Policy privacy

Effective date: August 08, 2025

Pursuant to the Law on Electronic Data Protection No. 25/NA dated 12 May 2017 (the "Law"), enacted to protect the privacy rights of personal data subjects, the collection, use, or disclosure of personal data must comply with the requirements and conditions set forth by the Law. To ensure that the processing of personal data through the activities of the Okardcare platform operated by Okardtech Co., Ltd. (the "Company") complies with the law, the Company has established this Privacy Policy to ensure that you, as the personal data owner, are aware of and acknowledge the importance of personal data protection that the Company will provide in accordance with the law.

Definitions

• Law: Refers to the Law on Personal Data Protection, ministerial regulations, announcements, guidelines, or measures issued under the authority of the Law on Personal Data Protection of 2017.
• Policy: Refers to the policy of Okardtech Co., Ltd.
• Account: Refers to the unique account created to allow you to access our services or parts of our services.
• Application: Refers to Okardcare, the software program provided by the Company.
• Company: (Referred to as "Company", "we", or "our" in this agreement) refers to Okardtech Co., Ltd.
• Country: Refers to the full sovereignty of any nation.
• Device: Refers to any device capable of accessing the services, such as a computer, mobile phone, or digital tablet.
• System: Refers to Okardcare.
• Personal Data: Means any information relating to an identified or identifiable individual.
• Service: Refers to the Application.
• Service User: Refers to the patient.
• Service Provider: Refers to a doctor, an individual, or a legal entity that processes data on behalf of the Company, and includes third-party companies or individuals hired by the Company to facilitate the service, provide the service on behalf of the Company, perform service-related activities, or assist the Company in analyzing how the service is used.
• Usage Data: Refers to information collected automatically, whether from the use of the service or from the underlying infrastructure of the service itself (for example, the duration of a session in the system).
• You: Refers to the individual accessing or using the service, the company, or other legal entity on behalf of which such individual accesses and uses the service in the system.
• Agreement: Means the terms of use and policies of the system that have been clearly defined.
• Third Party: Refers to any individual or organization that is not a primary contracting party to the agreement or use of the system.
• Okardcare Partners: Such as hospitals, banks, government sectors, and others.
• Application Form: Refers to the act of completely filling out personal information about oneself in the system provided.
• Personal Data Processing: Refers to the collection, use, disclosure, or any action regarding personal data or sensitive personal data. This includes, without limitation, transferring, transmitting, destroying, deleting, and other actions.

Processing of Personal Data

In collecting, using, or disclosing personal data under Okardcare's policy, the Company agrees to comply with the following terms and conditions:

Collection of Personal Data

The Company will collect your personal data for specific purposes and in compliance with the law. The Company may collect your personal data directly through the Okardcare member registration form or through the following channels:

• Registration via phone number
• Registration via email
• Registration via Google application

In addition, Okardcare may collect your personal data and that of others (if any) from communication channels. You confirm that the disclosure or provision of others' personal data on Okardcare is lawful. In cases where your personal data is obtained from other sources, we will take the following actions within 30 days from the date your personal data is stored in the system:

• Notify you about the collection of personal data from other sources.
• Obtain your consent, unless authorized to collect by law.
• Notify you about the new collection purpose for the use or disclosure of personal data, such as creating and managing user accounts on Okardcare.
• Notify you of cases where you are required to provide personal data to comply with the law or contracts where personal data must be provided to enter into a contract, and inform you of the possible consequences of not providing personal data.

Types of Personal Data

• Identification data including: profile picture, first name, last name, age, date of birth, and others.
• Contact information including: address, phone number, email address, and others.
• Okardcare account data including: user account, complete usage history, and others.
• Identity proof including: service providers' information must include certification from the relevant department, and identity proof for service users must include an ID card or passport, and others.
• Transaction and financial data including: payment history for service fees, points, and others.
• Technical/professional information including: workplace address, department, specialty or specialization, and others.
• Other information including: feedback on staff performance, and other information considered personal data under the personal data protection law.

Purposes of the Privacy Policy

• To create and manage user accounts with Okardcare.
• To provide health consultation services, treatment, recommendations of treatment facilities, and therapy.
• To process payment of service fees.
• To provide post-service support.
• To collect feedback.
• Internal company management.
• To comply with the terms and conditions of Okardcare.
• To prevent the use of Okardcare in violation of the terms and conditions, such as preventing patient data leaks and inappropriate consultations.
• To exercise legal rights or resolve disputes that may arise from the use of Okardcare.
• To comply with state laws and regulations.
• To conduct marketing and promotional activities in a non-disclosed manner.
• To improve products, services, or user experience in identifiable ways.

