you have questions regarding this Notice, please contact us at:

• EMAIL: privacy@daon.com
• U.S. MAIL: 4097 Monument Corner Drive, Suite 550. Fairfax, VA 22030
• EU MAIL: IFSC House, Custom House Quay, Dublin 1, Ireland
• Australia MAIL: Suite 65, Level 1, 10-12 Lonsdale Street, Braddon ACT 2612, Australia

To opt-out of receiving promotional email messages from us, please click on the "Unsubscribe" link contained at the bottom of each email or by contacting us using the information above.

14. Your California Privacy Rights

This Section applies only to California residents whose information is subject to the California Consumer Privacy Act and supplements the information provided above.

Sources of Personal Information

The categories of sources of Personal Information are detailed in Section 6 above.

Uses of Personal Information

The business and/or commercial purposes for which we collect Personal Information are detailed in Section 7 above.

Sharing Personal Information

The categories of third parties to whom we disclose Personal Information for a business purpose are detailed in Sections 7 and 8 above and summarized below.

California Consumer Privacy Act Rights

Subject to legal limitations, certain California residents may exercise the following rights by emailing us at privacy@daon.com or by writing us at 4097 Monument Corner Drive, Suite 550. Fairfax, VA 22030.

• Right to Know.You have the right to request information about the categories of Personal Information we have collected about you, the categories of sources from which we collected the Personal Information, the purposes for collecting the Personal Information, the categories of third parties with whom we have shared your Personal Information, and the purpose for which we shared your Personal Information ("Categories Report"). You may also request information about the specific pieces of Personal Information we have collected about you ("Specific Pieces Report").
• Right to Delete. You have the right to request that we delete Personal Information that we have collected from you.
• Right to Opt Out. We do not sell Personal Information (including the Personal Information of anyone under 16 years of age). Should this change at any point in future we will update this Notice, notify you of any changes, and provide you with the appropriate mechanism to exercise your right to opt-out from the sale of your personal information.

You may submit a request to exercise your Californian privacy rights to us by using any of the contact methods at Section 13 as might apply to you. We will not discriminate against you, in any manner prohibited by applicable law, for exercising these rights.

When making a request, please provide the following information:

• First and Last Name
• Email Address
• Type of request you are making

Verification: In order to exercise your rights, we will need to obtain information to locate you in our records or verify your identity depending on the nature of the request. If you are submitting a request on behalf of a household, we will need to independently verify each member of the household. For a Specific Pieces Report, we will request Personal Information sufficient to verify your identity to a reasonably high degree of certainty and will seek a signed declaration, under penalty of perjury, that you are who you say you are. In most cases, we will seek to match at least three data points to information we already have about you for this verification process. For a Categories Report or a Request to Delete, we will request Personal Information sufficient to verify your identity to a reasonable degree of certainty. In most cases, we will seek to match at least two data points to information we already have about you for this verification process.

In certain circumstances, we may require additional or different data in order to verify your identity. If you make a request (1) for a Specific Pieces Report, (2) as an authorized agent, or (3) on behalf of a household, we will contact you via email following your initial request to obtain information specifically needed for your type of request.

Authorized Agents: Authorized agents may exercise rights on behalf of consumers. If you are an Authorized Agent, we will request proof from you that you are authorized to act on behalf of the consumer (such as a written and signed authorization from the consumer) and may also seek to verify the consumer as described above, or we will accept a legal Power of Attorney under the California Probate Code. We will also require evidence of your (the agent's) identity and proof of registration with the California Secretary of State.

Timing: We will respond to Requests to Delete and Requests to Know within 45 calendar days, unless we need more time, in which case we will notify you and may take up to 90 calendar days total to respond to your request.

California Shine the Light: If you are a California resident, you may opt out of sharing your Personal Information with third parties for the third parties' direct marketing purposes. Please contact us at privacy@daon.com if you would like to do so.

15. Your EU Privacy Rights

Pursuant to the EU General Data Protection Regulation (GDPR) below is specific information which relates to the processing of personal information of data subjects who are in the EU. This section references relate to the sections above in this Notice.

Purpose of Processing

The business and/or commercial purposes for which we process personal information are detailed in the Section 7 and are part of the following general purposes: (a) performing services, (b) auditing, (c) legal and compliance, (d) quality assurance, (e) security, (f) debugging, (g) short term, transient use, (h) internal research, and (i) corporate transactions.

If we intend to process your personal information for any additional purpose(s), we will provide you with information on the other purpose(s) and seek your prior consent.

Legal Basis

The legal basis for the processing of your personal data is one of the following:

• consent, or
• to provide the service for which you entered into a contract with us when you accepted the terms and conditions of the End User Licence Agreement (EULA) when you downloaded the Application or
• to comply with a legal obligation to which we are subject.

