FLOODLIGHT™ MS MOBILE APP GLOBAL PRIVACY NOTICE

last revised on October 1, 2023


FLOODLIGHT™ MS MOBILE APP PRIVACY NOTICE FOR CLINICAL TRIAL PARTICIPANTS

If you are participating in a clinical trial or study that requires you to use this App, you will also be required to sign an informed consent form, which will be provided to you by your healthcare provider or the clinical trial administrator. In the event of a conflict between the terms of this Notice and the informed consent form, the terms of the informed consent form will supersede the provisions of this Notice. We would still like to invite you to study this Notice carefully as it provides you with general details on the protection of Personal Data relating to you. Please note that either your clinical trial / study site or the respective sponsor may serve as the data controller, and not the healthcare service provider (HCP) as stated in the Notice.

FLOODLIGHT™ MS MOBILE APP PRIVACY NOTICE FOR PATIENT USE

Effective Date. This Privacy Notice (“Notice”) is effective as of October 1, 2023.

Roche, including our Affiliates, is committed to protecting your Personal Information. This Notice and the Floodlight MS Mobile App Terms and Conditions of Use (together – the “Terms”) outline the types of Personal Information Roche may collect; the means by which Roche may collect, use, or share your Personal Information; steps Roche takes to protect your Personal Information; and choices you are provided with respect to the use of your Personal Information. Please be aware that Roche will primarily act as a Data Processor to your healthcare service provider (hereafter HCP), but also as a Data Controller for certain Processing activities; for details around this concept, please have a look at the definitions section below. To the extent that this Notice provides you with information on Roche’s activities as a Data Processor, this document complements the information provided by your HCP. In case of a conflict between information provided by your HCP as a Controller and this Notice, the information provided by your HCP shall supersede the information provided in this notice.

Please read this Notice carefully. We respect your privacy and we want you to understand how your HCP and we as Roche manage the information you provide to us and the measures we take to protect it.

Roche is the provider of the Floodlight MS Mobile App, or in more legalistic terms, it serves as the so-called “Legal Manufacturer” of the App and the underlying Floodlight MS application. We need to know certain Personal Information about you in order to facilitate your use of the Floodlight MS Mobile App, as prescribed by the Roche Customer to you, and to perform the services requested by you and your HCP in our App. Please note: You may decide not to provide your personal information at all by electing not to register to use the App or enter your personal information into any forms or data fields on the App. If you choose not to provide your personal information, or provide incomplete or misleading information, Roche may not be able to provide you with information and/or access to the App.

By registering to use the Floodlight MS Mobile App (“Floodlight” or the “App”), you acknowledge that you have read, understood and agree to the App’s Notice, and that you are aware that the collection, use, processing and disclosure of your Personal Information as outlined below is required for you to use Floodlight MS and in compliance with the Terms and applicable laws and privacy regulations.

Depending on your country of residence, you may have additional privacy rights under your local law. This is particularly the case if you are residing in Australia, Brazil, Canada, a Member Country of the EU/EEA, or the United States of America. Those rights, as well as the appropriate channels for contacting Roche with questions, requests, and inquiries in scope of such applicable privacy laws, are outlined for you below. To the extent your HCP is controlling the data relating to you, we invite you to review your privacy rights with your HCP.

Specifically, if you are a User in Brazil, you may have additional privacy rights under the Brazilian General Data Protection Law (LGPD) - Law n. 13.709/18. You may exercise these rights either against your HCP or Roche, depending on which of the two serves as the data controller in the specific processing activities.

If you are a User in the European Union or a Member State of the European Economic Area, you will have the rights as a data subject as stipulated by the EU General Data Protection Regulation EU 2016/679 (“EU GDPR”) and any applicable ePrivacy framework.

If you are a resident of Australia, you may have additional rights over your Personal Information as set out in Privacy Act 1988 (Cth) and Australian Privacy Principles.

If you are a User in the United States of America, please review Roche’s US Supplemental Privacy Notice to understand what rights you may have under applicable US privacy laws.

If you are participating in a clinical trial or study that requires you to use this App, you will also be required to sign an informed consent form, which will be provided to you by your healthcare provider or the clinical trial administrator. In the event of a conflict between the terms of this Notice and the informed consent form, the terms of the clinical trial informed consent form will supersede the provisions of this Notice. In other words, this Notice is for your information. Your primary, legally binding consent is declared via the trial / study informed consent material. You will still have to agree to the terms of this Notice in order to facilitate the use of the App.

