Lungpacer Medical

PRIVACY STATEMENT effective 2020 DEC 07

Information on the Processing of Personal Data by Lungpacer Medical Inc.

Lungpacer Medical Inc. (“Lungpacer” or “we”) processes your personal data only to the extent permissible under statutory provisions, in particular, the EU General Data Protection Regulation (“GDPR”) and country-specific data protection regulations. The purpose of this notice is to inform you about the nature, scope and purposes of your personal data collected and processed by Lungpacer. This information is intended for any natural person (in particular, patients, health professionals, representatives or contact persons of vendors, other (potential) business partners or (potential) customers) with whom we have (or will have) a contract or business relationship or any other communication relationship.

I.          Responsibilities and contact details

The data controller, i.e. the company responsible for processing your personal data is:

Lungpacer Medical Inc., Canada 601 W. Cordova Street, Suite 130 Vancouver, BC V6B 1G1 Canada

Our data protection officer is available by email at: compliance@lungpacer.com

Telephone: +1-484-350-4530

Our EU data protection representative according to Art. 27 GDPR is:

GDPR-Rep.eu, Maetzler Rechtsanwalts GmbH & Co KG, Vienna, Austria, web page available at: https://gdpr-rep.eu/q/13797583.

II.         Processing of your personal data

1.         Data processing on our Website

a.         General information

During your visit to our patient information website, rescue3study.com, we will collect data about your computer and your visits including the IP address of the computer you are using, your geographical location, the type of web browser and operating system being used, the domain name of the internet service provider, the web page you are coming from, the rescue3study.com web pages visited and the date and duration of the visit. The data will also be stored in log files in our system.

We require this information for technical purposes to guarantee the stability and safety of our website. In this context, the data is analyzed only for statistical purposes and in an anonymized form. Alternatively, the data may be analyzed for statistical purposes in a pseudonymised form. In this latter case, we will ask for your consent to do so. Under the GDPR, the legal basis for this data processing is Art. 6 (1) lit. a GDPR. Furthermore, with your consent, we localize your geographical location in order to display the respective website adapted to your country.

b.         Use of cookies

On our website, we use cookies, i.e., small text files that are stored on your computer. These cookies enable analysis of your use of the website and are used for marketing purposes. Cookies do not cause any damage to your computer, handheld or mobile device, but make it easier, for example, to find preferences, pre-fill certain fields and adapt the content of the services on the site visited. Such data allows the improvement of ergonomics and services according to your interests.

When you visit our website, we will ask for your consent to use cookies other than cookies required for the basic functioning of the website. You may refuse the use of cookies by selecting the appropriate settings. Please note that if you do this, you may not be able to use the full functionality of our website. Under the GDPR, the legal basis for this data processing is Art. 6 (1) lit. a GDPR (your consent) or (with regard to essential cookies required to operate the website) Art. 6 (1) lit. f GDPR (our legitimate interest).

Where we base data processing on our legitimate interest, we have carefully weighed our business interests with the interests and fundamental rights and freedoms of affected data subjects, and we have come to the conclusion that they do not override our legitimate interest. The data collected will be analyzed only in a pseudonymised form.

We will only keep cookies for as long as necessary to achieve the relevant purposes set out in this Data Processing Notification, notably for marketing and statistical purposes.

Generally-speaking, we use 1st and 3rd-party session and persistent cookies. The cookies set by us are called “1st-party cookies” and the cookies set by our third-party partners and service providers are called “3rd-party cookies”. Session cookies are temporary cookies that remain on your device until you close your web browser. Many session cookies are essential to make our website work correctly, as they typically enable you to move around and use specific features of our website.

Persistent cookies remain on your device after you close your browser or until you manually delete them (for the former, how long the cookie remains on your device will depend on the duration or “lifetime” of the specific cookie and your browser settings).

Persistent cookies help us recognize you as an existing user of our website, so it’s easier and more convenient to return to our website or interact with our services without signing in again. In addition, persistent cookies also help us recognize you when you view a resource belonging to our website from another website or app (such as an advertisement) and help us record information about your web browsing habits during the lifetime of the persistent cookie.

Examples of cookies we may use:

–     Essential Cookies: These cookies are strictly necessary for our website to function properly and ensure our services are accessible to you (e.g., log-in functionality, load balancing, navigation, filling in forms). The website cannot function properly without these cookies.

–     Preference Cookies: Preference cookies enable our website to provide enhanced features or settings based on your previous visits and selections, such as language preferences, remembering log-in details.

–     Statistic Cookies: Statistic cookies enable us to understand how visitors interact with our website by collecting and reporting information anonymously.

–     Marketing Cookies: Marketing cookies are used to track visitors across our website. The intention is to display advertisements that are relevant and engaging for the individual user and thereby more valuable for publishers and third-party advertisers.

If you have any concerns about our use of cookies, you can take action to prevent them from being set, such as by changing your browser settings to block certain types of cookies. You may also delete cookies held on your device at any time by going to the appropriate settings within your web browser.

You have the option to configure your devices to accept all cookies, to notify you when a cookie is issued or to never accept cookies. However, the latter option may result in some personalized services not being provided and, as a result, you may not be able to take full advantage of all the features offered by our website. If you do not wish to receive cookies in general or only to refuse certain cookies, you can change your browser settings accordingly.

