We at Unterleitner Enterprise Ltd (“we”, “us”, “our”) respect your concerns about privacy. This Privacy Notice explains how we use any personal data we collect about you and your rights in relation to the information. "Personal data" means any information that identifies you as an individual or is capable of identifying you as an individual. For the purpose of applicable data protection laws, including the General Data Protection Regulation (the “GDPR”), the data controller is Unterleitner Enterprise Ltd, a company registered in Cyprus. Our company registration number is HE462617. Our email address is paul.u@gmx.at. Information covered by this Privacy Notice This Privacy Notice covers all personal data collected and used by us. This includes your name, age, postal address, email address, phone number, credit card number, details of the preferences you express to us, your comments and questions, and technical information from the devices you use to access our website. It also includes information on your body and wellbeing, including height, weight (including information on obesity), body statistics, workouts, mood, meals, nutrition and general health and wellbeing, that you decide to disclose to us on this website or through the use of our app or that is generated by the app, as well as any pictures that you choose to share with us. Summarizing overview Please refer to the summarizing overview below setting out the purposes, legal basis as well as applicable retention periods pertaining to the various processing activities as described in the sections above.

Personal Data we obtain We (and our service providers) collect this personal data from you when you: • purchase products or services from us, including a coaching subscription. • submit any information through this website. • create an account with us, or otherwise sign up for our services. • opt in to or otherwise receive marketing from us or our representatives. • choose to participate in our customer feedback surveys. • communicate with us via third-party social media websites. • contact us, correspond with us, or otherwise provide information to us. When you visit our website and/or app, we (and our service providers) may use cookies (please see our cookie policy separately on our website) and other technologies to automatically collect the following information on you: • technical information, including your IP address, your login information, browser type and version, device identifier, location and time zone setting, browser plug-in types and versions, operating system and platform, page response times and download errors. • information about your visit, including the websites you visit before and after our website and products you viewed or searched for. • length of visits to certain pages, page interaction information (such as scrolling, clicks and mouseovers) and methods used to browse away from the page. Within our app you may choose to: 2 • record a fitness activity, for example a run. You must first allow the app to access your location. Then the app will access your location data from the moment you start recording the activity until the moment you stop the recording. To ensure that your full activity is recorded, we need to continue to access the location data if the app is in the background during the activity. You can remove the permission at any time by adjusting your device settings. • import your history of fitness activities from Apple Health or Google Fit. You must first allow the app to access your data from these sources. We will then use Google APIs to receive the information. Our use of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements.You can remove the permission at any time by adjusting your app settings. While you are generally free to choose to what extent you share your personal data with us, please note that opting to not share such personal data may limit our ability to provide our service and our performance of the contract you have entered with us. How we use the information we obtain We use the personal data we collect from and about you for the following purposes: • to set up and manage your online account. • to provide our services to you, which may include • designing tailored meal and workout plans. • monitoring changes or adaptations in your body to improve your coaching cycle, and to combine information we receive and collect (e.g. from updates you provide on your body transformation) to provide you with a more personalised experience and to make informed decisions about future coaching to best facilitate your improvement. This also provides vital statistics which we use to better understand the efficacy of different approaches to dieting and workouts. • a history of your fitness activities, including (where eligible) duration, distance, speed, activity type and heart rate, as well as an overview of your fitness progression. • access to the chat functionality, including a group chat with other clients, where you may post and communicate. • to provide you with information about our products and services (provided you have either consented to this or we by other means are allowed to reach out to you for marketing purposes). • to process your payments. • to notify you of any changes to our services that may affect you. • to comply with our legal obligations to keep internal (financial) records. 3 The legal bases for which we collect, use, transfer or disclose your personal data include: • the performance of our contract obligations with you (see article 6(1)(b) of the GDPR). • our legitimate interests (see article 6(1)(f) of the GDPR), which include: improving our offerings as a business; personalising our services and interactions with you, to better meet your needs as a customer; and detecting and preventing fraud. • compliance with our legal obligations (see article 6(1)(c) of the GDPR). • to the extent we send you information on our products and services for marketing purposes, we will either ask for your consent (in accordance with article 6(1)(a) of the GDPR) before processing your information in this way or process your personal data based on our legitimate interests (in accordance with article 6(1)(f) of the GDPR - the legitimate interests are stated above). Pictures that you choose to share with Unterleitner Enterprise Ltd are used by us solely for tracking your progress and will never be shared on our website or social media unless you give your explicit consent hereto. The use of consent for processing of your health data In order for us to be able to deliver customized meal- and workout plans to you, we may process certain health data provided by you, including information on allergens, information that might reveal obesity or specific injuries or other relevant information related to your physical or mental health status. In addition to the legal bases described above, the legal basis for our processing of your health information is Article 9 (2) (a) of the GDPR, which means that we will ask you for your explicit consent to allow us to process your health data prior to you becoming a client with us. Further, you may choose to make certain information public yourself e.g. by sharing personal information with us directly or to other people through the group chat. In this case, the legal basis is Article 9, (2) e) cf. Article 6 (1) b) of the GDPR. You may at any time withdraw your consent to us processing your health data. However, you should be aware that if we are prevented from processing relevant personal data, including information on any allergens, information that might reveal obesity or specific injuries or other relevant information related to your physical or mental health status, we will not be able to provide you with our services (customized meal- and workout plans based on your unique needs). Third Parties, including processing by Lenus eHealth ApS The security of your personal data is