

Additional Notice to Users in China (Mainland PRC)

Effective Date: September 1, 2025

This section applies to individuals located in the People’s Republic of China (“China” – excluding Hong Kong, Macao, and Taiwan) who use Exos services, including individuals whose information will be stored in the Coach Hub application. It is provided in accordance with China’s Personal Information Protection Law and related laws. It supplements the Exos Privacy Policy. In case of any inconsistencies between this China Notice and the main Privacy Policy, this Notice will prevail for users in China.

Personal Information Definition: For purposes of this Notice, “Personal Information” has the meaning defined under Chinese law – i.e., any kind of information, recorded electronically or otherwise, that relates to an identified or identifiable natural person, excluding anonymized information. If we refer to “sensitive Personal Information,” it means personal information that, if leaked or misused, may easily cause harm to personal dignity or safety of persons (for example, health and medical information, precise location, personal financial accounts, etc.).

Data Controller and Representative: Exos (Athletes’ Performance, Inc. and its affiliates) is the organization determining the purposes and means of processing your Personal Information. Exos is headquartered at 2629 E. Rose Garden Lane, Phoenix, AZ 85050, USA, and can be contacted via privacyofficer@teamexos.com. For individuals in China, if required by law, Exos will designate a representative within China to handle personal information protection matters. You may contact Rong Han at 60F, Shanghai World Financial Center 100 Century Avenue, Pudong New Area Shanghai, China 200120 for any inquiries (if no separate representative is listed here, you may continue to contact our Privacy Officer in the US, and we will handle your request in compliance with Chinese law).

What Personal Information We Collect: We collect and use Personal Information as described in the Privacy Policy (see “What Personal Information We Collect From You”). In particular, for users in China with information stored in Coach Hub, this may include:

  • Identifiers and Contact Information: Your name, email address, phone number, and employee ID (if used for account setup).

  • Account and Profile Data: Information you provide when creating your Coach Hub account, such as age, date of birth, gender, and any profile preferences.

  • Fitness and Health-Related Data (Sensitive Personal Information): Information about your fitness activities and wellness, which you log or that is generated through your use of Coach Hub. This can include workout routines, performance metrics (e.g., heart rate, calories burned, step count), nutrition or lifestyle information you choose to input, and any health history or injuries you choose to share with Exos coaches. Please note: this type of information is considered sensitive Personal Information under Chinese law. We will process this sensitive data only for the purposes of providing you with wellness coaching and managing the fitness program, and only with your explicit consent. (See “How We Use Your Information” below.)

  • Device and Usage Data: Information about how you access the Coach Hub app or site – e.g., device type, operating system, IP address, login times, and usage logs (which workouts you view, duration of use, etc.). This helps us ensure the service functions properly and improve the user experience.

  • Communications: If you communicate with Exos (for example, send feedback or contact support), we may collect your contact details and the content of your communications. If we ever record coaching sessions (such as a virtual training session), we will obtain your consent beforehand.

We do not collect any personal identification numbers issued by the Chinese government (such as ID card numbers) or financial account passwords. We do not collect biometric identifiers other than basic fitness metrics as described. We do not knowingly collect personal information from anyone under 14 years old in China (our services are for adult employees).

How We Use Your Personal Information: We use the information for the following purposes (as aligned with the “How We Use Personal Information” section of the Privacy Policy):

  • Provide and Personalize the Wellness Service: We process your personal and health data to design and adjust your fitness program, track your progress, and deliver coaching tailored to you. For example, our coaches and algorithms may use your workout history and health info to suggest modifications to your exercise plan. We will not use this information to diagnose or treat medical conditions, and any health metrics are used solely to support your fitness and wellness goals.

  • Service Operation and Security: We use device and usage data to maintain the app’s functionality, perform troubleshooting, ensure account security (e.g., detecting suspicious logins), and improve features.

  • Communication: We may use your contact info to send service notifications (for example, schedule changes or updates to our terms) or respond to your inquiries. If you have agreed, we might send motivational messages or wellness tips as part of the program. You can opt out of non-essential communications.

