Privacy Notice

Last Updated: May 2026

Purpose: This Privacy Notice explains how Xim Limited ("Xim", "we", "us", or "our") collects, uses, discloses and protects personal data in connection with the Lifelight® Measurement Technology, Lifelight Connect Applications Developed and Distributed by Xim, Third Party Applications That Integrate Lifelight Using the Lifelight Software Development Kit (SDK), Our Websites and Online Services, Marketing Communications and Events, Recruitment Activities, Supplier And Commercial Relationships, and Regulatory, Safety and Corporate Governance Obligations.

Lifelight technology enables physiological measurements to be derived from camera based optical signals captured from the skin surface.

This Privacy Notice applies globally. Where local privacy laws provide additional rights or stricter protections, those requirements apply in addition to this Notice.

Introduction
Who We Are
Privacy Laws That May Apply
How Lifelight Technology Is Delivered
Categories Of Personal Data We Process
Age Restrictions and Children
Purposes Of Processing and Legal Bases
Special Category (Health) Data
Data Sharing
International Transfers
Data Retention
Security and Technology
Website Analytics and Cookies
Your Data Protection Rights
Complaints
United States Privacy Rights
Changes To This Notice
South Africa — Additional Provisions Under POPIA

1. Introduction

This Privacy Notice explains how Xim Limited ("Xim", "we", "us", or "our") collects, uses, discloses and protects personal data in connection with:

The Lifelight® Measurement Technology

Lifelight Connect Applications Developed and Distributed by Xim
Third Party Applications That Integrate Lifelight Using the Lifelight Software Development Kit (SDK)
Our Websites and Online Services
Marketing Communications and Events
Recruitment Activities
Supplier And Commercial Relationships
Regulatory, Safety and Corporate Governance Obligations

Lifelight technology enables physiological measurements to be derived from camera based optical signals captured from the skin surface.

This Privacy Notice applies globally. Where local privacy laws provide additional rights or stricter protections, those requirements apply in addition to this Notice.

2. Who We Are

Xim Limited
The University of Southampton Science Park
2 Venture Road
Chilworth
Southampton
SO16 7NP
United Kingdom

Company Number: 3699022
ICO Registration Number: ZA24174

Data Protection Officer

Prior Analytics Ltd
Email: dpo@lifelight.ai

Where required under applicable law, including Article 27 EU GDPR, Xim may appoint local privacy representatives.

3. Privacy Laws That May Apply

Depending on your location and how the Lifelight service is used, your personal data may be subject to one or more applicable data protection and privacy laws.

Comprehensive Data Protection Frameworks

Personal data may be protected under comprehensive privacy laws including:

Australia – Privacy Act 1988 and Australian Privacy Principles (APPs)
Brazil – Lei Geral de Proteção de Dados (LGPD)
European Union – General Data Protection Regulation (EU GDPR)
Germany – Telecommunications Digital Services Data Protection Act (TDDDG) and related ePrivacy requirements governing cookies, local storage and access to information stored on user devices
Mexico – Federal Law on the Protection of Personal Data Held by Private Parties (LFPDPPP)
Peru – Personal Data Protection Law (Law No. 29733) and implementing regulations
South Africa – Protection of Personal Information Act (POPIA)
Switzerland – Federal Act on Data Protection (FADP) and Ordinance on Data Protection (ODP)
Thailand – Personal Data Protection Act (PDPA)
United Kingdom – UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018

United States Privacy Laws

Where the service is used in the United States, applicable federal and state privacy laws may apply, including the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) and other state privacy laws such as those in Colorado, Virginia, Connecticut, Utah, Texas, Oregon, Montana, Delaware, Iowa, Indiana, Tennessee and Florida.

Where Lifelight is deployed by healthcare organisations subject to the Health Insurance Portability and Accountability Act (HIPAA), Xim may act as a Business Associate and process protected health information in accordance with applicable Business Associate Agreements.

Other national or regional privacy laws may apply depending on the jurisdiction in which the service is deployed or accessed.

4. How Lifelight Technology Is Delivered

Lifelight technology may be deployed in different configurations depending on the product implementation.

