BALANX BIO GLOBAL PRIVACY POLICY

Effective Date: March 1, 2026
Last Updated: March 1, 2026

This Privacy Policy (“Policy”) explains how BalanX Bio LLC (“BalanX Bio”, “Company”, “we”, “us”, and “our”) collects, uses, discloses, transfers, stores, and protects personal data of individuals (“you”, “your”, “User”) who access or use our websites, mobile and desktop applications, APIs, digital services, biotechnology platforms, AI/AGI systems, analytics tools, and all related services worldwide (collectively, the “Services”). This Policy applies regardless of where you reside, including, but not limited to, the United States, European Union, United Kingdom, Asia, India, Middle East, Africa, South America, Eastern Europe, Turkey, and all other jurisdictions.

As a global organization, we recognize the vital importance of protecting personal data and complying with applicable global privacy and data protection laws, including the EU General Data Protection Regulation (GDPR), California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA), and a variety of other data protection regimes.

You should read this Policy carefully. By accessing or using the Services, or by otherwise providing personal data to us, you acknowledge that you accept the practices described in this Policy.

Who this Policy Applies to

This Policy applies to all personal data collected through:

  • Our websites and web applications
  • Mobile and desktop applications
  • Emails, newsletters, forms, surveys
  • APIs and third-party integrations
  • Customer support and technical logs
  • Any offline interactions related to the Services


“Personal data” refers to information relating to an identified or identifiable individual, such as identifiers, contact information, demographics, IP addresses, device identifiers, or any data that may be linked to a person. This Policy also covers sensitive categories of personal data to the extent we collect and process them under explicit consent and applicable legal bases.

Information we Collect

We may collect a broad range of personal and non-personal data to provide the Services, enhance your user experience, comply with legal obligations, secure our systems, and fulfill contractual and operational purposes. This section is intentionally extensive because we collect and process data in many contexts.

A. Personal Identifiers
We may collect your name, mailing or billing address, email address, telephone number, user credentials, and other identifiers associated with your account or use of the Services.

B. Account and Profile Information
When you register for an account or engage with the Services, you may provide profile information including username, password, communication preferences, account type, and other profile data.

C. Contact and Correspondence
We collect personal data that you provide when you contact us, respond to surveys, participate in support chats, or communicate with our teams or third-party support services.

D. Usage and Technical Data
We automatically collect usage information and technical data when you interact with our Services, which may include:

  • IP address and approximate geographic location
  • Device identifiers and operating systems
  • Browser type and version
  • Pages visited, features used, time and duration of activities
  • Click paths, referral URLs, search terms, performance metrics

This data helps us improve, secure, and optimize our Services.

E. Cookies and Tracking Technologies
We use cookies, web beacons, pixels, SDKs, and similar technologies to collect data about usage patterns, preferences, and performance. This includes both essential cookies and non-essential tracking for analytics, advertising, and personalization. You may control cookie preferences through settings and consent management tools where applicable.

F. Biotech / Health / Sensitive Data
In cases where we collect health-related, scientific, biometric, genomic, clinical, or other highly sensitive data (only where you have given explicit, documented consent and where allowed by law), we treat such “special categories of data” with heightened safeguards in accordance with applicable laws.

How We Use Personal Data

We use personal data for multiple purposes that are necessary for operations, compliance, security, and to deliver, maintain, enhance, and personalize our Services. These include:

A. Provision of Services
To operate, maintain, troubleshoot, and support your use of the Services, including features, integrations, analytics, access control, updates, and communications.

B. Communication
To send service-related notices, updates, security alerts, and administrative messages; to respond to your inquiries; and to provide customer support.

C. Improvements and Research
To analyze trends, usage, performance, and security of the Services; to develop new features; and to conduct internal research and product performance evaluation.

D. Security and Fraud Prevention
To detect, mitigate, investigate, and prevent security incidents, unauthorized use, fraud, spam, breaches, or other malicious activity.

E. Compliance, Safety, and Legal Obligations
To comply with applicable laws, respond to legal process, enforce our Terms of Service, and resolve disputes; and to maintain records required by law.

