PRIVACY POLICY

[Last Modified: January 2026]

This Privacy Policy (“Privacy Policy”) governs the processing and transfer of personal data collected or

processed by Neurolief Ltd. (collectively with its subsidiaries and affiliated companies, including

Neurolief, Inc., “Company”, “we”, “us” or “our”) when we provide our relevant “services”: through the

purchase of our migraine treatment medical device (“Relivion®”), specifically the Relivion®

transcutaneous electrical nerve stimulator is indicated for the acute treatment of migraine with or without

aura in patients 18 years of age or older. It is a prescription device to be self-used at home. Or our

depression treatment medical device (“Proliv™Rx external Combined Occipital and Trigeminal Afferent

Stimulation (eCOT-AS) (“Proliv™Rx System”), specifically the Proliv™Rx System provides focal

external Combined Occipital and Trigeminal Afferent Stimulation (eCOT-AS) treatment. It is intended as

an adjunctive treatment for Major Depressive Disorder (MDD) in adults who failed to achieve satisfactory

improvement from at least one previous antidepressant medication, for use at home or in clinic. It is a

prescription-only device.(the “product/s”); using any of the products accompanying mobile applications

(each an “App”); our cloud-based platform and data management tools made available for healthcare

professionals in connection with the products (“Platform”); or accessing or using any of our related

websites, web interfaces, dashboards, and landing pages (each a “website”). This Privacy Policy is an

integral part of any other agreement between us (“Terms”). Any capitalized terms not defined herein

shall have the meanings ascribed to them in the Terms, or under the applicable privacy laws.

This Privacy Policy pertains to personal data related to anyone interested in any of our products through

the services, website visitors, patients who are using any of the products (“End-Users”), relevant clinics

and healthcare professionals treating such an End-User including their authorized users and anyone

acting on their behalf (“Healthcare Provider”), and anyone else using our services as described herein

(“you” or “your”). The Privacy Policy explains what data we may collect from you, how such data may

be used or shared with others, how we safeguard it and how you may exercise your rights related to

your Personal Data (as defined below), as required under relevant privacy regulation, including without

limitation and where applicable: the EU General Data Protection Regulation (“GDPR”), relevant US

Privacy Laws including the California Consumer Privacy Act (“CCPA”), and the Israeli Privacy Protection

Law, 1981. Any reference to the GDPR shall also include the UK Data Protection Act, 2018 (UK-GDPR).

Additional Notice to California Residents: In the event you are a California resident – please review

our CCPA Notice to learn more about our privacy practices with respect to the CCPA .

Additional Notice to Washington or Nevada State Residents: In the event you are a Washington

state resident or a Nevada State resident - please review our Washington and Nevada combined

consumer health data notice to learn more about our privacy practices with respect to the Washington

state my health my data act (“MHMDA”), and Nevada Consumer Health Data Privacy Act (“CHDPA”).

If you have any questions regarding this Privacy Policy or our data practices, you are welcome to contact

us at: dpo@neurolief.com .

DOC-000001, Version 7.0

Page 1 of 15

You are not required by law to provide us with any Personal Data. However, please note that

some of our services require the processing of certain Personal Data and without such data we

may not be able to provide you with all or part of such services (e.g., without your valid

prescription and related information we will not be able to provide you with our services).

1. POLICY AMENDMENTS:

We reserve the right to amend this Policy from time to time, at our sole discretion. The most recent

version of the Policy will always be posted on the website. The updated date of the Policy will be reflected

in the “Last Modified” heading. Subject to applicable law, any amendments to the Policy will become

effective immediately, unless we notify you otherwise. If we materially change the way in which we

process your previously collected Personal Data, we will provide you with prior notice, or where legally

required, request your consent prior to implementing such changes. We strongly encourage you to

review this Policy periodically to ensure that you understand our most updated privacy practices.

2. CONTACT INFORMATION AND DATA CONTROLLER INFORMATION:

Neurolief Ltd. is the Data Controller (as such term is defined under the GDPR or equivalent privacy

legislation) of your Personal Data collected from you as a user of our services.

You may contact us as follows:

●

By email: dpo@neurolief.com .

By Mail: 12 Giborei Israel, Netanya, 4250412, Israel.

