Privacy Statement

This privacy statement applies to the processing of personal data as (joint) controllers within the
meaning of the General Data Protection Regulation (“GDPR”) by the following entities:

– Cassini Technologies B.V. (KvK number: 70847932), based at Anna van Buerenplein 40 A,
2595DA The Hague
– Cassini USA Inc, located at 144 Gould Street #205, Needham, MA 02494 USA

hereinafter collectively referred to as “Cassini”. Joint controllership means that the entities above, jointly
determine the purpose and means of processing personal data. Based on internal policies, the different
roles and responsibilities of these entities are defined.

This privacy statement applies to the processing of personal data of:
I. Website visitors
II. Customers
III. Applicants
IV. Medical specialists
V. Patients
VI. Partners & distributors
VII. Suppliers

Cassini considers the protection of your privacy important. Cassini has therefore prepared, among other
things, this privacy statement. The purpose of this privacy statement is to be transparent about how
Cassini collects, uses and protects your personal data in accordance with Articles 13 and 14 of the
GDPR.

What are personal data?
Under the GDPR, personal data is any information about an identified or identifiable natural person. This
means that information is either directly about someone or can be traced back to that person.

For what purposes do we process personal data?
We process your personal data only for specified, explicit and legitimate purposes. Below you will find
more information on the different purposes for each category of data subject.

I. WEBSITE VISITORS
1. For answering your questions when you contact us, for example through the contact form on the
website

What personal data do we process for this purpose?
We only process the personal data you provide to us, for example through a web form. This may include,
for example, name, contact details and the information you provide in your message/during our contact.

2. To download a brochure, sign up for our newsletter or schedule a demo

What does this purpose entail?
We think it is important to share our knowledge. That is why we process your personal data, for example,
when you subscribe to our newsletter via our website or download our brochure. We also process your
personal data to contact you to schedule a demo. The legal basis for this purpose is your consent (article
6 paragraph 1 sub a GDPR).

What personal data do we process for this purpose?
We process your first name, e-mail address, interest, employer and position, organisation type and
country for this purpose.

3. For analysis and to develop our website, products and services (through functional and analytical
cookies)

What does this purpose entail?
We also process personal data of yours, which you provide to us indirectly. This is because our website
uses cookies for functional and analytical purposes. The functional cookies are necessary for the use of
the website.

The legal basis for analytical cookies is consent, which you give by agreeing to our cookie terms in the
cookie banner on the website (Article 6(1)(a) GDPR) or, in the case of functional cookies, our legitimate
interest in a well-functioning and secure website (Article 6(1)(f) GDPR).

What personal data do we process for this purpose?
To do so, we process your location data, IP address or app IDs, internet browser and device type and
website language.

International transfer
To process personal data through the cookies, we use Google in the United States. This means that
there is an international transfer. We have put in place appropriate safeguards by agreeing the model
contract as approved by the European Commission (Standard Contractual Clauses, C(2021)3972) with
our processor.

II. CUSTOMERS
We process personal data of customers, their employees, contact persons and third parties engaged by
them. The customer is responsible for informing third parties engaged by the customer of the content of
this privacy statement. A copy of this privacy statement can be found on our website.

1. To perform our services/agreement (day-to-day business operations)

What does this purpose entail?
For the performance of our services, including making a quotation / purchase order, financial
administration (such as invoicing, calculating and recording fees and expenses, making payments,
collecting receivables and paying our invoices), scheduling appointments and delivering goods, services
or installing software, we process personal data of the customer or her contacts. This allows us to
perform our services efficiently and effectively and maintain contact with you. The processing of personal
data for this purpose is necessary for the conclusion or performance of a contract with you (Article
6(1)(b) GDPR), our legitimate interest in the efficient and effective performance of our services (Article
6(1)(f) GDPR) and the fulfilment of our statutory administration obligations (Article 6(1)(c) GDPR).

What personal data do we process for this purpose?
For this purpose, we process your name, salutation, position, telephone number, employer, e-mail
address and other relevant information provided during the execution of the agreement.

2. For taking a course through our online environment

What does this purpose entail?
We think it is important to share our knowledge. It is therefore possible to take courses via our online
environment. For this, we process your personal data (e.g. for registration). The legal basis is our
legitimate interest to provide courses to share knowledge (Article 6(1)(f) GDPR).

What personal data do we process for this purpose?
We process your name, salutation, position, phone number, employer, e-mail address, meta data about
the course taken, such as the score and whether the course was taken.