F. Marketing
Where you have given appropriate consent, we may send promotional messages, newsletters, or marketing communications. You can opt out at any time via provided mechanisms.

Legal Bases for Processing

Where applicable (such as under the GDPR and similar laws), our processing of personal data is based on one or more lawful bases, which may include:

  • Contract performance: processing necessary to deliver the Services.
  • Legitimate interests: internal operational purposes such as security, fraud prevention, analytics.
  • Consent: where required, such as marketing communications or non-essential cookies.
  • Legal obligations: compliance with law enforcement or regulatory requirements.

Disclosure of Personal Data

We may share personal data with:

A. Service Providers
Third-party vendors, contractors, and service partners that perform services on our behalf such as analytics, hosting, customer support platforms, payment processors, and cloud infrastructure.

B. Affiliates
Our corporate affiliates and subsidiaries for purposes consistent with this Policy.

C. Legal and Safety Obligations
Law enforcement, government agencies, or courts where required by applicable laws or legal process, to protect rights, property, safety, or to prevent wrongdoing.

D. Business Transitions
In connection with mergers, acquisitions, reorganizations, or asset sales, subject to confidentiality obligations.

We do not sell personal data for commercial gain without clear consent.

International Data Transfers

We operate globally and may transfer personal data across national borders, including to countries whose data protection laws may not be equivalent to those in your jurisdiction. We apply appropriate safeguards such as legally recognized transfer mechanisms, adequacy decisions, and contractual obligations to protect personal data during international transfers.

Retention of Personal Data

We retain personal data only as long as necessary to fulfill the purposes for which it was collected, to comply with legal obligations, resolve disputes, enforce agreements, conduct audits, or as permitted by law.

Your Rights

Depending on your local law, you may have rights regarding personal data, including:

  • Access: request a copy of your data
  • Correction/Rectification: correct inaccurate data
  • Deletion: request deletion of your data
  • Restriction of Processing
  • Data Portability
  • Opt-Out of Certain Processing (such as marketing)
  • Withdraw Consent where processing is based on consent

We maintain mechanisms to receive and process such requests within timelines required by applicable law (e.g., GDPR within one month).

Security Measures

We implement reasonable technical, administrative, and organizational safeguards designed to protect personal data against unauthorized access, disclosure, alteration, or destruction. These may include encryption, access controls, monitoring, and periodic reviews. However, no system is infallible and security cannot be guaranteed.

Children & Minors

Our Services are not intended for children under applicable minimum ages (typically 13 or older depending on jurisdiction). We do not intentionally collect personal data from minors without consent of a parent or guardian as required by applicable law.

Policy Updates

We may update this Policy as our data practices, technology, legal requirements, or business activities change. We will indicate the effective date at the top, and when required by law, notify you of material changes.

Jurisdiction-Specific Rights & Compliance

Because BalanX Bio is a global company operating across jurisdictions, this section outlines specific data subject rights and compliance obligations applicable under major global privacy laws, including detailed notices and extended rights for individuals in those regions.

A. European Union (GDPR & EU-Equivalent Protections)
For individuals located in the European Union, European Economic Area, and UK (collectively “EU/EEA/UK”), the following extended rights apply in addition to the general rights described earlier:

  • Access & Portability: You have the right to request a copy of your personal data that we hold in a structured, commonly used, machine-readable format and to request that we transmit that data to another controller.
  • Rectification & Erasure: You can correct inaccurate personal data or request deletion (“right to be forgotten”) subject to legal exceptions (e.g., compliance obligations, public interest).
  • Restriction of Processing: You can request that processing of your personal data be restricted where accuracy is contested, processing is unlawful, or you need the data for legal claims.
  • Objection: You have the right to object to processing for direct marketing or on grounds relating to your particular situation, unless overriding legitimate grounds exist.
  • Lodge a Complaint: You may lodge a complaint with a relevant supervisory authority in your country.
  • Legal Bases & Data Minimization: We must demonstrate a lawful basis for processing personal data, including consent, contract necessity, compliance with legal obligations, legitimate interests, vital interests, or public tasks.

