Privacy Notice

Eversense® Continuous Glucose Monitoring System

Last updated on September 6, 2022

Your privacy is important to Senseonics, Incorporated (“Senseonics”, “us” or “we”) and we recognize the responsibility you entrust us with when providing your personal data. This Privacy Notice explains how we handle and treat your personal data when you utilize our products, services, and tools, as further described below. The purpose of this Privacy Notice is to provide you with a clear explanation of what personal data we collect, and when, why, and how we collect, use and share your personal data. It also explains your legal rights regarding such data.

We strongly urge you to read this notice and make sure you fully understand our practices in relation to personal data before you utilize our products, services, and tools. After you have read this notice, if you would like further clarification please contact us at dataprivacy@senseonics.com.

If you are located in the European Economic Area (EEA), please consult the EEA GDPR supplemental notice below.


Table of Contents

1. Scope of this Privacy Notice

2. What personal data does Senseonics collect and how do we collect it?

3. How does Senseonics use your personal data?

4. With whom does Senseonics share your personal data?

5. How does Senseonics keep your personal data safe?

6. How long does Senseonics keep your personal data?

7. Your Privacy Rights

8. International Data Transfers

9. Children

10. Links to Other Websites

11. Contact Us

12. Changes to Privacy Notice

13. EEA GDPR Supplemental Notice


1. Scope of this Privacy Notice

Senseonics’ Products and Services (defined below) are designed to address many of the problems of traditional glucose sensor technologies and to provide an unmatched combination of accuracy and long sensor life. In an effort to meet these goals and provide patients and customers a beneficial experience, Senseonics collects certain types of personal data from patients, customers and users as they utilize our products, services, and tools. This Privacy Notice applies to data received or collected through the following sources:

  • Data collected, stored, and/or transmitted through our subcutaneous Eversense® Sensor and our Eversense Smart Transmitter, which are part of our Eversense® Continuous Glucose Monitoring (CGM) System (our “Devices”);
  • Data collected, stored, and/or transmitted through the Eversense® Mobile Application, the Eversense® NOW Mobile Application, and any other mobile applications available for download through the Apple App Store, the Google Play store for Android devices, and that may be accessed through computers, tablets, or mobile devices (each a “Mobile App” and collectively the “Mobile Apps”); and
  • Data collected, stored, and/or transmitted through a personal computer and cloud-based applications such as the Eversense® Diabetes Management Software (DMS) and DMS Pro that permit monitoring and analysis of daily and historical glucose values and other health-related information (collectively the “Software”).

The Devices, Mobile Apps, and Software, whether one or more are utilized by a user, customer, or patient, are collectively referred to in this Privacy Notice as “Senseonics Products and Services.”


2. What personal data does Senseonics collect and how do we collect it?

In order to provide Senseonics Products and Services, we collect information about you which we refer to as “personal data.” Personal data is data that can be used to identify you personally, such as your name, date of birth, home address, phone number, e-mail address, device serial number, or certain personal health information. For patients in the EEA, subject to important rights to opt in or opt out of sharing/synching data, this information may include sensitive personal data, such as your historical glucose values and other health-related information.

