Privacy Notice for iCAN APP of Sinocare Meditech Inc.

Privacy Notice for CGM Application of Changsha Sinocare Inc.

Changsha Sinocare Inc.("we") operates the Sinocare Continuous Glucose Monitor System Application ("CGM APP").

Changsha Sinocare Inc. is the controller of your personal data and as such your direct point of contact related to data protection. You can reach us at any time using the following contact options:

Postal: Changsha Sinocare Inc., 265 Guyuan Road, Hi-Tech Zone, Changsha, 410205, Hunan Province, P.R. China

The use of the CGM APP is only possible after prior registration of a user account with us. When using the CGM APP in connection with the blood glucose sensor and the transmitter, we enable you to transmit, retrieve and display certain information regarding your diabetes (" Product "). The glucose sensor, which you can insert into your skin yourself using the applicator, transmits your current glucose levels via a transmitter to the CGM APP, which can display and identify your current glucose levels, long-term glucose trends and developments based on your glucose levels. Furthermore, the CGM APP can send you warning messages or alerts if you become hyperglycaemic or hypoglycaemic and thus reach a life-threatening state. In addition, with the CGM APP, we offer you the voluntary option to upload your data to a cloud server hosted in Singapore, which is operated by one of our partners on our behalf. Otherwise, the data collected will remain stored locally and in a secure environment on your device. When using the CGM APP, we consequently collect and process your personal data, including special categories of personal data. Personal data means any information relating to an identified or identifiable natural person. Since the protection of your privacy as well as the protection of your personal data in connection with the use of the CGM APP is very important to us, we would like to inform you in detail below which personal data we collect and process from you, for which purposes and on which legal basis we process this data and with whom we may share your data.

What personal Data do we collect about you?

1. When you download the CGM APP from your App Store (e.g. Google Play or Apple App Store), certain required information is transmitted to the App Store you have selected. This information includes in particular your user name, your email address and your customer number of the App Store user account, the time of the download of the CGM APP, provided that the App requires payment, your payment information (e.g. credit card data etc.) as well as the individual device identification number (Device ID) of the device on which you download and install the CGM APP. We have no influence on these data processing operations. It is conducted exclusively by the respective provider of the App Store and we are not responsible for this processing in the meaning of the data protection laws. (" App Store Data").

2. After the CGM APP has been downloaded and installed on your mobile device, it can be used without access to the Internet after you have set up a user account with us, which is described in more detail in section 4. In this case, all of the data described below will be stored exclusively locally on your mobile device. If you decide to upload this data to the cloud server operated by our service provider, which you can do so by activating a corresponding button in the app, the categories of personal data described below will be processed by us on an ongoing basis.

3. When you use the CGM APP and register a user account, we collect and process certain Technical Data that is mandatory for the use of the App. This Technical Data, which is necessary for the use of the CGM APP and is collected automatically, includes your IP address, your device ID (IMEI number = International Mobile Equipment Identity number), your operating system and its current version, date and time of access, the unique number of the carrier (IMSI = International Mobile Subscriber Identity), mobile phone number (MSISDN), the MAC address for WLAN use and the name of your mobile device. (" Technical Data").

4. In order to use the CGM APP, you must first register a user account with us and log in to the app via this user account. If you create a user account with us, we will collect and process, alongside the aforementioned Technical Data, for the creation of the user account, your email address, a user name chosen by you and an individual password to protect your user account (" User Account Data "). When logging into the app in the future, you must provide this email address/user name and your password so that you can be granted access to your user account.

5. When you use the CGM APP, special categories of personal data will be collected by the CGM APP, namely Health Data. This includes, when creating your user account, information such as diabetes type, gender and age, which you can optionally and voluntarily provide to us if you wish. In addition, however, it is necessary for the functioning of our Product and the CGM APP that your glucose levels are continuously processed in connection with the use of the CGM APP and the glucose sensor by transmitting them to the CGM APP ("Health Data "). For the transmission of the glucose levels to the CGM APP, it is necessary that the App accesses the Bluetooth interface of your mobile device in order to receive the glucose data transmitted by the transmitter.

For what purposes do we process your personal data?

1. We process the Technical Data solely for the purpose of providing you with the CGM APP, to ensure the security and functionality of the CGM APP, and to evaluate the utilization of the app.

