mySugr GmbH Privacy Notice

Version dated January 1, 2022

The applicable version of this privacy notice can be viewed and downloaded as a PDF from our website www.mysugr.com.

1 INTRODUCTION

Data Controller

Whenever this Privacy Notice refers to “we” or “mySugr” it means the mySugr GmbH, located at the business address Trattnerhof 1, 1010 Vienna, Austria and registered in the Company Register of Vienna Commercial Court under FN 376086 v. mySugr is the stated responsible entity and data controller under the data protection regulations. In other words, we are the company that decides on the purpose and means of processing your personal data (“User Data”) and is therefore responsible for its security and compliance with the applicable laws. Section 2 of this Privacy Notice contains detailed information on the necessary processing of your personal data.

The basis for this Privacy Notice is the General Data Protection Regulation of the European Union (“GDPR”, Regulation (EU) 2016/679); if your country of residence foresees additional or varying requirements, you can find information on those in section 9 of this Privacy Notice.

This Privacy Notice applies to User Data processed in connection with our products and services. As the responsible entity we are subject, for example, to information requirements that we wish to fulfill in connection with this Privacy Notice. We also provide additional information within our products, e.g. we may ask you for a new consent or explain the consequences of revocation. The information in our products does not contradict this privacy notice, but rather supplements it with brief and easily readable information so that you can make decisions more easily. This Privacy Notice and the additional information are easily accessible at any time from within our products and on our website.

Structure and consent concept

This Privacy Notice informs you about the purposes and scope of processing your User Data, data transfers, as well as your extensive rights. As our offer is exclusively aimed at persons with diabetes, your use of our products typically already provides information on your health condition. We therefore only process User Data as health data with your consent. We differentiate as follows:

“Necessary Processing of Personal Data” describes how we process your User Data which is required to fulfill the contract and to provide our services to you. Without this consent the use of our products is not possible from a legal and a factual point of view because our services depend on this processing.

“Processing for Product Improvement” explains how you can help us and other users, with your optional consent, by allowing us to use your data in particular to develop algorithms for therapy management, improve the product and so forth without us contacting you for advertising purposes etc. You can also use our products without giving us this consent - but your consent improves the database in the interest of all users so that we can improve our product more quickly.

“Processing for Marketing Purposes” describes how we contact you for marketing purposes, with your optional consent, e.g. by email, notifications etc. Here too you may use the products without consent but with your consent you will receive valuable information on our products or if, for example, your health insurance company covers new services.

Under “General Information” we have assembled the information that applies to all of the above consents to avoid repetition.

The above mentioned categories are described in more detail below. You may provide the relevant consents upon registration, upon request (e.g. during a pairing process) or later via the account settings. You may revoke any consents at any time via the account settings or by sending an email to support@mysugr.com. In such an instance we will inform you about the consequences of the revocation. The lawfulness of the processing prior to revocation remains unaffected.

In some cases, the processing of your data may take place independently of your consent on the basis of statutory principles, i.e. based on law (e.g. medical device regulations). We will inform you accordingly in appropriate cases.

2 NECESSARY PROCESSING OF PERSONAL DATA

If you consent during the creation of an account, we will process your User Data listed below in order to be able to provide our services. If you do not consent to this necessary processing, you cannot use the services of mySugr. You may provide your consents during the registration process and manage them in the account settings.

In order to protect your User Data, our services can only be used in connection with a user account. To create a user account we require, collect and process the following User Data:

Your Email address, in connection with your chosen Password is necessary to create and maintain an account and create an Account ID when you register in our apps as well as to provide you with a secure way of logging into your account.

Your Email Address is also used to communicate with you where this is required to support or troubleshoot our products. One purpose is the mySugr user support service, which you can contact at support@mysugr.com. The information and personal data you wish to exchange with our user support service is solely your decision and we will never require any personal data which is not necessary to provide you with the information or support you request. Communication with you may be necessary, either by email, in-app message push notification in order to inform you about updates to our products and services or provide you with important security advice as well as assistance associated with your usage. This support communication - as an essential part of our products - is sent to you notwithstanding whether you have subscribed to our Newsletter or not.