Please note that in certain cases, End-User’s Personal Data is processed on behalf of the relevant

Healthcare Provider, who acts as the legal controller of such data, while we merely act as a processor

or service provider. In those cases, our processing is governed by the applicable agreement with the

Healthcare Provider (including any DPA/BAA) and by the Healthcare Provider’s instructions, and this

Privacy Policy applies only to the extent we act as a Controller or as otherwise required by applicable

law. Any remainder of such End-Users’ Personal Data mentioned herein is for informational purposes

only.

Where such a Healthcare Provider is deemed a covered entity under The Health Insurance Portability

and Accountability Act of 1996 (“HIPAA”), the processing of its End-User data is subject to such

Healthcare Provider’s privacy practices notice, which its End-User is encouraged to read and be familiar

with.

Where a product is obtained through Advanced Medical DME, LLC (“DME”), any End-User’s Personal

Data processed in connection with the services is processed on behalf of DME and is subject to DME’s

instructions and privacy practices notice, as made available by DME.

3. DATA SETS WE COLLECT AND FOR WHAT PURPOSE:

Below you can find information regarding the purposes for which we process your personal data as well

as our lawful basis for processing, the definition of “personal” and “non-personal” data, and how it is

technically processed.

Non-Personal Data

During your interaction with the services, we may collect aggregated, non-personal, non-identifiable

information (“Non-Personal Data “). We are not aware of the identity of the user from which the Non-

Personal Data is collected. We collect Non-Personal Data regarding your use of the services, such as

the scope, frequency, latency, pages accessed and viewed, time and date stamp, interactions with

DOC-000001, Version 7.0

Page 2 of 15

content and materials displayed through our services, language preference, and other technical

information regarding the device used to access the services, for example type of device, type of

browser, operating system, etc.

We may sometimes process and anonymize or aggregate Personal Data and identifiable information in

a manner that shall create a new set of data that will be Non-Personal Data. Such a new data set can

no longer be associated with any identified natural person. Non-Personal Data may be used by us

without limitation and for any purpose.

If we combine Personal Data with Non-Personal Data, the combined information will be treated as

Personal Data.

Personal Data

We may also collect from you, directly or indirectly, during your access or interaction with the services,

individually identifiable information, namely information that identifies an individual or may, with

reasonable effort, be used to identify an individual (“Personal Data”). The types of Personal Data that

we collect as well as the purpose for processing and the lawfulness are specified in the table below.

Please note that under applicable US Privacy Laws, Personal Data does not include information that

cannot be reasonably linked to you, directly or indirectly, such as de-identified or aggregated data, and

information governed by other state or federal laws, such as: Health or medical information covered by

HIPAA, Personal Data covered by certain sector-specific privacy laws, including the Fair Credit

Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA) and the Driver’s Privacy Protection Act of

1994, Children’s Online Policy Protection Act of 1998 (COPPA), Family Educational Rights and Privacy

Act of 1974, Securities Exchange Act of 1934, higher education data and employment data, etc.

The table below details the processing of Personal Data, the purpose, lawful basis, and processing

operations:

LAWFUL BASIS PER

DATA SET

Contact

PURPOSE AND OPERATIONS

GDPR

Customer We will use this data to respond to We process such Contact

and

Support Information:

your inquiry.

Information subject to our

legitimate interest.

If you voluntarily contact us in

order to receive our support, you The correspondence with you may

may be required to provide us be processed and stored by us to If you are an End-User

with certain Personal Data, such improve our internal operations, as approaching us with

as your name, email address, well as in the event we reasonably respect to your usage of

organization, role, state, determine it is needed for future the services, or

description of yourself (e.g., “I am assistance or to handle any dispute Healthcare Provider, the

a

interested in becoming a Relivion you might have with us.

MG user”) and any additional

data will be processed per

the contract between us.

information you decide to share We may retain and manage such

with us. Please note that the information using external services

requested Personal Information and platforms such as CRM

may vary between our different systems.

websites.