  • Compliance and Legal: Where necessary, we will process data to comply with Chinese legal obligations or requests by authorities (for instance, to meet public health requirements or upon valid legal order, subject to applicable law). If we ever need to use your data for a new purpose not listed here, we will obtain your consent as required by law.

We ensure that we minimize the collection and use of data – i.e., we only process data that is relevant and necessary for the above purposes. We do not engage in excessive or irrelevant data collection. We do not use your personal data for automated decision-making that produces legal or similarly significant effects without human involvement; any automated analysis (e.g., workout recommendations) can be reviewed or adjusted by our human coaches.

Processing of Sensitive Personal Information: As noted, some of your data (health and fitness metrics, possibly age or weight) may be sensitive. We will process sensitive data only to the extent necessary for the wellness service and with stringent protections. We will obtain your separate consent before or at the time of collecting any sensitive personal information. For example, when you sign up, you may be asked to agree to a statement like “I consent to the processing of my health-related personal information for the purposes of participating in the Exos wellness program.” You may refuse to provide sensitive data; however, please understand that if you do so, we may not be able to offer certain personalized features of the program. We implement security measures (described below) to protect all personal data, with special focus on sensitive data (encryption, access controls, etc.).

Sharing and Disclosure: Exos will not share your Personal Information with any third party except as allowed in the Privacy Policy and in compliance with Chinese law. In practice, your data is mainly accessed by Exos and by the corporate client (generally, your employer) to the extent needed for program administration. For instance, your employer may receive aggregate reports on program participation or outcomes, but not your individual health details without your specific consent, unless required for their employment benefits management. We do not sell your personal data.

If we ever need to entrust a third-party service provider (a processor) with some of your data (for example, a cloud hosting provider or a data analytics tool), we will sign a data processing agreement with them that is compatible with protection standards of Chinese law. They will only process data on our instructions and not for their own purposes. Our list of subprocessors is available in our Privacy Policy, and we can provide the names and contacts of any such data recipients upon request.

We will not publicly disclose any of your personal information (for example, publishing your name or data) without obtaining your separate consent, unless such disclosure is required by applicable law or government orders.

In the event of a business transfer (like a merger or if Exos were to hand over this service to another provider), we would inform you of the name and contact of the new data handler receiving your personal information, and ensure they continue to protect your data under terms equivalent to this Notice. If the new handler changes the purpose or method of processing, they would need to obtain your consent anew.

International Transfer of Personal Information: Your personal information will be transferred to and stored on servers located in the United States, operated by Exos and/or its cloud service providers. This is necessary for us to provide you with the Coach Hub service (since the application’s infrastructure is based in the U.S.). We understand and respect that China has strict requirements for cross-border data transfers. We have adopted the following measures to lawfully transfer and protect your data:

  • We obtain your explicit consent for the cross-border transfer. By agreeing to this Notice (and the Privacy Policy) and by using Coach Hub, you acknowledge that your personal information will be transmitted to the U.S. for processing. During account registration, you may be asked to tick a consent box specifically for cross-border transfer. You can withdraw this consent at any time (see “Your Rights” below), though that will likely mean we can no longer provide the service.

  • We implement contractual and security safeguards as required by law. Exos has executed China’s Standard Contractual Clauses (SCCs) for personal information export, ensuring that the data recipient (an Exos U.S. affiliate) provides the same level of data protection as required under Chinese law. This contract addresses data security, individual rights, and government access, in line with PIPL provisions. A copy or summary of the SCC can be provided upon request.

  • Before commencing the data transfer, Exos conducted a Personal Information Protection Impact Assessment to evaluate and mitigate risks involved in the cross-border transfer, as per PIPL Article 55. We concluded that the transfer will not harm individuals’ rights and the data will be adequately protected overseas. Key considerations included the volume and sensitivity of data (moderate and related to fitness), the purposes (employee wellness), and the data protection measures in place in the U.S.

