Privacy Notice

August 2023

1 GENERAL

1.1 Sundog Ventures OÜ (“Service Provider” or “we”) provides access to the website www.scrubin.io(«Website») and the services offered on the Website («Services»). The Website is an information society service («Platform») that connects companies and personnel companies («Provider») operating in the healthcare field with independent individuals («User») operating in the healthcare field and allows Users to explore job offers from Providers («Job Offers»). Your privacy as a User and the privacy of representatives and/or employees («Representative») of Providers are important to us. Therefore, we respect your right to privacy

and the protection of personal data.

1.2 This privacy notice («Notice») provides an overview of how we process, including collect, use, retain, and transmit your personal data when you: (i) visit our Website; (ii) as a User, wish to start using or use the Platform, including creating or managing a user account; (iii) as a Representative, wish to start using or use the Platform, including creating or managing a user account; (iv) contact us by phone or email, social media channels, or other means; (v) perform

other actions that result in the acquisition and processing of your personal data.

1.3 We process your personal data as described in this Notice and in accordance with applicable laws, including the General Data Protection Regulation (2016/679) («GDPR») of the European Union and other data protection laws.

1.4 If you disclose any third party’s personal data to us (e.g., data of your employee, board

member, colleague), you must present this Notice to these individuals.

2 DATA CONTROLLER

2.1 Regarding the processing of personal data described in this Notice, the data controller of your personal data, who defines the purposes and means of processing your personal data, is Sundog Ventures OÜ, registration code 16261429, address Tatari tn 64, Tallinn 10134, Estonia.

2.2 If you have any questions about the processing of your personal data, please contact us via email at info@vahetused.ee.

3 CATEGORIES AND SOURCES OF PERSONAL DATA

3.1 Personal data is any information that enables us to directly or indirectly identify you as an

individual. We may process, including collect, use, retain, and transmit the following categories of personal data:

3.1.1 If a User wishes to start using or uses the Platform, we may process the following personal data: first name, last name, phone number, email address, date of birth, personal identification code, healthcare professional code (if applicable), gender, profession, specialization, employment status, Job Offer data, User feedback; if the User represents a legal entity, the legal entity’s data (including name, registration code) («User Basic Data»).

3.1.2 If a Representative wishes to start using or uses the Platform, we may process the following personal data: first name, last name, email address, data of the legal entity they represent (including name, registration code), job title («Representative Basic Data»).

3.1.3 If you contact us, we may process the following personal data: User Basic Data, Representative Basic Data, message date and time, message content («Communication Data»).

3.1.4 When you visit the Website, including the Platform, our servers may automatically record data submitted by your web browser or device, including data about the device that may contain your personal data: device IP address, log file with the time and date of website visit, browser type and version, selected time zone, device operating system, URL from which you navigated to the Website, your Website navigation, device type, operating system, device unique identifiers, device settings, and geographical location data. The data we collect may depend on your device and its software settings («Technical Data»).

3.1.5 We use cookies on the Website to optimize the Website and its features. Cookies may collect your personal data. For more information, see the Cookie Notice.

3.2 We may collect your personal data: (i) directly from you, e.g., when you visit the Website, including the Platform, create a user account, use the Services, or contact us; (ii) from the legal

entity you represent; (iii) from third parties or databases (e.g., healthcare professionals register).

3.3 If you do not provide us with the required personal data, we will not be able to provide you with the Services, including the Platform, contact you, or fulfil other purposes set out in section 4.1 of this Notice.

4 PURPOSES AND LEGAL BASIS OF PERSONAL DATA PROCESSING

4.1 We process your personal data lawfully, fairly, and transparently, including only when we have a legal basis for doing so. The legal basis for processing personal data depends on the purpose of the processing. We may process specific categories of your data for the following purposes and legal bases:

a) Purpose of processing: Taking measures prior to entering into a a contract (including terms of service or terms and conditions), including holding pre-contractual negotiations and concluding, managing and executing the contract, including creating and managing an account, using the Platform, providing user support, following the execution of the contract.

Legal basis of processing:

If the User is a natural person or a sole proprietor: fulfilling the contract or taking measures prior to entering into the contract.

If the User represents a legal entity: our legitimate interest in fulfilling the contract concluded between us and the legal entity you represent or in taking measures prior to entering into such a contract.

If we process the Representative’s personal data: our legitimate interest to fulfill the contract concluded between us and the legal entity you represent or to take steps prior to entering into a contract

Categories of personal data: User Basic Data, Communication Data, Technical Data; Representative Basic data, Contact data, Technical data

b) Purpose of processing: Receiving and responding to inquiries and feedback via the Website, email or other means of communication

Legal basis of processing: Our legitimate interest in ensuring communication with (potential) Users and/or with providers, business partners and other persons

Categories of personal data: Communication Data

c) Purpose of processing: Providing news or general information about the Services

Legal basis of processing: Our legitimate interest keeping Users and Providers informed with Service-related information, incl with updates or offers

Categories of personal data: User Basic Data, Representative Basic Data, Contact Data

d) Purpose of processing: Making available the main functions of the website, including the Platform, and managing, improving, customizing and developing it

Legal basis of processing: Our legitimate interest in providing access to the Website and analyzing Website usage patterns in order to improve the Website and improve the user experience