This Notice only applies to your use of this App. This Notice does not apply to any third party apps or websites linked to or accessible from the App. Roche is not responsible for the privacy practices, the content or any Processing activities of any third parties, sites or apps.

Definitions

“User” or “you” means you, the individual, who has been prescribed the use of the App by the Roche Customer or is otherwise using the App.

“Personal Information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household, including, but not limited to, your name, address, e-mail address, telephone number and/or certain categories of sensitive personal information (such as health data you may choose to share with us).

“Data Controller” determines the purpose and means of personal data processing; this is a regulatory concept developed under the EU GDPR. In more lay terms, the data controller decides about the “why” and the “how” of the data processing.

“Data Processor” processes personal data only on behalf of the controller, as determined in an agreement between the parties. The data processor is often a third party to the Data Controller (e.g. Roche to your HCP), but in the case of Roche, one legal entity of Roche may act as processor for another legal entity of Roche Group.

“Processing” means any operation or set of operations which is performed on Personal Information, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Roche Customer” means any institution, corporation or individual which subscribed to use Roche’s Floodlight MS solution in order to be able to prescribe the use of this App to you. This includes your healthcare provider (HCP) and/or your healthcare institution who prescribed this App to you.

“Roche Group” means F. Hoffmann-La Roche AG, a Swiss multinational healthcare company, together with all the corporations through which it operates around the globe. You can learn more about Roche Group and Roche Affiliates worldwide by visiting: https://www.roche.com/about/business/roche_worldwide.htm.

“Roche” or “we” or “us” means (i) when in relation to the App’s legal manufacturer: Roche Molecular Systems, Inc., a member of Roche Group located at 2881 Scott Blvd, Santa Clara, CA 95050 USA (the “Legal Manufacturer”); (ii) when in relation to the App’s enabler or distributor: a company-member of Roche Group other than the Legal Manufacturer that operates in the country where the App is made available to you (“Roche Affiliate”); and (iii) when in relation to Roche as a service provider: Legal Manufacturer, Roche Affiliate and/or any other company-member of Roche Group that is providing services that are requested by you in relation to the App. This may include companies-members of Roche Group that are owned or controlled by the Legal Manufacturer, own or control the Legal Manufacturer, or such that are owned or controlled by the ultimate parent company of the Legal Manufacturer. We need to make this distinction as both your HCP (the Roche Customer) and Roche may serve as the Data Controller, depending on the specific Processing activities.

Roche may act as a Data Controller or Data Processor, as defined by the EU General Data Protection Regulation (EU GDPR) or the UK General Data Protection Regulation (UK GDPR), as applicable. The EU representative of F. Hoffmann-La Roche, Ltd is Roche Privacy GmbH, Emil-Barell-Str. 1, D-79639 Grenzach-Wyhlen, Germany. The UK representative of F. Hoffmann-La Roche Ltd is Roche Products Limited, 6 Falcon Way, Shire Park, Welwyn Garden City, Hertfordshire AL7 1TW, United Kingdom.

What Information Does Roche Collect via Floodlight MS? Roche will not have access to your HCP medical history file, or other sensitive Personal Information held by your HCP, such as treatment plans or previously collected diagnostic information. In order to facilitate your use of the App, you will be asked to provide the following Personal Information:

Due to the nature of the App, the system also generates certain types of event data (such as system logs) that may qualify as Personal Information in certain jurisdictions. For example, if the User is conducting one of the tests in the Floodlight MS App, the system will record not only the results of the test but also the fact itself that the test was successfully completed (in terms of a timestamp of the completion of the test). This information is required to provide the service to your HCP. For more information on this, please also see the following section.

Data for Advanced Analytics: Floodlight MS monitors disease progression over time, and therefore for the App to perform this function we need to build up information that is linked to you as a user over time. We are using a technology from a third party called Amplitude© that helps us gather and organize the information.

We use the data processed by Amplitude to provide the Floodlight MS services to your healthcare provider and to you, and we use the data processed by Amplitude to monitor, refine and improve the offering. We may also use such information to monitor the security and compliance of the system. These uses are necessary to provide and maintain the Floodlight MS services.

