Privacy Statement

This Privacy Statement describes how Dante Labs International Inc (“Dante Labs,” “we,” “our,” or “us”) collects, uses, shares, and protects information in connection with the Dante Labs website (dantelabs.com and us.dantelabs.com), mobile applications, and all related services, products, and tools (collectively, the “Services”). This Privacy Statement applies to all users of the Services in the United States. If you are located in the European Economic Area, United Kingdom, or Switzerland, please also review our region-specific privacy notices linked at the bottom of this page.

At Dante Labs, we believe that your genetic information is among the most personal and sensitive data that exists. We are committed to transparency about how we handle your data and to providing you with meaningful choices about its use. Please read this Privacy Statement carefully. By using our Services, you acknowledge that you have read and understood this Privacy Statement.

1. Definitions

To help you understand this Privacy Statement, we define the following categories of information:

“Genetic Information” means your raw DNA sequencing data (including FASTQ, BAM, and VCF files), variant calls, genotype data, and any information derived from the analysis of your genome, including reports on ancestry composition, health predispositions, carrier status, traits, pharmacogenomic profiles, and wellness indicators. Genetic Information also includes the fact that you have undergone or ordered genetic testing.

“Self-Reported Information” means information you provide to us voluntarily, such as health history, demographic data, lifestyle questionnaires, family medical history, symptoms, and any other information you submit through surveys, forms, or account profiles.

“Account Information” means information you provide when you register for an account or place an order, including your name, email address, mailing address, date of birth, sex assigned at birth, payment information, and account credentials.

“Web Behavior and Device Information” means information collected automatically when you use our Services, including IP address, browser type and version, device identifiers, operating system, referring URLs, pages visited, time spent on pages, clickstream data, and information collected through cookies, pixels, and similar technologies.

“Aggregate Information” means information that has been combined with data from other users and stripped of direct identifiers such that it cannot reasonably be used to identify any individual.

“De-identified Information” means Genetic Information or Self-Reported Information from which direct identifiers (name, email address, account ID) have been removed and to which a code or pseudonym has been assigned, such that the information cannot reasonably be linked back to a specific individual without additional information held separately.

2. Information We Collect

2.1 Information You Provide Directly

• Account Information provided during registration and checkout
• Self-Reported Information you submit through health questionnaires, surveys, or your account profile
• Biological samples (saliva or other sample types) you submit for genome sequencing
• Communications you send to our customer support team
• Feedback, reviews, or other content you voluntarily submit

2.2 Information Generated from Your Sample

When we process your biological sample, we generate Genetic Information through whole genome sequencing. This includes sequencing your entire genome to produce raw data files and analyzing that data to generate reports on ancestry, health predispositions, carrier status, traits, pharmacogenomics, and other categories. The depth and scope of analysis depends on the product you purchase.

2.3 Information Collected Automatically

When you visit our website or use our Services, we automatically collect Web Behavior and Device Information through cookies, pixels, and similar tracking technologies. For detailed information about the specific technologies we use, please see our Cookie and Tracking Disclosure.

3. How We Use Your Information

3.1 Genetic Information

We use your Genetic Information to:

• Process your biological sample and perform genome sequencing
• Generate and deliver your personalized reports and analyses
• Provide ongoing updates to your reports as new scientific research becomes available (for active subscribers)
• Respond to your customer support inquiries related to your results
• Comply with applicable legal obligations

We do not use your Genetic Information for advertising or marketing purposes. We do not sell your Genetic Information. We do not share your Genetic Information with insurance companies or employers.

3.2 Account and Self-Reported Information

We use your Account Information and Self-Reported Information to:

• Create and manage your account
• Process and fulfill your orders
• Communicate with you about your account, orders, and Services
• Provide customer support
• Personalize your experience and deliver relevant content
• Send you marketing communications (with your consent, where required)
• Detect and prevent fraud and abuse
• Comply with legal obligations

3.3 Web Behavior and Device Information

We use Web Behavior and Device Information to:

• Operate, maintain, and improve our website and Services
• Analyze usage patterns and trends
• Measure the effectiveness of our advertising campaigns
• Provide personalized advertising on third-party platforms (subject to your cookie consent choices)

Important: As described in our Cookie and Tracking Disclosure, certain Web Behavior and Device Information—including information about products you purchase—may be transmitted to third-party analytics and advertising providers. Because a product purchase on our website may indicate that you have ordered a genetic test, we treat purchase conversion data with heightened sensitivity. Please see Section 7 (Third-Party Tracking Technologies) and our Cookie and Tracking Disclosure for details on how we handle this data and how you can exercise your choices.