When you install and use our app, we also collect information on the device you are using and generate crash and bug reports if required. This is necessary for us to troubleshoot and determine the circumstances of a potential problem. We record key data of your device and your usage behavior as our contractual fulfilment, as well as to customize our products. This includes processing individual user information, such as your location, diabetes type or type of therapy, for instance to configure the user interface. An automated analysis of your user behavior is performed exclusively for the purpose of customizing your use when fulfilling the contract and has no legal effect for you.

We also process your IP address to assess from which country or region you are using our services and to provide you with the features and information which is relevant in your country. Your IP address is also used to determine the data storage location for your account.

3 OPTIONAL PROCESSING OF PERSONAL DATA

Any other User Data which is collected and processed while you use our services is optionally provided by you when using certain functions of our applications. Those optional User Data and their collection purposes are:

General Data
This optional data is collected and processed to be able to address and contact you in a suitable way and to process order, delivery, support and billing of our products, including products of our cooperation partners. It includes:

Medical Master Data
This optional data is collected and processed in order to be able to provide a personalised application experience. It includes:

Commercial and Usage Data
This optional data is collected and processed in order to store and retain necessary financial information in case you make a purchase, as well as to improve our app experience for you. It includes:

Medical Data
This optional data is collected and processed in order to be able to deliver the service which is offered by the mySugr Logbook app. It includes:

The scope of the personal data processed by mySugr depends on your registration and the use of our products. We only process User Data that you actively and voluntarily provide to mySugr. The entry of requested User Data is however a requirement for the comprehensive use of our products. If you do not enter optional data the associated functionality of our products is limited accordingly. For example our Logbook or Bolus Calculator require detailed (voluntary) entry of your data in order to ensure optimal use. In any case, each function describes the purpose for which the data is needed.

If you pair Therapy Devices (e.g. blood glucose meters, insulin pens or insulin pumps) with your mobile device, data is being transferred between those devices and our apps. In those cases, only the data relevant for the operation of the device is being transmitted or imported into our apps.

When pairing a therapy device via Bluetooth ®, certain mobile devices require access to your location for the pairing process. If this is the case, you will be asked to allow access to the location. The purpose is to enable the therapy device to be detected through Bluetooth ®. This access is only necessary for the pairing action from a technical point of view; mySugr will not process your location for this purpose.

You can optionally activate synchronization between our apps and Health Apps, such as those by Apple or Google, and other connected services, which enables data to be exchanged between our apps and those Health Apps. This synchronisation only takes place if you activate this in the settings of our apps and configure the data that is being exchanged.

In addition to the User Data you provide voluntarily, there is also the option of independently activating or deactivating the recording of certain data in the settings of our apps and other software of your device (e.g. operating system, other apps, app stores etc.). If you have questions, please contact support@mysugr.com.

4 PROCESSING FOR PRODUCT IMPROVEMENT

mySugr would also like to use the data you provide via the mySugr products to continuously improve and innovate our portfolio by gathering insights, detect patterns, generate real world evidence and develop predictive algorithms from health data. Such innovations will be used for decision support with the objective to further improve medical outcomes and the quality of life of people with diabetes.

We will only use your data and any additional data, as detailed below, if you provide us with your express consent. You can give and revoke your consent for the processing for product improvement at any time, in your account settings within our apps.

Additional data

In general, we use the same User Data to improve our products as stated in sections 2 and 3. In addition, mySugr may also record the following User Data:

Usage Data - We record Activity Events, not necessarily related to the delivery of our services, which allow us to understand how you use our products. This enables us to assess how our products are used and to constantly improve our services.

Purpose of product improvement

As a result of a fast paced technological progress, we have to constantly analyze, develop, test, and improve our products and their interactions, in order to ensure that our content benefits users in the most effective way. To achieve this, we conduct usage and security tests and the knowledge gained is incorporated into improved new versions of our products. These improvements are also provided to you via frequent app updates.

5 PROCESSING FOR MARKETING PURPOSES

5.1. Newsletter

We would like to send you interesting information on products and services in addition to the contractual scope, including information from carefully selected partners, and invitations to participate in surveys or other sales promotions and marketing activities (“Newsletter”).

We will only process your personal data for this purpose and send you Newsletters if you actively consent and subscribe. You can revoke your consent at any time, via the link in every Newsletter or in your account settings in our apps.

5.2 Other types of marketing

Other consents, e.g. for surveys, notifications, or customized offers, are obtained as required when you are logged in. We always explain to you why we need certain data and also how you can revoke the consent.

