Vitaliv Privacy Policy

April 6th, 2022

Summary

This Privacy Policy describes how Vitaliv Inc. processes Personal Data pertaining to natural persons that interact with it as website visitors or Prospect Customers/ Customers (meaning how such Personal Data is Collected, Stored, Accessed, Processed, and Shared), both online and by other means, such as by phone while Customers order Vitaliv products, as well as the Legal Basis for such Processing activities.

This Privacy Policy is provided to you in line with the following Applicable Personal Data Protection Legislation:

  • The Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, also known as the General Data Protection Regulation (the GDPR), which became enforceable across the EU and the EEA from 25 May 2018, having replaced the previous Directive 95/46/EC. In Ireland, the national law which, amongst other considerations, gives further effect to the GDPR is the Data Protection Act 2018 (‘the 2018 Act’).

  • The Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009, also known as the ePrivacy Directive, amending the Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws.

  • The California Consumer Privacy Act 2018 (CCPA), assembly Bill of the State of California, United States of America, No. 375, under CHAPTER 55, an act to add Title 1.81.5 (commencing with Section 1798.100) to Part 4 of Division 3 of the Civil Code, relating to privacy and approved by the Governor on 28 June 2018. Filed with the Secretary of State on 28 June 2018 and enforceable since 01 January 2020.

  • The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a United States federal law that sets national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. The Privacy Rule standards address the use and disclosure of individuals’ health information (known as “protected health information”) by entities subject to the Privacy Rule. These individuals and organizations are called “covered entities.” The Privacy Rule also contains standards for individuals’ rights to understand and control how their health information is used. A primary goal of the Privacy Rule is to ensure that individuals’ health information is adequately protected while allowing the flow of health information needed to provide and promote high-quality health care and protect the public’s health and well-being. The Privacy Rule strikes a balance that permits important uses of information while protecting people's privacy who seek care and healing.

The primary goal of Processing Personal Data is to convey Vitaliv’s products portfolio and Services (in the area of food supplements) while supporting the Prospect Customer/ Customer during the purchasing process, which takes place either via email messages, a phone call, or enabling the Data Subject (Customer) access to Vitaliv’s website/ online store.

All partner entities with which Vitaliv may have to share some of its Personal Data to enable its Service towards its Prospect Customers/ Customers (for such entities deliver a part of that Service) have a Data Processing Agreement in place that also comprises Standard Contractual Clauses, as required under the EU General Data Protection Regulation (EU) 2016/679 (the “GDPR”), for those whose Personal Data Processing activities do not take place in the EU.

Personal Data is exclusively Processed under the scope and purpose of agreed Services between Vitaliv and the Data Subject (natural person to whom such Data pertains). At the same time, the Data Subject maintains complete control over it as defined under the GDPR as Data Subject's Rights.

Any questions may be posted via the e-mail privacy@vitaliv.us

Application

Vitaliv reserves the right to modify this Privacy Policy by posting an updated, time-stamped version on its websites.

I. Data Collection

As a retailer of food supplements, Vitaliv Processes Personal Data about those Data Subjects who have freely submitted it with a view (potential intention) to purchase our products (“Prospect Customers”), as well as those who have already purchased our products (“Customers”), plus staff members who (as Data Subjects) are also entitled to their Privacy Rights.

Upon reaching one of Vitaliv’s “web landing pages,” “Prospect Customers” will be invited to input some information (including Personal Data) that serves the purpose of identifying best-fit products/ services for their specific needs. While doing so, those Data Subjects are at this moment informed by this Privacy Policy that by freely inputting any information, they consent to the herein described Processing activities.

At this stage, where visitors are “Prospect Customers” and before having them inputting any Data on Vitaliv’s online forms, the univocal identification of the individual inputting the Data as the Data Subject has not occurred, merely an unidentified source is inputting the Data (for it can be anyone).

The univocal identification of the individual as the Data Subject him/ herself occurs after the individual becomes a Customer and requires making available a two-factor authentication process by which Vitaliv submits information/ validation over two separate communications channels that address the same natural person and upon collecting matching feedback from both it can document up to its capabilities that the person interacting with Vitaliv is the Data Subject.

Vitaliv does this via a Call Center call with confirmation through email or SMS; sending out an SMS that is confirmed by email; when the Customer buys something through the payment action or when the Customer Logs in to Vitaliv’s tools (username and password).

