NEW YORK CONSUMER PRIVACY POLICY

This New York Consumer Privacy Policy (“Policy”) is applicable only to New York state residents and supplements other privacy policy concerns, terms, and conditions that exist regarding services provided by Biospace, Inc., DBA InBody (“InBody”). This Policy covers a variety of New York state privacy laws that have been enacted, including the Stop Hacks and Improve Electronic Security Act (“SHIELD”), the Identity Theft Protection and Mitigation Services Act, and the New York Privacy Act (“NYPA”)(all together, the “Acts”) and describes the rights available to New York consumers of InBody products and regarding their personal information and InBody’s practices regarding the collection, use, disclosure, and sale of personal information, as defined in the Acts. In reviewing this Policy, you are further encouraged to review our other terms and conditions for further information regarding our overall privacy practices, as well as other rights you have under federal law. You agree and understand the following:

1. Your Rights:
1. The Right to Know: This is your right to know what categories of personal information we collect about you, how we use your personal information, whether we share, disclose, and/or sell your personal information to third parties, and what other rights you may have under the Acts with respect to your personal information.
2. The Right to Delete: This is your right to request that we delete the personal information we have collected from you and maintain in our systems, subject to certain exceptions that permit us to keep your personal information for specific purposes.
3. The Right to Access: This is your right to request access to the personal information we have collected about you.
4. The Right to Opt-Out of Sale: This is your allowing you to opt-out of the sale of your personal information to third parties, if any.
5. The Right to Equal Service: This is your right to not be retaliated against by InBody in any manner for exercising any of your rights under the Acts or other privacy policy agreements between you and InBody.
2. The Categories of Personal Information InBody Collects Under the Acts

   In the last twelve months, InBody may have collected the following categories of personal information, as defined under the Acts, about New York consumers (for more information on our collection practices, please review our Terms of Service):

   1. Personal Identifiers: real name, alias, postal address, a unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers, including those personal information categories listed in the Acts, which also includes signature, physical characteristics or description, address, telephone number, insurance policy number, education, employment, employment history, bank account number, credit and debit card numbers, any other financial information, medical information, or insurance information.
   2. Protected classification characteristics under New York or federal law: age, race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex, gender, gender identity, gender expression, pregnancy status, childbirth and related medical conditions, sexual orientation, veteran or military status, genetic information.
   3. Commercial Information: records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
   4. Biometric Information: genetic, physiological, behavioral, and biological characteristics, or activity patters used to extract a template or other identifier or identifying information, such as fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health or exercise data.
   5. Internet or other similar network activity: browsing history, search history, information on a consumer’s interaction with a website, application or advertisement.
   6. Geolocation Data: physical location or movements.
   7. Inferences drawn from other personal information: profile reflecting a person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
3. Sources of the Information We Collect Under the Acts

InBody collects certain personal information about you from a variety of sources in order to provide you with our services, communicate with you and your service facilitator, and provide you with the support you need to use our services. These sources may include:

1. Information provided by you to InBody directly, such as when you contact or communicate with us, or when you establish a user account.
2. Information we collect automatically and through your use of InBody’s services and products, including our websites and applications.
3. Information obtained by third parties, such as your service facilitator.
4. Information publicly available about you.
1. How InBody Uses Your Information

Under the NYPA, InBody is required to act as a data fiduciary to you, exercising the duty of care, loyalty, and confidentiality expected of a fiduciary with respect to your personal information. As such, InBody shall, and shall cause third-party service providers to, act in your best interests in a manner that may be reasonably expected by a reasonable InBody customer under similar circumstances. For information on how InBody uses the information we obtain from you, please review our Terms of Service.

1. Disclosure of Your Information

As mentioned in the InBody Terms of Services, InBody does not sell your personal information to third parties for monetary consideration for any purpose, including advertising. However, InBody may share your personal information, with the following entities for the purpose described below:

1. Business transfers:

InBody may disclose personal information in connection with the sale, merger, sale of assets or reorganization of InBody or its affiliates. In such an event, your information will transfer to the acquiring company. Notice of such a transfer will be provided to you.

1. Third Parties:

   InBody has a relationship with third-party service providers including, but not limited to, LookinBody Company and InBody Co., Ltd. They help InBody provide services to you, administer InBody’s business, and design, maintain, improve InBody’s service(s), systems, procedures, protocols, and security.

