Diopsys, Inc.

Privacy Statement

Our Privacy Statement was updated on August 25, 2022.

This Diopsys Privacy Statement (this “Privacy Statement”) describes information that Diopsys, Inc. and its affiliates (collectively, “Diopsys”) collect, use, process, share, and store, including information that may personally identify you, such as your name, email address, shipping address, and other data described below.

This document focuses on information related to (1) your inquiry, purchase, and use of Diopsys products, (2) operation of the public websites available at Diopsys.com and all subdomains, including access to and use of Diopsys’ e-commerce website for the purchase of Diopsys Products (the “Diopsys Websites”), and (3) your participation in any Diopsys studies or the receipt of any additional services from Diopsys (collectively, “Diopsys Products”).

    BY PURCHASING, USING, PARTICIPATING IN, OR INQUIRING ABOUT ANY DIOPSYS PRODUCTS, YOU AGREE TO THE TERMS OF THIS PRIVACY STATEMENT, AND YOU EXPRESSLY CONSENT TO THE COLLECTION, USE, PROCESSING, AND DISCLOSURE OF YOUR PERSONAL DATA IN ACCORDANCE WITH THIS PRIVACY STATEMENT.

    What information does Diopsys collect?

    As you interact with Diopsys or any of its distributors or representatives, Diopsys may collect the following information about you:

    • Identity data – this means data that allows someone to identify or contact you and may include your name, gender, profession, title, place of work, and similar information identifying you;

    • Contact information – this may include your email address, telephone number, physical address, shipping address, and other information used to contact you;

    • Profile data – this may include your username and password, in addition to any other information you provide in connection with establishing and maintaining a Diopsys profile or account;

    • Transaction data – this may include details about your Diopsys Product purchases and participation;

    • Payment information – this may include bank routing and account numbers, credit card numbers, your billing address, and other information used to process payment for any Diopsys Products you purchase;

    • Technical data – this may include data associated with the connection of any Diopsys Product or your personal computer to the internet, such as internet protocol (IP) addresses, login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technical information about the devices you use to access Diopsys Websites;

    • Usage data – this may include information about how you use Diopsys Websites and Diopsys Products;

    • Regulatory data – this may include information you report to us and additional information we request from you in connection with your user experience;

    • Marketing and communications data – this may include your preferences in receiving marketing and other communications from Diopsys; and

    • General correspondence – this may include the subject matter and content of any electronic, written, or other correspondence you communicate to Diopsys, whether inquiry, comment, adverse event, warranty claim, or otherwise.

Diopsys may also collect, use, process, share, and store anonymous data, for example, statistical or demographic information, for any purpose. Anonymous data may be derived from your interactions with Diopsys, but is not considered personal data, as it does not directly or indirectly reveal your identity. For example, we may aggregate your usage data to calculate the percentage of users accessing a specific Diopsys Website feature. However, if we combine or connect this anonymous data with your personal data so that it can directly or indirectly identify you, Diopsys treats the combined data as personal data, which will only be used in accordance with this Privacy Statement.

How is your personal data collected?

Diopsys collects personal data through direct interaction, automated technologies, and from third parties.

When you contact Diopsys requesting information, providing feedback, or in connection with participating in or purchasing a Diopsys Product, you may explicitly provide us with your identity data, contact information, profile information, payment information, marketing and communications information, and general correspondence. This information is typically communicated to Diopsys by you submitting online electronic forms, by written contract, by email, in-person, or over the phone.

Personal data is collected by automated technologies and interactions. As you interact with Diopsys Websites, your technical data and usage data may be automatically recorded. We collect this personal data by using cookies, server logs, web beacons, and other similar technologies, as more fully described in the section below titled “Cookies”.

Personal data may also be submitted to us by third parties. Generally, these third parties will be Diopsys Product distributors and representatives, through whom you have purchased or are purchasing Diopsys Products. Please carefully review the privacy policies of any third parties to whom you may provide personal data, including their policies on sharing your personal data.

How does Diopsys use the information it collects?

We use this information to respond to your requests, enable you to purchase, receive, use, and participate in Diopsys Products, transmit payment, administer and protect our business and your personal data, improve the Diopsys Products, satisfy legal obligations, and provide you with relevant information on Diopsys and the Diopsys Products.

We may also use this information in a non-identified form for research purposes and to help us make sales, marketing, and business decisions. For example, we may use aggregated information as part of a study on the use and effectiveness of certain treatments.

We may use service providers to perform some of these functions. Those service providers are restricted from sharing your information for any other purpose.

We use industry-standard methods to help keep this information safe and secure while it is transmitted over your network and through the Internet to our servers. Depending on your location and type of data, Diopsys may process your personal information on servers that are not in your home country.

In general, for purposes of applicable law, Diopsys is a controller of the information collected in connection with Diopsys Products.

Our legal basis for processing information

We process your information for the purposes described in this Privacy Statement based on the following legal grounds: (1) providing you with Diopsys Products under contract, (2) pursuing legitimate interests, or (3) complying with legal obligations.

When we provide a Diopsys Product, we process your data to deliver and support a product or service you have requested under contract, including our Terms and Conditions of Sale and Terms of Use.

