Privacy Notice for iCan App of Changsha Sinocare Inc

Privacy Notice for iCan App of Changsha Sinocare Inc.

To fully protect your rights and interests, we have made the following updates:

• Updated the description of section “What personal Data do we collect about you?”.

• Improved text clarity and phrasing.

Effective from: October 2025

Changsha Sinocare Inc.("we") operates the Sinocare Continuous Glucose Monitor System Application ("iCan App").

Changsha Sinocare Inc. is the controller of your personal data and as such your direct point of contact related to data protection. You can reach us at any time using the following contact options:

Postal: Changsha Sinocare Inc. 265 Guyuan Road, Hi-Tech Zone, Changsha, 410205, Hunan Province, P.R. China

Via E-Mail:DataManagement@sinocare.com

Data Protection Officer: Gavin Li

The use of the iCan App is only possible after prior creation of a user account with us. The terms of use can be found at iCan App Terms of Use.When using the iCan App in connection with the glucose sensor and the transmitter (collectively as "Product "), we enable you to transmit, retrieve and display certain information regarding your diabetes.. With the iCan App, we offer you the voluntary option to upload your data to a cloud server hosted by our service provider in Singapore. Otherwise, the data collected will remain stored locally and in a secure environment on your device. You can also, in your own responsibility, decide to share your data with family members and friends or your health care professional. When using the iCan App, we consequently collect and process your personal data, including special categories of personal data. Personal data means any information relating to an identified or identifiable natural person. Since the protection of your privacy as well as the protection of your personal data in connection with the use of the iCan App is very important to us, we would like to inform you in detail below which personal data we collect and process from you, for which purposes and on which legal basis we process this data and with whom we may share your data.

What personal Data do we collect about you?

1. When you download the iCan App from your App Store (e.g. Google Play, Apple App Store or Huawei AppGallery), certain required information is transmitted to the App Store you have selected. This information includes in particular your user name, your email address and your customer number of the App Store user account, the time of the download of the iCan App, provided that the App requires payment, your payment information (e.g. credit card data etc.) as well as the individual device identification number (Device ID) of the device on which you download and install the iCan App. We have no influence on these data processing operations. It is conducted exclusively by the respective provider of the App Store and we are not responsible for this processing in the meaning of the data protection laws. (" App Store Data").

2. When you use the iCan App and create a user account, we collect and process certain Technical Data that is mandatory for the use of the App. This Technical Data, which is necessary for the use of the iCan App and is collected automatically, includes your IP address, your operating system and its current version, date and time of access (" Technical Data").

3. In order to use the iCan App, you must first create a user account with us, either by registering directly using an email address or phone number, or by linking a third-party login (e.g., Google Account or Apple Account, hereinafter “Third-Party Login ”). Depending on the information received from the third-party provider and its match with existing records, this process may result in either direct login or initiation of a new account registration. Access to the iCan App is only possible through such a user account.

All such information provided by you directly or obtained via Third Party Login for the purpose of creating or accessing your user account shall be referred to collectively as “User Account Data”.

(1) If you create a user account directly with us, we will collect and process, alongside the aforementioned Technical Data, for the creation of the user account, your email address or phone number (depends on your selection), a user name chosen by you and an individual password to protect your user account. When logging into the App in the future, you must provide this email address or phone number and your password so that you can be granted access to your user account.

(2) If you access the iCan App via a Third-Party Login, we may receive limited information from the third-party provider. This information may include:

(a) a unique account identifier assigned to your Google or Apple Account (used for identity recognition);

(b) your email address (which, in the case of Apple, may be a private relay email address); and

This information is used solely to authenticate your identity and to associate your third-party login with an iCan App user account. We do not access your third-party credentials or any other unrelated data.

In cases where the third-party provider (e.g., Apple) returns a private relay email address which is unidentifiable, we will collect an additional valid email address directly from you to enable proper account creation or identification.

A valid email address or phone number is required in all cases to ensure accurate account identification and to access the App.

4. When you create your user account with us, along with the User Account Data, you may optionally and voluntarily provide some information about yourself, it may include: your username,gender, email address or phone number, date of birth, type of diabetes (“Basic Information”).

5. In order to provide you with the glucose monitoring features of our service, we collect and process information from your iCan CGM sensor and your blood glucose meter (BGM) tests. This may include: real-time glucose values, historical trends, data timestamps, and BGM readings that you enter manually or sync from a connected Bluetooth BGM for calibration or logging (“ Glucose Data”).

6. To help you create a detailed health diary and better understand the context of your glucose levels, the iCan App allows you to voluntarily log various health and lifestyle events (“ Event Data”). The information you can record includes:

Fingertip Blood Data: Your fingertip blood glucose readings and calibration records.
Diet Records: Details about your meals, such as mealtimes, carbohydrate counts, and notes. You also have the voluntary option to upload photographs of meal to these records.
Insulin and Medication: The type, dosage, and time of your insulin injections or other medications.
Exercise: The type, duration, and intensity of your physical activities.

