SomaEthos GDPR & Global Data Protection Policy

Effective Date: 05/11/2025
Data Controller: SomaEthos – CR No. 230248
Registered Jurisdiction: State of Qatar
Website: www.somaethos.com
Privacy Contact: privacy@somaethos.com

1. Global & Regional Applicability

This Privacy Policy applies globally to all individuals who access, use, or interact with SomaEthos services, regardless of geographic location.

SomaEthos operates from the State of Qatar and provides services internationally, including but not limited to individuals located in:

  • The European Union (EU)
  • The European Economic Area (EEA)
  • The United Kingdom (UK)
  • The Middle East and Gulf Cooperation Council (GCC) countries
  • North America
  • Other international jurisdictions

Where applicable, SomaEthos aligns its practices with:

  • EU GDPR (Regulation (EU) 2016/679)
  • UK GDPR
  • Applicable data protection principles of the State of Qatar
  • Recognized international data protection standards

Nothing in this Policy is intended to limit mandatory statutory rights granted under applicable local law. In case of conflict, mandatory legal requirements prevail only to the minimum extent required by law.

2. Purpose & Scope

This Policy explains how SomaEthos collects, uses, stores, shares, transfers, protects, and governs personal data in connection with:

  • Training programs and coaching
  • Nutrition and wellness guidance
  • Health & wellness coordination and referrals
  • Concierge services
  • Subscriptions and membership services
  • Digital advisory and communications
  • Website and platform usage

This Policy forms part of our legal framework together with our Terms & Conditions and any additional consents you provide (e.g., Health Data Consent).

3. Data Controller & Contact

For GDPR/UK GDPR purposes, SomaEthos is the Data Controller for personal data processed through our platform.

Privacy Contact: privacy@somaethos.com

Where required by law or operational needs, SomaEthos may appoint a data protection representative and/or a Data Protection Officer (DPO). If appointed, contact details will be published on the Website.

4. Data Protection Principles (GDPR Article 5)

We process personal data in accordance with:

  • Lawfulness, fairness & transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity & confidentiality (security)
  • Accountability

We maintain internal measures and records designed to demonstrate compliance.

5. Personal Data We Collect

We may collect and process the following categories:

5.1 Identity Data

Name, date of birth, nationality (and identity details only where necessary).

5.2 Contact Data

Email address, phone number, address.

5.3 Account & Membership Data

Account identifiers, subscription status, plan history.

5.4 Health & Wellness Data (Special Category Data – GDPR Article 9)

May include (only when you voluntarily provide it or request related services):

  • Medical reports, lab results, blood tests
  • Body composition and measurements
  • Injury history and mobility limitations
  • Nutrition logs and lifestyle information
  • Training history and performance metrics

5.5 Concierge & Preference Data

Preferences, booking requests, travel details (only if you provide them and only as needed for facilitation).

5.6 Payment & Transaction Data

Payment status and transaction history. Full card details are not stored by SomaEthos when processed by PCI-compliant payment processors.

5.7 Technical & Usage Data

IP address, device identifiers, browser type, log data, cookies and similar technologies.

5.8 Communications Data

Messages, emails, WhatsApp/Chat records (if you choose to communicate that way), support tickets, call notes.

6. How We Collect Data

We collect data through:

  • Information you submit (forms, onboarding, messages, uploads)
  • Account creation and subscriptions
  • Communications with us
  • Platform usage and technical logs
  • Cookies and similar technologies (where applicable)
  • Third parties only when you instruct us (e.g., you ask us to coordinate with a clinic/provider)

7. Legal Bases for Processing (GDPR Articles 6 & 9)

We process personal data under one or more lawful bases:

7.1 Article 6 Legal Bases

  • Consent (Art. 6(1)(a))
  • Contract (Art. 6(1)(b))
  • Legal obligation (Art. 6(1)(c))
  • Legitimate interests (Art. 6(1)(f))

7.2 Special Category (Health) Data – Article 9

We process health data only when a valid condition applies, primarily:

  • Explicit consent (Art. 9(2)(a))

You may withdraw consent at any time; however, withdrawal may limit our ability to provide certain services.

8. Purposes of Processing

We process personal data to:

  • Provide and manage Services and subscriptions
  • Deliver coaching, nutrition, and training guidance
  • Coordinate health referrals upon request
  • Facilitate concierge services upon request
  • Communicate with you and provide support
  • Maintain internal records and service quality
  • Prevent fraud and protect platform security
  • Comply with legal obligations
  • Improve platform performance and user experience

We do not sell your personal data.

9. Health Data Protection (Enhanced Safeguards)

Health data is treated as highly sensitive. We implement safeguards such as:

  • Restricted access (need-to-know basis)
  • Role-based permissions
  • Secure storage and controlled sharing
  • Enhanced confidentiality requirements
  • Additional consent controls for health data

Health data is shared only:

  • With your instruction/consent, or
  • Where necessary to deliver Services you request, or
  • Where required by law

10. Data Sharing & Recipients

We may share personal data with:

10.1 Service Providers (Processors/Sub-Processors)

IT hosting, infrastructure, analytics (where applicable), CRM systems, customer support tools—subject to contractual obligations.

10.2 Payment Providers

Payment processors for subscription and service payments.