Please note that the provision of personal information is a requirement of the contract you entered into with us when downloading the Application and is necessary to enable us to provide our services to you through the Application. Where you have provided your consent for us to process your personal information, you have the right to withdraw your consent at any time.

The legal basis for the processing of your Protected Class Information is as follows:

• Health data on the basis of your consent obtained when you uploaded the data into the Application and accepted the privacy policy; or
• Processing is necessary for reason of public interest in the area of public health

Sharing Personal Information

The categories of third parties to whom we disclose personal information for a business purpose are detailed in the Section 8 and are summarized as follows: (a) affiliates and subsidiaries, (b) third party service providers, (c) legal, safety, and security, (d) corporate transactions, (e) with third parties from whom you seek credentials, and (f) otherwise with your consent.

Transfer of Personal Information

We store your data within the European Economic Area/European Union. Personal information of EEA Citizens may be processed by Daon Inc. in the U.S., Daon (Australia) Pty Ltd. in Australia, and Daon Ltd. Belgrade in Serbia for the purpose of providing customer service and support and to enable us to provide our services to you through the Application. Full details of data transfers out of originating country can be found in Section 20.

Appropriate safeguards are in place via standard data protection clauses adopted by the EU Commission signed between Daon Inc., Daon (Australia) Pty Ltd. and Daon Ltd Belgrade with Daon Technology which will be provided on request. If we share your personal data with external third parties outside of the EEA, we use specific contracts with external third parties that are approved by the European Commission for the transfer of personal data to third countries. These contracts require the same levels of personal data protection that would apply under the GDPR. However, any transfer of your data out of the EEA may result in access to this data by local public authorities for monitoring purposes or public health, as permitted under local surveillance or public health laws. 

Data Retention

We will retain your personal information, for no longer than is necessary to enable you to use the Application, and to comply with our legal obligations, resolve disputes, enforce our agreements and for other business reasons permitted by applicable laws and regulations. In any event, we will retain your information for the period stated in our retention schedule, at which point Daon will take steps to securely and permanently dispose of your personal information, according to applicable laws and regulations. 

Data Subject Rights

If you wish to access, correct, delete or update your personal information, restrict or object to processing or exercise a right to data portability (where technically feasible) please refer to the functionality available within the Application on the user profile page or email us at privacy@daon.com. We will respond to reasonable requests in accordance with relevant data protection laws.

Automated Individual Decision-Making

If you choose to share a government Digital COVID Certificate with us, or for your health test laboratory to share your health information with us directly, you consent to our use of individual automated decision making using your special category health data, to determine whether you have met the travel health requirements for your travel destination. If you do not consent or would like to obtain human intervention, please select the alternative method in the Application to provide your COVID health information.

Compliance

We work to high standards when it comes to processing your personal information. If you have any queries or concerns about our approach to protecting your information, we welcome the opportunity to make things right for you and encourage you to contact us by one of the methods at Section 13.

If you are not satisfied with our response, you have the right to lodge a complaint with your national data protection authority.

16. Your EMEA (Non-EU) Privacy Rights

For the purposes of relevant data protection laws and regulations applicable across Europe, Middle East, and Africa (EMEA) region excluding the European Union (EU), below is specific information which relates to the processing of personal information of data subjects located in countries where the Application is available. This section references relate to the sections above in this Notice. The information provided at Section 15 above applies to individuals in EMEA unless otherwise specified with respect to named countries below.

16.1. Israel

Pursuant to the Protection of Privacy Law and associated Regulations the privacy rights outlined at Section 15 above apply to individuals in Israel subject to the specific information below which exclusively relates to the processing of personal information of data subjects who are in Israel. This section references relate to the sections above in this Notice.

Legal Basis

The legal basis for the processing of your personal data is one of the following:

• consent, or
• appropriate notice has been provided to or made available to the data subject; or
• the personal data is necessary to comply with a legal obligation

The legal basis for the processing of your Protected Class Information is as follows:

• Health data on the basis of your explicit consent obtained when you uploaded the data into the Application and accepted the privacy policy and consent form;
• Processing is necessary for reason of public interest in the area of public health.

Data Subject Rights

If you wish to access or to correct your personal information, please refer to the functionality available within the Application on the user profile page or email us at privacy@daon.com. We will respond to reasonable requests in accordance with relevant data protection laws.

Transfer of Personal Information

We store your data within the European Economic Area/European Union. Personal information of Israeli Citizens may be processed by Daon Inc. in the U.S., Daon (Australia) Pty Ltd. in Australia, and Daon Ltd. Belgrade in Serbia for the purpose of providing customer service and support and to enable us to provide our services to you through the Application. Full details of data transfers out of originating country can be found in Section 20.