These extended protections reflect the rigorous requirements of the General Data Protection Regulation (GDPR), which applies to all companies processing the personal data of EU/EEA/UK individuals regardless of the Company's physical location.

B. United States (CCPA / CPRA & Other State Laws)
For individuals who are California residents, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) and other state privacy statutes grant expanded rights, including:

  • Right to Know: You can request disclosure of categories of personal information collected, sources of data, purposes of use, and categories of third parties with whom data is shared.
  • Right to Access & Portability: You may request a copy of personal information in a consumer-friendly format.
  • Right to Delete: You can request the deletion of your personal information, subject to exceptions (e.g., legal compliance, fraud prevention).
  • Right to Opt-Out of Sale/Sharing: You may direct us not to sell or share your personal information (in some states “sharing” includes cross-context behavioral advertising).
  • Non-Discrimination: You cannot be denied services or charged different prices for exercising your rights.
  • Children's Data: Special protections apply for data of children under 16; opt-in is required for sale/sharing of that data.

Similar privacy laws across other U.S. states (e.g., Virginia, Colorado, Connecticut, Utah, Texas, etc.) provide similar rights and obligations related to access, portability, correction, and opt-out, and in many cases require designated compliance functions for businesses that exceed thresholds of data processing.

C. India (Digital Personal Data Protection Act & Rules)
For individuals in India, the Digital Personal Data Protection Act (DPDP Act, 2023) and the Digital Personal Data Protection Rules, 2025 set clear requirements and rights for data principals (individuals), and obligations for fiduciaries (controllers). These include:

  • Notice & Purpose Limitation: Clear and specific notices about data collection, purposes, and retention must be provided prior to processing.
  • Consent & Data Minimization: Personal data may only be collected for specified purposes and with consent that is explicit, informed, and unambiguous.
  • Breach Reporting: Fiduciaries must report verified data breaches to the Data Protection Board of India and, if required, to affected individuals.
  • Data Principal Rights: Access, correction, deletion, objection, and grievance mechanisms must be available, with specified timelines.
  • Significant Data Fiduciaries: Higher obligations apply to entities processing sensitive data at scale, including DPIAs, audits, and appointment of a compliance officer.

India's privacy framework reflects a growing global consensus on individual rights similar to GDPR principles, while also incorporating localized compliance mechanisms.

D. Asia Pacific, Middle East & South America / Africa
Various national privacy laws outside Europe and the U.S. are now in force requiring comprehensive rights and safeguards:

  • Asia: Many countries have robust data protection statutes requiring notice, consent, data subject rights, and lawful bases (e.g., Singapore PDPA, South Korea PIPA, China PIPL).
  • Middle East: Laws such as the Saudi Arabia Personal Data Protection Law (PDPL) and UAE Federal Decree-Law on Personal Data Protection require strict accountability, penal provisions, and safeguards similar to GDPR principles.
  • South America: Brazil's LGPD compels transparent processing, rights to access, correction, deletion, portability, and clear legal bases.
  • Africa: South Africa's POPIA and similar laws across the continent require lawful processing, security safeguards, breach notifications, and enforcement mechanisms.

Across these regimes, the core principles of transparency, purpose limitation, data minimization, and security are consistent, while enforcement powers and the specifics of rights may vary by jurisdiction.

Don't Assume One Law Covers All

It is important to note that compliance with one privacy law (e.g., GDPR or CCPA) does not automatically ensure compliance with other privacy laws. Each jurisdiction often has its own requirements — for example, India's DPDP Act requires explicit, documented consent language and distinct breach notification timelines that differ from GDPR and U.S. state laws.

How to Exercise Your Rights

To exercise your rights under this Policy or applicable laws, contact our privacy team as provided below. We will verify your identity, process requests within applicable legal timeframes, and provide mechanisms for submitting requests, including email, web forms, or online portals. Your request may require:

  • Verifiable identity evidence
  • Context of the request
  • Details necessary to locate your data

For European users, rights requests will be handled at no cost and usually within one month, with extensions if necessary. For U.S. state privacy rights, we will respond within the timelines specified by law (typically 45 days unless an extension is justified under law).

