
Privacy Policy
Please read the following as part of our Privacy Policy and head to our Contact Us page if you have any questions.
1. Introduction to this Policy
1.1. This privacy policy (“Policy”) relates to:
1.1.1. the websites at www.medi2data.com and www.medi2cert.co.uk, and in
either such case any subdomain or any such related website and/or mobile
application for such website (together the “Website”);
1.1.2. the Electronic Medical Reporting (eMR) software application;
1.1.3. the Medical Data Exchange (MD-X) software application;
1.1.4. the Medical Evidence Tracker (MET) software application; and
1.1.5. a platform application operated by Medidata Exchange Limited (trading as
medi2data) for a Client and/or customers of that Client (any application as
described in clauses 1.1.2 to 1.1.5 inclusive, an “Application”).
1.2. You should read this Policy carefully as it contains important information about how we
will collect, process, use and store your Information (as defined below in clause 3.1). In
certain circumstances (see below), you will be required to indicate your Consent to
the processing of your Information as set out in this Policy when you first submit such
Information to or through the Website or an Application or otherwise in writing to us.
For further information about Consent, see clause 6 below.
1.3. We may update this Policy from time to time in accordance with clause 16 below.
This Policy was last updated on 27 August 2025.
2. About us and definitions
2.1. The terms “Medi2data” or “us” or “we” refer to Medidata Exchange Limited and, where
applicable, Medi2data SA (Pty) Ltd (see further clause 2.2 below). We are a company
limited by shares registered in England and Wales under company number 09481183
whose registered office is at Ty Derw, Lime Tree Court, Cardiff Business Gate, Cardiff,
CF23 8AB, Wales, United Kingdom. The term “you” refers to the individual accessing
and/or submitting Information to or through the Website or an Application or otherwise
using our Services.
2.2. We, and where relevant our South African subsidiary, Medi2data SA (Pty) Ltd. (see
below in this clause 2.2 and also clauses 3.2 and 10.2 for further details of the entity
and its activities), as the Data Processor or where relevant Data Controller for the
purposes of UK GDPR, can be contacted via our Data Protection Officer via email to
DPO@medi2data.com or post to Medi2data, The Maltings, East Tyndall Street, Cardiff,
CF24 5EA.
We and, where relevant, Medi2data SA (Pty) Ltd., as the Data Processor or Data Controller,
are responsible for, and control the processing of, your Personal Data in
accordance with the UK General Data Protection Regulation 2021 (“UK GDPR”) and the
Data Protection Act 2018 (“DPA”) and all other applicable laws and regulations which
may be in force from time to time relating to the processing of Personal Data and
privacy.
Without limiting the generality of the foregoing, where the context allows (where
Personal Data is regarded by law as being created or processed in the Republic of
South Africa (“RSA”)), the terms Data Processor and Data Controller are deemed to
include reference also to us and Medi2data SA (Pty) Ltd., each being also a “responsible
party” under the Protection of Personal Information Act (“POPIA”) of the RSA. Where
contact is to be made for the purposes of POPIA to us or Medi2data SA (Pty) Ltd,
contact may be made by email to DPO@medi2data.com or by post to 8 Church Street,
Durbanville, Cape Town, South Africa. Where the context requires, references to “us”
should be construed as referring to Medi2data SA (Pty) Ltd.