From time to time we may also show you offers within the app without processing your personal data. These non-customized advertisements will also be shown to you if you have not provided your consent for processing your personal data for marketing purposes.

6 USAGE FOR STATUTORY PURPOSES

6.1 Scientific research and statistics

mySugr is committed to the science of all aspects of diabetes. Therefore, anonymous User Data may also be used for the purposes of research and statistics (always whilst complying with the recognized ethical scientific standards) and internal analyses. This is used mainly to determine and improve the effectiveness of techniques for controlling and treating diabetes. The legal basis for this is Article 9 (2) j) of the GDPR which provides for processing of Special Categories of Personal Data for scientific research and statistical purposes. We will always make sure that all User Data is properly anonymised before it is used for those purposes.

6.2 Enforcement of rights

The use of personal data may also be necessary to prevent abuse by users or to assert, exercise, or defend legal claims. We may be forced into disclosure due to binding laws, court or official decisions and instructions, criminal investigation, or in the public interest. In such cases, the storage and processing of your data is permitted by law without your consent. The legal basis for this is Article 9 (2) f) GDPR.

6.3 Compliance with medical device legislation

As the manufacturer or distributor of a medical device, we are subject to elevated requirements for monitoring the functionality of our products. This vigilance system required for regulatory purposes may also involve the processing of personal data. The legal basis for this is Article 9 (2) i) GDPR, which provides for processing necessary for reasons of public interest in the area of public health.

7 GENERAL INFORMATION

7.1 Purpose limitation and security

mySugr uses your personal data exclusively for the purposes determined in this Privacy Notice and the relevant consents. We ensure that each processing is restricted to the extent necessary for its purpose.

We always guarantee adequate security and confidentiality of your personal data. This covers protection from unauthorized and illegal processing, unintentional loss, unintentional destruction or damage using appropriate technical and organizational measures. We use strict internal processes, security features, and the latest encryption methods, always taking into account state-of-the-art technology.

7.2 Data Processors

Our products are subject to complex processes that, in light of our millions of users, we have to manage and keep up-to-date. For technical support we therefore use certain affiliated companies of the Roche Group – F. Hoffmann-La Roche Ltd. - and third-party suppliers (“Data Processors”) in order to offer a comprehensive and optimal use of our products to you. The categories of Data Processors are listed in more detail in section 7.5.

mySugr transfers User Data to Data Processors exclusively within the framework of this Privacy Notice and only to fulfill the purposes stated within. Data Processors work according to our specifications and instructions; they are not permitted to use the personal data of our users for their own or other purposes.

We use Data Processors offering sufficient guarantees that suitable technical and organizational measures are undertaken in a way that the processing of personal data complies with the statutory requirements and our Privacy Notice. The protection of the rights of our users is ensured by concluding binding contracts that meet the strict requirements of GDPR.

Third-party suppliers appointed by mySugr may only use other processors (subcontractors) with our prior consent. If a subcontractor does not comply with the same data protection obligations and all of the appropriate security measures that we impose on our Data Processors, we will prohibit the use of such a subcontractor.

7.3 Encryption, pseudonymization, and anonymization

Each transfer of personal data, without exception and by default, is encrypted during transfer. Using HTTPS (hypertext transfer protocol secure) we ensure that your data is not intercepted by unauthorized third parties.

In addition, for the purposes of data security and minimization, we also use other processes for the encryption and pseudonymization of User Data. This depends on the type, scope, and purpose of the relevant data processing and takes into account the latest technology. For example, we only disclose or transfer User Data that a Data Processor requires to carry out their tasks.

When a contractual relationship with a Data Processor is terminated, such Data Processor must, at mySugr’s discretion, either return all User Data or delete it if there are no statutory retention obligations.

Data that requires no personal reference for processing (e.g. for research and analysis) is subject to anonymization. This is done in a way that prevents a connection or attribution to a specific Data Subject in all cases.

7.4 EU and Third Countries

We primarily select Data Processors which are based in or whose servers are located in the European Union (EU) or European Economic Area (EEA).

