UK COMPLIANCE ADDENDUM TO TERMS OF USE

Effective Date: December 1, 2025

This UK Compliance Addendum (“Addendum”) supplements and modifies the existing Terms of Use Agreement between Wellness Research Institute LLC, D/B/A Shortlister (“WRI,” “we,” or “us”) and you (“you” or “User”) dated December 1, 2021 (“Terms”). This Addendum applies specifically to Users located in the United Kingdom and Users processing personal data of UK data subjects through the Services.

1. DATA PROTECTION AND PRIVACY COMPLIANCE

1.1 EU and UK GDPR and Data Protection Act 2018 Compliance

We are committed to following and complying with both the EU General Data Protection Regulation (“EU GDPR”) and the UK General Data Protection Regulation (“UK GDPR”), as well as the Data Protection Act 2018. We process all personal data in strict accordance with these regulations and maintain the highest standards of data protection for all users, regardless of location.

1.2 Data Controller and Processor Relationships

  • Where you use the Services to process personal data of your employees, clients, or other individuals, you act as the data controller and we act as your data processor
  • Where we collect personal data directly from you or End Users for our own purposes (such as account management, service provision, and analytics), we act as the data controller
  • Both parties shall comply with their respective obligations under UK data protection laws in their respective roles

1.3 Data Processing Terms

Our data processing activities are governed by our Data Processing Agreement (“DPA”), which forms part of these Terms. The DPA includes:

  • Details of processing activities, data categories, and retention periods
  • Technical and organizational security measures
  • Procedures for data subject rights requests
  • Cross-border transfer safeguards
  • Data breach notification procedures

1.4 Data Subject Rights and Procedures

All users have comprehensive rights regarding their personal data under EU and UK GDPR. You may exercise these rights at any time by contacting us at privacy@myshortlister.com. We are committed to responding to all requests within one month of receipt.

Your Rights Include:

1. Right to Access Your Data

  • Request a complete copy of all personal data we hold about you
  • Receive information about how your data is being processed
  • Obtain details about data sharing and retention periods

2. Right to Amend, Edit, or Correct Your Data

  • Update your profile information at any time through your account settings
  • Request correction of any inaccurate or incomplete personal data
  • Modify your preferences and account details

3. Right to Request Removal of Your Data (Right to Erasure)

  • Request complete deletion of your personal data from our platform
  • Have your data removed when it’s no longer necessary for the original purpose
  • Withdraw consent where processing was based on consent

4. Right to Unsubscribe or Opt-Out of Marketing Communications

  • Easily unsubscribe from all marketing emails using the unsubscribe link in any email
  • Update your communication preferences in your account settings
  • Contact us directly to be removed from all marketing communications
  • Opt out of specific types of communications while maintaining your account

5. Right to Object to Processing

  • Object to the use of your personal data for direct marketing purposes
  • Object to processing based on legitimate interests
  • Request restriction of processing in certain circumstances
  • Challenge automated decision-making or profiling

How to Exercise Your Rights:

  • Online: Log into your account and update your preferences in account settings
  • Email: Contact us at privacy@myshortlister.com with your specific request
  • Written Request: Send a letter to our address below with your request

We will verify your identity before processing any data requests and provide confirmation once your request has been completed.

2. MARKETING COMMUNICATIONS AND CONSENT

2.1 Marketing Opt-Out Rights

You have the absolute right to unsubscribe or opt-out of all marketing communications at any time:

  • Instant Unsubscribe: Click the unsubscribe link at the bottom of any marketing email
  • Account Settings: Update your communication preferences in your account dashboard
  • Email Request: Send an opt-out request to privacy@myshortlister.com

2.2 Communication Preferences

You can choose to:

  • Opt out of all marketing communications while keeping your account active
  • Select specific types of communications you wish to receive
  • Update your preferences at any time without penalty
  • Receive only essential service-related communications

We will process all opt-out requests immediately and confirm your preferences within 48 hours.

3. DATA ACCESS AND PORTABILITY

3.1 Right to Data Copy and Portability

You have the right to receive a complete copy of all personal data we hold about you:

  • Data Export: Request a comprehensive download of all your personal data in a structured, commonly used, and machine-readable format
  • Data Report: Receive a detailed report showing what data we collect, how it’s used, and who it’s shared with
  • Processing Details: Get information about the legal basis for processing, retention periods, and your rights
  • Free of Charge: All data access requests are provided free of charge (unless requests are manifestly unfounded or excessive)

3.2 Data Correction and Amendment

You can amend or correct your personal data through multiple channels:

  • Self-Service: Update most information directly through your account settings
  • Assisted Updates: Contact us to correct data you cannot edit yourself
  • Error Reporting: Report any inaccuracies and we will investigate and correct them promptly
  • Verification: We may ask for verification before making significant changes to protect your account security

3.3 Response Timeframes

  • Data access requests: Within 30 days
  • Data correction requests: Within 30 days
  • Simple profile updates: Immediately upon request
  • Complex data requests: We will acknowledge receipt within 48 hours and provide regular updates

4. OBJECTION TO DATA PROCESSING

4.1 Right to Object

You have the right to object to the processing of your personal data, including:

  • Marketing Processing: Object to any use of your data for direct marketing purposes
  • Legitimate Interest Processing: Challenge processing based on our legitimate interests
  • Profiling and Automated Decision-Making: Object to automated processing that affects you

4.2 Objection Process

To object to data processing:

  1. Specify Your Objection: Clearly state which processing activities you object to
  2. Provide Reasons: Explain your particular situation if objecting to legitimate interest processing
  3. Submit Your Request: Contact us through any of the channels listed in Section 1.4
  4. Receive Confirmation: We will acknowledge your objection and stop the contested processing unless we have compelling legitimate grounds

4.3 Consequences of Objection

When you object to processing:

  • We will immediately stop the contested processing activities
  • Your account and core service functionality will remain intact where possible
  • Some features may become unavailable if they depend on the contested processing
  • You can withdraw your objection at any time

5. CROSS-BORDER DATA TRANSFERS

5.1 International Transfers

As we are based in the United States, personal data processed through our Services may be transferred to and processed in the United States and other countries outside the UK and EU. We ensure appropriate safeguards are in place for such transfers in accordance with both EU and UK data protection laws.

5.2 Transfer Mechanisms

International transfers of personal data are protected by:

  • Standard Contractual Clauses approved by EU and UK authorities
  • Adequacy decisions where applicable
  • Other legally approved transfer mechanisms under both EU and UK GDPR

6. UK-SPECIFIC LEGAL PROVISIONS

6.1 Consumer Rights

If you are a consumer (as defined under UK consumer protection laws), you have additional rights that cannot be excluded or limited by these Terms, including rights under the Consumer Rights Act 2015.

6.2 Unfair Contract Terms

Nothing in these Terms or this Addendum shall exclude or limit our liability for:

  • Death or personal injury caused by our negligence
  • Fraud or fraudulent misrepresentation
  • Any other liability that cannot be excluded or limited under UK law

6.3 Distance Selling Regulations

If you are a consumer purchasing Services online, you may have cancellation rights under the Consumer Contracts (Information, Cancellation and Additional Charges) Regulations 2013. Details of any applicable cancellation rights will be provided at the time of purchase.

7. COMPLIANCE OBLIGATIONS

7.1 Your Compliance Responsibilities

When using our Services, you agree to:

  • Comply with all applicable EU and UK laws and regulations
  • Ensure you have a lawful basis for any personal data processing
  • Provide required privacy notices to data subjects
  • Obtain necessary consents where required
  • Implement appropriate technical and organizational measures to protect personal data

7.2 Prohibited Data

You must not upload, store, or process through our Services:

  • Special categories of personal data (as defined in EU and UK GDPR) without explicit consent or other lawful basis
  • Personal data of children under 13 without verifiable parental consent
  • Any data in violation of EU or UK data protection laws

8. SECURITY AND DATA BREACHES

8.1 Security Measures

We implement appropriate technical and organizational security measures to protect personal data, including:

  • Encryption of data
  • Access controls and authentication measures
  • Regular security assessments and updates
  • Staff training on data protection

8.2 Data Breach Notification

In the event of a personal data breach affecting EU or UK data subjects:

  • We will notify you without undue delay and within 72 hours where feasible
  • We will provide information about the nature of the breach and remedial actions taken
  • You remain responsible for assessing whether notification to supervisory authorities or data subjects is required

9. SUPERVISORY AUTHORITY

9.1 UK Data Protection Authority

The Information Commissioner’s Office (ICO) is the UK’s independent data protection authority. You have the right to lodge a complaint with the ICO regarding our processing of your personal data.

Contact details: 

  • Website: www.ico.org.uk
  • Phone: 0303 123 1113
  • Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

10. GOVERNING LAW AND JURISDICTION

10.1 UK Law Application

Notwithstanding Section 17 of the main Terms, for Users located in the UK:

  • This Addendum and data protection matters shall be governed by UK law
  • UK courts shall have jurisdiction over data protection disputes
  • The main Terms shall continue to be governed by Illinois law except where superseded by this Addendum

10.2 Alternative Dispute Resolution

Before pursuing formal legal action, parties agree to attempt resolution through the ICO’s informal resolution process where applicable to data protection matters.

11. RETENTION AND DELETION

11.1 Data Retention

We retain personal data only for as long as necessary to:

  • Provide the Services
  • Comply with legal obligations
  • Resolve disputes
  • Enforce our agreements

11.2 Data Deletion

Upon termination of your Account or upon request (where legally permissible), we will delete or anonymize your personal data within a reasonable timeframe, except where retention is required by law.

12. CONTACT INFORMATION

12.1 Data Protection Officer

For all data protection inquiries, please contact our Data Protection Officer:

  • Email: privacy@myshortlister.com
  • Address: Wellness Research Institute LLC, 310 Busse Hwy, #386, Park Ridge, IL 60068

13. UPDATES TO THIS ADDENDUM

We may update this Addendum from time to time to reflect changes in law or our practices. We will notify you of material changes and obtain your consent where required by law.

14. PRECEDENCE

In the event of any conflict between this Addendum and the main Terms regarding UK Users or UK data protection matters, this Addendum shall take precedence.

By continuing to use our Services after the effective date of this Addendum, you acknowledge that you have read, understood, and agree to be bound by this UK Compliance Addendum in addition to the main Terms of Use.