For what purposes do we process your personal data?

1. We process the Technical Data solely for the purpose of providing you with the iCan App, to ensure the security and functionality of the iCan App, and to evaluate the utilization of the App.

2. Your User Account Data will only be used to perform the contract concluded with you for the use of the iCan App.

3. The Glucose Data you provide, in particular the data about your glucose levels, will be processed for the purpose of enabling you the use of the iCan App, in particular to provide you with your current glucose levels, to provide you with a retrospective analysis of your glucose levels and, consequently, to improve your understanding and control of your diabetes. In addition, your Glucose Data will also be processed to provide you with warning messages and alerts if your glucose level reaches a life-threatening range and to enable you to take appropriate remedial measures. Legal basis for this processing is your explicit consent to be provided when installing the iCan App. Please note that without your consent, you cannot use the iCan App to monitor your glucose levels.

4. Instead of storing your User Account Data and Glucose Data on your device, you have the opportunity to upload your Glucose Data and User Account Data to our cloud servers using the function provided in the iCan App and store it there. This has the advantage that you will have access to your data even if you change mobile devices and download and install the iCan App on a new mobile device. By uploading the data, you can easily transfer it to the iCan App on a new mobile device. This function is disabled in the default setting of the App. Legal basis for this processing activity is also with your explicit consent. This is optional and by no means mandatory to use the iCan App.

5. Should you choose to upload and store your Glucose Data and User Account Data to the cloud servers operated by us using the function provided in the iCan App, we intend to share this data in an aggregated, i.e. anonymized, form with research and development centers in the United States of America and Peoples’ Republic of China for statistical and analytical research purposes and to improve data related to diabetes research. Processing for research purposes includes, but is not limited to, creating, accessing, storing, using, analyzing, and sharing the data with affiliates, external researchers, healthcare companies and professionals, and health authorities. We will also use aggregated or anonymized data to evaluate and improve the performance of the iCan App and to update and improve existing features, develop new features to meet the individual needs of our users, and to improve statistical and scientific research capabilities. We will only share this anonymized and aggregated data upon your explicit consent.

6. With your explicit prior consent, we process and share your Glucose Data, the remaining time of your CGM device and your Basic Information via iCan Review with your selected Health Care Professional in order to enable the receiving Health Care Professional to obtain, evaluate, review, and analyze your glucose level and to provide you with proper and improved medical treatment with regards to your diabetes ( “ HCP shared Data ”). Legal basis for this processing operation is your prior explicit. The selected Health Care Professional is solely responsible for the processing of your data after disclosure via iCan Review to them.

7. With your explicit prior consent, we process and share your Glucose Data and basic personal information via iCan Reach with your selected family members and friends in order to enable your family members and friends to review your Glucose Data. Legal basis for this processing operation is your prior explicit consent .The selected family members and friends is solely responsible for the processing of your data after disclosure via iCan Reach to them.

8. Upon your request, we process your data for the performance of the contract concluded with us in order to provide you with adequate and helpful customer service or customer support, should you ever experience problems with the iCan App or require assistance. In this context, our customer service personnel may need to access the data stored in your user account or terminal device and may be located in a country different from the country from which you are making the customer request or the country in which you are resident or habitually resident. In such case we also require your consent to access your data.

9. We process your personal data exclusively for the aforementioned purposes. To the extent that we intend to process your personal data for purposes other than these purposes, we will only do so to the extent required/permitted by law or if you have given us your consent to process the data for the different purposes. Prior to any further processing for the different purposes, we will inform you accordingly and provide you with all necessary information.

10. We will not use automatic decision-making (including profiling) to process your personal data.

11. For withdrawing your consent, please refer to the “Which rights do I have” section below.

12. Obtaining the location is only used for helping scan and search nearby Bluetooth device. We will not locate and collect your location information.

With whom do we share your personal data?

In addition to the cases explicitly mentioned in this privacy notice, your personal data will only be shared without your express prior consent or if this is permitted and required by law.

1. If you decide to upload your user account to the cloud, your Technical Data, User Account Data and Glucose Data will be shared with our technical service providers for the purpose of offering the optional cloud storage service to you. In this case, any transfer of personal data will take place for the fulfillment of the contract concluded with you and, in case of your Glucose Data, on the basis of your prior express consent.

2. If you decide to share your Glucose Data with third parties via the "Access" function of the iCan App, you need to give us your prior express consent to transfer to and share this personal data with these persons. You are yourself responsible for selecting any such persons and to ensure that these do not misuse your Glucose Data. You can at any time disable the access of any of these persons to your Glucose Data in the "Access" function of the iCan App.

