Privacy Policy

1. Overview.

This ChromaCode Privacy Policy (“Policy”) explains how we may use information collected through the use of the ChromaCode website
or ChromaCode Cloud. In this Privacy Policy “user”, “you” and “your” refers to users of the product (either an individual or an organization).
“ChromaCode”, “Company”, “we”, “us” and “our” refers to ChromaCode Inc. This policy also explains your choices about how we use information about
you. Your choices include how you can object to certain uses of information about you and how you can access and update certain information
about you. If you do not agree with this policy, you should not access or use the ChromaCode website or ChromaCode Cloud.

2. Definitions. 

a. “Personal Information”. Any information relating to an identified individual, or to an individual who can be identified, directly or indirectly,
by reference to such information, which may include, an identification number, an email address, physical address, phone number, or
one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity. Without limiting the
foregoing, Personal Information does not include information that is de-identified or corporate information that relates to an
organization but not to an individual, such as a corporate name, corporate address or general corporate phone number.
b. “Analysis Data”. Output data from an instrument (e.g. qPCR machine) that contains intensity data collected from biological samples
analyzed on that instrument, sample IDs and metadata about the run. Analysis Data will be kept confidential.

3. Information We May Collect or Use.
a. Account and profile information. When your institution creates an initial account with ChromaCode Cloud, we store the email addresses
of administrators and users of the organizational account. We do not collect any other Personal Information from ChromaCode Cloud
users during account set-up. This Personal Information is kept confidential.
b. Location information. We record the IP addresses of computers from which Personal Information and Analysis Data are uploaded.
c. Content you provide through use of ChromaCode Cloud. When a user uploads Analysis Data to ChromaCode Cloud we store metadata
about instrument (e.g. make/model/serial number), metadata about the run (e.g. run time), the uploaded raw intensity data, the
processed data, the target calls, and details of the assay configuration used to analyze the data. ChromaCode may extract and use deidentified
data which involves removal of sample names from the data. This data is combined with data from other customers and
analyzed by ChromaCode. The data is not shared with other customers.
d. Usage information. We may collect anonymous web navigational information to improve our understanding of the usability of the
ChromaCode Cloud and ChromaCode website. Frequency of page hits and time spent on different pages are not associated with
individual users or organizations.

4. How We Collect Your Information.
a. Usage Information. We use Matamo to collect navigational information to users in ChromaCode Cloud. We include a Javascript tag
provided in each page of ChromaCode Cloud that enables Matomo to record activity across the application. Data is aggregated to
provide detailed web analytics reports about page views. Matamo is configured in ChromaCode Cloud to automatically anonymize
users’ IP addresses and to respect any Do Not Track settings.
b. Analytics. We use analytics applications, including “Google Analytics”, to collect information about use of the ChromaCode website.
Google Analytics collects information such as how often users visit a website, what pages they visit when they do so, and what other
websites they visited prior to coming to a website. We use the information obtained from these applications only to improve our Sites
and our product and service offerings. The information generated about your use of our Sites will be transferred and saved to the
vendor’s server in the United States. For Google Analytics, within Member States of the European Union or other signatories of the
Agreement on the European Economic Area, Google will first shorten your IP address. In exceptional cases, the full IP address will be
transferred to a Google server in the United States to be shortened there. Google’s ability to use and share information collected by
Google Analytics about your visits to the Sites is restricted by the Google Analytics Terms of Use and the Google Privacy Policy. You can
opt-out of Google Analytics tracking by visiting https://tools.google.com/dlpage/gaoptout/.
c. Analysis Data. We process qPCR instrument output files and extract signal intensity data and instrument metadata. We do not retain the
files after they have been processed. We store the extracted data in our system and use signal processing and curve analysis
algorithms to identify targets in the processed samples. Results and associated reports are stored in our system and only are only
accessible by you. We also store de-identified input and processed data in a separate database and aggregate with other customers’
data.

5. How We Use Your Information.
a. To monitor performance of our products. We may use studies of the processed Analysis Data in the ChromaCode Cloud to assess the
performance of our reagents. For example, we may use aggregated Analysis Data to assure the uniformity and stability of components
in our reagent lots. We may also use aggregated Analysis Data to identify optimizations of our assays across different instrument
platforms.
b. For research and development. We may use the aggregated Analysis Data in the ChromaCode Cloud to improve our computational
methods. For example, we may compare processed signal data with raw intensity data to evaluate the performance of our algorithms
on different instrument platforms.
c. To communicate with you about our products. If your institution has opted in to receive information about our marketing programs, we
may use information about the assays you are running to provide you with information about new ChromaCode products that may be of
interest.
d. To support customers. We may use your information (with your consent) to resolve technical problems.