Appropriate safeguards are in place via derogations such as obtaining your consent, or relying on contractual performance or necessity to establish, exercise, or defend legal claims or other legal mechanisms designed to protect your personal data to standards equivalent to Israeli data protection law, such as entering into a data processing agreement with the recipient of your data abroad. 

16.2. Switzerland

Pursuant to the Federal Act on Data Protection (FADP) and the Ordinance to the Federal Act on Data Protection applicable in Switzerland at the time of writing, Section 15 applies to Swiss data subjects in its entirety subject to the following provision.

Data Subject Rights

If you wish to access, correct, delete or update your personal information, or restrict or object to processing please refer to the functionality available within the Application on the user profile page or email us at privacy@daon.com. We will respond to reasonable requests in accordance with relevant data protection laws.

17. Your Canadian Privacy Rights

Pursuant to the Personal Information Protection and Electronic Documents Act (PIPEDA) the privacy rights outlined at Section 15 above apply to individuals in Canada subject to the specific information below which exclusively relates to the processing of personal information of data subjects who are in Canada. This section references relate to the sections above in this Notice.

Legal Basis

In addition to Section 15, we may rely on the following legal basis for the processing of your personal data:

• Appropriate notice has been provided or made available to you.

The legal basis for the processing of your Protected Class Information is as follows:

• Health data on the basis of your explicit consent obtained when you uploaded the data into the Application and accepted the privacy policy and consent form;

Data Subject Rights

If you wish to access, correct, delete or update your personal information, or restrict or object to processing please refer to the functionality available within the Application on the user profile page or email us at privacy@daon.com. We will respond to reasonable requests in accordance with relevant data protection laws.

Transfer of Personal Information

We store your data within the European Economic Area/European Union.

Personal information of Canadian individuals may be processed by Daon Inc. in the U.S., Daon (Australia) Pty Ltd. in Australia, and Daon Ltd. Belgrade in Serbia for the purpose of providing customer service and support and to enable us to provide our services to you through the Application. Full details of data transfers out of originating country can be found in Section 20.

Appropriate safeguards are in place via standard data protection clauses adopted by the EU Commission signed between Daon Inc., Daon (Australia) Pty Ltd. and Daon Ltd. Belgrade with Daon Technology which will be provided on request. If we share your personal data with external third parties outside of the EEA we use specific contracts with external third parties that are approved by the European Commission for the transfer of personal data to third countries in order to ensure equivalent levels of protection of your personal information.

Compliance

We work to high standards when it comes to processing your personal information. If you have any queries or concerns about our approach to protecting your information, we welcome the opportunity to make things right for you and encourage you to contact us by one of the methods at Section 13.

If you are not satisfied with our response, you have the right to lodge a complaint with the relevant national data protection authority depending on the province where you are located, including the Office of the Privacy Commissioner of Canada, the Office of the Information and Privacy Commissioner of Alberta, Office of the Information and Privacy Commissioner for British Columbia, and the Quebec Information Access Commission.

18. Your APAC Privacy Rights

Pursuant to applicable laws and regulations across the countries in the Asia-Pacific (APAC) region where the Application is available, the privacy rights outlined at Section 15 above apply to individuals located in these countries subject to the specific information below which exclusively relates to the processing of personal information of data subjects who are in APAC. This section references relate to the sections above in this Notice. The Application is not currently available in, and our interactions are not directed at, marketed to, nor intended for citizens of, China or South Korea. The primary applicable laws and regulations for countries where the Application is available in APAC include, but are not limited to:

• Australia – The Privacy Act 1988, Spam Act 2003, and Do Not Call Register Act 2006;
• New Zealand – The Privacy Act 1993;
• Hong Kong – The Personal Data Privacy Ordinance (PDPO);
• Japan – The Act on the Protection of Personal Information (APPI), Supplementary Rules under the Act on the Protection of Personal Information for Handling of Personal Data Transferred from the EU based on an Adequacy Decision, Basic Policy for protecting Personal Information, and the Enforcement Regulation and Order;

Legal Basis

The legal basis for the processing of your personal data is one of the following, depending on the purpose of processing it in accordance with applicable laws and regulations in the respective countries where the Application is available in the APAC region:

• consent, or
• appropriate notice has been provided or made available to you, or
• to provide the service for which you entered into a contract with us when you accepted the terms and conditions of the EULA when you downloaded the Application or
• to comply with a legal obligation to which we are subject.

Please note that the provision of personal information is a requirement of the contract you entered into with us when downloading the Application and is necessary to enable us to provide our services to you through the Application. Where you have provided your consent for us to process your personal information, you have the right to withdraw your consent at any time.

