Privacy Policy
Effective on: November 1, 2025
Last update: November 1, 2025
By using MEDO (“MEDO” or the “App”), you consent to the collection, use and transfer of your personal data for processing as described in this privacy policy.
This Privacy Policy (“Policy”) explains how Smart Tech and Logistics Limited ("Company", "we," "us," or "our"), collects, uses, discloses, and safeguards your personal information when you visit our website or use our services. This Policy forms part of and is incorporated by reference into our Terms and Conditions.
I. Your Agreement
This Policy applies to the MEDO mobile application, its associated websites, and any services offered through them. By creating an account or using MEDO, you acknowledge and consent that Smart Tech and Logistics Limited acts as the data controller for the collection and processing of your personal information, including certain health-related data, as described in this Policy and in accordance with applicable law.
For users located in the European Economic Area (EEA) and the United Kingdom (UK), this Policy also explains how we comply with the General Data Protection Regulation (GDPR) and the UK-GDPR.
II. Data We Collect
When you create an account or use the App, we collect the information you voluntarily provide, such as your name, email address, and other details needed to operate your account and the service. You may also upload health-related documents, including X-rays or MRIs, laboratory summaries, vaccination records, prescriptions, clinical discharge notes, wellness tracker reports, blood-test results, and other health records, so that the App can analyze and explain them using AI-assisted tools.
We automatically collect certain technical and usage data from your device, such as device type, operating system, IP address, and App interaction metrics. We do not collect web-browsing history outside the App. We may use cookies and similar technologies as described in Section VI.
III. How We Use Your Data
We use your personal and health information to operate and improve the App and to provide you with the services you request. Specifically, we process information to analyze uploaded health-related documents, generate AI-based insights, personalize your user experience, and maintain your account. We also use information to troubleshoot issues, measure usage, enhance features, and ensure platform security.
Certain processing is required for legal and regulatory compliance, such as responding to lawful requests, maintaining audit logs, or protecting against misuse. We may send you administrative notices, respond to inquiries, and provide customer support. We do not use protected health information or other sensitive data for advertising or profiling without your explicit consent where required by law.
IV. HIPAA, Consumer Health Data, and Privacy
The Company is not a HIPAA-covered entity and MEDO is not a medical device. We act as a Business Associate only when we are required to execute a written Business Associate Agreement (BAA) with a HIPAA-covered entity by law. Under a BAA, we access and use only the minimum necessary protected health information (PHI), for example, limited scheduling or document-processing data, and we safeguard that information using administrative, technical, and physical controls that align with HIPAA standards.
If the Company, while acting as a Business Associate, discovers a breach of unsecured PHI, it will notify the covered entity and affected individuals without unreasonable delay, and no later than 60 days, as required by law.
To the extent the Company collects consumer health data that is not subject to HIPAA, it will comply with the Federal Trade Commission’s Health Breach Notification Rule and with applicable state consumer health data and privacy laws, including rights to access, delete, or opt out where required. To the extent we handle ‘medical information’ as defined by California’s CMIA outside HIPAA scope, we will comply with CMIA confidentiality and breach obligations.
If a security incident constitutes a “breach” under U.S. federal or state law, we will notify affected individuals and the relevant authority as required by law.
The Company does not collect, retain or sell PHI or consumer health data for advertising purposes. The Company does not share such information for targeted advertising without your express written consent, where required by law. We may share personal information for cross-context behavioral advertising only with your opt-in consent. California residents can opt out at ‘Do Not Sell or Share My Personal Information’ and can ‘Limit the Use of My Sensitive Personal Information.’ We honor Global Privacy Control signals.
If you suspect a data security incident, please contact the Company at [privacy@domain.com]. Do not include PHI or other sensitive data in such emails.
Subprocessors that handle PHI or other health data are contractually required to maintain equivalent privacy and security standards and to sign data-processing agreements incorporating Standard Contractual Clauses (SCCs) where required for cross-border transfers. If there is any inconsistency between this Policy and a BAA or a medical group’s Notice of Privacy Practices, the document providing stronger protection for PHI will control.
