Data Protection Regulation

Preface

As a service provider in the field of electronics and medical device technology, SteadySense GmbH (hereafter also abbreviated to ‘SteadySense’) takes the protection of your personal data very seriously. We collect and process personal data only to the extent described here and in accordance with the regulations of the GDPR. The following notice describes how we provide this protection, what data is collected for what purpose and how it is processed.

1. Responsible company and contact details

If you have any questions regarding the processing of your personal data, please contact us:

SteadySense GmbH, Kärntner Strasse 518, 8054 Seiersberg-Pirka, Austria, Tel: +43316 232004

gdpr@steadysense.at www.steadysense.at

2. Personal Data

SteadySense processes personal data that is collected or transmitted by business partners in the context of a business relationship. The following categories of personal data are - depending on the service - the subject-matter of the processing:

  • Inventory data (for example, names, addresses).

  • Contact details (e.g. e-mail, telephone numbers).

  • Content data (e.g. text input, photographs, videos).

  • Usage data (e.g. websites visited, interest in content, access times).

  • Meta/communication data (e.g. device information, IP addresses).

  • Health details (e.g. temperature data, weight).

3. Purpose and Legality

SteadySense processes personal data to provide services related to medical device technology. The following legal principles can be taken into consideration:

3.1 Fulfilment of contractual obligations and pre-contractual measures pursuant to Article 6 paragraph 1 (b) of the GDPR

In order to provide our contractual or pre-contractual services to our business partners, the processing of personal data is necessary. If you do not wish to provide us with this data, it may be impossible to conclude the contract or execute the order or pre-contractual services. An existing contract can no longer be executed under these circumstances and may have to be terminated. Please refer to the individual contracts for the scope and specific purpose of data processing. If you have registered as a test person, this is only so you can be contacted for future tests. Your data will be deleted after 24 months.

3.2 Protection of legitimate interests pursuant to Article 6, paragraph 1 (f) GDPR

SteadySense processes your data in the ordinary course of company business (e.g. accounting, controlling) based on the legitimate interest in proper and efficient business management as well as for process and business optimization.

3.3 Consent according to Article 6, paragraph 1 (a) GDPR

If the processing of personal data goes beyond contractual or legal obligations and a legitimate interest, SteadySense will seek the consent of business partners, for example for the distribution of our newsletter. In the event of consent, the data will be processed exclusively for the stated purpose. Consent given can be revoked at any time. The revocation can be given both in writing and orally: gdpr@steadysense.at.

3.4 Further justification in the context of legal obligations

Fulfillment of legal obligations according to Article 6, paragraph 1 GDPR.

Legal obligations may require us to process personal data. At SteadySense, these obligations result, among other things, from the Distance and Foreign Transactions Act, the Business Code and/or the Federal Fiscal Code.

4. Recipients

The recipients of the personal data are employees of SteadySense (e.g. IT support, Customer Support, Marketing, Logistics, Accounting) who process them according to the purpose of use and the legal framework.

Depending on the purpose of the processing, SteadySense will pass on data to contract processors (especially newsletter service providers, online payment processing service providers and logistics partners), if we need to do so in order to fulfil the relevant task. SteadySense is committed to compliance with data protection regulations when selecting its contract processors and has entered into agreements with the contract processors to ensure that personal data is processed confidentially and carefully. The collected data will not be sold or passed on to uninvolved third parties. Depending on the contract, the data may have to be forwarded to third parties.

5. Storage Time

In principle, we will only store your data for as long as is necessary for processing on the grounds of the relevant purpose and the relevant legal basis, and as long as this is permissible under the applicable law. Your personal data, which you provide to us when contacting us, will be stored for as long as necessary to answer the specific inquiry. Among other things, SteadySense is subject to the following legal storage obligations:

  • Business Code (UGB Austria)

  • Federal Fiscal Code (BAO Austria)

  • General Civil Code (ABGB Austria)

6. Affected Rights

You are fundamentally entitled to the following rights:

  • Right of access by the data subject Art. 15 GDPR

  • Right to rectification Art. 16 GDPR

  • Right to erasure (‘right to be forgotten’) Art. 17 GDPR

  • Right to restriction of processing Art. 18 GDPR

  • Right to data portability Art. 20 GDPR

  • Right to object Art. 21 GDPR

If processing of your personal data is based on your consent, you have the right to revoke this consent at any time with immediate effect. The lawfulness of the processing of your personal data until the revocation is not affected by the revocation.

