Milieu Privacy Policy

This Privacy Policy ("Privacy Policy") explains how Milieu ("Milieu," "we," "our," or "us") collects, uses, stores, protects, discloses, or otherwise processes your information when you interact with us through the Milieu website ("Website") located at visit www.milieubio.com, our product and Services, and/or other communication channels under our control, such as email, telephone, or social media (collectively, the "Services").

Our Services may contain links to third-party websites. Once you leave our Services, we do not control how your data is handled by those sites. We encourage you to review their privacy policies before using their services.

By using our Services, you acknowledge and accept the terms of this Privacy Policy. If you do not agree, please discontinue use immediately. We may update this policy from time to time, and any changes will be posted on this page. Your continued use of the Services after any update constitutes acceptance of the revised policy.

Data We Collect from You

At Milieu, we are committed to delivering exceptional products while safeguarding your privacy. We only collect the data necessary to enhance your experience and provide our Services effectively. The specific types of data we collect depend on how you interact with us and our products.

When you create a Milieu account, make a purchase, visit our website, communicate with our chatbot, contact our support team, respond to our surveys, or engage with us in any other way, we may collect both Personal Information ("Personal Information") and Sensitive Personal Information ("Sensitive Personal Information") (collectively, "Collected Information"), including:

Personal Information

• Account and Contact Information. Information provided through your Milieu Account and related account details, including full name, email address, date of birth, phone number, and postal address.
• Lifestyle Information. Your living habits, such as skin care routines, current skincare products used, sleep habits, exercise habits, sun exposure, water intake, diet, and makeup usage.
• Location Information. Your zip code, home address, and other location data help us analyze your environment but do not constitute precise geolocation data.
• User Behavior. Information about how you interact with our website, including pages visited, time spent on pages, navigation patterns, click activity, and other engagement metrics. This data may be collected through cookies, tracking technologies, or analytics tools to improve user experience and website functionality.
• Other Personal Information You Provide to Us. We may collect any other personal information you choose to provide when you communicate with us, including through customer support, surveys, feedback, social media interactions, or other means.

Sensitive Personal Information

• Health Information. Information related to an individual's health status, conditions, treatments, or medical history, such as skin condition (general or seasonal), skin concerns, age, sex assigned at birth, stress level, menstrual cycle, and other relevant conditions.
• Biomaterials. Your skin swab samples collected through the testing kit. The material will be analyzed to assess your skin microbiome. At no point will your human genetic material (i.e., your own DNA) be sequenced, analyzed, or digitized. Our testing is limited to microbial DNA found on the surface of your skin and does not involve any analysis of your personal genome.
• Personal Image. Any personal photos or images uploaded to our website.

Usage of Collected Data

Specifically, we do not use Collected Information for any purposes other than the following:

• to tailor the features, performance, and support of our Services to you and your preferences such as formulating customized skin care products and providing personalized health insights and recommendations;
• to verify your identity as the holder of an account with us;
• to manage orders, respond to inquiries, provide assistance, and address any questions or concerns related to our Services;
• to market our Services that we believe may be of interest to you.
• to provide, operate, analyze usage of, and improve our Services, including research and development;
• to comply with legal obligations, including responding to court orders, government, or regulatory requests;
• to ensure security, detect and prevent fraud, and address security incidents, abusive behavior, or suspected malicious or illegal activities; and
• to enforce our Terms of Service, policies, and agreements with you and third parties.

Data Security

We take the security of your data seriously. We have implemented measures designed to secure your Collected Information from accidental loss and from unauthorized access, use, alteration, and disclosure. Collected Information is encrypted and securely transmitted to protect your privacy. After transactions, Collected Information is stored in an encrypted third-party database that complies with industry security standards.

The safety and security of your information also depends on you. Where we have given you, or where you have chosen, a password to access certain parts of our Services, you are responsible for keeping this password confidential. We ask you not to share your password with anyone. We urge you to be careful about giving out information in public areas of the Website like customer review message boards. The information you share in public areas may be viewed by any user of the Website.