Medi2data is a brand name for Medidata Exchange Limited – Privacy Policy 2025
2.3. The following definitions apply in this Policy:
2.3.1. “Application” has the meaning given in clause 1.1.5;
2.3.2. “Client” or “Clients” means a client or clients of Medi2data including, as
applicable, relevant individuals, recruiters and third party requesters of
medical records, reports and/or information (such as insurers, governmental
agencies, clinical research providers and retail health providers);
2.3.3. “Consent” means freely given, specific, informed and unambiguous indication
of your wishes given by a statement or clear affirmative action;
2.3.4. “Data Controller” and “Data Processor” are as defined in Article 4 of the UK
GDPR and such expressions include where the context allows reference to the
‘responsible party’ in Section 1 of POPIA;
2.3.5. “Data Subject Access Request” means a request to obtain confirmation as to whether
or not Personal Data concerning a natural person is being processed pursuant
to Article 15 of the UK GDPR and where the context allows Section 5 of POPIA;
2.3.6. “DPA” has the meaning given in clause 2.2;
2.3.7. “Information” has the meaning given in clause 3;
2.3.8. “Medi2data”, “us” and “we” have the meanings given in clause 2.1;
2.3.9. “Policy” has the meaning given in clause 1.1;
2.3.10. “Personal Data” means any information that identifies or makes identifiable a
natural (living) individual;
2.3.11. “POPIA” has the meaning given in clause 2.2;
2.3.12. “RSA” has the meaning given in clause 2.2;
2.3.13. “Services” means any services we provide to or in respect of you to any
Client, healthcare professionals and other business partners, whether via or
following use of our Website or any Application or any other services we
provide to or in respect of you to a Client;
2.3.14. “Website” has the meaning given in clause 1.1.1;
2.3.15. “you” has the meaning given in clause 2.1; and
2.3.16. “UK GDPR” has the meaning given in clause 2.2.
In this Policy, “include”, “includes”, “including”, “such as” and similar words and
expressions must be read as if followed by “without limitation” and references to
clauses are to clauses of this Policy.
3. Information we may collect about you
3.1. When you use the Website, an Application and/or when you otherwise deal with us, or
provide information to a third party (including but not limited to a recruiter, an insurer or another
business partner of ours or your doctor or another healthcare professional) who provides information
about you to us, we may collect, process, use and store the following information about
you (“Information”):
3.1.1. personal information including first and last name, date of birth, title,
photograph and/or likeness and any relevant insurance policy or
NHS number;
3.1.2. contact information including one or more of current residential or
business address, email address, employer, job title, and/or phone
number, and, where relevant, the same in respect of your doctor,
other healthcare professional or insurer or other service provider;
3.1.3. technical information including IP address, operating system,
browser type and related information regarding the device you used
to visit the Website or the Application, the length of your visit and
your interactions with the Website or Application;
3.1.4. information obtained through forms completed by you on the
Website, or the Application or otherwise in writing and provided to
us, including information you provide when you register to use the
Application, download the Application, provide information to
facilitate our providing any of the Services or when you report any
problem with the Website, any Application or any of our Services;
3.1.5. details of your use of our Website or any Application or any of our
Services including traffic data and other communication data;
3.1.6. (if you are being considered for a job) recruitment information
including biographical information such as education and
employment history, references and right to work information (such
as passport, driving licence and/or visa information);
3.1.7. compliance information including searches against international
sanctions lists, criminal record databases, insurance claims databases
and other compliance monitoring, reporting and remediation
information;
3.1.8. marketing data, including your preferences in receiving marketing
from us and dietary preferences for events we may operate;
3.1.9. information relating to your health or medical records (“Special
Category Data”), obtained by any means described above and which
will be handled in accordance with clause 3.2 below; and
3.1.10. details of any enquiries made by you through the Website or the
Application or otherwise in writing and provided to us, together
with details relating to subsequent correspondence (if applicable).
3.2. If you are an individual, any Special Category Data (information relating to your health or
medical records) will be (as applicable) either or both (a) processed through the Website
and/or in the Application for the purposes of responding to a Data Subject Access
Request made by you or on your behalf and/or included in a curated medical report
created by clinical staff of ours, where you have requested such a report (through the
Website or the Application) and/or (b) included in a curated medical report created
by clinical staff of our wholly-owned subsidiary, Medi2data SA (Pty) Ltd, where you
have requested such a report (through the Website or the Application). Further
details of Medi2data SA (Pty) Ltd are given in clause 10.2. Where (a) applies, please
note that we will be processing relevant data as a Data Processor on behalf of a Data
Controller (typically your doctor or other healthcare professional), where “Data
Processor” and “Data Controller” are as defined in the UK GDPR. The processing of this
Special Category Data will not be subject solely to this Policy where we are the Data
Processor and you will also need to review the contents of the Data Controller’s (i.e.
typically your doctor’s or other healthcare professional’s) privacy policy in respect of the
processing of this Special Category Data and their privacy policy will take
precedence. We have data processing agreements in place with relevant Data
Controllers. Where (b) applies, this Policy applies to the report created and
Medi2data SA (Pty) Ltd will be the Data Controller and we will be the Data Processor.
