PRIVACY NOTICE

Roche Diabetes Care Digital Solutions And Services

Effective Date: June 1, 2025

Click here to jump to the specific section: Introduction | Scope | Data Controller | Categories of Personal Data Collected and Sources | How We Use Personal Data & Legal Basis | Recipients of your Personal Data | International Data Transfers | Your Privacy Rights | Storage period | Changes to This Privacy Notice | Country Specific Provisions

1. INTRODUCTION

This Privacy Notice is meant to explain to you what kind of personal data we collect from what sources and for what purposes. Please read the Privacy Notice carefully before registering and using Roche's digital diabetes care products, solutions or services.

For purposes of this Privacy Notice, "Personal Data" is any information by which you can be individually identified both directly and indirectly, including, but not limited to, your name, e-mail address, and health data.

Our activities are not designed or intended for use by children under the age of 18 years old. We do not knowingly collect any personal data from anyone under the age of 18 until their legal representative has given their consent in a verifiable form.

2. SCOPE

This Privacy Notice applies to the personal data collected through Roche's diabetes care digital solutions and services for personal use by non-professional users (e.g. People with Diabetes), to which this privacy notice is linked (including mySugr App, Accu-Chek SmartGuide App, SmartGuide Predict App, Accu-Chek account, collectively referred to as the "Digital Solutions"). This includes data collected during account creation, usage of the digital solution's functionalities, interactions with our services (such as customer support), data collected through e-commerce portals, and data exchanged with third-party apps, connected therapy devices, and healthcare providers.

3. DATA CONTROLLER

Roche Diagnostics International AG, Forrenstrasse 2, 6343, Rotkreuz, Switzerland, email: [email protected] ("Roche") is the data controller responsible for the overall collection and processing of personal data. However, for the mySugr App, both Roche Diagnostics International AG, Forrenstrasse 2, 6343, Rotkreuz, Switzerland and mySugr GmbH, located at Trattnerhof 1, 1010 Vienna, Austria, act as joint data controllers; privacy inquiries related to the mySugr App should be directed to the Roche Privacy Office at [email protected]. Similarly, for users of the Accu-Chek SmartGuide App and SmartGuide Predict App, Roche Diagnostics International AG, Forrenstrasse 2, 6343, Rotkreuz, Switzerland and Roche Diabetes Care GmbH, located at Sandhofer Strasse 116, 68305 Mannheim, Germany, act as joint data controller. Any privacy inquiries should also be directed to the Roche Privacy Office at [email protected].

Additionally, for marketing and sales related activities, the local Roche Diagnostics affiliate within your country also acts as a data controller to ensure that marketing communications and sales related activities are tailored to your local preferences and regulatory requirements. A list of Roche Diagnostics affiliates is available at: https://www.roche.com/locations.

4. CATEGORIES OF PERSONAL DATA COLLECTED AND SOURCES

We collect various types of personal data from different sources including directly from you, automatically when you use the Digital Solutions and services, or from third parties as described in the table below.

Data collected directly from you
Data Category	Data types
Account User Data	Mandatory: Email address, password, account ID, account history including registration date and the last login, status of consents, language, time zone and country of residence.
User Profile Data	Mandatory: First name, Last name, Date of Birth. Optional: Address, Telephone Number, Sex.
Medical Master Data	Medical Master Data: This is the basic information required to set up the core diabetes management features of the Digital Solution. For example, in the mySugr app: Mandatory Medical Master Data includes: Your Insulin Therapy Type (e.g., if you use an Insulin Pen, Insulin Pump, or No Insulin), whether you take diabetes tablets (Yes/No), the type of blood glucose meter you primarily use (if applicable). Optional Medical Master Data includes e.g. your specific Diabetes Type, the year you were diagnosed with diabetes, your Blood Glucose Target Range, your body height and body weight, details about your medication (e.g., type of insulin, basal rate settings for pump users, correction factors, carbohydrate-to-insulin ratios).
Medical Data	Medical Data collected during the use of the specific Digital Solution, as described in the user manuals. In the mySugr app when you create a log entry, the date and time are automatically recorded (this is mandatory for the entry). You can then optionally add a variety of details to each entry, such as: Activity: Place of activity, type and duration of physical activities. Food & Meals: Food intake, deal descriptions, ingredients. Medication: pills taken, insulin injections (type, dose). Measurements: Blood Glucose Measurements (these can also be automatically imported from therapy devices), blood pressure, body weight, HbA1c, Ketones, Steps. Notes & Tags: notes, custom medication tags. Pump Data (if applicable): Temporary basal rate changes and dates. In Accu-Chek SmartGuide App and SmartGuide Predict App, this data may include e.g. Basic Settings: Your units for blood glucose (BG) (e.g., mg/dL or mmol/L) and carbohydrates (e.g., grams, portions). Your BG Upper and Lower target levels. Therapy Information: Your Diabetes type. Calibration & Meter Data: BG calibration data (if using a meter that requires it). Glucose readings from a connected Glucometer. CGM (Continuous Glucose Monitor) Data. Timestamps & Flags: Time Offset, Time Stamp, Flags (these are often technical data points associated with readings to ensure accuracy). Lifestyle Data: Carbohydrate intake (Meal Data). Insulin Data: Basal insulin settings, Bolus insulin doses. Alert Settings: Your personalized settings for Hyper (high blood sugar) and Hypo (low blood sugar) limits, including Urgent Hypo Limits, and whether alerts are enabled. Manual Logbook Entries: Any information you manually enter in the App logbook, which might include insulin type and values, carbohydrate intake, blood glucose values, or any additional notes you wish to record. We process your data, including blood glucose logs, to generate insights and predictions regarding your diabetes management. These insights, designed to enhance your understanding of your health, involve identifying trends, assessing potential risks, and calculating metrics such as the CGM rate of change (Trend Information).
Commercial and financial information	Commercial and financial information, such as App store download information, purchases, invoices, payment status, payment method (Credit Card, Bank Account etc.), social insurance number (if/where legally required), mySugr App: mySugr Pro Status, vouchers redeemed; Order information (e.g. for ordering meters).
User's content	Optional content you provide as you use the core function of the Digital Solutions, such as: Names and/or GPS coordinates of locations, the name of your "Monster". Also the content of your communications with our support services or other inquiries, surveys data, ratings or feedback.
Data collected from your device and its operation
Data Category	Data types
Usage Data	Mandatory Usage Data: Data required for technical and security purposes, including: Device Information: device ID, IP address, device manufacturer, device type, operating system version, app version, language preference, - Technical Connection: Bluetooth Code (if you connect a bluetooth device); log files and security events. App settings and notifications: your choices for notification settings within the digital solution, and other display option and activated integrations. Data required for product safety reasons. This includes all the "Usage Data required for technical and security purposes" listed above, as well as: Your country (which is derived from your IP address to ensure the app's features comply with local legal requirements). Records of key actions you take within the app: when you register, make your first log entry, pair a blood glucose meter, set up a feature like the bolus calculator, or enable connections with other Roche systems. Status of your meter pairing (e.g., if it's connected or disconnected). Basic technical details about your app session (e.g., when your session starts and ends, how the app communicates with our internal software components (SDK), the version of these components, and a general session identifier with a timestamp). Crash and bug reports (these include information about your device and app state at the time of the issue to help us diagnose the problem). Error reports (these include error numbers, messages, and technical details). Optional Usage Data: Optional Usage Data collected for Marketing. Only upon your consent for marketing communication, includes log entry, integration paired, actively logging, diabetes type and therapy type. Optional Usage Data collected for Product Improvement: events when you interact with features like challenges, device pairing, or subscription screens; how you navigate through different parts of the app by tapping buttons or viewing information; and system events like receiving notifications or encountering errors. For every such action or event, we also record the specific timestamp.
Data exchanged with Third Parties:
From Health Apps Data or other digital solutions	The data exchanged depends on the specific Health Data Apps/ Solution and the information you choose to share, which may include blood glucose, carbohydrates, blood pressure, insulin delivery, steps, weight, and workout details.
Therapy Devices	The data exchanged depends on the therapy device you are connecting. It may include: blood glucose meters, CGM measurement records, injected doses,CGM Glucose Concentration (your actual glucose reading from the sensor), CGM Quality Value (an indicator provided by the sensor about the reliability of a specific reading), CGM session information (e.g., start/end times of a sensor session), CGM patch status information. Error data and status information from the therapy device and Digital Solution are also collected
Data Sharing with Healthcare Professionals or other third parties upon your consent	The data exchanged depends on the specific medical need, functionality and/or third party you choose to share with, which may include blood glucose, carbohydrates, blood pressure, insulin delivery, steps, weight, and workout details.

5. HOW WE USE PERSONAL DATA & LEGAL BASIS

5.1 To fulfill the core service delivered by the Digital Solutions

5.1.1 Account creation:

To use the Digital Solutions and access its functionalities, you need to create an account and log in. This step is crucial for safeguarding your personal data within our secure, access controlled cloud environment, which enables us to obtain and manage your consent and data sharing preferences.

Account creation collects: Account User Data, User Profile Data, and Mandatory Usage Data for technical and security purposes.

• When you create an account, we automatically generate a unique ID for you. This helps us identify your account and keep your information safe and secure.
• We collect your country of residence to set up your account, tailor the service to your needs, and provide support.
• We also collect your date of birth to verify legal age and ensure data synchronization for healthcare provider sharing (with your consent).
• ou can rectify this information at any time via our Customer Support.
• For further details on the specific data types within these categories, please consult section 4 "Categories of Personal Data Collected and Sources ".

5.1.2 Provision of the Digital Solution Functionalities:

We collect personal data to deliver the Digital Solution's services and functionalities. This includes data used to personalize your experience and enhance engagement, such as through challenges and gamification elements, as outlined in the user manuals and terms and conditions of the respective Digital Solution. For mySugr App, please note that some functionalities are only available to Pro users, such as mySugr Bolus Calculator and Blood Sugar Reminders as described in the user manuals.

The categories of personal data processed depend on the functionality and Digital Solution you are using, which may include: Account User Data, User Profile Data, Medical Master Data, Medical Data, Commercial and Financial Information, User's Content, Mandatory Usage Data for technical and security purposes, Data exchanged with Third Parties, such as Therapy Device Data.

• Some data is optional, and not providing it may impact the availability of certain Digital Solution features. For example, Medical Data is collected and processed in order to be able to deliver the service which is offered by the respective Digital Solution for basic and pro users. If you do not enter optional Medical Data the associated functionality of our products is limited accordingly.
• Furthermore, you have the option to enable GPS coordinates to determine your current location for logbook entries, if enabled in your device settings. In addition, you can manually enter or select a location.
• Please see the "Categories of Personal Data Collected and Sources" section for specific data types.

5.1.3 Security:

To safeguard your personal data and prevent any accidental or unlawful actions like destruction, loss, alteration, or unauthorized disclosure, we actively process certain personal data.

To ensure this security, we process the following categories of personal data: Account User Data, User's Content, Mandatory Usage Data for technical and security purposes, as well as Data exchanged with Third Parties. Please see the "Categories of Personal Data Collected and Sources" section for specific data types.

5.1.4 Customer Support and Responding to your Inquires:

We collect and process your personal data to provide you with effective support for the Digital Solutions and to answer your inquiries via phone, emails, webform, or other channels. This includes assisting you with the initial installation and setup, troubleshooting any technical issues you may encounter, providing ongoing service and updates, and performing necessary maintenance to ensure the smooth operation of the Digital Solutions.

For this purpose, we may need to process various categories of personal data. This may include, Account User Data, User Profile Data, Medical Master Data, Medical Data, Commercial and Financial Information, User's Content, Mandatory Usage Data, and Data exchanged with Third Parties, such as Therapy Device Data. Please see the "Categories of Personal Data Collected and Sources" section for specific data types.

5.1.5. Notifications:

To effectively support your diabetes management and safety, the Digital Solutions utilizes notifications to provide timely updates and alerts.

Depending on the specific Digital Solution, these notifications may include, Glucose Alarms to signal high or low glucose levels based on your customized target ranges, Critical Alerts for severe glucose excursions or sensor issues that override device silencing, Sensor Expiration Reminders to ensure timely sensor replacement, and Sensor Connection Loss alerts to inform you of any data transmission interruptions.

The personal data processed for these notifications, which require you to enable notifications in your device settings, includes Account User Data, User Profile Data, Mandatory Usage Data for technical, security and safety purposes, Medical Master Data, Medical Data, and Therapy Devices. While you can disable notifications in your device settings at any time, we strongly advise keeping them enabled for your diabetes management and safety. For detailed information on the specific data types within these categories, please refer to the "Categories of Personal Data Collected and Sources" section.

Legal Basis to fulfill the core services of the Digital Solutions

For the processing of your personal data, including your health data to fulfill the core service delivered by the Digital Solutions, we rely on your consent. You can revoke this consent at any time (by deleting the account or by contacting our Customer Service at the email address provided in Section 8, "Your Privacy Rights"). However, this will prevent you from using our Digital Solutions. The lawfulness of the processing before revocation remains unaffected.

5.2 Ordering a Product or Service

When you order products or services from us, we process your personal data to fulfill your order, manage the transaction, and deliver the products or services you have requested. This includes processing payments, arranging shipment or delivery, and providing necessary support related to your order. We may also use your contact information to communicate with you regarding your order status, delivery updates, or any issues that may arise. We will also process personal data, where you are eligible for reimbursement related to the use of Roche's medical devices.

Personal data collected for this purpose may include: Account User Data, User Profile Data, Commercial and Financial Information. For detailed information on the specific data types within these categories, please refer to the "Categories of Personal Data Collected and Sources.

Legal Basis: We process this information to perform our agreement with you. For health data, we require your explicit consent.

5.3 Statutory Purposes

5.3.1 For regulatory purposes (including product safety):

In our capacity as manufacturers and providers of the Digital Solutions, regulated medical devices, we must adhere to strict requirements for monitoring, improving functionality, quality, security, and effectiveness of the Digital Solutions. To ensure compliance with legal obligations, we collect and process personal data for purposes including, but not limited to, adverse event reporting, ensuring product safety and security, post market surveillance, managing product complaints, and fulfilling other regulatory requirements as mandated by applicable laws. This processing is necessary for us to meet our legal responsibilities and obligations as a manufacturer and provider of medical devices and digital health solutions.

Personal data collected: In order to ensure compliance with legal obligations and depending on the specific regulatory requirements, we may collect the following information: Account User Data, User Profile Data, Medical Master Data, Medical Data, Commercial and Financial Information, User Content Data, Mandatory Usage Data for safety purposes, Therapy Device Data.

Legal basis: We will process this information, including your health data, to the extent we have a legal obligation to do so, in compliance with legal obligation and reasons of public interest in the area of public health.

5.3.2 For other Statutory Purposes:

• As required for the establishment, exercise, or defense of legal claims. We may process your personal data as required to prepare or protect against legal claims; including litigation and anti-fraud measures.
• Where otherwise required by law, including to respond to any competent regulatory, data subject rights, law enforcement body, governmental authorities, judicial proceeding, court order, government request or legal process served on us, or to protect the safety, rights, or property of our customers, the public, Roche or others, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the safety of any person, violations of this Privacy Notice, or as evidence in litigation in which we are involved.

Personal data collected: In order to ensure compliance with legal obligations and depending on the specific regulatory requirements, we may collect the following information: Account User Data, User Profile Data, Medical Master Data, Medical Data, User Content Mandatory Usage Data, Commercial and Financial Information, Data exchanged with Third Parties including Therapy Device Data.

Legal basis: We will process this information, including your health data, to the extent we have a legal obligation to do so, in compliance with legal obligation and reasons of public interest in the area of public health.

5.4 Product improvement

With your (optional) explicit consent for product improvement, we will use your personal data to enhance and optimize the Digital Solutions and its services. We analyze, develop, test, refine, and conduct analytical studies of our products and their features to provide maximum benefit and introduce new innovations. This includes testing performance, enhancing existing features and algorithms for improved accuracy and usability, gathering user interaction insights through analytical data, and collecting feedback through surveys to further refine our offerings. All of this helps us understand how you use our products and how we can continue to make them valuable tools for your diabetes management. These improvements may be provided to you via frequent Digital Solution updates.

Personal data collected for this purpose includes: Account User Data, User Profile Data, Medical Master Data, Medical Data, User's Content, Mandatory Usage Data for technical, security and safety purposes, Optional Usage Data collected for Product Improvement, Commercial and Financial Information, and Therapy Device Data.
For detailed information on the specific data types within these categories, please refer to the "Categories of Personal Data Collected and Sources" section.

Legal Basis: We will only use your data for product improvement purposes if you provide your explicit consent. You can revoke this consent at any time in your account settings or by contacting our Customer Support Service at the email address provided in Section 8, "Your Privacy Rights"; this will not impact your use of our Digital Solutions.

5.5 Scientific Research and Statistics

We may process your personal data, including health related data, for scientific research purposes or statistical purposes. This may include analyzing anonymized or pseudonymized data to generate new medical claims for our certified medical device, or to understand and assess whether the usage of these Digital Solutions benefit people with diabetes. Our study data may be used to better understand the factors influencing diabetes and its management, helping to advance prevention, diagnosis, and treatment strategies. It may also involve developing and testing new technologies to investigate innovative approaches to diabetes care and other health areas and to address fundamental questions about how technology can best support individuals in managing their health. Such research may contribute to the development and provision of technologies and healthcare solutions, ultimately aiming to improve patient care. Furthermore, we use statistical analysis to examine overall trends and patterns in the use of our Digital Solutions and issue aggregated reports for internal use to understand how our Digital Solutions are used and perform (e.g. number of active users), but the data is aggregated and this processing activity does not involve making decisions about you personally or affecting your individual experience.

The data processed includes Account User Data, User Profile Data, Medical Master Data, Medical Data, Usage Data and Therapy Devices. Your data is pseudonymized and results of our analysis are aggregated to protect your privacy.

Legal basis: we process this data based on our legitimate interests to conduct research to advance science. We may process health data for scientific or statistical purposes. You can exercise your right to object to this specific processing by contacting our Customer Service at the email address provided in Section 8, "Your Privacy Rights"; this will not impact your use of our Digital Solutions.

5.6 Marketing of products, promotions and services:

With your (optional) explicit consent, we will process your personal data to send you newsletters, surveys, marketing emails, and other communications that may be tailored to your interests and preferences regarding the Digital Solutions, related products, and services.

We aim to provide you with relevant and personalized information to enhance your experience with our products and services. Personal data collected for this purpose depends on the type of the marketing activity, it may include: Account User Data, User Profile Data, Medical Master Data, Medical Data, Commercial and Financial information, User history, Mandatory Usage Data, Optional Usage Data for Marketing, User's Content, Data exchanged with third parties including, Therapy Devices. We collect and process this data to ensure that our marketing communications are relevant, personalized, and valuable to you. For detailed information on the specific data types within these categories, please refer to the "Categories of Personal Data Collected and Sources" section.

Legal Basis: We will collect and process this information for marketing purposes only upon your explicit consent. You can revoke marketing consent at any time in your account settings, or by contacting us at the email address provided in Section 8, "Your Privacy Rights"; this will not impact your use of our solutions.

5.7 Data Sharing Authorized by You

5.7.1 Data exchange with Third Party Health Apps, other digital solutions or third parties:

You can optionally activate synchronization between our Digital Solutions and third party health apps, such as Apple Health or Google Fit, or exchange data with other digital solutions or third parties. When you authorize a connection with a third party health app, digital solution or third party, we will share all relevant data collected by our Digital Solutions up to that point, as well as ongoing data while the connection remains active. Similarly, we may also receive data from these third-party apps or solutions, which will be used for the purposes described in this Privacy Notice. The data types exchanged depend on the specific solution and the information you choose to exchange, which may include blood glucose, carbohydrates, blood pressure, insulin delivery, steps, weight, and workout details.

Legal Basis: We share your data with third-parties solutions, only with your optional and explicit consent. You can view and manage your connected third-party solutions and revoke data sharing authorization at any time in the device settings, Digital Solution settings or your account settings. Please note that once the data is transferred to a third-party upon your consent, that data becomes subject to the third party's privacy policy and terms of service, and we are no longer responsible for its processing. Stopping the connection will prevent future data sharing, but it will not affect data that has already been shared with the third party solution. We recommend reviewing the privacy policies of any third party before authorizing the data sharing.

5.7.2 Sharing Data with Healthcare Providers:

You have the option to share your diabetes data with your healthcare providers to provide them with a comprehensive view of your diabetes management. This data can be shared through various methods, including generating a unique sharing code within the Digital Solution and sharing it with your healthcare provider, providing a downloaded report directly, via healthcare professionals invitations emails, or other secured means.

Legal Basis: We share your data with healthcare providers only with your (optional) explicit consent. You maintain control over whether you share your data and can revoke access at any time within your account's settings. Stopping the connection will prevent future data sharing, but it will not affect data that has already been shared with the healthcare provider. It is important to understand that when we provide services to your healthcare providers, we process your data under their instruction, and they are responsible for ensuring they have the legal basis to request and process your data.

6. RECIPIENTS OF YOUR PERSONAL DATA

We may share your Personal Data with other affiliated Roche companies to help us to fulfill the processing described in this privacy notice, including IT support, product maintenance, troubleshooting, product complaints, research and statistics. A list of Roche's affiliates is available at: https://www.roche.com/locations.

Roche engages external service providers who process personal data strictly on our behalf and in accordance with our instructions. All service providers are contractually bound to process personal data solely based on our documented instructions and are subject to strict confidentiality and security obligations. These service providers operate in the following sectors:

• IT infrastructure, support and cloud providers: including the operation, storage, hosting, access management, and maintenance of IT systems. Examples of such providers includes:
  • Amazon Web Services, Inc. (AWS): For hosting Digital Solutions accounts and related data in the cloud.
  • Firebase Crashlytics (Google): For collecting and providing crash reports and technical data.
  • Cloudflare, Inc.: For providing website security, performance, and other network services.
• Customer service providers, providing IT infrastructure to assist customer support activities and fulfilling business transactions. Some of these providers include, but are not limited to:
  • SFDC Ireland Limited: for customer support and marketing activities.
• Payment service providers, for handling payments and related financial operations;
• Marketing, surveys and other communications providers, for managing surveys, push notifications, users communications, and marketing campaigns. Some of these providers include, but are not limited to:
  • Braze, Inc.: For safety, product vigilance, product improvement, user communications, including in app safety communications and marketing campaigns.
  • Qualtrics, LLC: For managing surveys and collecting feedback.
• Data analytics providers, for analyzing usage patterns, for safety and product vigilance purposes and for improving our products and services.

We may also share your Personal Data with other third parties, for the following purposes:

• To facilitate a merger, consolidation, transfer of control or other corporate reorganization in which Roche participates, or pursuant to a financial arrangement undertaken by Roche;
• To respond to appropriate requests of legitimate government authorities, or where required by applicable laws, court orders, or government regulations; and
• To allow data sharing with the recipients you designate when you use the data sharing functionalities of our digital products as described in the section above;
• Where needed for corporate audits or to investigate or respond to a complaint or security threat.
• Manufacturers and suppliers, where required to handle orders for goods (e.g. delivery of a blood glucose meter and test strips).
• To insurance companies if you buy our products as part of your health insurance (statutory or private). If applicable, this enables billing based on the tariff of your insurance company.
• We may share de-identified, pseudonymized, aggregated, and/or anonymized information with affiliated Roche companies and with other third parties for the purposes relating to research and statistics as set out above.

7. INTERNATIONAL DATA TRANSFERS

We primarily select cooperation partners who are based in or whose servers are located in the European Union (EU) or European Economic Area (EEA). Our servers are primarily located in Frankfurt (Main), Germany. However, data for users located in the United States is stored on servers within the US. Roche has implemented appropriate security measures and controls to protect your personal data.

In exceptional circumstances, we appoint third-party suppliers who are located outside the EU or who have servers outside the EU. However, even in these cases your personal data is subject to a high protection level in line with applicable data protection laws, either through an EU adequacy decision, which considers data protection in certain third-party countries to be appropriate, or through Standard Contractual Clauses approved by the EU, which the contractual relationships with our affiliated Roche companies, Processors or Third Party Recipients are based on, or through comparable legal instruments permitted under the GDPR, or applicable data protection laws. In addition, we ensure that our partners have additional security standards in place and data protection provisions.

8. YOUR PRIVACY RIGHTS

In accordance with applicable data protection laws, you may have the following rights regarding your personal data:

• The right to request access to the Personal Data that Roche has about you;
• The right to rectify or correct any Personal Data that is inaccurate or incomplete;
• The right to request a copy of your Personal Data in electronic format so that you can transmit the data to third parties, or to request that Roche directly transfer your Personal Data to one more third parties;
• The right to object to the processing of your Personal Data for marketing and other purposes;
• The right to erasure of your Personal Data when it is no longer needed for the purposes for which you provided it, as well as the right to restriction of processing of your Personal Data to certain limited purposes where erasure is not possible.

Generally, erasure, objection or restriction of processing of your Personal Data can be pursued when the processing is based on your consent or our legitimate interests. If data processing is based on consent, note that you have the right to withdraw your consent at any time, but that the withdrawal of your consent does not affect the lawfulness of processing based on consent before its withdrawal.

You can exercise many of your data subject rights, such as data correction and updates, data deletion, access and withdrawal of consent:

• directly within the Digital Solution (including data export);
• within your account settings;
• as well as via our Customer Support at [email protected], as described in the respective user manuals and other information found in our Solutions;
• Alternatively, you can also contact Roche's privacy office via [email protected]

If you are not satisfied with the way Roche handles your data or responds to your requests, without prejudice to any other administrative or judicial remedy, you have the right to file a complaint with a supervisory authority in the country of your habitual residence, your place of work or the place of the alleged infringement.

9. STORAGE PERIOD

We store your personal data for the time necessary to provide you the services, or until you delete your account or for two years from the last time logged into the Digital Solution. The personal data subject to regulatory requirements may be retained for a longer period of time approximately ten years to comply with the legal obligations as described in this Privacy Notice.

10. CHANGES TO THIS PRIVACY NOTICE

From time to time, we may revise this Privacy Notice. Any such changes to this Privacy Notice will be reflected on this page. Roche recommends that you review this Privacy Notice regularly for any changes. The date on which this notice was last revised is located at the top of this notice. In the event of a substantial change to this Privacy Notice, we will inform you by email, through the Digital Solutions, or by other reasonable means.

11. COUNTRY SPECIFIC PROVISIONS

To address local legal requirements and provide transparency regarding country specific data privacy provisions, please refer to the following link. This document outlines specific information and rights applicable to residents of certain jurisdictions. Please review this document to understand the specific privacy rights that apply to you and our responsibilities in your country.