In exceptional cases we may appoint third-party suppliers who are located in or who have servers outside the EU. However, even in these cases your personal data is subject to an equally high protection level in line with the GDPR – either through an EU adequacy decision, which considers data protection in certain third-party countries to be appropriate, or through the Standard Contractual Clauses approved by the European Commission, which the contractual relationships with our contracted Data Processors are based on, or through comparable legal instruments permitted under the GDPR. A copy of such guarantees or information on these can be requested via privacy@mysugr.com.

Furthermore, we ensure that our Data Processors have additional security standards in place, such as individual security measures and data protection provisions or certifications under the GDPR.

7.5 Categories of Data Recipients

Our cooperation partners are bound by the agreements signed with mySugr as well as by the GDPR and only process data according to our instructions. We provide our users’ data only to fulfill the respective contract:

Manufacturers and suppliers require personal data, such as names and addresses to handle orders for goods. A typical example is the delivery of a blood glucose meter and test strips as part of the mySugr Bundle.

Insurance companies may exchange data with us if you buy our products as part of your health insurance (statutory or private). If applicable, this enables billing based on the tariff of your insurance company.

Accounting and payment service providers support us in the ongoing billing of our chargeable products.

Customer support services and their tools help our User Support to quickly and efficiently handle our users’ inquiries. Here, for example, queries are recorded from various communication channels and grouped according to topics using ticketing systems.

Analysis service providers and their tools help us to understand how users use our products in order for us to provide customized communication and product improvements in the future. This way we can for example avoid that a pump user with type 1 diabetes receives messages about type 2 diabetes or pens.

Marketing service providers support us in creating, sorting, customizing, and sending newsletters, emails, and other messages about our products to our users.

Hosting and cloud services and their tools are used to store data and to produce anonymized analyses (see section 7.3 above).

Certain functions within our app, such as the report generation or communication options with your healthcare professional or mySugr coach, allow you directly share certain User Data with a third party from within our products. In this case you are deciding on your discretion which data you share with which party at what point in time. Therefore such data transfers are solely your responsibility.

7.6 Storage and deletion

Your User Data is stored on your device as well as on our servers. The server location where your User Data is being stored is determined during registration based on your Geolocation. This way we decide if your data is either stored on servers in the European Union or the USA. Regardless of the storage location we ensure that the high protection level pursuant to the GDPR is guaranteed at all times; this applies to data at rest, but also to data that is stored temporarily at a different location or is transferred for processing.

mySugr only stores your personal data for the duration of the contract. In some cases, longer storage may be required in order to fulfil post-contractual obligations or to comply with statutory obligations or disclosure duties, or to assert, exercise, or defend legal claims. Personal data that needs to be retained for this purpose is transferred to a separate archive storage and is not used for any purpose other than the purpose of retention unless it is required by law.

Personal data recorded/stored in paper documents is destroyed by shredding those documents. Personal data stored in the form of an electronic record is deleted using a technical method which does not allow reproducing the record.

7.7 Technical and Organizational Measures

Administrative measures: ISO/IEC 27001 certified information security management system, security officer, a data protection officer, asset management, regular employee training, development principles

Technical measures: Access control, password policy, backup policy, disaster recovery process, security updates/patch policy, infrastructure and network policies and processes, infrastructure monitoring, data encryption in transport and at rest

Physical measures: Physical access control

7.8 Minors

You must be at least 18 years (or such greater age required in your country) to register for our Products. The Products may be used for minors in accordance with the intended use of the Products. In this case the caregiver has to register for our Products in order to manage the account for the minor (see section 3.2.4 of our General Terms and Conditions). This also applies to processing of such personal data, which is only legal if and to the extent to which the consent has been obtained by and through the parent/guardian. Otherwise use of our products is prohibited.

7.9 Data protection officer

Our Data Protection Officer is available to answer all questions regarding the processing of your User Data and data protection at mySugr. You can contact our Data Protection Officer via privacy@mysugr.com. Our Data Protection Officer monitors compliance with all data protection regulations and is subject to strict statutory secrecy and confidentiality obligations.

You can find more information, including the contact details of our Data Protection Officer on our website www.mysugr.com/en/app-tc-privacy/.

Our Data Protection Officer is widely involved in all topics associated with protecting the personal data of our users. As a trained expert, our Data Protection Officer monitors our processing on an ongoing basis, informs and regularly advises the entire mySugr team in order to ensure the best possible protection of your User Data.

