Privacy Notice

We at Team Tumi Fitness LTD (“we”, “us”, “our”) respect your concerns about privacy.

This Privacy Notice explains how we use any personal data we collect about you and your rights inrelation to the information. "Personal data" means any information that identifies you as an individualor is capable of identifying you as an individual.

For the purpose of applicable data protection laws, including the General Data Protection Regulation(the “GDPR”), the data controller is Team Tumi Fitness LTD with email address TEAMTUMIFITNESS@GMAIL.COM.

Information covered by this Privacy Notice

This Privacy Notice covers all personal data collected and used by us. This includes your name, age, postal address, email address, phone number, credit card number,details of the preferences you express to us, your comments and questions, and technical informationfrom the devices you use to access our website.

It also includes information on your body andwellbeing, including height, weight (including information on obesity), body statistics, workouts, mood,meals, nutrition and general health and wellbeing, that you decide to disclose to us on this website orthrough the use of our app, as well as any pictures that you choose to share with us.

Personal Data we obtain

We (and our service providers) collect this personal data from you when you:

•purchase products or services from us, including a coaching subscription.

•submit any information through this website.•create an account with us, or otherwise sign up for our services.

•opt in to or otherwise receive marketing from us or our representatives.

•choose to participate in our customer feedback surveys.

•communicate with us via third-party social media websites.

•contact us, correspond with us, or otherwise provide information to us.

We also work closely with third parties (such as business partners and analytics providers) and may receive other personal data about you from those third parties, which we may combine with the information you have provided to us.

We process all data we obtain from such other sources inaccordance with this Privacy Notice. When you visit our website and/or app, we (and our service providers) may use cookies and othertechnologies to automatically collect the following information on you:

•technical information, including your IP address, your login information, browser type andversion, device identifier, location and time zone setting, browser plug-in types and versions,operating system and platform, page response times and download errors.

•information about your visit, including the websites you visit before and after our website andproducts you viewed or searched for.

•length of visits to certain pages, page interaction information (such as scrolling, clicks andmouseovers) and methods used to browse away from the page. Within our app you may choose to

•record a fitness activity, for example a run. You must first allow the app to access yourlocation. Then the app will access your location data from the moment you start recording theactivity until the moment you stop the recording. To ensure that your full activity is recorded, we need to continue to access the location data if the app is in the back ground during the activity. You can remove the permission at any time by adjusting your device settings.

•import your history of fitness activities from Apple Health or Google Fit. You must first allowthe app to access your data from these sources. You can remove the permission at any time by adjusting your app settings. How we use the information we obtainWe use the personal data we collect from and about you for the following purposes:

•to set up and manage your online account.

•to provide our services to you, which may include•designing tailored meal and workout plans.

•monitoring changes or adaptations in your body to improve your coaching cycle, andto combine information we receive and collect (e.g. from updates you provide on 2your body transformation) to provide you with a more personalised experience andto make informed decisions about future coaching to best facilitate yourimprovement. This also provides vital statistics which we use to better understandthe efficacy of different approaches to dieting and workouts.

•a history of your fitness activities, including (where eligible) duration, distance,speed, activity type and heart rate, as well as an overview of your fitnessprogression.

•to provide you with information about our products and services (provided you have eitherconsented to this or we by other means are allowed to reach out to you for marketingpurposes).

•to process your payments.

•to notify you of any changes to our services that may affect you.

•to comply with our legal obligations to keep internal (financial) records.The legal bases for which we collect, use, transfer or disclose your personal data include:

•the performance of our contract obligations with you (see article 6(1)(b) of the GDPR).

•our legitimate interests (see article 6(1)(f) of the GDPR), which include: improving our offeringsas a business; personalising our services and interactions with you, to better meet your needsas a customer; and detecting and preventing fraud.

•compliance with our legal obligations (see article 6(1)(c) of the GDPR).