DOC-000001, Version 7.0

Page 3 of 15

Suitability Questionnaire:

We use your answers to assess your We

process

such

data

suitability for using our products, as marketing-related

In order to enable your use of our

products and services as an End-

User, you may be required to

complete an initial suitability

well as to provide you with subject to our legitimate

personalized suggestions and interest. However, any

additional marketing materials, per health-related

your consent. provided through

data

the

questionnaire

(“Suitability

Suitability Questionnaire is

Questionnaire”). As part of this

We will always do so in accordance provided per your consent.

with and to the extent permitted by You can always withdraw

process, we may collect certain

health-related

information

applicable law.

your consent. Please note

that processing activities

completed prior to your

provided by you, such as

demographic and general data

(e.g., age, gender, height and

weight), information relating to

your relevant medical condition

and symptoms (e.g., frequency

or characteristics of symptoms,

current or prior treatments or

withdrawal

cancelled.

cannot

be

medications),

information

and

your

to

general health status and the

reasons that led you to use our

services, for the purpose of

assessing whether the relevant

product is suitable for your use.

The scope and content of the

Suitability Questionnaire may

vary depending on the product.

Prescription Information

We process such health-related Our

lawful

basis

for

In relevant cases, in order to information for the purpose of processing such data is

provide our products and verifying and fulfilling prescriptions compliance with our legal

services, we may collect and and for legal compliance. We will obligation.

process prescription-related verify the prescription as well as

information, including patient keep it in our records.

identification details (such as

name, date of birth and address),

and

other

treatment-related

information.

Payment and Delivery Data:

When you, as an End-User,

order and make payment to

receive our products you will be

asked to submit delivery and

payment information data such

as your full name, address, credit

card number, etc.

We process such data for

the purpose of fulfilling our

contract with you.

We will use the information to

provide you with the products. We

may use third parties’ payment

processors and delivery vendors

and any transactions that are Certain payment data is

processed by these third-party being retained by us as

payment

processors

will

be part

of

our

legal

governed by their privacy policies

DOC-000001, Version 7.0

Page 4 of 15

***If you receive the services and terms which we recommend obligations

(e.g.,

through a Healthcare Provider or that you review.

through DME, payment details

are collected by such third party

and are subject to its privacy

policy.

bookkeeping).

App

User

Account

Basic We will process this information to We process such data

verify your identity and grant you under the contract

Information:

access to our products. As part of between us – to allow you

that we may use your email or phone to access and use the App

number as part of a Multi-Factor- as part of your product.

Any user of the products must

have an account.

End-Users:

Authorization process.

Any health-related data is

As part of your usage of our

services as an End-User we may

collect identification and contact

details (such as name, email

We may also use this information in per processed per the

order to provide you with account End-User’s consent.

management,

services as well as to send you

needed information related to

to

provide

the

We may further analyze

and process your login

data for security purposes,

address,

phone

number,

username and password), as

well as demographic and general

data (e.g., age, gender, height

and weight), information relating

provide you with our services and

which related to our business

engagement (e.g., send you a

upon

our

legitimate

interests.

In some cases, and where

required under applicable

law, using your data for

promotional purposes will

be subject to your consent.

In such instances, you

may always withdraw your

consent at any time by

welcome

message,

notify

you

to

your

relevant

medical

regarding any updates to our

services, send applicable invoices,

etc.) and additional occasional

condition and symptoms (e.g.,

frequency or characteristics of

symptoms,

current

or

prior

communications

and

updates

treatments or medications), and

other information related to your

general health status.

related to the services. Such

messages may be delivered to you

through email or SMS in accordance

with applicable law.

Healthcare

Providers:

contacting

us

or

Healthcare Providers accessing

the platform may be required to

provide professional and contact

unsubscribe

from

any

marketing list through the

you designated feature

Further,

we

may

send

information,

credentials.

and

login

promotional and marketing emails, included in such message.

to the extent we are allowed to do so

under

applicable

law

(“Direct

Marketing” as detailed hereunder).

We may also process your user’s

account

information

by

using

“cookies” (see below). However

note that we will never share any

health-related data with any third

party for any purpose other than

providing our services.

DOC-000001, Version 7.0

Page 5 of 15

Intake and Initial Training We use this information in order to: We

process

(i) complete intake and account Onboarding and

setup processes; (ii)

configuration necessary

initial training performance

Intake,

Initial

Data:

provide Training Information as

As part of the intake, onboarding,

onboarding,

assistance,

for

of

the

our

setup

and

initial

training

and

processes associated with the

Services and the Products, we

regarding the technical operation of contract with you and for

the Products and Services; (iii) our legitimate interests in

may

information provided by you or

generated during such

collect

and

process

deliver

technical

support

and providing,

maintaining,

troubleshooting; (iv) document and and

improving the

manage support and onboarding Services.