3.3. We may monitor your use of the Website or the Application through ‘cookies’ and
similar tracking technologies. We may also monitor traffic, location and other data and
information about users of the Website or the Application. Such data and information, to
the extent that you are individually identifiable from it, constitutes Information as
defined above. However, some of this data will be aggregated or statistical, which
means that we will not be able to identify you individually. See clause 15 below for
further information on our use of cookies.
4. How long we keep your Information
4.1. Subject to clause 4.5, we will keep your Information only for the purposes set out in the
table below (see clause 5).
4.2. We will only retain your Personal Data for as long as reasonably necessary to fulfil the
purposes we collected it for, including for the purpose of satisfying any legal,
regulatory, tax, accounting or reporting requirements. We may retain your Personal
Data for a longer period in the event of a complaint or if we reasonably believe there is a
prospect of litigation in respect of our relationship with you. We are required to keep
the information we collect as set out in clause 3.1 of this Policy for 6 years, unless
instructed by the Data Controller to remove the Personal Data before this period.
4.3. If required, we will be entitled to hold Personal Data for longer periods in order to comply
with our legal or regulatory obligations.
4.4. Where we hold the Information based on your express Consent and have no other legal
basis for holding your Information, we will hold it until Consent is withdrawn.
4.5. In some circumstances you can ask us to delete your Personal Data – see clause 12
below for further Information.
5. Legal Basis for processing your information
5.1. We may use your Information for different business purposes and in reliance on
different legal bases, depending on the nature of our relationship with you and in
accordance with applicable laws. In certain cases, the legal basis will be reliant on
your consent and in other cases we will not require your consent provided we need to
use the Information to perform our contractual and other legal obligations in respect
of you as individual (including our pre-contractual obligations) or we pursue our
legitimate interests or there is another purpose required or permitted by applicable
law. In accordance with the UK GDPR, the DPA and/or POPIA as applicable we may
only process your Information if we have a “legal basis” (i.e. a legally permitted reason)
for doing so. For the purposes of this Policy, our legal basis for processing your
Information is set out in the table below.


6. Your Consent to Processing
6.1. As noted above, you will be required to give Consent to certain processing activities
before we can process your Information as set out in this Policy. Where applicable, we
will seek this consent from you when you first submit Information to or through the
Website or the relevant Application.
6.2. If you have previously given Consent, you may freely withdraw such Consent at any
time. You can do this by notifying us in writing (see clause 19 below).
6.3. If you withdraw your Consent, and if we do not have another legal basis for processing
your information (see clause 5 above), then we will stop processing your Information.
If we do have another legal basis for processing your information then we may
continue to do so subject to your legal rights (for which see clause 12 below).
6.4. Please note that if we need to process your Information in order to operate the
Website, the Application and/or provide our Services, and you object or do not consent
to us processing your Information, the Website, the Application and/or our Services
may not be available to you.
7. Marketing and opting out
7.1. Where you are dealing with us on behalf of a limited company or LLP, for business
purposes, then we may contact you by email to your corporate email address about
similar or related products that we offer. If you prefer not to receive any direct
marketing communications from us, or you no longer wish to receive them, you can opt
out at any time (see below).
7.2. Where you have previously ordered services from us, or been considered for
employment, we may contact you by telephone, email and post about similar or
related services and promotions or employment opportunities that may be of interest to
you. We will inform you if we intend to use your data for such purposes and give you
the opportunity to opt out of receiving such information from us. In addition, and if
you have given permission, we may also contact you by telephone, email and post
about our other products, services, promotions and special offers that may be of
interest to you. We will inform you (before collecting your data) and seek your
permission if we intend to use your data for such additional marketing purposes. If
you prefer not to receive any direct marketing communications from us, or you no
longer wish to receive them, you can opt out at any time (see below).
7.3. If you have given permission, we may contact you by post, telephone and email to
provide information about products, services, promotions and other information we
think may be of interest to you. We will inform you (before collecting your data) if we
intend to use your data for such purposes. If you would rather not receive such
marketing information from us, or you no longer wish to receive it, you can opt out at
any time (see below).
7.4. We will get your express opt-in consent before we share your personal data with any
third party for marketing purposes.