3.4 Aggregate and De-identified Information

We may use Aggregate Information and De-identified Information for research, product improvement, publication, and other purposes. Such information cannot reasonably be used to identify you. If you consent to participate in our Research Program (see our separate Research Consent document), your De-identified Information may be included in research datasets.

4. How We Share Your Information

We do not sell your Genetic Information. We share your information only in the following circumstances:

4.1 Service Providers

We share information with third-party service providers who perform services on our behalf, such as payment processors, cloud hosting providers, customer support platforms, shipping carriers, and email service providers. These providers are contractually required to use your information only to provide services to us and are prohibited from using it for their own purposes.

4.2 Laboratory Partners

Your biological sample is processed at our laboratory facilities. Sample processing involves the generation of Genetic Information from your sample. Our laboratory operations are subject to strict confidentiality, security, and quality control requirements.

4.3 Third-Party Analytics and Advertising

Our ecommerce website uses third-party analytics and advertising tools, including Meta (Facebook) Pixel, Google Analytics, Google Tag Manager, and Microsoft advertising tools. These tools may receive Web Behavior and Device Information, including information about purchase transactions, paired with cookie-based identifiers. For full details, see our Cookie and Tracking Disclosure.

We do not deploy third-party tracking pixels, session replay tools, or advertising beacons on authenticated pages where your Genetic Information, reports, or test results are displayed.

4.4 Research Collaborators

If you provide separate, explicit consent through our Research Consent document, we may share your De-identified Information with approved research collaborators for scientific research purposes. You may withdraw your research consent at any time without affecting your access to the Services.

4.5 Legal Requirements

We may disclose your information if required to do so by law, regulation, legal process, or governmental request. We may also disclose information to enforce our Terms of Service, protect the rights, property, or safety of Dante Labs, our users, or the public, or to detect, prevent, or address fraud, security, or technical issues. Dante Labs will not voluntarily cooperate with law enforcement requests for customer Genetic Information without a valid court order, warrant, or subpoena, except where we believe in good faith that disclosure is necessary to prevent imminent harm to life.

4.6 Business Transactions

In the event of a merger, acquisition, bankruptcy, dissolution, reorganization, or similar corporate transaction, your information may be transferred to a successor entity. In any such transaction, we will require the successor entity to honor the commitments made in this Privacy Statement with respect to your Genetic Information. See Section 12 (Bankruptcy and Corporate Transaction Protections) for additional details.

5. Data Storage and Security

5.1 Where We Store Your Data

Dante Labs stores customer data using secure cloud infrastructure. Your Genetic Information is stored on servers located within the United States. Biological sample processing occurs at our laboratory facilities in Italy, after which raw sequencing data is transferred to and stored on U.S.-based servers. For Texas residents, please see Section 10.4 (Texas Genomic Act Compliance) for additional data storage commitments.

5.2 Security Measures

We implement administrative, technical, and physical safeguards designed to protect your information, including:

• Encryption of Genetic Information at rest and in transit using industry-standard protocols (AES-256 encryption at rest; TLS 1.2+ in transit)
• Access controls limiting employee access to Genetic Information on a need-to-know basis
• Multi-factor authentication for internal systems containing Genetic Information
• Regular security assessments and penetration testing
• Employee training on data privacy and security
• Incident response procedures for suspected data breaches

No method of transmission over the Internet or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee absolute security.

5.3 Data Retention

We retain your information as follows:

• Biological Samples: Your biological sample is destroyed promptly after sequencing is complete and your results are delivered, unless you explicitly opt in to extended sample storage.
• Genetic Information: We retain your Genetic Information for the duration of your account, plus a period of up to three (3) years following account deletion, after which it is permanently deleted. You may request earlier deletion at any time (see Section 8, Your Rights).
• Account Information: We retain Account Information for the duration of your account and for a reasonable period thereafter to comply with legal obligations, resolve disputes, and enforce agreements.
• Web Behavior and Device Information: We retain automatically collected data for up to twenty-four (24) months, after which it is aggregated or deleted.

6. Sample Storage and Biobanking

Dante Labs destroys your biological sample promptly after your genome sequencing is complete and your results have been delivered to you. We do not retain biological samples beyond the period necessary to complete sequencing and quality control.