6. How We Share Your Information. ChromaCode does not share your Personal Information or Analysis Data with any third parties other than
authorized third party vendors that work on ChromaCode’s behalf and who in all cases, are subject to confidentiality obligations.

7. Customer Access and Control of Information. You have the right to delete some or all of your Personal Information and Analysis Data in
ChromaCode Cloud at any time, understanding that this data will be immediately and permanently deleted and cannot be restored.

8. Changes of Privacy Policy. We reserve the right to change this privacy policy without notice. When we make changes, we will make them available
within thirty days. The changed Privacy Policy supersedes and replaces the prior version. Your continued access to ChromaCode cloud represents
your acceptance of the changed policy. All users of ChromaCode Cloud will be notified of changes by email.

9. Users from Outside the United States. ChromaCode is based in the U.S., and the Company’s offices are headquartered in the U.S. Be aware that
information you provide to ChromaCode that it obtains as a result of your use of the software may be processed and transferred to the U.S. and be
subject to U.S. law. Information may be processed by staff working for the Company in the US.

10. Information Security. We will take reasonable precautions to protect your Personal Information in our possession from loss, misuse, and
unauthorized access, disclosure, alteration or destruction. We will make reasonable efforts to keep your Personal Information reliable for its
intended use, accurate, current and complete. As necessary, we will take additional precautions regarding the security of particularly sensitive
information, such as credit card information. While we strive to secure your Personal Information, we cannot warrant or guarantee that this
information will be protected under all circumstances, including those beyond our reasonable control.

11. Children. The Sites are intended for business use. We do not knowingly collect or solicit Personal Information from anyone under the age of 16. If
you are under 16, please do not attempt to register for the Sites or send any Personal Information about yourself to us. If we learn that we have
collected Personal Information from a child under age 16, we will delete that information as quickly as possible. If you believe that a child under 16
may have provided us Personal Information, please contact us.

12. Contacting Us. Questions regarding this Privacy Policy should be directed to privacy@chromacode.com or by mailing ChromaCode Privacy, Suite
100, 2330 Faraday Avenue, Carlsbad, CA 92008.

