Privacy Policy

General Privacy Notice

Effective Date: December 12, 2025

Verici Dx, Inc. (“we”, “us”, “our”) takes the protection of your personal information (“Personal Data”) very seriously. Personal Data is any information about you that can be used to identify you as a person.

We develop a cutting-edge range of diagnostic products designed to create better outcomes in organ transplant. Our data collection primarily relates to the business of creating, evaluating, selling, and facilitating investment and interest in these products.

This Privacy Notice (this “Notice”) describes how we use your Personal Data when you:

• visit our websites;
• use one of our diagnostic products outside of one of our clinical trials;
• provide feedback about our products (including if you prescribe or treat a patient using one of our products or otherwise evaluate them as a medical professional);
• invest in our company;
• or contact us directly outside of any participation in one of our clinical trials.

This Notice is meant to help you understand what information we collect, why we collect it, and your rights under various privacy laws that may apply to you.

This Notice does not apply to Personal Data we collect by other means, like Personal Data that we collect from participants in our clinical trials (see: https://www.vericidx.com/clinical-trials-privacy-notice/).

GENERAL

We are required to give you this information in order to comply with various privacy and data protection laws, including Regulation (EU) 2016/679 (General Data Protection Regulation or GDPR) and the GDPR in such form as incorporated into the law of England and Wales, Scotland and Northern Ireland by virtue of the European Union (Withdrawal) Act 2018 and any regulations thereunder, and the UK Data Protection Act 2018 (the “UK GDPR”), as well as the Health Insurance Portability and Accountability Act (“HIPAA”). In the context of this Notice, Verici Dx is the “data controller” for your Personal Data when regulated by the GDPR and UK GDPR.

Personal Data, where applicable, includes Protected Health Information (“Protected Health Information”), as defined by HIPAA, whether it be genetic or otherwise. Protected Health Information may be in any form or medium, including electronic, paper, or oral, which we create or receive and includes information that relates to your past, present, or future physical or mental health or condition. Protected Health Information also includes information regarding the provision of health care to you; or the past, present, or future payment for the provision of health care to you. Under HIPAA, we are required to maintain the privacy of your Protected Health Information, notify you should your Protected Health Information be affected in the event of a data breach, and abide by the terms of this Notice that are currently in effect.

YOUR PRIVACY RIGHTS

OUR DUTIES

We are required by law to:

• maintain the privacy of Personal Data;
• provide you with notice of our legal duties and privacy practices with respect to Personal Data;
• notify you should your Personal Data be affected in the event of a data breach; and
• abide by the terms of this Notice that are currently in effect.

PERSONAL DATA WE HOLD ABOUT YOU

We collect, use, store, and transfer different categories of Personal Data about you which we have grouped together as follows. When you visit our website, contact us, or otherwise interact with us or products, we may collect:

• Identity Data includes first and last name, username or similar identifier.
• Contact Data could include your email address. telephone number, or physical address.
• Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access our website or intranet.
• Usage Data includes information about how you use our website, intranet, products, and services.

If you use/are prescribed/are treated pursuant to our diagnostic tests outside of one of our clinical trials, in addition to your Identity and in some circumstances, Contact, Technical or Usage Data, we may also collect:

• Medical Data/Protected Health Information including your treatment outcomes as a result of the use of our diagnostic test, information about your treating physician and locations where you have received treatment, and other information related to understanding the efficacy of our diagnostic test as well as, where necessary to report to regulators about its use, including negative outcomes.
• Sensitive Identity Data (Race and/or Racial Identity): to the extent this is communicated to us as part of an evaluation of the efficacy of our test as compared to traditional methods of predicting or evaluating an individual’s response to transplant, or as part of your medical record and (Government ID): we may also process your Social Security Number, Tax ID, NIH number or other Government-issued identification number as part of your medical record communicated to us or as part of processing payment information, including communications with your insurance provider.
• Insurance and Financial Information including details of your insurance provider and plan, and related financial information if we receive information about how you or your insurance company paid for our product.