2.1. Information collected about patients from the Eversense CGM system

  • When you download and install a Senseonics Mobile App (such as the Eversense Mobile Application or the Eversense NOW Mobile App) or Software (such as the Eversense Diabetes Management System (DMS) on your personal computer), you may be asked to create an account, depending on your geographic location. When you create an account, we will collect your first and last name, and email address. We may further collect your date of birth, gender, address, profile picture, physician’s information, etc.
  • When you use our Devices, we collect: your Transmitter serial number and Sensor serial number; the date and time when your Sensor was inserted; your country of location (which is inferred from your IP Address) and regional settings; the Eversense App version you use; glucose alerts with time stamps; information about the mobile device you use (e.g., device type, mobile network information, and type of mobile browser); as well as technical information about your Transmitter and Sensor (e.g., Sensor performance information, Smart Transmitter firmware version, Transmitter performance information (e.g., battery life)).
  • When you sync your Device: When you sync your Device through a Mobile App or Software, data recorded on your Device about your current and historical glucose values and any additional health-related personal data is transmitted from your Device to Senseonics servers (hosted by a third party), which are located in the Netherlands for patients residing in Europe and in The Dalles, State of Oregon for US patients. Patients in the EEA may elect not to sync their data. If you decide to sync your Device, we collect: your historical glucose values and glucose value time stamps; we may calculate Mean Absolute Relative Difference (MARD) values for the device based on the information provided; your glucose settings; whether you decided to create an account; and technical information about the Device (e.g., whether you decided to share your Device data with third-parties not affiliated with Senseonics (such as Diasend, mySugr, Apple Health or Glooko), your health care provider, and/or your friends and family).
  • When you contact Customer Care to report an issue, concern or complaint regarding the Device, the Mobile App or the Software, we collect your name, your sensor insertion date, your Sensor serial number, the Transmitter serial number, and other information that may be relevant to your complaint.

2.2. Information collected about HCPs from the Eversense DMS Pro System

If you are a physician or other health care professional (HCP) managing a patient who uses the Eversense System:

  • When you create an account, we collect: your first and last name; title; email address; phone number; Health Care Facility Name; and country. We may further collect: your address; profile picture; and date of birth.
  • When your patients decide to share their data with you, we will collect information about which patients’ data you have reviewed from your account.
  • When you contact Customer Care to report an issue, concern or complaint regarding the Device, the Mobile App or the Software, we collect your name, your email address, your phone number, and any other information that you report.

2.3. Information collected about Patients’ friends and/or family from the Eversense NOW Remote Monitoring App

If you are a friend or family member of a patient who uses the Eversense System, and you are using a Mobile App or Software:

  • When you create an account, we collect your first and last name, and email address.
  • When a patient decides to share their Device data with you, we will collect information about your invitation to receive their data and your use of the Mobile App and/or Software.
  • When you contact Customer Care to report an issue, concern or complaint regarding the Device, the Mobile App or the Software, we collect your name, your email address, your phone number, and any other information that you report.

3. How does Senseonics use your personal data?

For provision of Senseonics Products and Services and Customer Care Service–we may use your personal data to:

  • Facilitate, manage, and maintain the use of our products and services;
  • Appropriately address complaints, and inform you of relevant product or service updates, helpful information, tips and reminders;
  • Contact you in connection with the provision of the product or service, including sending important information regarding the product or service, such as technical notices, manufacturing news, updates and alerts, relevant data privacy or security events, or changes to our terms and conditions.

For product improvement–we may use your personal data to:

  • Develop and/or improve products and services;
  • Enhance or modify our services (for example, by identifying usage trends);
  • Conduct data analysis.

For marketing purposes–with your consent where required by applicable laws, we may use your personal data to:

  • Conduct data analysis;
  • Send emails and notices regarding opportunities related to our products and services.

Internal business purposes–we may use your personal data to:

  • Ensure access to and maintenance of our products and services and ensure their proper functioning;
  • Conduct audits of our products and services;
  • Track any fraudulent activities and other inappropriate activities, and monitor content integrity on our products and services.

Compliance with our legal and regulatory obligations–we may use your personal data to comply with our legal and regulatory obligations, such as post-marketing obligations with our approvals.

For EEA residents, please review the EEA GDPR Supplemental Notice below.

4. With whom does Senseonics share your personal data?

4.1. Data shared to provide Senseonics Products and Services

We share your personal data with third parties only where it is necessary, and for purposes described in this Privacy Notice. We may share your personal data with the following categories of third parties:

Affiliates: We may share your personal data with our corporate parent, subsidiaries, and affiliates.