Instructions to this effect are provided for example here:

–     For Internet Explorer: https://support.microsoft.com/en-us/help/17442/windows-internet-explorer-delete-manage-cookies

–     For Firefox: https://support.mozilla.org/en-US/kb/enable-and-disable-cookies-website-preferences

–     For Safari: https://support.apple.com/en-gb/HT201265

–     For Chrome: https://support.google.com/chrome/answer/95647?hl=en-GB&hlrm=en

You can also visit the below link for an overview of how to block or delete cookies on the most common browsers: http://www.allaboutcookies.org

For any further queries or information related to cookies, please write to privacy@lungpacer.com with the subject line “Cookie Policy.”

2.         Other data processing activities by Lungpacer

We may collect and use your personal data for the following purposes:

–     internal administrative purposes (e.g., for accounting purposes) (applicable legal basis under the GDPR: legal obligations (Art. 6 (1) lit. c GDPR));

–     ensure IT security and IT operations at our enterprise (applicable legal basis under the GDPR: legitimate interest (Art. 6 (1) lit. f GDPR));

–     prevent criminal offences and conduct compliance investigations in individual cases (applicable legal basis under the GDPR: legitimate interest (Art. 6 (1) lit. f GDPR));

–     engage service providers (e.g., external IT service providers) who support our business processes (applicable legal basis under the GDPR: legitimate interest (Art. 6 (1) lit. f GDPR) or (in connection with contract management) performance of a contract (Art. 6 (1) lit. b GDPR));

–     business communication purposes, such as vendor management and advertising (applicable legal basis under the GDPR: legitimate interest (Art. 6 (1) lit. f GDPR)); and,

–     for any other purpose we may disclose to you from time to time (applicable legal basis under the GDPR as communicated).

Where we base data processing on our legitimate interest, we have carefully weighed our business interests with the interests and fundamental rights and freedoms of affected data subjects, and we have come to the conclusion that they do not override our legitimate interest.

If you choose not to provide us with your personal data, we are unable to perform the contractual relationship initiated with you and/or cannot fulfill the above described communication purposes.

III.        Disclosure of your personal data

Your personal data may be stored in our website server, email/electronic file servers, or Customer Relationship Management (CRM) system and may be transmitted to and processed by specialized third party service providers inside and outside the European Union (EU) / European Economic Area (EEA) to the extent required for the purposes outlined above. The service providers perform specific services for us such as, e.g., data storage, IT services, and email services.

The service providers will process data only on our behalf and only on the basis of our strict instructions laid down in the respective data processing agreement. Every third-party service provider has been chosen carefully and will be monitored regularly by Lungpacer.

Where data is processed on our behalf in countries outside the EU/EEA, such countries may not have data protection laws and regulations comparable to the ones applicable in the EU. To the extent that no statutory level of security comparable to the European data protection laws exists in such countries, we will adopt appropriate measures to ensure that your personal data will be adequately protected in these countries. In particular, we may choose service providers which are certified under Standard Contractual Clauses published by the European Commission. You may contact our data protection officer for further information, and, in particular, request access to the contracts concluded.

IV.       Confidentiality and deletion of your personal data

1.         Confidentiality and security

Each of our employees as well as all staff members of third-party service providers who have access to personal data are obliged to treat your data as confidential. We take steps designed to ensure that only those employees or staff members who need access to your personal data to fulfil their employment duties will have access to it.

We have implemented physical, organizational, contractual and technological security measures to protect your personal data and other data from loss or theft, unauthorized access, disclosure, copying, use, or disclosure and modification. While we maintain a multitude of security measures to prevent unauthorized access to or disclosure of your personal data, no security measures are absolute or wholly guaranteed. If you have reason to believe that your interaction with us is no longer secure (for example, if you believe that the security of the data you have provided to us has been compromised), please contact us immediately using the contact details in the section “Contact us” below. We will make reasonable attempts to notify you if we determine there were unauthorized acts by third parties that violate the law or this policy, or other security breaches, or where otherwise required by law.

2.         Deletion of personal data collected in log files on our website

We delete log files collected during your visit of our website after a period of 8 weeks, unless it is necessary to store the data for a longer period of time for the purposes indicated above. In this case, we delete your personal data once it is no longer required for the purposes indicated above, and statutory retention periods (if applicable) have expired. Session cookies are usually deleted once your internet session is closed.

3.         Deletion of personal data collected in connection with other data processing activities

We will delete your personal data after termination of our contract with you, or our contact relationship with you, if the storage is no longer necessary for the fulfilment of our (post-) contractual obligations or the legitimate interests cited in this data protection notice, and if there are no statutory retention obligations. In case statutory retention obligations apply, we will restrict the processing of your data for the duration of such retention obligations.

V.         Your Rights

Subject to the statutory requirements, the fulfilment of which must be assessed on a case-by-case basis, you have the right to access to your personal data, to require rectification and correction, and under GDPR, besides the rights of access and rectification/correction, you have the right to require the deletion of your personal data or the restriction of the processing, and to receive your personal data in a structured, commonly used and machine-readable format (data portability).

Under the statutory requirement, the fulfilment of which must be assessed on a case-by-case basis, you also have the right to object to the processing of your personal data. Furthermore, you are entitled to lodge a complaint with a supervisory authority regarding the processing of your personal data.

If you wish to exercise your rights, or if you have any questions or concerns about your personal data or our privacy practices, please direct your request to compliance@lungpacer.com.

VI.       Amendments to this data protection notification

We reserve the right to amend this data protection notification as we continue to develop and update our website and our work process, or as a result of changed statutory or regulatory provisions or the development of our business. You can access the current version of this data protection information at any time on our website at www.lungpacer.com.

VII.      Contact us

If you have any questions or concerns about your personal data, our privacy practices, or this notice, you can always contact our data protection officer at compliance@lungpacer.com.