1. Scope of this Policy

This Policy applies to personal data and health data collected, used, disclosed, or processed through:

• The MytoFit application
• MytoFit websites, digital platforms, and internal systems
• Connected wearable devices and health platforms, including Garmin Connect, Google Health Connect, Huawei Health, Apple Health, Fitbit, Samsung Health, and other supported platforms
• Data manually entered by users
• Data from laboratories, hospitals, clinics, or healthcare partners where the user has provided consent or where another lawful basis applies
• Reports or dashboards for users, doctors, hospitals, organizations, or business partners, according to the applicable consent and service arrangement
• Customer support, events, surveys, communications, and other service channels

Where a specific product or service has a separate privacy notice, that notice will apply to that specific product or service.

2. Types of Data We May Collect

Depending on the services selected and permissions granted by the user, we may collect the following categories of data:

2.1 Identity and Account Data

Such as name, surname, email address, phone number, profile photo, username, password, device ID, and other information necessary to create an account and provide the service.

2.2 Profile and Demographic Data

Such as age, age range, date of birth, sex, height, weight, language, country, time zone, lifestyle, behavior, wellness goals, and user preferences.

2.3 Health and Wellness Data

Such as blood pressure, HbA1c, triglycerides, LDL-C, HDL-C, ApoB, weight, BMI, exercise behavior, sleep, walking, running, recovery, resting heart rate, HRV, VO2max, SpO2, and other health or wellness data provided or connected by the user.

2.4 Connected Health Platform Data

Such as data from Garmin Connect, Google Health Connect, Huawei Health, Apple Health, Fitbit, Samsung Health, or other wearable devices and health platforms connected by the user.

2.5 Laboratory and Healthcare Partner Data

Such as blood test results, health check-up results, hospital data, clinic data, or healthcare partner data, where the user has provided consent or where another lawful basis applies.

2.6 Technical and Usage Data

Such as login history, feature usage, screen interaction, notification interaction, device information, operating system, browser, IP address, cookies, log files, and other technical data necessary for service operation, security, and improvement.

3. Health Data as Sensitive Personal Data

Health data, biometric data, vital-sign data, wearable data, sleep data, exercise data, laboratory results, and other data that may reflect a user's health condition may be considered sensitive personal data under the PDPA.

We will collect, use, or disclose such data only where we have an appropriate lawful basis, such as explicit consent, contractual necessity, legal obligation, or another lawful basis permitted by applicable law.

4. Sources of Data

We may receive data from:

• Users directly, such as during account registration, profile input, health data entry, or customer support communication
• Connected devices or health platforms selected by users, such as Garmin, Google Health Connect, Huawei Health, Apple Health, Fitbit, and Samsung Health
• Hospitals, clinics, laboratories, or healthcare partners, where authorized by the user
• Organizations, employers, or business partners, where relevant to the service and permitted by law
• Our technical systems, such as cookies, log files, analytics, and security monitoring tools

5. Purposes of Data Processing

We may use user data for the following purposes:

• To create and manage user accounts
• To provide MytoFit services and related features
• To connect and synchronize data from authorized devices or health platforms
• To analyze health behavior, exercise, sleep, recovery, and wellness trends
• To generate Health Scores, Wellness Scores, risk-awareness indicators, insights, dashboards, recommendations, and reports
• To support behavior change in movement, nutrition, sleep, recovery, stress management, and lifestyle
• To provide doctor, hospital, or healthcare-provider dashboards where the user has provided consent
• To provide corporate wellness reporting in aggregated, group-level, or non-identifiable form, unless the user has provided separate explicit consent otherwise
• To develop, improve, test, and secure our services
• To detect, prevent, and resolve technical issues, misuse, fraud, or security incidents
• To communicate with users about services, notifications, support, or policy changes
• To comply with applicable laws, government orders, or legal processes

6. Lawful Bases for Processing

7. Health Data Commitments

8. Data from Garmin, Google Health Connect, Huawei Health, Apple Health, and Other Platforms

When users connect an external health platform, they choose which data types MytoFit may access.

MytoFit uses such data only to provide wellness, fitness, lifestyle, health-trend analysis, health-risk awareness, score display, alerts, and personalized recommendation features.

Garmin, Google, Huawei, Apple, Fitbit, Samsung, and other platforms are independent third-party services. Connection to these platforms does not mean that those platforms endorse, verify, control, or assume responsibility for MytoFit's scores, recommendations, reports, analysis, or AI-generated content.