7.5. You have the right at any time to ask us, or any third party, to stop processing your
information for direct marketing purposes. If you wish to exercise this right, you
should contact us by sending an email to connect@medi2data.com or contact the
relevant third party using their given contact details, giving us or them enough
information to identify you and deal with your request.
8. Disclosure of your information
8.1. We may disclose your Information (including Personal Data and including where
relevant and lawful Special Category Data):
8.1.1. to other companies within our group of companies (which means
our subsidiaries, our ultimate holding company and its subsidiaries,
as defined in section 1159 of the UK Companies Act 2006) (and we
will ensure they have appropriate measures in place to protect your
Information);
8.1.2. to our business partners, service providers, professional advisers or
third-party contractors to enable them to undertake services for us
and/or on our behalf (and we will ensure they have appropriate
measures in place to protect your Information);
8.1.3. to any prospective investor in or buyer or seller of any interest in any
debt or equity in or any of the assets and liabilities of our company or any
of its subsidiaries (and their representatives) in the event that a sale or
purchase of any of these things is contemplated (and we will ensure
they have appropriate measures in place to protect your
Information);
8.1.4. if we are under a duty to disclose or share Personal Data in order to
comply with any legal obligation, including (but not limited to) any
request or order from law enforcement agencies and/or HMRC
and/or the Information Commissioner’s Office or any other regulatory
body or authority in connection with any investigation to help
prevent unlawful activity; we may in certain circumstances consider
ourselves compelled proactively to supply information to relevant authorities if
we suspect a breach of law or have safeguarding concerns; and
8.1.5. to other third parties if you have specifically consented to us doing
so.
Third parties who may have access to your Personal Data in connection with your
health may include doctors and other healthcare professionals, any Client or actual
or prospective employer or family member or carer whom you authorize us to
contact in this regard, and also third party IT system suppliers of ours who may need
some level of access for technical purposes in connection with the operation of
systems. Finance, legal and regulatory professionals may also have access to your
Personal Data in connection with the purposes described above.
8.2. We may create alone or with assistance from selected third parties aggregated,
anonymous information (i.e. information from which you cannot be personally
identified), or insights based on such anonymous information, and such information
may be disclosed to such third parties. Such third parties may include analytics and
search engine providers to assist us in the improvement, optimization, development
and expansion of our business or the Website or Application or our Services and such
third parties may include third party purchasers of such insights. In all such
circumstances we will not disclose any information which can identify you personally
and we will act in accordance with applicable laws.
8.3. If any part of our business is sold or integrated with another business your
Information may be disclosed to our advisers and any prospective purchasers and their
advisers and will be passed on to the new owners of the business.
8.4. Where we hold information on you and we obtained it for an initial purpose, we may
with your consent in future apply it for a further, different purpose. It will be for
you to decide at the time whether you want to agree to the data we hold being used
for the further, different purpose.
9. Keeping your information Secure
9.1. We will use technical and organisational security measures, policies and procedures in
accordance with good industry practice to safeguard your Information, including the
use of data encryption as applicable. We limit access to your Information to
those of our and our subsidiary’s employees, staff and other third parties on a business
need-to-know basis. They will only process your personal data upon our instructions,
and they are subject to a duty of confidentiality. See clause 10 regarding international
transfers of your information.
9.2. Where we have given you (or where you have chosen) a password that enables you to
access an Application or secure part of our Website, you are responsible for keeping
this password confidential. Please do not share this password with anyone.
9.3. While we will use all reasonable efforts to safeguard your Information, you
acknowledge that the use of the Internet is not entirely secure and for this reason we
cannot guarantee the security or integrity of any Information that is transferred from
you or to you via the Internet. We have implemented procedures to respond to any
suspected personal data breach or security incident and will notify you and relevant
data protection regulators where we are legally required to do so in the event of any
personal data breach or security incident.
10. Cross-border transfers of information
10.1. We may on occasion transfer your Information outside the UK, EU or RSA to another
jurisdiction for processing. Where Personal Data is transferred outside the territory
from where it was collected, we will implement appropriate legal mechanisms to
ensure that your Personal Data remains adequately protected upon reaching its
destination, as required by applicable laws including UK GDPR, DPA and/or POPIA as
applicable.
