Privacy Policy
Last updated: 4 April 2026
1. Introduction
Magistra Health B.V. ("Magistra", "we", "us", or "our"), registered in the Netherlands, operates the website magistra.health (the "Platform"). We act as a technology intermediary that connects patients with independent licensed healthcare providers and pharmacies for personalised weight management programmes.
This Privacy Policy explains how we collect, use, store, share and protect your personal data when you use our Platform, in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the Dutch Uitvoeringswet Algemene Verordening Gegevensbescherming ("UAVG"), and where applicable the Wet op de Geneeskundige Behandelingsovereenkomst ("WGBO").
By using our Platform, you acknowledge that you have read and understood this Privacy Policy. We will always ask for your explicit consent before processing your personal data, including any special categories of data (health data).
2. Data Controller
The data controller for the purposes of the GDPR is:
Magistra Health B.V.
Registered in the Netherlands
Website: magistra.health
Email: privacy@magistra.health
We have designated a Data Protection Officer (DPO) who can be reached at: dpo@magistra.health
3. What Personal Data We Collect
We collect the following categories of personal data:
a) Identity and Contact Data
- Full name
- Email address
- Phone number
- Postal address
- Date of birth
b) Health Questionnaire Data (Special Category Data under Article 9 GDPR)
- Height, weight, and BMI
- Medical conditions and health history
- Current medications
- Known allergies
- Other health-related responses provided in our questionnaire
c) Technical and Usage Data
- IP address (anonymised where possible)
- Browser type and version
- Device information
- Pages visited and time spent on the Platform
- Cookies and similar technologies (see Section 10)
d) Communication Data
- Records of correspondence with us via email or through the Platform
4. Legal Basis for Processing
We process your personal data on the following legal bases under GDPR:
a) Explicit Consent (Article 6(1)(a) and Article 9(2)(a) GDPR)
For all health data and special category data, we rely on your explicit, informed, freely given, and specific consent. You provide this consent when you complete our health questionnaire and explicitly agree to the processing of your health data. You may withdraw your consent at any time (see Section 8).
b) Health Data Processing (Article 9(2)(h) GDPR)
Processing of health data that is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services, on the basis of Union or Member State law (including the WGBO). This provides an additional lawful basis for the processing of special category health data through our Platform.
c) Performance of a Contract (Article 6(1)(b) GDPR)
Processing necessary for the performance of the service you have requested through our Platform, including matching you with an independent licensed prescriber and authorised pharmacy.
d) Legitimate Interest (Article 6(1)(f) GDPR)
For Platform security, fraud prevention, and service improvement, where our interests do not override your fundamental rights and freedoms.
e) Legal Obligation (Article 6(1)(c) GDPR)
Where we are required by Dutch or EU law to process or retain certain data.
5. How We Use Your Data
We use your personal data for the following purposes:
- To match you with an appropriate independent licensed prescriber and authorised pharmacy based on your health questionnaire responses
- To facilitate communication between you and your matched healthcare providers
- To manage your account and provide customer support
- To send you information about your personalised programme (with your consent)
- To improve and develop our Platform
- To comply with legal and regulatory obligations
- To detect and prevent fraud or security incidents
Important: Magistra is a technology platform, not a healthcare provider. We do not provide medical advice, diagnoses, or treatment. All clinical decisions are made by independent licensed prescribers, and all dispensing is performed by independent authorised pharmacies.
6. Who We Share Your Data With
We share your personal data only with the following categories of recipients, and only to the extent necessary for providing your personalised programme:
a) Independent Prescribers
Your health questionnaire responses and personal details are shared with the independent prescriber matched with you, solely for the purpose of clinical assessment and prescribing.
b) Independent Authorised Pharmacies
Your prescription details and delivery information are shared with the authorised pharmacy matched with you, solely for the purpose of dispensing and delivering your prescribed medication.
c) Service Providers
We use carefully selected third-party service providers who process data on our behalf (as data processors), including:
- Supabase (EU region) for database hosting
- Vercel (EU region) for website hosting
- Payment processors for transaction handling
All data processors are bound by data processing agreements in accordance with Article 28 GDPR.
d) Legal and Regulatory Bodies
We may disclose data where required by law, regulation, or court order, including to the Autoriteit Persoonsgegevens.