3. Communication purposes, including customer service

What does this purpose entail?
Our website contains our contact details and we use web forms. This allows you to contact us. When
you contact us and/or fill in a web form, we process the personal data you provide in order to contact
you and answer your question. In addition, contact during the course of our services may also be
important or occur in other areas, for example to handle questions about the software or our agreement.
The legal basis for this processing lies in our legitimate interest to contact you in response to your query
(article 6 paragraph 1 sub f GDPR).

What personal data do we process for this purpose?
We process your name, address, phone number, e-mail address, any job title and the information you
provide in your message/during our contact for this purpose.

4. Marketing

What does this purpose entail?
If you give us your consent, we may use your personal data for Cassini’s marketing activities. For
example, we may send you marketing emails (our newsletter). Should you no longer wish to receive our
marketing messages or newsletter, you can use the opt-out at the bottom of the e-mail. The legal basis
for this processing our legitimate interest to undertake marketing activities (Article 6(1)(f) GDPR).

What personal data do we process for this purpose?
We process your e-mail address, name, employer, position, phone number and e-mail pixel (reading
behaviour) for this purpose.

III. APPLICANTS

1. For a responsible, effective and efficient recruitment and selection process

What does this purpose entail?
To recruit and select new employees or contractors (self-employed persons without staff who perform
temporary work on an interim basis by means of an assignment agreement), we process personal data.
We do this to assess whether the applicant or contractor is suitable for the open position.

These personal data are kept as standard for up to two months after the closing date of the vacancy.
This way, we can still speak to you in detail if you have questions about the outcome of your application
during this period. If the application results in an appointment, the relevant personal data are retained
in accordance with our retention policy and our privacy statement for employees and/or contractors.

The legal basis is our legitimate interest in carrying out the recruitment and selection procedure
efficiently and to be able to speak to applicants with any questions about the outcome of the application
(Article 6(1)(f) GDPR). If, after the recruitment and selection procedure, we proceed to the conclusion
of an employment or commission contract, we may process additional personal data in preparation for
the performance of the contract (Article 6(1)(b) GDPR) and to comply with other legal requirements
(Article 6(1)(c) GDPR).

What personal data do we process for this purpose?
We process your contact details (such as name and address, e-mail address and telephone number),
personal data from your CV and motivation letter, diplomas, an interview report, if relevant a salary
proposal, results of an assessment (intelligence and personality) and in some cases the data as a result
of calling up the references you provided.

2. Saving your CV for suitable vacancies in the future

What does this purpose entail?
In order to contact you in the future if we appear to have a suitable vacancy, we process your personal
data. The legal basis for this is our legitimate interest to find suitable employees for future vacancies
(Article 6(1)(f) GDPR).

What personal data do we process for this purpose?
To this end, we process your contact details (such as name and address, e-mail address and telephone
number), the personal data from your CV and motivation letter.

IV. MEDICAL SPECIALISTS

1. Clinical studies
What does this purpose entail?

To conduct clinical studies, we also process the personal data of medical specialists involved in these
studies. The legal basis for this purpose is the execution of the agreement we conclude with the
organisations we conduct clinical research with (Article 6(1)(b) GDPR).

What personal data do we process for this purpose?
We process your e-mail address, name, employer, position and phone number for this purpose.

V. PATIENTS

1. As part of a clinical study under the supervision of a physician
Data that we process as part of a clinical trial will in principle not contain personal data. In exceptional
cases, a limited amount of data may qualify as personal data. Depending on the specific agreements
with the healthcare institution with which we conduct the study, we may process that data as a processor
or joint controller. If we are joint controllers, we will jointly ensure, in agreement with the relevant
healthcare institution, the correct and full compliance with the transparency obligations under the GDPR.
In that context, we will also be able to further explain at that time which personal data we process in the
context of the relevant study.

VI. PARTNERS & DISTRIBUTORS

1. Executing the agreement (day-to-day operations including updates on new developments and
marketing materials)

What does this purpose entail?
For the execution and settlement of our agreements with partners and distributors, we process your
personal data. These personal data help us to provide the right information in connection with updates
of new developments etc. and to keep our administration up to date. The legal basis for processing
personal data for this purpose is the conclusion or performance of an agreement (Article 6(1)(b) GDPR).

What personal data do we process for this purpose?
For this purpose, we process your name, salutation, position, telephone number, Chamber of Commerce
number, employer, email address, address details, account and VAT numbers and other relevant
information provided during the execution of the agreement.

2. For maintaining a good relationship

What does this purpose entail?
We consider it important to maintain a good relationship with our partners and distributors. Therefore,
we process your personal data, for example, to evaluate our services, to provide you with training
material and/or cources or to send a gift. The legal basis for maintaining a good relationship lies in our
legitimate interest to maintain the relationship with our suppliers (Article 6(1)(f) GDPR).

