1. Introduction

Ameya Research Corp. (“AMEYA,” “we,” “us,” or “our”) respects the privacy of the users of our mobile applications, websites, and services (“you” or “your”). This Privacy Policy describes what information we collect, how we collect it, how we use it, with whom we may share it, how long we keep it, how you can have it deleted, and what choices you have regarding our collection, use, and sharing of your information.

This Privacy Policy applies to information collected through the AMEYA mobile application, the AMEYA website at www.ameyahealth.com, and any related services we provide (collectively, the “Services”). It applies in conjunction with our Terms of Use. By accessing or using our Services, you acknowledge that you have read and understood this Privacy Policy and accept and agree to be bound by it.

AMEYA will not collect, use, or disclose Personal Information or health information except in accordance with applicable law, including the Alberta Health Information Act, the Alberta Freedom of Information and Protection of Privacy Act, the federal Personal Information Protection and Electronic Documents Act (PIPEDA), and, where applicable to United States users, the Health Insurance Portability and Accountability Act (HIPAA) and its implementing regulations.

2. Definitions

AMEYA, us, our

Ameya Research Corp. and its affiliates, and their respective directors, officers, employees, agents, contractors, successors, permitted assigns, and permitted sublicensees.

Personal Information

Information about an identifiable individual that you provide when creating an account or using the Services, which may include your name, username, password, email address, phone number, mailing address, date of birth, demographic information, and your internet protocol (IP) address.

Health Information

Information about your physical or mental health, health services you have received or may receive, medications, symptoms, vital signs, clinical assessments, survey responses, exercise and activity data, nutrition data, and other information you record in or that is generated through the Services. Health Information includes “health information” as defined in the Alberta Health Information Act and “protected health information” (PHI) as defined under HIPAA where applicable.

Collected Information

Personal Information and Health Information collectively, together with any technical and usage information described in Section 3.

3. Information We Collect

3.1 Information You Provide

We collect information you provide directly when you register for an account, complete forms or surveys within the Services, communicate with us, or otherwise interact with the Services. This may include:

• Account information (name, email address, password, phone number)
• Profile information (date of birth, demographic details)
• Health information you enter into the Services (symptoms, vitals, survey responses, exercise activity, nutrition, mood, sleep, and similar)
• Information you provide through clinical assessments, questionnaires, or research instruments
• Communications you send to us (support requests, feedback)

3.2 Information Collected Automatically

When you use the Services, we automatically collect certain technical information necessary to deliver, secure, and improve the Services:

• Device information (device type, operating system, app version)
• Log information (IP address, access times, features used)
• Crash and error information necessary to diagnose technical issues

The AMEYA website (www.ameyahealth.com) uses only essential cookies required for the site to function. We do not use analytics, advertising, or marketing cookies on the website.

3.3 Information from Healthcare and Research Partners

Where you participate in a program offered through a healthcare provider, health authority, or research study, we may receive information about you from that partner with your authorization or under an applicable research ethics approval, information-sharing agreement, or information-management agreement.

4. How We Use Your Information

We use Collected Information to:

• Provide, operate, and maintain the Services and your account
• Deliver clinical programs, assessments, content, and personalized recommendations within the Services
• Communicate with you about the Services, including service updates, security notices, and support responses
• Improve, debug, and secure the Services
• Conduct research, evaluation, and quality improvement, where authorized by applicable law and, where required, by a research ethics board
• Comply with legal, regulatory, and clinical recordkeeping obligations
• Establish, exercise, or defend legal claims

We do not sell your Personal Information or Health Information. We do not use your Personal Information or Health Information for advertising or marketing to third parties.

5. How We Share Your Information

We share Collected Information only as described below:

5.1 With Your Healthcare Providers and Care Team

Where you are enrolled in a program through a healthcare provider, health authority, or clinical research study, we share information with that provider, authority, or research team to support your care or participation, in accordance with the consent, authorization, or data-sharing agreement governing the program.

5.2 With Service Providers

We share information with service providers that process data on our behalf and only under contractual obligations that require them to protect your information and to use it solely for the purposes we specify. Our current service providers include:

• Amazon Web Services, Inc. (AWS): hosting, authentication (Amazon Cognito), database (Amazon RDS), file storage (Amazon S3), and content delivery (Amazon CloudFront). AWS infrastructure for AMEYA is located in the AWS Canada (Central) region.

We may engage additional service providers in the future (for example, to support AI-assisted features, video delivery, transactional email, or push notifications). When we do, we will update this Privacy Policy and, where required, obtain your consent.

5.3 For Legal and Safety Reasons

We may disclose information when required to do so by law, including by subpoena, warrant, or court order, or for the purpose of a court proceeding or a proceeding before a quasi-judicial body to which AMEYA is a party. We may also disclose information where necessary to protect the rights, safety, or property of AMEYA, our users, or others.

5.4 In a Business Transaction

If AMEYA is involved in a merger, acquisition, financing, or sale of assets, your information may be transferred as part of that transaction. We will provide notice of any such transfer and any change in applicable privacy practices.

