Effective as of: Apr 1, 2025

1. Introduction

Your privacy is extremely important to us and we are committed to protecting it and maintaining your trust. To better protect you, we provide this notice explaining our online information practices and the choices you can make about the way your information is collected and used.

This Privacy Policy relates to information collected by Momence, Inc. (referred to in this Privacy Policy as "Momence", "we", "us" or "our") through your use of our Services or engaging with us.

By “Personal Data,” we mean information that allows us to determine your identity, and by “process” or “processing,” we mean any type of operation or set of operations which is performed on Personal Data such as (but not exclusively) collection, storage, use and sharing. Other terms not defined below will have the same meanings as set forth in our Terms of Service.

We use Your Personal data to provide and improve the Momence Services. By using the Momence Services, You agree to the collection and use of information in accordance with this Privacy Policy.

Our role with respect to the processing of your Personal Data will vary depending on the type of activities we perform.

• For delivery of Purchased Services. We are a “Data Processor” of Personal Data when providing Purchased Services to Subscribers. A Subscriber is considered the Data Controller of its own Subscriber Data (which, for clarity, may include data about its clients, customers or members (which we refer to as an “End User” or “End Users”). Please note that Subscribers are responsible for preparing their own privacy policies and making those policies available to their respective End Users.
• For Momence marketing and managing a Subscriber’s Momence account. We serve as a Data Controller when conducting our own marketing for Momence Services, or when managing the details of a Subscriber’s Momence account, as discussed below.

For information about your privacy choices, please see Section 13, Your Choices, and Section 14, Privacy Notice Specifications for Certain U.S. Jurisdictions.

If you are a resident of California, please also refer to the Momence CCPA Privacy Policy, for information about the categories of personal data we collect and your rights under California privacy laws.

We recommend that you read this Privacy Policy in full to ensure you are fully informed.

When you access or use the Momence Services, you agree to the terms and conditions of this Privacy Policy and that the information contained in this Privacy Policy serves as notice at or before the point of collection for all information collected as described below.

If you have any questions about this Privacy Policy or Momence’s data collection, use, and disclosure practices, please contact us at privacy@momence.com.

If you do not agree to our use of your personal data in line with this policy, please do not use the Momence Services.

2. Definitions

The words of which the initial letter is capitalized have meanings defined under the following conditions. The following definitions shall have the same meaning regardless of whether they appear in singular or in plural.

For the purposes of this Privacy Policy:

