IDEO LP (“IDEO”) respects the privacy of observation participants and the confidence of our clients and business partners. Accordingly, we collect, process and disclose personal information in a manner consistent with the laws of the countries in which we do business. The following India Privacy Practices (the “Privacy Practices”) set forth the privacy principles established by IDEO with respect to transfers of personal information from India.
These Privacy Practices apply to all personal information received by observation participants from India including electronic, paper or verbal information.
For purposes of these Privacy Practices, the following definitions shall apply:
“IDEO” means IDEO LP and each of its predecessors, successors, affiliates, employees, representatives and branch offices.
“Personal information” means any information that relates to a natural person that, either directly or indirectly, either alone or in combination with other information available or likely to be available, is capable of identifying such person. For the purposes of these Privacy Practices, unless otherwise stated, “personal information” includes “sensitive personal information”, as defined below.
“Sensitive personal information” consists of (i) data relating to passwords, (ii) financial information including but not limited to bank account details, (iii) credit card and debit card details, (iv) physical, physiological and mental health condition, (v) medical records and history, (vi) sexual orientation, and (vii) biometric information of employees and family members, provided that any information that is freely available or accessible in the public domain or furnished under the Right to Information Act, 2005 or any other law in effect shall not be regarded as personal or sensitive personal information for the purposes of these Privacy Practices.
The privacy principles in these Privacy Practices have been developed based on Indian law.
Purposes of Processing
IDEO collects and uses personal information in order to select and administer its workforce; run its operations; ensure the safety and protection of its workforce and resources; and conduct design research in order to understand user needs to inform its design and innovation consulting services for its clients. In collecting sensitive personal data, IDEO obtains consent from the relevant individual for such collection and use of his/her sensitive personal data.
Where IDEO collects personal information directly from individuals in India, it will inform them about the purposes for which it collects and uses personal information about them, the types of third parties to which IDEO discloses that information, the choices and means, if any, IDEO offers individuals for limiting the use and disclosure of personal information about them, and how to contact IDEO. Notice will be provided in clear and conspicuous language when individuals are first asked to provide personal information to IDEO, or as soon as practicable thereafter, as well as any time IDEO proposes to use information for a purpose other than the purpose for which it was originally collected.
To the fullest extent required by applicable law, IDEO will offer individuals the opportunity not to provide personal information and to withdraw their earlier consent.
IDEO will use personal information only in ways that are compatible with the purposes for which it was collected or subsequently authorized by the individual. IDEO will take reasonable steps to ensure that personal information is relevant to its intended use, accurate, complete, and current.
Disclosure / Transfers
IDEO will disclose or transfer personal information only with the consent of the data subject or where such disclosure is necessary for the performance of a contract between the data subject and IDEO or for compliance with a legal obligation. Such transfers include intercompany transfers from India to IDEO offices in the United States and Europe (and may include transfers to IDEO offices in Asia and Southeast Asia). Such transfers shall be made only to jurisdictions that implement and maintain security practices and procedures not lower than the standards of IS/ISO/IEC 27001. IDEO will obtain assurances from third parties to whom personal information is transferred that they will safeguard such information consistently with these Privacy Practices. Where IDEO has knowledge that a third party to whom personal information was transferred is using or disclosing such information in a manner contrary to these Privacy Practices, IDEO will take reasonable steps to prevent or stop the use or disclosure.
Access and Correction
Upon a reasonable request, IDEO may grant individuals reasonable access to correct, amend, or delete personal information that it holds about them.
IDEO will implement reasonable practices and procedures, not lower than the standards of IS/ISO/IEC 27001, to protect personal information in its possession from loss, misuse and unauthorized access, disclosure, alteration and destruction. IDEO is committed to taking appropriate technical, physical and organizational measures to protect personal information (including sensitive personal information) against: unauthorized or accidental destruction, alteration or disclosure; accidental loss; unauthorized access; misuse; unlawful processing; or damage. These measures include equipment, application and information security; access security; and training of IDEO employees about these Privacy Practices and the appropriate processing of personal information.
IDEO will conduct compliance audits of its relevant privacy practices to verify adherence to these Privacy Practices. Any employee that IDEO determines is in violation of this policy will be subject to disciplinary action up to and including termination of employment.
Any questions or concerns regarding the use or disclosure of personal information should be directed to Ka Yun Cheng, Privacy Officer, at the address below. IDEO will investigate and attempt to resolve complaints and disputes regarding use and disclosure of personal information by reference to the principles contained in these Privacy Practices.
Limitation on Application of Principles
Adherence by IDEO to the principles set forth in these Privacy Practices may be limited (a) to the extent required to respond to a legal or ethical obligation; (b) to the extent necessary to meet national security, public interest or law enforcement obligations; and (c) to the extent expressly permitted by an applicable law, rule or regulation.
Questions or comments regarding these Privacy Practices should be submitted to the IDEO Privacy Officer:
Ka Yun Cheng, IDEO LP, 715 Alma Street, Palo Alto, CA 94301, firstname.lastname@example.org
with a copy to: IDEO Legal Group, IDEO LP, 715 Alma Street, Palo Alto, CA 94301, email@example.com
Changes to these Privacy Practices: These Privacy Practices may be amended from time to time, consistent with the requirements of Indian law.