4.1 Lifelight Connect (Xim Application)

In some cases, Lifelight is delivered through Lifelight Connect, an application developed and distributed directly by Xim.

Lifelight Connect incorporates the Lifelight measurement engine and may be distributed through mobile application stores including:

Apple App Store
Google Play Store

Where individuals use Lifelight Connect directly, Xim acts as the Data Controller responsible for determining how personal data is processed within the application.

This includes responsibility for:

User Account Management Where Applicable
Physiological Signal Processing
Generation of Vital Sign Measurements
Storage of Production Signals
Platform Security and Integrity
Medical Device Regulatory Compliance and Safety Monitoring

4.2 Partner Applications Using the Lifelight SDK

Lifelight technology may also be integrated into third party applications using the Lifelight Software Development Kit.

In these deployments, the organisation operating the host application generally determines how Lifelight functionality is incorporated into the service provided to end users. The partner organisation typically acts as the Data Controller for activities such as User Identity and Account Management, Patient or User Records Maintained Within the Partner Application, the Clinical or Service Context in Which Lifelight Measurements Are Used, and Decisions Regarding How Measurements Are Presented, Interpreted or Stored.

Xim provides the Lifelight technology that processes optical signals captured by the device camera to generate physiological measurements. In connection with the operation of the Lifelight technology, Xim may process data relating to:

Optical Physiological Signal Capture
Signal Processing and Measurement Generation
Operation and Performance of The Lifelight Measurement Engine
System Security and Integrity Monitoring
Medical Device Regulatory Compliance and Safety Monitoring

Depending on the technical architecture and contractual arrangements in place, Xim may act as a Data Processor, Independent Data Controller, or Joint Controller for specific processing activities. The allocation of responsibilities between Xim and the partner organisation is defined in the applicable contractual agreements and data protection documentation governing the integration.

4.3 Lifelight Measurement Engine

The Lifelight measurement engine analyses optical signals captured from the skin surface using device cameras to estimate physiological measurements. This involves analysing subtle variations in light reflected from the skin to derive vital sign measurements.

Facial video signals are processed transiently during measurement to extract physiological signals. Xim does not retain still facial images, video recordings or audio recordings as part of this process. The Lifelight system does not perform facial recognition, identity verification, or biometric identification.

5. Categories Of Personal Data We Process

Xim may process the following categories of personal data.

Identity And Contact Data

Name
Email Address
Telephone Number
Job Title
Organisation
Account Identifiers
Consent Records

Technical And Usage Data

IP Address
Device Identifiers
Device Type and Operating System
Application Usage Data
Authentication Logs
Security Logs
Cookie Identifiers
Local Device Storage Information, including consent preferences, application settings, and user-enabled biometric inputs stored on the device

Health And Sensitive Data

Optical Physiological Signals Derived from Camera Capture
Demographic Inputs Such as Age, Sex (at birth) and Height
Derived Vital Sign Measurements

Facial video signals used during measurement are processed temporarily and are not retained.

6. Age Restrictions and Children

Lifelight technology and Lifelight Connect are intended for use by individuals who are 18 years of age or older.

Xim does not knowingly collect or process personal data relating to individuals under the age of 18. Lifelight technology must not be used by, or on behalf of, individuals under the age of 18.

If Xim becomes aware that personal data relating to an individual under the age of 18 has been collected, that information will be deleted as soon as reasonably practicable.

7. Purposes Of Processing and Legal Bases

Under UK GDPR and EU GDPR, personal data must be processed using a lawful basis.

Purpose	Legal Basis
Provision of Lifelight Measurement Services	Article 6(1)(b) Contract
Operation of Lifelight Within Partner Applications	Article 6(1)(f) Legitimate Interests
Platform Security and Fraud Prevention	Article 6(1)(f) Legitimate Interests
Medical Device Regulatory Compliance	Article 6(1)(c) Legal Obligation
Public Health Collaboration or Research Programmes	Article 6(1)(e) Public Task
Business Administration and Commercial Relationships	Article 6(1)(f) Legitimate Interests
Marketing Communications	Consent Or Legitimate Interests

Where Legitimate Interests are relied upon, Xim conducts an assessment to ensure those interests do not override the rights and freedoms of individuals.

