1. INTRODUCTION
1.1. Tandem Health AB ("Tandem Health", "we", "us", or "our") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, share, and protect your information when you visit our website at www.tandemhealth.ai (the "Website"), contact us or request information about our products and services, express interest in or evaluate our healthcare SaaS platform (the "Platform"), or when you are in contact with us for any other business purpose.
1.2. We will treat your personal data confidentially and in accordance with statutory data protection regulations. Such legal provisions are, in particular, Regulation (EU) 2016/679 (General Data Protection Regulation, "GDPR"), and applicable national data privacy laws.
1.3. This policy does not cover personal data about our employees, job applicants, or consultants, which are addressed in separate policies.
1.4. We act as a data controller for personal data we process about you for the operation of this website and the provision of the services offered on this website to our customers, as described in this Privacy Policy.
1.5. When you use our Platform as an end user, we instead act as a data processor, as explained in clause 10 below.
1.6. Important notice for patients and end users of our Platform: If your personal data is processed within the Platform by your healthcare provider or organization, this Privacy Policy does not govern how that organization uses your data. Your healthcare provider acts as the data controller for such processing, and you should refer to their own privacy notice for details about how your data is handled. For more information about our role as a data processor in these circumstances, please see clause 10 below.
1.7. This Privacy Policy serves to inform you in accordance with Articles 13 and 14 of the GDPR.
2. WHO WE ARE AND HOW TO CONTACT US
2.1. Tandem Health AB is registered in Sweden with registration number 559444-6857 with address Malmskillnadsgatan 44A, 111 57 Stockholm, Sweden.
2.2. For privacy-related inquiries, contact us by email at dpo@tandemhealth.ai, or by post to Data Protection Officer, Tandem Health AB, Malmskillnadsgatan 44A, 111 57 Stockholm, Sweden.
3. PERSONAL DATA WE COLLECT
3.1. The personal data we process relating to you is mainly collected from you when you visit and use our website or when we come into contact with you — e.g. via email, telephone or personal meetings, conferences, conventions or similar occasions. We may also collect your personal data from a third party, usually from the company or organization you represent.
3.2. The personal data we collect depends on how you interact with us.
3.3. When you visit our website, we collect technical data including IP address, browser type and version, operating system, device information, referring URLs, pages visited, and time and date of visits. We also collect data through cookies and similar tracking technologies as described in our Cookie Policy, and approximate location data derived from your IP address.
3.4. When you contact us as an enquirer or prospective or existing customer, we collect identity and contact data such as your name, job title, organization name, email address, and telephone number. We also collect communication content you provide in enquiry forms, emails, calls, or meetings, your marketing preferences and consent to receive marketing communications, and meeting and event data from demonstrations, webinars, conferences, or trade events.
3.5. We may receive data from third parties, including publicly available professional information from sources such as LinkedIn, company websites, or professional directories for business development purposes. We also receive data from analytics providers, advertising partners, and social media platforms in accordance with their privacy policies, as well as referrals and recommendations from existing customers, partners, or professional networks.
3.6. As part of the services offered through our Platform, we process special categories of data, in particular health data (including patient data, diagnosis, treatment, etc.), as a data processor on behalf of our clients.
4. LEGAL BASIS FOR PROCESSING
4.1. This section explains the legal reasons we are allowed to collect and use your personal data. We must always have a valid legal basis under data protection law before processing your information.
4.2. We only process your personal data where we have a lawful basis under the GDPR and applicable national data protection laws. Processing may be based on multiple legal bases. Should one of the legal bases cease to apply — for example, because you withdraw your consent or object to the processing of your personal data — the processing of your personal data may still be lawful because it is based on another legal basis.
4.3. You are not obliged to provide us with your personal data. However, if you decide not to provide us with your data or only provide it in part, you may not be able to use our services or only use them to a limited extent.
4.4. When you visit our website, we rely on legitimate interests under Article 6(1)(f) GDPR for website analytics, security monitoring, responding to enquiries, business-to-business direct marketing, fraud prevention, and improving our services, where our interests are not overridden by your rights. We also rely on consent under Article 6(1)(a) GDPR where you have freely given specific, informed, and unambiguous consent — including placing non-essential cookies or sending electronic marketing to individual consumers (as opposed to business contacts). You may withdraw consent at any time.
4.5. When we collect personal data in relation to potential business relationships and to maintain and develop existing business relationships, our legal basis is legitimate interest under Article 6(1)(f) GDPR, where our legitimate interest is to create, maintain, and develop a business relationship with you or the company or organization you represent.