We do NOT sell your personal data to any third party. We do NOT share your data for marketing purposes with third parties.
7. International Data Transfers
Your personal data is stored and processed exclusively within the European Union. Our infrastructure providers (Supabase and Vercel) are configured to use EU-based data centres.
In the unlikely event that a data transfer outside the EU/EEA is required, we will ensure that appropriate safeguards are in place in accordance with Chapter V of the GDPR, such as Standard Contractual Clauses (SCCs) approved by the European Commission.
8. Your Rights as a Data Subject
Under the GDPR and the UAVG, you have the following rights:
a) Right of Access (Article 15 GDPR)
You have the right to request a copy of the personal data we hold about you.
b) Right to Rectification (Article 16 GDPR)
You have the right to request correction of inaccurate personal data.
c) Right to Erasure (Article 17 GDPR)
You have the right to request deletion of your personal data, subject to legal retention obligations.
d) Right to Data Portability (Article 20 GDPR)
You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.
e) Right to Object (Article 21 GDPR)
You have the right to object to processing based on legitimate interests.
f) Right to Withdraw Consent (Article 7(3) GDPR)
You have the right to withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
g) Right to Restriction of Processing (Article 18 GDPR)
You have the right to request restriction of processing in certain circumstances.
To exercise any of these rights, please contact us at privacy@magistra.health. We will respond to your request within 30 days, in accordance with GDPR requirements.
9. Data Retention
We retain your personal data as follows:
- Health questionnaire data and programme data: for the duration of your active programme plus 2 years after completion or account closure, after which it is permanently deleted.
- Account data (name, email, contact details): for the duration of your account plus 2 years after closure.
- Technical and usage data: for a maximum of 12 months from collection, in anonymised or pseudonymised form where possible.
- Communication records: for the duration of your account plus 2 years after closure.
Where Dutch law or the WGBO requires longer retention (for example, certain medical records), we will comply with those requirements and inform you accordingly.
After the applicable retention period, data is permanently and irreversibly deleted from our systems and those of our data processors.
10. Cookies and Similar Technologies
Our Platform uses cookies and similar technologies. We categorise these as follows:
a) Strictly Necessary Cookies
Required for the Platform to function (e.g., session cookies, security tokens). These do not require consent.
b) Analytics Cookies
Used to understand how visitors use our Platform and to improve performance. These are only placed with your explicit consent.
c) Preference Cookies
Used to remember your settings such as language preference. These are only placed with your explicit consent.
You can manage your cookie preferences at any time through our cookie consent banner. You can also control cookies through your browser settings.
For more details, please see our separate Cookie Policy.
11. Data Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction, including:
- Encryption of data in transit (TLS/SSL) and at rest
- Access controls and authentication mechanisms
- Regular security assessments and monitoring
- Data processing agreements with all sub-processors
- EU-only data storage
- Staff training on data protection
Despite our efforts, no method of transmission over the Internet or electronic storage is 100% secure. If you become aware of any security breach, please notify us immediately at privacy@magistra.health.
12. Children's Data
Our Platform is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from minors. If we become aware that we have collected data from a person under 18, we will take immediate steps to delete that data.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of any material changes by:
- Posting the updated policy on our Platform with a revised "Last updated" date
- Sending you an email notification for significant changes
- Requesting renewed consent where required by law
We encourage you to review this Privacy Policy periodically.
14. Supervisory Authority
If you believe that our processing of your personal data infringes the GDPR or the UAVG, you have the right to lodge a complaint with the Dutch Data Protection Authority:
Autoriteit Persoonsgegevens
PO Box 93374
2509 AJ The Hague
The Netherlands
Website: https://autoriteitpersoonsgegevens.nl
Phone: +31 (0)70 888 85 00
15. Contact Us
If you have any questions about this Privacy Policy or our data processing practices, please contact us:
Magistra Health B.V.
Email: privacy@magistra.health
DPO: dpo@magistra.health
Website: magistra.health
Instagram: @magistra.health