interactions. This may include

contact and scheduling details,

interactions;

onboarding, support, and service related data is processed

operations; and (vi) comply with in this context, such

and processing is based on

(v)

improve

our To the extent that health-

account

identifiers,

basic

demographic

information,

applicable

regulatory

safety,

quality,

device,

App

and

data,

and

Platform

technical

documentation your consent. You may

withdraw your consent at

configuration

identifiers,

requirements.

records

of

Such information may be stored, any time; however, please

analyzed, and managed using note that withdrawal of

internal systems and third-party consent may limit our

service providers (such as helpdesk, ability to provide certain

communications with our support

or onboarding teams (including

call

notes,

tickets,

or

correspondence). Depending on

the context and the information

you choose to share, this may

CRM, or support management Services

or

support-

platforms), in accordance with this related functionalities, and

Privacy Policy and applicable law.

does not affect processing

activities lawfully carried

also

include

health-related

information provided in the

course of setup, guidance, or

technical assistance.

out

prior

to

such

withdrawal.

Regulatory,

Safety

and We use this information to: (i) Processing is necessary

Medical Event Reporting Data assess, document, investigate, and for compliance with legal

(Vigilance and Post-Market respond to adverse events, safety obligations applicable to

Surveillance):

signals, and regulatory incidents; (ii) medical

device

and,

comply with applicable medical manufacturers,

As part of our obligations as a

medical device manufacturer, we

may collect, process, and retain

information relating to safety,

regulatory, quality, and medical

device

including reporting obligations to is involved, for reasons of

competent authorities, notified public interest in the area

bodies, or regulatory agencies (such of public health and

as FDA or EU authorities); (iii) ensuring high standards of

maintain and improve the safety, quality and safety of

performance, and quality of the medical devices as well as

Products and Services; (iv) conduct for the establishment,

post-market surveillance, vigilance exercise, or defense of

activities, and corrective or legal, as applicable.

preventive actions; and (v) maintain

legally required records and

documentation.

laws

and

regulations, where health-related data

events

Products and the Services. This

may include reports or

notifications concerning adverse

events, serious incidents,

suspected device malfunctions,

safety complaints, technical

issues with potential clinical

impact, product deficiencies,

associated with

the

usage deviations, and other

DOC-000001, Version 7.0

Page 6 of 15

information

vigilance,

required

for Such data may be shared, where

post-market required, with regulatory authorities,

quality notified bodies, auditors, and other

surveillance,

management, and regulatory authorized

compliance purposes. Such compliance and safety purposes

information may be provided and in accordance with applicable

parties,

strictly

for

directly

by

End

Users, law.

Providers,

Healthcare

distributors, or other third parties,

or generated through internal

monitoring, investigations, or

follow-up activities.

Product Usage Data:

We will use this information in order We process such data for

to provide you with our services.

the purpose of performing

our contract with you.

End Users:

As part of your usage of our

services as an End-User, we

may retain, keep and manage

information relating to your

interaction with the products,

including your usage patterns,

products’

configurations

and

management data, your intended

goals and progress as reflected

through your use of the products,

and

any

other

information

collected and processed as part

of your use of any of our

products,

including

the

our

synchronization between

medical

devices

and

accompanying

application.

mobile

Healthcare Providers:

If you access and use our

platform as Healthcare

a

Provider, we may collect and

process information relating to

your

including

contact details as well as

use

of

the

platform,

identification

and

professional

information.

or

clinical

site

DOC-000001, Version 7.0

Page 7 of 15

Health Related Data:

We collect and process

such Health-Related Data

to provide you with our

services, per your consent

We process such information and

analyze it to provide you with

personalized insights and enhance

your experience using our products.

As part of providing you as an

End-User with our services we

may collect and process certain

Health-Related Data, including

information relating to your

symptoms or condition (e.g.,

provided

during

your

registration

including

process,

information

We never share Health Related

Data with Third Parties for

marketing purposes, unless we

make sure through contractual

arrangements that their usage of

derived from your use of

our products. You may

withdraw consent at any

intensity,

duration

or

characteristics), background or

contextual information relevant

to your use (e.g., triggers or

actions taken), treatment-related

time,

note

however,

please

that processing

such

data

is

limited

in

activities completed prior

to your withdrawal cannot

be cancelled.

accordance with applicable law.

feedback

(e.g.,

perceived

effectiveness or responses), and

responses

to

during

in-app

use

assessments

We may also use health-

(including PHQ9 questionnaire),

as well as any other information

related data in

a

de-

identified and aggregated

you

choose

to

provide

form

for

research,

and product

voluntarily.

analytics,

improvement.