Although we do our best to protect your Collected Information, the transmission of information via the internet is not completely secure, and we cannot guarantee the security of your Collected Information transmitted to our Services. Any transmission of Collected Information is at your own risk. By using our services, you acknowledge and accept these inherent risks. We are not responsible for circumvention of any privacy settings or security measures contained on our Services. We encourage you to take precautions when handling Collected Information, particularly when using public computers or unsecured networks, to further safeguard your data.

Data Retention

We retain Collected Information for as long as necessary to provide our Services, fulfill your requested transactions, comply with legal obligations, resolve disputes, enforce agreements, and support other legitimate business purposes. Retention periods are determined based on the nature of the data, applicable legal requirements, and business needs.

For example, if you provide Personal Information when creating an account, we may retain it for as long as your account remains active. Sensitive Personal Information will only be retained for the minimum period required to fulfill the original purpose of collection, comply with legal obligations, or as explicitly permitted by law. Identifiable biomaterials will be retained for no longer than 24 months, or until a valid request for deletion or destruction is received, whichever occurs first, unless a longer retention period is legally required.

If Collected Information is no longer necessary for our Services or required by law, we will delete or de-identify it in accordance with our data de-identification guidelines outlined in Section 5 of this Privacy Policy. However, we may retain certain Personal Information if necessary to comply with legal, accounting, or regulatory obligations.

If you reside in a jurisdiction that grants specific privacy rights, please refer to the Your Privacy Rights section below for details on how to exercise those rights.

Data De-Identification

We may de-identify personal information to ensure that it cannot reasonably be linked to an individual or household. When we de-identify data, we implement technical and administrative measures to prevent re-identification. Additionally, we do not re-identify any de-identified data and require any third parties who receive such data to adhere to contractual obligations prohibiting re-identification.

Because de-identified data does not contain personally identifiable information, we may retain it for a longer period than identifiable data, and it is not subject to our data retention guidelines outlined in Section 4 of this Privacy Policy. We may use de-identified or aggregated data for research, analytics, and other lawful purposes.

We may use de-identified data to conduct internal research, support product development, and advance technological innovation, including the development and refinement of AI algorithms and machine learning models for both existing and new applications. This may involve using data to enhance functionality, optimize performance, and drive innovation within our Services, with our affiliated partners, or through new ventures.

For this policy, "de-identified" data refers to data that has been de-identified, aggregated, or anonymized, using methods required or permitted by the applicable state law.

Disclosure of Your Information

Other than as described herein, we do not sell, trade, or otherwise transfer to third parties your Collected Information.

We may disclose Collected Information:

• to contractors, service providers, and other third parties we use to support our business and who are bound by contractual obligations to keep your information confidential and use it only for the purpose for which we disclose it to them;
• to a buyer or other successor in the event of a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of Milieu's assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal information held by Milieu about our Website and Services users is among the assets transferred;
• to fulfill the purpose for which you provide it;
• for any other purpose disclosed by us when you provide the information;
• to our subsidiaries and affiliates; or
• with your consent.

Categories of contractors, service providers, and other third parties may include, but are not limited to:

• lab partners that analyze collected data;
• IT service providers, including cloud storage, hosting, and cybersecurity vendors;
• analytics and marketing partners to help us improve and promote our Service;
• logistics and fulfillment partners for order processing and delivery;
• payment processors to facilitate transactions; and
• customer support providers to assist with inquiries and issue resolution.

We may also disclose your Collected Information:

• to comply with any court order, law, or legal process, including to respond to any government or regulatory request;
• to enforce or apply our Terms of Service and other agreements, including for billing and collection purposes; or
• when we believe disclosure is necessary or appropriate to protect the rights, property, or safety of Milieu, our customers, or others.

We may disclose aggregated information about our users, and de-identified information, without restriction.

Your Privacy Rights

We are committed to protecting your privacy and ensuring compliance with applicable federal and state laws, such as California Consumer Privacy Act (CCPA) as amended by California Privacy Rights Act (CPRA).

If you are a resident of California, or a state with similar privacy laws, you may have the following rights regarding your personally identifiable data. These rights do not apply to data that has been de-identified.