extremely important to us. We do not sell your personal data to any third parties, and we never will. 4 Access to your personal data is only provided to carefully selected third parties, including: • our service providers who help us to provide our services to you, such as our infrastructure and IT service providers. These include Lenus eHealth ApS and Stripe, who support our business by providing technical infrastructure services, analysing product performance, providing technical assistance and facilitating payments. We note therefore that Lenus eHealth ApS may process your personal data as data processor on behalf of us. However, Lenus eHealth ApS may also act as an independent data controller in limited cases. You can read more about Lenus eHealth’s processing of your personal data as data controller (including cookies) here: https://lenusehealth.com/privacy-policy/. You can read more about Stripe’s processing of your personal data as a data processor here: https://stripe.com/en-dk/privacy. • our regulators, law enforcement agencies or other public authorities and organisations if we are required to disclose your personal data by law. • potential buyers and their advisors in case of a business transfer, such as in connection with a reorganisation, restructuring, merger, acquisition or transfer of assets, provided that the receiving party agrees to treat your personal data in a manner consistent with this Privacy Notice. Our website may, from time to time, contain links to and from the websites of our partners, or affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy notices and that we have no control over how they may use your personal data. You should check the privacy notices of third party websites before you submit any personal data to them. How long we retain your personal data for Your personal data will only be stored for as long as necessary for the purposes for which they were collected and only to the extent permitted by applicable laws. When we no longer need to use your information, we will remove it from our systems and records and / or take steps to promptly anonymise it so that you can no longer be identified from it (unless we need to keep your information to comply with legal or regulatory obligations to which we are subject). We adhere to the retention periods listed in the below table. As a general rule, we erase or anonymise your personal data according to the time limits stated below unless it is necessary that we continue to store them.

Any health information as well as uploaded body images will however always be deleted 6 months after your last activity. Third country data transfers The personal data that we collect from you may be transferred to, and stored at, a destination outside the European Economic Area ("EEA"), which does not offer an equivalent level of protection of the personal data to that guaranteed within the EEA. It may also be processed by staff operating outside the EEA and who work for us or for one of our service providers. The countries outside the EEA where personal data about you may be transferred and stored include USA. We will take all steps reasonably necessary to ensure that your personal data is treated securely and in accordance with this Privacy Notice and applicable data protection laws, including, where relevant, entering into EU standard contractual clauses (or equivalent measures) with the party outside the EEA receiving the personal data in accordance with Article 46(2)(c) of the GDPR. You can find a copy of the EU standard contractual clauses by clicking here. Keeping your information secure We have implemented technical and organisational security measures in order to safeguard personal data in our custody and control. Such measures we have implemented include, limiting access to personal data only to employees and authorised service providers who need to know such information for the purposes described in this Privacy Notice, as well as other technical, administrative and physical safeguards. To provide you with increased security, certain personal data stored in your online account is only accessible via your username and password. You are responsible for maintaining the confidentiality of your online account credentials, and we strongly recommend that you do not disclose your online account username or password to anyone. We will never ask you for your password in any unsolicited 6 communication. Please notify us immediately (see "Contact us" section below) of any unauthorised use of your online account credentials or any other suspected breach of security. Your Personal Data Rights You have various rights in connection with our processing of your personal data: • Access. You have the right to request a copy of the personal data we are processing about you, which we will provide back to you in electronic form. • Rectification. You have the right for any incomplete or inaccurate personal data that we process about you to be rectified. • Deletion. You have the right to request that we delete personal data that we process about you, except we are not obligated to do so if we need to retain such data in order to comply with a legal obligation or to establish, exercise or defend legal claims. • Restriction. You have the right to restrict our processing of your personal data where you believe such data to be inaccurate, our processing is unlawful or that we no longer need to process such data for a particular purpose. Where we are not able to delete the data due to a legal or other obligation or because you do not wish for us to delete it, we would mark stored personal data with the aim of limiting particular processing for particular purposes in accordance with your request, or otherwise restrict its processing. • Objection. Where the legal justification for our processing of your personal data is our legitimate interest, you have the right to object to such processing on grounds relating to your particular situation. We will abide by your request unless we have compelling legitimate grounds for the processing which override your interests and rights, or if we need to continue to process the data for the establishment, exercise or defence of a legal claim. • Withdrawing Consent. Where we process certain personal data on the basis of your consent, you have the right to withdraw your consent, including with regard to direct marketing. In relation to the consequences of your withdrawal of consent for us to process your health data, please see above under “The use of consent for processing of your health data”. If you wish to exercise one or more of the above rights, please contact us with your request at paul.u@gmx.at, and include your name, email and postal address, as well as your specific request and any other information we may need in order to provide or otherwise process your request. In some situations, we may impose limitations on your rights, as permitted by law. Before we can provide you with any information or correct any inaccuracies, where there are reasonable grounds for doubting your identity, we may ask you to verify your identity and/or provide other details to help us respond to your request. Nonetheless, verification of identity shall be carried out by cross-checking information we already hold from you. For the exercise of your rights, please contact us using the 7 contact information provided below in the “How to Contact Us” section. In all cases, you have a right to file a complaint with the local data protection authority if you believe that we have not complied with applicable data protection laws. If you reside in the EU or EEA, you can find the contact details of your local data protection authority by clicking on this link. How to contact us If you have any questions about this Privacy Notice and/or about the privacy policies and practices of our service providers, please contact us at paul.u@gmx.at. Last updated: 8/1/2024