Privacy Policy

Numia Health Inc. · Last updated: May 17, 2026 · Effective: December 2025

1. Overview

Numia Health Inc. ("Numia Health," "we," "us," or "our") is committed to protecting the privacy of everyone who interacts with our platform. This Privacy Policy explains how we collect, use, disclose, and protect personal information in connection with our services.

This policy applies to two groups:

  • Patients (DTC): Individuals who book at-home blood draws directly through Numia Health or numiahealth.ca.
  • Partners and their patients (NaaS): Clinics, health businesses, research organizations, and digital health platforms that integrate Numia Health's collection infrastructure, and the patients they serve through our platform.

By using our platform or services, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use our services.

Because Numia Health collects sensitive personal health information, we obtain express consent — an affirmative action such as a checkbox or digital signature — before collecting any health information from patients. Implied consent is not used for health data collection.

Numia Health complies with the Personal Information Protection and Electronic Documents Act (PIPEDA) and, where applicable, British Columbia's Personal Information Protection Act (PIPA BC).

Where Numia Health processes personal health information on behalf of a physician or health information custodian in British Columbia, we may act as an "information manager" within the meaning of BC's E-Health (Personal Health Information Access and Protection of Privacy) Act (EHIPPA). In those circumstances, our data processing activities are governed by written agreements with the relevant custodian and comply with EHIPPA s.35 requirements.

2. Definitions

The following terms are used throughout this policy:

Personal Information
Any information about an identifiable individual, including name, date of birth, contact details, health information, and payment details.
Personal Health Information
Information about an individual's physical health, including blood test results, biomarker data, medical history, and requisition details.
Patient
An individual who receives at-home blood collection services through the Numia Health platform, either directly (DTC) or through a partner organization (NaaS).
Partner
A clinic, health business, research organization, or digital health platform that has integrated Numia Health's collection infrastructure through the NaaS model.
Ordering Provider
A licensed Canadian physician, nurse practitioner, or naturopathic doctor who approves a requisition for blood testing through the Numia Health network.
Platform
Numia Health's web application, partner portal, and related digital services available at numiahealth.ca.
Phlebotomist
A certified, TDG-certified healthcare professional employed or contracted by Numia Health to perform at-home blood collection.
Applicable Law
PIPEDA, PIPA BC, and any other applicable federal or provincial privacy legislation governing the collection, use, and disclosure of personal information.

3. Information We Collect

DTC — Direct Patients

When you book an at-home blood draw directly through Numia Health, we collect:

  • Full name, date of birth, and contact information (email, phone, home address)
  • Health information provided during intake, including relevant medical history and current medications
  • Blood test results and biomarker data returned by our accredited Canadian partner lab
  • Requisition details approved by a licensed Canadian physician in our network
  • Payment information (processed securely through our third-party payment processor — we do not store full card details)
  • Appointment and booking details, including date, time, and collection address
  • Communications between you and Numia Health

NaaS — Partner Organizations

When your organization integrates Numia Health's collection infrastructure, we collect:

  • Organization name, contact details, and authorized user information
  • Patient information entered or imported into the partner portal on behalf of the patients you serve
  • Booking and appointment data, including patient addresses and scheduled draw times
  • Specimen tracking data, including Tube IDs and internal notes
  • Portal usage and access logs

Where Numia Health processes patient personal health information on behalf of a partner, we do so as a service provider under the direction of the partner organization, which remains responsible for obtaining appropriate patient consent.