“Customers’” Personal Data is processed within a more extensive range for those who have already been interacting with the company. However, when becoming a Customer, the Data Subject is asked for his/ her explicit Consent towards the Personal Data Processing scope and purpose.

Vitaliv also collects information about its websites' visitors via cookies and similar technologies, regardless of those being “Customers,” “Prospect Customers,” or just plain visitors; yet those "users" are informed about the purpose of such Cookies via the Cookies Policy and are allowed to manage those (disabling any Cookies that they may consider to be "inappropriate" for their navigation purposes).

Vitaliv does not cross-reference data/ information gathered through cookies and similar technologies with existing Personal Data about “Prospect Customers,” except for the IP address in use and for the limited purpose as set out in this Policy (ahead); with regards to “Customers,” Vitaliv tracks their visits to its website to assess points of interest and therefore better focus its support towards them.

Furthermore, the information gathered via Cookies is limited in scope, and it is hosted/ Processed separate (segregated) from the Personal Data about Data Subjects, hence not enabling the univocal identification of a given natural person on its own, meaning not consisting of Personal Data.

Any user that is identified as being under 21 years of age (therefore not bearing total legal capacity as an adult) is not allowed to use our websites. If any Personal Data has been gathered about such an individual, it shall be immediately erased from all repositories except a black-list that will prevent further collection/ Processing of such Data.

II. Who is the Data Controller of your data?

Vitaliv is the entity that acts as the Data Controller for this Privacy Policy and all data processing practices herein contemplated. All questions or requests regarding the processing of the personal data under our control or processing may be addressed to privacy@vitaliv.us

III. How do we collect your data?

Data Sources.

Vitaliv collects or obtains Personal Data from the following sources (under the following Legal Basis):

  • Where the Data Subject provides the Data him/ herself by a conscious affirmative action aimed at giving specific information: e.g., where the Data Subject contacts Vitaliv via e-mail or telephone, fills out online forms, or replies to questions on the websites or those of phone operators (Consent);

  • Driven from the ordinary course of business operations towards “Prospect Customers” and “Customers”: e.g., dispatching and invoicing ordered products (Legitimate Interest);

  • Where based on Data Subjects' feedback (forms, emails, calls), provided information (e.g., age, gender, purchasing history, and answers to a set of optional Quiz questions) is used to “fit” the Data Subject into a group of Data Subjects with common interests or needs, so relevant information (that may include marketing material), as well as other communications, may be tailored towards those with similar interests. This is a form of “profiling,” yet one that helps the Data Subject through focused support from Vitaliv’s side (Legitimate Interest);

  • Vitaliv also resorts to public telephone databases to check the number that the Data Subject has freely submitted. This aims at both preventing reaching out to “the wrong person” as well as validating the information that is vital under a commercial relationship (Legitimate Interest);

  • Where new Personal Data is created out of Vitaliv’s Processing activities, plus the mandatory recording and documenting of Vitaliv’s own data protection practices and other interactions with the Data Subject (Legal Requirement).

Third-Party Sources.

Vitaliv does not seek Personal Data from third parties (e.g., data brokers), nor does it actively search online or otherwise for any publicly available Personal Data (except to verify the data that the Data Subjects themselves have provided).

All Personal Data that is Processed by Vitaliv has originated from the Data Subjects themselves, while subject to notices and consents, or obtained in the ordinary course of its Service activities.

In the eventuality that Vitaliv comes into contact with Personal Data via a 3rd party source, which is deemed “relevant” under the scope and purpose of rendered and agreed on services with a given Data Subject, Vitaliv will abide by the GDPR Article 14, meaning immediately informing the Data Subject about what Personal Data has been gathered from which “source” and the inherent purpose; in case the Data Subject does not consent to it or provide any feedback within one month, such Personal Data will be erased from all of Vitaliv’s repositories.

Cookies.

When a Data Subject visits Vitaliv’s websites, session cookie files are either placed on his/ her browser device, or the website reads such already existing files.

Vitaliv exclusively uses those cookies that record information about the “IT architecture and Landscape” of the device being used by the visitor (e.g., browser; browsing preferences; other…); however, without identifying that visitor personally (as a Data Subject).

Except for IP addresses, this information is never combined with the data about “Prospect Customers,” thus not leading to the identification and habits “profiling” of any specific Data Subject. As previously mentioned and with regards to “Customers,” this Data will support Customer care and Customer-focused support services.

