PRIVACY POLICY

Radformation, Inc. (“we”, “our”, “us”, or “Radformation”) is committed to protecting the privacy and security of your personal information. We take care to protect the privacy of our (currently thousands of) customers and users of our products that communicate (online or offline) with us via email; over the phone; on social media platforms; at events; and through our website https://www.radformation.com/ (the “Site”) and any applications on this domain, including RadMachine (“Apps”). The Site and Apps shall be known together as the “Services”.

We have therefore developed this privacy policy (“Policy”) to inform you of the data we collect, what we do with your information, what we do to keep it secure, and the rights and choices that you have over your personal information. By using our Services, you are acknowledging that you understand and agree to the terms of this Policy, and consent to the types of information and the manner in which we may collect, use and disclose such information. If you do not agree to the terms of this Policy, please do not use the Services.

We may change this Privacy Notice from time to time (for example, if the law changes). We will alert you that changes have been made by indicating on the Policy the date it was updated. This Policy was last updated on February 28, 2025. Each time you access the Services, the most recent version of the Policy will apply. Your continued use of the Services following the posting of changes to these terms will mean you accept those changes. We recommend that you check this policy regularly to keep up to date.

Throughout this document we refer to “data protection legislation,” which means the Data Protection Act 2018 (DPA2018), United Kingdom General Data Protection Regulation (UK GDPR), the Privacy and Electronic Communications (EC Directive) Regulations 2003, all the foregoing as amended from time to time, and any legislation implemented in connection with the aforementioned legislation. Where data is processed by a controller or processor established in the European Union or comprises the data of people of the European Union, it also includes the EU General Data Protection Regulation (EU GDPR). This includes any replacement legislation coming into effect from time to time.

Radformation is the controller for the personal information we process, unless otherwise stated.

Our data protection manager is: Reanna Knoll rknoll@radformation.com

Our European Union notified body is BSI Group (Netherlands) NB 2797

The Information Commissioner's Office (ICO) regulates data protection and privacy matters in the UK. They make a lot of information accessible to consumers on their website and they ensure that the registered details of all data controllers such as ourselves are available publicly. You can access them here https://ico.org.uk/for-the-public You can make a complaint to the ICO at any time about the way we use your information. However, we hope that you would consider raising any issue or complaint you have with us first. Your satisfaction is extremely important to us, and we will always do our very best to solve any problems you may have.

1. "Data controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by law, the controller may be provided for in law.

2. "Data processor" means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

3. "Data protection legislation" means the Data Protection Act 2018 (DPA2018), United Kingdom General Data Protection Regulation (UK GDPR), the Privacy and Electronic Communications (EC Directive) Regulations 2003, all the foregoing as amended from time to time, and any legislation implemented in connection with the aforementioned legislation. Where data is processed by a controller or processor established in the European Union or comprises the data of people in the European Union, it also includes the EU General Data Protection Regulation (EU GDPR). This includes any replacement legislation coming into effect from time to time.

4. "Data protection manager (DPM)" means the individual responsible for Radformation’s GDPR compliance. Has many of the duties of a Data Protection Officer as described in GDPR Art. 37. Radformation’s DPM is Reanna Knoll (rknoll@radformation.com).

5. "Data subject" means an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

6. "Personal data" or "personal information" means any information relating to a living data subject. Personal data that Radformation gathers may include individuals' phone numbers, personal and professional email addresses, educational background, financial and pay details, details of certificates and diplomas, education and skills, marital status, nationalities, job titles, right-to-work information, employment records and contacts, and CVs. Personal data does not include data where any features which could identify individuals have been removed (anonymous data).

7. "Processing" means any operation or set of operations which is performed on personal data or on sets of personal data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Processing may be wholly or partly by automated means (i.e., by computer, apps or other digital system), or by other means (i.e., paper records) that form part of filing system or are intended to form part of a filing system.