Both

Regardless of how you access our platform, we may also collect:

  • Device and browser information (IP address, browser type, operating system)
  • Usage data (pages visited, time on page, clicks, referral source)
  • Cookie and analytics data (see Section 9)

4. How We Use Your Information

We use personal information only for the purposes for which it was collected, or as otherwise permitted by Applicable Law. These purposes include:

Service delivery

  • Scheduling and confirming at-home blood draw appointments
  • Facilitating physician requisition approval by an ordering provider in our network
  • Coordinating sample collection, transport, and processing by our accredited Canadian partner lab
  • Delivering test results to patients and/or partner organizations
  • Managing the partner portal and NaaS platform functionality

Clinical and operational

  • Maintaining accurate records for regulatory and quality assurance purposes
  • Communicating with ordering providers regarding requisitions and results
  • Supporting phlebotomist dispatch and specimen chain of custody

Business operations

  • Processing payments and issuing invoices
  • Responding to support inquiries and communications
  • Improving the platform and services through aggregated, de-identified analytics
  • Sending service-related communications (appointment confirmations, result notifications)

Marketing communications

We will only send commercial electronic messages — including newsletters, promotions, or health content — with your express consent, obtained at the point of registration or separately. Every marketing message will include a clear, functioning unsubscribe mechanism. Unsubscribe requests will be honored within 10 business days. Transactional communications such as appointment confirmations, result notifications, and billing emails do not require separate consent and are not used for promotional purposes.

We do not use your personal health information for advertising or marketing purposes. We do not sell your personal information to third parties.

5. How We Share Your Information

We do not disclose personal information to third parties except in the circumstances below:

Ordering providers

Patient personal health information is shared with the licensed Canadian physician or ordering provider in our network for the purpose of approving requisitions and reviewing results. This sharing is necessary for the delivery of the service.

Accredited Canadian partner labs

Specimen data and relevant patient information are shared with our ISO 15189-accredited Canadian partner lab for the purpose of processing blood samples and returning results. Labs are bound by confidentiality agreements and applicable privacy law.

Partner organizations (NaaS)

Where a patient books through a partner organization's portal, their booking details and test results are accessible to that partner. Where Numia Health processes patient personal health information on behalf of a partner organization, we do so as a service provider under a written Data Processing Agreement (DPA). The DPA requires the partner to obtain appropriate patient consent prior to engaging Numia's services, and governs how we handle, store, and delete that information. Numia Health remains bound by its own obligations under Applicable Law regardless of the partner's consent practices. Upon termination of a partner agreement, patient data is retained only for the period required by applicable health records legislation and then securely deleted.

Service providers

We work with third-party service providers who assist in operating our platform, including payment processors, cloud infrastructure providers, and analytics services. These providers are contractually bound to handle personal information only as directed by Numia Health and in compliance with Applicable Law.

Research organizations

Where Numia Health performs collections on behalf of research organizations operating under an approved Research Ethics Board (REB) protocol, we process personal health information strictly for the purposes described in the applicable research agreement. Research use of personal information is governed by the research organization's REB approval. Numia Health does not independently use or disclose research participant data for any other purpose.

Legal requirements

We may disclose personal information if required to do so by law, court order, or government authority, or where we believe in good faith that disclosure is necessary to protect the safety of any person or to prevent fraud.

Business transfers

In the event of a merger, acquisition, or sale of assets, personal information may be transferred as part of the transaction. We will notify affected individuals as required by Applicable Law.

6. Data Retention

We retain personal information only for as long as necessary to fulfill the purposes for which it was collected, or as required by Applicable Law.

  • Patient health records: Retained for a minimum of 10 years following the last service interaction, or as required by applicable provincial health records legislation
  • Booking and appointment data: Retained for a minimum of 7 years for audit and quality assurance purposes
  • Partner account data: Retained for the duration of the partnership agreement and for a minimum of 5 years following termination
  • Payment records: Retained for a minimum of 7 years in accordance with Canadian tax and financial regulations
  • Usage and analytics data: Retained in aggregated, de-identified form indefinitely; identifiable usage data retained for up to 24 months

When personal information is no longer required, we securely delete or anonymize it in accordance with our data destruction procedures.

7. Security

Numia Health implements physical, organizational, and technical safeguards to protect personal information against unauthorized access, use, disclosure, alteration, or destruction. These measures include:

  • Encryption of data in transit (TLS/SSL) and at rest
  • Role-based access controls limiting staff access to personal information on a need-to-know basis
  • Secure cloud infrastructure hosted in Canada — personal health information is stored on Canadian servers
  • Regular security reviews and access audits
  • Contractual data processing agreements with all third-party service providers

While we take these measures seriously, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security of personal information.