• Business. For the purpose of CCPA/CPRA, it refers to Momence as the legal entity that collects Consumers’ personal data and determines the purposes and means of the processing of Consumers’ personal data, or on behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of Consumers’ personal data, that does business in the State of California.
• CCPA and/or CPRA. It refers to the California Consumer Privacy Act (the “CCPA”) as amended by the California Privacy Rights Act of 2020 (the “CPRA”).
• Consumer. For the purpose of the CCPA/CPRA, it means a natural person who is a California resident. A resident, as defined in the law, includes (1) every individual who is in the USA for other than a temporary or transitory purpose, and (2) every individual who is domiciled in the USA who is outside the USA for a temporary or transitory purpose.
• COPPA. Children’s Online Privacy Protection Act. in the US.
• Cookies. Small files that are placed on Your computer, mobile Device, or any other Device by a website, containing the details of Your browsing history on that website among its many uses.
• Data Controller. For the purposes of the GDPR (General Data Protection Regulation), it refers to the Company as the legal person which alone or jointly with others determines the purposes and means of the processing of Personal Data.
• Device. Any device that can access the Momence Services such as a computer, a cell phone, or a digital tablet.
• Do Not Track (DNT). A concept that has been promoted by US regulatory authorities, in particular the U.S. Federal Trade Commission (FTC), for the Internet industry to develop and implement a mechanism for allowing internet users to control the tracking of their online activities across websites.
• End User. Any individual who interacts with the Momence Services, including users of our mobile applications such as the Momence App, and individuals who book appointments, purchase services and otherwise interact with our Subscribers through the Momence Services.
• GDPR. General Data Protection Regulation (EU) 2016/679 as amended.
• Momence Software Product. Any software product distributed or made available by Momence under the Momence Subscription Agreement or any other Momence Agreement, excluding third-party software. Any such third-party software is governed by its own terms and conditions and Privacy Notice.
• Momence Software as a Service. Any Momence Software Product that is offered as a hosted solution, where the software is installed and maintained by Momence and provided to you as a service.
• Momence Website. Any website that is the property of Momence, including, but not limited to, https://momence.com.
• Momence Account. An account you create and which Momence may use in communicating with you or providing Momence Products to you. Your Momence Account is accessed via a username and password or a similar authentication method and can be used to manage your Personal Data.
• Momence Terms of Use. The Momence Subscription Agreement, the Momence Terms of Use for a product or a service, the Momence License Agreement, or other agreements you have in place with Momence covering Momence Products or services.
• Personal Data. Any data relating to an identified or identifiable natural person.For the purposes of GDPR, Personal Data means any information relating to You such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity. For the purposes of the CCPA/CPRA, Personal Data means any information that identifies, relates to, describes or is capable of being associated with, or could reasonably be linked, directly or indirectly, with You.
• Service. It refers to the Application or the Website or both.
• Service Provider. Any natural or legal person who processes the data on behalf of Momence. It refers to third-party companies or individuals employed by Momence to facilitate the Service, to provide the Service on behalf of Momence, to perform services related to the Service or to assist Momence in analyzing how the Service is used. For the purpose of the GDPR, Service Providers are considered Data Processors.
• Subscriber. Any business or entity that subscribes to (or otherwise accesses or uses) the Momence Services, including any staff, employees, consultants, advisors, or independent contractors accessing the Momence Services on the Subscriber’s behalf.
• Third-party Social Media Service. It refers to any website or any social network website through which a User can log in or create an account to use the Momence Services.
• Usage Data. It refers to data collected automatically, either generated by the use of the Momence Services or from the Momence Services infrastructure itself (for example, the duration of a page visit).
• You. The individual accessing or using the Momence Services, or the company, or other legal entity on behalf of which such individual is accessing or using the Momence Services, as applicable. Under GDPR, You can be referred to as the Data Subject or as the User as you are the individual using the Momence Services.

All other terms used in this Privacy Notice (such as controller, processor, data subject, and others) that are defined in Article 4 of the GDPR shall have the same meaning as defined in Article 4 of the GDPR.

Momence Software Products, the Momence Website, Momence Accounts, and Momence Software as a Service may be collectively referred to as "Momence Services”.

3. Scope of this Privacy Policy

Please note that this Privacy Policy does not cover all types of information that Momence may handle. Our obligations to clients and Service Providers are outlined in a distinct Data Protection Policy. Additionally, this Privacy Policy is part of, and subject to, our Terms of Use. Any terms in this Privacy Policy that are capitalized but not explained will carry the definitions provided in our Terms of Use.

For employees, our commitments are outlined in our internal employment policies.

4. What Data We Collect

We may collect personal data that you provide directly to us, such as:

• Name
• Email address
• Username
• Password
• Phone number
• Address
• Payment data
• Comments, voluntarily provided feedback, and any data provided in survey responses or forms

We also collect data automatically as you navigate through the site, including:

• IP address
• Browser type
• Pages visited
• Time spent on pages
• Referring website
• Cookies or other tracking identifiers
• Data about your use of Momence Services, and your Momence Account;

5. How We Collect Your Data

We collect Personal Data directly from you when you interact with our products and services or communicate directly with us. We may also collect data about you from third parties. For example, if you access our products or services through a third-party application, such as an app store, a third-party login service, or a social networking site, we may collect from that third-party application personal data about you that you have made available via your privacy settings. We also collect data automatically when you visit the Momence Website or use Momence Service.