If you are a healthcare provider or other medical professional that prescribes our diagnostic test, treats a patient pursuant to our tests outside of one of our clinical trials, or otherwise reviews, evaluates, or assists in sales or marketing related to our products, in addition to your Identity, Contact, and possibly Technical or Usage Data, we may also collect:

• Educational and Professional Information including your professional certifications, potentially trade union membership if it is provided to us, and the hospitals and/or treatment centers you may be affiliated with.

If you are an investor or Director of/in our company, in addition to your Identity, Contact, Technical and Usage Data, and Educational or Professional Information (if you provide them to us), we will also collect:

• Investment Data could include details of your shareholding or option holding if you are a shareholder or option holder, including your votes and shareholder identification number.

We may also collect, use, and share Aggregated Data, such as statistical data, for any purpose. Aggregated Data may be derived from your Personal Data, but is not considered Personal Data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data with other website visitors to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your Personal Data so that it can directly or indirectly identify you, we treat the combined data as Personal Data which will be used in accordance with this Privacy Notice.

WHERE WE GET YOUR PERSONAL DATA:

In the context of this Notice, we collect your Personal Data from the following sources:

Direct interactions: You may share your Personal Data with us directly, by filling in forms or by corresponding with us by post, phone, and e-mail or otherwise when you visit our website, provide feedback (including about our products), seek to use or use our products, seek to pay us for use of our products, treat someone or seek to treat someone by using our products, or buy our shares.

Indirect interactions: If you are treated pursuant to one of our tests, your physician, insurance company, or the location where you are treated may share your personal data with us. If you are a former or current shareholder, we may collect your Personal Data indirectly through your agent, such as your stockbroker or share plan administrator.

Automated interactions: As you interact with our website or intranet, we may automatically collect Technical Data or Usage data about your equipment, browsing actions, and patterns. We collect this Personal Data by using cookies and other similar technologies. You can manage the collection of this information here: https://vericidx.com/cookie-policy/

HOW WE USE PERSONAL DATA

We use your Personal Data to:

• To sell, market, and deliver our diagnostic tests;
• To evaluate the efficacy of our diagnostic tests;
• To facilitate payment for our diagnostic tests, including interacting with insurance providers;
• To administer and protect our business and website (including troubleshooting, data analysis, testing, system maintenance, support, reporting, and hosting of data);
• To use data analytics to improve our website, products/services, marketing, customer relationships, and experiences;
• To grow and develop our business;
• To contribute to research to improve outcomes in organ transplants and treatment;
• To communicate with you in order to respond to your questions, concerns, or requests to exercise data subject rights;
• To facilitate investment in our company, including to administer our shareholder and share option scheme relationships; and
• To ensure we comply with all laws and regulations applicable to a publicly traded company.

Use and processing of your Personal Data may be necessary or based on our legitimate interests in facilitating the operation and growth of our business, to provide our diagnostic tests and monitor their safety and efficacy and to run our website; the performance of the contract between us and you, should you invest in our company or seek to use our products; and compliance with laws and regulations, including securities regulations requiring us to collect and maintain records about investments in our company.

DATA SHARING

Within the company:

Your Personal Data may be disclosed within the company for administrative, technical, and management purposes as described in this Privacy Notice.

Service providers:

We may share your Personal Data with our service providers (who provide hosting, cloud data storage, data analytics, email and word processing or cloud-based computing software, and share registry service providers). We contractually require our service providers to protect your data. Especially but not exclusively for Medical Data/Protected Health Information, Sensitive Identity Data, and Insurance or Financial Data, we require that these service providers use the data solely to provide the services to us and not for their own purposes.

Researchers and scientific partners:

We may share your Personal Data with other third parties including researchers and / or scientific partners for additional research purposes related to transplant efficacy. We will always make sure that we have an applicable legal basis for sharing the data with any additional researchers, that the researcher applies specific and adequate safeguards to protect your Personal Data, and that any future research is compatible with the original purpose for which it was collected.

Regulatory or governmental agencies:

We may share your Personal Data with certain regulators or other authorities who require reporting of certain processing activities in certain circumstances including the UK Financial Conduct Authority and HR, Revenue and Customers.