   When we allow our contracted third-party service provider to have access to your personal information, they are permitted to use it only for purposes that are consistent with this Policy. We ensure, through agreements in place, that these third parties have equivalent level of protection established in their organizations for sturdy protection of your information. If a substantial change in our or our associates’ business model occurs, that impacts the use of your information, an updated privacy policy will be provided. Below is the list of some of the third parties that may use your personal information:

   1. Use of Personal Information: By LookinBody Company
      1. To administer and maintain InBody’s servers.
      2. To provide the highest level of support, if needed.
      3. Improve InBody’s content
         1. The collection of personal information also helps create, develop, operate, deliver, and improve services that are provided to you.
         2. To track and respond to safety concerns and to further develop and improve services
      4. LookinBody Company may use the aggregated data, so they can administer and improve our services and websites, analyze trends and gather broad demographic information
         1. The LookinBody Company may also use the aggregated data for various business purposes including research and development.
   2. Use of Personal Information: By InBody Co., Ltd.
      1. InBody Co., Ltd. may share or sell aggregated, de-identified, data that does not identify you, with partners and the public in various of ways, such as by providing research or reports about health and fitness or in connection with contests, challenges or another event. When they provide this information, they perform appropriate procedures so that the data does not identify you.
2. With Service Providers and Business Partners:

InBody works with other companies and individuals to perform services on InBody’s behalf. Any such subcontractor will be under the compliance of 45 CFR § 164.502(b). Examples of providers include data analysis firms, credit card processing companies, customer service and support providers, email and SMS vendors, web hosting and development companies and fulfillment companies. These third parties may be provided with access to your personal information as required to perform functions for InBody, but the use will be subject to contracts and agreements in place that protect the confidentiality of the information.

1. Law enforcement:

InBody may disclose and report to law enforcement agencies information related to activities that InBody reasonably believes to be unlawful, or that InBody reasonably believes may aid a law enforcement investigation into unlawful activity. In addition, InBody reserves the right to release your information to law enforcement agencies if InBody determines, in its sole judgment, that the release of your information may help protect the safety or property of any person or entity.

1. Required or Permitted by law:

InBody may disclose your information to others as required or permitted by law. This may include disclosing your information to governmental entities, including the New York Attorney General, New York Department of State, and the New York Division of State Police, or pursuant to court orders, subpoenas, warrant, summons or similar process.

1. Protection for InBody and Others:

InBody may disclose the information obtained from you when InBody believes it is necessary to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the safety of any individuals, violations of our Terms of Service or this Policy, or as evidence in litigation in which InBody is involved.

1. To You:

Under the Acts, InBody is required to inform you should your personal information be acquired by a third party without your authorization. Should such an acquisition occur, InBody shall inform you within three (3) business days following determination and/or notice of such unauthorized acquisition.

1. Unrestricted Use

   The Acts does not restrict InBody’s ability to disclose the personal information identified above to third parties for the purposes previously stated and for the following purposes, which include:

   1. Compliance with federal, state, or local laws.
   2. Compliance with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities.
   3. Cooperation with law enforcement agencies concerning conduct or activity that InBody, a service provider, or third party reasonably and in good faith believes may violate federal, state, or local law.
   4. Exercise or defense of legal claims.
   5. Collection, use, retention, sale, or disclosure of consumer information that is deidentified or aggregated consumer information.
   6. Collection or sale of consumers’ personal information if every aspect of that commercial conduct takes place wholly outside of New York.
2. Protecting Your Personal Information

   Under the Acts, InBody is required to implement certain security measures when processing and/or storing your personal information and maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of your personal information, including:

   1. Designation of an IT Security Coordinator;
   2. Identifying or causing the identification of reasonably foreseeable internal and external data security risks;
   3. Regular and routine assessments of the sufficiency of InBody’s data security safeguards, network and software design, information processing, transmission, storage and disposal;
   4. Regular and routine employee training and management regarding security program practices and procedures;
   5. Contracting with and managing service providers capable of maintaining appropriate safeguards to InBody’s data security, and auditing the same;
   6. Ensure that InBody’s policies and procedures remain flexible and able to change to shifting circumstances in the law or otherwise;
   7. Ensure that InBody is capable of detecting, preventing, and responding to system failures and third-party threat actors, intrusions, and other unauthorized access attempts; and
   8. Dispose of your personal information within a reasonable amount of time following your request or after it is no longer needed for our business purposes.
3. Your Right to Know the Personal Information Obtained About You

   The Acts requires that, upon request, InBody must provide you the following information:

   1. The categories of personal information obtained from you.
   2. The categories of sources from which the personal information is obtained.
   3. The business and/or commercial purpose for collecting, disclosing, or selling, if applicable, the personal information.
   4. The categories of third parties with whom InBody has shared your personal information.
   5. The specific pieces of personal information obtained from you.

   This is known as your “right to know” under the Acts.

4. Your Right to Request Access to the Personal Information Obtained About You

   The Acts requires InBody to provide you with access to the actual personal information collected about you during the course of the preceding twelve months; this is known as your “right to access” under the Acts.

   The Acts requires InBody to comply with up to two access requests during a single twelve-month period, which are subject to limitations for manifestly unfounded or excessive requests.