• Automatic collection of personal data. We may collect certain information automatically when you use our services, such as your IP address, user settings, MAC address, cookie identifiers, mobile carrier, mobile advertising, and other unique identifiers, browser or Device information, location information (including approximate location derived from your IP address), and internet service provider. We may also automatically collect information regarding your use of Momence Services, such as pages that you visit before, during, and after using our products and services, information about the links you click, the types of content you interact with, and the frequency and duration of your activities, and other information about how you use our services, for instance the features you use; the type, size and filenames of attachments you upload to the Momence Services; frequently used search terms. We also collect information about the teams and people you work with and how you interact with them, like who you collaborate and communicate with most frequently.
• Log files. We collect non-personally identifiable information through our Internet log files, which record data such as user IP addresses, browser types, domain names, and other anonymous statistical data involving the use of the Momence Services. This information may be used to analyze trends, to administer the Momence Services, to monitor the use of the Momence Services, and to gather general demographic information. We may link this information to personally identifiable information for these and other purposes, such as personalizing your experience on the Momence Services, and evaluating the Momence Services in general.
• Crash reports. If you provide crash reports within Momence Services, we may collect personal data related to them, including detailed diagnostic information about your Device and the activities that led to the crash.
• Cookies. For more information regarding Cookies and other tracking technologies, please refer to our Cookie Policy.
• AI. If you are using Momence AI, we or our LLM providers may collect personal data related to your AI service usage. For more information, please consult our dedicated policy.
• Online forms. We may collect Personal Data via a form based on the nature of your interaction with us. Each form explains our purpose for collecting such data in more detail.
• Social media platforms. Our products and services may contain buttons for social media platforms, such as Facebook, Instagram, and X, and these buttons might include widgets such as the “Share This” button or other interactive mini-programs. These features may collect personal data such as your IP address, and they may set a cookie to enable them to function properly. Your interactions with these platforms are governed by the privacy policies of the companies providing them.
• Direct interaction. We may collect Personal Data from you as part of your interaction with us, for example, when we provide product, services or sales support to you.

6. Why We Collect and How We Use Your Data

We do not sell any data, including your personal data. We will only collect and process your personal data in accordance with applicable data protection and privacy laws. We need to collect and process certain personal data in order to provide you with access to Momence Services. If you registered with us, you will have been asked to check a tick box indicating your agreement to provide this data in order to access our services. This consent provides us with the legal basis we require under applicable law to process your data. You maintain the right to withdraw such consent at any time.

We collect data for various reasons, such as:

• To provide you with software, services, or information. We may collect data, including your Personal Data, that is required to provide you with software, support, and services, license validation and checking for updates, providing support, reporting issues and bugs, and other processing connected with the use of Momence Services or information. We may use collected data to develop and test products and services. You may explicitly provide the Personal Data required for you to receive the software, support, or services, whether you purchase or use Momence Services, use our support forums, sign up for a Momence Account, register for a webinar, participate in a survey, and/or subscribe to receive marketing and/or technical information and content. This data may also be collected in the course of your using Momence Services. We may use third-party service providers, acting as data processors, to assist us in providing Momence Services to you or in our operations. For example, we may use third-party service providers to provide data storage and backup services. The legal basis for this data processing is the performance of a contract between you and us. With your consent, your Personal Data may also be transferred to third-party service providers, acting as separate Data Controllers, who provide products and services complementary to Momence Services (further data processing performed by these service providers is governed by their privacy policies). The legal basis for this data processing is consent.
• To protect us from piracy and the unlawful use of our software or services. We may collect data that is necessary to protect us from piracy or the unlawful or unauthorized use of our software or services, or that is necessary to ensure the security of our software or services, including both Personal Data provided by you (see above) and data collected in the course of your use of Momence Services. The legal basis for this data processing is Momence legitimate interest in protection from piracy and from the unlawful use of Momence Services. Such personal data may include your IP address and information about your Momence Account.
• To improve our offerings based on usage. With your consent, we may collect anonymous data based on your use of Momence Services. We use this data to better understand the usage patterns of our products and services and the behaviors of our collective audience. At times, we may share this information in an aggregated anonymous form with third parties. Since the data is anonymous, no personal data is processed. Please refer to our Momence Cookie Policy for more information regarding the collection of non-anonymous data (Cookies) when you are using the Momence Website.
• For Momence internal evidence and to protect the rights and interests of Momence and other users. We may collect data that is required as evidence of the provision of software and services to you, of any communication between you and us, of your contact details, of your use of our services, of your compliance with the terms of the agreement between you and Momence, of any payments or refunds, and of any issues or disputes between you and us. We may use and disclose this data where we believe, in our sole judgment, that it is legitimate and appropriate to do so to protect our rights and interests and the rights and interests of other users of the Momence Services, or where we believe there has been a violation of this Privacy Policy that could affect the interests of Momence or its customers for a period corresponding to the statute of limitations. The legal basis for this data processing is our legitimate interest in keeping internal evidence and protecting the rights and interests of us and other users.
• To promote and market our products and services. We may use feedback that you voluntarily provide about our products or services. As permitted by applicable law, we may use such feedback in the form of anonymized quotes or in other ways in accordance with the Momence Terms of Use. We also may use data that we collect and aggregate to assist us in determining the appropriate marketing and advertising for our products and services. In doing so, we may share anonymous aggregated data with third parties to assist us with these efforts. With your consent or if permitted by applicable law on the legal basis of legitimate interest, we may also use your contact details to send you commercial communications about our products and services. We may also use third-party service providers to assist us with our email marketing. In that case, the third-party service provider will have access to your email address, your name, and other information necessary to engage in the marketing. Such third-party service providers will act as data processors and will not use your Personal Data for their own purposes. As more fully described in the How We Collect Data section, we also may use third-party service providers to assist us with our digital advertising, including through cross-contextual advertising on third-party properties. In that case, the third-party service provider will have access to your online identifiers and information about your use of our products and services. The legal basis for this data processing is our legitimate interest in promoting and marketing our products and services, or your explicit consent. During conferences or events, we may use badge scanning services, also called lead retrieval or scanning, where we can scan your badge and collect certain Personal Data to enable us to contact you for the above-mentioned purposes.
• To fulfill legal duties stipulated by accounting, taxation, and other laws. We may use and disclose your Personal Data where required by law, such as in keeping and disclosing our accounts, in keeping and disclosing our tax records, and in response to a court order, valid subpoena, or other legal process for the period of time required by such laws. The legal basis for this data processing is our compliance with our legal obligations.

You may object at any time to the processing of your Personal Data unless you provide us with consent for such processing. In that case, you may revoke your consent.

7. How We Share and Disclose Your Data

We do not sell your personal data. We may share the information we collect in various ways, including the following:

• Vendors and Service Providers. We may share information with third-party vendors and service providers that provide services on our behalf, such as helping to provide our Services, for promotional and/or marketing purposes, and to provide you with information relevant to you such as product announcements, software updates, special offers, or other information.
• Aggregate Information. Where legally permissible, we may use and share information about users with our partners in aggregated or de-identified form that can’t reasonably be used to identify you.
• Advertising. We work with third-party advertising partners to show you ads that we think may interest you. These advertising partners may set and access their own Cookies, pixel tags, and similar technologies on our Services, and they may otherwise collect or have access to information about you which they may collect over time and across different online services.
• Third-Party Partners. We also share information about users with third-party partners in order to receive additional publicly available information about you.
• Information We Share When You Sign Up Through a Referral. If you sign up for our Services through a referral from a friend, we may share information with your referrer to let them know that you used their referral to sign up for our Services.
• Analytics. We use analytics providers such as Google Analytics. Google Analytics uses Cookies to collect non-identifying information. Google provides some additional privacy options regarding its Analytics Cookies at http://www.google.com/policies/privacy/partners/.
• Business Transfers. Information may be disclosed and otherwise transferred to any potential acquirer, successor, or assignee as part of any proposed merger, acquisition, debt financing, sale of assets, or similar transaction, or in the event of insolvency, bankruptcy, or receivership in which information is transferred to one or more third parties as one of our business assets.
• As Required By Law and Similar Disclosures. We may also share information to (i) satisfy any applicable law, regulation, legal process, or governmental request including requests made by public authorities to meet national security or law enforcement requirements; (ii) enforce this Privacy Policy and our Terms of Service, including investigation of potential violations hereof; (iii) detect, prevent, or otherwise address fraud, security, or technical issues; (iv) respond to your requests; or (v) protect our rights, property or safety, our users and the public. This includes exchanging information with other companies and organizations for fraud protection and spam/malware prevention.
• With Your Consent. We may share information with your consent.