In addition, health-related and

usage data is collected

automatically through the

products and accompanying

applications. For example, in

Relivion®,

include

such

data

may

intensity,

scalp

impedance, modulation, posture

or mobility during use.

The scope and type of health-

related data collected may vary

depending on the product and

the manner of use.

Health Related Data

Processed on Behalf of our

Healthcare Providers:

Such data is processed by

us in our capacity as a

Data Processor, under the

legal basis established by

the relevant Healthcare

Provider.

We process such data solely on

behalf of the relevant Healthcare

Provider and in accordance with

their instructions.

We may collect, retain, analyze,

and otherwise process health

related Data relating to End-

Users who are using any of our

products through Healthcare

Providers.

Apple Health (HealthKit) Data We use such data solely to enable Processing is based on

and Google Health Connect: synchronization between the your consent, provided

If an End-User chooses to enable products and Apple Health or through

integration with Apple Health Google Health Connect and to

your

device

DOC-000001, Version 7.0

Page 8 of 15

(HealthKit) or Google Health provide

you with

the

related settings, which may be

withdrawn at any time.

Connect, we may collect and functionality as part of the services.

process certain health data via

Apple’s or Google’s authorized

APIs, as permitted by our End-

User.

Direct Marketing:

We will use this information to keep We process such data

As a user, we will send you you updated with offers and content subject to our legitimate

materials and marketing content such as updates, new capabilities interest.

through the email information and features, and to send you You can opt-out at any

you

provided

during

your invoices

and

supporting time

through

the

registration.

documentation.

"unsubscribe" link within

the email or by contacting

Any marketing communications are us directly.

sent only based on non-Apple However

certain

Health (HealthKit) and non-Google operational content, such

Health Connect data.

as invoices, will still be

sent.

We will always do so in accordance

with and to the extent permitted by

applicable law.

Please note that the actual processing operation for each purpose of use and lawful basis detailed in

the table above may differ. Such processing operation usually includes a set of operations made by

automated means, such as collection, storage, use, disclosure by transmission, erasure, or destruction.

The transfer of Personal Data to third-party countries, as further detailed in the Data Transfer Section

below, is based on the same lawful basis as stipulated in the table above.

In addition, we may use certain Personal Data to prevent potentially prohibited or illegal activities, fraud,

misappropriation, infringements, identity theft, and any other misuse of the services and to enforce the

Terms, as well as to protect the security or integrity of our databases, services, and the website, and to

take precautions against legal liability. Such processing is based on our legitimate interests.

4. HOW WE COLLECT YOUR INFORMATION:

Depending on the nature of your interaction with us, we may collect the above detailed information from

you, as follows:

•

Automatically – we may use cookies (as elaborated in the section below) or similar tracking

technologies (such as pixels, tags, agent, etc.) to gather some information automatically, or

automatically through the use of our products.

Provided by you or about you voluntarily – we will collect information if and when you choose to

provide us with the information, such as when you use our product and services and when granting your

consent, e.g., for collection of health related data or enabling integrations such as Apple Health

(HealthKit) and Google Health Connect, etc.

DOC-000001, Version 7.0

Page 9 of 15

•

Provided from third parties – where permitted under applicable law and subject to your consent for

cookie usage, we may enrich the Personal Data collected about you with data provided by third parties.

Provided by the Healthcare Provider – Please note that as explained above, we may collect and

gather certain information pertaining to the Healthcare Providers’ End-Users on such Healthcare

Providers’ behalf. Healthcare providers are solely responsible for ensuring the proper disclosures and

consent required for such third-party integrations.

5. COOKIES

When you access or use our services, we may use “cookies” or similar tracking technologies, which

store certain information on your device (i.e., locally stored). The use of cookies is standard industry-

wide practice. A “cookie” is a small piece of information that a website assigns and stores on your

computer while you are viewing a website. Cookies are used by us for various purposes, including

allowing you to navigate between pages efficiently, as well as for statistical purposes, analytic purposes

and advertising. You can find more information about our use of cookies here: www.allaboutcookies.org.