4.6. When we collect personal data in relation to the conclusion and performance of contracts, our legal basis is performance of a contract under Article 6(1)(b) GDPR, as the processing is necessary to conclude and perform a contract with you or the company or organization you represent. If you are acting on behalf of someone else — e.g. in the capacity of representative of a partner or supplier — our processing is carried out based on our legitimate interests under Article 6(1)(f) GDPR, where our legitimate interest is to conclude and perform the agreement with the company or organization you represent.
4.7. We may also process your personal data in order to fulfil our legal obligations according to law or other statutes to which we are subject (including tax, accounting, regulatory, or safeguarding obligations), or if we are subject to orders or decisions by courts or authorities which require us to process your personal data. The legal basis for this is Article 6(1)(c) GDPR. We may also process your personal data so that you, the company or organization you represent, we, or any relevant third party can establish, exercise, or defend legal claims. The legal basis for this is our legitimate interest under Article 6(1)(f) GDPR, where our legitimate interest is to establish, exercise, or defend such claims.
5. HOW WE USE YOUR PERSONAL DATA
5.1. For website visitors, we use your data to operate, maintain, and secure our website, analyze website traffic and improve user experience, detect and prevent fraud, security incidents, and illegal activity, and comply with legal and regulatory obligations.
5.2. For potential business relationships and to maintain and develop existing business relationships, we use your data to respond to your enquiry, question, or request for information, schedule and conduct product demonstrations, webinars, or meetings, send you relevant information about our products, services, and industry developments, manage our sales pipeline and customer relationship management (CRM) records, improve our marketing and business development activities, and comply with legal and regulatory obligations.
5.3. For the administration and performance of contracts, we use your data for communication and administration related to any contract between us and you or the company or organization you represent. This includes, among other things, invoicing and customary contract management, as well as follow-up and documentation of contract-related matters.
6. HOW WE SHARE YOUR PERSONAL DATA
6.1. We do not sell, rent, or trade your personal data to third parties. Your personal data will not be disclosed to unspecified recipients. We will only disclose your personal data to third parties to the extent necessary to pursue our legitimate business objectives or as required by applicable law, and always in accordance with applicable law and with appropriate safeguards implemented through contractual agreements.
6.2. We may share your personal data with service providers and sub-processors who process data on our behalf, including cloud hosting providers, CRM and marketing automation platforms, customer support tools, analytics services, payment processors, and IT security providers. All such parties are subject to strict contractual obligations to process data only on our documented instructions and in compliance with applicable data protection law.
6.3. We may share your data with group companies within our corporate group if necessary or otherwise appropriate, including when providing services in countries other than Sweden.
6.4. We may share your data with professional advisers, including lawyers, accountants, auditors, tax advisers, and insurers who provide consultancy, legal, accounting, audit, tax, insurance, and other professional services.
6.5. We may share your data with regulatory and law enforcement authorities, including government agencies, regulators, law enforcement bodies, courts, and other public authorities where required or permitted by law, or to establish, exercise, or defend legal rights and claims.
6.6. In connection with any merger, acquisition, reorganization, sale of assets, or insolvency proceeding, your data may be transferred to prospective buyers, investors, or successors, subject to equivalent data protection safeguards.
6.7. We require all third-party service providers to respect the security and confidentiality of your personal data, process data only in accordance with our instructions and applicable data protection law, implement appropriate technical and organizational security measures, and notify us promptly of any security incidents or data breaches.
7. INTERNATIONAL TRANSFERS
7.1. Tandem Health is based in Sweden and operates within the European Economic Area (EEA). However, your personal data may be transferred to, stored in, and processed in countries outside the EEA where our service providers, group companies, or partners are located.
7.2. When we transfer personal data outside the EEA, we ensure that appropriate safeguards are in place to protect your data. These safeguards include transfers to countries recognized by the European Commission as providing an adequate level of data protection, use of Standard Contractual Clauses (SCCs) approved by the European Commission, and other appropriate safeguards recognized under applicable data protection law.
8. HOW LONG WE KEEP YOUR DATA
8.1. We retain personal data only for as long as necessary to fulfill the purposes for which it was collected and to comply with legal, accounting, regulatory, and contractual requirements. Your personal data may be retained for longer if required or authorized by applicable laws or regulations.
8.2. Aggregated and anonymized data that no longer identifies individuals may be retained indefinitely for research, statistical analysis, and product development purposes.
8.3. When personal data is no longer required for the purposes set out in this policy, we securely delete or irreversibly anonymize it in accordance with our data retention and deletion procedures.