3. If you decide to share your HCP shared Data with your treating Health Care Professional through iCan Review, you need to give us your prior express consent to transfer and share this personal data with these recipients. The data will then be hosted by AWS as our data processor. You are yourself responsible for selecting any such recipient and to ensure that these recipients do not misuse your HCP shared Data. Once your HCP shared Data have been shared with your treating Health Care Professional with your prior explicit consent, these recipients are the sole controller in relation to the use of your data. You can at any time block the access of a specific Health Care Professional to your HCP shared Data in the iCan App.

4. If you decide to share your Glucose Data and your Basic Information with family members and friends through iCan Reach, you need to give us your prior express consent to transfer and share this data with these recipients. The data will then be hosted by AWS as our data processor. You are yourself responsible for selecting any such family members and friends to ensure that these recipients do not misuse your Glucose Data and your Basic Information. Once your Glucose Data and your Basic Information have been shared with your family members and friends with your prior explicit consent, these recipients are the sole controller in relation to the use of your data. You can at any time block the access of a family members and friends to your Data in the iCan App.

5. If you decide to generate and share a history report, the method you choose determines our role and your responsibility. When you use the email function within our service, you give us your express consent for us to transmit the report on your behalf to a recipient you designate; please be aware that this action is irreversible. Alternatively, if you choose to download the report as a PDF, you are creating a local copy on your device outside of our control, and you are solely responsible for the security and any subsequent sharing of that file.

6. We may also disclose your User Account Data and Glucose Data to our third party service providers, for the purpose of customer services and support. In this case, any transfer of personal data will only take place if you have given us your prior express consent to transfer to and share this personal data with our third party service providers.

7. Any transfer of personal data to the above mentioned recipients in Section 1, 2 and 3 is justified by the fact that you have previously given us your express consent to transfer this personal data. If we use such external service providers, we have carefully selected them beforehand as processors and verify their reliability and contractually obligate to process all personal data provided by us exclusively in accordance with our instructions.

8. We may share the Technical Data and User Account Data within the Sinocare Group for internal administrative purposes and in particular for joint customer services and Sinocare Meditech Inc. (3230 W Prospect Road, Lauderdale, FL 33309. USA), if this is necessary for the above purposes. Insofar as non-anonymized Glucose Data is also included in the transfer, the transfer will only take place with your consent.

9. We may share Technical Data and User Account Data with persons engaged in the conduct of our business to the extent necessary (auditors, financial institutions, insurance companies, legal advisors, regulators, parties involved in acquisitions or the establishment of joint ventures) based on our legitimate business interest.

10. With your explicit consent, we will share your User Account Data and Glucose Data uploaded to the cloud in aggregated and anonymized form with research and development centers in the U.S. and China, affiliated companies, external researchers, healthcare companies and professionals, and health authorities for statistical and analytical research purposes.

11. To the extent necessary to investigate unlawful or abusive use of the iCan App or for legal defense or enforcement and to investigate criminal offenses, we may disclose your Technical Data and Account Data to law enforcement or other authorities and, if necessary, to harmed third parties and legal counsel. However, we will only forward your data if there are indications of illegal or abusive behavior and upon binding request. We may also share it, particularly with our legal counsel, if necessary to enforce our iCan App terms of use or other legal claims. In addition, we may be required by law to provide information about personal data at the request of certain public authorities. This typically includes requests from law enforcement authorities, authorities that prosecute administrative offenses subject to fines, and tax authorities. We may also disclose your data to authorized third parties if we are permitted to do so by law (e.g., in the case of (third-party) information claims for intellectual property rights infringement) or if we are required to provide information by an administrative or court order. The legal basis for the disclosure of your personal data is either our respective legal obligation to comply our legitimate interest, or if there are indications of unlawful or abusive behavior, we have a legitimate interest in disclosing the data to enforce our terms of use, our own legal claims or those of third parties, and our interests outweigh your interest in protecting your personal data.

Do we transfer your personal data to third countries?

The below mentioned recipients of your personal data may process your personal data:

1. Changsha Sinocare Inc. in China (support services)

2. AWS with physical server location in Singapore (as hosting provider)

3. research and development centers in the U.S. and China, affiliated companies, external researchers, healthcare companies and professionals, and health authorities (aggregated and anonymized data only).

4. The Health Care Professionals you decide to share your HCP shared Data with through iCan Review

5. You family members and friends you decide to share your Glucose Data and your basic personal information with through iCan Reach

6.Any email recipient you designate when you instruct us to send a report from our service.