8. Legal Basis for Processing Personal Data

Our legal basis for collecting and using the personal data described above will depend on the personal data concerned and the specific context in which we collect it.

However, we will normally collect personal data from you only (i) where we need the personal data to perform a contract with you; (ii) where the processing is in our legitimate interests and not overridden by your rights; or (iii) where we have your consent to do so. We have a legitimate interest in operating our Services and communicating with you as necessary to provide these Services, for example when responding to your queries, improving our platform, undertaking marketing, or for the purposes of detecting or preventing illegal activities.

In some cases, we may also have a legal obligation to collect personal data from you or may otherwise need the personal data to protect your vital interests or those of another person.

If we ask you to provide personal data to comply with a legal requirement or to perform a contract with you, we will make this clear at the relevant time and advise you whether the provision of your personal data is mandatory or not (as well as of the possible consequences if you do not provide your personal data).

9. Third-party Services

You may access other third-party offerings through the Momence Services, for example by clicking on links to those third-party offerings from within the Momence Services. Momence is not responsible for the privacy policies and/or practices of these third-party offerings, and we encourage you to carefully review their privacy policies.

10. Data Security

Momence is committed to protecting your Personal Data. To do so, we employ a variety of security technologies and measures designed to protect information from unauthorized access, use, or disclosure.

We encrypt your data in transit and at rest where it is technically feasible. For the protection of data during transmission, we use an up-to-date TLS (Transport Layer Security) protocol to encrypt your data. To encrypt sensitive data at rest, we use strong, up-to-date encryption algorithms, such as AES-256. All encryption keys are regularly rotated, and access to them is strictly limited.

We thoroughly review all Personal Data usage processes before implementation to help achieve compliance with applicable data-protection-related laws and to safeguard user information. This is done to minimize data usage and to make sure that you, as the data owner, are informed about the processing. When the reason for data storage expires, and we are no longer required to keep it, we remove your Personal Data from our servers or anonymize it for further usage. Depending on the activity within which your data is collected, it may appear in datasets used for research. Before using the datasets for research or other purposes you are not informed of, we remove or anonymize your Personal Data in the datasets.

The measures we use are designed to provide a level of security appropriate to the risk of processing your personal data. Please note that no service is completely secure. While we strive to protect your data, we cannot guarantee that unauthorized access, hacking, data loss or a data breach will never occur.

For more information on Momence security controls, please see our Momence Data Protection Policy.

11. Data Retention

If at any time you choose to cease using the Momence Services, you may ask for your Personal Data to be removed from our servers by sending a request to privacy@momence.com. After the Personal Data removal, we may keep pseudonyms of your Personal Data solely as a record of the data removal. Generally, we retain your Personal Data as long as we need to in order to achieve the purpose for which it was collected. We may retain your information if it is required for compliance with legal obligations and/or defense in the event of a violation of the Momence Terms of Use and/or Privacy Policies. We may also have copies of your information in application logs, weblogs, and/or backups made for security and support purposes if this is mentioned in a Momence Terms of Use or consent text accepted before the Personal Data collection. These backups will not be accessible as separately delineated information. We may store Personal Data pertaining to a customer or user for as long as they are entitled to a license for or usage of the Momence Services. Further, we may keep the data to protect ourselves from damage in the event of litigation in accordance with the current legislation. Please note, however, that you must retain a copy of all data that you have placed on our servers in case of any loss. Further, if you cease using our services, we will not be responsible for the retention of any of your data.