IP addresses are exclusively cross-referenced with other data for safekeeping the company from fraud attempts plus with regards to “Customers” documenting operations by (1) verifying the identity of a person signing in and (2) making records of your consent and other legally binding actions (Legitimate Interest).

The IP address is also used (while segregated) for web analytics (via Google Analytics).

For detailed information about cookies in use and similar employed technologies, please refer to the Cookies Policy.

Telephone Calls.

Vitaliv may reach out to “Prospect Customers” via its call centers under a “cold calling” perspective, however abiding by the GDPR Article 14 ruling, and that means not acting as a “cold calling standard” in the sense that the Data Subject is presented with a Sales/ Marketing pitch, but rather (as the GDPR allows the Controller to gather Personal Data from a source other than the Data Subject) conveying the “scope” and “purpose” of Vitaliv’s activity and inquiring about the potential interest from the Data Subject's side. If the answer is “NO” (as ruled under the GDPR), all Personal Data is erased and the contact “blacklisted” (so it won’t be contacted again); if the Data Subject, on the other hand, demonstrates wanting to know more, then Vitaliv will present its Services Portfolio.

Vitaliv may reach out to “Customers” via a phone call aimed at conveying/ selling new Products or Services that is part of the Service Terms, hence under Data Subjects’ Consent.

On a “lighter” note, a phone call may be issued towards “Prospect Customers” or “Customers” to: (1) gather additional information about those Data Subjects that is relevant to the Service or (2) confirm an order posted by the Data Subject over Vitaliv’s website.

During such calls, the Data Subjects may be informed that the call is being recorded and requested to orally confirm their agreement with the “order terms” or any agreement set forth over that call.

IV. What data do we process?

Personal Data.

Vitaliv processes the following types of personal data:

  • Identification Data: First and last name, email address, physical address (Consent);

  • Account Verification data: While having become a “Customer,” the Data Subject may choose to sign up on Vitaliv’s website, in such case, the login (username and password) is stored/ processed by Vitaliv as well as session information which includes the IP address (Legitimate Interest);

  • Purchasing history: it is of vital importance for the company to operate that “Customer” orders are registered while complemented by information such as name, address, relevant dates, products ordered, and payment details (Legitimate Interest);

  • Product search information: as the Data Subject navigates through Vitaliv’s website, a log is produced about visited pages and time spent on each page. When that information is cross-referenced with other Personal Data that the Data Subject has provided via online forms or any other “channel” (e.g., weight; height; gender; bodily conditions/ habits; other…), Vitaliv may profile that Data Subject’s interest points and focus relevant product/ service feedback information towards him/ her. (When becoming a “Customer,” the Data Subject Consents to this Processing activity. However, this is “Profiling,” and although it represents an added value towards the Data Subject, nevertheless he/ she may opt out from having it done);

  • Information about a group of recipients of marketing communications, based on their purchasing history and product search information. This information will only be sent with the purview of sending you newsletters and other direct marketing communications tailored to your interest in our products. (When becoming a “Customer,” the Data Subject Consents to this Processing activity; again, this is “Profiling,” and although it represents an added value towards the Data Subject, he/ she may opt out from having it done);

  • Legally necessary information: Vitaliv also collects data which is necessary to conclude a lawful contract of sale as per the Data Subject’s local jurisdictions requirements;

  • Consent and other administrative records, together with the date and time means of consent, IP address and any related information (e.g., the subject matter of the consent);

  • Communications addressed to Vitaliv and from Vitaliv;

  • Any other information voluntarily transmitted to Vitaliv by documented conscious affirmative action.

Sensitive personal data.

Vitaliv does not seek to collect or otherwise Process Sensitive Personal Data as set out in the GDPR Article 9. That means that Vitaliv does not specifically Process Data pertaining to health status in general or physical and mental health conditions that may afflict those Data Subject about whom it Processes Personal Data.

Nevertheless, Vitaliv is fully aware and wishes to make it crystal clear that some of the Personal Data identifiers gathered and Processed under its Services (e.g. weight; age; gender; sleeping problems; other…) may lead any 3rd party that potentially could have access to those to infer upon potential health status or medical conditions that may affect those Data Subjects who bear them; hence when providing your Consent to the Processing of your Personal Data, you are also aware of this risk (although minimum).