If you wish to have your biological sample stored for a longer period (for example, to enable future re-analysis with improved technologies), you may opt in to extended sample storage at the time of purchase or through your account settings. If you opt in to extended storage:

• Your sample will be stored in a secure, climate-controlled facility
• You may request destruction of your stored sample at any time by contacting hello@dantelabs.com
• We will confirm destruction of your sample in writing within thirty (30) days of your request
• In the event of a corporate transaction or bankruptcy, stored samples will be treated in accordance with Section 12 of this Privacy Statement

If you do not opt in to extended storage, your sample is destroyed after results delivery. This destruction is irreversible, and we will not be able to perform additional analyses on a destroyed sample.

7. Third-Party Tracking Technologies

Our ecommerce website (dantelabs.com and us.dantelabs.com) uses third-party tracking technologies for analytics, advertising measurement, and conversion optimization. These technologies are described in detail in our separate Cookie and Tracking Disclosure.

Important Notice Regarding Genetic Testing Status: Because Dante Labs is a genomics company, a purchase on our website may reveal to third-party analytics providers that you have ordered a genetic test. Certain state laws, including the Illinois Genetic Information Privacy Act (GIPA), treat the disclosure of the fact that an individual has undergone genetic testing as protected information. We have implemented safeguards to minimize the risk of such disclosure, including:

• Configuring purchase conversion events to transmit only generic transaction data (purchase amount) without product names, categories, or identifiers that reveal the genetic nature of the purchase, where technically feasible
• Providing you with a meaningful choice to opt in or opt out of advertising and analytics cookies before they fire, through our cookie consent mechanism
• Not deploying any third-party tracking pixels, session replay tools, or advertising beacons on authenticated account pages where your Genetic Information, reports, or results are displayed

For Illinois residents, please see Section 10.2 (Illinois GIPA Compliance). For all users, please see our Cookie and Tracking Disclosure for a complete list of tracking technologies and your options.

8. Your Rights

Depending on where you live, you may have some or all of the following rights with respect to your personal information:

• Access: You may request a copy of the personal information we hold about you.
• Deletion: You may request that we delete your personal information, including your Genetic Information, Account Information, and biological sample (if stored). Upon receiving and verifying your request, we will delete your information within the timeframes required by applicable law.
• Correction: You may request that we correct inaccurate personal information.
• Data Portability: You may request a copy of your Genetic Information in a commonly used, machine-readable format (e.g., VCF file).
• Opt-Out of Sale/Sharing: We do not sell your Genetic Information. For information about opting out of the sharing of Web Behavior and Device Information for targeted advertising, please see our Cookie and Tracking Disclosure.
• Withdrawal of Consent: Where we rely on your consent to process information (such as for research participation or marketing communications), you may withdraw your consent at any time.
• Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights.

To exercise any of these rights, please contact us at dpo@dantelabs.com or by mail at the address listed in Section 15. We will respond to verified requests within the timeframes required by applicable law (generally 30–45 days). We may need to verify your identity before processing your request.

9. Data Breach Notification

In the event of a security breach involving your personal information, Dante Labs will:

• Investigate the breach promptly and take steps to contain it and mitigate harm
• Notify affected individuals within the timeframes required by applicable law. Many states require notification within 30 to 60 days of discovery. Where no specific state deadline applies, we will provide notification within sixty (60) days of confirming the breach
• Notify applicable state attorneys general and regulatory authorities as required by law
• Provide affected individuals with a description of the breach, the types of information involved, the steps we are taking to address it, and recommendations for steps you can take to protect yourself
• Offer appropriate remediation measures, which may include credit monitoring, identity theft protection, or other services, depending on the nature and severity of the breach

If you believe your Dante Labs account has been compromised, please contact us immediately at dpo@dantelabs.com.

10. State-Specific Privacy Disclosures

10.1 California (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA”), provides you with specific rights regarding your personal information.

Categories of Personal Information Collected: In the preceding twelve (12) months, we have collected the following categories of personal information: identifiers (name, email, mailing address); personal information categories listed in Cal. Civ. Code §1798.80(e) (name, address, payment information); protected classification characteristics (sex, age); commercial information (purchase history, products purchased); internet or other electronic network activity information (browsing history, interactions with our website); geolocation data (inferred from IP address); sensory data (biological samples); sensitive personal information (Genetic Information, precise geolocation, account credentials); and inferences drawn from the above.

Categories of Personal Information Sold or Shared: We do not “sell” personal information as defined by the CCPA. We may “share” (as defined by the CCPA) Web Behavior and Device Information with third-party advertising partners through cookies and similar technologies for cross-context behavioral advertising. You may opt out of such sharing through our cookie consent mechanism or by contacting us.