  • Data protection measures: All personal data is encrypted during transmission between China and the U.S. using industry-standard protocols (HTTPS/TLS). We store the data in secure facilities with access controls. Only authorized Exos personnel (such as your coach or support engineers who need to maintain the system) can access identifiable data, and they are trained on privacy laws in a manner compatible with PIPL. We also pseudonymize or aggregate data wherever possible for analytics, to minimize exposure of personal identity.

  • We will monitor regulatory developments. Should Chinese authorities require additional steps (for instance, filing documentation or routing data through a government gateway), we will comply accordingly. If in the future, laws change such that continuing cross-border transfers is not permissible, we will either migrate data to a local solution or obtain the necessary government approvals to continue, and inform you of any significant changes.

By implementing the above, we aim to ensure the continuous and lawful flow of your data to our U.S. platform without compromising its security or your privacy rights. If you have any questions about cross-border handling, you can contact us (see “Contact Us” below).

Data Security Measures: We take active steps to safeguard your personal information. In alignment with China’s requirements (PIPL Art. 51 and related standards), we have established internal security management systems and employ technical measures, including:

  • Access Control: We limit access to personal data strictly to personnel who need it to perform their job (principle of least privilege). Access to sensitive health data is restricted to your Exos coach and a few essential IT administrators. All access is logged and monitored.

  • Encryption & Storage Security: Personal data is stored in encrypted form in our databases. For example, sensitive fields like health notes may be encrypted at rest. Data backups are also encrypted. We use secure cloud infrastructure with firewalls and intrusion detection systems.

  • Data Transmission: When data is in transit (such as your app communicating with our server), it is protected by encryption (HTTPS). We also take precautions to validate the identity of the clients and servers to prevent man-in-the-middle attacks.

  • Anonymization: If we analyze usage trends or report overall wellness outcomes to the client (employer), we use aggregated and de-identified data. Individual identities are removed unless needed.

  • Employee Training and Audits: We train our staff on data protection obligations under PIPL. We conduct periodic reviews and audits of our data handling practices. We have appointed a Privacy Officer responsible for overseeing compliance.

  • Incident Response: We have an incident response plan. In the unlikely event of a data breach or leakage involving your information, we will promptly notify you and the relevant Chinese authorities as required (if a security incident is likely to cause significant harm, PIPL requires we inform users and report to authorities). We will also take immediate steps to contain and remedy the situation.

While we strive to protect your data, please note that no system can be 100% secure. However, we are committed to complying with all applicable security standards and continuously improving our defenses to meet evolving threats.

Data Retention: We will retain your personal information for the period necessary to fulfill the purposes stated above, unless a longer retention is required or permitted by law. In general, for the Coach Hub program, if you remain an active participant, we keep your data to provide the service. If you cease to use Coach Hub (for example, if you leave your employer or the program ends), we will delete or anonymize your personal information after 90 days in the case of the entire program ending, and otherwise three years from your last activity in the service, except where we need to keep it longer to comply with legal obligations or resolve any disputes. (For instance, we might retain certain records if required by tax or audit laws, or if related to an ongoing legal claim, if applicable.) We follow the principles of storage limitation, meaning we do not retain personal data indefinitely.

If you request deletion of certain data (see below for your rights), and no law requires us to keep it, we will delete it or render it anonymous. In some cases, instead of immediate permanent deletion, data might be moved to a secure archive (especially backups) and then erased a bit later in the normal course of backup rotation – but during that interim it will not be used or disclosed. We will inform you once your data is fully deleted as per your request.

Your Rights and Choices (China): You have important rights regarding your personal information. We have summarized them below in accordance with Chinese law:

  • Right to access and copy: You can request confirmation whether we are processing your personal information, and request a copy of the personal information we hold about you. For example, you can ask to see the fitness data and profile information we have stored. We will provide this, once we verify your identity, in a format that is convenient and to the extent required by law.