We are committed to protecting your privacy. As part of this commitment, we have agreements with Amplitude that ensure compliance with all applicable laws and regulations, including but not limited to US HIPAA and EU GDPR. We have also ensured that Amplitude does not have access to any information that directly identifies you. Furthermore, we use this same approach to ensure any information that directly identifies you is not shared with any unauthorized third party outside of the Floodlight MS program.

We have also instructed Amplitude to ensure that all data is stored based on your place of residence, so data from users who reside in the US is stored in the US and data from all other users who reside outside the US is stored in Germany. Service and support will be provided out of the respective region where your data are stored.

We recognize the trust you place in us by allowing us to access and process your data as part of providing you the Floodlight MS services. We are always happy to address any question or concern that you may have.

US Users only: Except as otherwise permitted or required by law, Roche collects, uses, and discloses any individually identifiable health information consistent with the terms of applicable HIPAA business associate agreements with Roche Customers. Please note that Roche may use and share information with a third party analytics service provider to help us obtain certain information regarding the use of the App, such as to monitor the use of the App and to gain insights that enable us to improve our services. Such information will not include your name, email address, or similar information.

Non-Personal Information. Roche collects and retains certain non-Personal Information to help improve our products and services, as well as for internal research or other business purposes. This information may include, and is not limited to, your feedback about your use of the App, aggregated data, technical analytics (such as what brand, type and model of device you are using), and other technical, non-Personal Information resulting from your use of the App. This information collected and used by Roche will not personally identify you and will therefore not fall under applicable data protection laws and regulations.

Legal Basis for Processing of Personal Information. You may only register to use and access the App if your HCP prescribed the use of this App to you. Therefore, Roche processes your Personal Information primarily to facilitate your use of the App, on behalf of and as requested by your healthcare provider (HCP), a Roche Customer.

Roche may process your Personal Information also as a Data Controller to:

For the avoidance of doubt, to the extent we process data relating to data subjects in the EU/EEA or UK as a Data Controller, Processing activities that ensure the security of Processing activities, Processing activities that aim to secure the integrity and availability of the Floodlight MS application, the adherence to requests from governmental institutions or courts, and other compliance related activities are based on our legitimate interests as defined in Art. 6(1)(f) EU GDPR. For US users, please note that we are required under applicable data privacy legislation, such as HIPAA, to ensure and maintain the security and compliance of the Floodlight MS application.

How Will Roche Use my Personal Information? Any Personal Information we collect and process on behalf of you or the Roche Customer shall be used solely for the following purposes:

As stated before, Roche will act as a Data Controller for certain Processing activities, in particular activities related to security, integrity and availability of the Floodlight MS services, adherence to regulatory requirements as a legal manufacturer of the Floodlight MS application, the improvement of the Floodlight MS services, compliance related matters and legitimate requests from authorities, courts and other governmental institutions.

Will Roche Use My Personal Information for Marketing Purposes? We will not use, sell or transfer your Personal Information for marketing purposes unless we obtain your express consent for this in accordance with applicable laws. We will still send you important information about the App, any updates or changes in functionality that may affect your use of the App, as well as legal and regulatory notices, when required.

How Will Roche Share My Personal Information with Others? We do not sell your Personal Information. Roche shall only share your Personal Information with Roche Customers, Roche Affiliates involved in the provision of services, or our third-party service provider(s), for legal reasons, to facilitate your use of the App, or as requested by you. To the extent we rely on third-party service providers for the processing of Floodlight MS data, we will only do so after signing relevant agreements that ensure full compliance with applicable data protection laws and regulations (e.g., Business Associate Agreements under US HIPAA, or Data Processing Agreements under EU GDPR). The following sections explain in more detail when and why we share your information.

Roche Will Share Your Personal Information with Your Healthcare Provider. When you register your App account by using a code provided by the Roche Customer, your account will be connected to your HCP, the Roche Customer. Your Personal Information, your data, and medical status will be available to your HCP via the App, and your HCP will act as the primary Data Controller in relation to such data.

Roche May Need to Share Your Personal Information for Legal Reasons. We may share your Personal Information in response to a legal obligation, or if we have determined that sharing your Personal Information is necessary to:

In case we share your Personal Information for Legal Reasons, Roche may act as the Data Controller unless a request, legally binding order, court order or government regulation is enforceable against your HCP, and if your HCP then instructs us to share your Personal Information.