Sensitive Personal Information: Genetic Information is “sensitive personal information” under the CCPA. We use Genetic Information only to provide you with our genome sequencing and reporting services and do not use it for advertising or profiling purposes. You have the right to limit the use and disclosure of your sensitive personal information.

Your California Privacy Rights: As a California resident, you have the right to: (1) know what personal information we collect, use, disclose, and sell or share; (2) request deletion of your personal information; (3) request correction of inaccurate personal information; (4) opt out of the sale or sharing of your personal information; (5) limit the use and disclosure of your sensitive personal information; and (6) not be discriminated against for exercising these rights.

To exercise these rights, contact us at dpo@dantelabs.com or call us at [phone number]. We will verify your identity using the email address associated with your account. You may designate an authorized agent to submit requests on your behalf, provided the agent presents written authorization.

10.2 Illinois Genetic Information Privacy Act (GIPA)

The Illinois Genetic Information Privacy Act (410 ILCS 513/1 et seq.) provides protections for genetic testing information of Illinois residents.

Our Commitments Under GIPA:

• We will not disclose your Genetic Information, or the fact that you have undergone genetic testing, to any third party without your prior written consent, except as permitted by GIPA
• We will not disclose your Genetic Information to any insurance company, employer, or their agents
• We obtain affirmative, written consent through our Genetic Data Consent Form before any sharing of genetic testing information with third parties
• We have implemented safeguards to prevent the inadvertent disclosure of your genetic testing status through ecommerce tracking technologies (see Section 7)

Your Rights Under GIPA: If you are an Illinois resident and believe that your rights under GIPA have been violated, you may bring an action for the greater of actual damages or statutory damages of $2,500 per negligent violation or $15,000 per intentional or reckless violation, plus reasonable attorney’s fees and costs. To raise a concern, please contact us at dpo@dantelabs.com.

10.3 Washington My Health My Data Act

If you are a Washington state resident, the My Health My Data Act (RCW 19.373) provides additional protections for consumer health data, which includes Genetic Information.

Consumer Health Data We Collect: We collect Genetic Information (genome sequencing data and derived reports), health history and Self-Reported Information you provide, and information about your purchase of genetic testing services.

Purposes of Collection: We collect consumer health data for the purpose of providing you with genome sequencing and reporting services, improving our products, and, with your separate consent, for scientific research.

Categories of Third Parties with Whom We Share Consumer Health Data: We share consumer health data with laboratory service providers (for sample processing), cloud hosting providers (for data storage), and, with your separate written consent, research collaborators.

How to Exercise Your Rights: Washington residents have the right to: (1) confirm whether we are collecting, sharing, or selling their consumer health data; (2) request access to their consumer health data; (3) request deletion of their consumer health data; and (4) withdraw consent for the collection and sharing of consumer health data. Contact us at dpo@dantelabs.com. We will not discriminate against you for exercising these rights.

10.4 Texas Genomic Act (HB 130) Compliance

Effective September 1, 2025, the Texas Genomic Act of 2025 (Texas Health & Safety Code, Chapter 174) imposes requirements on entities that conduct genome sequencing research or testing on Texas residents. Dante Labs is committed to full compliance with the Texas Genomic Act.

Foreign Adversary Equipment and Software: Dante Labs does not use genome sequencers or genome sequencing-related software produced by or on behalf of a “foreign adversary” (as defined by the Act to include China, Cuba, Iran, North Korea, Russia, and Venezuela) or any entity domiciled in, controlled by, or owned by a foreign adversary country. Our sequencing operations use equipment manufactured by Illumina, Inc., a U.S.-headquartered company.

Data Storage: Genome sequencing data of Texas residents is stored within the United States. We employ reasonable encryption and cybersecurity practices to protect this data, and we ensure that genome sequencing data of Texas residents is not accessible to individuals located within the borders of a foreign adversary country.

Bankruptcy Protections: In compliance with the Texas Genomic Act, Dante Labs will not sell or otherwise transfer genomic sequencing data of Texas residents to a foreign adversary or any entity domiciled in or controlled by a foreign adversary, including as part of a bankruptcy proceeding or plan of reorganization. See Section 12 for additional bankruptcy protections.

Annual Compliance Certification: Dante Labs submits an annual certification to the Texas Attorney General by December 31 of each year confirming compliance with the Texas Genomic Act, as required by the Act.

Your Rights Under the Texas Genomic Act: Texas residents who are harmed by the storage or use of their genome sequencing data in violation of the Act may bring a private cause of action and are entitled to recover the greater of actual damages or statutory damages of up to $5,000 per violation, plus court costs and reasonable attorney’s fees.