8. "Supervisory authority" means the national body responsible for data protection. Radformation’s supervisory authority is consolidated with their human resources office.

9. "Third party" means a service provider (including contractors and designated agents) affiliated with Radformation.

No personal information is collected, stored, or shared in ways other than those specified in this Policy.

We only collect personal information that we know we will genuinely use and in accordance with data protection legislation. The type of personal information that we will collect about you and that you voluntarily provide to us via any on- or offline communication medium may include some or all of the following:

• Name
• Date of birth
• Mailing address
• Telephone number
• Email address
• Email preferences
• Survey responses
• IP address

We may, in further dealings with you, extend this personal information to include your purchases, services and subscriptions, records of conversations, and agreements and payment transactions.

You are under no statutory or contractual requirement or obligation to provide us with your personal information; however, we require the ability to uniquely identify your account and your country of residence in order to effectively manage your account.

We do not collect the following information:

• Financial details (e.g., income, salary, insurance details, bank details)
• Medical record numbers
• Family lifestyle (e.g., children, marital status, social status)
• Racial or ethnic origin
• Health data (e.g., treatment, health condition, mental health status, physical health data) including images
• Religious beliefs
• Criminal offenses or proceedings

The legal basis for processing your data is based on your specific consent, performance of a contract/compliance with a legal obligation, your vital interest, and/or our legitimate interest, as established at the point the information was initially provided. Therefore we will not store, process or transfer your data unless we have an appropriate lawful reason to do so.

The Services are not intended for use by children under the age of 13, and Radformation does not knowingly collect or use any personal information from such children. If we become aware that we have unknowingly collected personal information from a child under the age of 13, we will make commercially reasonable efforts to delete such personal information from our database.

Whenever you use the Site, we and/or our service providers may use a variety of technologies that automatically collect information about how the Site is accessed and used (“Usage Information”).Usage Information may include, in part, browser type, operating system, the page viewed, the time, how many users visited the Site, and the website you visited immediately before the Site. This statistical data provides us with information about the use of the Site, such as how many visitors visit a specific page on the Site, how long they stay on that page, which websites they are coming from and which hyperlinks, if any, they “click” on. Usage Information helps us to keep the Site user friendly and to provide visitors with readily accessible and helpful information. We may also use your Usage Information to troubleshoot issues with access or use of our Site. Usage Information is generally non-identifying, but if we associate it with you as a specific and identifiable person, we treat it as Personal Information.

We believe that such technology usage is fair, lawful, and proportional to the legitimate interest and needs of our business, and that our methodology fairly addresses each user’s legitimate rights and expectations in view of the context and purpose for the collection and use of the information collected.

In the course of collecting Usage Information we may also collect your IP address, MAC Address or other unique identifier (each a “Device Identifier”) for the computer, mobile device, internet provider or other technology (collectively, “Device”) you use to access the Site. A Device Identifier is a number that is automatically assigned to your Device when you access a web site or its servers. Our computers identify your Device by its Device Identifier. When you visit the Site, we may view your Device Identifier. We use this information to identify repeat visitors to our Site. We also may use this information to enhance the Site and troubleshoot issues with access or use of our Site. We may associate your Device Identifier with your Personal Information.

The technologies used on the Services, including Device Identifiers, to collect Usage Information may include, without limitation:

Cookies – Cookies are data files placed on a Device when it is used to utilize the Services. We may use cookies to collect and store certain information about you. We may use both session cookies (which expire once you close your web browser) and persistent cookies (which stay on your computer until you delete them). In some countries, we are not permitted to send cookies to the browser of a user without the prior consent of the affected user. In this case, we will seek such consent. This section assumes that either the use of cookies is not restricted by applicable law, or if it is restricted that the individual has explicitly consented to the use of the cookies.