13. European Data Subjects: EU General Data Project Regulation (“GDPR”).
a. GDPR. For this GDPR section, we use the terms “Personal Data” and “processing” as they are defined in the GDPR, but “Personal Data”
means information that can be used to individually identify a person, and “processing” generally covers actions that can be performed in
connection with data such as collection, use, storage and disclosure. ChromaCode is the controller of your Personal Data processed in
connection with the Sites. Note that we may also process Personal Data of our customers’ end users or employees in connection with
our provision of services to customers, in which case we are the processor of Personal Data. If we are the processor of your Personal
Data (i.e., not the controller), please contact the controller party in the first instance to address your rights with respect to such data. If
there are any conflicts between this section and any other provision of this Privacy Policy, the policy or portion that is more protective of
Personal Data shall control to the extent of such conflict. If you have any questions about this section or whether any of the following
applies to you, please contact us at privacy@chromacode.com.
b. What Personal Data Do We Collect from You? We collect Personal Data about you when you provide such information directly to us,
when third parties such as our business partners or service providers provide us with Personal Data about you, or when Personal Data
about you is automatically collected in connection with your use of our Sites. Please see the section Information We May Collect About
You and How We Collect Your Information. For the purposes of this Privacy Policy, when we use the term Personal Information, that is
intended to also indicate Personal Data pursuant to the GDPR and EU Personal Data pursuant to the Privacy Shield in each case if the
applicable data subject is an EU resident.
c. How Do We Use Your Personal Data? Please refer to the section on How We Use Your Information above for details of how we use and
process your Personal Data.
d. Lawful Bases for Processing. We will only process your Personal Data if we have a lawful basis for doing so. Lawful bases for
processing may include consent, contractual necessity and our “legitimate interests,” as further described below.
i. Contractual Necessity: When you purchase our products and services, we process your contact information (e.g., name,
phone number, address, email address) as a matter of “contractual necessity”, meaning that we need to process the data to
perform under our Terms and Conditions or other agreement with you, which enables us to provide you with the products and
services you request. When we process data due to contractual necessity, failure to provide such Personal Data will result in
your inability to use some or all portions of the Sites or our products and services that require such data.
ii. Legitimate Interest: We may also process your contact information and other categories of Personal Data described in the
section Information We May Collect About You section above for our legitimate interest purposes.
1. Examples of these legitimate interests include:
a. Operation and improvement of our business, products, and services
b. Provision of customer support
c. Protection from fraud or security threats
d. Protecting the security of your account with us
e. Providing you with a sign-in method
f. Determining your geographic location and preferences so that we can serve you better
g. Compliance with legal obligations
h. Completion of corporate transactions
iii. Consent: In some cases, we process Personal Data based on the consent you expressly grant to us at the time we collect
such data. When we process Personal Data based on your consent, it will be expressly indicated to you at the point and time
of collection. If you provide us with opt-in consent to receive marketing information from ChromaCode, we will process your
email address for the purpose of sending you marketing information about our products and services. The legal ground for
processing your email address for this purpose is your consent. You may withdraw your consent any time by selecting
“unsubscribe” in the marketing email or email us at privacy@chromacode.com.
iv. Other Processing Grounds: From time to time we may also need to process Personal Data to comply with a legal obligation, if
it is necessary to protect the vital interests of you or other data subjects, or if it is necessary for a task carried out in the public
interest.
e. How and With Whom Do We Share Your Data? We share Personal Data with vendors, third party service providers, and agents who
work on our behalf and provide us with services related to the purposes described in this Privacy Policy or our Terms and Conditions.
For more information on such third parties, please refer to the section titled How We Share Your Information above.
f. How Long Do We Retain Your Personal Data? We retain Personal Data about you as set forth on our company’s data retention policy.
In some cases we retain Personal Data for longer, if doing so is necessary to comply with our legal obligations, resolve disputes or
collect fees owed, or is otherwise permitted or required by applicable law, rule, or regulation. Afterwards, we retain some information in a
depersonalized or aggregated form but not in a way that would identify you personally.
g. What Security Measures Do We Use? We seek to protect Personal Data using appropriate technical and organizational measures based
on the type of Personal Data and applicable processing activity. For example, we protect the security of your information during
transmission by using Secure Sockets Layer (SSL) software, which encrypts information you input. We also require our supplier and
vendors to protect such information from unauthorized access, use, and disclosure.
h. What Rights Do You Have Regarding Your Personal Data? You have certain rights with respect to your Personal Data, including those
set forth below. For more information about these rights, or to submit a request, please email privacy@chromacode.com. Please note
that in some circumstances, we may not be able to fully comply with your request, such as if it is frivolous or extremely impractical, if it
jeopardizes the rights of others, or if it is not required by law, but in those circumstances, we will still respond to notify you of such a
decision. In some cases, we may also need to you to provide us with additional information, which may include Personal Data, if
necessary to verify your identity and the nature of your request.
i. Access: You can request more information about the Personal Data we hold about you and request a copy of such Personal
Data. You can also access certain of your Personal Data by contacting us at privacy@chromacode.com to make such
corrections.
ii. Rectification: If you believe that any Personal Data we are holding about you is incorrect or incomplete, you can request that
we correct or supplement such data. In certain circumstances, you can correct some of this information directly by
contacting us at privacy@chromacode.com to make such corrections.
iii. Erasure: You can request that we erase some or all of your Personal Data from our systems.
iv. Withdrawal of Consent: If we are processing your Personal Data based on your consent (as indicated at the time of collection
of such data), you have the right to withdraw your consent at any time. Please note, however, that if you exercise this right,
you may have to then provide express consent on a case-by-case basis for the use or disclosure of certain of your Personal
Data, if such use or disclosure is necessary to enable you to utilize some or all of our Sites.
v. Portability: You can ask for a copy of your Personal Data in a machine-readable format. You can also request that we
transmit the data to another controller where technically feasible.
vi. Objection: You can contact us to let us know that you object to the further use or disclosure of your Personal Data for certain
purposes.
vii. Restriction of Processing: You can ask us to restrict further processing of your Personal Data.
viii. Right to File Complaint: You have the right to lodge a complaint about ChromaCode’s practices with respect to your Personal
Data with the supervisory authority of your country or EU Member State.

September 20, 2018.