10.5 Indiana Consumer Genetic Testing Protections (HB 1521)

Indiana law imposes requirements on companies offering direct-to-consumer genetic testing to Indiana residents. Dante Labs complies with these requirements, including:

• Providing clear and complete information about how Genetic Information is collected, used, and disclosed
• Obtaining informed consent before collecting, using, or disclosing Genetic Information
• Providing mechanisms for Indiana residents to access, download, and delete their Genetic Information
• Implementing security measures to protect Genetic Information
• Destroying biological samples within the timeframes specified by applicable Indiana law

10.6 Other State Genetic Privacy Laws

In addition to the states identified above, several other states have enacted or are considering genetic privacy protections. Dante Labs monitors developments in state genetic privacy law and is committed to complying with applicable requirements in all jurisdictions where we offer our Services. If you have questions about your rights under the laws of your state, please contact us at dpo@dantelabs.com.

11. Children’s Privacy

Dante Labs Services are available only to individuals who are at least 18 years old. We do not knowingly collect personal information from anyone under the age of 18. If a parent or legal guardian wishes to order our Services on behalf of a minor child, the parent or guardian must create the account, provide consent, and assume full responsibility for the minor’s use of the Services and the handling of the minor’s Genetic Information.

12. Bankruptcy and Corporate Transaction Protections

We understand that the security of your Genetic Information extends beyond normal business operations. In the event that Dante Labs enters bankruptcy, dissolution, receivership, or undergoes a merger, acquisition, or other corporate transaction:

• Genetic Information Will Not Be Treated as a Freely Transferable Asset. We will seek to ensure that any successor entity or acquirer is contractually bound to honor the commitments in this Privacy Statement.
• You Will Be Notified. We will provide you with notice of any proposed transfer of your Genetic Information as part of a corporate transaction, to the extent permitted by law and the applicable court or regulatory authority.
• You Will Have an Opportunity to Delete. Where feasible and permitted by law, we will provide you with an opportunity to request deletion of your Genetic Information before it is transferred to a successor entity.
• Foreign Adversary Restrictions. In compliance with the Texas Genomic Act and consistent with our values, we will not sell or transfer genomic sequencing data to any foreign adversary or entity controlled by a foreign adversary, including in a bankruptcy proceeding.
• Ongoing Privacy Protections. Any successor entity that receives your Genetic Information will be required to provide protections at least as strong as those described in this Privacy Statement, or to delete the information.

We recognize that the recent experiences of other consumer genomics companies in bankruptcy proceedings have raised legitimate concerns about the disposition of genetic data. We are committed to providing the strongest protections practicable for your Genetic Information in all circumstances.

13. Do Not Track Signals

Some web browsers transmit “Do Not Track” (DNT) signals. Our website responds to DNT signals by disabling non-essential tracking cookies when a DNT signal is detected. You may also manage your cookie preferences through our cookie consent mechanism.

14. Changes to This Privacy Statement

We may update this Privacy Statement from time to time. If we make material changes, we will notify you by posting the updated Privacy Statement on our website with a revised “Last Updated” date, and, where required by law or where the change is material, by sending you an email notification. Your continued use of the Services after the effective date of any updated Privacy Statement constitutes your acceptance of the changes.

15. Contact Us

If you have questions, concerns, or requests regarding this Privacy Statement or our privacy practices, please contact us:

Privacy Administrator

Dante Labs International Inc.

667 Madison Ave, FL 5

New York, NY 10065

USA

Email: dpo@dantelabs.com

15. PRIVACY NOTICE ADDENDUM FOR EUROPEAN RESIDENTS

EEA, United Kingdom, and Switzerland

Last Updated: April 12, 2026

This Privacy Notice for European Residents (“Notice”) supplements the Dante Labs Privacy Statement and explains how Dante Labs International Inc (“Dante Labs,” “we,” “our,” or “us”) complies with data protection obligations specifically applicable to individuals located in the European Economic Area (“EEA”), the United Kingdom (“UK”), and Switzerland.

This Notice should be read together with our Privacy Statement, Cookie and Tracking Disclosure, Terms of Service, and our EU/EEA Terms of Service Addendum. Capitalized terms not defined in this Notice have the meanings set forth in our Privacy Statement. Where this Notice conflicts with our Privacy Statement, this Notice shall prevail for individuals to whom it applies.

1. Data Controller

Dante Labs International Inc is the “controller” of your personal data within the meaning of the EU General Data Protection Regulation (Regulation (EU) 2016/679, the “GDPR”), the UK General Data Protection Regulation (“UK GDPR”), and the Swiss Federal Act on Data Protection (“FADP”). This means we determine the purposes and means of processing your personal data when you use our Services.

