Country Specific Supplemental Privacy Notice

Note: These Supplemental Privacy Notices are applicable to collection and use of data for online registration and interest in Lab Products.

This Country-Specific Privacy Notice supplements the main Privacy Notice to the extent that relevant privacy laws in the following countries apply to the processing of personal information in those countries. If there are any inconsistencies between the Country-Specific Supplemental Privacy Notices below and the main Privacy Notice, the country-specific terms prevail. These Supplemental Privacy Notices should be read together with the CareDx Website (and Point of Collection) Privacy Notice and Terms of Use.

This Supplemental Privacy Notice explains how CareDx, Inc. (“CareDx,” “we,” “our,” or “us”) processes personal information of individuals located in these specific countries in connection with CareDx’s business activities when those individuals register for a CareDx Lab Products Provider Account.

EEA, UK and Switzerland

Our Relationship With You

CareDx, Inc. is the controller of the personal information you provide during registration because we determine the purposes and means of processing your information.

Personal Information We Collect

When you create a Provider Account, we collect only the following information:

  • First/Last name

  • Organization name

  • Email Address

  • Country

  • IP Address

We do not collect any patient data, health data, or other categories of personal information as part of this registration.

How We Use Your Personal Information

CareDx uses your registration information solely for the following purposes:

  • Creating and managing your secure Provider Account, which allows you to order Lab Products sold by CareDx.

  • Communicating with you about your order.

Your information is not used for any other purpose, is not sold, and is not used for advertising or profiling.

Legal Bases for Processing

Under the laws of the EEA, UK, and Switzerland, we rely on the following legal bases to process your information:

  • Performance of a contract. To create and manage your CareDx Customer Account.

  • Legitimate interests. To inform you of updates or new features to the products you use, in a manner we believe is expected and aligned with your professional role.

  • Where required by applicable law.

  • Where we have obtained your consent.

Residents of the EEA, UK, and Switzerland may also have the following privacy rights:

  • Right of Access

  • Right to Rectification/Correction

  • Right to Restrict Processing

  • Right to Erasure ("Right to be Forgotten")

  • Right to Data Portability

  • Right to Withdraw Consent to the Processing of your Personal Information

To exercise any of these rights, please contact us at privacy@caredx.com. We will respond in accordance with applicable law.

International Transfers

CareDx is a U.S.-based company. Your registration information may be stored or processed in the United States or in other countries that may not offer the same level of data protection as your home country.

If we transfer personal information outside the EEA, UK, or Switzerland, we rely on:

  • Standard Contractual Clauses approved by the European Commission, the UK ICO, or the Swiss FDPIC.

  • Other applicable transfer mechanisms permitted by law.

These measures are designed to ensure a level of protection equivalent to that required under European data protection laws.

Data Retention

We retain your registration information only for as long as your provider account remains active or as required by applicable law. You may request deletion of your account at any time.

Complaints or Questions

If you have any questions about our privacy practices or wish to exercise your rights, you may contact:

Privacy Office
CareDx, Inc.
Email: privacy@caredx.com

For EU inquiries, you may contact our Stockholm, Sweden office directly at: privacy-eu@caredx.com.

You also have a right to lodge a complaint with a competent supervisory authority situated in the country of your habitual residence, place of work, or place of alleged infringement. You can find the relevant supervisory authority name and contact details for the EEA here, the UK here, and Switzerland here.

Brazil

This section applies to personal information that is processed pursuant to the Lei Geral de Proteção de Dados Pessoais (“LGPD”).

Data Controller

The entity responsible for processing and handling the personal information collected under this Country-Specific Supplemental Privacy Notice is CareDx. Contact our Data Protection Officer at privacy@caredx.com.

Privacy Rights

Under the LGPD, you may also have the rights to (1) anonymize and block the processing of your personal information, if the data is deemed unnecessary, excessive or processed in non-compliance with the provision of the LGPD; (2) confirm the existence of processing of your personal data; (3) request information about which third parties we share your data with; (4) be informed about the possibility of not giving your consent and the consequences in case of refusal; and (5) file a complaint with Brazil’s National Data Protection Authority.

China

This section applies to personal information that is processed pursuant to the China Personal Information Protection Law (“PIPL”).

