Privacy Policy

1.OUR COMMITMENT TO PRIVACY

Welcome to Luna Navigator (“Luna”), a platform offering a private, personalized data-enabled companion to help you better understand cancer-related information and feel more prepared throughout your journey. Luna has been developed and is offered by Navexio Inc. (“we” or “us”).

To fully support you as a member, we collect your personal information including your personal health information (“PI”). If your Luna plan includes multiple Members forming a circle of care, your trusted loved ones may access your PI.

We recognize the sensitivity of the PI we work with and are committed to maintaining its privacy and confidentiality. We strive to protect your privacy by meeting or exceeding legal requirements, including Ontario’s Personal Health Information Protection Act, where we are based, and Canada’s Personal Information Protection and Electronic Documents Act, as well as the health information protection laws of other Canadian provinces, the United States, the United Kingdom, and the European Union as applicable.

This Statement describes why we collect your PI, how we manage it and how we safeguard privacy in providing Luna services. All of our employees and contractors are bound to protect privacy and confidentiality of all PI that they may access or process.

We have appointed a Privacy Officer for all privacy matters, who can be reached at support@lunanavigator.com to answer your questions and address any concerns.

2.PERSONAL INFORMATION

PI includes any identifying information about you and includes information about your health or health care history that could identify you when used alone or with other information. While some of your PI is not personal health information, we protect all of your PI to that standard.

3.PI WE COLLECT FROM YOU

PI that we collect, use and disclose may include:

• member name, information, date of birth, medical record number;
• name and contact information of trusted loved ones;
• primary cancer, cancer type and subtype;
• diagnosis month and year;
• city, state/province, country and hospital;
• symptoms and concerns, health history, family health history, medical records;
• medications and immunizations, test results, appointment details and notes;
• information related to assessment, diagnosis, medication, and treatment; and
• credit card or other payment information.

With limited exceptions, we obtain most PI from you in the form of documents, messages, texts, files, images and other material entered into or uploaded to the Luna platform. All PI you upload to Luna is “collected” by Luna; however, you are responsible to ensure your comfort in providing this information, and when you upload it, you are consenting to share it with us. Do not include any PI that you do not want to be available to Luna. Occasionally, we may collect information about you from other sources, including your physician or other health care providers, where we have obtained your consent, or are legally permitted or required to.

Luna is offered by Navexio Inc. and as such Navexio clients may choose to integrate their data with Luna.

We will not ask you for more PI than is reasonably necessary to deliver the Luna services.

4.HOW WE USE THE PI WE COLLECT

We primarily use your PI as input to our data-enabled models that support your cancer journey. More specifically, we may use your PI to:

• provide and maintain Luna;
• process Content to extract data;
• index Content for retrieval and search purposes;
• generate responses based on your requests;
• prevent abuse and enforce security;
• test Luna models and outputs;
• obtain payment for services, including from a third party insurer;
• contact you;
• conduct quality assurance and related activities;
• comply with legal and regulatory requirements;
• conduct and publish research that does not identify any Member; and
• fulfil other purposes permitted or required by law to plan, administer and manage our operations.

If we intend to use your information for any other purpose, we will ask for consent before doing so, unless otherwise required or permitted by law. We will never sell your PI or our member list.

5.CONSENT

We will not collect, use, or disclose PI without your consent, unless otherwise required or permitted by law. Consent to the collection, use, or disclosure of PI may be express (meaning we have specifically obtained it from you) or implied (meaning we have reasonably concluded from your actions under the circumstances that you agree).

For consent to be valid, it must be knowledgeable and obtained voluntarily from a person with the capacity to consent. Knowledgeable consent means that it is reasonable under the circumstances to believe that you know the purposes for which we collect, use, or disclose your PI and that you are entitled to give or refuse your consent. If there is something you don’t understand or need more information about, talk to us.

6.SHARING PI

We will not share your PI with anyone else without your consent, although we may use sub-processors to provide the Luna services, in which case they will protect your PI to our standards.

If your services include multiple Members forming a circle of care, your trusted loved ones may be able to access your PI.

7.SAFEGUARDS AND SECURITY

We take appropriate steps to protect the PI in our custody against theft, loss or unauthorized access, use, or disclosure. We also protect the PI against unauthorized copying, modification, or disposal.

We protect your PI through physical and technological security measures and administrative controls. We use (i) reputable cloud providers with security features including file recovery, password protection, watermarking, and viewer history; (ii) firewalls and anti-virus software; and (iii) logging, auditing, and monitoring of all access to PI.

