This privacy notice for Debrief AI Inc. (“we,” “us,” or “our”), describes how and why we might collect, store, use, and/or share (“process”) your information when you use our services (“Services”), such as when you:

• Download and use our mobile application (Ultra Dymensions)
• Use our facial analysis and skincare reformulation services
• Engage with us in other related ways, including any sales, marketing, or events

1. What Information Do We Collect?

Personal Information You Disclose to Us

In Short: We collect personal information that you provide to us.

We collect personal information that you voluntarily provide when you express an interest in obtaining information about our products and Services, participate in activities on our platform, or otherwise contact us.

Personal Information Provided by You

The personal information we collect depends on how you interact with us and the Services, the choices you make, and the features you use. This may include:

• Email addresses
• Names
• Phone numbers

Sensitive Information

When necessary, with your consent or as permitted by applicable law, we process the following categories of sensitive information:

• Biometric data

Payment Data

We may collect data necessary to process payments, such as your payment instrument number and security code. All payment data is securely stored by Apple. You may review Apple’s privacy policy at:Apple Payment Privacy Notice.

Application Data

If you use our application, we may also collect the following data if you provide access or permission:

Mobile Device Access

We may request access to certain mobile features, including your camera, photo library, and other functionalities. You can change these permissions in your device settings.

Mobile Device Data

We automatically collect certain device data, including:

• Device model, manufacturer, and operating system
• Application identification numbers
• IP address (or proxy server)
• Internet service provider and/or mobile carrier

Push Notifications

We may request to send push notifications regarding your account or features of the application. You can disable these in your device settings.

This information is primarily used to ensure the security and functionality of our application, enable troubleshooting, and for internal analytics and reporting purposes.

Information Automatically Collected

In Short: Some data, such as your Internet Protocol (IP) address and device characteristics, is collected automatically when you interact with our Services.

We automatically collect certain data when you visit, use, or navigate our platform. While this information does not reveal your specific identity, it may include:

Log and Usage Data

This includes diagnostic, performance, and usage data that our servers log automatically when you access our Services. It may include:

• IP address and device information
• Browser type and settings
• Pages viewed, searches, and interactions within the Services
• Error reports and system activity logs

Device Data

We collect information about the computer, phone, tablet, or other device you use to access the Services, including:

• Device and application identification numbers
• Operating system and browser type
• Hardware model and network information

Location Data

We may collect location data, either precise or imprecise, depending on your device settings. For example, we may use GPS and IP-based geolocation. You can opt out of this by disabling location services in your device settings, but this may affect certain features of the Services.

2. How Do We Process Your Information?

In Short: We process your information to provide, improve, and administer our Services, communicate with you, for security and fraud prevention, and to comply with the law. We may also process your information for other purposes with your consent.

We process your personal information for a variety of reasons, depending on how you interact with our Services, including:

• To deliver and facilitate services. We process your information to provide you with the requested service.
• To request feedback. We process your information to request feedback and contact you about your use of our Services.
• To identify usage trends. We analyze how you use our Services to improve them.
• To determine marketing effectiveness. We process information to optimize marketing and promotional campaigns.
• To protect an individual’s vital interests. We process information when necessary to prevent harm.

3. What Legal Bases Do We Rely on to Process Your Information?

In Short: We only process your personal information when we have a valid legal reason to do so under applicable law, such as your consent, compliance with laws, contractual obligations, protecting your rights, or fulfilling legitimate business interests.

Legal Bases for Users in the EU and UK

The General Data Protection Regulation (GDPR) and UK GDPR require us to explain the valid legal bases we rely on when processing your personal information. These may include:

• Consent: We process your information if you have given explicit permission. You can withdraw your consent at any time.
• Performance of a Contract: We process your information to fulfill contractual obligations or provide services at your request.
• Legitimate Interests: We process data when necessary for legitimate business interests that do not override your fundamental rights, such as:
  • Analyzing service usage to improve engagement and retention
  • Supporting marketing and promotional activities
  • Enhancing user experience based on data analysis
• Legal Obligations: We process data to comply with legal requirements, cooperate with law enforcement, or protect our legal rights.
• Vital Interests: We process information when necessary to protect an individual’s safety.

Legal Bases for Users in Canada

Under Canadian privacy laws, we may process your information with your express or implied consent. In some cases, we may be legally permitted to process information without consent, including:

• When collection is in the best interest of an individual and obtaining consent is not feasible
• For fraud prevention and investigations
• For business transactions, under certain conditions
• When required to comply with subpoenas, warrants, or court orders
• To identify or contact individuals in cases of injury, illness, or death
• To prevent financial abuse or legal violations

4. When and With Whom Do We Share Your Personal Information?

In Short: We may share information in specific situations described in this section and/or with the following categories of third parties.

Vendors, Consultants, and Other Third-Party Service Providers

We may share your data with third-party vendors, service providers, contractors, or agents (“third parties”) who perform services for us or on our behalf and require access to such information. These third parties operate under contracts designed to safeguard your personal information. They:

• Are instructed only to process your data as directed by us.
• Are prohibited from sharing your data with any organization apart from us.
• Commit to protecting your data and retaining it only for the period we instruct (no longer than one year).

