Accu-Chek SmartGuide Predict App Privacy Notice

Effective Date: April 10, 2025

1. CONTROLLER IDENTITY, DATA PROTECTION OFFICER, CONTACT

The Accu-Chek SmartGuide Predict App (“App”) is operated by Roche Diabetes Care GmbH (“Roche”, “we”, “our”, or “us”), which controls the processing of personal data. In case of any questions or suggestions, you can contact us at:

Roche Diabetes Care GmbH
Sandhofer Strasse 116
68305 Mannheim, Germany
Tel: +49 (0) 621 / 759- 0

e-Mail: [email protected]
Registered Office: Mannheim
Register court: AG Mannheim HRB 720251
Regulatory Authority: Regional Council Karlsruhe VAT Reg. (ID): DE 297138554

Alternatively, you may contact our data protection officer at [email protected].

2. HOW WE USE YOUR PERSONAL DATA

Protecting your privacy is very important to us and we understand that information about your health is sensitive. We are committed to processing your personal data in compliance with applicable laws.

This Privacy Notice explains how we use any personal data we collect about you:

2.1 USE OF THE APP, PRODUCT IMPROVEMENT, CUSTOMER SUPPORT

We process the following personal data when you use the App to provide you the App services as described in our General Terms & Conditions and within the App:

First name, Last name, Email address, Language, Country, Time zone and offset,Timeblock ranges, User mobile device IP Address, Blood glucose (BG) units and carbohydrate units, BG Upper/Lower target, Therapy data (Diabetes type) , Consent, FHIR ID, BG calibration, Glucose in capillary blood by Glucometer, CGM Glucose Concentration, CGM rate of change (Trend Information), CGM Quality, CGM session, Time Offset, Time Stamp, Flags, Carbohydrate intake measured (Meal Data), Notes, Diabetes type, Basal, Bolus, BG upper target, BG lower target, Hyper limit, Hypo limit, Urgent Hypo Limit, Hypo Alert, Hyper Alert, Lower hypo alarm, Device Manufacturer, Device model, Device model number, BG Unit (Display), Carbohydrate Unit (Display), Notification settings.

We further use the data you provide while using the App for troubleshooting purposes and to fix technical issues as well as user handling issues with the App. We may contact you regarding important product or performance issues, or respond to your questions or to your request for support, troubleshooting, or any performance issues.

The legal basis for this data processing is your consent.

If you provide additional consent, we also process the data listed above to improve our products and services. This consent is optional and not required to use the App services.

2.2. COMMUNICATE WITH US BY TELEPHONE, E-MAIL, OR WEB FORMS

If you communicate with us by telephone, e-mail, web forms, or similar means of communication, we will process your contact details and the personal data you give to us. We will process such data only to the extent required to answer your inquiry and will delete the data when no longer required as evidence (normally three years).

2.3. FOR STATUTORY PURPOSES

Roche must use personal data where legally required and where possible we will de-identify, pseudonymize, aggregate, and/or anonymize information to comply with our legal obligations as a medical device manufacturer. This data is securely held by Roche and will not be used to identify you individually by your name, mobile phone number or email address, except where we are under a legal obligation to include this data. The legal requirements for which Roche will use this data are:

a) As required for the establishment, exercise, or defense of legal claims. We may process your personal data as required to prepare or protect against legal claims; including litigation, anti-fraud measures, and technical and organizational measures to protect our networks and technology against attacks. The legal basis for this data processing is Art 9 (2) f EU General Data Protection Regulation (“GDPR”).

b) For research. We may process your personal data for scientific research purposes or statistical purposes in accordance with applicable law, provided it is proportionate to the aim pursued, respects the essence of the right to data protection, and provides for suitable and specific measures to safeguard your fundamental rights and interests. As a rule, we will still ask for your consent when we would like you to participate e.g. in a study. The legal basis for this data processing is Art 9 (2) j GDPR in combination with applicable EU or EU member state law.

c) For regulatory purposes. As manufacturer, respectively distributor of the App, which qualifies as a medical device, we are subject to increased requirements for monitoring and improving the functionality, the quality, security, and the effectiveness of the App. These regulatory monitoring and related reporting requirements may also result in the processing of personal data. The legal basis for this data processing is Art 9 (2) i GDPR.

d) Where otherwise required by law, including to respond to any competent regulatory, law enforcement body, governmental authorities, to address national security or epidemics, judicial proceeding, court order, government request or legal process served on us, or to protect the safety, rights, or property of our customers, the public, Roche or others, and to exercise, establish or defend Roche’s legal rights or where we believe it is necessary to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the safety of any person, violations of this Privacy Notice, or as evidence in litigation in which we are involved. The legal basis for this data processing is Art 9 (2) i GDPR.