7.10 Changes

Technology and processes used for our services as well as data protection legislation are constantly being developed. Therefore we will have to undertake changes in our products and services from time to time. We will inform you of any changes in this Privacy Notice via appropriate means and with advance notice period. If necessary we will ask you for new consent before further processing your personal data.

You can find previous versions of our Privacy Notice on our website www.mysugr.com/en/app-tc-privacy/.

8 YOUR RIGHTS

mySugr would like to make sure you are fully aware of all of your data protection rights. In case you want to execute any of your rights, please contact us at privacy@mysugr.com.

In general, if you make a request to mySugr, we will provide you with your requested information as quickly as possible, latest within one month, or within any shorter period in case the local data protection regulations in your country require a shorter period. You can find more information on those local provisions in section 9 of this Privacy Notice.

Every user is entitled to the following:

8.1 The Right to Access

You have the right to request a copy of your personal data as well as all information relating to the processing of your personal data. This includes information on the processing purposes, data and recipient categories, storage time, origin of your personal data, and your rights under the data protection regulations. You can find all of this information in this Privacy Notice and you can also contact us at privacy@mysugr.com.

8.2 The Right to Rectification

You have the right to request that mySugr correct any information you believe is inaccurate. You also have the right to request mySugr to complete any information you believe is incomplete. You can correct or complete most of your personal data yourself within our apps.

8.3 The Right to Erasure

You have the right to request that mySugr erase your personal data. However, please be aware that we will have to retain certain personal data even after you have requested the deletion to comply with statutory obligations.

8.4 The Right to Restrict Processing

You have the right to request that mySugr restrict the processing of your personal data, under certain circumstances, for example for the duration of any investigation review that you have requested.

8.5 The Right to Object to Processing

You have the right to object to mySugr’s processing of your personal data, under certain circumstances.

If we process your personal data based on your consent, you may revoke the consent at any time. However, revoking your consent will not affect the lawfulness of the processing before the revocation. We will continue to provide our services if they do not depend on the consent that has been revoked.

8.6 The Right to Data Portability

You have the right to request that mySugr transfer the data we have collected to another organization, if this is technically feasible, or directly to you, in electronically readable form.

8.7 Complaints

If you feel we are not protecting your data protection rights adequately, please contact us at any time at support@mysugr.com or contact our data protection officer directly at privacy@mysugr.com. We will handle your request immediately.

You also have the right to submit a complaint with the relevant Data Protection Authority for mySugr, which is the Österreichische Datenschutzbehörde, Barichgasse 40-42, 1030 Wien, Austria - www.dsb.at. In addition, you have the right to complain to a supervisory authority in the EU member state in which you are resident, in which your workplace is located, or which is the location of a suspected infringement.

9. COUNTRY SPECIFIC PROVISIONS

9.1 Germany

Certain products and services of mySugr may be part of statutory health programs, e.g. Digital Healthcare Act in Germany (“Digital Healthcare Application”). Such User Data of Digital Healthcare Applications will be processed in accordance with all legal requirements which are specified in more detail in this section.

User Data of Digital Healthcare Applications will not be processed for product improvement and marketing purposes. When it comes to the lawful basis for data processing based on statutory law, User Data of Digital Healthcare Applications will only be processed for patient safety reasons (incident reporting to BfArM) in accordance with section 6.3.

9.2 USA

Patient Information

In accordance with HIPAA, any use or disclosure of protected health information by mySugr or any subcontractor will be governed by the respective service agreement and a Business Associate Agreement executed between you and mySugr.

Your Rights if Your Data is Covered by California Law

If you are a California resident as defined by the California Consumer Privacy Act (CCPA), you can find a description of these rights covered in the California Supplemental Privacy Notice. That privacy notice contains information on how to contact mySugr to exercise any of your rights under that law.

California Civil Code Section 1798.83 permits California residents to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes. To make such a request, please use the contact information provided in the California Supplemental Privacy Notice.

Minors

We are committed to protecting the privacy of children. As such, we do not intentionally collect data from users under the age of 13 years old in connection with our general purpose website(s), app(s) or other services. If you are the parent or guardian of a child under the age of 13 who has submitted information through this Site, please email us to privacy@mysugr.com in order to request deletion.

THANK YOU FOR YOUR CONFIDENCE IN US!