Vitaliv exclusively Processes such Personal Data in order to provide its “Prospect Customers” and “Customers” with assertive support towards finding a product (that is legally certified as a food supplement in accordance with the EU Directive 2002/46/ EC) which may prove to be beneficial for the Data Subject.

Further note (as a disclaimer) that Vitaliv products, although may be beneficial to human health, do not fall into the category of “medicinal products” within the meaning of Council Directives 65/65/EC and 92/73/EC while instead fitting the definition of “food supplements” as set out in Article 2 (a) of the Directive 2002/46/EC.

Financial Information.

Financial information may also configure Sensitive Personal Data (depending in concrete on which data). To mitigate in advance the inherent risk towards the Data Subject, Vitaliv does not collect nor process Personal Data such as payment cards or bank accounts, resorting instead to the services of third-party providers, such as acquirers and payment services, that effectuate your payments.

Social Logins.

If you choose to register or log in to our services using a social media account, we may have access to certain information about you. Our Website offers you the ability to register and login using your third-party social media account details (like your Facebook or Twitter logins). Where you choose to do this, we will receive certain profile information about you from your social media provider. The profile information we receive may vary depending on the social media provider concerned, but will often include your name, email address, friends list, profile picture as well as other information you choose to make public on such social media platform. We will use the information we receive only for the purposes that are described in this privacy notice or that are otherwise made clear to you on the relevant Website. Please note that we do not control, and are not responsible for, other uses of your personal information by your third-party social media provider. We recommend that you review their privacy notice to understand how they collect, use and share your personal information, and how you can set your privacy preferences on their sites and apps.

V. For what purposes do we process your data?

General purposes.

The purposes for which Vitaliv may process Personal Data include:

  • Effectuating sales of the product that has been ordered by the Data Subject or towards which the Data Subject has actively expressed his/ her interest in by placing his/ her information with Vitaliv (Consent);

  • Marketing communications: sending weekly newsletters to “Prospect Customers” and “Customers” about Vitaliv products and services, which both may be interested in, via email, text messages, social media, or regular post, subject to ensuring that such communications are provided towards Data Subjects in compliance with applicable law. The Data Subject may opt-out from this service at any time (Legitimate Interest);

  • Surveys: from time to time, Vitaliv may request Data Subjects to answer a few questions which can make its products more relevant, affordable, and beneficial for those Data Subjects. The Data Subject may opt-out from this service at any time (Consent);

  • Legal compliance: compliance with Vitaliv legal and regulatory obligations under applicable law and contracts;

  • Improving Vitaliv websites and services: though it is unlikely, Vitaliv may need to request of the Data Subject for direct feedback that will contribute to having Vitaliv fixing an existing issue and/ or improving its websites performance and inherent services; such as our Client Relationship Management software; as well as to operate IT security and conduct IT security audit (Legitimate Interest);

  • Other legitimate interests such as the proper and efficient operation of Vitaliv business, detecting, and protecting against, breaches of its policies, contracts, and applicable laws; or establishing, exercising or defending its legal rights.

No Automated Decision Making.

Although there is Automated Processing, namely with regards to "Profiling" activities via Vitaliv internal algorithms, there is no Automated Decision Making in place over Vitaliv platforms/ Services.

Quiz Questions.

As stated above, Vitaliv does not process Personal Data that concerns human health, yet, based on the Data Subject's feedback, it helps him/ her with finding a product (among those merchandised by Vitaliv) that may prove to be relevant towards the Data Subject as a Food Supplement.

Such activity comprises activities such as sending a tailored newsletter towards the Data Subject according to his/ her interest in Vitaliv products. As a tool that enables such focused personalized assistance, Vitaliv may resort to the Quiz feedback, which may include questions about the Data Subject’s bodily conditions and habits, e.g.: “Do you sleep well each night?”.

The Principle of Data Minimization.

Vitaliv takes every reasonable step to ensure that Personal Data under its Processing activities is absolutely limited to the amount and type that is necessary to deliver Service towards our "Customers" as it has been agreed by them, not maintained over redundant repositories nor for any longer than required under the scope of agreed services.

VI. What legal basis do we employ to process your data?

In processing your Personal Data in connection with the purposes set out in this Privacy Policy, Vitaliv may rely on one or more of the following legal bases, depending on the specific context:

(1) The processing is necessary in connection with an existing contract of sale of Vitaliv products and/or Services that the Data Subject has entered into with Vitaliv; or to take necessary steps at the request of the Data Subject prior to entering into such a contract (e.g., when the Data Subject has provided Vitaliv with his/her data on the Vitaliv website request form so it can contact the Data Subject by phone or e-mail to conclude the sale).