Categories of personal data: All data categories as appropriate

e) Purpose of processing: Diagnosing and troubleshooting website issues

Legal basis of processing: Our legitimate interest in ensuring access to the Website, protecting personal data and preventing malicious and/or illegal actions

Categories of personal data: All data categories as appropriate

f) Purpose of processing: Fulfilling legal or regulatory obligations or responding to requests

Legal basis of processing: Fulfilling our legal obligations

Categories of personal data: All data categories as appropriate

g) Purpose of processing: Backing up data, including personal data and materials, in our backup systems

Legal basis of processing: Our legitimate interest in ensuring the continuity and security of data processing processes

Categories of personal data: All data categories as appropriate

h) Purpose of processing: Enforcement and protection of rights, including preparation, submission or defense of legal claims in court proceedings or out-of-court proceedings

Legal basis of processing: Meie õigustatud huvi meie õiguste jõustamiseks ja kaitsmiseks

Categories of personal data: All data categories as appropriate

4.3 In exceptional cases, we may process your personal data based on your consent, primarily when refusing or withdrawing consent does not have negative consequences for you. When seeking your consent, we will inform you about the purposes of processing and the personal data processed.

4.4 We may process your personal data for other purposes not listed above only if we inform you in advance about new or additional processing purposes and provide you with additional relevant information.

RECIPIENTS AND TRANSFER OF PERSONAL DATA

5.1 We may transfer your personal data to the following categories of recipients:

5.1.1 Public authorities and law enforcement agencies, to fulfil legal obligations, court orders, or prevent and detect illegal activities;

5.1.2 Service providers, contractors, partners, third parties, such as those providing us with IT services, data analysis services, customer support services, payment services, or marketing services;

5.1.3 Professional advisors, such as auditors and legal advisors, to ensure our lawful business operations and exercise or defend our rights;

5.1.4 Affiliates, such as our subsidiaries, to share administrative infrastructure;

5.1.5 Successors and/or potential company acquirers, as necessary for the transfer, merger, or acquisition of our business entity.

5.2 We have entered into data processing agreements with all recipients who process personal data on our behalf as processors, ensuring that they process personal data in accordance with the requirements of data protection laws.

5.3 Some of the recipients, including authorized processors, involved in our data processing may be located outside the European Economic Area, and therefore, in disclosing your personal data to them, we may transfer your personal data outside of that territory. In such cases, we ensure the application of adequate protection measures for the protection of your personal data (such as the Standard Contractual Clauses adopted by the European Commission or an adequacy decision). You have the right to receive additional information about the protective measures taken by contacting us using the contact details provided in section 2 of this Notice.

RETENTION OF PERSONAL DATA

6.1 We retain your personal data only as long as necessary for the purposes of processing unless otherwise specified in applicable laws or as follows:

6.1.1 User Basic Data, Representative Basic Data, and Communication Data are retained for up to 3.5 years after the termination of the contract, such as account closure;

6.1.2 User Basic Data and Representative Basic Data related to financial transactions

are retained for 7 years from the beginning of the financial year following the year of data collection;

6.1.3 Technical Data is retained for 30 days from the date of data collection.

6.2 After the end of the retention period for personal data or if we no longer need the relevant personal data for the purposes of the processing, we will erase or anonymize the personal data within a reasonable time following the achievement of the purpose, except where longer retention of personal data is required to fulfill legal obligations or requirements or to resolve legal disputes.

6.3 At the end of the retention period for personal data or when the legal basis for processing personal data related to the purpose has ceased, we may retain materials containing your personal data in backup systems. Backed-up materials are removed from use and deleted at the end of the backup cycle.

DATA SUBJECT RIGHTS

7.1 You have the right to contact us at the email address info@vahetused.ee to exercise the following rights concerning our processing of your personal data:

7.1.1 The right to access personal data, including obtaining copies of them and information about the processing of your personal data;

7.1.2 The right to rectify personal data if we have incorrect data about you;

7.1.3 The right to erase personal data, e.g., if they are no longer needed for the purpose for which we collected them, you withdraw consent for processing, and we have no other legal basis for processing personal data, or personal data have been processed unlawfully;

7.1.4 The right to request the restriction of processing personal data, e.g., if you contest the accuracy of personal data, processing is unlawful, or you need personal data for the preparation, submission, or defense of legal claims;

7.1.5 The right to personal data portability to you or another controller if technically feasible, e.g., when the legal basis for processing is your consent;

7.1.6 The right to object, e.g., when such processing is based on our legitimate interest or marketing purposes;

7.1.7 The right to withdraw consent at any time. The withdrawal of consent does not affect the lawfulness of processing personal data before consent was withdrawn;

7.1.8 The right to lodge a complaint with a supervisory authority, e.g., the Data Protection Inspectorate (www.aki.ee, info@aki.ee).

LINKS TO THIRD-PARTY WEBSITES

8.1 Our Website may contain links to websites that we do not manage. Therefore, this Notice does not apply to data processing performed by such third parties. Please note that we do not have control over the content and actions of these websites and do not assume responsibility for the principles or personal data processed through these websites or services. For more information on how third parties process your personal data, refer to the respective privacy notices of the visited websites.

CHANGES TO THE NOTICE

9.1 We may modify or supplement the Notice from time to time to accurately reflect the processing of your personal data. In such cases, the latest version of the Notice will be published on this website.