Web Beacons – We may also include web beacons (also known as web bugs, Internet tags, pixel tags, tracking pixels and clear GIFs) with the content and information that we deliver to you, which we will use to collect information regarding your interaction with our Services. A web beacon is a transparent graphic image placed on a web page or in an email, which indicates that a page or email has been viewed or that an email has been forwarded. In addition, a web beacon allows us to obtain information such as the IP address of the computer that downloaded the page on which the beacon appears, the URL of the page on which the beacon appears, the time the page containing the beacon was viewed, the type of browser used to view the page, and the information in cookies set by us. A web beacon may also tell your browser to get content from another server.

Cookies and web beacons (together, “Cookies”) may enable us to track and target the interests of our users to enhance the experience on our Services, track user actions/behavior on our Services and track the effectiveness of our Services.

If you want to prevent the use of certain cookies, you do have the ability to opt out.

We use Google Analytics to understand how users use our Services so as to enhance the user experience on our Services. If you wish to opt-out of Google Analytics, go to https://tools.google.com/dlpage/gaoptout?hl=en-GB.

Radformation uses your personal data to:

• Contact you regarding any questions, suggestions, issues or complaints you have contacted us about
• Make available our products and services to you
• Process your orders
• Take payment from you or give you a refund
• Perform statistical analysis
• Get feedback from you about our products and services
• Power our security measures and services so you can safely use the Site and products
• Help us understand more about you as a customer and the products and services you consume, so we can serve you better
• Contact you about products and services from us, and updates to this Policy
• Provide you with online advertising and promotions
• Allow you to register for an account on the Site. A user may need to complete a registration form and create an account with us in order to use certain aspects of our Services. During registration, a user is required to give certain information (such as name and email address). This information is used to contact you about the products/services on our Services in which you have expressed interest or subscribed to, send you payment reminders and allow you to easily change this information for purposes of making payments or accessing our services.

We may share your personal data with other organizations if:

• The law or a public authority says we must share the personal data, such as to comply with a court order or subpoena. Disclosing this information helps enforce our policies and protect the safety and security of you, your property, our employees, our service providers, our subcontractors, other third parties, or equipment that belongs to us, our service providers, or our subcontractors.
• We need to share personal data in order to establish, exercise or defend our legal rights (this includes providing personal data to others for the purposes of preventing fraud and reducing credit risk)
• Third-party data processors require this information in order to provide elements of services for us, such as fulfilling orders and requests (e.g., to deliver equipment and software) and troubleshooting issues you may have with our Services or your account. We have data processing agreements in place with our data processors. This means that they are only able to process your personal information under our strict instructions. They may only share your personal information with other organizations apart from us if we have provided them with prior written consent for this sharing. In addition, these other organizations must comply with our data processing agreement. They will hold your personal data securely and retain it for the period we instruct. Only employees, service providers and subcontractors who need the personal information to perform a specific job (for example, billing, customer service, delivery of equipment or software) are granted access to the information. The computers/servers in which we store personal information are kept in a secure environment.

We will not trade, rent, share or sell your personal information to third parties, unrelated to providing you with quotes, equipment and services, unless you ask or authorize us to do so.

The Services may contain links to other websites. Any personal information you provide on linked pages or sites is provided directly to that third party and is subject to that third party’s privacy policy. This Policy does not apply to such linked sites, and we are not responsible for the content or privacy and security practices and policies of these websites or any other sites that are linked to or from the Services. We encourage you to learn about their privacy and security practices and policies before providing them with personal information.

Retention, disposal, and data security

In certain circumstances it will be necessary to retain specific records in order to fulfill statutory or regulatory requirements and to meet operational needs. We will always retain your personal information in accordance with data protection legislation and never retain your information for longer than is necessary and will retain the minimum amount of information that it is required to hold to meet our statutory functions and the provision of our services. To determine the appropriate retention period for personal data, Radformation considers the amount, nature and sensitivity of the personal data; the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which Radformation processes your personal data and whether those purposes can be achieved through other means; and the applicable legal requirements. Necessary records, documents and electronic data of Radformation are adequately protected, archived and disposed of in accordance with international guidelines.