•to the extent we send you information on our products and services for marketing purposes,we will either ask for your consent (in accordance with article 6(1)(a) of the GDPR) beforeprocessing your information in this way or process your personal data based on our legitimateinterests (in accordance with article 6(1)(f) of the GDPR - the legitimate interests are statedabove). Pictures that you choose to share with Team Tumi Fitness LTD are used by us solely for tracking yourprogress and will never be shared on our website or social media unless you give your explicit consenthereto. The use of consent for processing of your health dataIn order for us to be able to deliver customized meal- and workout plans to you, we may processcertain health data provided by you, including information on allergens, information that might reveal obesity or specific injuries or other relevant information related to your physical or mental healthstatus. The legal basis for our processing of your health information is Article 9 (2) a) cf. Article 6 (1) b)of the GDPR, which means that we will ask you for your explicit consent to allow us to process yourhealth data prior to you becoming a client with us. You may at any time withdraw your consent to us processing your health data. However, you should beaware that if we are prevented from processing relevant personal data, including information on anyallergens, information that might reveal obesity or specific injuries or other relevant information related to your physical or mental health status, we will not be able to provide you with our services (customized meal- and workout plans based on your unique needs). Third Parties, including processing by Lenus eHealth ApSThe security of your personal data is extremely important to us. We do not sell your personal data toany third parties, and we never will. Access to your personal data is only provided to carefully selected third parties, including:

our service providers who help us to provide our services to you, such as our infrastructureand IT service providers. These include Lenus eHealth ApS and Stripe, who support ourbusiness by providing technical infrastructure services, analysing product performance, providing technical assistance and facilitating payments. We note therefore that Lenus eHealthApS may process your personal data as data processor on behalf of us. However, LenuseHealth ApS may also act as an independent data controller in limited cases. You can readmore about Lenus eHealth’s processing of your personal data as data controller (includingcookies) here:https://lenusehealth.com/privacy-policy/. You can read more about Stripe’sprocessing of your personal data as a data processor here:https://stripe.com/en-dk/privacy.

•our regulators, or organisations to whom we are required to disclose your personal data by law.

•third parties connected with business transfers, such as in connection with a reorganisation,restructuring, merger, acquisition or transfer of assets, provided that the receiving partyagrees to treat your personal data in a manner consistent with this Privacy Notice. Our website may, from time to time, contain links to and from the websites of our partners, oraffiliates.If you follow a link to any of these websites, please note that these websites have their ownprivacy notices and that we have no control over how they may use your personal data. You should check the privacy notices of third party websites before you submit any personal data to them.How long we retain your personal data for your personal data will only be stored for as long as necessary for the purposes for which they were collected and only to the extent permitted by applicable laws. When we no longer need to use your information, we will remove it from our systems and records and / or take steps to promptly anonymise it so that you can no longer be identified from it (unless we need to keep your information to complywith legal or regulatory obligations to which we are subject). We adhere to the retention periods listed in the below table. As a general rule, we erase or anonymiseyour personal data according to the time limits stated below unless it is necessary that we continue tostore them, e.g. for the purpose of particular cases or the like.

Processing purposes

Retention period Management of your account 12 months after your last activity Delivery of coaching services 12 months after your last activity

Marketing purposes 12 months after your last activity

Payment purposes 60 months after your last activity

E-mails to/from you (notifications)6 months after your last activity

Mandatory recordkeeping 60 months after your last activity

Summarizing overview

Please refer to the summarizing overview below setting out the purposes, legal basis as well asapplicable retention periods pertaining to the various processing activities as described in the sections 5 above.