  • Right to correct or rectify: If you discover that any personal information we hold about you is incorrect or incomplete, you have the right to request a correction. For instance, if your birthdate or contact info is wrong in our records, or if a health entry was logged inaccurately, you can ask us to fix it. We may need to verify the accuracy of the new information you provide, and we’ll make the correction promptly.

  • Right to delete: You may request deletion of your personal information under the circumstances provided by law. This includes: (a) if the purposes for which we collected it have been achieved, or it’s no longer necessary to retain the data; (b) if we collected/used your info without proper consent or in violation of law; (c) if you have withdrawn your consent; or (d) if you terminate your use of our services (for example, you leave the company or the program is ended). Upon confirming your request, we will delete your personal information (or anonymize it) and also instruct any service providers who have it to do the same (except to the extent law permits otherwise). Please note, there are certain exceptions where we may refuse a deletion request: for example, if retaining the data is required to comply with a legal obligation or an order from authorities, or if the data is necessary for resolving a legal claim. If we rely on such an exception, we will inform you of the reason we cannot delete the data. Also, if you ask us to delete your data, you may lose access to any saved workouts or achievements (deletion is permanent).

  • Right to withdraw consent: Where we process your personal information based on your consent (this includes most of your Coach Hub data, since you consent to the wellness program and especially to sensitive health data processing), you have the right to withdraw that consent at any time. You can do so by contacting us or (if available) changing your settings in the app. After you withdraw consent, we will stop processing the corresponding personal information. Please understand that withdrawal of consent does not affect the legality of processing done prior to withdrawal, and that if you withdraw consent for essential data (like all your fitness data), we may not be able to continue providing the service to you. We will inform you if that is the case at the time of your request so you can decide.

  • Right to restrict or object: You have the right to object to or limit certain processing activities. For example, if we were to use your data for direct marketing (not currently applicable), you could object and opt out. If you feel our processing is beyond what is necessary or is impacting your rights, you can request us to restrict processing. We will accommodate objections unless we have compelling legitimate grounds that override your interests or the processing is needed for legal claims. In contexts where we rely on consent, withdrawing consent is the primary way to object (as described above).

  • Right to data portability: You have the right to request a transfer of your personal information to you in a structured, commonly used electronic form. For instance, you could ask for a copy of your fitness data to port to a personal app. Where required by law, we will facilitate this transfer, provided it’s technically feasible. Currently, because our service is unique, this may not be very applicable, but we will do our best to honor such requests.

  • Right to be informed: This entire Notice is part of fulfilling your right to be informed. We will inform you of significant changes to how we process your data or if there is a security incident. We aim for transparency in all data practices.

  • Right to lodge a complaint: If you believe we are violating Chinese personal information protection laws or your rights, you have the right to complain to the competent authorities. In China, the primary regulator is the Cyberspace Administration of China (CAC) and its local branches. You may also report issues to other relevant regulatory departments. We encourage you to first reach out to us at privacyofficer@teamexos.com so we can address your concerns directly and promptly. We are committed to resolving any issues in good faith.

We will not retaliate against or refuse to serve you for exercising any of the above rights.

Exercising Your Rights: To make any of the requests above, please contact us (see “Contact Us” below). For certain requests, we will need to verify your identity to ensure that it’s you (or your authorized agent) making the request. For example, we may ask you to confirm some personal details we have on file. We strive to respond to your request within a reasonable time and as required by law. Under PIPL, we will respond within 15 working days or notify you if we need an extension. If we decline your request (such as rejecting an unfounded deletion request), we will explain our reasons in our response.

Contact Us (China): If you have any questions, concerns, or requests regarding this Notice or your Personal Information, you can reach out in the following ways:

  • Email: privacyofficer@teamexos.com 

(Please include that you are a China user in your email subject for faster routing.)

  • Mail:

Attention: Rong Han
60F, Shanghai World Financial Center 100 Century Avenue,
Pudong New Area Shanghai, China 200120

We will respond to inquiries in English or Chinese as appropriate. If you prefer to communicate in Chinese, we will accommodate that.