In addition, you have the right to lodge a complaint with the supervisory authority:

Austrian Data Protection Authority, Wickenburggasse 8-10, 1080 Vienna, Austria, dsb@dsb.gv.at

7. Website - Personal data

In the course of your visit to our website, we will potentially process the following personal data:

  • Date and time the website was accessed

  • Your IP address

  • Name and version of your Web browser

  • The website (URL) that you visited before you visited our website

  • Certain cookies

8. Online-Shop/In-App-Shop - Personal data

To enable us to process and complete your order in our Online-Shop/In-App-Shop, we require your complete and correct name, address, and payment details as well as your e-mail address. We need your e-mail address in order to confirm the receipt of your order.

Use of cookies

9. Google Analytics

Our website uses features of the web analysis service Google Analytics from the ‘Google’ company:

Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States

Google Analytics collects the number of users and the usage behaviour on our website. Cookies are used for this; they enable the analysis of the use of the website by our users. The information generated in this way is transferred to the provider’s servers in the USA and stored there. We have entered into a corresponding contract with the provider for the purposes of assignment-related data processing. If you do not want your usage behaviour to be recorded on our website, you can prevent this by setting your browser so that no cookies are stored. You can prevent the installation and storage of cookies by setting your browser software accordingly and by downloading and installing the browser plugin which is available free of charge.

We also use the Google Firebase Service to analyze any app crashes.

10. Klavio

Newsletter distribution is managed by ‘Klavio’

125 Summer Street Floor 7, Boston, MA 02111

‘Klavio’ guarantees, by certification in accordance with the ‘EU-US Privacy Shield’, available at privacy-shield, that the data protection regulations of the EU are also observed when processing data in the USA. Further data protection information from ‘Klavio’ can be found at: Klavio.

When you register for our newsletter, your registration data, namely your e-mail address and IP address, are processed and stored by ‘Klavio’.

11. Facebook

As part of our social media marketing and advertising campaign, SteadySense will use and create Facebook Events. These include:

  • App installation

  • App launch

  • Registration

  • Method of use/app mode

  • Patch ordered

The SteadyTemp app and website use tracking tools to track the performance of our services. This is necessary to better understand how you use our products, and to see what improvements we need to make to offer a better service.

12. Apple Health iOS

You can choose whether and to what extent your personal data is shared between the femSense app and Apple Health. Permission can be granted or revoked at any time in the Apple Health settings. With your permission, femSense can interact with the Health app on your iOS device. This may involve a transfer of your personal data to Apple servers outside the European Union.

SteadySense may not use data collected in connection with health, fitness, and medical research for promotional purposes or share it with third parties. This includes the Clinical Health Records API, the HealthKit API, Motion and Fitness, Movement Disorder APIs, or health-related research on human subjects - for marketing or other usage-based data mining purposes, except to improve health management or for the purpose of health research, and then only with permission.

SteadySense does not use information for advertising obtained through the use of the HealthKit framework or similar services.

SteadySense may not share any information obtained through HealthKit with third parties without the express permission of the user. Even with permission, SteadySense can only share information with third parties if they also provide a health or fitness service to the user.

SteadySense may not sell information obtained through HealthKit to advertising platforms, data brokers or information retailers.

If the user agrees, SteadySense can share their HealthKit data with third parties for medical research, but must clearly communicate to the user how the app will use their HealthKit data.

SteadySense values your privacy and does not sell personal information to third parties.

13. Sensitive Information

Sensitive information (e.g. menstrual cycle data) entered in the femSense App that can be connected to the user is stored for internal analytics purposes and to monitor the functionality of the femSense App. The provided sensitive information is not shared with any third parties.

14. User content

User content in the femSense App is generated when submitting a customer support request and is solely used for internal analytics purposes and to monitor the functionality of the femSense App. The provided user content is not shared with any third parties.

15. System Diagnostics

Should the femSense app experience technical difficulties or shut down, crash reports are anonymously submitted. These are for analytic purposes and to monitor the performance of the femSense app, and are not shared with any third parties.

16. Deleting your account

If you wish to delete your femSense account, please use the “contact support” function in the menu of the femSense app and state that you wish to delete your account. Your account will be deleted within 2 working days.

17. Confidentiality

All SteadySense employees are required to maintain secrecy about any information disclosed by you in the context of their employment or business.

18. Data Security

Data security is very important to us. SteadySense has taken all necessary technical and organizational measures to ensure the security of data processing and to protect personal data from access by unauthorized third parties. SteadySense’s IT infrastructure complies with current security requirements and is checked regularly.

The femSense system uses a variety of cryptographic methods for security purposes and to protect the transmission of confidential content, such as temperature data and cycle data.

The HTTP connection between the app and the backend server is encrypted using the TLS method. The server is located in Europe and is hosted by SteadySense.

SteadySense does not store any payment-related data and archives health data and body measurement data only anonymously.