12. Your Rights

This section provides specific information for residents of certain states in the United States with comprehensive privacy laws, including but not limited to California, Colorado, Connecticut, Delaware, Iowa, Indiana, Montana, New Jersey, Oregon, Texas, Tennessee, Utah or Virginia, as well as other jurisdictions and regulations that allow for individual privacy rights such as the European Economic Area, the United Kingdom, and the General Data Protection Regulation (“GDPR”).

Depending on your location, you may have the following rights regarding your personal data:

• The right to access. You may have the right to obtain from us a confirmation as to whether or not Personal Data concerning you is being processed, and, where that is the case, to request access to your Personal Data. The information about Personal Data processing includes the purposes of the processing, the categories of Personal Data concerned, the recipients or categories of recipients to whom your Personal Data has been or will be disclosed, etc. However, this is not an absolute right, and the interests of other individuals may restrict your right of access. Further, you may have the right to obtain a copy of your Personal Data undergoing processing. For additional copies requested, we may charge a reasonable fee based on administrative costs.
• The right to rectification. You may have the right to obtain from us the rectification of inaccurate Personal Data. Depending on the purposes of the processing, you may have the right to have incomplete Personal Data made complete, in particular by providing a supplementary statement.
• The right to erasure (the right to be forgotten). Under certain circumstances, you may have the right to require us to delete your Personal Data.
• The right to restrict processing. Under certain circumstances, you may have the right to require us to restrict the processing of your Personal Data. In this case, the respective Personal Data will be marked and may only be processed by us for certain purposes.
• The right to personal data portability. Under certain circumstances, you may have the right to receive the Personal Data that you have provided us concerning you in a structured, commonly used, and machine-readable format, and to transmit this Personal Data to another entity.
• Right to Non-Discrimination: Under certain circumstances, you may have the right not to receive discriminatory treatment on the basis of exercising your privacy rights under applicable law.
• The right to object. Under certain circumstances, you may have the right to object at any time, on grounds relating to the particular situation, to the processing of your Personal Data by us, and we may be required to no longer process your Personal Data.

Certain states in the United States, such as California, provide residents a right to limit the use of their sensitive personal data. However, we do not engage in uses or disclosures of sensitive personal data that would trigger the right to limit under state law.

To exercise these rights, please contact us at privacy@momence.com.

You may lodge a complaint related to the processing of your Personal Data with the competent data protection authority for the country where you are located.

13. Your Choices

You can use some of the features of the Momence Services without registering, thereby limiting the type of information that we collect.

• You may unsubscribe from receiving certain promotional emails from us. If you wish to do so, simply follow the instructions found at the end of the email. Even if you unsubscribe, we may still contact you for informational, transactional, account-related, or similar purposes.

• Many browsers have an option for disabling Cookies, which may prevent your browser from accepting new Cookies or enable selective use of Cookies. Please note that, if you choose not to accept Cookies, some features and the personalization of our services may no longer work for you. You will continue to receive advertising material but it will not be tailored to your interests.

If personal data covered by this Privacy Policy is to be used for a new purpose that is materially different from that for which the personal data was originally collected or subsequently authorized, or is to be disclosed to a non-agent third party in a manner not specified in this Policy, Momence will provide you with an opportunity to choose whether to have your personal data so used or disclosed. Requests to opt out of such uses or disclosures of Personal Data should be sent to privacy@momence.com.

Certain personal data, such as information about medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, is considered "Sensitive Information." Momence will not use Sensitive Information for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual unless Momence has received your affirmative and explicit consent (opt-in).