Processing purposes Legal basis Retentionperiod Management of your account Article 6(1)(b) of the GDPR12 months afteryour lastactivityDelivery ofcoachingservicesArticles 6(1)(b) of the GDPR and for health data, the legalbasis is article 9(2)(a), cf. article 6(1)(b) of the GDPR12 months afteryour lastactivityMarketingpurposesArticle 6(1)(a) of the GDPR12 months afteryour lastactivityPaymentpurposesArticle 6(1)(b) of the GDPR60 months afteryour lastactivityE-mails to/fromyou(notifications)Article 6(1)(b) of the GDPR6 months afteryour lastactivityMandatoryrecordkeepingArticle 6(1)(c) of the GDPR as we are required to store e.g.bookkeeping material (which may include personal data)60 months afteryour lastactivityThird country data transfersThe personal data that we collect from you may be transferred to, and stored at, a destination outsidethe European Economic Area ("EEA").It may also be processed by staff operating outside the EEA and6who work for us or for one of our service providers.We will take all steps reasonably necessary to ensure that your personal data is treated securely and inaccordance with this Privacy Notice and applicable data protection laws, including, where relevant,entering into EU standard contractual clauses (or equivalent measures) with the party outside the EEAreceiving the personal data. Keeping your information secureWe have implemented technical and organisational security measures in an effort to safeguardpersonal data in our custody and control. Such measures we have implemented include, limitingaccess to personal data only to employees and authorised service providers who need to know suchinformation for the purposes described in this Privacy Notice, as well as other technical, administrativeand physical safeguards. While we endeavour to always protect our systems, sites, operations and information againstunauthorised access, use, modification and disclosure, due to the inherent nature of the Internet as anopen global communications vehicle and other risk factors, we cannot guarantee that any information,during transmission or while stored on our systems, will be absolutely safe from intrusion by others,such as hackers. To provide you with increased security, certain personal data stored in your online account is onlyaccessible via your username and password. You are responsible for maintaining the confidentiality ofyour online account credentials, and we strongly recommend that you do not disclose your online account user name or password to anyone. We will never ask you for your password in any unsolicitedcommunication. Please notify us immediately (see "Contact us" section below) of any unauthoriseduse of your online account credentials or any other suspected breach of security. Your Personal Data Rights You have various rights in connection with our processing of your personal data:

•Access. You have the right to request a copy of the personal data we are processing aboutyou, which we will provide back to you in electronic form

•Rectification. You have the right for any incomplete or inaccurate personal data that weprocess about you to be rectified.

•Deletion. You have the right to request that we delete personal data that we process aboutyou, except we are not obligated to do so if we need to retain such data in order to comply with a legal obligation or to establish, exercise or defend legal claims.

•Restriction. You have the right to restrict our processing of your personal data where youbelieve such data to be inaccurate, our processing is unlawful or that we no longer need toprocess such data for a particular purpose. Where we are not able to delete the data due to alegal or other obligation or because you do not wish for us to delete it, we would mark storedpersonal data with the aim of limiting particular processing for particular purposes inaccordance with your request, or otherwise restrict its processing.

•Objection. Where the legal justification for our processing of your personal data is ourlegitimate interest, you have the right to object to such processing on grounds relating to yourparticular situation. We will abide by your request unless we have compelling legitimategrounds for the processing which override your interests and rights, or if we need to continueto process the data for the establishment, exercise or defence of a legal claim.

•Withdrawing Consent. Where we process certain personal data on the basis of your consent,you have the right to withdraw your consent, including with regard to direct marketing. Inrelation to the consequences of your withdrawal of consent for us to process your health data,please see above under “The use of consent for processing of your health data”.If you wish to exercise one or more of the above rights, please contact us with your request at teamtumifitness@gmail.com, and include your name, email and postal address, as well as your specificrequest and any other information we may need in order to provide or otherwise process your request.In some situations, we may refuse to act or may impose limitations on your rights, as permitted by law. Before we can provide you with any information or correct any inaccuracies, we may ask you to verify your identity and/or provide other details to help us respond to your request. For the exercise of your rights, please contact us using the contact information provided below in the “How to Contact Us” section.I n all cases, you have a right to file a complaint with the local data protection authority if you believethat we have not complied with applicable data protection laws. If you are based in the UK, theInformation Commissioner’s Office can be contacted through their website at www.ico.org.uk. How to contact usIf you have any questions about this Privacy Notice and/or about the privacy policies and practices ofour service providers, please contact us at teamtumifitness@gmail.com

Last updated: 01/05/2022