The categories of third parties we may share your personal information with include:

• Data Analytics Services
• Data Storage Service Providers
• OpenAI

Business Transfers

We may share or transfer your information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company.

5. How Long Do We Keep Your Information?

In Short: We keep your information for as long as necessary to fulfill the purposes outlined in this privacy notice, up to a maximum of one year, unless otherwise required by law.

We will retain your personal information only as long as necessary to provide access to your previous scan results. Face scans are stored for a maximum of one year, unless a longer retention period is required by law.

When we have no ongoing legitimate business need to process your personal information or when one year has elapsed, we will:

• Delete the information entirely.
• Anonymize the data so it is no longer linked to you.
• If immediate deletion is not possible (e.g., due to backup archives), we will securely store and isolate the data from further processing until deletion is feasible.

6. How Do We Keep Your Information Safe?

In Short: We aim to protect your personal information through a system of organizational and technical security measures.

We implement appropriate security measures to safeguard the personal information we process. However, despite our best efforts, no electronic transmission over the Internet or data storage technology can be guaranteed to be 100% secure. As a result, we cannot guarantee that hackers, cybercriminals, or unauthorized third parties will not access, steal, or modify your information improperly.

While we strive to protect your data, transmitting personal information to and from our Services is at your own risk. You should only access our Services within a secure environment.

7. Do We Collect Information From Minors?

In Short: We do not knowingly collect data from or market to children under 18 years of age.

We do not knowingly solicit data from or market to individuals under the age of 18. By using the Services, you confirm that you are at least 18 years old or that you are a parent or guardian providing consent for a minor to use our Services.

If we discover that we have collected personal information from users under 18 years of age, we will promptly deactivate the account and delete the data from our records. If you become aware of any such data collection, please contact us at:rli@debriefbiosciences.com.

8. What Are Your Privacy Rights?

In Short: In some regions, such as the European Economic Area (EEA), United Kingdom (UK), Switzerland, and Canada, you have rights that allow you greater access to and control over your personal information.

Depending on your location, applicable privacy laws grant you certain rights, which may include:

• The right to request access and obtain a copy of your personal information.
• The right to request rectification or erasure of your personal data.
• The right to restrict the processing of your personal information.
• The right to data portability, where applicable.
• The right not to be subject to automated decision-making.

You can exercise these rights by contacting us at:rli@debriefbiosciences.com.

Withdrawing Your Consent

If we are processing your personal information based on your consent, you have the right to withdraw that consent at any time. You can do so by contacting us. However, withdrawing consent will not affect the lawfulness of processing conducted prior to withdrawal.

EU, UK, and Switzerland Residents

If you believe that we are unlawfully processing your personal information, you have the right to file a complaint with your local data protection authority.

Swiss Residents

If you are located in Switzerland, you may contact the Federal Data Protection and Information Commissioner for further inquiries.

If you have any questions or concerns about your privacy rights, please email us at:rli@debriefbiosciences.com.

9. Controls for Do-Not-Track Features

Most web browsers and some mobile operating systems and mobile applications include a Do-Not-Track ("DNT") feature or setting you can activate to signal your privacy preference not to have data about your online browsing activities monitored and collected. At this stage, no uniform technology standard for recognizing and implementing DNT signals has been finalized. As such, we do not currently respond to DNT browser signals or any other mechanism that automatically communicates your choice not to be tracked online. If a standard for online tracking is adopted that we must follow in the future, we will inform you about that practice in a revised version of this privacy notice.

10. Do United States Residents Have Specific Privacy Rights?

In Short: If you are a resident of California, Colorado, Connecticut, Utah, or Virginia, you are granted specific rights regarding access to your personal information.

What Categories of Personal Information Do We Collect?

We have collected the following categories of personal information in the past twelve (12) months:

• Biometric information
• Sensitive personal information

We will use and retain the collected personal information as needed to provide the Services or for:

• Biometric information - As long as the user has an account with us
• Sensitive personal information - As long as the user has an account with us

Biometric information may be used or disclosed to a service provider or contractor for additional, specified purposes. You have the right to limit the use or disclosure of your sensitive personal information.

How Do We Use and Share Your Personal Information?

Learn about how we use your personal information in the section, "How Do We Process Your Information?"

Will Your Information Be Shared With Anyone Else?

We may disclose your personal information with our service providers pursuant to a written contract between us and each service provider. Learn more about how we disclose personal information in the section, "When and With Whom Do We Share Your Personal Information?"

We may use your personal information for our own business purposes, such as for undertaking internal research for technological development and demonstration. This is not considered to be "selling" of your personal information.

We have not disclosed, sold, or shared any personal information to third parties for a business or commercial purpose in the preceding twelve (12) months. We will not sell or share personal information in the future belonging to website visitors, users, and other consumers.

California Residents

California Civil Code Section 1798.83, also known as the "Shine The Light" law permits our users who are California residents to request and obtain from us, once a year and free of charge, information about categories of personal information (if any) we disclosed to third parties for direct marketing purposes and the names and addresses of all third parties with which we shared personal information in the immediately preceding calendar year. If you are a California resident and would like to make such a request, please submit your request in writing to us using the contact information provided below.