8. Special Category (Health) Data

Health data constitutes Special Category Personal Data under Article 9 GDPR. Xim processes health data using the following lawful bases where applicable.

Explicit Consent – Article 9(2)(a)

Used where individuals voluntarily use Lifelight Connect or other direct consumer deployments.

Where users separately opt in to analytics and app improvement features, Xim may process limited technical, behavioural, and health-related usage information associated with use of the application, such as measurement events, feature usage, and engagement metrics, for:

Product improvement
Service analytics
Aggregated usage reporting
Platform performance monitoring

This analytics consent is optional, is not required in order to use the application, and may be withdrawn at any time through the application settings.

Health Or Social Care Purposes – Article 9(2)(h)

Used where Lifelight operates within healthcare environments for Health Monitoring, Provision of Healthcare, and Clinical Assessment. In these circumstances, Xim may act as a Data Processor acting on the instructions of the healthcare organisation acting as the Data Controller.

Public Interest in Public Health – Article 9(2)(i)

Used for activities including Medical Device Safety Monitoring, Regulatory Reporting, Post Market Surveillance, and Public Health Protection. These activities are supported under Schedule 1 Part 1 of the Data Protection Act 2018.

10. International Transfers

Personal data may be transferred to, stored in, or accessed from countries outside the United Kingdom where this is necessary for the operation of Lifelight services, global infrastructure, or regulatory and commercial activities.

These transfers may involve personal data being processed, stored, or remotely accessed from jurisdictions including the United Kingdom, Member States of the European Union or European Economic Area, the United States, Australia, Brazil, Mexico, Peru, South Africa, Switzerland, Thailand, and other countries where Xim, its affiliates, partners, service providers, or regulatory authorities operate.

Where personal data is transferred internationally, Xim implements appropriate safeguards in accordance with applicable data protection laws. These safeguards may include the use of approved contractual clauses, data transfer agreements, or reliance on recognised adequacy decisions, where available. Under certain laws such as South African laws, Xim may rely on consent for transfers from South Africa to the United Kingdom or other jurisdictions.

Where personal data is transferred outside the United Kingdom or European Economic Area to countries that do not benefit from an adequacy decision, appropriate safeguards are implemented to ensure that personal data remains protected.

Transfer risk assessments are conducted where required by applicable data protection laws.

11. Data Retention

Personal data is retained only for as long as necessary for the purposes described in this Privacy Notice.

Typical retention periods include:

Data Category	Retention Period
Account And User Profile Information	Duration Of Account Plus Up To 2 Years
Application Usage and Technical Logs	12 Months
Security And Authentication Logs	Up To 24 Months
Physiological Measurement Data and Production Signals	Up To 7 Years Where Required for Medical Device Regulatory Compliance
Customer And Commercial Relationship Data	6 Years
Recruitment Data	12 Months

Where data is no longer required, it is securely deleted or anonymised.

12. Security and Technology

Xim implements appropriate technical and organisational security measures including: Encryption In Transit and at Rest, Role Based Access Controls and Authentication Safeguards, Audit Logging and Monitoring, Infrastructure Monitoring and Vulnerability Management, Incident Response Procedures, and Secure Cloud Infrastructure.

The measurements generated by Lifelight are intended to support health monitoring and clinical assessment but do not replace the judgement of qualified healthcare professionals. Clinical interpretation and any healthcare decisions remain the responsibility of appropriately qualified practitioners or authorised organisations using the technology.

13. Website Analytics and Cookies

Our websites use cookies and similar technologies to support website functionality, analytics and security monitoring.

Where required by applicable law, cookie consent mechanisms are used to allow users to manage their preferences.

Further information about the cookies used on our websites, including their purpose and duration, is provided in our Cookie Policy.

Xim applications, websites and online services may use cookies, local storage, device identifiers and similar technologies to support platform functionality, security, consent management, analytics and application performance.