Users may manage or revoke permissions through MytoFit, device settings, or the relevant health platform settings.

Data that a user authorizes MytoFit to access from external health platforms will be used only for the purposes described in this Policy and in accordance with the permissions granted by the user. The Company will not sell identifiable health data and will not use such health data for personalized advertising, data brokerage, credit assessment, lending decisions, employment suitability decisions, or insurance eligibility decisions.

9. Limitations of Wearable Data

10. Use of AI and Third-Party AI Providers

MytoFit may use internal systems, algorithms, knowledge graphs, risk models, rules-based systems, and artificial intelligence systems to support wellness, fitness, lifestyle, behavior-support, and health-risk awareness recommendations.

MytoFit does not send raw identifiable health data to consumer AI chatbot services or AI services that do not provide appropriate data-protection safeguards.

Where MytoFit uses enterprise-grade or API-based third-party AI model providers, we will do so only as necessary and under appropriate data-protection safeguards, such as data-processing agreements, purpose limitation, no model-training use, limited retention, encryption, access control, and audit controls.

Before sending data to an external AI provider, MytoFit will seek to reduce identifiability where appropriate. This may include pseudonymization, aggregation, de-identification where possible, or transformation of raw data into abstracted recommendation context, such as age band, general activity level, sleep trend, recovery trend, or risk category, instead of sending name, email, phone number, precise GPS route, raw device files, or detailed health timelines.

11. Disclosure of Data to Third Parties

We may disclose data, only as necessary and under an appropriate lawful basis, to the following parties:

• Cloud infrastructure, hosting, security, analytics, customer support, or IT service providers
• Enterprise-grade or API-based AI providers, subject to this Policy
• Doctors, hospitals, clinics, or healthcare partners, where the user has provided consent
• Organizations or employers, only in aggregated, group-level, or non-identifiable form unless the user has provided separate explicit consent otherwise
• Payment providers, logistics providers, or service partners necessary to provide the service
• Government authorities, courts, regulators, or law-enforcement agencies where required by law
• Successors or relevant parties in connection with a merger, acquisition, restructuring, or transfer of business, subject to applicable law and appropriate safeguards

12. On-Device vs. Cloud Processing

13. International Data Transfers

In some cases, we may need to transfer personal data outside Thailand, such as to cloud infrastructure providers, technology providers, or enterprise AI service providers.

Where the destination country does not provide an adequate level of personal data protection under Thai law, we will implement appropriate safeguards, such as data-processing agreements, security requirements, purpose limitation, user consent, or other mechanisms required by law.

For enterprise, hospital, or institutional clients that require data to be stored or processed in Thailand, MytoFit may provide domestic cloud, private cloud, or on-premise deployment arrangements under a separate agreement.

14. Data Retention

We retain data only for as long as necessary for the purposes described in this Policy, for legal or contractual obligations, or for the establishment, exercise, or defense of legal claims.

When a user requests account deletion or deletion of personal data, the Company will delete, destroy, or anonymize the relevant data in accordance with the procedures and timeframes described in this Policy, unless the Company is required or permitted to retain certain information due to legal obligations, contractual obligations, system security, fraud prevention, investigation of abnormal use, dispute management, or the establishment, exercise, or defense of legal claims.

Deleted data may remain temporarily in backup systems, security logs, audit logs, or disaster recovery systems for a limited period in accordance with the Company's backup and deletion cycles. The Company will restrict access to such data and will not use it for other purposes, except to the extent necessary for legal compliance, security, audit, or protection of the Company's rights.

If a user revokes access to a health platform connected to MytoFit, the Company will stop collecting new data from that platform and will handle any data previously collected by MytoFit in accordance with this Policy, applicable law, and the relevant platform requirements.

15. Data Security

We use organizational and technical measures to protect user data, such as access control, encryption, access logging and monitoring, vendor control, data backup, security testing, and personnel training.

However, no system is 100% secure. We will use reasonable industry-standard efforts to protect data against unauthorized access, use, disclosure, alteration, or destruction.

16. Cookies and Similar Technologies

We may use cookies, SDKs, log files, and similar technologies to provide the service, maintain security, analyze usage, improve user experience, and develop our systems.

Users may manage or delete cookies through browser or device settings. Disabling certain cookies may affect some service features.