Our contact details are:

Dante Labs International Inc

[Address, City, State, ZIP, United States]

Email: dpo@dantelabs.com

Phone: [phone number]

2. EU and UK Representative

Pursuant to Article 27 of the GDPR and Article 27 of the UK GDPR, Dante Labs has appointed a representative in the European Union and the United Kingdom for data protection matters:

EU Representative:

[Representative Name]

[Address, EU Member State]

Email: [eu-representative email]

UK Representative:

[Representative Name]

[Address, United Kingdom]

Email: [uk-representative email]

You may contact our EU or UK representative for any matters related to the processing of your personal data under the GDPR or UK GDPR.

3. Data Protection Officer

Dante Labs has appointed a Data Protection Officer (“DPO”) who can be contacted for any questions or concerns regarding our processing of your personal data:

Data Protection Officer

Dante Labs International Inc

Email: dpo@dantelabs.com

4. Categories of Personal Data We Process

We process the following categories of personal data, as described in detail in our Privacy Statement:

• Identity Data: Name, date of birth, sex assigned at birth
• Contact Data: Email address, mailing address, phone number
• Account Data: Account credentials, account preferences
• Financial Data: Payment card details (processed by our third-party payment provider), purchase history
• Genetic Data (Special Category): Raw DNA sequencing data, variant calls, genome analysis results, derived reports. Under Article 9 of the GDPR, genetic data is a “special category of personal data” that requires additional protections and a specific legal basis for processing.
• Health Data (Special Category): Self-reported health information, health predisposition reports derived from genetic analysis. Health data is also a special category of personal data under Article 9.
• Technical Data: IP address, browser type and version, device identifiers, operating system, time zone settings
• Usage Data: Information about how you use our website and Services, including pages visited, features used, and clickstream data
• Biological Samples: Saliva or other biological samples you submit for sequencing (destroyed after processing unless you opt in to extended storage)

5. Legal Bases for Processing

Under the GDPR, we must have a lawful basis for each processing activity. The table below sets out the legal bases we rely on for the principal ways we process your personal data:

5.1 Explicit Consent for Genetic and Health Data

Because your Genetic Information and health data are “special categories of personal data” under Article 9 of the GDPR, we require your explicit consent before processing this data. You provide this explicit consent when you:

• Submit your biological sample and affirmatively agree to our Terms of Service and Genetic Data Consent Form, authorizing us to sequence your genome and generate reports
• Separately opt in to our Research Program through our Research Consent document

You may withdraw your consent for the processing of special category data at any time (see Section 7). Withdrawal of consent does not affect the lawfulness of processing carried out before your withdrawal.

5.2 Legitimate Interests

Where we rely on legitimate interests as a legal basis for processing, we have conducted a balancing test to ensure that our interests do not override your fundamental rights and freedoms. Our legitimate interests include operating and improving our Services, ensuring the security and integrity of our systems, preventing fraud, and communicating with you about your account. We do not rely on legitimate interests as a legal basis for processing special category data (Genetic Information or health data).

6. International Data Transfers

Dante Labs is headquartered in the United States. Your personal data will be transferred to, stored, and processed in the United States. Biological sample processing occurs at our laboratory facilities in Italy.

When we transfer your personal data outside the EEA, UK, or Switzerland to countries that have not been recognized by the European Commission, the UK Information Commissioner’s Office (“ICO”), or the Swiss Federal Data Protection and Information Commissioner (“FDPIC”) as providing an adequate level of data protection, we rely on the following safeguards:

6.1 Standard Contractual Clauses

For transfers of personal data from the EEA to the United States, we have implemented the European Commission’s Standard Contractual Clauses (SCCs) adopted pursuant to Commission Implementing Decision (EU) 2021/914. For transfers from the UK, we use the UK International Data Transfer Addendum to the EU SCCs. These contractual mechanisms require the data importer to protect your personal data in accordance with EEA/UK data protection standards.

6.2 EU-U.S. Data Privacy Framework

[If applicable: Dante Labs has certified its compliance with the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (“Swiss-U.S. DPF”) as set forth by the U.S. Department of Commerce. Dante Labs adheres to the EU-U.S. DPF Principles and the Swiss-U.S. DPF Principles with regard to the processing of personal data received from the EEA, UK, and Switzerland. To learn more about the Data Privacy Framework program and view our certification, please visit https://www.dataprivacyframework.gov/.]