We also abide by Canadian laws that require us to impose restrictions on the availability and use of Luna in of our platform in, and to residents of, certain sanctioned regions and countries.

All of our employees and contractors must comply with our internal privacy policy and certify their compliance annually.

Please note however, that despite our efforts, we cannot guarantee the security of any PI.

8.ELECTRONIC COMMUNICATIONS

Because of the significant privacy risks associated with e-mail and text messaging, you will provide your PI by uploading it to the Luna platform. We do not accept receipt of any PI by email or text.

We will obtain your consent in advance if there is a need to communicate in this manner other than as described above.

9.RETENTION AND DESTRUCTION

We retain your PI for the later of:

• 10 years from the date your subscription has ended; or
• any minimum retention period required by law.

Your PI will not be deleted without the approval of our Privacy Officer, even if you have requested such deletion, since we must always meet our legal obligations to retain PI.

We will archive your records once we no longer actively support you, and these will only be accessible by our Privacy Officer.

If you want your PI to be maintained after you no longer use Luna services, you can indicate that to us.

When we destroy PI, we will take reasonable steps to ensure secure and permanent destruction, whether physical or electronic. If we engage a third party to destroy PI, we will enter into a written agreement that sets out the requirements for secure disposal and requires it to certify that secure disposal has occurred. We maintain a record of all PI that has been destroyed, including the date and manner of destruction.

10.PRIVACY BREACHES

Should we suspect or discover that your PI has been stolen, lost or subject to unauthorized use, access, disclosure, copying, or modification, our first priority will be to identify and contain the breach, assess the harm, and then investigate and remediate so we can minimize harm to you and the risk of similar breaches in the future. If your PI may have been lost or subject to unauthorized access, use or disclosure, we will notify you at the first reasonable opportunity.

11.ACCESS TO PI

You have a general right to access all your PI that you have provided to us.

If you want to access or obtain a copy of such PI, make your request in writing to our Privacy Officer at support@lunanavigator.com. The request must include details about who you are, the records you are seeking and the time frame of those records. The Privacy Officer will give you a copy of the records requested or make an appointment to review the records with you. Our Privacy Officer will always be present when you review original records.

Your right to access your PI is not absolute, and may be denied if:

• the information does not exist or cannot be found;
• denial of access is required or authorized by law; or
• the request is frivolous, vexatious, or made in bad faith.

All PI access requests will be addressed no later than 30 days from the date of the request. If the Privacy Officer refuses access to your records, they will provide you with an explanation.

To protect privacy, we must verify your identity before providing access. We may charge a reasonable cost recovery fee for making PI available and/or providing copies of records. If we choose to do so, we will advise you of the fee in advance of processing your request.

12.KEEPING PI ACCURATE

We take all reasonable steps to ensure all PI is as accurate, complete, and current as necessary to provide Luna services.

We will not routinely conduct updates on PI in our custody, and you are responsible to ensure the accuracy, completeness and currency of your PI. The quality of support that Luna can provide rests directly on the PI it processes.

If you believe your PI is inaccurate, incomplete, or outdated, you may make a written request to the Privacy Officer at support@lunanavigator.com to correct it.

However, we may refuse to correct PI where:

• the record containing the PI was not originally created by us and we do not have sufficient knowledge, expertise, or authority to correct it;
• the request pertains to a professional opinion or observation that a health care provider has made in good faith; or
• the request is frivolous, vexatious, or made in bad faith.

All requests to correct PI will be addressed no later than 30 days after receiving the request. If a correction request is denied, we will provide an explanation for the refusal, and you will be entitled to prepare a short statement of disagreement to append to your record. In addition, you have the right to make a complaint about the refusal to the Information and Privacy Commissioner of Ontario or the data protection authority of your province, state or country.

13.QUESTIONS/CONCERNS/COMPLAINTS

If you have any questions or concerns about the collection, use, disclosure, or protection of your PI, contact our Privacy Officer at support@lunanavigator.com.

We will investigate all written privacy concerns. If a concern has merit, we will take appropriate measures, including, if necessary, disciplinary action and/or amending our privacy practices or safeguards.

If we are not able to address your concern, or if you require further information regarding privacy in Ontario, you may contact the Information and Privacy Commissioner of Ontario. If you are outside of Ontario, contact the data protection authority of your province, state, or country.