We take appropriate measures to provide guarantees that the recipients comply with the law. Unless there are other appropriate safeguards or transfer mechanisms in place, we use the ASEAN Model Contractual Clauses with our service providers. The standard contractual clauses are available on website.Furthermore, you can request further information on these measures taken at any time using the contact details above.

Please note that despite careful selection and commitment of our service providers, these may be subject to compulsory laws in their respective country of establishment requiring them to grant access to data on request of governmental authorities.

Please be aware that the data protection laws in other countries may differ from, and in some cases, be less protective than, the laws in your region. In certain circumstances, governmental authorities in those countries may have the right to access your data, and you may have limited legal options to be informed about or challenge such access.

When do we delete your personal data?

We retain your personal data only for as long as it is necessary to fulfill purposes for which it was collected and processed, or as required under applicable legal or regulatory obligations. In general, we store your personal data for the duration of the contractual relationship with the iCan App.

2. If you choose to withdraw your consent in accordance with the “What rights do you have?” section below (e.g. for hosting your Glucose Data in the cloud), such withdrawal shall only apply to future processing and shall not affect the lawfulness of processing carried out prior to the withdrawal. The data already collected and processed under valid consent will continue to be retained in accordance with this Privacy Notice.

3. If you have shared your HCP shared Data with your treating Health Care Professional and withdraw your consent for your Health Care Professional, the Health Care Professional’s access via iCan Review will be disabled. If you delete your iCan user account, your HCP shared Data will be deleted from the cloud server. As a result, any prior access granted to Health Care Professionals via iCan Review will automatically be revoked.

4. If you have shared your basic personal information and your Glucose Data with your family members or friends via iCan Reach and withdraw your consent, their access of your data via iCan Reach will be disabled, and they will no longer be able to view your basic personal information and Glucose Data stored on the cloud server. If you delete your iCan user account, your basic personal information and Glucose Data will be permanently deleted from the cloud server after a 15-day pending deletion period. During this period, previously authorized iCan Reach Users may continue to access the associated data shared prior to the deletion request. Upon expiry of the period, the access through iCan Reach will be automatically revoked.

5. Your personal data collected and processed when you contact our customer service will be stored where this is necessary to ensure product safety and to comply with applicable regulatory provisions. By initiating contact with our customer service, you acknowledge and consent to the use of your personal data for these purposes. The data stored on the mobile device you use in connection with the use of the iCan App will be stored until you decide to delete the iCan App.

Legal requirements for the retention and deletion of personal data, in particular tax and commercial law requirements for retention, remain unaffected.

How do we process children’s data?

We do not knowingly collect and process personal data from children under the age of 18 without the consent of their parents or other legal guardians. Our product is intended for use by adults only. If Sinocare becomes aware that a child has created a User Account without appropriate consent, the account may be deleted. If you are a parent or guardian and believe that your child has submitted personal data to us, you may delete the account directly with a 15-day pending period or contact us at iCansupport@sinocare.com to request deletion of the account and associated data immediately.

Which encryption methods and encryption standards do we use for the security of your personal data?

For data loss prevention and protection against unauthorized access to your personal data, we use various encryption methods, encryption standards and security means.

User Account Data and Glucose Data stored locally on your device is encrypted using CBC encryption, while the user account password is MD5 encrypted. The data transmitted from the transmitter to the iCan App adopts the Bluetooth standard protocol for encryption. Should you choose our cloud service and decide to upload your User Account Data and Glucose Data to our cloud server, this data is transmitted to the cloud server using HTTPS encryption. The data stored on our cloud server is encrypted using Advanced Encryption Standard (AES).

For the prevention of data loss of data stored on our cloud server, we perform daily incremental backups and monthly full backups for the sole purpose of providing you with backups of your data in the event of accidental data loss.

Which rights do you have?

You have the right to request information about the data we have stored about you, to request the rectification of inaccurate data and to request the erasure of data or the restriction of data processing. You may also request the transmission of personal data to you or a third party.

You have the right to object to the processing of your data, provided that the reason for the objection arises from your particular situation and it concerns data that we process to protect one of our interests worthy of protection or if it concerns the use of your data for direct marketing.

You also have a right to lodge a complaint with a competent supervisory authority if you consider that we are not processing your personal data in accordance with applicable law. This can be, for instance, the supervisory authority at the place of your residence.

If you have given us consent to process your personal data, you can withdraw this consent at any time without providing reasons and with effect for the future at the email address or phone number provided above under the contact details. For data stored on cloud servers, you can also decide to change your choice at any time directly in the privacy panel. Please note that this will not affect the processing of your data up to the receipt of the withdrawal notice by us.

Amendment of this Privacy Notice

We always keep this Privacy Notice updated. The current version can always be viewed under the menu "About" within the App. If we change this Privacy Notice, we will inform you about this via a corresponding banner in the iCan App or via email.