Certain storage technologies are strictly necessary for the operation and security of the service. Where required by applicable law, including under ePrivacy, PECR or equivalent local laws, consent mechanisms are used to allow users to manage preferences relating to non-essential analytics or tracking technologies.

App Analytics

The Lifelight Connect app uses Mixpanel, a third-party analytics tool, to help us understand how the app is used and to improve your experience. Unlike website cookies, app analytics are only activated if you choose to allow them when you first open the app. No analytics data is collected before you have given your consent.

You can change your analytics preference at any time in the Settings section of the app.

14. Your Data Protection Rights

Depending on where you are located, you have a number of rights under applicable regional data protection laws.

Right Of Access
Individuals have the right to request confirmation of whether their personal data is being processed and to obtain access to that data together with information about how it is used.

Right To Rectification
Individuals may request correction of inaccurate or incomplete personal data.

Right To Erasure
Individuals may request deletion of personal data where the data is no longer necessary for the purposes for which it was collected, where consent has been withdrawn, or where processing is unlawful. This right may be limited where processing is required to comply with legal obligations or to support medical device regulatory and safety requirements.

Right To Restrict Processing
Individuals may request that processing of their personal data is restricted in certain circumstances, for example while the accuracy of data is being verified.

Right To Data Portability
Where processing is based on consent or contract and carried out by automated means, individuals may request a copy of their personal data in a structured, commonly used and machine-readable format.

Right To Object
Individuals may object to processing carried out on the basis of Legitimate Interests. Individuals also have the right to object at any time to the processing of personal data for direct marketing purposes.

Right To Withdraw Consent
Where processing relies on consent, individuals have the right to withdraw consent at any time.

Regional Privacy Rights

Depending on your location, you may have certain rights regarding your personal data under applicable privacy laws.

European Union and United Kingdom
Individuals located in the European Union or the United Kingdom may exercise rights under the EU General Data Protection Regulation and UK GDPR, including rights to access, correct, erase, restrict or object to processing of personal data, request data portability where applicable, and lodge a complaint with a supervisory authority.

Switzerland
Individuals located in Switzerland may exercise rights under the Federal Act on Data Protection (FADP), including the right to request information about personal data processed about them, request correction of inaccurate personal data, and object to certain processing activities where permitted by law.

Brazil
Individuals located in Brazil may exercise rights under the Lei Geral de Proteção de Dados (LGPD), including rights to confirmation of processing, access to personal data, correction of inaccurate or incomplete information, anonymisation or deletion of unnecessary data, data portability where applicable, information about data sharing, and the right to withdraw consent where processing is based on consent.

South Africa
Individuals located in South Africa may exercise rights under the Protection of Personal Information Act, 2013 (POPIA). A full statement of those rights (including the rights to notification, access, correction, deletion, objection, withdrawal of consent and complaint), the contact details of the Deputy Information Officer, and the procedure for exercising them, is set out in Section 18 of this Privacy Notice.

Australia, Mexico, and Peru
Individuals located in Australia, Mexico, or Peru may exercise rights under applicable national data protection laws, including rights to access personal data held about them, request correction of inaccurate data, request deletion or blocking of data where permitted, and object to certain processing activities in accordance with local legal requirements.

United States Privacy Rights
Where applicable U.S. state privacy laws apply, individuals located in certain U.S. states may have rights regarding their personal information, including the right to access personal information held about them, correct inaccuracies in their personal information, request deletion of personal information, obtain a portable copy of their personal information, opt out of the sale of personal information or targeted advertising where applicable, and appeal a refusal to take action on a privacy request where permitted by law.

These rights may arise under state privacy laws including the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) and similar privacy laws adopted in states such as Colorado, Virginia, Connecticut, Utah, Texas, Oregon, Montana, Delaware, Iowa, Indiana, Tennessee and Florida.

Xim does not sell personal information and does not use health data for targeted advertising.

Automated Processing
Lifelight technology uses algorithmic analysis to generate physiological measurements. These outputs do not themselves constitute decisions producing legal or similarly significant effects for individuals.