In circumstances where a retention period of a specific document has expired, a review is always carried out prior to a decision being made to dispose of the record.

All cryptographic keys are retained as long as the data that the keys decrypt is retained. Cryptographic keys are managed by Google Cloud Platform, and data at rest is encrypted using AES-256.

Data, including media and email, are retained digitally on Radformation’s servers; Radformation does not retain paper records of any personal data. The backup of electronic data is as follows:

Access to stored electronic data is limited to those who require it to perform their specific job duties and who have the appropriate training to use the data responsibly, and the systems on which this information is stored are password-protected. Systems can be audited to trace any modifications.

IT equipment and devices that can store personal data include:

• PCs
• Laptops
• Mobile phones
• Multi-functional devices such as printers and scanners
• Servers
• Removable media, such as USB memory sticks and external hard drives

IT equipment disposal is managed by Radformation’s internal IT department in accordance with the Waste Electric and Electronic Equipment Regulations 2013

Data security is of great importance to Radformation, and to protect your data, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure your collected data. Security measures include:

• Limiting access to our buildings
• Implementing access controls over our information technology
• Appropriate procedures and technical security measures, including strict encryption, anonymization, archiving techniques) to safeguard your information across all our computer systems
• Never asking you for your passwords

Please be aware, however, that despite our efforts, no security measures are perfect or impenetrable and no method of data transmission can be guaranteed against any interception or other types of misuse. To protect the confidentiality of personal information maintained in your account, you must keep your password confidential and not disclose it to any other person. Never enter your password into an email or after following a link from an email. You are responsible for all uses of the Services by any person using your password. Please advise us immediately if you believe your password has been misused.

Radformation has procedures to deal with any suspected data security breaches and will notify you and any applicable regulator of a suspected breach where it is legally required to do so. As of the last revision of this Policy, Radformation has not experienced a breach.

Our Services do not currently respond to browser-based do-not-track signals. You can choose to have your computer warn you each time a cookie is being set, or you can choose to turn off all cookies. You do this through your browser settings. Each browser is different, so look at your browser's help menu to learn the proper way to modify your browser’s cookies setting.

If you disable cookies, some features may be disabled that make your experience with our Services more efficient and some of our services may not function properly.

The following information applies to those under the jurisdiction of the UK/EU GDPR:

Certain principles apply when any personal data belonging to or provided by data subjects is collected, stored or transmitted. Personal data is:

1. Processed fairly, lawfully and transparently
2. Collected and processed only for specified, explicit and legitimate purposes
3. Adequate, relevant and limited to what is necessary for the purposes for which it is processed
4. Kept accurate and up to date. Any inaccurate data must be deleted or rectified without delay
5. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data are processed
6. Processed in a manner that ensures security, using appropriate technical and organizational measures

Radformation must ensure accountability and transparency in all use of personal data. Data protection legislation obliges all employees to take a proactive approach to data protection. In order to encourage best practice and to avoid penalties, all employees are required to read this policy, to treat others’ personal data with due care and consideration and to ensure that Radformation can demonstrate compliance.

Data controlling and processing

Radformation is classified as a data controller and data processor. Radformation is a data controller of our employee human resources data but also for the customer personal data processed as part of our sales and marketing functions. In doing so, Radformation must maintain the appropriate registration(s).

Radformation is a data processor when it is contracted by a third-party organization to offer a service to data subjects and process their personal data for the data controller. In doing so, Radformation must comply with its contractual obligations and act only on the documented instructions of the data controller. If Radformation at any point determines the purpose and means of processing without the instructions of the controller, Radformation shall be considered a data controller and therefore breach its contract with the controller and have the same liability as the controller.

As a data processor, Radformation must:

• Not use a sub-processor without the written authorisation of the data controller
• Co-operate fully with the ICO or other supervisory authority
• Ensure the security of the personal data
• Keep accurate records of processing activities
• Notify the controller of any personal data breaches

If you are in any doubt about how we handle data, contact the DPM for clarification.