Other third parties

We may share your Personal Data with other third parties, for example in the context of the possible sale or restructuring of the business, or to relevant third parties such as research partners, auditors, lawyers or professional advisors, or our insurers.

We may also disclose your Personal Data to comply with a subpoena, bankruptcy proceedings, or similar legal process, or in response to lawful requests by public authorities, or when we believe in good faith that disclosure is reasonably necessary to protect our property or rights, or those of you or third parties, or the public at large.

We require all third parties to respect the security of your Personal Data and treat it in accordance with the law.

DATA TRANSFERS

Personal Data collected and processed under the terms of this Notice may be collected or transferred to Verici Dx, its vendors, service providers, Business Associates, and research partners in the United States. The United States may have data protection laws less stringent than or otherwise different from the laws in effect in the country in which you are located. We will only transfer your Personal Data where there are appropriate safeguards in place. Where required, these safeguards may include the use of the European Commission-approved Standard Contractual Clauses. We will also take steps to ensure that your Personal Data receives an adequate level of security protection wherever it is processed.

DATA SECURITY

We have put in place appropriate security measures to prevent your Personal Data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your Personal Data to those employees, agents, contractors and other third parties who have a business need to know are subject to confidentiality obligations.

DATA RETENTION

We will only retain your Personal Data for as long as necessary to fulfil the purposes for which we collected it, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for Personal Data, we consider the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorized use or disclosure of your Personal Data, the purposes for which we process your Personal Data and whether we can achieve those purposes through other means, and the applicable legal requirements.

In some circumstances, we may anonymize your Personal Data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.

QUESTIONS

If you have any questions about this Notice or our processing of your Personal Data, please contact privacy@vericidx.com or our Data Protection Officer (DPO) at the contact information provided below. Our DPO will respond to you as soon as possible but no later than 4 weeks after you contact us.

Data Protection Officer:

We have appointed VeraSafe as our DPO. You may contact VeraSafe at experts@versafe.com, or at any of the following addresses:

European Union and United Kingdom Representative

We have appointed VeraSafe as our Representative in the European Union and the United Kingdom for data protection matters. While you may also contact us, please contact VeraSafe on matters relating to the processing of your Personal Data.

VeraSafe Ireland Ltd.
Unit 3D North Point House
North Point Business Park
New Mallow Road
Cork T23AT2P
Ireland
https://verasafe.com/public-resources/contact-data-protection-representative

VeraSafe United Kingdom Ltd.
37 Albert Embankment
London SE1 7TL
United Kingdom
https://verasafe.com/public-resources/contact-data-protection-representative

If you want to seek an independent recourse mechanism, you may contact your local Data Protection Authority (DPA). You can find a list of each European Union country’s DPA here: https://edpb.europa.eu/about-edpb/board/members_en. If you are based in the United Kingdom, your local DPA will be the UK Information Commissioner’s Office, which can be found here: https://ico.org.uk/.

For any of your rights listed above, you may also lodge a complaint with us, the data protection authority, or the U.S. Secretary of Health and Human Services. If you have a concern about our privacy practices, including the way we handle your Personal Data, you can report it to us, the data protection authority that is authorized to hear those concerns, or the U.S. Department of Health and Human Services respectively depending upon the type of Personal Data your complaint concerns. You will not be retaliated against for filing a complaint.

If you would like to file a complaint with the Secretary of the U.S. Department of Health and Human Services, please contact:

U.S. Department of Health and Human Services
Office for Civil Rights
200 Independence Avenue, S.W.
Room 509F HHH Bldg.
Washington, D.C. 20201
1-800-368-1019
ocrprivacy@hhs.gov
https://www.hhs.gov/guidance/document/hippa-violation-file-complaint

You will not have to pay a fee to access your Personal Data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your Personal Data (or to exercise any of your other rights). This is a security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

Under HIPAA, you may request a paper copy of this privacy notice at any time.

CHANGES TO THIS PRIVACY NOTICE

We may update this Privacy Notice at any time, and we will either provide you with a new privacy notice or update the web page you read it on. We will also update the “Effective Date” at the top of this Notice.