If you are under 18 years of age, reside in California, and have a registered account with the Services, you have the right to request removal of unwanted data that you publicly post on the Services. To request removal of such data, please contact us using the contact information provided below and include the email address associated with your account and a statement that you reside in California. We will make sure the data is not publicly displayed on the Services, but please be aware that the data may not be completely or comprehensively removed from all our systems (e.g., backups, etc.).

CCPA Privacy Notice

This section applies only to California residents. Under the California Consumer Privacy Act (CCPA), you have the rights listed below.

If this definition of "resident" applies to you, we must adhere to certain rights and obligations regarding your personal information.

Your Rights With Respect to Your Personal Data

• Right to request deletion of the data — Request to delete: You can ask for the deletion of your personal information. If you ask us to delete your personal information, we will respect your request and delete your personal information, subject to certain exceptions provided by law.
• Right to be informed — Request to know: Depending on the circumstances, you have a right to know whether we collect and use your personal information, the categories of personal information that we collect, and the purposes for which the collected personal information is used.
• Right to Non-Discrimination: We will not discriminate against you if you exercise your privacy rights.

How to Exercise Your Rights

To exercise these rights, you can contact us by submitting a data subject access request, by email atrli@debriefbiosciences.com, or by referring to the contact details at the bottom of this document. If you have a complaint about how we handle your data, we would like to hear from you.

11. Do Other Regions Have Specific Privacy Rights?

In Short: You may have additional rights based on the country you reside in.

Australia and New Zealand

We collect and process your personal information under the obligations and conditions set by Australia's Privacy Act 1988 and New Zealand's Privacy Act 2020 (Privacy Act).

This privacy notice satisfies the notice requirements defined in both Privacy Acts, in particular: what personal information we collect from you, from which sources, for which purposes, and other recipients of your personal information.

If you do not wish to provide the personal information necessary to fulfill their applicable purpose, it may affect our ability to provide our services, in particular:

• Offering you the products or services that you want
• Responding to or helping with your requests

At any time, you have the right to request access to or correction of your personal information. You can make such a request by contacting us by using the contact details provided in the section "How Can You Review, Update, or Delete the Data We Collect From You?"

If you believe we are unlawfully processing your personal information, you have the right to submit a complaint about a breach of the Australian Privacy Principles to the Office of the Australian Information Commissioner and a breach of New Zealand's Privacy Principles to the Office of New Zealand Privacy Commissioner.

Republic of South Africa

At any time, you have the right to request access to or correction of your personal information. You can make such a request by contacting us by using the contact details provided in the section "How Can You Review, Update, or Delete the Data We Collect From You?"

If you are unsatisfied with the manner in which we address any complaint with regard to our processing of personal information, you can contact the office of the regulator, the details of which are:

The Information Regulator (South Africa)
General enquiries:enquiries@inforegulator.org.za
Complaints (complete POPIA/PAIA form 5):PAIAComplaints@inforegulator.org.za &POPIAComplaints@inforegulator.org.za

12. Do We Make Updates to This Notice?

In Short: Yes, we will update this notice as necessary to stay compliant with relevant laws.

We may update this privacy notice from time to time. The updated version will be indicated by an updated "Revised" date, and the updated version will be effective as soon as it is accessible. If we make material changes to this privacy notice, we may notify you either by prominently posting a notice of such changes or by directly sending you a notification. We encourage you to review this privacy notice frequently to stay informed on how we are protecting your information.

13. How Can You Contact Us About This Notice?

If you have questions or comments about this notice, you may email us atrli@debriefbiosciences.com.

14. How Can You Review, Update, or Delete the Data We Collect From You?

Based on the applicable laws of your country, you may have the right to request access to the personal information we collect from you, change that information, or delete it. To request to review, update, or delete your personal information, please fill out and submit a data subject access request:Submit Request.

15. Face Data Handling Specifics

What is Face Data?

Face Data refers to the images that you provide, which are essential for conducting our personalized skincare analysis and reformulation services.

Why Do We Store Face Data?

We retain Face Data to enable access to your historical scan results, enhancing your experience by allowing you to track changes and compare past analyses.

How Long Do We Store This Data?

Face Data is stored for one year to allow you sufficient time to review and compare your scan results over an extended period. This duration supports a comprehensive analysis of changes in your skin and makeup preferences over time. Unless a longer retention period is mandated by law, data older than one year is deleted.

Which Third Parties Have Access to Face Data?

OpenAI is the sole third party with access to your Face Data.

Why Do We Share Your Data With Third Parties?

We collaborate with OpenAI, leveraging their advanced analytics capabilities to conduct skincare analysis, ensuring high accuracy and personalized results.

How Long Do Third Parties Store the Data?

OpenAI may securely retain API inputs and outputs for up to 30 days to provide their services effectively and to monitor for any misuse of the data. Post this period, all inputs and outputs are removed from OpenAI's systems, except in cases where retention is required by law.