PRIVACY POLICY FOR THE ELECTRONIC SERVICE USER ACCOUNT AND MEDCOURSES PORTAL

TABLE OF CONTENTS

1. GENERAL PROVISIONS

2. GROUNDS FOR DATA PROCESSING

3. PURPOSE, LEGAL BASIS AND PERIOD OF DATA PROCESSING

4. DATA RECIPIENTS

5. PROFILING

6. RIGHTS OF THE DATA SUBJECT

7. COOKIES, USAGE DATA AND ANALYTICS

8. FINAL PROVISIONS

1. GENERAL PROVISIONS

1.1. This Privacy Policy is for information purposes. The Privacy Policy sets out the rules concerning the processing of personal data by the Controller when the User uses the User Account and participates in the pilot programme. Within its scope, the Policy indicates the legal grounds for data processing, the purposes and period of personal data processing, and the rights of data subjects.

1.2. The controller of personal data is Bethink Spółka z ograniczoną odpowiedzialnością with its registered office in Poznań (registered office address and address for service: ul. Ułańska 3, 60-748 Poznań); entered in the Register of Entrepreneurs of the National Court Register under KRS number 0000668811; registry court in which the company's documentation is kept: District Court Poznań - Nowe Miasto and Wilda in Poznań, 8th Commercial Division of the National Court Register, NIP: 7811943756, REGON: 366802351; e-mail address: info@medcourses.com - hereinafter referred to as the "Controller"

1.3. The Controller has appointed a Data Protection Officer who may be contacted at the following e-mail address: dpo@medcourses.com.

1.4. Personal data are processed by the Controller in accordance with applicable provisions of law, in particular in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) - hereinafter referred to as the "GDPR" or the "GDPR Regulation". The official text of the GDPR Regulation: http://eur-lex.europa.eu/legal-content/PL/TXT/?uri=CELEX%3A32016R0679

1.5. Use of the User Account and participation in the pilot programme are voluntary. Likewise, the related provision of personal data by the User is voluntary, subject to two exceptions: (1) entering into contracts with the Controller - failure to provide, in the cases and to the extent indicated in the User Account Terms and Conditions, the personal data necessary to enter into and perform the agreement for the provision of the Electronic Service with the Controller results in the inability to enter into that agreement. In such a case, providing personal data is a contractual requirement and, if the data subject wishes to enter into a contract with the Controller, the data subject is obliged to provide the required data. In each case, the scope of data required to enter into a contract is indicated in the Terms and Conditions; (2) statutory obligations of the Controller - providing personal data is a statutory requirement arising from generally applicable provisions of law imposing on the Controller an obligation to process personal data (e.g. processing data for the purpose of keeping accounting books), and failure to provide such data will prevent the Controller from performing those obligations.

1.6. The Controller exercises particular care to protect the interests of persons whose personal data are processed by it, and in particular is responsible for and ensures that the data collected by it are: (1) processed lawfully; (2) collected for specified, lawful purposes and not further processed in a manner incompatible with those purposes; (3) substantively accurate and adequate in relation to the purposes for which they are processed; (4) kept in a form which permits identification of the persons to whom they relate for no longer than is necessary to achieve the purpose of processing; and (5) processed in a manner ensuring appropriate security of personal data, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage, by means of appropriate technical or organisational measures.

1.7. Taking into account the nature, scope, context and purposes of processing, as well as the risk of infringement of the rights or freedoms of natural persons of varying likelihood and severity, the Controller implements appropriate technical and organisational measures to ensure that processing is carried out in accordance with this Regulation and to be able to demonstrate this. Those measures are reviewed and updated where necessary. The Controller applies technical measures preventing unauthorised persons from obtaining and modifying personal data transmitted electronically.