2. Your User Account Data will only be used to perform the contract concluded with you for the use of the CGM APP.

3. The Health Data you provide, in particular the data about your glucose levels, will be processed for the purpose of enabling you the use of the CGM APP, in particular to provide you with your current glucose levels, to provide you with a retrospective analysis of your glucose levels and, consequently, to improve your understanding and control of your diabetes. In addition, your Health Data will also be processed to provide you with warning messages and alerts if your glucose level reaches a life-threatening range and to enable you to take appropriate remedial measures. Legal basis for this processing is your explicit consent to be provided when installing the CGM APP. Please note that without your consent, you cannot use the CGM APP to monitor your glucose levels.

4. Instead of storing your User Account Data and Health Data on your device, you have the opportunity to upload your Health Data and User Account Data to our cloud servers using the function provided in the CGM APP and store it there. This has the advantage that you will have access to your data even if you change mobile devices and download and install the CGM APP on a new mobile device. By uploading the data, you can easily transfer it to the CGM APP on a new mobile device. This function is disabled in the default setting of the App. Legal basis for this processing activity is also with your explicit consent. This is optional and by no means mandatory to use the CGM APP.

5. Should you choose to upload and store your Health Data and User Account Data to the cloud servers operated by us using the function provided in the CGM APP, we intend to share this data in an aggregated, i.e. anonymized, form with research and development centers in the United States of America and Peoples’ Republic of China for statistical and analytical research purposes and to improve data related to diabetes research. Processing for research purposes includes, but is not limited to, creating, accessing, storing, using, analyzing, and sharing the data with affiliates, external researchers, healthcare companies and professionals, and health authorities. We will also use aggregated or anonymized data to evaluate and improve the performance of the CGM APP and to update and improve existing features, develop new features to meet the individual needs of our users, and to improve statistical and scientific research capabilities. We will only share this anonymized and aggregated data upon your explicit consent.

6. Upon your request, we process your data for the performance of the contract concluded with us in order to provide you with adequate and helpful customer service or customer support, should you ever experience problems with the CGM APP or require assistance. In this context, our customer service personnel may need to access the data stored in your user account or terminal device and may be located in a country different from the country from which you are making the customer request or the country in which you are resident or habitually resident. In such case we also require your consent to access your data.

7. We process your personal data exclusively for the aforementioned purposes. To the extent that we intend to process your personal data for purposes other than these purposes, we will only do so to the extent required/permitted by law or if you have given us your consent to process the data for the different purposes. Prior to any further processing for the different purposes, we will inform you accordingly and provide you with all necessary information.

8. We will not use automatic decision-making (including profiling) to process your personal data.

9. For withdrawing your consent, please refer to the “Which rights do I have” section below.

With whom do we share your personal data?

In addition to the cases explicitly mentioned in this privacy notice, your personal data will only be shared without your express prior consent or if this is permitted and required by law.

1. If you decide to upload your user account to the cloud, your Technical Data, User Account Data and Health Data will be shared with our technical service providers for the purpose of offering the optional cloud storage service to you. In this case, any transfer of personal data will take place for the fulfillment of the contract concluded with you and, in case of your Health Data, on the basis of your prior express consent.

Any transfer of personal data to the above recipients is justified by the fact that you have previously given us your express consent to transfer this personal data. If we use such external service providers, we have carefully selected them beforehand as processors and verify their reliability and contractually obligate them to process all personal data provided by us exclusively in accordance with our instructions.

2. We may share the Technical Data and User Account Data within the Sinocare Group for internal administrative purposes and in particular for joint customer services as well as customer support with Changsha Sinocare Inc, if this is necessary for the above purposes. The legal basis for any disclosure of this personal data to our affiliated companies is our legitimate interes t . Insofar as non-anonymized Health Data is also included in the transfer, the transfer will only take place with your consent.

3. We may share Technical Data and User Account Data with persons engaged in the conduct of our business to the extent necessary (auditors, financial institutions, insurance companies, legal advisors, regulators, parties involved in acquisitions or the establishment of joint ventures) based on our legitimate business interest.

4. With your explicit consent, we will share your User Account Data and Health Data uploaded to the cloud in aggregated and anonymized form with research and development centers in the U.S. and China, affiliated companies, external researchers, healthcare companies and professionals, and health authorities for statistical and analytical research purposes.