• Right to Know. You may request information about the categories of data we collect, the sources of collection, the purposes for which we use it, and the third parties with whom we share it.
• Right to Access. You have the right to request a copy of the specific data we have collected about you.
• Right to Correct. You may request corrections to any inaccurate or incomplete data we maintain.
• Right to Delete. You can request that we delete your data, subject to certain legal exceptions such as to complete a transaction, detect security threats, or comply with a legal obligation.
• Right to Opt-Out of Sale or Sharing. We do not sell data, but if we engage in data sharing as defined by applicable laws, you may opt out.
• Right to Limit Use of Sensitive Data. For sensitive data we collect (e.g., biometric information), you may restrict its use to only what is necessary for providing our Service.
• Right to Non-Discrimination. Exercising your privacy rights will not result in any denial of Services, price increase, or change in the quality of Services.

To exercise your rights, you may submit a request by emailing us at: [email protected]

Children and Personal Data

We comply with all applicable federal and state laws, including the Children's Online Privacy Protection Act (COPPA). Our Services is not intended for children under 13, and we do not knowingly collect their data without verifiable parental consent.

If we become aware of unauthorized data collection from a child, we will promptly delete it. Parents or guardians may request access, correction, or deletion of their child's data by contacting us at [email protected].

Cookies

Cookies are small files that a site or its service provider transfers to your computer's hard drive through your web browser. We use cookies and other technologies for different purposes:

• Strictly Necessary Cookies. To carry out essential services of our Website including tracking sign-ups and processing payments.
• Analytics Cookies. To understand how users arrive to and use our site.
• Functional Cookies. To make our site more user-friendly and give visitors a better browsing experience.
• Marketing Cookies. To facilitate our direct marketing.

You can choose to accept, decline, or withdraw consent to cookies. Be aware that disabling cookies may prevent you from using certain features or services on our Service.

Do Not Track Disclosure

California Online Privacy Protection Act (CalOPPA) requires us to disclose how we respond to Do Not Track (DNT) signals set in a user's web browser. Currently, we do not respond to DNT signals, as there is no industry-wide standard for recognizing and implementing them. However, we respect user privacy and provide alternative options to manage tracking preferences through cookie settings.

Changes to Our Privacy Policy

Unless otherwise required by law, it is our policy to post any changes we make to our Privacy Policy on this page with a notice that the Privacy Policy has been updated on our Website home page. If we make material changes to how we treat the information collected from our users, we will notify you through a notice on our Website home page. The date the Privacy Policy was last revised is identified at the top of the page. You are responsible for periodically visiting our Website and this Privacy Policy to check for any changes.

Contact Us

If you have any questions or concerns regarding this Privacy Policy or data processing, if you would like to change or access the Personal Information we have collected from you, or if you would like to make a complaint, you may contact us using the information below:

We may collect Consumer Health Data as defined in Section 1 of this addendum ("Consumer Health Data") from individuals in Washington in accordance with the Washington My Health My Data Act ("MHMD"). This addendum supplements our primary Privacy Policy and any other relevant addenda at milieubio.com. It applies solely to Washington residents or individuals whose Consumer Health Data is collected within Washington state (referred to as "Covered Resident(s)" or "you").

This addendum provides detailed information regarding our collection, use, and sharing of Consumer Health Data. It explains the types of Consumer Health Data we collect, the reasons for its collection, and how we use it. Additionally, it outlines the sources from which we obtain Consumer Health Data, the categories of data we share, and the third parties and affiliates with whom we share it. Furthermore, this addendum details your rights under MHMD.

It is important to note that this addendum does not apply to data collected in an employment context. As such, it does not cover information related to job applicants, employees, or contractors associated with our organization.

1. Consumer Health Data Definition & Exceptions

Consumer Health Data refers to Personal Information that can reasonably be linked to an individual and relates to their past, present, or future physical or mental health. However, the following types of data are not considered Consumer Health Data under MHMD:

• Protected Health Information covered under Health Insurance Portability and Accountability Act (HIPAA)
• health care records governed by WA Revised Code § 70.02;
• patient data regulated under 42 C.F.R. Part 2;
• human subject research data under applicable federal regulations;
• quality improvement & peer review records maintained by healthcare entities;
• data for public health purposes under 45 C.F.R. § 164.512; and
• de-identified data

Additionally, Personal Information regulated under other federal and state laws (e.g., Gramm-Leach-Bliley Act (GLBA), Fair Credit Reporting Act (FCRA), and Family Educational Rights and Privacy Act (FERPA)) is also exempt from MHMD.