8.4. In certain circumstances, we may retain your data for longer periods where required or permitted by law, including to comply with legal, regulatory, or contractual obligations, to establish, exercise, or defend legal claims, with your explicit consent, or where necessary for archiving purposes in the public interest, scientific or historical research, or statistical purposes, subject to appropriate safeguards.
9. DATA SECURITY
9.1. We implement robust technical and organizational security measures to protect your personal data against unauthorized or unlawful access, processing, disclosure, alteration, destruction, loss, or damage.
9.2. Our security measures include encryption of data in transit using Transport Layer Security (TLS 1.2 or higher) and encryption of data at rest using industry-standard algorithms. We implement multi-factor authentication (MFA) for user accounts and administrative access, role-based access controls and the principle of least privilege, and regular security assessments, vulnerability scans, and penetration testing conducted by independent third parties. We maintain 24/7 security monitoring, intrusion detection, and incident response capabilities, follow secure software development lifecycle practices including code reviews and security testing, and maintain regular backups with secure, encrypted storage and tested recovery procedures. We also provide comprehensive staff training on data protection, information security, and privacy best practices, and implement physical security controls at data center facilities, including access controls, surveillance, and environmental protections.
9.3. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority (such as the Swedish Authority for Privacy Protection or other competent national data protection authority) without undue delay and, where feasible, within 72 hours of becoming aware of the breach. We will notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms, and we will document all data breaches, including the facts, effects, and remedial actions taken.
9.4. While we implement industry-leading security measures, no method of electronic transmission or storage is completely secure, and we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials and for notifying us immediately of any unauthorized access to or use of your account.
10. OUR ROLE: DATA CONTROLLER AND DATA PROCESSOR
10.1. This section explains the different roles we play when handling your personal data. Depending on how you interact with us, we may be responsible for deciding how your data is used, or we may process it on behalf of your organization.
10.2. Tandem as data controller. When you visit our website, submit an enquiry, request information, or express interest in our products and services, Tandem Health acts as a data controller. This means we determine the purposes and means of processing your personal data in accordance with this Privacy Policy.
10.3. Tandem as data processor. When our Platform is used by a customer organization (such as a healthcare provider, clinic, hospital, or other entity), that customer organization is typically the data controller for personal data processed within the Platform. This includes patient data, health records, and clinical information, end user account data for healthcare professionals and staff, and other personal data uploaded, entered, or generated within the Platform by the customer.
10.4. In the circumstances described in clause 10.3, Tandem Health acts as a data processor on behalf of the customer organization. As a data processor, we process personal data only in accordance with the customer's documented instructions as set out in the applicable Data Processing Agreement (DPA) or equivalent contractual terms. We do not use that data for our own purposes (other than as explicitly permitted under the DPA), we implement appropriate technical and organizational security measures to protect the data, we assist the customer in responding to data subject rights requests and in ensuring compliance with data protection obligations, we notify the customer without undue delay upon becoming aware of a personal data breach, and we delete or return all personal data to the customer at the end of the provision of services, unless retention is required by applicable law.
10.5. If you are an end user or patient whose data is processed within the Platform provided to your healthcare provider or organization, that organization — not Tandem Health — is the data controller responsible for your personal data. You should direct any questions, requests, or complaints about how your data is processed to that organization, and that organization's privacy notice applies to the processing of your data within the Platform.
10.6. This Privacy Policy describes Tandem Health's own processing activities as a data controller. For information about our data processing activities on behalf of customer organizations, please refer to the applicable Data Processing Agreement or contact the relevant customer organization.
11. YOUR DATA PROTECTION RIGHTS
11.1. This section describes the rights you have over your personal data, including how to access, correct, or delete your information, and how to make a complaint if you are unhappy with how we handle it.
11.2. Under the GDPR and applicable national data protection laws, you have comprehensive rights in relation to your personal data.
11.3. Right of access (Article 15 GDPR). You have the right to obtain confirmation as to whether we process your personal data and, if so, to request access to that data and receive a copy, along with information about the processing.
11.4. Right to rectification (Article 16 GDPR). You have the right to request correction of inaccurate or incomplete personal data concerning you.
11.5. Right to erasure (Article 17 GDPR). You have the right to request deletion of your personal data in certain circumstances, including where the data is no longer necessary for the purposes for which it was collected, you withdraw consent and there is no other legal basis for processing, you object to processing based on legitimate interests and there are no overriding legitimate grounds, the data has been unlawfully processed, or erasure is required to comply with a legal obligation.
11.6. Right to restriction of processing (Article 18 GDPR). You have the right to request that we limit how we use your data in certain circumstances, including where you contest the accuracy of the data, the processing is unlawful and you oppose erasure, we no longer need the data but you require it for legal claims, or you have objected to processing pending verification of whether our legitimate grounds override yours.