5. To the extent necessary to investigate unlawful or abusive use of the CGM APP or for legal defense or enforcement and to investigate criminal offenses, we may disclose your Technical Data and Account Data to law enforcement or other authorities and, if necessary, to harmed third parties and legal counsel. However, we will only forward your data if there are indications of illegal or abusive behavior and upon binding request. We may also share it, particularly with our legal counsel, if necessary to enforce our CGM APP terms of use or other legal claims. In addition, we may be required by law to provide information about personal data at the request of certain public authorities. This typically includes requests from law enforcement authorities, authorities that prosecute administrative offenses subject to fines, and tax authorities. We may also disclose your data to authorized third parties if we are permitted to do so by law (e.g., in the case of (third-party) information claims for intellectual property rights infringement) or if we are required to provide information by an administrative or court order. The legal basis for the disclosure of your personal data is either our respective legal obligation to comply our legitimate interest, or if there are indications of unlawful or abusive behavior, we have a legitimate interest in disclosing the data to enforce our terms of use, our own legal claims or those of third parties, and our interests outweigh your interest in protecting your personal data.

Do we transfer your personal data to third countries?

The above mentioned recipients of your personal data may process your personal data:

1.Changsha Sinocare Inc. in China (support services)

2.Oracle Corporation ("Oracle") in the USA with physical server location in Germany and United Kingdom (as hosting provider)

3.research and development centers in the U.S. and China, affiliated companies, external researchers, healthcare companies and professionals, and health authorities (aggregated and anonymized data only)

If you decide to upload your data to the cloud servers operated by our service providers or if you agree to share your Health Data in anonymized form with third parties, your consent also covers the transfer of Health Data to recipients outside the European Union.

When do we delete your personal data?

We delete or anonymize your personal data as soon as it is no longer necessary for the purposes we have collected and processed it for. In general, we store your personal data for the duration of the contractual relationship regarding the CGM APP. If you have uploaded your personal data to our cloud server, we will store your User Account Data and Health Data for a period of twelve months from the last use of your User Account and delete or aggregate them thereafter. Should you withdraw your consent in accordance with the “What rights do you have?” section below (e.g. for hosting your Health Data in the cloud), the respective data will be deleted by us.

Your personal data collected and processed when you contact our customer service will be stored where this is necessary to ensure product safety and to comply with applicable regulatory provisions. We will anonymize your data to the extent permitted to comply with said regulatory provisions. The data stored on the mobile device you use in connection with the use of the CGM APP will be stored until you decide to delete the CGM APP.

Legal requirements for the retention and deletion of personal data, in particular tax and commercial law requirements for retention, remain unaffected.

How do we process children’s data?

We do not knowingly collect and process personal data from children under the age of 18 without the consent of their parents or other legal guardians. Our product is intended for use by adults only.

Which encryption methods and encryption standards do we use for the security of your personal data?

For data loss prevention and protection against unauthorized access to your personal data, we use various encryption methods, encryption standards and security means.

User Account Data and Health Data stored locally on your device is encrypted using CBC encryption, while the user account password is MD5 encrypted. The data transmitted from the transmitter to the CGM APP adopts the Bluetooth standard protocol for encryption. Should you choose our cloud service and decide to upload your User Account Data and Health Data to our cloud server, this data is transmitted to the cloud server using HTTPS encryption. The data stored on our cloud server is encrypted using Advanced Encryption Standard (AES).

For the prevention of data loss of data stored on our cloud server, we perform daily incremental backups and monthly full backups for the sole purpose of providing you with backups of your data in the event of accidental data loss.

Which rights do you have?

You have the right to request information about the data we have stored about you, to request the rectification of inaccurate data and to request the erasure of data or the restriction of data processing. You may also request the transmission of personal data to you or a third party.

You have the right to object to the processing of your data, provided that the reason for the objection arises from your particular situation and it concerns data that we process to protect one of our interestsworthy of protection or if it concerns the use of your data for direct marketing.

You also have a right to lodge a complaint with a competent supervisory authority if you consider that we are not processing your personal data in accordance with applicable law. This can be, for instance, the supervisory authority at the place of your residence.

If you have given us consent to process your personal data, you can withdraw this consent at any time without providing reasons and with effect for the future at the email address provided above under the contact details. For data stored on cloud servers, you can also decide to change your choice at any time directly in the privacy panel. Please note that this will not affect the processing of your data up to the receipt of the withdrawal notice by us.

Amendment of this Privacy Notice

We always keep this Privacy Notice updated. The current version can always be viewed under the menu "About" within the app. If we change this Privacy Notice, we will inform you about this via a corresponding banner in the CGM APP or via email.