Jurisdictional Applicability

This Privacy Policy applies to all Users regardless of your country or region of residence or establishment. The specific rights and obligations that apply to you may vary depending on your jurisdiction, as set out in the relevant sections below.

• If your country of residence or establishment is within the European Economic Area ("EEA"), Switzerland, or the United Kingdom, additional provisions for European Users apply to you. See Section 10 (Your Rights — EEA, UK, Switzerland).
• If your country of residence or establishment is in Australia, additional provisions for Australian Users may apply. [To be published as a separate appendix.]
• If your country of residence or establishment is in the United States, China, Brazil, Canada, Hong Kong, Taiwan, Singapore, or all other countries and territories, the General Privacy Policy below applies to you.

Kibo processes personal data in accordance with applicable privacy and data protection laws, including the General Data Protection Regulation (GDPR) in the European Union, the Health Insurance Portability and Accountability Act (HIPAA) where applicable, and relevant regional data protection acts (e.g., PDPA, PDPO).

1. Introduction and Scope

1.1. Who We Are

Kibo Platform ("Kibo," "we," "us," or "our") operates the Kibo mobile application, website (www.kibocare.com), and related technology offerings (collectively, the "Kibo Platform" or "Services"). We are a technology intermediary connecting Users with Healthcare Providers, Clinical Trial Sponsors, and Local Affiliates for cross-border healthcare services.

1.2. Purpose of This Policy

This Privacy Policy describes how we collect, use, store, transfer, and protect your personal data, including health data, when you use the Kibo Platform. It applies to all Users—Patients, Healthcare Providers, Clinical Trial Sponsors, Local Affiliates, and visitors.

1.3. Data Controller

The Kibo entity with whom you contract (as set out in our Terms of Service, Schedule 1 — Contracting Entities) acts as the data controller for your personal data. If you have questions about which entity processes your data, please contact us using the details in Section 15.

1.4. Related Documents

This Privacy Policy is incorporated by reference into our Terms of Service. We also maintain a Cookie Policy that describes how we use cookies and similar technologies. Your use of the Platform is subject to both this Privacy Policy and our Terms of Service.

2. Information We Collect

2.1. Information You Provide Directly

We collect information you provide when you:

• Account Registration: Legal name, email address, phone number (with country code), date of birth, and other identity verification information.
• Profile Information: Profile photo, preferred language, travel preferences, and medical history or condition information you choose to share for matching purposes.
• Medical Records and Health Data: Documents, images, scans, lab results, prescriptions, and other health-related information you upload. This is sensitive/special category data under applicable laws (e.g., GDPR Article 9).
• Communications: Messages you send through the Platform, feedback, reviews, and support inquiries.
• Payment Information: Billing address and payment method details. We do not store full credit card numbers; payment processing is handled by third-party payment processors.
• Application Information: If you apply as a Healthcare Provider or to join our network, we collect business information, licenses, accreditations, and contact details.

2.2. Information Collected Automatically

When you access the Platform, we may automatically collect: Device and Usage Data (IP address, device type, operating system, browser type, pages visited, time spent, referring URLs); Log Data (server logs, access times, diagnostic information); Cookies and Similar Technologies (as described in our Cookie Policy).

2.3. Information from Third Parties

We may receive information from Healthcare Providers (booking confirmations, appointment status); Authentication Providers (if you sign in via Google or similar—name, email, profile picture); Payment Processors (transaction status and limited payment metadata).

3. How We Use Your Information

3.1. Purposes of Processing

We use your personal data to: Provide the Services (operate the Platform, facilitate bookings, store and transmit medical records to authorized recipients, enable search and AI matching, process payments); Communicate with you (transactional communications, support); Improve the Platform (analyze usage, develop features, enhance security); Comply with legal obligations; Marketing (with your consent—you may opt out at any time).