   In addition, there are certain categories of personal information that InBody may not return to you in response to your access request due to the inherently sensitive nature of such information which could create a substantial, articulable, and unreasonable risk to the security of that personal information. This includes your Social Security number, driver’s license number, or other government-issues identification number, financial account number, health insurance or medical identification number, account password, or security questions and answers.

5. Your Right to Request Deletion of Personal Information Obtained About You

   If you wish to request InBody to delete the personal information obtained about you, subject to a verifiable consumer request, InBody will delete your personal information from InBody’s systems, barring exception. Service providers and third parties with whom InBody has shared your personal information will be notified.

   However, in addition to certain applicable terms and conditions pertaining to deletion of information as found in the InBody Terms of Service, your deletion request is subject to certain exceptions which InBody may rely on where it is necessary for the company to retain personal information in order to:

   1. Complete the transaction for which the personal information was collected, provide a product or service requested by you, or reasonably anticipated, within the context of InBody’s ongoing business relationship with you, or other wise perform an agreement between InBody and yourself.
   2. Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for that activity.
   3. Identify and repair errors that impair existing intended service functionalities.
   4. Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law.
   5. Comply with the Acts, as applicable.
   6. Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws when such deletion of information is likely to render impossible or seriously impair the achievement of such research, if you have provided informed consent.
   7. To enable solely internal uses that are reasonably aligned with the expectations of the consumer, as based upon the consumer’s existing relationship to InBody.
   8. Comply with a legal obligation.
   9. Otherwise use the personal information, internally, in a lawful manner that is compatible with the context in which you provided the information.

   Should any of these exceptions apply, InBody is not required to delete your personal information. In the event that your request is denied based on any of these exceptions, InBody will inform you, in writing, of the reason.

6. Submitting a Request

   Given the sensitive nature of the information under the Acts and as proscribed by the law itself, it is essentially that InBody verify your identity in order to process your request, whether it is for access or deletion of your personal information. While the identity verification process involves the processing of personal information relevant to you as the requestor, InBody does not collect or retain the information that you provide as part of the request process, provided that InBody will retain contact information provided for the purpose of fulfilling your request or otherwise communicating with you in connection with your request. If InBody cannot verify your identity, your request will be denied.

   To exercise any of your Acts rights, please contact us at info@inbody.com.

7. Your Right to Opt Out of Personal Information Sales

   The Acts adds a new right for New York consumers to opt-out of the sale of their personal information to third-parties. InBody will provide you with the ability to manage your privacy preferences. To choose the opt-out selection on your preferences settings, which is available on our websites and applications. If you exercise your right to opt-out of the sale of your personal information to third-parties, InBody shall not ask you to change your decision and you will experience no effect in how InBody provides its services to you or charge you additionally for your decision to restrict InBody’s ability to sell your personal information.

8. Your Right to Equal Service

   The Acts prohibits businesses from discriminating against New York consumers for exercising any of their rights under the Acts. This means that if you exercise any of your rights under the Acts as provided under this Policy, InBody shall not:

   1. Deny you goods or services;
   2. Charge you different prices for goods and services than you would have received otherwise; or
   3. Provide different levels of quality of goods or services to you;
9. Other Information: For information regarding InBody’s general privacy practices, some of which may or may not be applicable to you, please visit Inbody’s Privacy Policy page.
10. Update

    We reserve the right to change and amend any part of the Policy at any time and without prior notice. Details of these updates will be made available to you via InBody’s website(s). InBody advises that you check our websites from time to time to make sure that you agree with any changes and amendments. Your continued use of our Services constitutes your acceptance to this Policy and any updates. This Policy is incorporated into the Terms of Service for End User (if you are an End User) and the Terms of Service for Analysis Facility (if you are a Facility User), along with our standard Privacy Policy for those subjects and topics not covered hereunder.

11. Contact Information

    If you have any questions or comments regarding this Policy, our information handling practices, or any other aspects of your privacy and the security of information, please send an email to Info@InBody.com or contact us at

    InBody
    Attn: Product Support
    (323) 932-6503
    13385 Cerritos Corporate Dr., Suite C
    Cerritos, CA 90703

    You agree and acknowledge that you have read this Policy in its entirety and expressly consent to our collection, use, and disclosure, before accessing or using the Service(s), of your Personal Information in accordance with and subject to the limitations of this Policy.

    By signing, you acknowledge that you are of the legal age of consent in your jurisdiction.

    If you are not of legal age of consent in your jurisdiction, you may not sign this Policy and instead, you shall direct your parent or legal guardian to sign. By signing, parent or legal guardian further agrees and acknowledges that parent or legal guardian has obtained from, executed, and delivered to the Analysis Facility the appropriate parental consent and release forms.