VII. SUPPLIERS

1. To settle agreements, such as orders and commissions (day-to-day business)

What does this purpose entail?
For the execution and settlement of our orders and assignments with you as a supplier, we process
personal data of (employees of) our suppliers. This personal data helps us to provide you with the right
information for placing an order or placing an order. The legal basis for processing personal data for this
purpose is the conclusion or performance of a contract (Article 6(1)(b) GDPR).

What personal data do we process for this purpose?
For this purpose, we process your name, salutation, position, telephone number, Chamber of Commerce
number, employer, e-mail address, address details, account and VAT numbers and other relevant
information provided during the execution of the agreement.

2. Communication purposes

What does this purpose entail?
To communicate with you as a supplier or partner, we process personal data about you. We do this to
make contact with you run smoothly.
The processing of personal data for this purpose is based on Cassini’s legitimate interest to
communicate with you (Article 6(1)(f) GDPR).

What personal data do we process for this purpose?
We process your name, address details, phone number, e-mail and possibly position for this purpose.

Your rights
You have the right to be properly informed about what we do with your data and why we need your data.
We do this through this privacy statement. In addition to the right to be transparently informed, you have
the following rights:
• Right to access (if you want to know what personal data we collect from you);
• Right to rectification (we are happy to amend any personal data that is no longer correct);
• Right to be forgotten (in some cases, you can ask us to delete your personal data);
• Right to restrict processing (in some cases, you may ask us to restrict the processing of your
personal data);
• Under circumstances, right to data portability (if you want, we can transfer your personal data
to another party or give you a copy of your personal data);
• Right to object (in some cases, you may object to the use of your personal data).

If you wish to exercise any of your rights, please contact us by emailing info@cassini-technologies.com.
To prevent abuse, we may ask you to adequately identify yourself before we process your request.
Circumstances may arise which prevent us from fulfilling or not fully fulfilling your request. If such a
circumstance arises, we will notify you. We will always respond to your request within one month.

With whom do we share personal data?
Cassini does not sell or trade your personal data to any third party. Cassini may be required by specific
laws and regulations to provide certain personal data to third parties, such as government agencies. In
addition, we may share your personal data with third parties to protect our own rights or those of others.

Internally, only employees of ours have access to personal data to the extent relevant to their work (on
a need-to-know basis) and all our employees have a confidentiality clause in their employment contract.

We also engage processors who process personal data on our behalf. We conclude processing
agreements with them that meet the requirements of the GDPR. For example, with regard to reporting
data breaches and taking appropriate technical and organisational measures. In addition, personal data
may be shared with:
• The healthcare institution that supports us in conducting the clinical trials.
• A dispute resolution institute and/or competent judicial authority. This may apply to personal data of
clients and/or third parties.
• Potential new shareholders and their advisers.
• IT service providers. While maintaining, managing and supporting our systems and applications,
they may have limited access to various personal data.
• Other service providers involved in our services, such as external consultants, lawyers and
accountants. This may apply to clients and/or third parties.
• Bailiffs and administrators. To these we provide your name and contact details, financial data and
employment details. This may apply to clients, third parties and/or job applicants.
• Insurers. To this, we leave your name, contact details and financial data.

How long do we keep your personal data?
We keep your personal data for as long as necessary for the purpose for which we use your personal
data and/or as long as the law requires us to keep the personal data. Exactly how long varies. From a
few months to many years, for example because it is necessary for our accounting purposes. We have
defined the retention periods for each processing activity in our retention policy. We retain personal data
of job applicants for up to 4 weeks after the recruitment and selection procedure. With your consent, we
keep your data for an additional 12 months for any future vacancies.

Consent
If we process your data on the basis of your consent, you always have the right to withdraw your consent.
This can easily be done by sending an e-mail to info@cassini-technologies.com. In that case, if we have
no other basis for processing, we will no longer use your data for this purpose.

How do we protect your data?
Under Article 32 GDPR, we are obliged to take appropriate technical and organisational measures to
prevent the loss of personal data or unlawful processing. So we have taken physical, administrative,
organisational and technical measures. Periodically, we evaluate the technical and organisational
measures and adjust them if necessary. Our organisation is set up in such a way that we do everything
possible to prevent data leaks. If there is a data breach, we will act in accordance with the data breach
protocol.

Contact and complaints
If you have any questions about this privacy statement or wish to exercise your rights as a data subject,
please contact us at info@cassini-technologies.com.

In case of complaints about, for example, how we use your data or how we respond to privacy-related
questions, you can file a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).

The Hague, May 2024