Personal Information Processor

The entity responsible for processing and handling the personal information collected under this Country-Specific Supplemental Privacy Notice is CareDx.

Legal Basis

CareDx will process your personal information based on the relevant legal basis provided under the PIPL. Where consent is the underlying basis, we will obtain your consent.

Entrusted Processing and Sharing of Personal Information

We may engage other CareDx entities and third parties to process your personal information on our behalf, as necessary for the purposes outlined in the main Privacy Notice. Contracts with our data processors and service providers restrict their access to and use of personal information.

Data Storage and International Data Transfers

Generally, we will store your personal information in the U.S. However, as CareDx is a global company, for the purposes specified in this Privacy Notice, we may transfer your personal information to other countries (see list of countries). Transfers of your personal information outside of China are done according to the PIPL and other relevant data protection and privacy laws and with the necessary administrative, technical, and physical safeguards to protect your personal information, including seeking separate consent from you, when required by the PIPL.

Please contact privacy@caredx.com if you want to exercise your data subject rights against the above overseas recipient.

Privacy rights

Under the PIPL, you may also have the following privacy rights:

  • Right of Access

  • Right to Request Correction

  • Right to Delete

  • Right to Restriction of Processing

  • Right to Data Portability

  • Right to Withdraw Consent

To exercise any of these rights, submit your request to privacy@caredx.com.

We will respond to your requests to exercise your data subject rights in accordance with the applicable data protection laws. To the extent permitted by laws and regulations, we may not be able to respond to your request (examples: if your request is contrary to our obligations under laws and regulations or if we have sufficient evidence of your subjective abuse of rights under PIPL).

South Korea

This section applies to personal information that is processed pursuant to the Personal Information Protection Act (“PIPA”).

Data Controller

The entity responsible for processing and handling the personal information collected under this Country-Specific Supplemental Privacy Notice is CareDx.

Purpose for Processing

CareDx may collect and use the personal information listed in the section “What Information Do We Collect?” and the main body of the Privacy Notice with your consent or on a different legal basis. If the items or purpose of use of your personal information change, we will take the required measures to ensure that the applicable provisions of the PIPA are implemented, such as requesting additional consent from you.

International Data Transfers

Any transfers of your personal information outside of the Republic of Korea are done according to relevant data protection and privacy laws and with the necessary administrative, technical, and physical safeguards to protect your personal information. We provide your Personal Data to third parties as described below, either with your consent or under other legal bases as defined by applicable laws.

If you want to object to the transfer of your Personal Data overseas, please contact: privacy@caredx.com.

Procedure and Method for Destruction of Personal Data

CareDx will destroy your personal information as outlined in the main Privacy Notice and will take standard commercially reasonable measures to ensure that your personal information is rendered irrecoverable or irreproducible. The specific manner of deletion will depend upon how the personal information is held by CareDx, as well as your relationship with CareDx.

Other Foreign Locations

Scope and Purpose of Processing

This section applies to users located in jurisdictions outside of the EEA, UK, Switzerland, Brazil, China, and South Korea. For these locations, we collect and process your business contact information (specifically: first and last name, email address, organization name, country, and IP address) for the sole purpose of verifying your eligibility to create and manage a professional account and to ensure the security and integrity of our services. We do not use this registration data for marketing purposes, nor do we share it with third parties for their own marketing activities.

International Data Transfers

Our services are operated from the United States. By providing your information and checking the consent box during registration, you acknowledge and expressly consent to the transfer, storage, and processing of your personal data on our servers located in the United States. We implement commercially reasonable technical and organizational measures to protect your data. You acknowledge that data protection laws in the United States may differ from those in your home jurisdiction. In regions where local law requires explicit consent for cross-border transfers, your affirmative action of checking the consent box at registration serves as your informed and voluntary authorization for this transfer.

Your Rights and Contact Information

We are committed to respecting your privacy regardless of your location. You may request to access, update, correct, or delete your registration information, or withdraw your consent for future processing, by contacting us at privacy@caredx.com. We will handle such requests in accordance with the requirements of your local jurisdiction's privacy laws.

VCO-PRO-11489-v1 2026.05