1.8. All words, expressions and acronyms appearing in this Privacy Policy and beginning with a capital letter (e.g. Service Provider, User Account) shall be understood in accordance with their definitions set out in the Terms and Conditions of the Electronic Service - User Account: https://cms.landing.bethink.tech/assets/medcourses/legal/medcourses-terms-of-use-1.1.pdf and https://cms.landing.bethink.tech/assets/medcourses/legal/medcourses-user-account-terms-1.1.pdf

2. GROUNDS FOR DATA PROCESSING

2.1. The Controller is entitled to process personal data where - and to the extent that - at least one of the following conditions is met: (1) the data subject has consented to the processing of his or her personal data for one or more specified purposes; (2) processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract; (3) processing is necessary for compliance with a legal obligation to which the Controller is subject; or (4) processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

2.2. Processing of personal data by the Controller requires in each case the existence of at least one of the grounds indicated in section 2.1 of the Privacy Policy. The specific grounds for the processing of Users' personal data by the Controller are indicated in the following section of the Privacy Policy - with reference to the given purpose of personal data processing by the Controller.

3. PURPOSE, LEGAL BASIS AND PERIOD OF DATA PROCESSING

3.1. In each case, the purpose, basis and period, as well as the recipients of personal data processed by the Controller, result from the actions undertaken by a given User within the User Account.

3.2. The Controller may process personal data when the User uses the User Account for the following purposes, on the following bases, for the following periods and within the following scope:

4. DATA RECIPIENTS

4.1. For the proper functioning of the User Account, including for the performance of contracts concluded, it is necessary for the Controller to use the services of external entities (such as, for example, a software provider). The Controller uses only the services of such processors that provide sufficient guarantees of implementing appropriate technical and organisational measures so that processing meets the requirements of the GDPR Regulation and protects the rights of data subjects.

4.2. Personal data may be transferred by the Controller to a third country (i.e. outside the European Economic Area), provided that the Controller ensures that in such a case the transfer will take place to a country ensuring an adequate level of protection - in accordance with the GDPR Regulation, and that the data subject has the possibility of obtaining a copy of his or her data. The Controller transfers the personal data collected only where and to the extent necessary to achieve a given purpose of data processing consistent with this Privacy Policy. Personal data may be transferred outside the European Economic Area, including to:

4.2.1. Google LLC with its registered office in Mountain View, United States (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA), in connection with the use of the e-mail system and tools forming part of Google Workspace (previously G Suite and Google Apps for Work), for statistical and administrative purposes and in connection with the use of the Google reCAPTCHA mechanism to ensure security;

4.2.2. The Rocket Science Group LLC, 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, Georgia 30308, USA - the provider of the Mailchimp service enabling the Controller to send messages.

4.2.3. Atlassian Pty Ltd c/o Atlassian, Inc. with its registered office at 1098 Harrison Street, San Francisco, CA 94103, USA - the provider of the Atlassian Jira Software service used by the Controller to plan and track the process of creating and implementing the Online Portal software.

4.2.4. Functional Software, Inc. dba Sentry, 45 Fremont Street, 8th Floor, San Francisco, CA 94105, USA - the provider of an application used by the Controller to monitor, diagnose, repair and optimise the Online Portal software.

4.2.5. Mailgun Technologies, Inc., 112 E Pecan St #1135, San Antonio, TX 78205, USA - the provider of software enabling the Controller to send messages, including transactional messages.

4.2.6. Meta Platforms, Inc., 1 Hacker Way, Menlo Park, CA 94025, California, USA, represented by Meta Platforms Ireland Limited - the provider of services ensuring the maintenance of relations with users, including account support activities.

4.2.7. Freshworks, Inc. - 2950 S. Delaware Street, Suite 201, CA 94403, San Mateo, USA, which provides technical support ticket handling.

4.2.8. Zapier, Inc., 548 Market St, San Francisco, California 94104, USA - the provider of an application ensuring the automation of messages sent.