10.2. Information you provide to us is stored on our secure servers in the United Kingdom
and may be transferred to servers in the EU (in respect of which the UK has granted
the EU data privacy adequacy, meaning personal data can flow freely between the
UK and EU, as the EU’s data protection regime is considered essentially equivalent to
the UK GDPR). In addition, we carry out certain of our operations with assistance
from a wholly-owned subsidiary, Medi2data SA (Pty) Ltd (a company incorporated in
the Republic of South Africa with company number K2024/151466/07 and having its
registered address at 8 Church Street, Durbanville, Cape Town, South Africa).
10.3. We have a Data Sharing Agreement with Medi2data SA (Pty) Ltd that includes
Standard Contractual Clauses under the UK Information Commissioner’s Office
International Data Transfer Agreement for the transfer of personal data from the UK
and the agreement also requires that Medi2data SA will only process Personal Data in
support of our business. The agreement similarly protects information transfers from
the RSA.
10.4. Your personal data that is accessible to Medi2data SA (Pty) Ltd will be held on servers
in the UK and EU (as referred to in Clause 10.2) that may be remotely accessed from
South Africa for the purposes of assisting in the operations of our business. Such
access constitutes a transfer of your data for the purposes of UK GDPR and the DPA.
We ensure that such information is not otherwise transferred from the UK or EU or
further transferred from South Africa other than back to the UK or EU or as required
or permitted by law. We ensure that your personal data in South Africa is not
processed save as permitted by law.
11. Information about other Individuals
If you give us information on behalf of a third party, you confirm that the third party has
appointed you to act on his/her/their behalf and has agreed that you can: give Consent
on his/her/their behalf to the processing of his/her/their Information; and receive on
his/her/their behalf any data protection notices.
12. Your rights and duty to inform us of changes
You have a number of rights under data protection law. Full information on your rights
under UK GDPR and the DPA can be found on the UK Information Commissioner’s website
at https://ico.org.uk and information on rights under POPIA can be found on the RSA
Information Regulator’s website https://inforegulator.org.za
These include the right to be informed about the collection and use of your personal
data, for example by this Policy. This section sets out your further, specific legal rights in
respect of any of your Personal Data that we are holding and/or processing.
If you wish to exercise any of your legal rights, you should put your request in writing to
the applicable Data Controller where this is not us or Medi2data SA or otherwise to us (using
our contact details in clause 19 below) giving us enough information to identify you and
respond to your request. We may require you to supply evidence of your identity and
other information we need to deal with your request. In the majority of cases, we will
respond within one month of receiving the necessary information to deal with your
request.
12.1. You have the right to request access to information about Personal Data that we may
hold and/or process about you (commonly known as a “data subject access
request”), including: whether or not we are holding and/or processing your Personal
Data; the extent of the Personal Data we are holding; and the purposes and extent of
the processing.
12.2. You have the right to have any inaccurate or incomplete information we hold about
you be corrected and/or updated. If any of the Information that you have provided
changes, or if you become aware of any inaccuracies in such Information, please let us
know in writing giving us enough information to deal with the change or correction. It
is important that the Information we hold about you is accurate and current. Please
keep us informed if your Information changes during our relationship with you.
12.3. You have the right in certain circumstances to request that we delete all Personal Data
we hold about you (the ‘right of erasure’). Please note that this right of erasure is not
available in all circumstances, for example where we need to retain the Personal Data
for legal compliance or contractual purposes. If this is the case, we will let you know.
12.4. You have the right in certain circumstances to request that we restrict the processing of
your Personal Data, for example where the Personal Data is inaccurate or where you
have objected to the processing (see clause 12.6 below).
12.5. You have the right to request a copy of the Personal Data we hold about you and to
have it provided in a structured format suitable for you to be able to transfer it to a
different Data Controller (the ‘right to data portability’). Please note that the right to
data portability is only available in some circumstances, for example where the
processing is carried out by automated means. If you request the right to data
portability and it is not available to you, we will let you know.
12.6. You have the right in certain circumstances to object to the processing of your
Personal Data. If so, we shall stop processing your Personal Data unless we can
demonstrate sufficient and compelling legitimate grounds for continuing the
processing which override your own interests. If, as a result of your circumstances, you
do not have the right to object to such processing then we will let you know.