There are several types of cookies, including without limitation:

•

Essential, Functionality, Operation & Security Cookies. These cookies are essential for enabling

visitor movement around the website, for the website to function properly, and for security purposes (i.e.,

used to authenticate visitors, prevent fraudulent use, and protect visitor data from unauthorized parties).

This category of cookies either cannot be disabled, or if disabled, certain features of the website may

not work.

Analytic, Measurement & Performance Cookies. These cookies are used to collect information about

how visitors use our website, in order to improve our website, content, and the way we offer them, as

well as assess the performance of the content and marketing campaigns. These cookies enable us, for

example, to assess the number of visitors who have viewed a certain page as well as their country of

origin. It enables our website to remember information that changes the way it behaves or looks, such

as your preferred language.

•

Preference, Targeting & Advertising Cookies. These cookies are used to advertise across the internet

and to display relevant ads tailored to visitors based on the parts of the website they have visited (e.g.,

the cookie will indicate you have visited a certain webpage and will show you ads relating to that

webpage).

You may find more information about the cookies we use as well as opt-out from cookies or

change your preferences at any time by using the cookies setting tool available on the footer of

our website.

Where we use third-party advertising cookies, such third-party may independently collect, through the

use of such tracking technologies, some or all types of Personal Data detailed above, as well as

additional data sets, including to combine such information with other information they have

independently collected relating to your online activities across their network of websites, for the purpose

of enhanced targeting functionality and delivering personalized ads, as well as providing aggregated

analytics related to the performance of our advertising campaign you interacted with. These third parties

collect and use this information under their own privacy policies, and we are not responsible for their

privacy practices.

DOC-000001, Version 7.0

Page 10 of 15

Although we do not sell your personal information for profit, we do engage in targeted advertising on the

website, this type of advertising activity may be considered a “sale” of Personal Data under certain US

Privacy Laws and may also be referred to as “targeted advertising”. Please note that even if you opt-out

you may still see personalized ads based on information other companies and ad networks have

collected about you, if you have not opted out of sharing with them.

For IBA opt out options on desktop and mobile websites, please visit:

Digital Advertising Alliance (US) https://www.aboutads.info/choices/

Digital Advertising Alliance (Canada) https://youradchoices.ca/en/tools

Digital Advertising Alliance (EU) https://www.youronlinechoices.com/

Network Advertising Initiative https://optout.networkadvertising.org/?c=1

•

We also honor browser-based opt-out signals, such as the Global Privacy Control (GPC) and Universal

Opt-Out Mechanisms (UOOM), by automatically disabling non-essential cookies when such signals are

detected.

6. DATA SHARING:

We share your data with third parties, including our partners or service providers that help us operate

and make the most of the website. You can find here information about the categories of such third-

party recipients.

Categories of Recipients Additional Information

Our

Affiliated We may share Personal Data with our affiliated companies and

subsidiaries in order to provide joint services, for example, marketing,

improving our services, etc.

Companies

Our Service Providers

We share your Personal Data with our trusted service providers and

business partners that perform business operations for us on our behalf

(as data processors) and pursuant to our instructions.

This includes the following categories of service providers:

AI/ML systems, who help us improve our services;

Advertising and marketing service providers, who help us with

advertising measurements, email marketing, etc.;

Data storage providers, with whom we entrust the hosting and storage

of our data;

Consent Manager (CMP), an external service that provides us with the

ability to allow website visitors to control and manage their cookies

preferences and consent;

General IT and SaaS providers – providing us with IT systems for the

management of our daily conduct;

Data analytics and data management providers, who help us

improve, personalize and enhance our operation.

DOC-000001, Version 7.0

Page 11 of 15

Categories of Recipients Additional Information

Data security partners, who help us detect and prevent potentially

illegal acts, violations of our policies, fraud and/or data security breaches

and ensure compliance with legal obligations.

Legal

and

Law We may disclose certain Personal Data to law enforcement,

governmental agencies, or authorized third parties, in response to a

verified request relating to criminal investigations or alleged illegal

activity or any other activity that may expose us, you, or any other visitor

to legal liability, and solely to the extent necessary to comply with such

purpose.

Enforcement

We may further share data with relevant authorities as required per our

Regulatory, Safety and Medical Event Reporting obligations.