4.2.9. Amazon.com, Inc. - 410 Terry Avenue North, Seattle, WA 98109-5210, USA, ensuring the archiving of documentation.

4.2.10. OpenAI, Inc. - with its registered office in San Francisco, USA (3180 18th Street, San Francisco, CA 94110), providing a service consisting in acting as a substantive assistant answering course participants' questions on the basis of information contained in the courses.

4.2.11. Stripe, Inc. - with its registered office c/o The Corporation Trust Company Corporation Trust Center, 1209 Orange St, Wilmington, DE 19801, United States - the provider of electronic payments.

4.3. The transfer of data by the Controller does not take place in every case and not to all recipients or categories of recipients indicated in the Privacy Policy - the Controller transfers data only when it is necessary to achieve a given purpose of personal data processing and only to the extent necessary to achieve it.

4.4. Users' personal data may be transferred to the following recipients or categories of recipients:

4.4.1. entities handling electronic payments or payment card payments - in the case of a User who uses an electronic payment method or payment card payment, the Controller makes the collected personal data available to the selected entity handling the above payments on the Online Portal on behalf of the Controller to the extent necessary to handle the payment;

4.4.2. service providers supplying the Controller with technical, IT and organisational solutions (in particular providers of computer software for operating the website, the newsletter handling system, providers of e-mail and hosting services, and providers of technical assistance to the Controller) - the Controller makes the collected personal data available to the selected provider acting on its behalf only where and to the extent necessary to achieve a given purpose of data processing consistent with this section of the Privacy Policy;

4.4.3. providers of accounting, legal and advisory services providing accounting, legal or advisory support to the Controller (in particular an accounting office, law firm or debt collection company) - the Controller makes the collected personal data available to the selected provider acting on its behalf only where and to the extent necessary to achieve a given purpose of data processing consistent with this section of the Privacy Policy;

4.4.4. other Users - the User Account also serves joint learning, the exchange of knowledge and experience, and communication between Users - therefore contact details, including other data voluntarily disclosed by the User, may be visible to other Users of the Portal;

4.4.5. providers of opinion survey systems - in the case of a User who has agreed to express an opinion, the Controller makes the collected personal data of the User available to the selected entity providing the opinion survey system on behalf of the Controller to the extent necessary for the User to express an opinion using the opinion survey system;

4.4.6. chat service providers - providing a communication service with the User based on artificial intelligence (AI) solutions, including:

4.4.6.1. Qdrant Solutions GmbH - with its registered office in Germany (Chausseestraße 86, 10115 Berlin), in order to ensure the provision by the Controller of services offered within the Online Portal by ensuring communication with the customer.

4.4.6.2. OpenAI, Inc - with its registered office in San Francisco, USA (3180 18th Street, San Francisco, CA 94110), providing a service consisting in acting as a substantive assistant answering course participants' questions on the basis of information contained in the courses.

4.4.7. providers of embedded social plug-ins, scripts and other similar tools enabling the browser of the person visiting the Online Portal website to download content from the providers of the above-mentioned plug-ins (e.g. login using social networking service login data) and to transfer, for this purpose, the visitor's personal data to those providers, including also:

4.4.7.1. Facebook Ireland Ltd. - the Controller uses social plug-ins of the Facebook service on the Online Portal website (e.g. Like! button, Share, Messenger or logging in using Facebook login data) and therefore collects and makes available the personal data of a User using the Online Portal website to Facebook Ireland Ltd. (4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland) to the extent and in accordance with the privacy rules available here: https://www.facebook.com/about/privacy/ (these data include information about actions - including information about the device, websites visited, purchases, advertisements viewed and the manner of use of services - irrespective of whether the User has a Facebook account and whether he or she is logged in to Facebook). Detailed information and rules concerning data processing can be found here