2. Categories of Consumer Health Data We Collect

We may collect the following types of Consumer Health Data with your consent or as necessary to provide the services you request, including but not limited to:

• Health conditions, diagnoses, treatments, and medical history
• Social, psychological, and behavioral health data
• Records of health-related procedures or surgeries
• Prescription medication use and purchase history
• Symptoms and health measurements
• Gender-affirming care details
• Reproductive and sexual health information
• Location data that may indicate an effort to obtain health services
• Data that identifies an individual seeking healthcare services
• Health-related insights derived from non-health data sources
• Genetic and biometric data
• Wellness, fitness, and lifestyle data
• Health insurance and billing information
• Data collected through mobile apps, wearable devices, or online platforms

3. Sources of Consumer Health Data

We collect Consumer Health Data from a variety of sources, including but not limited to:

• Direct interactions with you. Information you provide when using our services, communicating with us, or engaging with our platforms.
• Your activities while using our services. Data generated through your interactions, such as usage patterns, preferences, and service-related activities.
• Our affiliates and business partners. Businesses and third-party entities with whom we maintain commercial relationships to enhance our services.

4. Use of Consumer Health Data

We use Consumer Health Data only as outlined in this addendum. Our purposes include:

• Account Management and Security. Verifying your identity, managing user accounts, ensuring security, and detecting and preventing fraud or malicious activity.
• Customer Support and Transactions. Processing transactions, managing orders, responding to inquiries, and providing assistance related to our Services.
• Communications and Notifications. Sending Services-related notifications, updates, and marketing relevant products and services that may interest you.
• Personalization and Insights. Tailoring features, performance, and support based on your preferences, including formulating customized skincare products and providing personalized health insights and recommendations.
• Research and Development. Conducting research, analyzing usage, and enhancing our Services through development and optimization.
• Promotions and Engagement. Administering promotions, such as contests or sweepstakes, and facilitating interactions with our platforms.
• Legal and Compliance. Meeting legal and regulatory obligations, responding to court orders and government requests, and enforcing our Terms of Service, policies, and agreements.

5. Sharing of Consumer Health Data

We may share Consumer Health Data with your consent or as necessary to provide requested services. Under MHMD, "sharing" refers to disclosing data to a third party or affiliate, excluding:

• Providing data to fulfill services consistent with its original purpose;
• Sharing data with entities you have a direct relationship with, provided we retain control and use is in accordance with your consent; and
• Transferring data as part of a business merger, acquisition, or similar transaction.

Other than as described here, we do not sell, trade, or transfer your Collected Information. However, we may share it in the following cases:

• Service Providers & Business Operations. We share data with contractors, service providers, and third parties who assist in our business operations, such as lab partners, IT service providers, cloud storage, cybersecurity vendors, analytics and marketing partners, logistics providers, payment processors, and customer support teams. These entities are contractually required to protect your information and use it only as specified.
• Corporate Transactions. If Milieu undergoes a merger, acquisition, restructuring, or sale of assets, Collected Information may be transferred as part of the transaction.
• Legal & Compliance. We may disclose data to comply with legal obligations, court orders, regulatory requirements, or law enforcement requests, and to enforce our Terms of Use or protect our rights, property, or safety.
• With Your Consent. We share data only for purposes disclosed at the time of collection or with your explicit consent.

In accordance with MHMD requirements, we ensure that any third party processing consumer health data on our behalf does so under a binding data processor agreement, which sets out specific processing instructions and limits the use of such data.