To exercise any of your rights, please contact our Data Protection Officer at dpo@lifelight.ai.

15. Complaints

If you have concerns about how your personal data is handled, please contact:

Email: dpo@lifelight.ai

You also have the right to lodge a complaint with a supervisory authority.

United Kingdom – Information Commissioner's Office (ICO)
ICO Head Office: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Tel: 0303 123 1113 (local rate) or 01625 545 745
Visit: https://ico.org.uk/make-a-complaint

European Union – Relevant National Data Protection Authority
Brazil – Autoridade Nacional De Proteção De Dados
South Africa – Information Regulator
Thailand – Personal Data Protection Committee

16. United States Privacy Rights

Where applicable U.S. state privacy laws apply, individuals may have rights to:

Access Personal Information
Correct Inaccuracies
Delete Personal Information
Obtain Portable Copies of Data
Opt Out of Targeted Advertising
Appeal Denied Requests

Xim does not sell personal information and does not use health data for targeted advertising.

17. Changes To This Notice

We may update this Privacy Notice periodically. The most current version will always be available:

On Our Website
Within Lifelight Connect or Relevant Applications

18. South Africa — Additional Provisions Under POPIA

This Section 18 applies in addition to the other provisions of this Privacy Notice where Lifelight Connect, the Lifelight measurement engine, or Xim's associated websites or services are used by data subjects located in the Republic of South Africa, or where personal information of such data subjects is otherwise processed by Xim. In the event of any conflict between this Section 18 and any other provision of this Privacy Notice, this Section 18 prevails in respect of South African data subjects. The balance of this Privacy Notice continues to apply globally and is not limited by this Section 18.

18.1 Application of POPIA

The processing of personal information of South African data subjects by Xim is subject to the Protection of Personal Information Act, 2013 (POPIA). POPIA applies to Xim by virtue of section 3(1)(b) of POPIA, which extends POPIA to responsible parties not domiciled in South Africa where they make use of automated or non-automated means in South Africa.

For the purposes of POPIA, Xim is the "responsible party" in respect of the processing of personal information of South African users of Lifelight Connect and the Lifelight measurement engine.

18.2 Responsible Party

Xim Limited
The University of Southampton Science Park, 2 Venture Road, Chilworth, Southampton SO16 7NP, United Kingdom
Company Number: 3699022

18.3 Information Officer

In compliance with section 55 of POPIA, Xim has appointed an Information Officer who is registered with the Information Regulator. South African data subjects may direct enquiries, requests and complaints to the Information Officer.

Information Officer: Claire Robinson, Prior Analytics Ltd, Xim Limited.
Email: dpo@lifelight.ai

18.4 Lawful Bases for Processing Under POPIA

Xim processes the personal information of South African data subjects on one or more of the following lawful bases under section 11(1) of POPIA, according to the purpose of the processing:

(a) Consent (section 11(1)(a)): your consent captured at sign-up is the primary basis for the processing of personal information through Lifelight Connect and the Lifelight measurement engine, and for the processing of special personal information (in the form of explicit consent under section 27(1)(a), as addressed in Section 18.5).

(b) Performance of a contract (section 11(1)(b)): processing necessary to provide the services you have subscribed to, to administer your account, and to take steps at your request prior to entering into a contract.

(c) Compliance with a legal obligation (section 11(1)(c)): processing necessary for Xim to comply with obligations imposed by law, including medical-device regulatory, pharmacovigilance, tax and accounting obligations.

(d) Protection of a legitimate interest of the data subject (section 11(1)(d)): limited processing necessary to protect your account and your personal information, including account-recovery and user-verification activities.

(e) Legitimate interests pursued by Xim or a third party (section 11(1)(f)): processing necessary for the legitimate interests of Xim or a third party to whom the information is supplied, including platform and information security, fraud prevention, network integrity, analytics performed on an aggregated or de-identified basis, and the defence of legal claims. Such processing is carried out subject to a balancing assessment against your rights and interests.