12.7. You have the right in certain circumstances not to be subject to a decision based
solely on automated processing, for example where a computer algorithm (rather than
a person) makes decisions which affect your contractual rights. Please note that this
right is not available in all circumstances. If you request this right and it is not available
to you, we will let you know.
12.8. You have the right to object to direct marketing, for which see clause 7.5 above.
If you have a concern that is not resolved through correspondence and/or discussions with
us, you can raise your concern with the Information Commissioner’s Office (see clause 14.2
below).
13. Accessing Personal Data
13.1. You will not have to pay a fee to access your Personal Data (or to exercise any of the
other rights in clause 12). However, we may charge a reasonable fee if your request is
clearly unfounded, repetitive or excessive.
13.2. We may need to request specific information from you to help us to confirm your
identity to ensure your right to access your Personal Data. This is a security measure
to ensure that Personal Data is not disclosed to any person who has no right to receive it. We
may also contact you to ask you for further information in relation to your request to
speed up our response.
13.3. We try to respond to all legitimate requests within one month. Occasionally, it could
take us longer than a month if your request is particularly complex or you have made a
number of requests. In this case, we will notify you and keep you updated.
14. Complaints
14.1. If you have any concerns about how we collect or process your Information please
contact us through dpo@medi2data.com.
14.2. However, if you do not feel we have handled your concern then you have the right to
lodge a complaint with a supervisory authority, which for the UK is the UK Information
Commissioner’s Office (“ICO”). Complaints can be submitted to the ICO through the
ICO helpline by calling 0303 123 1113. Further information about reporting concerns
to the ICO is available at https://ico.org.uk/concerns/. For the RSA this can be
submitted to the Information Regulator using the information available at
https://inforegulator.org.za/complaints/.
15. ‘Cookies’ and related Software
15.1. Our software may issue ‘cookies’ (small text files) to your device when you access and
use the Website or the Application. Cookies do not affect your privacy and security
since a cookie cannot read data off your system or read cookie files created by other
sites.
15.2. Our Website and Application use cookies and other tracking and monitoring software
to: distinguish our users from one another; collect standard Internet log information;
and collect visitor behaviour information. The information is used to track user
interactions with the Website and the Application and allows us to provide you with a
good experience when you access the Website or the Application, helps us to improve
our Website, Application and Services, and allows us to compile statistical reports on
visitors and activity of the Website and Application.
15.3. You can set your system not to accept cookies if you wish (for example by changing
your browser settings so cookies are not accepted); however, please note that some of
our Website or Application features may not function if you remove cookies from your
system. For further general information about cookies please visit
www.aboutcookies.org or www.allaboutcookies.org.
16. Changes to this Policy
We keep this Policy under regular review and may change it from time to time. If we
change this Policy we will post the changes on this page, and where appropriate when
you next start the Application, so that you may be aware of the Information we collect
and how we use it at all times. You are responsible for ensuring that you are aware of
the most recent version of this Policy as it will apply each time you access the
Website or the Application.
17. Links to other Websites
17.1. Our Website or Application may contain links to other websites. This Policy only
applies to our Website and our Application. If you access links to other websites any
Information you provide to them will be subject to the privacy policies of those other
websites.
17.2. We have no control over third party websites or systems and accept no legal
responsibility for any content, material or information contained in them. Your use of
third-party sites or systems will be governed by the terms and conditions of that third
party. It is your responsibility to ensure you are happy with such third-party terms and
conditions.
17.3. The display of any hyperlink and/or reference to any third-party website, system,
product or service does not mean that we endorse that third party’s website, products
or services and any reliance you place on such hyperlink, reference or advert is done
at your own risk.
18. Accessibility
This Policy aims to provide you with all relevant details about how we process your
Information in a concise, transparent, intelligible and easily accessible form, using
clear and plain language. If you have any difficulty in reading or understanding this
Policy, or if you would like this Policy in another format (for example audio, large print or
braille), please get in touch with us.
19. Contact Us
We welcome your feedback and questions on this Policy. If you wish to contact us,
please email us at dpo@medi2data.com or call 03333 055 774 or write to us at the
applicable address set out in clause 2.