Business partners / Service providers: We may transfer your personal data to our business partners / service providers as necessary for them to provide services to us in connection with our fulfilment of the purposes set out above. For example, we may rely on service providers to host our server and Software; distribute our Senseonics Products and Services; provide Customer Care Service; provide Customer Relation Management services; etc. Ascensia Diabetes Care is our commercialization partner, providing several important services relating to our products. Our other business partners / service providers include without limitation: Teleperformance; Salesforce; Roche; Liquid Web; and additional parties we may work with from time to time.

Government Agencies, Regulators and Professional Advisors: Where permitted or required by applicable law or regulation, we may also need to transfer your personal data to government agencies and regulators (such as medical device regulators, tax authorities, courts, and other government authorities) to comply with our legal obligations, and to external professional advisors as necessary to defend our legal interests.

Organizations Involved in Business Transfers: In the event of a merger, reorganization, dissolution or similar corporate event, or the sale of all or substantially all of our assets, we expect that the information that we have collected, including personal data, will be transferred to the acquiring entity or the surviving entity in a merger or other such transaction. Such information would be transferred in accordance with applicable law.

4.2. Data shared as directed by patients

Data shared with your HCP through Eversense DMS Pro System: You may direct us to share your data with your HCP. In such cases, your HCP will have access to your name; CGM system settings; email; date of birth; glucose data; events; and calibrations.

Data shared with your friends and/or family members through Eversense NOW Remote Monitoring App: You may direct us to share your data with your friends and/or family members. In such cases, your friends and/or family will have access to your name; profile picture; most recent 3 hours of glucose data; 20 most recent glucose alerts; 20 most recent events; and calibrations.

Data shared with third parties such as Diasend, mySugr, Apple Health or Glooko: You may direct us to share your data with third parties such as Diasend, mySugr, Apple Health or Glooko. In such cases, the third party will have access to glucose data and glucose trends. Please note that we have no control over the processing activities of such third parties. Once shared, the processing of your personal data will be subject to the third parties’ privacy notice.

5. How does Senseonics keep your personal data safe?

We are committed to keeping the personal data provided to us secure and we have implemented appropriate information security policies, rules and technical measures to protect the personal data that we have under our control from unauthorized access, improper use or disclosure, unauthorized modification, and unlawful destruction or accidental loss. We have put in place procedures to deal with any suspected breach of personal data and will notify individuals and any applicable regulator of a breach where we are legally required to do so.

6. How long does Senseonics keep your personal data?

We retain personal data for as long as necessary to fulfil the purposes for which we collected it, including for the purposes of satisfying any legal, accounting, regulatory, post-approval monitoring, or reporting requirements, to establish or defend legal claims, or for fraud prevention purposes.

To determine the appropriate retention period for personal data, we consider the following criteria:

  • our legal obligations to retain the personal data under applicable laws (e.g., the Medical Device Regulation requires us to keep some data for 15 years for conformity purposes);
  • applicable legal holding and/or limitation periods for the establishment, exercise or defence of any potential legal claims.

When we no longer require the personal data we have collected about you, we will either delete or irreversibly anonymize it or, if this is not possible (for example, because your personal data has been stored in backup archives), then we will securely store your personal data and isolate it from any further processing until deletion is possible. If we anonymize your personal data (so that it can no longer be associated with you), we may use this information indefinitely without further notice to you.

7. Your Privacy Rights

As the data owner, you will maintain control over your data. You may update your information at any time by logging into your account on our Software or Mobile App and making the appropriate changes.

If you would like to review, correct, update, suppress, or delete personal data that you have provided to us, you may update such information maintained in your account on our Software or Mobile App, or contact us at dataprivacy@senseonics.com. In your request, please make clear what changes, corrections, suppression or limitations you would like to place on your personal data. For your protection, we may only implement requests with respect to the personal data associated with the particular email address that you use to send us your request, and we may contact you or take other steps to verify your identity before implementing your request. Please note that we may not be able to accommodate every request for a change, correction, suppression or limitation, and we may need to retain certain information for recordkeeping purposes, regulatory or legal reasons, and/or to complete any transactions that you began prior to requesting any change.