11.7. Right to data portability (Article 20 GDPR). Where processing is based on consent or contract and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit that data to another controller.
11.8. Right to object (Article 21 GDPR). You have the right to object at any time to processing of your personal data based on legitimate interests, unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is necessary for legal claims. You also have the right to object to processing of your personal data for direct marketing purposes, including profiling related to such marketing, in which case we will cease processing for such purposes.
11.9. Rights related to automated decision-making (Article 22 GDPR). You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects concerning you, unless such decision is necessary for entering into or performing a contract, is authorized by applicable law, or is based on your explicit consent.
11.10. Right to withdraw consent. Where processing is based on your consent, you may withdraw it at any time, without affecting the lawfulness of processing carried out before its withdrawal.
11.11. Tandem Health does not currently engage in solely automated decision-making, including profiling, that produces legal effects concerning data subjects or similarly significantly affects them within the meaning of Article 22 GDPR. Where the Platform incorporates automated features or algorithms, these are used solely to support and assist human decision-making and do not produce decisions based solely on automated processing. If Tandem Health introduces any such automated decision-making or profiling in the future, we will update this Privacy Policy to provide full disclosure and will ensure that appropriate safeguards are in place, including the right to obtain human intervention, to express your point of view, and to contest the decision.
11.12. To exercise any of these rights, please contact us by email at dpo@tandemhealth.ai, or by post to Data Protection Officer, Tandem Health AB, Malmskillnadsgatan 44A, 111 57 Stockholm, Sweden. Please provide sufficient information to enable us to identify and verify your identity, and specify which right you wish to exercise and the scope of your request. We will respond to your request within one (1) calendar month of receipt, or inform you if we require an extension of up to two (2) further months due to the complexity or number of requests.
11.13. We will not charge a fee for processing your request unless your request is manifestly unfounded or excessive, in particular due to its repetitive character, or you request further copies of your data beyond the first copy. We may refuse to act on your request where we are unable to verify your identity, the request is manifestly unfounded, excessive, or repetitive, an exemption applies under applicable data protection law, or complying with the request would adversely affect the rights and freedoms of others.
11.14. If you are dissatisfied with how we handle your request or have concerns about our data processing practices, you have the right to lodge a complaint with a supervisory authority. In Sweden, this is Integritetsskyddsmyndigheten (Swedish Authority for Privacy Protection), Box 8114, 104 20 Stockholm, Sweden; www.imy.se. In other EU/EEA countries, you may complain to the supervisory authority in your country of habitual residence, place of work, or the place where the alleged infringement occurred. You can find a list of EU/EEA supervisory authorities at https://edpb.europa.eu/about-edpb/board/members_en.
11.15. You also have the right to seek judicial remedy before a competent court if you believe your data protection rights have been infringed.
12. COOKIES AND TRACKING TECHNOLOGIES
12.1. Our website uses cookies and similar tracking technologies to enhance your browsing experience, analyze website usage, and deliver personalized content and advertising. Cookies are small pieces of information that a website stores on your device. Cookies can be "persistent cookies" or "session cookies" from "first-party" or "third-party" sources. Collection of information by use of cookies is carried out based on your consent, unless they are strictly necessary in order for you to be able to use our website in an appropriate manner. Please see our Cookie Policy for further information about how Tandem uses cookies.
13. THIRD-PARTY LINKS AND SERVICES
13.1. Our website may contain links to third-party websites, applications, services, or content that are not owned, operated, or controlled by Tandem Health, including partner and customer websites, social media platforms, service providers and integrations, and informational resources and industry publications.
13.2. We are not responsible for the privacy practices, content, or security of any third-party websites or services, the collection, use, or disclosure of your personal data by third parties, or any loss, damage, or other consequences arising from your use of third-party websites or services.
13.3. When you click on a third-party link or access a third-party service, you leave our website and are subject to the privacy policy and terms of service of that third party.
13.4. We strongly encourage you to read the privacy policies and terms of service of any third-party websites or services you visit or use, as their practices may differ significantly from ours.
13.5. The inclusion of any link on our website does not imply endorsement, recommendation, or approval by Tandem Health of the linked website, its content, or its privacy practices.
13.6. If you choose to share your personal data with third parties through integrations, plugins, or other features available through our Platform, you do so at your own risk, and we are not responsible for how those third parties process your data.
14. MARKETING COMMUNICATIONS
14.1. We may send you marketing communications about our products, services, events, webinars, industry news, and other information we believe may be of interest to you, subject to applicable law and your communication preferences.