(2) Vitaliv has obtained the Data Subject's prior consent to the processing. Vitaliv seeks the Data Subject's consent for, among other topics, sending newsletters and other direct marketing messages to “Prospect Customers”.

Please, note that whenever a Data Subject provides Vitaliv his/her consent towards the Processing activities at hand, he/she is entitled by law and may at any point in time withdraw such consent free of charge.

There are however circumstances where Vitaliv may refuse to comply with such a request, namely where Contractual obligations have not been met by the Data Subject and withdrawing Consent implies the inability for Vitaliv to have documented proof of such status.

In some other cases/ circumstances, withdrawing Consent may imply that Vitaliv is no longer capable of delivering the agreed Services, in which case the Data Subject shall be informed in detail and asked to confirm his/her decision.

Where the Data Subject does so wish, yet is not able to find a direct way to withdraw his/her Consent towards Vitaliv; he/she may via the website or through the newsletter e-mails submit such withdrawal request to privacy@vitaliv.us

(3) Under some circumstances, Vitaliv has a legitimate interest in carrying out the processing of Personal Data. This may be the ground where: (i) providing or improving its services, such as developing the CRM software; (ii) fulfilling regulatory and compliance obligations; (iii) contacting the Data Subject, always in compliance with applicable law; (iv) detecting, and protecting against, breaches of its policies, contracts, and applicable legislation; (v) establishing, exercising or defending its legal rights; or (vi) where the Data Subject has previously freely submitted his/ her Personal Data towards Vitaliv. Vitaliv acts in plain conscience that it may only rely on such Legal Basis for Processing Personal Data where and to the extent that such Legitimate Interest is not overridden by the fundamental rights and freedoms of those Data Subjects to whom the Personal Data pertains.

(4) The processing is necessary for compliance with a legal obligation. This is the case where (as an example) Vitaliv needs to process payroll or tax data pertaining to its staff. Likewise, and as another example concerning both “Prospect Customers” and “Customers,” where Vitaliv is required by law to produce towards a law-enforcement agency any of the Personal Data in its possession.

VII. What third parties can receive my data?

Third-Party Recipients.

As with the overwhelming majority of organizations in our days, the Services delivered by Vitaliv comprise some components that are executed by some partners, which in some cases imply the access and processing of Personal Data.

Vitaliv may, therefore, share some Personal Data with such other companies that act as Processors or Controllers in complement towards Vitaliv direct service components.

Legal Obligations

We may disclose your information where we are legally required to do so in order to comply with applicable law, governmental requests, a judicial proceeding, court order, or legal processes, such as in response to a court order or a subpoena (including in response to public authorities to meet national security or law enforcement requirements). We may disclose your information where we believe it is necessary to investigate, prevent, or take action regarding potential violations of our policies, suspected fraud, situations involving potential threats to the safety of any person and illegal activities, or as evidence in litigation in which we are involved.

Data processing agreements.

Where a third party (Processor or Controller) is engaged by Vitaliv, those companies shall be subject to binding contractual obligations as prescribed under Art. 28 GDPR, via a Data Processing Agreement.

Among others, the Processor/ Controller will have to/ commit to (i) process Personal Data provided by Vitaliv exclusively as per provided documented instructions; and (ii) implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks pertinent to such processing.

Vitaliv has in place a schedule of regular audits towards those Processors, hence monitoring (up to its capability) the adherence of its partners towards these and other obligations pertaining to Personal Data Protection assurance and GDPR Compliance.

Google Analytics.

Our websites use Google Analytics, a web analytics service provided by Google, Inc., USA. Google Analytics employs cookies which are used to generate information about your use of our websites (including your IP address). This information is then transmitted to and stored by Google on servers in the United States. Google will use this information for the purpose of evaluating your use of our websites, compiling reports on website activity and providing other services relating to website activity and Internet usage. Google will not associate your IP address with any other data held by Google. For more information about Google’s privacy policies, please visit http://www.google.com/analytics/.