4.4.8. marketing service providers, in particular Google LLC with its registered office in Mountain View, United States (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA), Google Ireland Ltd. (Gordon House Barrow Street Dublin 4, D04E5W5 Ireland), TikTok Technology Limited (10 Earlsfort Terrace, Dublin, D02 T380, Ireland) and Facebook Ireland Ltd. (4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland) - the Controller collects information made available by users and transfers it to the above entities in order to conduct remarketing activities, i.e. to target personalised advertisements to those users and to target and create groups of persons similar to those users in order to direct marketing communications to them. Detailed information and rules concerning data processing by the above entities can be found respectively:

4.4.8.1. for data transferred to Google LLC and Google Ireland Ltd. - here;

4.4.8.2. for data transferred to Facebook Ireland Ltd. - here;

4.4.8.3. for data transferred to TikTok Technology Limited - here.

4.5. In the case of the User's participation in the pilot programme, the User's personal data will, on the basis of consent given by the User, be disclosed to the User's University as part of the implementation of an individual purpose of personal data processing. In that case, the University becomes a separate controller of personal data, independently deciding on the methods and purposes of personal data processing.

5. PROFILING

5.1. The GDPR Regulation imposes on the Controller an obligation to provide information about automated decision-making, including profiling referred to in Article 22(1) and (4) of the GDPR Regulation, and - at least in those cases - meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the data subject. Bearing this in mind, the Controller provides information concerning possible profiling in this section of the Privacy Policy.

5.2. The Controller may use profiling within the User Account for direct marketing purposes; however, decisions made by the Controller on its basis do not concern the conclusion of, or refusal to allow the use of, Electronic Services or other services and products of the Service Provider. The effect of using profiling may be, for example, the display of tailored content.

5.3. Profiling consists in the automatic analysis or prediction of a person's behaviour, e.g. by browsing a specific page, or by analysing the previous history of pages viewed or other activities within the Educational Universe. A condition for such profiling is that the Controller holds personal data of the person concerned.

5.4. The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning that person or similarly significantly affects that person.

6. RIGHTS OF THE DATA SUBJECT

6.1. Right of access, rectification, restriction, erasure or portability - the data subject has the right to request from the Controller access to his or her personal data, their rectification, erasure ("right to be forgotten") or restriction of processing, and has the right to object to processing, as well as the right to data portability. Detailed conditions for exercising the above rights are indicated in Articles 15-21 of the GDPR Regulation.

6.2. Right to withdraw consent at any time - where the data of a person are processed by the Controller on the basis of consent given (pursuant to Article 6(1)(a) or Article 9(2)(a) of the GDPR Regulation), that person has the right to withdraw consent at any time without affecting the lawfulness of processing carried out on the basis of consent before its withdrawal.

6.3. Right to lodge a complaint with the supervisory authority - a person whose data are processed by the Controller has the right to lodge a complaint with the supervisory authority in the manner and according to the procedure specified in the provisions of the GDPR Regulation and Polish law, in particular the Personal Data Protection Act. The supervisory authority in Poland is the President of the Personal Data Protection Office.

6.4. Right to object - the data subject has the right at any time to object, on grounds relating to his or her particular situation, to the processing of personal data concerning him or her based on Article 6(1)(e) (public interest or public tasks) or (f) (legitimate interest of the controller), including profiling based on those provisions. In such a case, the Controller may no longer process those personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or grounds for the establishment, exercise or defence of claims.

6.5. Right to object to direct marketing - where personal data are processed for direct marketing purposes, the data subject has the right at any time to object to the processing of personal data concerning him or her for such marketing, including profiling, to the extent that the processing is related to such direct marketing.

6.6. In order to exercise the rights referred to in this section of the Privacy Policy, the Controller may be contacted by sending an appropriate message in writing or by e-mail to the Controller's address indicated at the beginning of the Privacy Policy.