3.2. Legal Basis (EEA, UK, Switzerland)

Where required by law, we process based on: Contract Performance (necessary to perform our contract); Legitimate Interests (operating the Platform, improving services, security); Consent (marketing, sharing health data); Legal Obligation. For health data (special category under GDPR), we rely on your explicit consent or other permitted grounds.

3.3. We Do Not Sell Your Personal Data

We do not sell your personal information to third parties. We do not share your data for third-party marketing purposes without your consent.

4. Sharing and Disclosure of Your Information

4.1. Authorized Recipients

We share your data only with: Healthcare Providers, Clinical Trial Sponsors, and Local Affiliates—only to the extent you authorize (e.g., when you book or submit a dossier); they are independent data controllers. Service Providers (hosting, payment, analytics, support)—we require them to protect your data. Legal and Regulatory Authorities when required by law.

4.2. Cross-Border Data Transfer

YOU EXPRESSLY CONSENT to the transfer of your personal and medical data across international borders for facilitating medical treatment, consultations, or clinical trial participation. We use adequacy decisions, Standard Contractual Clauses (SCCs), and other safeguards as required by law. Data protection laws in other countries may differ from those in your jurisdiction.

5. Data Security

We implement appropriate technical and organizational measures including: Encryption (TLS 1.2+ in transit, AES-256 at rest); Access Controls (role-based, authorized personnel only); Audit Logging (access to health data is logged); Secure Development practices. Despite our efforts, no method is 100% secure. You are responsible for safeguarding your account credentials.

6. Data Retention

We retain personal data only as long as necessary: Account Data—while active and for a reasonable period after closure; Medical Records—as long as you maintain an account and as required for care and legal obligations; Transaction and Payment Data—as required by tax/financial regulations (e.g., 7 years); Logs and Analytics—typically 12–24 months. Upon valid deletion request, we will delete or anonymize within 30 days, subject to legal retention requirements.

7. Cookies and Similar Technologies

We use cookies and similar technologies to operate the Platform, analyze usage, and personalize content. See our Cookie Policy for details. You can manage preferences through your browser settings or our cookie consent tool.

8. Children's Privacy

The Kibo Platform is not intended for individuals under 18. We do not knowingly collect personal data from children. If you are a parent or guardian and believe your child has provided us with data, please contact us and we will delete it promptly.

9. Your Rights

Depending on your jurisdiction, you may have: Access (copy of your data); Rectification (correction of inaccurate data); Erasure ("right to be forgotten"); Restriction (limit processing); Portability (data in machine-readable format); Objection (object to legitimate-interest or direct marketing processing); Withdraw Consent (where processing is consent-based). Contact us at Section 14 to exercise these rights. We will respond within the timeframe required by law (e.g., 30 days under GDPR). We may need to verify your identity.

10. Your Rights — EEA, UK, Switzerland

If you are in the EEA, UK, or Switzerland, you have the rights in Section 9. In addition: You have the right to lodge a complaint with a data protection supervisory authority in your country. For GDPR-related inquiries, you may contact our Data Protection Officer at the email in Section 14.

11. California Privacy Rights (CCPA/CPRA)

California residents may have additional rights: Right to know what we collect and how it is used; Right to delete; Right to opt out of "sale" or "sharing"—We do not sell or share personal information for cross-context behavioral advertising; Right to non-discrimination. Contact us to exercise these rights.

12. Hong Kong (PDPO) and Singapore (PDPA)

If you are in Hong Kong or Singapore, we process data in accordance with PDPO and PDPA. You have rights to access and correct your personal data. Contact us to exercise these rights.

13. Changes to This Privacy Policy

We may update this Privacy Policy. Material changes will be posted with an updated "Last Updated" date. We will provide notice at least 30 days before effective where required by law. Your continued use after the effective date constitutes acceptance.

14. Contact Us

If you have questions or wish to exercise your rights, please contact us at:

For general support or account inquiries, please use the in-app help center or contact support through the Platform.