Corporate Transactions

In the event of a corporate transaction (e.g., sale of a substantial part of

our business, merger, consolidation, or asset sale) we will share the

Personal Data we store with our acquiring company.

In any such case, we will oblige the acquiring company to assume the

rights and obligations as described in our Privacy Policy.

Healthcare Providers

Provided you are an End-User using our services under a Healthcare

Provider, we may share your information with such Healthcare Provider,

as the Data Controller of such data. Such sharing is not deemed as a

transfer of data made on our behalf but simply as providing your relevant

Healthcare Provider with the data they legally own, according to their

instructions. Any further use of such data is upon the relevant Healthcare

Provider’s exclusive responsibility.

Apple Health (HealthKit) We may share certain health data with Apple or Google, via Apple Health

or

Google

Health (HealthKit) or Google Health Connect, only if you choose to enable such

integration and solely for the purpose of synchronizing data with your

Apple Health or Google Health Connect account.

Connect

Apple and Google both act as Data Controllers with respect to such data,

and any sharing is subject to your explicit consent and Apple’s or

Google’s applicable privacy policies.

Such data is not used for advertising purposes and is not sold or shared

with third-party advertising platforms, data brokers or information

resellers.

When we share information with service providers, we ensure they only have access to such information

that is strictly necessary for us to operate the services. These parties are required to secure the data

they receive and to use the data for pre-agreed purposes only while ensuring compliance with all

applicable data protection regulations (however, such service providers may use certain data for their

own benefit subject to separate terms agreed upon with you or per your consent, as well as in the case

of using merely Non-Personal Data).

Please note that in case you act as an End-User under a Healthcare Provider, all your product’s

information will be available and transparent to your Healthcare Provider, as the Data Controller of the

data.

DOC-000001, Version 7.0

Page 12 of 15

7. DATA RETENTION:

In general, we retain the Personal Data we collect for as long as it remains necessary for the purposes

set forth above, all under the applicable regulation, or until you express your preference to opt-out, where

applicable.

The circumstances in which we will retain your Personal Information include: (i) where we are required

to do so in accordance with legal requirements, or (ii) for us to have an accurate record of your interaction

with us in the event of any inquiries or contact requests, or (iii) if we reasonably believe there is a

prospect of litigation relating to your Personal Data. Please note that except as required by applicable

law, we will not be obliged to retain your data for a particular period, and we may delete it for any reason

and at any time, without providing you with prior notice of our intention to do so.

Further, retention periods of Healthcare Providers, Apple Health (HealthKit) or Google Health Connect

data are set by the relevant Healthcare Provider, Apple or Google as the Data Controller of such data,

per its business needs, legal obligations and other considerations upon their sole discretion.

8. SECURITY MEASURES:

We take great care in implementing physical, technical, and administrative security measures for the

website and services, that we believe comply with applicable regulation and industry standards to

prevent your information from being accessed without the proper authorization, improperly used or

disclosed, unlawfully destructed, or accidentally lost.

If you feel that your privacy was not dealt with properly or was dealt with in a way that was in breach of

our Privacy Policy or if you become aware of a third party’s attempt to gain unauthorized access to any

of your Personal Data, please contact us at our email.

9. INTERNATIONAL DATA TRANSFER:

Due to our global business operation, we may store or process your Personal Data in several territories,

including, for example in Israel, the UK, EU, US or in other countries (whether directly or indirectly

through the use of our vendors). Thus, your Personal Data may be transferred to and processed in

countries other than the country from which you accessed our websites or otherwise the country of your

jurisdiction. We will take appropriate measures to ensure that your Personal Data receives an adequate

level of data protection upon its transfer in accordance with applicable law.

Further, when Personal Data collected within the EU is transferred outside the EU (and not to a recipient

in a country that the European Commission has decided provides adequate protection) it shall be

transferred under the provisions of the standard contractual clauses approved by the European Union.

If you would like to understand more about these arrangements and your rights in connection therewith,

please contact us at our email.

In addition, some of the third parties used for cookies management on our website may store and

process data globally, including in the US (e.g., Google Analytics servers). When granting consent for

such cookies, you hereby acknowledge and approve such cross-border transfer, in accordance with

such third party’s privacy practices.