Device Permissions and Sensors

The Okardcare mobile application requests the following device permissions to provide its features. We only access these when you actively use the related feature, and we do not access them in the background unless explicitly noted.

• Camera: Used during video consultations with doctors and to upload profile photos or images of medical documents and prescriptions. Camera access is only active during these features.
• Microphone: Used during voice and video calls with doctors. Audio is transmitted in real time to the other call participant and is not recorded or stored on our servers unless you explicitly consent.
• Location (Approximate and Precise): Used to help you find nearby doctors, hospitals, and clinics. Location data is used only at the moment of search and is not continuously tracked or stored.
• Notifications: Used to send appointment reminders, incoming call alerts, chat messages from healthcare providers, and important account updates.
• Full-Screen Calls and Foreground Service: Used to display incoming voice and video call screens (similar to a regular phone call) and to keep an active call running in the background so it is not interrupted.
• Photos and Media: Used when you upload medical documents, prescription images, or profile pictures from your device gallery. We only access the specific images you select.
• Bluetooth: Used to connect to Bluetooth audio devices such as wireless headsets or earbuds during consultations.
• Internet and Network State: Required to connect to our servers, sync your data, and conduct real-time consultations.
• Wake Lock and Boot Completed: Used to ensure incoming call notifications are delivered even when the device is idle, and to restart notification services after the device reboots.
• Battery Optimization: Optionally requested so that incoming call notifications are not delayed by aggressive battery saving. You can decline this without losing core functionality.

We do NOT collect data from your contacts, SMS messages, call logs, or browsing history.

Collection of Personal Data Without Consent

To achieve historical or data archiving purposes for public benefit, or related to research or statistics with appropriate management to protect your freedoms, such as statistical research on Okardcare users and others.

To prevent threats to your life, body, and health, such as analysis or assessment of the ability to participate in service provision and use.

To perform a contract to which you are a party, or to take steps at your request before entering into such a contract, such as creating and managing user accounts on the Okardcare system.

To carry out our public interest mission, or as authorized by the state, such as complying with the laws and regulations of governmental organizations and others.

For our legitimate interests or those of others, unless such interests are overridden by your fundamental rights to personal data, such as for post-service support and other services.

Collection of Data Through Consent Requests

In cases where the Company cannot collect personal data without consent, including: collecting personal data for marketing and advertising purposes, improving products and services, or improving user experience, and others.

The Company will inform you about the purposes of collecting, using, and disclosing personal data when necessary, and will respect your freedom to give consent. The Company will not collect, use, or disclose personal data that is not necessary or relevant to your use of the service.

The Company will not collect, use, or disclose personal data of those who have not yet reached the legal age, and will rely on the guardian to make decisions on their behalf. However, if you wish to use the Company's services, please proceed as follows:

In the case of persons under the age of 18, parental consent must be obtained, or parental consent must be given to act on their behalf.

If the Company learns that personal data has been collected from a person under the age of 18 without parental consent, the Company will delete or destroy the personal data immediately.

Processing of Personal Data for the Purpose of Controlling the Use of Okardcare in Compliance with Terms and Conditions

The Company needs to process your personal data for the purpose of controlling the use of Okardcare in compliance with the terms and conditions. If any person violates Okardcare's terms and conditions, whether a service provider or service user, before signing up, you acknowledge and agree that these terms are accepted. If another person exercises the right to object to the processing of personal data, request the deletion or destruction of personal data, suspend the use of personal data, and other rights of others, that person may be restricted from accessing Okardcare.

Information to be Notified When Collecting Personal Data

The Company will notify you of the following details when collecting personal data, unless you are already aware of these details.

• The purpose of the collection and use or disclosure of personal data.
• We notify you of cases where you are required to provide personal data to comply with the law, where it is necessary to provide personal data to enter into a contract, and the possible consequences of not providing personal data.
• The personal data to be collected, the period of collection, and the period during which the data will be retained.
• The categories of persons or entities to whom the collected personal data may be disclosed.
• Information about us, such as name, contact address, and how to contact the data protection officer.
• Your legal rights.

Use of Personal Data

The Company will use your personal data for the purposes for which it was collected or as authorized by law.

Disclosure of Personal Data

The Company may disclose or transfer your personal data to the board of directors, shareholders, employees, subcontractors, or internal personnel for necessary purposes under the conditions specified for the collection of personal data or as required by law. In addition, the Company may disclose or transfer your personal data to affiliates, subsidiaries, or newly established companies in which the Company holds shares.