Most web browsers and some mobile operating systems and mobile applications include a Do-Not-Track (“DNT”) feature or setting you can activate to signal your privacy preference not to have data about your online browsing activities monitored and collected. At this stage, no uniform technology standard for recognizing and implementing DNT signals has been finalized. As such, we do not currently respond to DNT browser signals or any other mechanism that automatically communicates your choice not to be tracked online. If a standard for online tracking is adopted that we must follow in the future, we will inform you about that practice in a revised version of this privacy notice.

Other Global OSPs and Software Providers.

We utilize a range of globally recognized online services, including SaaS and cloud solutions, which may process your data in some form, such as Dropbox, Amazon, Google Suite, Microsoft Office, and others. Most such providers have their storage and processing facilities in Europe so that your data do not leave the EU. Where they do not have such facilities or let data leave the EU, they are under obligation to comply with the GDPR. Information about compliance with applicable data protection laws can be found on the websites of the OSPs and software providers.

VIII. Direct marketing

Direct marketing is a Service that Vitaliv renders to the Data Subjects about whom it Processes Personal Data and one of added value in the sense that it allows “Prospect Customers” and Customers to become aware of Vitaliv’s portfolio items that may represent effective leverage towards them.

Notwithstanding that fact, Vitaliv’s Direct Marketing approach depends upon the established relationship with the Data Subject:

  • If an active “Customer” (someone who has bought our Products/ Services), he/ she will be receiving weekly newsletters and other marketing communications unless he/ she opts out.

  • If a “Prospect Customer”, in the sense of a Data Subject who has already freely submitted his/ her Personal Data towards Vitaliv (hence demonstrating an interest in our Portfolio), yet has not yet purchased anything from Vitaliv, the company considers having Legitimate Interest to submit Direct Marketing communications in order to further enlighten such prospect.

  • If a “Prospect Customer” that has not yet interacted with Vitaliv, Direct Marketing will not be submitted without Data Subject's Consent.

Vitaliv attempts to minimize the chance of its messages constituting “spam” (meaning uninteresting information under the perspective of the Data Subject), hence tailoring them as much as possible towards the interest points of each Data Subject. For this purpose, Vitaliv collects from the Data Subjects some specific data (e.g. age; gender; Quiz answers) as well as purchasing history. This is “profiling” in the sense that an assessment is done to ensure the Data Subject does not get irrelevant Marketing information, hence in the interest of the Data Subject him/ herself. However, if the Data Subject does not wish the newsletters to be tailored, they can convey that request by e-mail to privacy@vitaliv.us

Whether a “Prospect Customer” or “Customer”, the Data Subject may simply choose to opt-out from the newsletters service altogether and stop receiving them, by submitting such request via the e-mail privacy@vitaliv.us

IX. Retention periods

General Retention Criteria.

Vitaliv will maintain Personal Data pertaining to its “Prospect Customers” and “Customers” for the duration of the Services, where warranty applies or contractual terms need to be observed, under Legitimate Interest if undergoing a dispute on a court of Law with the Data Subject or where Legal requirements apply (e.g. invoices must be maintained by Law for 7 years after document date).

In specifics:

Customer Data. Vitaliv may retain Personal Data of Customers for the longest of the following terms: (i) three years in order to be able to respond to any questions or complaints which may be addressed to Vitaliv; (ii) for the term necessary to comply with all applicable laws; and (iii) for the duration of any period necessary to establish, exercise or defend any legal rights.

X. Rights of Data Subjects

Under applicable Personal Data Protection Legislation, the Data Subject has the following set of established rights:

[HIPAA] The right to receive a notice of privacy practices. Please refer to this Privacy Policy plus the information provided to you upon requesting your consent to become a study participant.

[GDPR] Right of access. The right to obtain from the Controller confirmation as to whether their personal data is being processed, and, if so, to access such personal data as well as related information. Vitaliv will share the Personal Data over a secure channel, and that (depending on the type of Data as well as volume) may imply the need to convey a “password” via an alternative communication channel to the Data Subject to ensure authorized secure access. Participants may exercise this right by reviewing information on the Vitaliv website user account area or by submitting a request as defined further ahead in this document, which is the application process for those Data Subjects who are not Vitaliv Participants.

[CCPA] Right to know and access your personal information – similar to the Right of Access under the GDPR, California residents have the right to:

• Know the categories of personal information we collect and the categories of sources from which we got the information.

• Know the business or commercial purposes for which we collect and share personal information.