You can deactivate your Senseonics account by contacting us at dataprivacy@senseonics.com. When you do so, data that can identify you and that is associated with your account will be subsequently removed from Senseonics Products and Services to the extent reasonably possible.

For EEA residents, please review the EEA GDPR Supplemental Notice below.

8. International Data Transfers

We are headquartered in the United States and have service providers in other countries, and your personal data may be transferred to the United States or other locations outside of your country where privacy laws may not be as protective as those in your country. We will take appropriate steps to ensure that transfers of personal data are in accordance with applicable laws.

For EEA residents, please review the EEA GDPR Supplemental Notice below.

9. Children

Senseonics Products and Services are not intended for use by individuals under 18 years of age in any jurisdiction and Senseonics does not market or promote the product for any individuals under 18. Therefore, we do not knowingly collect any personal data from persons under 18. If we learn that we have collected or received personal data from any person under 18 without verification of parental consent, we will delete that information. If you believe that we might have any information from or about an individual under the age of 18, please contact us at dataprivacy@senseonics.com.

10. Links to Other Websites

Our Mobile Apps and Software may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.

11. Contact us

You may contact us using the following details:

Email address: dataprivacy@senseonics.com

Postal address:
Data Protection Officer
Senseonics, Incorporated
20451 Seneca Meadows Parkway
Germantown, MD 20876
USA

12. Changes to this Privacy Notice

We may make changes to this Privacy Notice. To ensure that you are always aware of how we use your personal data, we will update this Privacy Notice from time to time to reflect any changes to our use of your personal data. We may also make changes as required to comply with changes in applicable law or regulatory requirements and emerging privacy practices. Please regularly check this document or this webpage for the latest version of this Privacy Notice.

****************

EEA GDPR Supplemental Notice

If you are located in the European Economic Area or the United Kingdom, and use Senseonics Products and Services, this EEA GDPR Supplemental Notice applies to you.

1. Who is the Controller?

Senseonics, Incorporated, a company based in the United States of America, with its headquarters at 20451 Seneca Meadows Parkway, Germantown, Maryland 20876, is the controller of your personal data.

Senseonics’ Data Protection Officer can be contacted:

  • By e-mailing: dataprivacy@senseonics.com
  • Or by writing to:
    • Data Protection Officer
      Senseonics, Incorporated
      20451 Seneca Meadows Parkway
      Germantown, MD 20876
      USA

Pursuant to Article 27 of the General Data Protection Regulation (GDPR), Senseonics, Incorporated has appointed European Data Protection Office (EDPO) as its GDPR Representative in the EU. You can contact EDPO regarding matters pertaining to the GDPR:

2. What Are Our Legal Bases for Processing Personal Data?

Processing activity: Provision of Service & Customer service

Purpose:

  • to facilitate, manage, and maintain the use of our products and services
  • to appropriately address complaints, inform customers of relevant product or service updates, helpful information, tips and reminders
  • to contact the customer in connection with the provision of the product or service, including sending important information regarding the product or service, such as technical notices, manufacturing news, updates and alerts, relevant data privacy or security events, or changes to our terms and conditions

Legal ground:

  • Necessary for contract performance (art. 6.1(b) GDPR)
  • Consent in case of health related data (art. 9.2(a) GDPR)
  • exceptionally, necessary to protect the vital interests of the data subject (art. 9.2(c) GDPR)

Processing activity: Product improvement

Purpose:

  • to develop and/or improve products and services
  • To enhance or modify our services (e.g., by identifying usage trends)

Legal ground:

  • Legitimate interest (art. 6.1(f) GDPR)
  • Consent in case of health related data (art. 9.2(a) GDPR)

Processing activity: Marketing

Purpose:

  • data analysis
  • to send emails and notices to our customers regarding opportunities relating to our products and services

Legal ground:

  • Consent (art. 6.1(a) GDPR)

Processing activity: Internal business purposes

Purpose:

  • ensure access to and maintenance of our products and services and ensure their proper functioning;
  • audit;
  • fraud monitoring and prevention

Legal ground:

  • Legitimate interest (art. 6.1(f) GDPR)
  • Consent in case of health related data (art. 9.2(a) GDPR)

Processing activity: Compliance with our regulatory and legal obligations

Purpose:

  • to comply with our legal and regulatory obligations, such as post-marketing authorization’s obligations.

Legal ground:

  • Legal obligations (art. 6.1(c) GDPR)
  • Necessary for reasons of public interest in the area of public health in case of health related data (art. 9.2(i) GDPR)

3. Your rights

You have the following rights in relation to the personal data we hold about you:

Right of access: You can ask us to provide you with information about our processing of your personal data and give you access to your personal data;

Right to rectification: If the personal data we have about you is inaccurate or incomplete, you are entitled to request to have it rectified;

Right to erasure: You can ask us to delete or remove personal data where there is no lawful reason for us continuing to store or process it, where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully, or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons that will be notified to you, if applicable, at the time of your request;

Right to restrict processing: You can ask us to suspend the processing of your personal data if, (i) you want us to establish the data’s accuracy; (ii) where our use of the data is unlawful but you do not want us to erase it; (iii) where you need us to hold the data even if we no longer require it, as you need it to establish, exercise or defend legal claims; or (iv) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it;

Right to object: Where we are relying on a legitimate interest for data processing but there is something about your particular situation, you have the right to object to processing if you believe it impacts on your fundamental rights and freedoms;

Right to data portability: You have the right, in certain circumstances, to ask us to provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you;

Right to withdraw consent at any time: Where we are relying on consent to process your personal data, you have the right to withdraw your consent at any time. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent;

Right to Lodge a Complaint with a Supervisory Authority: You may submit a complaint about our use of your personal data or our response to your requests regarding your personal data. To do this, you may contact us or submit a complaint to the Supervisory Authority in your jurisdiction: https://edpb.europa.eu/about-edpb/about-edpb/members_en

Please note that some of these rights may be limited where we have an overriding interest or legal obligation to continue to process the personal data or where certain exemptions apply.

In order to exercise your rights, please contact Senseonics in writing by one of the methods set out under “Contact Us” above.

4. How Do We Protect Personal Data if we transfer it internationally?

We may transfer your personal data to recipients outside of the EEA and/or UK. Some of these recipients are located in countries for which either the European Commission and/or UK Government (as and where applicable) has issued adequacy decisions, in which case, the recipient’s country is recognized as providing an adequate level of data protection under UK and/or European data protection laws (as applicable) and the transfer is therefore permitted under Article 45 of the GDPR.

Some recipients of your personal data may be located in countries outside the EEA and/or the UK for which the European Commission or UK Government (as and where applicable) has not issued adequacy decisions in respect of the level of data protection in such countries (“Restricted Countries”). For example, the United States is a Restricted Country. Where we transfer your personal data to a recipient in a Restricted Country, we will either:

Enter into appropriate data transfer agreements based on so-called Standard Contractual Clauses approved from time-to-time under GDPR Art. 46 by the European Commission, the UK Information Commissioner’s Office or UK Government (as and where applicable); or

Rely on other appropriate means permitted by the EU/UK GDPR, which establish that such recipients will provide an adequate level of data protection and that appropriate technical and organizational security measures are in place to protect personal data against accidental or unlawful destruction, loss or alteration, unauthorized disclosure or access, and against all other unlawful forms of processing.

You may contact us in writing by one of the methods set out under “Contact us” above if you would like further information on the specific mechanism that we use when transferring your personal data outside of the EEA.

MKT-6008-01-000 Rev 1