17. Minors and Legally Incapacitated Persons

Where we know that data requiring consent belongs to a minor, legally incapacitated person, or quasi-incompetent person, we will obtain consent from a parent, guardian, curator, or authorized person as required by law.

If we later discover that data was collected without valid consent where consent was required, we will delete, destroy, or de-identify such data as soon as reasonably possible, unless another lawful basis applies.

18. Data Subject Rights

Users have rights under the PDPA, including:

• Right of access
• Right to obtain a copy of data
• Right to rectification
• Right to erasure or destruction
• Right to restriction of processing
• Right to object
• Right to withdraw consent
• Right to data portability
• Right to lodge a complaint with the relevant authority

These rights may be subject to legal conditions, exemptions, and timelines.

19. Withdrawal of Consent and Disconnection

Users may withdraw consent or disconnect Garmin, Google Health Connect, Huawei Health, Apple Health, Fitbit, Samsung Health, or other connected platforms through MytoFit, device settings, or the relevant platform settings.

After withdrawal or disconnection, MytoFit will stop collecting new data from that source. Withdrawal of consent will not affect processing that was lawfully conducted before the withdrawal.

20. Account Deletion and Personal Data Deletion

Users may request deletion of their MytoFit account and/or request that the Company delete, destroy, or anonymize their personal data in accordance with their rights under applicable personal data protection laws. Users may submit such requests through the channels provided in the application, the Company's website, or the contact channels specified in this Policy.

Upon receiving a request, the Company may verify the identity of the requester in order to prevent unauthorized access, modification, or deletion of data. The Company will process the request within 30 days, or within the period required or permitted by applicable law, unless the Company needs to retain certain data for legal obligations, contractual obligations, security, dispute investigation, fraud prevention, or the establishment, exercise, or defense of legal claims.

Account deletion may result in the user losing access to their account, usage history, MytoFit Score reports, recommendations, settings, device connection history, and certain MytoFit services. In some cases, such information may not be recoverable.

If a user has connected MytoFit with Apple Health, Google Health Connect, Garmin Connect, Huawei Health, Fitbit, Samsung Health, or other external health platforms, deletion of the MytoFit account will cause MytoFit to stop processing data under that account, and the Company will delete, destroy, or anonymize data stored by MytoFit in accordance with this Policy. However, the user may also need to revoke access permissions or manage source data directly through the settings of the relevant device or external health platform.

Data that has been aggregated, statistical, or anonymized so that it can no longer identify an individual user may continue to be retained and used by the Company for analytics, service improvement, research, system development, group-level reporting, or statistical analysis, provided that such data cannot be used to identify the individual user.

Where a user accesses the services through an organization, employer, hospital, clinic, or certain business partners, deletion or handling of certain data may depend on the Company's role as a data controller or data processor, the relevant service agreement, data processing agreement, and applicable legal basis.

After the Company completes the request, the Company may notify the user of the outcome through an appropriate contact channel, unless applicable law or security reasons prevent disclosure of certain details.

21. Medical Disclaimer

22. Sponsored Content & Advertising

We may display third-party sponsored content. General advertising will not use identifiable health data. You can opt out of personalized advertising in your app settings. We comply with Apple App Tracking Transparency (ATT) and Google Play advertising consent requirements.

23. Sharing with Healthcare Providers

We may share health data with doctors, hospitals, clinics, or healthcare partners only where the user has provided explicit consent. Data is shared for wellness and healthcare purposes as consented to by the user.

24. Data Processing Addendum

For enterprise clients where MytoFit acts as a Data Processor under the PDPA, a full Data Processing Agreement (DPA) is available upon request. Contact services@jmcqcs.com.

25. Complaints

If users believe that we have processed their data in a way that does not comply with applicable law, users may contact us first so that we can investigate and address the concern.

Users also have the right to lodge a complaint with Thailand's Personal Data Protection Committee or other competent authority.

26. Changes to this Policy

We may update this Policy from time to time to reflect changes in our services, technologies, laws, or external platform requirements.

We will notify users of material changes through our website, application, or other appropriate channels and will indicate the effective date of the latest version.

27. Contact Us

For questions, concerns, or data-subject-right requests, please contact:

• Company: JMC Quantum Cultures Co., Ltd.
• Address: 45 Soi Chan 28, Thung Wat Don, Sathorn, Bangkok 10120
• Email: services@jmcqcs.com
• Phone: 098-992-3401
• Website: www.jmcqcs.com

Response Timeline: We will respond to requests within the period required by applicable law.