• Know the categories of third parties and other entities with whom we share personal information, and

• Access the specific pieces of personal information we have collected about you.

[HIPAA] The right to access and request a copy of medical records. Vitaliv does not maintain medical records about its customers; however, it maintains Personal Health Information in the sense of biometrics that can be cross-referenced to assess potential conditions, so the Data Subjects may exercise this Right under such context. Please refer to the Right of Access under the GDPR.

[GDPR] Right to rectification. The right to obtain the rectification of inaccurate Personal Data pertaining to that Data Subject. Participants may directly amend existing information on the Vitaliv website user account area or submit a request as defined further ahead in this document, which is the application process for those Data Subjects who are not Vitaliv Participants.

[HIPAA] The right to request an amendment to medical records. Although Vitaliv does not maintain medical records about its customers, some information may contain Personal Health Information, hence the exercise of this Right under HIPAA applies to those cases. Please refer to the Right to Rectification (above) under the GDPR.

[GDPR] Right to erasure. The right to have Personal Data pertaining to them that is under Processing by Vitaliv erased and, therefore, Processing stopped, unless a legal duty or a legitimate ground to retain certain data prevents Vitaliv from observing such right, in which case the Data Subject shall be duly informed. This right may be exercised by submitting a request as defined in the procedure stated below in this section.

[CCPA] Right to deletion – again, in a similar manner to what the GDPR rules, natural persons who reside in the state of California may, in some circumstances, ask us to delete their personal data/ information.

We may refuse the exercise of such right if it would prevent us from exercising legal defense, if a legal obligation prevents us from doing so, or if doing so would risk our not being able to fulfill any open contractual obligations.

[GDPR] The right to restrict processing. Under relevant conditions set out by the law, the right to request and have in place processing restrictions (in scope and purpose) towards Personal Data that pertains to them. When exercising this right, the Data Subject must be specific about which processing activities are being requested to be restricted and the Controller shall provide feedback to the Data Subject on either the completion of the request or any potential collateral impact that may derive from implementing the requested objection to Processing, asking for additional confirmation prior to implementing the request. This right may be exercised by submitting a request as defined in the procedure stated below in this section.

[GDPR] The right to object to processing. The right to object to processing activities that have been qualified under this Privacy Policy as occurring under the Legal Basis of Legitimate Interest on the part of Vitaliv. The exercise of this right may also occur where the Data Subject wishes to opt out from an existing Service (and not necessarily cancel the Service). When exercising this right, the Data Subject must be specific about which processing activities are being requested to stop and the Controller shall provide feedback to the Data Subject on either the completion of the request or any potential collateral impact that may derive from implementing the requested objection to Processing, asking for additional confirmation prior to implementing the request. This right may be exercised by submitting a request as defined in the procedure stated below in this section.

[CCPA] Right to opt out of sales – We do not sell your data.

[GDPR] Right to data portability. The right to receive the Personal Data pertaining to that Data Subject, in a structured, commonly used and machine-readable format as well as the right to transmit such Personal Data to another controller without hindrance. Vitaliv will share the Personal Data over a secure channel, and that (depending on the type of Data as well as volume) may imply the need to convey a “password” via an alternative communication channel to the Data Subject to ensure authorized secure access. Customers may directly amend existing information on Vitaliv’s website user account area or submit a request as defined further ahead in this document, which is the application process for those Data Subjects who are not Vitaliv Customers.

[GDPR] Right to be informed about a Personal Data Breach. The Data Subject has the right (and it is the Controller’s obligation by law to ensure it) to be informed of any unauthorized disclosure or potential disclosure of his/ her Personal Data to unauthorized 3rd parties within 72 hours of its occurrence.

[GDPR] Right to lodge a complaint with a supervisory authority. The right to lodge a complaint regarding Vitaliv’s Processing activities over his/ her Personal Data with any of the EU Member States’ data protection Supervisory Authorities. Vitaliv is, however, also available to provide any clarification to those Data Subjects who may feel that its Processing of the Personal Data that pertains to them has negatively impacted them or somehow breached their rights under GDPR and/ or the right to Privacy, having such Personal Data processed in a secure manner and Confidentiality assurance. The Data Subject may submit a complaint via the request process defined further ahead.