Where consent is the lawful basis, you may withdraw your consent at any time in accordance with section 11(2)(b) of POPIA, by contacting the Information Officer. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal and does not affect processing that rests on another lawful basis.

18.5 Special Personal Information

Under POPIA, health-related information and biometric information constitute "special personal information" (as defined in section 26 of POPIA). Xim processes your special personal information on the basis of your explicit consent, given at sign-up in accordance with section 27(1)(a) of POPIA. You may withdraw your consent at any time by contacting the Information Officer, subject to the lawful bases on which Xim may continue to process personal information where permitted or required by applicable law.

18.6 Health Information

Health information is processed only for the purposes described in this Privacy Notice and, in particular, to generate vital sign measurements and provide the functionality of Lifelight Connect and the Lifelight measurement engine. Access to health information within Xim is limited to persons who are subject to a duty of confidentiality and who require access for the proper performance of their duties. Health information is not used for marketing purposes and is not disclosed to third parties save as described in Section 9 of this Privacy Notice and Section 18.8 below.

18.7 Children

In compliance with section 35 of POPIA, Xim does not knowingly process the personal information of children (being persons under 18 years of age). The Lifelight technology and Lifelight Connect are not intended for use by, or on behalf of, persons under 18. If Xim becomes aware that personal information of a person under 18 has been collected, such information will be deleted as soon as reasonably practicable.

18.8 Cross-border Transfers

Personal information of South African data subjects is transferred to, and processed in, the United Kingdom and may be transferred to other jurisdictions in which Xim or its operators carry on business or maintain infrastructure, as described in Section 10 of this Privacy Notice. Such transfers are made in compliance with section 72 of POPIA, and are supported by: (i) binding contractual safeguards that are substantially similar to the conditions for lawful processing under POPIA (section 72(1)(a)); and/or (ii) your consent to the transfer, captured at sign-up (section 72(1)(b)).

By consenting to the processing of your personal information at sign-up, you also consent to the transfer of your personal information to the United Kingdom and to other jurisdictions identified in this Privacy Notice.

18.9 Direct Marketing

Xim will send direct marketing communications by electronic means to South African data subjects only where you have given your prior opt-in consent under section 69 of POPIA, or where you are an existing customer of Xim and the communication relates to similar products or services, in each case in accordance with section 69(3) of POPIA. You may object to or opt out of direct marketing at any time through the unsubscribe mechanism provided in every marketing communication, in compliance with section 45 of the Electronic Communications and Transactions Act, 2002 (ECTA).

18.10 Your Rights Under POPIA

In addition to the rights set out in Section 14 of this Privacy Notice, South African data subjects have the following rights under POPIA: (i) to be notified that personal information about you is being collected (section 18); (ii) to request access to your personal information held by Xim (section 23); (iii) to request correction, destruction or deletion of your personal information (section 24); (iv) to object, on reasonable grounds, to the processing of your personal information (section 11(3)); (v) to object to the processing of your personal information for direct marketing (section 11(3)(b)); (vi) to withdraw your consent at any time (section 11(2)(b)); and (vii) to lodge a complaint with the Information Regulator (section 74).

Requests and objections should be addressed to the Information Officer at the contact details provided in Section 18.3 above.

18.11 Complaints to the Information Regulator

If you believe that Xim has not complied with POPIA in relation to your personal information, you have the right to lodge a complaint with the Information Regulator (South Africa):

Information Regulator (South Africa)
JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
Postal address: P.O. Box 31533, Braamfontein, 2017
Email: POPIAComplaints@inforegulator.org.za
Website: https://inforegulator.org.za

18.12 Access to Information and PAIA Manual

Xim has compiled a manual under section 51 of the Promotion of Access to Information Act, 2000 (PAIA), which sets out the categories of records held by Xim and the procedure for requesting access to those records. The PAIA Manual is available on Xim's website and on request from the Deputy Information Officer.

18.13 Security Compromise Notification

In the event of a security compromise affecting the personal information of South African data subjects, Xim will notify the Information Regulator and affected data subjects as soon as reasonably possible after the compromise is discovered, in accordance with section 22 of POPIA.