14. How We Protect Children’s Privacy

We are committed to protecting the privacy of children. Our products and services are generally not designed for and are not offered to children under the age of 13. We do not collect personally identifiable information from any person we actually know is under the age of 13. In some cases, there's an exception to this approach, and children under 13 might be able to use our services. When a child confirms that they are under 13 years old, we ask for their parent's or legal guardian's email address to obtain permission to process such Personal Data for this purpose in accordance with COPPA and GDPR. If we don't receive permission within three (3) days or we are denied permission, the Personal Data collected through the form will be automatically deleted after three (3) days. If we learn that a Child has provided his or her Personal Data through the Momence Services without parental consent, we will take immediate steps to remove and delete that information from the Platform. We don't send marketing communications to children under 15 years old. Children between the ages of 13 and 16 are asked to confirm that they discussed the processing of their data with their parents or legal guardians and have their permission. If you are a parent or legal guardian of a Child and have questions regarding this Children’s Use policy, please contact us at privacy@momence.com.

15. International Data Transfers

Personal Data may be stored and processed in any country where we, our subsidiaries, partners, sub-processors and providers of Third-Party Services conduct business or host events. These locations may be outside your home country, including in the United States, where different data protection laws may apply.

When we transfer Personal Data, any transfers will be done in accordance with applicable data protection laws, including through the implementation of appropriate or suitable safeguards in accordance with such applicable data protection laws, such as standard contractual clauses, published by the European Commission under Commission Implementing Decision 2021/914, to help protect your rights and enable these protections to travel with your data. We put in place appropriate terms to protect your Personal Data in our agreements with our sub-processors and other Service Providers. To learn more about the European Commission’s decisions on the adequacy of the protection of personal data in the countries where Momence processes personal data, see this article on the European Commission website.

Your consent to this Privacy Policy followed by Your submission of such information represents Your agreement to that transfer subject to the terms of our Momence Data Protection Policy.

International transfers within the Momence Services: When we disclose information about you within and among the Momence Services, we make use of the Data Privacy Framework to receive personal data transfers from the European Union/European Economic Area to the U.S. (see “Data Privacy Framework Notice” section below), and the standard contractual data protection clauses, which have been approved by the European Commission, to safeguard the transfer of information we collect from the European Economic Area and the United Kingdom (the "UK").

International transfers to third parties: Some of the third parties described in this Privacy Policy, which provide services to us under contract, are based in other countries that may not have equivalent privacy and data protection laws to the country in which you reside. When we disclose information of customers in the European Economic Area and the UK, we make use of the European Commission-approved standard contractual data protection clauses, binding corporate rules for transfers to data processors, or other appropriate legal mechanisms to safeguard the transfer.

Data Privacy Framework Notice

On July 10, 2023, the European Commission’s adequacy decision for the EU-U.S. Data Privacy Framework (EU-U.S. DPF) entered into force.

Momence, Inc. adheres to the Data Privacy Framework Principles regarding the collection, use, and retention of personal data that is transferred from the European Union and the United Kingdom to the U.S.

Momence complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF as set forth by the U.S. Department of Commerce. Momence has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. If there is any conflict between the terms in this Privacy Policy and the EU-U.S. DPF Principles, the DPF Principles shall govern. To learn more about the Data Privacy Framework Program, please visit the Data Privacy Framework Program website here.

As required under the principles, when we receive information under the Data Privacy Framework and then transfer it to a third-party service provider acting as an agent on our behalf, we have certain liability under the Data Privacy Framework if the agent processes the information in a manner inconsistent with the Data Privacy Framework and we are responsible for the event giving rise to the damage.

We encourage you to contact us as provided below should you have a Data Privacy Framework related (or general privacy-related) complaint.

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, Momence commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) with regard to unresolved complaints concerning our handling of human resources data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF in the context of the employment relationship.

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, Momence commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF to VeraSafe, an alternative dispute resolution provider based in the European Union. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://verasafe.com/managed-services/data-privacy-framework-dispute-resolution-program for more information or to file a complaint. The services of VeraSafe are provided at no cost to you.