6. Where Your Data Is Stored

Personal Information and Health Information collected through the Services is stored and processed on AWS infrastructure located in Canada (AWS ca-central-1 region). We do not currently transfer your Personal Information or Health Information outside Canada in the ordinary course of providing the Services. If this changes, we will update this Privacy Policy and, where required by law, obtain your consent.

7. Data Retention and Deletion

7.1 Retention Period

We retain your Personal Information and Health Information only for as long as necessary to fulfill the purposes described in this Privacy Policy, to provide the Services to you, and to comply with our legal, regulatory, and clinical recordkeeping obligations. Specifically:

• Active accounts: We retain your Personal Information for as long as your account is active.
• Inactive accounts: If your account becomes inactive (no login for 24 consecutive months), we will notify you and, unless you reactivate the account, we will delete or anonymize your Personal Information within 90 days, subject to the retention obligations below.
• Health Information: Where AMEYA holds Health Information as a custodian or affiliate of a custodian under the Alberta Health Information Act, or as a business associate under HIPAA, we retain that Health Information for the minimum period required by applicable health information legislation and the records retention requirements of the relevant healthcare provider or health authority (typically 10 years from the date of last service, or 10 years past the age of majority for minors, whichever is longer).
• Research data: Where your information has been collected as part of a research ethics board (REB)-approved research study, retention is governed by the approved research protocol and applicable research ethics requirements.
• Backups and logs: Residual copies in encrypted backups are purged on our standard backup rotation cycle (maximum 90 days after deletion from production systems).
• Legal holds: We may retain information longer where required by law, court order, or to establish, exercise, or defend legal claims.

7.2 Your Right to Deletion

You may request deletion of your account and the Personal Information associated with it at any time. To make a deletion request:

1. In-app: Open the AMEYA mobile app, go to Settings → Account → Delete My Account, and follow the prompts.
2. By email: Send a deletion request to support@ameyahealth.com from the email address associated with your account, with the subject line “Data Deletion Request.”
3. By mail: Write to Ameya Research Corp., 116 St. / 85 Ave., Edmonton, AB T6G 2R3, Canada.

We will acknowledge your request within 7 days and complete deletion within 30 days, except for information we are required to retain under the Health Information Act, the Freedom of Information and Protection of Privacy Act, PIPEDA, HIPAA, research ethics approvals, or other applicable law. Where we are required to retain certain records, we will inform you of the categories of information retained and the basis for retention, and we will delete all other Personal Information.

After deletion, your information will be removed from production systems immediately and from encrypted backups within 90 days. Anonymized or aggregated data that can no longer reasonably identify you may be retained for analytics, research, and service improvement.

7.3 Account Recovery Window

For 30 days following a deletion request, you may contact support@ameyahealth.com to cancel the request and restore your account. After 30 days, deletion is irreversible.

8. Your Rights and Choices

Subject to applicable law, you have the right to:

• Access the Personal Information and Health Information we hold about you
• Correct Personal Information that is inaccurate or incomplete
• Request deletion of your Personal Information, as described in Section 7
• Withdraw consent to our collection, use, or disclosure of your Personal Information, subject to legal or contractual restrictions and reasonable notice (withdrawing consent may affect our ability to provide some or all of the Services to you)
• Make a complaint to AMEYA or to the applicable privacy regulator (see Section 11)

To exercise any of these rights, contact us at support@ameyahealth.com. We may need to verify your identity before acting on your request.

For United States users: Where AMEYA acts as a business associate under HIPAA, your rights with respect to your protected health information are governed by HIPAA and the Notice of Privacy Practices of the covered entity that provided the Services to you. Please contact that healthcare provider to exercise HIPAA rights with respect to PHI in their designated record set.

9. Security

We use administrative, technical, and physical safeguards designed to protect your Personal Information and Health Information against unauthorized access, disclosure, alteration, and destruction. These include encryption in transit and at rest, access controls based on least privilege, multi-factor authentication for administrative access, audit logging, regular security reviews, and security testing.

No method of transmission over the internet or method of electronic storage is completely secure. While we strive to protect your information, we cannot guarantee absolute security.

10. Children

The Services are not directed to children under 13. We do not knowingly collect Personal Information from children under 13 without verifiable parental consent. Where the Services are made available to individuals between 13 and the age of majority in their jurisdiction, we collect their information only with appropriate parental or guardian consent, or under a clinical or research authorization.

If you believe we have collected information from a child without appropriate consent, please contact us at support@ameyahealth.com and we will take steps to delete the information.

11. Contact Us and Complaints

If you have questions, concerns, or complaints about this Privacy Policy or our handling of your information, please contact us:

You also have the right to make a complaint to a privacy regulator:

• Office of the Information and Privacy Commissioner of Alberta: www.oipc.ab.ca
• Office of the Privacy Commissioner of Canada: www.priv.gc.ca
• For US users with HIPAA concerns: the U.S. Department of Health and Human Services Office for Civil Rights at www.hhs.gov/ocr.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the “Effective Date” above and, where required by law, notify you through the Services or by email. Your continued use of the Services after a change takes effect constitutes your acceptance of the updated Privacy Policy.