Zonitas Privacy Policy

Introduction

Policy effective from 11th July 2025 This Privacy Notice for Zonitas ("we," "us," or "our") describes how and why we access, collect, store, use, and/or share ("process") your personal information when you use our services ("Services").

Collection and Use of Information

Any user registration information that you provide to Zonitas or its products, Zonitas LabConnexa and Zonitas LabTrace, will be treated with high standards of security and confidentiality, strictly in accordance with Irish Data Protection Acts, the EU General Data Protection Regulation and any guidance issued by the Data Protection Commission. Zonitas or its products will not collect any personal information without your knowledge. Any information collected is used for a particular purpose, such as:

• Register and manage user accounts.
• Arrange and coordinate medical sample transport.
• Provide service notifications and customer support.
• Monitor service performance and improve our platform.
• Download and use our mobile application or any other application of ours that links to this Privacy Notice.

The type of information we collect includes:

• Names
• Phone numbers
• Email addresses
• Passwords (fully encrypted; we don’t have any visibility)
• Hospital name
• User address
• Information related to your sample delivery and services(collection timestamp and delivery timestamp)
• Product Usage Report

Lawful Basis for Processing Personal Data

Zonitas processes your personal data in accordance with the requirements of the General Data Protection Regulation (GDPR) and Irish Data Protection Acts. The lawful basis for processing your data depends on the nature of your interaction with our services and includes:

• Contractual necessity: We process data to fulfill our obligations in delivering services such as arranging and tracking the transport of medical samples, facilitating communication between hospitals and labs, and maintaining secure system access for authorised users.
• Legitimate interests: We process certain data to support the ongoing performance, safety, and security of our platform. This includes improving product features, auditing sample logistics, and ensuring service reliability—without compromising your rights or freedoms.
• Consent: In cases where we collect optional data or use your information for purposes beyond service provision (such as customer surveys or newsletters), we will request your explicit consent. You can withdraw this consent at any time.

Sensitive Data and Explicit Consent

Zonitas does not process any special category data, such as patient medical information or health records, through our platform. If our services evolve to include the handling of such data, we will only do so with your explicit consent and in compliance with Article 9 of the GDPR.

When and with whom do we share your personal information

We do not share information that our product collects with third parties. Zonitas will not release any of your details to a third party without your consent.

Do we use cookies and other tracking technologies?

We do not use cookies to track information on our end, but the browsers might install cookies which we can’t access and are not liable for.

Is your information transferred internationally?

No. All the information is stored in Ireland.

Data Storage

Zonitas uses cloud-based data storage services provided by Amazon Web Services (AWS), with all data securely stored in Ireland. While we and AWS take reasonable and robust measures to safeguard your data, no method of electronic transmission or storage is entirely risk-free.

Privacy by Design and Data Protection Impact Assessments

Privacy by Design

Zonitas follows the principles of Privacy by Design and by Default by embedding data protection into our system architecture and business practices. This includes:

• Limiting personal data collection to what is necessary for service delivery.
• Implementing technical safeguards such as encryption and secure access controls.
• Regularly reviewing data handling procedures as part of our internal compliance efforts.

Data Protection Impact Assessments (DPIAs)

Zonitas does not currently process special category (sensitive) data such as patient health records. As such, a formal Data Protection Impact Assessment has not yet been required under GDPR Article 35.

However, we recognise our obligation to assess and mitigate risks. We commit to conducting DPIAs before implementing any new processing activities that may:

• Involve special category data.
• Use large-scale tracking or profiling.
• Introduce new technologies or data flows that could affect individuals' rights and freedoms.

We will also conduct DPIAs in line with Irish Data Protection Commission guidance as our services expand.

Security, Auditability & Breach Response

Security Measures

Zonitas takes reasonable and proportionate steps to protect the personal data we process. Our current measures include:

• Secure cloud storage through Amazon Web Services (AWS) in Ireland.
• Encrypted transmission (HTTPS/SSL) and encryption at rest.
• Role-based access to internal systems.

As the platform evolves, we plan to introduce further safeguards such as multi-factor authentication (MFA) and enhanced endpoint monitoring.

Auditability

We do not currently maintain detailed system-level access logs. However, we plan to implement basic access logging and monitoring as the platform evolves, to help detect unusual activity and support future auditability. These controls will be developed in line with our internal risk management goals and data protection obligations.

Incident Response & Breach Handling

Zonitas maintains a basic incident response procedure to detect, assess, and respond to data breaches or system security issues. This includes:

1. Identification and initial containment of the issue.
2. Internal investigation and root cause analysis.
3. Corrective actions to mitigate future risk.
4. Notification to the Irish Data Protection Commission within 72 hours if required under GDPR.
5. Informing affected users promptly where applicable.

Continuous Improvement

We are committed to maturing our security practices alongside the growth of our platform. This includes periodic policy reviews, staff awareness training, and external consultation where necessary.

How long do we keep your information?

We will only keep your personal information for as long as it is necessary for the purposes set out in this Privacy Notice, unless a longer retention period is required or permitted by law.

Your Rights

Under certain circumstances, and dependent on the legal basis under which your personal data is processed, by law you have the right to:

• Request information about whether we hold Personal Data about you, and, if so, what that Personal Data is and why we are holding/using it.
• Request access to your Personal Data (commonly known as a “Data Subject access request”).
• Request the correction of the Personal Data that we hold about you.
• Request erasure of your Personal Data.
• Object to the processing of your Personal Data.
• Object to automated decision-making, including profiling Request the restriction of the processing of your Personal Data.
• Request transfer of your Personal Data in an electronic and structured form (“data portability”).

How do you exercise your rights?

If you have any questions about this policy or about our data protection compliance, please contact us.

To exercise your rights, contact us and we will respond to your request within 30 days.

Contact Information:

Telephone: 01 843 8243

Email: info@zonitas.com

Address: Kenure Demesne, Rush, Co. Dublin, K56 DC66, Ireland.

Your Right to Lodge a Complaint

You, as the Data Subject, have the right to complain at any time to a supervisory authority in relation to any issues related to our processing of your Personal Data. We would like to hear from you first if you have a complaint so that we may rectify the issue. As our organisation is located in Ireland and we conduct our data processing here, we are regulated by the Irish Data Protection Commissioner.

Changes to this Privacy Policy

We may update this Privacy Policy from time to time. Any changes will be posted on our site with the revised date. We encourage you to review this Privacy Policy periodically.