[CCPA] Right to be free from discrimination – You may exercise any of the above rights without fear of being discriminated against. We are, however, permitted to provide a different price or rate to you if the difference is directly related to the value provided to you by your data. For any of the above-mentioned CCPA related rights, you may designate an authorized agent to make a request on your behalf. In the request, you or your authorized agent must provide information sufficient for us to confirm the identity of an authorized agent. We are required to verify that your agent has been properly authorized to request information on your behalf, and this may add time to fulfilling your request.

Any Data Subject may exercise his/ her rights under GDPR by reaching out to Vitaliv’s DPO through the e-mail address dpo@Vitaliv.com or, while logged in to the platform, via the “Exercise of Rights” form.

If you have any questions or complaints, or wish to exercise your rights under GDPR, please make clear in your message:

• Purpose: Question; Complaint; Exercise of the Data Subject’s rights under GDPR

• What triggered your need to contact us?

• When did the root cause which triggered the need to contact us take place?

• If a Participant, a mobile phone number or alternative personal e-mail address so we may proceed with a two-factor authentication process.

Why the need to provide alternative personal contact?

Under applicable Personal Data Protection legislation only the Data Subject may exercise his/ her rights, hence organizations must ensure and document that the Data Subject or his/ her legal representatives are the ones interacting with the company while acting over his/ her Personal Data.

Submitting a Data Subject Request/ Complaint.

Under the scope of Personal Data Protection, the Data Subjects may address Vitaliv by e-mail at privacy@vitaliv.us

The exercise of Data Subjects’ rights, as with some other “interactions”, requires the univocal identification of the person submitting such request as being, in fact, the Data Subject to whom such Personal Data pertains, hence Vitaliv may have to set in place a process or mechanism that allows it to document having undergone such assertive identification.

XI. Miscellaneous

Links to 3rd Party Sites. Our Websites include links to other websites whose privacy practices may differ from those of Vitaliv. If you submit personal data to any of those sites, your information is governed by their privacy policies. We encourage you to carefully read the privacy policy of any website you visit.

XII. Glossary

“Agreed Services” or “Services” means those Services being rendered by the Controller to the Data Subject to which he/ she has agreed and/ or comprehending Processing legitimacy that derives from an existing and documented Legal Basis.

“Controller” means the “Party” which determines the “scope”, “purpose” and form of Personal Data Processing activities.

“Data Subject” means the identified or identifiable natural person to whom “Personal Data” relates. Both Parties understand that the “Data Subject” is the sole owner of “Personal Data” which pertains to him/ her.

“Data Subjects’ Rights” means the rights established towards the “Data Subjects” under “GDPR”.

“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to “Personal Data” Treatment and on the free movement of such data, while replacing the Directive 95/46/EC and having become enforceable on May 25th, 2018.

“IT Landscape” means the set of IT assets and services of and at the disposal of either the Data Subject, Vitaliv or its Partners that enables their Personal Data Processing to occur, meaning the communications infrastructure (LAN, WAN, Wi-Fi networks), Data Center and technical rooms, Cloud-based services, workstations, software systems and tools, mobile devices in use, peripheral IT devices, Firewalls and web-based resources.

“Legal Basis” means the listed lawful grounds that a Controller has to undertake Personal Data Processing activities under “GDPR”, namely (but not limited to) having documented: the Data Subject’s Explicit Consent towards those Personal Data Processing activities; the Controller’s Legitimate Interest in proceeding with those activities; accessory legal obligations that the Controller must observe and which entitle it to proceed with such activities within the limits of GDPR ruling and inherent obligations.

“Partner” means any 3rd party entity towards which the Controller may resort in order to ensure Personal Data Processing activities under an established Legal Basis (as defined under the “GDPR”) and within the scope of agreed Services with the Data Subject.

“Personal Data” means any data which by itself or when cross-referenced with other data enables one to univocally identify a specific natural person, the “Data Subject”. It bears the same meaning as Personal Information; Personal Individual Information or Personal Health Information (in the case of health-related information about a Data Subject).

“Personal Data Processing” means any operation or set of operations which is performed upon “Personal Data”, whether by automated means, such as: collection/ retrieval; accessing (consultation, use); processing (organization, structuring, adaptation or alteration); storage (recording, erasure or destruction); sharing (disclosure by transmission, dissemination or otherwise making available, publishing).

“Personal Data Breach” means any “event” or “incident” (as per ITIL definition) which enables the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to “Personal Data”.

“Processor” means the entity which proceeds with authorized Personal Data Processing activities on behalf of the “Controller”.