6. Exercising Your Rights

As a Covered Resident, you have the following rights:

• Right to Confirm. You may confirm whether we collect, share, or sell your Consumer Health Data.
• Right to Access. You may access the Consumer Health Data we hold about you.
• Right to Obtain. You may obtain a list of any third parties or affiliates that receive your data.
• Right to Delete. You may delete your Consumer Health Data.
• Right to Withdraw. You may withdraw consent for data collection and sharing.
• Right to Appeal. You may appeal our responses to your data rights requests.

To exercise your rights, you may submit a request by emailing us at: [email protected]

We will respond to your request within 45 days. If additional time is required, we may extend this period by another 45 days and will notify you accordingly.

If your request is denied, you have the right to appeal. We will review your appeal and respond within 45 days. Covered Residents may also file a complaint with the Washington Attorney General or contact the Washington Consumer Protection Hotline at 1-800-551-4636 for further assistance.

7. Data Sales

Under MHMD, "selling" Consumer Health Data involves exchanging it for monetary or other valuable consideration, excluding:

• Transfers as part of business mergers or acquisitions; and
• Sharing with service providers in line with the data's intended purpose.

Other than as described herein, we do not sell, trade, or otherwise transfer to third parties your Consumer Health Data.

8. Updates and Changes to This Addendum

We may update this addendum at our discretion. Any changes will be posted on our website with an updated "Last Updated" date. Continued use of our services after modifications indicates your acceptance of the updated terms.

9. Contact Information

If you have any questions or concerns regarding this addendum or data processing, if you would like to change or access the Consumer Health Data we have collected from you, or if you would like to file a complaint, you may contact us using the information below:

We may collect Consumer Health Data as defined in Section 1 of this addendum ("Consumer Health Data") from individuals in Nevada in accordance with the Nevada Senate Bill 370 ("SB 370"). This addendum supplements our primary Privacy Policy and any other relevant addenda at milieubio.com. It applies solely to Nevada residents or individuals whose Consumer Health Data is collected within Nevada state (referred to as "Covered Resident(s)" or "you").

This addendum provides detailed information regarding our collection, use, and sharing of Consumer Health Data. It explains the types of Consumer Health Data we collect, the reasons for its collection, and how we use it. Additionally, it outlines the sources from which we obtain Consumer Health Data, the categories of data we share, and the third parties and affiliates with whom we share it. Furthermore, this addendum details your rights under SB 370.

It is important to note that this addendum does not apply to data collected in an employment context. As such, it does not cover information related to job applicants, employees, or contractors associated with our organization.

1. Consumer Health Data Definition & Exceptions

Consumer Health Data refers to Personal Information that can be linked or reasonably capable of being linked to a particular individual and used to identify their past, present, or future health status. However, the following types of data are not considered Consumer Health Data under SB 370:

• Deidentified data;
• information not used to identify an individual's health status;
• information collected or shared as expressly authorized by federal or state law; and
• information exempted under SB 370 or other applicable regulations.

2. Categories of Consumer Health Data We Collect

We may collect the following types of Consumer Health Data with your consent or as necessary to provide the services you request, including but not limited to:

• Health conditions, diagnoses, treatments, and medical history
• Social, psychological, and behavioral health data
• Records of health-related procedures or surgeries
• Prescription medication use and purchase history
• Symptoms and health measurements
• Gender-affirming care details
• Reproductive and sexual health information
• Location data that may indicate an effort to obtain health services
• Data that identifies an individual seeking healthcare services
• Health-related insights derived from non-health data sources
• Genetic and biometric data
• Wellness, fitness, and lifestyle data
• Health insurance and billing information
• Data collected through mobile apps, wearable devices, or online platforms

3. Sources of Consumer Health Data

We collect Consumer Health Data from a variety of sources, including but not limited to:

• Direct interactions with you. Information you provide when using our services, communicating with us, or engaging with our platforms.
• Your activities while using our services. Data generated through your interactions, such as usage patterns, preferences, and service-related activities.
• Our affiliates and business partners. Businesses and third-party entities with whom we maintain commercial relationships to enhance our services.