[Alternatively, if Dante Labs has not yet certified: Dante Labs is evaluating certification under the EU-U.S. Data Privacy Framework and currently relies on Standard Contractual Clauses as the primary transfer mechanism for personal data from the EEA, UK, and Switzerland to the United States.]

6.3 Italy (Laboratory Processing)

Italy is a member of the European Economic Area. Transfers of personal data from other EEA countries to Italy do not require additional safeguards. For transfers from the UK to Italy, we rely on the UK adequacy decision for EEA countries.

6.4 Supplementary Measures

In addition to the legal transfer mechanisms described above, we implement supplementary technical and organizational measures to protect your data during and after transfer, including:

• Encryption of personal data in transit (TLS 1.2+) and at rest (AES-256)
• Pseudonymization of Genetic Information where technically feasible
• Access controls limiting access to personal data to authorized personnel on a need-to-know basis
• Contractual obligations on sub-processors to maintain equivalent security standards
• Regular assessment of the legal regime in the destination country to evaluate potential risks to data protection

7. Your Rights Under the GDPR, UK GDPR, and FADP

As an individual located in the EEA, UK, or Switzerland, you have the following rights with respect to your personal data. These rights are subject to certain conditions and exceptions under applicable law.

7.1 Right of Access (Article 15)

You have the right to request confirmation as to whether we process your personal data and, if so, to obtain access to that data together with information about the purposes of processing, the categories of data concerned, the recipients to whom data has been disclosed, and the retention period.

7.2 Right to Rectification (Article 16)

You have the right to request correction of inaccurate personal data and, taking into account the purposes of the processing, completion of incomplete personal data.

7.3 Right to Erasure (‘Right to Be Forgotten’) (Article 17)

You have the right to request the deletion of your personal data in certain circumstances, including where the data is no longer necessary for the purpose for which it was collected, where you withdraw consent and no other legal basis exists, or where the data has been unlawfully processed. Upon a verified erasure request, we will:

• Delete your Account Information, Self-Reported Information, and Genetic Information from our active systems
• Instruct our service providers and sub-processors to delete your data
• Destroy any stored biological sample, if applicable
• Remove your data from any future research datasets (data already distributed to research collaborators in de-identified form prior to your request may not be retrievable)

We may retain certain data where required by law (e.g., for tax, legal, or regulatory compliance purposes), in which case we will inform you.

7.4 Right to Restriction of Processing (Article 18)

You have the right to request that we restrict the processing of your personal data in certain circumstances, including where you contest the accuracy of the data, where the processing is unlawful but you oppose erasure, where we no longer need the data but you require it for legal claims, or where you have objected to processing and verification is pending.

7.5 Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller. For Genetic Information, we provide the ability to download your raw data files (VCF format) and reports through your account dashboard.

7.6 Right to Object (Article 21)

You have the right to object to processing of your personal data where we rely on legitimate interests as our legal basis. Upon receiving an objection, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or where the processing is necessary for the establishment, exercise, or defense of legal claims.

You have the absolute right to object to the processing of your personal data for direct marketing purposes at any time. Upon such objection, we will cease processing your data for direct marketing without exception.

7.7 Right to Withdraw Consent (Article 7(3))

Where we rely on your consent as the legal basis for processing (including for the processing of special category data such as Genetic Information), you have the right to withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.

You may withdraw consent by:

• Changing your cookie preferences through the “Your Privacy Choices” link on our website
• Updating your research participation preference in your account settings
• Contacting us at hello@dantelabs.com or dpo@dantelabs.com

7.8 Right Not to Be Subject to Automated Decision-Making (Article 22)

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. Dante Labs does not make decisions based solely on automated processing that produce legal or similarly significant effects on you. Our genome reports provide informational and educational content and do not constitute medical diagnoses or decisions with legal or similarly significant effects.

7.9 How to Exercise Your Rights

To exercise any of the above rights, please contact us at hello@dantelabs.com or dpo@dantelabs.com. We will verify your identity before processing your request and will respond within one (1) month of receipt. If your request is complex or we have received a large number of requests, we may extend this period by up to two additional months, in which case we will inform you of the extension and the reasons for it within one month of receipt.

Exercising your rights is free of charge. However, if your request is manifestly unfounded or excessive, we may charge a reasonable fee or refuse to act on the request, in accordance with Article 12(5) of the GDPR.

8. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including to satisfy legal, accounting, or reporting requirements. Our specific retention periods are set forth in Section 5.3 of our Privacy Statement. In determining the appropriate retention period, we consider the amount, nature, and sensitivity of the data, the potential risk of harm from unauthorized use or disclosure, the purposes for which we process the data, whether we can achieve those purposes through other means, and applicable legal requirements.