How Does Roche Protect My Personal Information? Roche and its Affiliates strive to use adequate physical, technical, and administrative safeguards (such as firewalls, encryption, identity management and intrusion prevention and detection) to protect the information you share through the App from loss, misuse, and unauthorized access, disclosure, alteration, or destruction. All data uploaded into the App is encrypted in transit and at rest. However, Roche cannot guarantee the absolute security of your Personal Information, as no data transmission over the Internet or data storage system is guaranteed to be 100% secure. We recommend that you take any available precautions to protect Personal Information you submit via the App. If you have reason to believe that the use of the App is no longer secure (for example, if you feel that the security of your App account might have been compromised), please contact your HCP immediately in accordance with the “Your Privacy Related Requests” section in this Notice.

Separately, please also note that in the event of a notifiable data breach, it will be dealt with in accordance with the applicable data privacy / data breach laws and regulations of the relevant jurisdiction.

For How Long Does Roche Keep My Personal Information? Regarding the retention of the data relating to you, we distinguish between the different Processing activities. Regarding the data related to the use of the App, we will keep your Personal Information for as long as you continue to use the App. We will keep your information for as long as you maintain a registered User account, until we obtain an instruction from your HCP to delete data relating to you, until we process a direct request by you to delete your information, or until your HCP ceases to provide the App, whichever is sooner. Please note: deleting the App from your device does not delete your account; however, you may delete your account via the App settings.

For our own purposes, and as a Data Controller, we may retain your Personal Information for a longer period of time if so required by applicable law (for example, if legally required, we will retain user support emails and associated information to ensure that we can perform legitimate business functions such as accounting for tax obligations, legal and compliance obligations or audits for security purposes). The retention period will depend on the applicable law and Roche policies, and you may contact Roche at any time for further details on such data retention. Please be informed that Roche is subject to specific retention requirements, as Roche is the Legal Manufacturer of the Floodlight MS application.

Will Roche Transfer My Personal Information Across International Borders? Based on the instructions of your HCP, and subject to a Processing agreement between your HCP and Roche, your personal data may be transferred cross-border as permitted by applicable data protection laws. In case Roche is processing data as a Data Controller, it may also transfer your Personal Information as deemed necessary by Roche, in particular to Roche Affiliates or third-party service providers that are involved in the provision of Floodlight MS services. Such transfers are based on intra-company agreements between the different Roche legal entities, or in the case of a third party through a data Processing agreement that includes a transfer mechanism as required by applicable law (e.g., the EU SCC and additional safeguards as required for the EU/EEA/UK). Roche uses, both as the Data Processor and as Controller, a central IT infrastructure. Based on the settings chosen by you in your registration process, the central IT instance for Floodlight MS is in the USA (for US data subjects) or in Germany (for the rest of the world). Please note that further data transfers across borders may occur based on the instructions provided by your HCP as a Data Controller; in this case, your HCP will provide you with all the relevant information regarding the specific data transfer. The countries in which data is processed may impose different privacy obligations than your country of origin. In transferring your Personal Information, we will rely on available data privacy mechanisms and applicable privacy laws and regulations to ensure a high level of protection for your Personal Information.

What Rights Do I Have with Regards to My Personal Information? You may exercise your statutory data subject rights against the Data Controller, so either your HCP or Roche. If you are unsure about the entity that serves as the Data Controller for a specific processing activity, please do not hesitate to reach out either to your HCP or to Roche. We will be here to assist you and to direct you accordingly. Roche enables you to access, control and delete your Personal Information. To the extent Roche acts as the Data Controller, Roche will, as a baseline, always adhere to the data subject rights provided by the EU GDPR. In case applicable laws and regulations foresee stricter or structurally different data subject rights, Roche will honor such rights in all countries in which we as Roche actively market the Floodlight MS services. This section explains the ways you may exercise these rights in accordance with specific, applicable laws and regulations:

(i) Australian Users: Roche will manage your Personal Information in accordance with the Privacy Act 1988 (Cth) and Australian Privacy Principles. If you wish to access further information about how Roche collects, uses and stores your data, please review Roche's Australian Privacy Policy or contact Roche’s Australian Privacy team using the details provided in the 'Contact Us' section below. You are entitled to rights under Australian Law:

The right to access: You have the right to access, update and delete your Personal Information held by Roche.

The right to withdraw consent: You can withdraw your consent at any time by contacting us. However, if you choose to withdraw your consent, we may not be able to provide you with information and/or access to services.