The Company may disclose or transfer your personal data to external parties ("Personal Data Processors"), including overseas server providers, external service providers, business partners, government organizations, and others, for purposes necessary under the conditions specified for the collection of personal data or as required by law. This means that such personal data processing has undergone a security assessment for personal data processing in accordance with legal standards.

The Company will control and oversee personal data processors to ensure they meet the personal data protection standards established by law through contracts or personal data processing agreements.

In cases where your personal data is disclosed or transferred to a destination country or international organization that receives personal data, they will apply personal data protection standards no lower than those established by law, through contracts or personal data processing agreements, except:

• Consent has been obtained from you by informing you about the inadequate personal data protection standards of the destination country or international organization collecting personal data.
• Compliance with the law.
• Necessary for the performance of a contract to which you are a party, or to take steps at your request before entering into such a contract.
• Necessary for the performance of a contract between you and another person for your benefit.
• Necessary for important public interest.
• The Company will control and direct the handling of personal data to perform the following duties: collect, use, and disclose personal data for purposes in accordance with instructions received from the Company.

Period of Personal Data Processing

The Company will retain your personal data for the period necessary to use the Okardcare services on your account, or for the necessary period set out in this policy, or as required by law.

If you cancel your Okardcare account, the Company will retain your personal data for the period necessary to fulfill the specified purposes, in this policy, or as required by law.

Your Rights Regarding Personal Data

You can exercise certain rights you have regarding your personal data as detailed below:

1. Right to Withdraw Consent

You have the right to withdraw your consent to the processing of your personal data that you have provided to the Company. However, such withdrawal will not affect the lawful collection, use, and disclosure of your personal data during the period for which you gave consent.

If withdrawing consent will affect you, the Company will inform you of the consequences of such withdrawal before proceeding with the withdrawal of consent according to your right. For example, if you have given consent to access conversations between you and your treating doctor, and later you wish to withdraw your consent, the Company will inform you that withdrawing consent may result in losing continuous access to the service.

2. Right to Access and Request Copies of Personal Data

You have the right to access and request a copy of your personal data, with the personal data provided in a commonly readable or usable format, and the personal data may be used or disclosed automatically.

3. Right to Request the Transmission or Transfer of Personal Data

You have the right to request the Company to transmit or transfer your personal data in a readable, usable format, and the personal data may be used or disclosed by automated means to another data controller.

4. Right to Correct Personal Data

You have the right to request the Company to correct your personal data to ensure it is accurate, current, complete, and not misleading.

5. Right to Object to Processing of Personal Data

You have the right to object to the collection, use, or disclosure of your personal data that the Company processes for the following purposes:

• Regarding public interest or state authority.
• Regarding direct marketing.
• Regarding scientific research, historical research, or statistics.
6. Right to Request Deletion or Destruction of Personal Data

You have the right to request the deletion, destruction, and de-identification of personal data in the following cases:

• When personal data is no longer necessary for the purposes for which it was processed.
• When in any event, the Company has no legal authority to process your personal data.
• When you exercise the right to withdraw your consent to the processing of your personal data and the Company has no legal authority to continue processing your personal data.
• When you object to the processing of your personal data and the Company must comply with your request.
7. Right to Restrict the Use of Personal Data

You have the right to request that your personal data be restricted from use in the following cases:

• While the rights regarding your personal data are being verified and corrected to ensure they are accurate, complete, and not misleading.
• While exercising your right to object to the collection, use, and disclosure of your personal data during the period of verification.
• When your personal data must be deleted or destroyed but you exercise your right to request that the use of your personal data be restricted instead.
• When your personal data is no longer necessary to retain for processing, but you can request that it be retained for the purposes of legal claims, compliance with or performance of legal claims, or defense of legal claims.
8. Right to File a Complaint

If you believe that your personal data is being processed in a manner inconsistent with the purposes for which it was collected or authorized by law, you have the right to file a complaint with the Company regarding the processing of your personal data.

You can exercise your rights by accessing your Okardcare account (https://okardcare.com/en/contact-us) or by filling out a rights request form. Upon receiving your request, the Company will process it according to the details below:

• Rights of personal data subjects, contact channels, processing time (within days)
• Self-service on the Okardcare website by filling out the rights request form — Right to withdraw consent (within 7 days).
• Right to request access and obtain a copy of personal data (immediate).
• Right to request the transmission or transfer of personal data (within 30 days).
• Right to request correction of personal data (immediate).
• Right to object to the processing of personal data (within 30 days).
• Right to request the deletion or destruction of personal data (within 30 days).
• Right to suspend the use of personal data (within 30 days).

Note: The processing time is calculated from the date the Company receives complete documentation. In addition, if you have any questions or recommendations regarding the processing of your personal data, you may contact the Company's data protection officer through the contact channels provided. The Company reserves the right to refuse to comply with your request if your request is unreasonable, or if the Company has the legal right to continue processing your personal data. In cases where the Company is unable to comply with your request, the Company will record the data subject's request along with the reason in the personal data processing register. In addition, if you reside in Europe (EEA), in addition to the rights mentioned above, you also have the right to file a complaint with your local data protection authority.

Data Security

The Company has established appropriate security measures to prevent the loss, access, use, alteration, modification, or disclosure of personal data without authorization or improper actions. Such measures will be reviewed as necessary, or as technology changes, to ensure the effectiveness of data in maintaining appropriate security. These measures will preserve the confidentiality, integrity, and availability of data to prevent loss, access, use, alteration, modification, or disclosure. In addition, the Company will establish personal data security measures, including administrative, technical, and physical safeguards. These measures prevent inappropriate access to personal data (access controls), and combat spam, spyware, or viruses. You can report incidents that may affect the Company's security at info@okardcare.com

The Company has established a monitoring system to delete or destroy personal data when the following conditions are met:

• When the period for collection, use, and disclosure has expired.
• When personal data is no longer relevant or necessary to retain.
• When the data owner requests it or withdraws consent, except when personal data is collected, used, or disclosed for the purposes of exercising freedom of expression, historical archiving, document preservation, or related to research or statistics, performing duties for public benefit, complying with the law to achieve specific purposes, establishing legal claims, and complying with or defending legal claims.

Account & Data Deletion

You can permanently delete your Okardcare account and the personal data associated with it at any time, using either the in-app option or the web request page below.

Option 1: Delete from inside the app (recommended)

If you can sign in to the Okardcare app, this is the fastest way to delete your account and data:

1. Open the Okardcare app and sign in.
2. Go to Profile → Settings → Account.
3. Tap "Delete Account" and confirm with your password or OTP.
4. Your account is queued for deletion immediately and removed from our active systems within 30 days.

Option 2: Request deletion from the web

If you cannot access the app, you can request account and data deletion without signing in at: https://okardcare.com/en/account-deletion

What gets deleted

When you delete your account, the following data is permanently removed from our active systems within 30 days:

• Your profile information (name, photo, date of birth, contact details).
• Your account credentials (email, phone number, password).
• Your appointment history and consultation notes (subject to legal retention below).
• Your messages and chat history with healthcare providers.
• Your saved preferences and device tokens.

What is retained, and for how long

Some data must be kept after account deletion to comply with the Law on Personal Data Protection No. 25/NA (2017), the Lao Accounting Law, and other applicable regulations. We retain only the minimum necessary, securely and in restricted form:

• Medical and consultation records: Retained for up to 5 years from the consultation date to comply with healthcare record-keeping obligations.
• Financial and payment records: Retained for up to 10 years to comply with the Lao Accounting Law and tax regulations.
• Anonymized analytics: Aggregated, de-identified usage data may be retained indefinitely. This data cannot be linked back to you.
• Legal hold: If your data is subject to an active legal claim, regulatory investigation, or law enforcement request, we will retain it until the matter is resolved.

Timeline

Active-system deletion is completed within 30 days of your request. Backup copies are overwritten on a rolling basis and fully expire within 90 days. After these periods, only the legally required data described above remains, kept in a restricted, access-controlled form.

Personal Data Breach Notification

In the event of a breach of your personal data, the Company will notify the Office of the Personal Data Protection Commission without delay, within 72 hours of becoming aware of the breach where feasible. If the breach poses a high risk to your rights and freedoms, the Company will inform you of the breach and provide remedial measures without delay through various channels such as the website, messages, email, telephone, and others.

Policies of Linked Sites and Other Third Parties

This policy applies only to the provision of health consulting services, treatment, recommendation of treatment facilities, and the use of Okardcare. The use of Okardcare may include links to other websites that are not owned or controlled by the Company. Please understand that the Company is not responsible for the privacy practices of other websites. Therefore, the Company recommends that you contact or carefully study the personal data protection policies of third parties before providing your personal data to third parties that process personal data.

Changes to the Privacy Policy

The Company may update this policy from time to time. You can review the terms and conditions of the updated policy on the Company's website as detailed below: This policy was last revised and is effective as of 30 August 2024.

Contact Details

If you have any questions about this policy, including the exercise of your personal data rights, you can contact the Company or its data protection officer through the following details:

Okardtech Co., Ltd.

Road 13 South, Saphangmuek Village, Saythany District, Vientiane Capital

Support center: info@okardcare.com

Email: okard.xpds@gmail.com