As a data controller, Radformation must only appoint processors who can provide sufficient guarantees under the UK/EU GDPR that the rights of data subjects will be respected and protected and the personal data will be kept secure.

As a data processor, Radformation must only act on the documented instructions of a controller. Radformation acknowledges its responsibilities as a data processor under the UK/EU GDPR and will protect and respect the rights of data subjects.

What happens if Radformation changes hands

We may, from time to time, expand or reduce our business, and this may involve the sale and/or the transfer of control of all or part of our business. Any personal data that you have provided will, where it is relevant to any part of our business that is being transferred, be transferred along with that part, and the new owner or newly controlling party will, under the terms of this Policy, be permitted to use that data only for the purposes for which we originally collected it.

Your rights over your information

If you would like to exercise any of the rights below, please contact us as set out above. If we agree that we are obliged to provide personal information to you (or someone else on your behalf), we will provide it to you or them free of charge and will respond without delay and within one calendar month of receipt of your request. In certain circumstances, such as if the request is complex or you have submitted numerous requests, we may extend this period by two months, but we will always notify you if any extension is necessary.

We may ask for proof of identity and sufficient information about your interactions with us so that we can locate your personal information. Please note that the time limit for fulfilling your request does not start until we have been able to verify your identity.

• Right to be informed about our collection and use of personal data: You have the right to be informed about the collection and use of your personal data. We ensure we do this by providing you with this privacy notice. This notice is regularly reviewed and updated to ensure it accurately reflects our data processing activities.
• Right to access your personal information: You have the right to access the personal information that we hold about you in many circumstances, by making a request. This is sometimes termed a “data subject access request”. If we agree that we are obliged to provide personal information to you (or someone else on your behalf), we will provide it to you or them free of charge and will respond without delay and within one calendar month of receipt of your request.
• Right to rectification of your personal information: If any of the personal information we hold about you is inaccurate, incomplete or out of date, you may ask us to correct it.
• Right to stop or limit our processing of your data: You have the right to object to us processing your personal information for particular purposes, to have your information deleted if we are keeping it too long, or have its processing restricted in certain circumstances.
• Right to erasure: You have the right to have personal data erased. This is also known as the “right to be forgotten”. The right is not absolute and only applies in certain circumstances.
• Right to data portability: You have the right to receive personal data you have provided to a controller in a structured, commonly used and machine-readable format. It also gives you the right to request that a controller transmits this data directly to another controller.

You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection. You can find the ICO’s contact details at https://ico.org.uk/global/contact-us.

California requires operators of websites or similar services to make certain disclosures to users who reside in California regarding their rights. Specifically:

Shine the light

For clarity, we will not trade, rent, share or sell your personal information to third parties unless you ask or authorize us to do so. However, if we disclose personal information that is primarily used for personal, family, or household purposes of a California user to a third party for said third party’s direct marketing purposes, we will identify such third party along with the type of personal data disclosed, upon your request.

For further clarification, please refer to the “Contact us” section below. Under California law, businesses are only required to respond to a user’s request once during any calendar year.

Do Not Track

Some browsers give individuals the ability to communicate that they wish not to be tracked while browsing on the Internet. California law requires that we disclose to users how we treat do-not-track requests. The internet industry has not yet agreed on a definition of what “Do Not Track” means, how compliance with “Do Not Track” would be measured or evaluated, or a common approach to responding to a “Do Not Track” signal. We have not yet developed features that would recognize or respond to browser initiated Do Not Track signals in response to California law. In the meantime, there are technical means to prevent some of the tracking.

California Consumer Privacy Act

If you have any questions about this Policy, please contact us at 261 Madison Avenue, 9th Floor, New York, NY 10016, email us at: info@radformation.com, or call us at 844-723-3675.