7. COOKIES, USAGE DATA AND ANALYTICS

7.1. Cookies are small textual pieces of information in the form of text files, sent by the server and stored on the side of the person using the User Account (e.g. on the hard drive of a computer or laptop, or on the memory card of a smartphone - depending on the device used by the User). Detailed information concerning Cookies, as well as the history of their creation, can be found, among other places, here: https://pl.wikipedia.org/wiki/HTTP_cookie

7.2. Cookies that may be sent while using the User Account or the website on which a User Account may be created may be divided into various types according to the following criteria:

7.3. The Controller may process data contained in Cookies for the following specific purposes:

7.4. It is possible to check, in the most popular web browsers, which Cookies (including the operating period of the Cookies and their provider) are sent at a given moment in the following manner:

7.5. As standard, most web browsers available on the market accept the storage of Cookies by default. Everyone has the option to specify the conditions for the use of Cookies using the settings of their own web browser. This means that it is possible, for example, to partially limit (e.g. temporarily) or completely disable the possibility of storing Cookies - in the latter case, however, this may affect certain functionalities of the User Account (for example, it may be necessary to log in again when using another functionality of the User Account).

7.6. Web browser settings relating to Cookies are important from the perspective of consent to the use of Cookies by the Controller - in accordance with the law, such consent may also be expressed through the web browser settings. Detailed information on changing Cookie settings and deleting them independently in the most popular web browsers is available in the help section of the web browser and on the following pages (simply click the given link):

• in Chrome browser

• in Firefox browser

• in Internet Explorer browser

• in Opera browser

• in Safari browser

• in Microsoft Edge browser

7.7. The Controller enables Users to manage Cookies using the function available at https://medcourses.com/ in the lower part of the page, "Cookie preferences".

7.8. The Controller may use Google Analytics and Universal Analytics services provided by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland). These services help the Controller keep statistics and analyse traffic when using the User Account. The collected data are processed within the above services to generate statistics useful in administering the User Account and analysing traffic while using the User Account. These data are aggregated. When using the above services, the Controller collects such data as the sources and medium of acquisition of visitors and the manner of their behaviour while using the User Account, information about the devices and browsers from which they visit the site, IP and domain, geographical data and demographic data (age, gender) and interests.

7.9. The use of Google Analytics 4 (a tool for analysing Website statistics) in conjunction with other Google products such as Google Signals, Google Ads and Google Tag Manager may result in:

7.9.1. linking the identifier stored in the cookie (Cookie ID) with the identifier of the user who created the account (user ID) in order to create profiled audience lists or conduct in-depth user analysis;

7.9.2. collecting website and application data to make it possible to better understand the User journey;

7.9.3. measurement without the use of cookies, and modelling of behaviour and conversions;

7.9.4. analysing data on websites in order to optimise marketing activities and areas on the website.

7.9.5. using predictive functions which suggest recommended actions without the use of complex models; the Controller,

7.9.5.1. for analytical purposes, may use the Clarity tool by analysing data on websites in order to optimise marketing activities and areas on the website.

7.9.5.2. for marketing and remarketing purposes, the Controller may also use the TikTok Ads tool - these activities consist in conducting marketing campaigns and tailoring the content presented to users.

7.10. It is possible for a given person to easily block the sharing of information about his or her activity with Google Analytics - for this purpose, for example, one may install a browser add-on made available by Google Ireland Ltd., available here: https://tools.google.com/dlpage/gaoptout?hl=pl

7.11. The Controller may use the Facebook Pixel service provided by Facebook Ireland Limited (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland). This service helps the Controller measure the effectiveness of advertisements and learn what actions visitors take while using the User Account, as well as display tailored advertisements to those persons. Detailed information on the operation of Facebook Pixel can be found at the following internet address: https://www.facebook.com/business/help/742478679120153?helpref=page_content

7.12. Managing the operation of Facebook Pixel is possible through advertising settings in one's account on Facebook.com: https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen

8. FINAL PROVISIONS

8.1. The User Account may contain links to other websites or elements. The Controller encourages Users, after moving to other websites or elements, to familiarise themselves with the privacy policy established there. This Privacy Policy applies to the Portal and the User Account, including participation in the pilot programme.