10. YOUR RIGHTS

Data protection and privacy laws may grant you certain rights with regards to your Personal Data, all

according to your jurisdiction. The rights may include one or all of the following: (i) request to amend

your Personal Data we store accessing; (ii) review and access your Personal Data that we hold; (iii)

DOC-000001, Version 7.0

Page 13 of 15

request to delete your Personal Data that we hold (as long as we do not have a legitimate reason for

retaining the data); (iv) restrict or object to the processing of your Personal Data; (v) exercise your right

of data portability; (vi) contact to a supervisory authority in your jurisdiction and file a complaint; and (vii)

withdraw your consent (to the extent applicable).

If you wish to submit a request to exercise your rights, please fill out the Data Subject Request Form

(“DSR”) available HERE and send it to our email at: dpo@neurolief.com .

When you contact us and request to exercise your rights regarding your Personal Data, we will require

certain information from you in order to verify your identity and locate your data and that the process of

locating and deleting the data may take reasonable time and effort, as required or permitted under

applicable law. Data privacy and related laws in your jurisdiction may provide you with different or

additional rights related to the data we collect from you, which may also apply.

In certain circumstances, and subject to applicable US Privacy Laws, you may permit an authorized

agent to submit requests on your behalf. For more information, please refer to our DSR form.

You have the right to lodge a complaint with the EU Member State supervisory authority if you

are not satisfied with the way in which we handled the complaint.

Any inquiry about exercising your rights as an End-User acting under a Healthcare Provider should be

referred to the relevant Healthcare Provider acting as the Data Controller of such data.

Additionally, in accordance with applicable US Privacy Laws, if we decline to take action on your request,

we will inform you within 45ꢀdays (Colorado residents) or 60ꢀdays (all other U.S. jurisdictions) of receipt.

Our response will include a justification for the decision and an explanation about your right to lodge an

appeal. If you wish to do so, please send your appeal request with a summary of the request and decision

you want to appeal to: dpo@neurolief.com . We will respond to appeals within 45ꢀdays (one 15‑day

extension possible where reasonably necessary).

If you are not happy with our response, depending on your jurisdiction, you may have the right to lodge

a complaint against us with the relevant State’s Attorney General:

•

Colorado Attorney General as follows: Colorado AG at https://coag.gov/file-complaint.

Connecticut Attorney General at link: https://www.dir.ct.gov/ag/complaint / or by phone (860) 808-5318.

Virginia Attorney General at https://www.oag.state.va.us/consumercomplaintform .

Utah Attorney General at https://www.attorneygeneral.utah.gov/contact/complaint-form/.

Texas Attorney General at https://www.texasattorneygeneral.gov/consumer-protection/file-consumer-

complaint.

•

Oregon Attorney General at https://www.doj.state.or.us/consumer-protection/contact-us/.

Montana Attorney General at https://dojmt.gov/consumer/consumer-complaints/.

DOC-000001, Version 7.0

Page 14 of 15

•

Nebraska Attorney General https://ago.nebraska.gov/constituent-complaint-form.

New Jersey Attorney General at https://www.njoag.gov/contact/file-a-complaint/.

New Hampshire Attorney General at https://onlineforms.nh.gov/app/#/formversion/e0c5d644-c9d8-

4056-a7cc-24d29c446fcb.

•

Delaware Attorney General at https://attorneygeneral.delaware.gov/fraud/cmu/complaint/.

Iowa Attorney General at https://www.iowaattorneygeneral.gov/for-consumers/file-a-consumer-

complaint.

•

Tennessee: https://www.tn.gov/attorneygeneral/consumer-affairs.html/.

11. THIRD PARTY WEBSITES:

Our Privacy Policy only addresses the use and disclosure of Personal Data we collect from you. To the

extent that you disclose your Personal Data to other parties via the website (e.g., by clicking on a link to

any other website or location), different rules may apply to their use or disclosure of the Personal Data

you disclose to them, and this Privacy Policy does not apply to any such third-party products and

services. You agree that we shall have no liability whatsoever with respect to such third-party sites and

your usage of them.

12. ELIGIBILITY AND CHILDREN PRIVACY:

Our services are not directed nor intended for use by children, and we do not knowingly process, sell or

share children’s information. We will discard any information that we receive from a user who is

considered a "child" immediately upon our discovery that such a user shared information with us. Please

contact us at: dpo@neurolief.com if you have reason to believe that a child has shared any information

with us.

DOC-000001, Version 7.0

Page 15 of 15