Cross-border transfers

Personal health information and primary platform data are stored on Canadian servers. However, certain third-party service providers involved in payment processing and platform analytics may process data outside Canada, including in the United States. Specifically:

  • Stripe (payment processing) — payment data is processed by Stripe Inc., which operates servers in the United States. Stripe is bound by contractual data processing terms and complies with applicable privacy standards. Numia Health does not store full payment card details.
  • PostHog (platform analytics) — usage and interaction data collected through our analytics platform may be processed outside Canada. This data is aggregated and does not include personal health information.

When personal information is processed outside Canada, it becomes subject to the laws of the receiving jurisdiction, which may differ from Canadian privacy law. We require all third-party processors to maintain contractual safeguards consistent with PIPEDA and PIPA BC. You may request further details about our cross-border processing practices by contacting our Privacy Officer.

Phlebotomist access

Our certified mobile lab assistants (phlebotomists) are provided with the minimum information necessary to perform your collection — including your name, appointment address, and any clinically relevant notes you have provided. Phlebotomists are bound by confidentiality obligations and do not have access to your test results or payment information.

In the event of a privacy breach that poses a real risk of significant harm, we will: (a) notify affected individuals without unreasonable delay; (b) report the breach to the Office of the Privacy Commissioner of Canada as required under PIPEDA; and (c) report the breach to the BC Office of the Information and Privacy Commissioner as required under PIPA BC. We maintain an internal breach log of all breaches, regardless of assessed harm threshold.

8. Your Rights

Under PIPEDA and PIPA BC, you have the following rights regarding your personal information:

Access

You may request access to the personal information we hold about you. We will respond within 30 days of receiving a written request, or advise you in writing if we require additional time.

Correction

If you believe personal information we hold is inaccurate or incomplete, you may request a correction. We will make reasonable efforts to update records accordingly.

Withdrawal of consent

Where we rely on your consent to collect, use, or disclose your personal information, you may withdraw that consent at any time, subject to legal or contractual restrictions. Withdrawal of consent may affect our ability to provide certain services.

Deletion

You may request deletion of personal information we hold about you. We will honor deletion requests where we are not required by law to retain the information. Where legal retention requirements apply — for example, health records legislation requiring a minimum retention period — we will explain the applicable restriction in writing. Information subject to a deletion request that cannot be immediately deleted will be restricted from further use until the retention period expires.

Complaint

You have the right to make a complaint to the Privacy Commissioner of Canada or the BC Information and Privacy Commissioner if you believe your privacy rights have been violated:

To exercise any of the above rights, please contact our Privacy Officer at hello@numiahealth.ca.

9. Cookies & Analytics

Numia Health uses cookies and similar tracking technologies to operate and improve our platform. These include:

Strictly necessary cookies

Required for the platform to function. These cannot be disabled. They include session management and authentication cookies.

Analytics cookies

We use analytics tools (such as PostHog) to understand how users interact with our platform. This data is collected in aggregate and used to improve service quality. Analytics cookies may be disabled through your browser settings.

Marketing cookies

We may use tracking pixels (such as the Meta Pixel) on our public-facing marketing pages to measure advertising performance. These are not placed on authenticated platform pages where personal health information is present.

You can manage your cookie preferences through your browser settings. Note that disabling certain cookies may affect platform functionality.

10. Changes to This Policy

Numia Health reserves the right to update this Privacy Policy at any time. We will post the revised policy at numiahealth.ca/privacy-policy with an updated effective date. Where changes are material, we will notify affected users by email or through a notice on the platform.

Where changes are material — including any change affecting how we collect, use, or disclose personal health information — we will seek fresh express consent from affected individuals before the change takes effect. Your continued use of the platform does not constitute consent to material changes affecting your personal health information.

11. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact our Privacy Officer:

Privacy Officer, Numia Health

Numia Health Inc.
Vancouver, British Columbia, Canada

Email: hello@numiahealth.ca

We will respond to all privacy inquiries within 30 days of receipt.