(ii) All Users in the United States. The information below applies to all users of the App in the United States:

Profile Information. You can review and edit certain account information you have chosen to add to your profile by logging in to your registered account and navigating to your account settings.

Deleting Your Account. If you would like to delete your Roche account, please access our Help page within the App, which will instruct you how to do this. You may also contact the Roche Customer who enabled your access to the App. In some cases, we will be unable to delete your account, such as if there is an issue with your account related to trust, safety, or fraud. When we delete your account, we may retain certain information for legitimate business purposes, or to comply with legal or regulatory obligations. For example, we may be obligated to retain your information as part of an open legal claim. When we retain such information, we do so in ways designed to prevent its use for other purposes.

(iii) Brazilian Users: Under the Brazilian General Data Protection Law (Law n. 13.709/18), you have the following rights regarding your personal data. If you would like or need to exercise any of these rights, please proceed in accordance with the section below “Your Privacy Related Requests”:

I. Confirm whether we process your personal data;

II. Access your personal data;

III. Request we correct incomplete, inaccurate or out-of-date data;

IV. Request we anonymize, block or delete unnecessary or excessive data or data processed in noncompliance with the LGPD;

V. Request your data to be transferred to another legal entity under your right to data portability;

VI. Request we delete your personal data processed under consent;

VII. Request information about public and private entities with which we share your data;

VIII. Request information about the consequences of not providing consent, when applicable; and

IX. Withdraw your consent, when applicable.

(iv) European Union / Switzerland / UK Users

Provided that the EU GDPR, the UK GDPR or the Swiss Data Protection Act covers your personal data, please note that you have the right to request from Roche access to and rectification of your personal data as well as the right to data portability, if applicable, or erasure or restriction of processing of your personal data. Erasure or restriction of Processing is only possible if and to the extent the Processing of personal data is based on consent or legitimate interest. If data processing is based on consent, kindly note that you have the right to withdraw your consent at any time, however, without affecting the lawfulness of processing based on consent before its withdrawal. To send us a note to exercise your right to withdraw consent, please see the contact details below.

In the event you have the impression that our data Processing is non-compliant with EU GDPR, the UK GDPR or the Swiss Data Protection Act: You are entitled to lodge a complaint with the responsible supervisory authority.

Can Roche Make Changes to this Notice? We may change this Notice from time to time. Such update may reflect the continuous development of the App, but it may also be triggered by regulatory requirements or user feedback. When changes are made, we will make the revised Notice available to you via the App. Any time we make material and significant changes to the Notice, we will alert you by email. If you do not agree to the changes after receiving notice of such changes, you should stop using the App and delete your Floodlight MS account. Otherwise, your continued usage of the App will mean you accept those changes, to the extent permitted by law. If required by law, we will invite you to re-consent to an updated version of the Notice. Please regularly check the App to review the then-current Notice.

Important Note about Children’s Privacy. The App is not intended to be, and may not be accessed or used by anyone who has not reached the age of majority in their location. If you are a parent or guardian and you become aware that your child has provided us with Personal Information, please contact us so that appropriate measures may be taken.

Your Privacy Related Requests. You can access, correct or delete some of your Personal Information in App settings at any time. For the Processing activities for which your HCP acts as the Data Controller, to file a concern, a complaint, or a request for correction, request for deletion of your Personal Information, or to opt-out of any particular programs, please contact the HCP that has prescribed this App to you and follow its instructions.

In the event you contact Roche directly for any of the above, Roche will promptly notify your HCP, and will assist the institution in executing your privacy related request. Please also make sure you are provided with the contact details of the data protection/data privacy responsible for your HCP.

In case Roche acts as a Data Controller for certain processing activities, please reach out to us as described in the following Contact Us section.

Contact Us. If you would like to contact Roche regarding this Notice or if you would like to exercise any of the rights afforded to you by applicable law, please contact us as follows:

For all Australian Residents:

Please contact us by email at australia.privacy-request@roche.com

For all Brazilian Residents:

Please contact us by email at brasil.privacidade@roche.com

For United States Residents:

Please contact us by email at uspriv@roche.com

For EU/EEA/Switzerland/UK/All other Countries:

Please contact us by email at global.privacy@roche.com

Please note that email communications are not always secure. Please do not include health information or other sensitive information in your email to us.