3. SECURITY

Roche takes appropriate technical and organizational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. Besides, for the purposes of data security and minimization, Roche uses processes for the encryption and pseudonymization of personal data.

4. WHO RECEIVES YOUR PERSONAL DATA?

4.1 Roche shares your personal data with your consent and further as necessary in relation to the above purposes, as required by applicable laws, court orders, or government regulations. Our App is subject to complex processes that we have to manage and keep up-to-date. For technical support, we therefore use affiliated companies of the Roche Group and third-party suppliers (“Processors”) in order to offer you a comprehensive and optimal use of our products. Roche uses Processors e.g. for IT systems operation, access management, and maintenance or to fulfill business transactions, such as providing customer services or sending communications.

4.2 Our Processors are bound by the data processing agreements signed with us as well as by the GDPR and only process data according to our instructions. We transfer personal data to Processors exclusively within the framework of this privacy notice and only to fulfill the purposes stated in it. Processors work according to our specifications and instructions; they are not permitted to use the personal data of our users for their own or other purposes. We use Processors offering sufficient guarantees that suitable technical and organizational measures are undertaken in a way that the processing of personal data complies with the statutory requirements and our privacy notice. The transfer of data to our Processors and service providers is protected by guarantees such as adequacy decisions, certifications or EU standard contractual clauses. A copy of such guarantees or information on these can be requested from [email protected]. The protection of the rights of our users is ensured by concluding binding contracts that meet the strict requirements of GDPR. Our Processors may only appoint other processors (subcontractors) which comply with the same data protection obligations and all of the appropriate security measures that we impose on our Processors.

4.3 Roche will not sell or otherwise transfer your personal data to any third parties for their own use unless with your explicit consent.

4.4 Please note that if you exercise any option to directly share certain data with a third party from within our App, e.g. with your healthcare professional, you are solely responsible for such data transfers.

5. TRANSFERS TO OTHER COUNTRIES

5.1 We primarily select cooperation partners who are based in or whose servers are located in the European Union (EU) or European Economic Area (EEA). Data transmission within the EU and EEA is unobjectionable because the GDPR applies in all EU and EEA member states.

5.2 In exceptional circumstances, we appoint third-party suppliers who are located in or who have servers outside the EU. However, even in these cases your personal data is subject to a high protection level in line with the GDPR – either through an EU adequacy decision, which considers data protection in certain third-party countries to be appropriate (e.g. Switzerland, Israel, and New Zealand), or through certain standard contractual clauses approved by the EU, which the contractual relationships with our Processors are based on, or through comparable legal instruments permitted under the GDPR. In any case, all Processors are subject to the obligations in this privacy notice. In addition, we ensure that our partners have additional security standards in place, such as individual security measures and data protection provisions.

6. STORAGE AND DELETION

6.1 Roche uses Amazon Web Services, Inc. (AWS) to host your App accounts and all data related to the App service in the cloud. The servers that host App accounts and all data related to the App service are located in Frankfurt (Main), Germany. Roche has implemented appropriate security measures and controls to protect your personal data.

6.2 As a rule, we only store your personal data for the duration of you having an account. In exceptional cases, longer storage may be required in order to fulfill post-contractual obligations or to comply with statutory storage obligations or disclosure duties, or to assert, exercise, or defend legal claims (limitation periods).

7. YOUR RIGHTS AND HOW TO EXERCISE THEM

7.1 You may, in accordance with applicable data protection law,

7.2 You can exercise your rights by visiting your account and adjusting your privacy preferences, managing your consent, and downloading and uploading corrected data.

7.3 If you are not satisfied with the way Roche handles your data or responds to your requests, without prejudice to any other administrative or judicial remedy you have the right to file a complaint with a supervisory authority in the country of your habitual residence, your place of work or the place of the alleged infringement.

8. PRIVACY OF CHILDREN

Our App is intended to be used by people of at least 18 years of age. We do not deliberately collect any personal data from anyone we know to be a child without the prior, verifiable consent of his or her legal representative.

9. CHANGES TO THIS PRIVACY NOTICE

9.1 If we make material changes to our Privacy Notice, an updated version of this Privacy Notice will reflect those changes. You will be notified if there is a new version of this Privacy Notice and - if necessary - will be prompted to read and accept it so that you can continue to access and use the App.

9.2 Without prejudice to your rights under applicable law, we reserve the right to update and amend this Privacy Notice without prior notice to reflect technological advancements, legal and regulatory changes, and good business to the extent that it does not change materially your rights as set out in this Privacy Notice.

9.3 If you do not agree to the changes to this Privacy Notice, you should stop using the App and revoke your consent.

Thank you for your confidence!

Please print or store a copy of this Agreement for your records.