For individuals in the EEA or UK, we process personal data under the GDPR/UK-GDPR.
If you provide us with your credit card information, the information is encrypted using secure socket layer technology (SSL) and stored with AES-256 encryption. Although no method of transmission over the Internet or electronic storage is 100% secure, we follow all PCI-DSS requirements and implement additional generally accepted industry standards.
Where personal data originating in the European Economic Area is processed outside the European Economic Area, in a territory that has not been designated by the European Commission as ensuring an adequate level of protection pursuant to applicable Privacy Law, we agree that the transfer shall be undertaken pursuant to this section, which we shall maintain in full force and effect.
All processing is performed in accordance with the highest security regulations.
V. California Notice at Collection
This Notice is provided pursuant to the California Consumer Privacy Act (as amended by the CPRA). It explains the categories of personal information we collect, the purposes for which we use it, our retention practices, and your rights to opt out.
We collect identifiers (such as name, email, and IP address), commercial information (such as order history), internet activity (such as usage data), approximate geolocation, and sensitive personal information (such as uploaded health data).
We use this information to operate and improve our services, communicate with you, fulfill transactions, personalize your experience, and comply with legal and security obligations. We retain information only as long as reasonably necessary to fulfill these purposes or as required by law. Uploaded health-related documents are stored for analysis and your ongoing access history, after which they may be archived or deleted in accordance with our retention policy.
VI. Cookies
The App may use cookies and similar technologies (functional tokens, analytics SDKs, such as Firebase Analytics or Azure Application Insights) for security and performance analytics only. They may collect limited App-usage information (such as error logs or performance metrics) but do not track your activity outside the App. If consumer health data laws consider this kind of tracking to be sensitive, the Company will obtain your consent before enabling such technologies. Users may manage analytics or tracking preferences through the App’s settings menu or device privacy controls. The Company does not disclose PHI to third-party analytics or advertising platforms. Tracking technologies are disabled on authenticated pages and on any page that collects health information unless we have a BAA with the vendor or the data is de-identified per HIPAA.
VII. Retention
We retain personal information only as long as reasonably necessary to provide services, meet legal obligations, resolve disputes, and enforce our agreements. Retention periods vary depending on the category of information and applicable laws.
Health-related documents: Uploaded files are stored for the time needed to generate your analysis and to enable access to your historical reports, after which they may be archived or deleted in accordance with our data retention practice.
If we are required by law or contract to retain certain records, we will do so securely and limit access to those records until destruction is permitted.
We maintain a records-retention schedule that specifies legal and operational retention periods for each category of data.
Sale or Sharing of Personal Information
We do not sell personal information. We may share limited data for cross-context behavioral advertising only with your opt-in consent. California residents may exercise rights to access, correct, delete, or limit the use of sensitive information by contacting [privacy@domain.com] or by using the “Do Not Sell or Share My Personal Information” link in the App. We honor Global Privacy Control (GPC) signals.
VIII. Third-Party Services
Generally, the third-party providers we use will only collect, use, and disclose your information as necessary to perform specific services they provide to us. These providers are bound by written agreements requiring confidentiality and data-processing terms consistent with GDPR and U.S. privacy laws, HIPAA-level safeguards where applicable, and compliance with Standard Contractual Clauses (SCCs) or other approved transfer mechanisms for data exported outside the EEA or UK.
We may disclose information to comply with laws, regulations, or legal processes, or to protect the rights, property, or safety of users and the public.
Keep in mind that some providers may be located in, or have facilities in, a different jurisdiction than you or us. If your data is transferred outside your country, we implement appropriate safeguards to protect it in accordance with applicable laws.
IX. Your Rights
Depending on your location, you may have rights to access, correct, delete, or export your personal data. You can exercise these rights by contacting [privacy@domain.com]. We verify each request and respond within legally required timeframes. We may retain limited information to comply with legal or contractual obligations.