4. Use of Consumer Health Data

We use Consumer Health Data only as outlined in this addendum. Our purposes include:

• Account Management and Security. Verifying your identity, managing user accounts, ensuring security, and detecting and preventing fraud or malicious activity.
• Customer Support and Transactions. Processing transactions, managing orders, responding to inquiries, and providing assistance related to our Services.
• Communications and Notifications. Sending Services-related notifications, updates, and marketing relevant products and services that may interest you.
• Personalization and Insights. Tailoring features, performance, and support based on your preferences, including formulating customized skincare products and providing personalized health insights and recommendations.
• Research and Development. Conducting research, analyzing usage, and enhancing our Services through development and optimization.
• Promotions and Engagement. Administering promotions, such as contests or sweepstakes, and facilitating interactions with our platforms.
• Legal and Compliance. Meeting legal and regulatory obligations, responding to court orders and government requests, and enforcing our Terms of Service, policies, and agreements.

5. Sharing of Consumer Health Data

We may share Consumer Health Data with third parties when necessary to provide requested services or with your consent. Under SB 370, "sharing" means any act of disclosing, giving access to, or otherwise making Consumer Health Data available to someone else. A "third party" refers to any individual or organization that is not covered by SB 370, not acting as a processor on behalf of the business, not affiliated with the business, and not the consumer whose data is involved.

Other than as described here, we do not sell, trade, or transfer your Collected Information. However, we may share it in the following cases:

• Service Providers & Business Operations. We share data with contractors, service providers, and third parties who assist in our business operations, such as lab partners, IT service providers, cloud storage, cybersecurity vendors, analytics and marketing partners, logistics providers, payment processors, and customer support teams. These entities are contractually required to protect your information and use it only as specified.
• Corporate Transactions. If Milieu undergoes a merger, acquisition, restructuring, or sale of assets, Collected Information may be transferred as part of the transaction.
• Legal & Compliance. We may disclose data to comply with legal obligations, court orders, regulatory requirements, or law enforcement requests, and to enforce our Terms of Use or protect our rights, property, or safety.
• With Your Consent. We share data only for purposes disclosed at the time of collection or with your explicit consent.

6. Exercising Your Rights

As a Covered Resident, you have the following rights:

• Right to Confirm. You may confirm whether we collect, share, or sell your Consumer Health Data.
• Right to Access. You may access the Consumer Health Data we hold about you.
• Right to Obtain. You may obtain a list of any third parties or affiliates that receive your data.
• Right to Delete. You may delete your Consumer Health Data.
• Right to Withdraw. You may withdraw consent for data collection and sharing.
• Right to Appeal. You may appeal our responses to your data rights requests.

To exercise your rights, you may submit a request by emailing us at: [email protected]

We will respond to your request within 45 days. If additional time is required, we may extend this period by another 45 days and will notify you accordingly.

If your request is denied, you have the right to appeal. We will review your appeal and respond within 45 days.

7. Third-Party Data Collection

Third parties may collect Consumer Health Data over time and across various platforms when you interact with our Website. However, we do not knowingly allow such collection on pages accessible only after you log in to password-protected areas of our website.

We do not control how third parties collect or use your information. These entities may combine data collected from our site with information from other sources for their own purposes, including targeted advertising.

8. Data Sales

Under SB 370, "sales" is define as the exchange of Consumer Health Data for money or other valuable consideration, excluding exchange:

• To a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction through which the third party assumes control of all or part of our assets;
• by us to a processor when such exchange is consistent with the purpose for which the Consumer Health Data was collected and disclosed to the consumer;
• with a third party for the purpose of providing a product or service you requested;
• by us to an affiliate;
• as directed by you or if you are intentionally using us to interact with and disclose Consumer Health Data to a third party; or
• if you intentionally made the Consumer Health Data available to the general public through mass media in a manner that was not restricted to a specific audience.

Other than as described herein, we do not sell, trade, or otherwise transfer to third parties your Consumer Health Data.

9. Updates and Changes to This Addendum

We may update this addendum at our discretion. Any changes will be posted on our website with an updated "Last Updated" date. Continued use of our services after modifications indicates your acceptance of the updated terms.

10. Contact Information

If you have any questions or concerns regarding this addendum or data processing, if you would like to change or access the Consumer Health Data we have collected from you, or if you would like to file a complaint, you may contact us using the information below: