Legal

PRIVACY POLICY

Last updated: 21 May 2026

XAICARE LTD ("we"), a company registered in England and Wales, runs suna.health. We collect what you give us when you join the waitlist or reserve, plus basic technical data about your visit. We use it to run your reservation, improve the site, and measure our marketing, based on contract, our legitimate interests, and where required your consent.

We share it only with service providers who help us run SUNA:

• Payments: Stripe Payments Europe Ltd (Ireland) for EU/UK customers, Stripe Inc (USA) for everyone else. They store your name, email, billing address and payment method so we can charge your deposit, the device remainder before shipping, and your monthly subscription. Stripe is our PCI-compliant payments partner; we never see your card details. Stripe's privacy notice: https://stripe.com/privacy.
• Hosting and email: Vercel (USA) hosts the site; Resend (USA) sends our emails.
• Marketing measurement: Meta, TikTok and Pinterest receive hashed event data so we can measure our ads.
• Error tracking: Sentry (Sentry Inc., based in San Francisco; EU customer data is processed at their Frankfurt data center) receives error reports including your email address and user ID for debugging payment and account issues. Sentry's privacy notice: https://sentry.io/privacy/. We use Sentry's EU region to keep this data inside the EEA for UK/EU users.
• Product analytics: PostHog receives anonymized usage analytics.
• Database: Supabase (EU region).

Where data leaves the UK or EEA we rely on UK / EU adequacy decisions, the EU-US Data Privacy Framework, or Standard Contractual Clauses, as applicable. We keep your data only as long as needed or required by law.

────────────────────────────────────────

WHAT WE DO NOT DO

• We do not sell your personal data. Not to anyone. Not ever.
• We do not share your data with advertisers for re-targeting outside our own ad-measurement events.
• We do not share your data with health insurers, employers, or background-check services.
• We do not allow third-party data brokers to access your account.
• We do not use your data to train models for any third party.

────────────────────────────────────────

DATA SECURITY

• Sensitive fields at rest are encrypted using AES-256.
• All data in transit uses TLS 1.3.
• Payment card details never touch our servers (handled by Stripe, PCI-DSS).
• Authentication tokens are scoped, expire, and can be revoked.
• Error data sent to Sentry is processed in their EU (Frankfurt) region for UK/EU users.
• We use least-privilege access controls internally; only the people who need to see something do.

────────────────────────────────────────

HEALTH DATA (SPECIAL CATEGORY)

When you use SUNA, we may process information about your digestion, gut, and nutrition. Under UK GDPR this is special-category (health) data. We process it only with your explicit consent (UK GDPR Article 9(2)(a)), solely to provide your wellness insights and the SUNA service. You can withdraw consent at any time by emailing echo@suna.health, after which we stop processing and delete this data unless we are required to keep it by law. SUNA is a wellness product and does not provide medical diagnosis.

────────────────────────────────────────

YOUR RIGHTS

Under UK GDPR you can access, correct, delete, export, restrict, or object. Email echo@suna.health, or complain to the ICO at ico.org.uk. SUNA is for adults.

────────────────────────────────────────

CHANGES TO THIS POLICY

We may update this policy as the product changes. For any material change (new data collected, new processor added, expanded data sharing), we will give reasonable advance notice by email before the change takes effect. The "Last updated" date at the top is always current.

────────────────────────────────────────

COOKIES

Some cookies are required for the site to work. They're always on:

• Your reservation, currency, and referrals.
• Stripe payment cookies during secure checkout.

Other cookies are for advertising and measurement: Meta Pixel (_fbp, _fbc), TikTok pixel (_ttp), and Pinterest tag (_epik). Where required by law we show a banner asking before any of these are set. To change your choice later: click "Cookie Preferences" in the footer, or add ?cookies=1 to any URL. Your decision is stored on your device for one year.

────────────────────────────────────────

CONTACT

echo@suna.health
suna.health

Disclaimer! Wellness device. Not medical. Not diagnostic. Ask your doctor.

© 2026 Suna Health