Where the specific country where you are located recognises the concept of Protected Class Information or equivalent, the legal basis for processing such information about you is one of the following, in accordance with applicable laws and regulations:

• Health data on the basis of your (explicit or implied) consent obtained when you uploaded the data into the Application, and accepted the privacy policy and/or consent form; or
• Processing is necessary for reason of public interest in the area of public health.

Transfer of Personal Information

We store your data within the European Economic Area/European Union and may need to disclose your personal information to data processors in accordance with Section 8 above.

We store your data within the European Economic Area/European Union. Personal Information of individuals who are located in the APAC region may be processed by Daon Inc. in the U.S., Daon (Australia) Pty Ltd. in Australia, and Daon Ltd. Belgrade in Serbia for the purpose of providing customer service and support and to enable us provide our services to you through the Application. Full details of data transfers out of originating country can be found in Section 20.

Appropriate safeguards are in place via standard data protection clauses adopted by the EU Commission signed between Daon Inc., Daon (Australia) Pty Ltd. and Daon Ltd. Belgrade with Daon Technology which will be provided on request. If we share your personal data with external third parties outside of the EEA we use specific contracts with external third parties that are approved by the European Commission for the transfer of personal data to third countries in order to ensure equivalent levels of protection of your personal information.

Data Subject Rights

Depending on the specific APAC country where you are located, you may be able to exercise a range of rights in connection with your personal information. The privacy rights available to you under applicable laws and regulations are listed below for each country within the APAC region where the Application is available.

If you wish to exercise your privacy rights, please refer to the functionality available within the Application on the user profile page or email us at privacy@daon.com. We will respond to reasonable requests in accordance with relevant data protection laws.

19. Your Privacy Rights: Latin America and the Caribbean

Pursuant to applicable laws and regulations across Latin American and Caribbean countries and territories where the Application is available, the privacy rights outlined at Section 15 above apply to individuals located in these countries or territories, subject to the specific information below which exclusively relates to the processing of personal information of data subjects who are present in Latin America, including Central and South America and the Caribbean regions. This section references relate to the sections above in this Notice.

Legal Basis

The legal basis for the processing of your personal data is one of the following:

• consent, or
• to provide the service for which you entered into a contract with us when you accepted the terms and conditions of the EULA when you downloaded the Application or
• to comply with a legal obligation to which we are subject.

Please note that the provision of personal information is a requirement of the contract you entered into with us when downloading the Application and is necessary to enable us to provide our services to you through the Application. Where you have provided your consent for us to process your personal information, you have the right to withdraw your consent at any time.

The legal basis for the processing of your Protected Class Information is as following:

• Health data on the basis of your (explicit or implied) consent obtained when you uploaded the data into the Application, and accepted the privacy policy and/or consent form; or
• Processing is necessary for reason of public interest in the area of public health

Transfer of Personal Information

We store your data within the European Economic Area/European Union. Personal Information of individuals who are located in Latin America or the Caribbean may be processed by Daon Inc. in the U.S., Daon (Australia) Pty Ltd. in Australia, and Daon Ltd. Belgrade in Serbia, for the purpose of providing customer service and support and to enable us to provide our services to you through the Application. Full details of data transfers out of originating country can be found in Section 20.

Appropriate safeguards are in place via standard data protection clauses adopted by the EU Commission signed between Daon Inc., Daon (Australia) Pty Ltd. and Daon Ltd. Belgrade with Daon Technology which will be provided on request. If we share your personal data with external third parties outside of the EEA we use specific contracts with external third parties that are approved by the European Commission for the transfer of personal data to third countries in order to ensure equivalent levels of protection of your personal information. Where mandated by applicable laws and regulations, we will request you to expressly provide your consent prior to effecting a transfer of your personal information outside the country where you are located.

Data Subject Rights

Depending on the specific country or territory where you are located in Latin America or the Caribbean you may be able to exercise a range of rights in connection with your personal information. The privacy rights available to you under applicable laws and regulations are listed below for each country within Latin America and the Caribbean where the Application is accessible.

If you wish to exercise your privacy rights, please refer to the functionality available within the Application on the user profile page or email us at privacy@daon.com. We will respond to reasonable requests in accordance with relevant data protection laws.

Note that the countries marked by “n/a” as ‘not applicable’ have not implemented data protection legislation that has entered into force at the time of writing.

20. Transfer of Personal Data out of Originating Country

In some instances, we may need to transfer your data from the originating country to a third-party country for processing. In this case we will request you to expressly provide your consent prior to effecting a transfer of your personal information. The location of this transfer will depend on your originating country as well as the purpose for processing your data. The table below provides full details of the countries where your data will be transferred, depending on your originating country: