SmartLinkO2® Privacy Policy

Effective Date: 03/04/2022

Last Modified: 06/13/2023

DeVilbiss Healthcare LLC ("DeVilbiss Healthcare," "our," "we," or "us") respects your privacy and is committed to protecting your personal information. The term "personal information" means any information relating to an identified or identifiable individual. This privacy policy applies to the SmartlinkO2® website and our related mobile application (collectively, the "Services") and describes the types of information we collect and our practices for collecting, using, and disclosing it. This privacy policy does not apply to information collected offline or by any third party, including any application or content that may link to or be accessible from the Services. The terms of use for the Services can be viewed at Terms of Use. Visitors, users, and others who reside in the State of California, may refer to the Privacy Policy for California Residents for supplemental information to that below.

• Tenancy / organization name, username or email address, and password when a non-patient user logs into the SmartLinkO2® website or email address and password when a patient user logs into the mobile application
• De-identified therapy data from a patient's medical device that is uploaded to the SmartLinkO2®, which is then matched with other information, such as patient name, patient ID, and patient contact information
• Information uploaded to the Services, including patient name, patient ID, patient contact information (email, phone number, address), birthdate, patient height / weight, clinical notes and other documents, prescriptions, instructions, and photos
• Responses to surveys

We collect this information:

• Directly from you when you provide it to us
• From a patient's medical device
• From third parties involved in the care of the patient, such as a doctor or respiratory therapist

When using the Services, DeVilbiss Healthcare and third parties do not collect information about your online activities over time and across third-party websites or other online services, and the Services do not respond to "Do Not Track" signals.

When you use the Services, we ensure that we can properly identify you as a user by allowing the Identity Provider, Keycloak, to place cookies on our website to remember you as a user of the Services. This happens each time you return to the Services. This process of identifying you as a user of the Services is to ensure that our Services are secure and that the information that you provide to us is safe.

Where we need to collect personal information by law or under the terms of a contract we have with you and you fail to provide that information when requested, we may not be able to perform the contract we have or are trying to enter into with you. In this case, we may have to cancel the Services, but we will notify you before doing so.

We may use your information, including personal information:

• To provide you with the Services
• To administer your profile
• To send you notifications, with your agreement by email, SMS, or mobile push notices, providing you with account-related reminders or updates, or letting you know that you have a message on the SmartLinkO2® Platform

• To authenticate and otherwise maintain security of the Services
• To improve the Services and for product development
• To carry out our obligations and enforce our rights arising from any contracts entered into between you and us
• In any other way we may describe when you provide the information
• For any other purpose with your consent

We may use aggregated information and de-identified information without restriction.

We rely on the following lawful bases to process your personal information for these non-exhaustive purposes:

We may obtain your consent to process your personal information in certain circumstances, which may include when you elect to receive information from us, or you contact us to register an interest in our Services or company. We may also rely upon our legitimate interest in developing our business as a basis for sending you marketing information and nformation about our Services (see below).

We rely on this lawful processing ground when we process your personal information to perform a contract which we have with you, or when we take steps in anticipation of entering into a contract with you, for example in connection with the provision of our Services to you and the management of our relationships with third parties.

We rely on this lawful processing ground when we process your personal information to meet legal and regulatory obligations which apply to us.

We rely on this lawful processing ground when we process your personal information to provide our Services, to respond to specific requests, to manage our business operations, to manage our relationships with you and with third parties in connection with our business, and when we provide you with marketing information or other information in relation to our Services which we believe may interest you.

If you wish to have more information regarding the legitimate interests we rely on, please contact us at SmartLinkO2@drivemedical.com

We may disclose information, including personal information:

• To our affiliates and service providers
• To third parties involved in the care of the patient, such as a doctor, respiratory therapist, or insurance company, subject to their duty of confidentiality
• To a buyer or other successor in the event of a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets
• To comply with any court order, law, or legal process, including to respond to any government or regulatory request
• If we believe disclosure is necessary or appropriate to protect the rights, property, or safety of DeVilbiss Healthcare, our customers, or others
• For any other purpose disclosed by us when you provide the information
• With your consent

We may disclose aggregated information and de-identified information without restriction.

If you live in the EEA or the UK, you may have the right to the following:

• The right to request access to your personal information, which includes the right to obtain confirmation from us as to whether or not personal information concerning you is being processed, and where that is the case, access to the personal information and information related to how it is processed
• The right to object to or restrict our processing of your personal information, which includes preventing us from continuing to process your personal information in whole or in part (for example, when you only want personal information processed for certain purposes)
• The right to data portability, which includes certain rights to have your personal information transmitted from us to another controller
• The right to rectification of your personal information, which includes the right to have incomplete personal information completed or inaccurate personal information corrected, and the right to have your personal information deleted
• Where processing of your personal information is based on consent, the right to withdraw your consent at any time without affecting the lawfulness of the processing of personal information that occurred before you withdraw consent

To make such aany requests related to the above rights, please email us at SmartLinkO2@drivemedical.com.