Security and Data Protection Controls

We implement technical and organizational safeguards tailored to the type of data processed, including encryption, access controls, secure coding practices, logging, and monitoring to reduce the risk of unauthorized access, alteration, loss, or destruction of personal data. These controls are reviewed periodically to respond to emerging threats and evolving industry standards.

However, no system can be completely secure; users should understand that all data transmission and storage carry inherent risk.

Cross-Border Data Transfers & Safeguards

Because BalanX Bio operates globally, we may transfer personal data across international boundaries. These transfers may occur between data centers, cloud providers, affiliates, service partners, and processors in different countries.

To protect this data, we may implement internationally recognized transfer mechanisms, such as:

  • Standard Contractual Clauses (SCCs), approved frameworks for lawful transfers under GDPR.
  • Binding Corporate Rules (BCRs), internal global data protection policies that meet stringent regulatory standards.
  • Adequacy Decisions, where regulators recognize that a country's laws protect personal data to a high standard.

We use these and other lawful transfer tools to ensure that personal data is protected even outside jurisdictions with strict privacy laws.

Cookies, Trackers, and Consent Management

A. Types of Tracking Technologies
We use various tracking technologies, including:

  • Cookies: Small data files stored on your device to recognize you and customize content.
  • Web Beacons / Pixels: Tiny graphics or tracking codes on web pages and emails.
  • SDKs: Software libraries within mobile and connected applications.

These trackers help with analytics, performance, authentication, security, personalization, and advertising.

B. Consent Management & Opt-Out
Depending on your jurisdiction:

  • Some laws require opt-in consent (e.g., GDPR's requirement for affirmative consent before non-essential cookie activation).
  • Others permit opt-out models (e.g., U.S. state privacy laws like CCPA/CPRA).

We implement consent management mechanisms that let you control how cookies and trackers operate, including opting out where required or permitted by law.

Breach Notification & Incident Response

In the event of a confirmed data breach involving your personal data, we will follow legal obligations applicable in your jurisdiction which generally include:

  • Prompt investigation into the incident.
  • Timely notification to affected individuals and regulatory authorities when required by law.
  • Remediation measures to prevent recurrence.

Under GDPR, serious breaches must be reported to authorities within 72 hours unless unlikely to result in risk to rights and freedoms.

Enforcement, Penalties & Regulatory Oversight

Different jurisdictions empower regulators to enforce privacy laws:

  • Under GDPR, fines can reach up to €20 million or 4% of global revenue, whichever is higher.
  • Under CCPA/CPRA, penalties can include statutory damages and administrative fines.
  • Other laws such as LGPD (Brazil) carry financial penalties and enforcement by national data protection authorities.

This means we must comply with multiple enforcement regimes and tailor our policies to meet evolving global requirements.

User Opt-out Signals & Global Privacy Control

We may support or respond to recognized privacy preference signals such as Global Privacy Control (GPC) and similar technologies that allow users to signal choices regarding the selling or sharing of personal data and participation in targeted advertising. These signals can be critical for compliance with laws like California’s privacy rights regime and are increasingly recognized as valid expressions of user choice under various laws.

If you configure your browser or device with such privacy controls, we will respect those choices in the context of our Services and the legal obligations we hold under applicable privacy laws.

Complaints With Supervisory Authorities or Regulators

In addition to contacting us directly, if you reside in a region with an independent data protection authority or regulator (e.g., GDPR supervisory authority, national privacy commissioner, or consumer protection agency), you may lodge a complaint with such authority about our privacy practices. We will cooperate with regulatory inquiries and enforcement actions as required by law.

General Legal and Accountabilities Statements

This Privacy Policy, together with any supplemental regional notices (e.g., for EU, California, or other jurisdictions), constitutes the full and exclusive statement of the Company’s privacy practices with respect to personal data collected through the Services. It supersedes any prior privacy notices that may have existed. Where applicable law requires a more specific or localized notice (for example, separate GDPR addenda or local consumer privacy notices), we will provide such notices in conjunction with or supplemental to this Policy.