Under certain conditions, more fully described on the Data Privacy Framework website, including when other dispute resolution procedures have been exhausted, you may invoke binding arbitration. Further information can be found on the official DPF website.

Please also refer to our Momence Data Security FAQ and Momence Data Protection Policy for more information about data transfers.

Momence, Inc. is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the effective date at the top.

17. Sub-Processors

The following is a list of current third-party vendors that may either directly or indirectly collect information from you in their capacity as a Sub-Processor. Please review the relevant privacy policies (links current as of the date of publication of this Privacy Policy) for further information on how each third-party handles your personal data. Due to the nature of our global business and our ongoing efforts to delight our customers, our Sub-processors may change from time to time. For example, we may deprecate a Sub-Processor to consolidate and minimize our use of Sub-Processors, or we may add a Sub-Processor if we believe that doing so will enhance our ability to deliver our Subscription Service.

Entity Name	Purpose	Subject Matter	Corporate Location	More information
Amazon Web Services, Inc.	Hosting and Infrastructure		USA	http://aws.amazon.com/
Classpass	Session Bookings		USA	https://classpass.com/
Cloudflare, Inc.	Content Delivery Network		USA	https://www.cloudflare.com/
Crowdin	Translations Management		Estonia	https://crowdin.com/
Datadog, Inc.	Quality Assurance and Support Service		USA	https://www.datadoghq.com/
Grafana	Data Visualization Platform		USA	https://grafana.com/
Gympass	Session Bookings		USA	https://www.gympass.com/
Kisi	Fitness Platform		USA	https://www.getkisi.com/
Mailchimp	Email Delivery Service		USA	https://mailchimp.com/legal/privacy
Mailgun	Email Delivery Service		USA	https://www.mailgun.com/
Mailjet	Email Delivery Service		France	https://www.mailjet.com/
Moloni	Invoices Generation		Portugal	https://www.moloni.pt/
MyClubs	Sports Membership Platform		Austria	https://www.myclubs.com/
Intercom, Inc.	Cloud-based in-app support chat platform		USA	https://www.intercom.com/
OpenAI, L.L.C.	AI Products		USA	https://openai.com/
Quickbooks	Bookkeeping		USA	https://quickbooks.intuit.com/
Sendgrid	Email Delivery Service		USA	https://sendgrid.com/policies/privacy/
Sentry, Functional Software, Inc.	Quality Assurance and Support Service		USA	https://sentry.io/
Spivi	Fitness Tracking Platform		USA	https://www.spivi.com
Stripe, Inc.	Payment Processor		USA	https://stripe.com/us/privacy
Twilio	Calling and Messaging		USA	https://www.twilio.com/legal/privacy
Xero	Accounting		USA	https://www.xero.com/
Yappy	Accounting		Panama	https://www.yappy.com.pa/

18. Contact Us

If you have any questions or concerns about this Privacy Policy, please email us at privacy@momence.com or write to us at:

Momence, Inc.
2261 Market Street #4671
San Francisco, CA 94114
US

For the EEA, you may also:

• Contact our Data Protection Officer responsible for your country or region, if applicable at privacy@momence.com.
• Lodge a complaint with a data protection authority for your country or region or where an alleged infringement of applicable data protection law occurs. A list of data protection authorities is available at https://ec.europa.eu/newsroom/article29/items/612080.

19. Additional Disclosures

California

See the Momence CCPA Privacy Policy

Colorado/Connecticut/Virginia

If you live in Colorado, Connecticut, or Virginia you have some additional rights:

If we deny your rights request, you have the right to appeal that decision. We will provide you with the necessary information to submit an appeal at that time.

You have the right to opt out of profiling in furtherance of decisions that produce legal or similarly significant effects concerning the Consumer. Momence does not engage in such profiling as defined by Colorado law, so there’s no need to opt out.

Nevada

We do not sell your covered information, as defined under Chapter 603A of the Nevada Revised Statutes. If you still have questions about your covered information or anything else in our Privacy Statement, please send an email to privacy@momence.com.