Our servers are either located in the United States or, if located in other countries, may be accessed from the United States. Please note that in countries outside your own country, and in particular outside the EU,EEA and UK, a different standard on data protection might apply than you are used to in your own country.

Sensitive Personal Data (also known as "Special Categories of Personal Data") is information related to your race or ethnic origin, political opinions, religion or other beliefs, health, genetic or biometric data, sex life or sexual orientation, criminal background, or trade union membership. DeVilbiss Healthcare only processes Sensitive Personal Data:

• With your explicit consent
• To protect your vital interests or those of another person
• Where the processing is necessary for purposes of preventive or occupational medicine, the provision of health or social care or treatment, or the management of health or social care systems and services on the basis of relevant country law or pursuant to contract with a health professional
• For the establishment, exercise, or defense of legal claims
• To the extent permitted or required by applicable law

You are not generally required to provide us with any Sensitive Personal Data when using our Services. If your Sensitive Personal Data is required, we will inform you at the time of collection and let you know whether your decision would prevent you from using our Services or the requested product or service.

DeVilbiss Healthcare may also transfer personal information from the European Union and the UK to countries for which adequacy decisions have been issued, or may use contractual protections for the transfer of personal information to third parties, such as an inter-company agreement which complies with the European Commission's Standard Contractual Clauses or their equivalent under applicable law, or rely on the third parties' certification to the EU-U.S. or Swiss-U.S. Privacy Shield Frameworks where applicable. In all cases we will ensure that when we share personal information, we will do so in compliance with European and UK privacy laws. You may contact us at SmartLinkO2@drivemedical.com to obtain a copy of the safeguards we use to transfer personal information outside of the EEA and the UK.

When determining the appropriate retention period for personal information, we take into account various criteria, such as the amount, nature and sensitivity of the personal information, potential risk of harm from unauthorized use or disclosure, purposes for which we process your personal information, whether we can achieve those purposes through other means, and our business operations and legal requirements.

We have implemented measures designed to secure your personal information from unauthorized access, use, alteration, and disclosure. These include a variety of technologies and procedures to help protect the security of your personal information from unauthorized access, use, or disclosure. We also maintain standard physical and electronic procedural safeguards that limit access to your personal information to our employees (or people working on our behalf and under confidentiality agreements) who, through the course of standard business activities, need to access your personal information. Our network is audited to ISO 27001, ISO 27017, ISO 27018, ISO 20000-1, ISO 22301, and ISO 9001, and our development process is audited to ISO 13485 and MEDSAP.

You can review and change your personal information by logging into the Services and visiting your account profile page. You may also send us an email at SmartLinkO2@drivemedical.com. to request access to, correct, or delete any personal information that you have provided to us. We cannot delete your personal information except by also deleting your user account. We may not accommodate a request to change information if we believe the change would violate any law or legal requirement or cause the information to be incorrect. Residents in certain states, such as California, may have additional personal information rights and choices. Please see Your State Privacy Rights for more information.

State consumer privacy laws may provide their residents with additional rights regarding our use of their personal information. To learn more about California residents' privacy rights, visit [LINK TO PRIVACY NOTICE FOR CALIFORNIA RESIDENTS ]. Colorado, Connecticut, Virginia, and Utah each provide their state residents with rights to:

• Confirm whether we process their personal information.
• Access and delete certain personal information.
• Data portability.
• Opt-out of personal data processing for targeted advertising and sales.

Colorado, Connecticut, and Virginia also provide their state residents with rights to:

• Correct inaccuracies in their personal information, taking into account the information's nature.
• Opt-out of profiling in furtherance of decisions that produce legal or similarly significant effects.

To exercise any of these rights please send us an email at SmartLinkO2@drivemedical.com. To appeal a decision regarding a consumer rights request please send us an email at SmartLinkO2@drivemedical.com.

We may periodically update this privacy policy to reflect changes in our privacy practices and will post the new effective date at the top of this webpage. If we make a material change to our privacy practices, we will post a notice on the Services and additionally seek your affirmative consent if a material change will apply to information DeVilbiss Healthcare has already collected.

Please submit questions, concerns, or requests to exercise your applicable rights to DeVilbiss Healthcare by email to SmartLinkO2@drivemedical.com.

If you live in the EEA or the UK, DeVilbiss Healthcare LLC is the entity responsible for the processing of your personal information. Please submit questions, concerns, or requests to exercise your applicable rights by email to SmartLinkO2@drivemedical.com or write to:

Drive DeVilbiss Healthcare
100 DeVilbiss Drive
Somerset, PA 15501

You may also make a complaint to your local data protection authority.