14.2. Our legal basis for sending marketing communications is your consent where you have opted in to receive such communications, or our legitimate interests in promoting our business to existing and prospective customers, where permitted by law (for example the "soft opt-in" for existing customers under Article 13(2) of the EU Privacy and Electronic Communications Directive 2002/58/EC, or national rules permitting unsolicited business-to-business communications).
14.3. You have the right to opt out of receiving marketing communications at any time by clicking the "unsubscribe" or "opt-out" link included in every marketing email we send, updating your communication preferences in your account settings (for registered users), contacting us at support@tandemhealth.ai with your request, or following any other opt-out mechanism provided in the communication.
15. ADDITIONAL PROVISIONS FOR UK-BASED CUSTOMERS AND USERS
15.1. The following provisions apply to customers, users, and data subjects located in the United Kingdom. They supplement the rest of this Privacy Policy and address the specific requirements of the UK data protection framework.
15.2. Where Tandem Health processes the personal data of individuals ordinarily resident in the United Kingdom, Tandem Health complies with the UK General Data Protection Regulation (UK GDPR), as incorporated into UK domestic law by the European Union (Withdrawal) Act 2018, and the Data Protection Act 2018. In the event of any conflict between the UK data protection framework and the EU GDPR provisions set out elsewhere in this Privacy Policy, the UK framework shall prevail in respect of UK data subjects.
15.3. The independent regulator responsible for data protection in the United Kingdom is the Information Commissioner's Office (ICO). If you are a UK-based individual and you consider that Tandem Health has not handled your personal data in accordance with applicable law, you have the right to raise a complaint with the ICO. This right is without prejudice to any right you may have to seek a judicial remedy before a competent court under Article 79 UK GDPR.
15.4. Where personal data relating to UK individuals is transferred to a country outside the United Kingdom, Tandem Health ensures that an appropriate transfer mechanism is in place as required by Chapter 5 UK GDPR. Recognised mechanisms include transfer to a country subject to UK adequacy regulations made by the Secretary of State, use of the International Data Transfer Agreement (IDTA) issued by the ICO, or use of the ICO's International Data Transfer Addendum to the EU Standard Contractual Clauses (the UK Addendum). UK customers may request a copy of the applicable transfer mechanism documentation by contacting dpo@tandemhealth.ai.
15.5. Where Tandem Health is engaged by a UK healthcare provider, NHS organisation, or independent clinic to process patient or service-user data within the Platform, Tandem Health acts as a data processor within the meaning of Article 4(8) UK GDPR. In such cases, processing is carried out under a Data Processing Agreement that satisfies the requirements of Article 28 UK GDPR. Tandem Health supports customer organisations in meeting their obligations under the NHS Data Security and Protection (DSP) Toolkit, including by maintaining relevant technical and organisational security measures and providing documentation of its data processing activities on request.
15.6. UK-based customers and users with queries relating to data protection compliance, including requests for Data Processing Agreement documentation or transfer mechanism records, should contact our Data Protection Officer by email at dpo@tandemhealth.ai, or by post to Data Protection Officer, Tandem Health AB, Malmskillnadsgatan 44A, 111 57 Stockholm, Sweden.
16. CHANGES TO THIS PRIVACY POLICY
16.1. We may update this Privacy Policy from time to time to reflect changes in our data processing practices or services, changes in applicable data protection law or regulatory requirements, technological developments or industry best practices, or feedback from users, regulators, or other stakeholders.
16.2. When we make material changes to this Privacy Policy, we will notify you by posting the updated policy on our website with a new "Last Updated" date, sending you an email notification at the email address associated with your account (where we have your contact details and the change materially affects your rights), or displaying a prominent notice on our website or within the Platform prior to the changes taking effect.
16.3. We will provide you with at least 30 days advance notice of any material changes that adversely affect your rights or significantly alter how we process your personal data.
16.4. The "Last Updated" date at the top of this Privacy Policy indicates when it was most recently revised. We encourage you to review this policy periodically to stay informed about how we protect your personal data.
16.5. If you do not agree to the changes, you should discontinue use of our services and contact us to discuss your options, which may include account closure or data deletion, subject to our legal obligations.
17. CONTACT US
17.1. If you have any questions, concerns, requests, or complaints relating to this Privacy Policy or how we handle your personal data, please contact us by email at dpo@tandemhealth.ai, or by post to Data Protection Officer, Tandem Health AB, Malmskillnadsgatan 44A, 111 57 Stockholm, Sweden.
Last updated: April 16, 2026