For EEA, UK, and Swiss residents, the following additional principles apply:

• We will not retain personal data longer than necessary for the specified purpose
• Where consent is the legal basis and you withdraw consent, we will delete the relevant data promptly, subject to any legal retention obligations
• You may request deletion at any time under your right to erasure (Section 7.3)

9. Cookies and the ePrivacy Directive

In compliance with the ePrivacy Directive (2002/58/EC, as amended) and its national implementations, we obtain your prior, informed, and freely given consent before placing any non-essential cookies or similar technologies on your device. This includes analytics cookies, functional cookies, and marketing/advertising cookies.

Our cookie consent mechanism:

• Presents clear information about each category of cookie before consent is given
• Does not use pre-checked boxes or implied consent
• Allows you to accept or reject each category of non-essential cookies individually
• Does not make access to the Services conditional on acceptance of non-essential cookies
• Records your consent and allows you to change or withdraw consent at any time through the “Your Privacy Choices” link

For complete details about the cookies and tracking technologies we use, please see our Cookie and Tracking Disclosure.

10. Children’s Data

Dante Labs Services are intended for individuals aged 18 and older. We do not knowingly collect or process personal data from children under 16 years of age (or such lower age as may be applicable in your country for the provision of information society services) without the consent of a parent or legal guardian. If you become aware that a child has provided us with personal data without parental consent, please contact us at dpo@dantelabs.com, and we will take steps to delete such information.

11. Data Protection Impact Assessments

Given the sensitive nature of Genetic Information and the large-scale processing involved in our Services, Dante Labs has conducted Data Protection Impact Assessments (“DPIAs”) in accordance with Article 35 of the GDPR. These assessments evaluate the necessity and proportionality of our processing activities, the risks to the rights and freedoms of data subjects, and the measures we have implemented to address those risks. We review and update our DPIAs periodically and when we introduce new processing activities that may pose a high risk to data subjects.

12. Sub-Processors

We engage third-party sub-processors to assist in providing our Services. In accordance with Article 28 of the GDPR, all sub-processors are bound by data processing agreements that require them to process personal data only on our documented instructions, to implement appropriate technical and organizational security measures, to assist us in fulfilling data subject rights, to delete or return data at the end of the engagement, and to make available all information necessary to demonstrate compliance.

Our principal categories of sub-processors include:

• Cloud Hosting and Infrastructure: Servers located in the United States for data storage and processing
• Laboratory Services: Sample processing at facilities in Italy (within the EEA)
• Payment Processing: Third-party payment processors for transaction processing
• Customer Support: Customer service platforms and tools
• Email and Communications: Email service providers for transactional and marketing communications

A list of our current sub-processors is available upon request by contacting dpo@dantelabs.com.

13. Technical and Organizational Security Measures

In accordance with Article 32 of the GDPR, we implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

• Pseudonymization and encryption of personal data
• Measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services
• Measures to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
• A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of processing

For further details, see Section 5.2 of our Privacy Statement.

14. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, Dante Labs will notify the competent supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach, in accordance with Article 33 of the GDPR.

Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, we will also communicate the breach to affected data subjects without undue delay, in accordance with Article 34 of the GDPR, unless one of the exceptions set forth in Article 34(3) applies.

15. Complaints and Supervisory Authorities

If you believe that our processing of your personal data infringes the GDPR, UK GDPR, or FADP, you have the right to lodge a complaint with a supervisory authority in the EU Member State of your habitual residence, your place of work, or the place of the alleged infringement.

Relevant supervisory authorities include:

• EEA: A list of EEA supervisory authorities is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en
• United Kingdom: Information Commissioner’s Office (ICO), https://ico.org.uk/make-a-complaint/
• Switzerland: Federal Data Protection and Information Commissioner (FDPIC), https://www.edoeb.admin.ch/

We encourage you to contact us first at hello@dantelabs.com or dpo@dantelabs.com so that we may attempt to resolve your concern before you escalate to a supervisory authority.

16. Changes to This Notice

We may update this Notice from time to time. If we make material changes, we will notify you by email or by posting a prominent notice on our website. Where required by law, we will re-obtain your consent for processing activities that are based on consent.

17. Contact Information

For any questions or concerns regarding this Notice or our data protection practices, please contact:

Data Protection Officer

Dante Labs International Inc

667 Madison Ave

FL 5

New York, NY 10065

USA

Email: dpo@dantelabs.com

Privacy Administrator

Email: dpo@dantelabs.com