10.3 Third-Party Providers You Request

Doctors, clinics, labs, physiotherapists, concierge providers—only as needed and typically upon your instruction.

10.4 Legal/Regulatory Authorities

When required by law, lawful request, or to protect rights and safety.

Important: Independent medical and concierge providers may be separate Data Controllers for the data they receive. Once shared with them, their own policies apply for their processing.

11. International Transfers (GDPR Chapter V)

If you are located in the EU/EEA/UK, your data may be transferred outside your jurisdiction, including to Qatar.

Where required, we apply safeguards such as:

  • Standard Contractual Clauses (SCCs)
  • Contractual confidentiality and security commitments
  • Technical and organizational measures
  • Data minimisation

By using Services, you understand your data may be processed internationally as described in this Policy.

12. Data Retention (Storage Limitation)

We retain personal data only as long as necessary:

  • While your account is active
  • To deliver Services
  • To comply with legal and financial obligations
  • To resolve disputes and enforce agreements

Typical retention approach (may vary by legal requirement):

  • Account and service records: retained while active + reasonable period after
  • Financial records: retained as required by applicable law
  • Health data: retained while needed for Services; deletable upon valid request unless legal retention applies

13. Your Rights (GDPR Articles 12–23)

Where GDPR/UK GDPR applies, you may have the right to:

  • Access (Art. 15)
  • Rectification (Art. 16)
  • Erasure (Art. 17)
  • Restriction (Art. 18)
  • Data portability (Art. 20)
  • Object (Art. 21)
  • Withdraw consent at any time
  • Lodge a complaint with a supervisory authority

Requests: privacy@somaethos.com

We aim to respond within 30 days, subject to lawful extensions for complex requests.

14. Cookies & Tracking Technologies

We may use cookies and similar technologies for:

  • Essential platform function
  • Security
  • Performance and analytics (where enabled)

Where required by law, we implement consent mechanisms. You can manage cookies through browser settings and any on-site consent tool.

15. Automated Processing, Profiling & AI (GDPR Article 22)

We may use AI-supported tools to assist with:

  • Wellness analytics
  • Summaries and reporting
  • Program structuring

We do not use fully automated decision-making that produces legal or similarly significant effects without human oversight.

All guidance remains advisory and subject to human review and your own decision-making.

16. Security Measures (Integrity & Confidentiality)

We implement commercially reasonable security measures such as:

  • Access controls and authentication
  • Secure hosting environments
  • Monitoring and logging
  • Organizational confidentiality controls
  • Vendor and sub-processor security obligations

No system is 100% secure; however, we continuously work to improve protection.

17. Data Breach Response (GDPR Articles 33–34)

In the event of a personal data breach:

  • We will assess risk promptly
  • Where required, notify the relevant authority within 72 hours
  • Where required, notify affected individuals without undue delay
  • Document incidents and apply corrective actions

18. Sub-Processors & Vendor Governance

We may use processors/sub-processors to support operations (e.g., hosting, IT, CRM). We require appropriate contractual protections including:

  • Confidentiality obligations
  • Security commitments
  • Processing instructions
  • Restrictions on further sub-processing where applicable

A list of key processors may be made available upon request where appropriate.

19. DPIA & Internal Compliance (GDPR Article 35)

Where processing may result in high risk (e.g., broader health data processing), we may conduct a Data Protection Impact Assessment (DPIA) and implement risk-mitigation measures.

We may maintain internal records such as:

  • Processing activity records (ROPA)
  • Consent logs
  • Access controls and audit trails (where applicable)

20. Children & Minors Policy (Parent/Guardian Consent)

SomaEthos services are not directed to individuals under the age of 18.

We do not knowingly collect, process, or store personal data from minors without verified parental or legal guardian consent.

If a minor (under 18) wishes to access or use any SomaEthos service (including training, wellness coordination, or health-related services), the following conditions apply:

  • Verified consent: Explicit written consent must be provided by a parent or legal guardian.
  • Acceptance on behalf of minor: The parent/guardian must accept the Terms & Conditions and this Privacy Policy on behalf of the minor.
  • Health data: Any health data relating to a minor will be processed only with verified parental/guardian authorization and appropriate explicit consent where required.
  • Responsibility: The parent/guardian assumes responsibility for decisions made regarding the minor's participation and data submission.
  • Verification: Where required under applicable law (including GDPR Article 8), SomaEthos may request verification of parental authority before providing services.

If we become aware that personal data has been collected from a minor without appropriate consent, we will take steps to delete such data.

Parents/guardians may contact us to access, correct, or request deletion of a minor's data: privacy@somaethos.com

21. Governing Law, Complaints & Policy Updates

21.1 Governing Law

Unless mandatory local law requires otherwise, this Policy is governed by the laws of the State of Qatar.

21.2 Complaints

You may contact us first at privacy@somaethos.com.

Where GDPR/UK GDPR applies, you may also lodge a complaint with your relevant supervisory authority.

21.3 Updates

We may update this Policy from time to time. The latest version will be published on our Website. Continued use of Services after publication constitutes acceptance of the updated Policy.

Contact

  • Privacy Contact: privacy@somaethos.com
  • Website: www.somaethos.com
  • Jurisdiction: State of Qatar