EU and UK users may exercise rights under Articles 15 to 21 of the GDPR/UK-GDPR by contacting the same email address. All requests are processed free of charge within statutory deadlines.
X. Managing and Deleting Your Personal Data
You can request to edit, update, access, or delete your information by emailing us at [privacy@domain.com]. We will respond within timelines required by applicable law and will delete or de-identify personal data as required. We do not retain data longer than necessary for its intended purpose or as required by law.
Unless retention is required by law, we delete or de-identify personal data within 30 days after it is no longer needed for its original purpose or a legitimate business purpose, including (a) when the data is no longer necessary to provide our services, (b) when your account with us is deleted, or (c) when deletion is otherwise required by law.
You may request a free, electronic copy of your Personal Data. We will provide it in a commonly used and machine-readable format, allowing you to transfer it to another company.
California residents have additional rights regarding sensitive personal information and may request to limit its use by emailing [privacy@domain.com].
XI. Age of Consent
By using this App, you confirm that you are at least the age of majority in your state or province of residence. We do not knowingly collect personal data from children under 13 and the services are not directed to them.
The App is designed for use by adults and is not intended for children to register or use directly. Parents or legal guardians may, however, upload or manage their child’s health-related documents through their own accounts for the purpose of analysis and record management. In such cases, we collect only the information that the parent or guardian voluntarily provides, which may include the child’s name, date of birth, and the health information contained in the uploaded documents. This information is processed solely to deliver the requested service and in accordance with this Policy.
We do not knowingly allow children under the age of 13 to create their own accounts or to use the App independently, and we do not knowingly collect personal information directly from children. If we learn that personal information has been submitted to us by a child without verified parental consent, we will delete that information promptly. Parents or guardians who have created an account on behalf of a minor may review, correct, or delete their child’s information at any time by contacting [privacy@domain.com] or through the account interface, and we will respond within the timelines required by applicable law.
All health-related or personal information about a child that is provided by a parent or guardian is protected in the same way as any other information under this Policy. We do not use children’s data for advertising, profiling, or any commercial purpose beyond providing the requested service. If a parent or guardian deletes their account or requests deletion of their child’s information, we will remove the child’s registration information, uploaded documents, and related activity data, subject to any legal or contractual record-retention requirements.
If you believe that we may have collected a child’s personal information in error or without proper authorization, please contact us immediately at [privacy@domain.com] so that we can investigate and take appropriate action.
XII. Changes to this Policy
We reserve the right to modify this Policy at any time, so please review it frequently. Changes and clarifications will take effect immediately upon their posting on the App. Material changes will be announced via an in-App banner or notification at least 30 days before the new Policy takes effect. Continued use of the App after having been informed of any such changes to these conditions implies acceptance of the revised Policy. This Policy is an integral part of our Terms of Use.
If our Company is acquired or merged with another company, we may disclose your Personal Data to our prospective or actual purchasers, investors, or successor entities in connection with a contemplated reorganization or an actual reorganization of our business, in connection with financing, a sale, or other transaction involving the disposal of all or part of our business or assets, including for the purpose of permitting the due diligence required to decide whether to proceed with a transaction, pursuant to assurances of sufficient data handling practices and safeguards.
Residents of the European Economic Area: Our disclosure is limited to situations where we are permitted to do so under applicable European and national data protection laws and regulations.
XIII. Questions and Contact Information
If you would like to access, correct, amend or delete any personal information we have about you, register a complaint, or simply want more information, contact us at [privacy@domain.com].
We have a Data Protection Officer/Representative who is responsible for matters relating to privacy and data protection. This Data Protection Officer can be reached at the following email address: [privacy@domain.com].
XIV. Miscellaneous
A. Headings and Interpretation
Section headings are for convenience only and do not affect interpretation. References to parties, persons, entities, or corporations include appropriate gender and number as needed.
B. No Waiver
Failure to enforce any provision of this Policy does not constitute a waiver of that provision or any other provision in the Policy.