When we pursue legitimate interests, we process your information for our legitimate interests and those of third parties while applying appropriate safeguards that protect your privacy. These interests may include:

  • offering and improving Diopsys Products;

  • developing new products and features;

  • understanding how people use Diopsys Products;

  • discussing participation in clinical trials;

  • performing research that improves Diopsys Products;

  • sending you information about Diopsys Products consistent with your preferences;

  • protecting against harm to the rights, property, and safety of Diopsys, our users, and the public;

  • detecting, preventing, or otherwise addressing fraud, abuse, security or technical issues with our services;

  • maintaining and improving the integrity of our computing systems, and protecting our users’ data security; and

  • enforcing legal claims, including investigation of potential violations of applicable Terms of Use.

    When we comply with legal obligations, we process your data when we have a legal obligation to do so, for example, if Diopsys must respond to a legal process or an enforceable governmental request.

    In what circumstances does Diopsys share my information?

    We will not share personal information for any commercial or marketing purposes unrelated to your purchase, use, or participation in Diopsys Products without first obtaining your consent. We do not rent or sell our customer lists. The following are the limited situations where we may share personal information:

  • We have vendors, service providers, and technicians who help with some of our product shipping, and data processing and storage, including helping to answer your questions. They may also assist with monitoring our servers for technical problems. These technicians (as well as Diopsys employees) can access certain information about you or your account in line with this work, but these technicians are not allowed to use this data for non-Diopsys purposes.

  • Upon the sale or transfer of the company and/or all or part of its assets, your personal information may be among the items sold or transferred. We will request a purchaser to treat our data under the privacy statement in place at the time of its collection.

  • We will share personal information with third parties if we have a good faith belief that access, use, preservation or disclosure of the information is reasonably necessary to (i) meet any applicable law, regulation, legal process or enforceable government request; (ii) enforce Diopsys policies or contracts, including investigation of potential violations; (iii) detect, prevent or otherwise address fraud, security or technical issues; (iv) protect against harm to the rights, property or safety of Diopsys, our users or the public as required or permitted by law.

  • In the event that we intend to enter into a major corporate transaction, such as the merger or sale of all or a part of our business, we may disclose certain of your personal data to potential buyers, underwriters, or advisors. If we do this, we will take reasonable precautions to ensure that the recipients of your personal data are obligated to keep it confidential.

    We may share non-personal information (for example, aggregated or anonymized customer data) publicly and with our partners. For example, we may publish trends about ERG adoption. We may also share non-personal information with our distributors and sales representatives, investors, and treatment professionals. We take steps to keep this non-personal information from being associated with you, and we require other parties to do the same.

    If you purchase a Diopsys Product from a party other than Diopsys, for example, a distributor of Diopsys Products or an independent sales representative, or hire an outside party to set up or provide service to your Diopsys Products, and you share your personal information with those parties, we cannot control the collection, storage or sharing of information collected by that party. For example, a party that services your Diopsys Product may retain information that you provided to them in connection with the service. Always check the privacy policies of any company that collects your personal information.

    How do I have my personal information deleted, changed, or updated?

    Diopsys generally stores your personal information on third-party servers of well-recognized data management and networking companies for as long as you remain a Diopsys customer, or a reasonable period of time to respond to your requests or provide you with information about Diopsys Products, or until you request deletion of your personal information. In addition, Diopsys may store your personal information to resolve disputes, establish legal defenses, conduct audits, pursue legitimate business purposes, enforce our agreements, and comply with applicable laws.

    Diopsys respects your privacy and realizes that not everyone wants their personal information stored or processed. With that in mind, please notify us if you would like to do any of the following:

  • Seek confirmation regarding whether Diopsys is processing your personal data;

  • Review and receive a copy of the personal data we hold about you;

  • Correct or amend any incomplete or inaccurate data we may hold about you;

  • Have your personal data deleted from our servers, subject to potential competing legal interests;

  • Object to the processing of your personal data or request a suspension of such processing; or

  • Withdraw your consent to the processing of your personal data.

You may request such action by emailing privacy@Diopsys.com, or by submitting your requests to Diopsys in writing at:

Diopsys, Inc.

Attn: Privacy Requests

19578 10th Avenue NE, Suite 200

Poulsbo, WA 98370

Please note that withdrawing your consent, deleting your personal data, or otherwise limiting how Diopsys processes your personal data may impact your use of the Diopsys Products, or prevent Diopsys from being able to provide certain products or services to you.

To further protect your privacy, Diopsys will endeavor to take commercially reasonable steps to verify your identity before granting access to or making any changes to your personal information.

We endeavor to respond to all requests within 30 days. In some instances, if your request is particularly complex or you have made a number of requests, it may take longer to complete your requests. In those circumstances, we will notify you of the status of your requests and provide updates on progress.

How does Diopsys protect my personal information when it is transferred internationally?

Your personal information may be collected, processed, and stored by Diopsys or its service providers in the United States and other countries where our servers reside. Please be aware that the privacy protections and legal requirements, including the rights of authorities to access your personal information, in the United States and other countries may not be equivalent to those in your country.

We may share, as described in this Privacy Statement, information with our affiliates and subsidiaries, and third parties. We may disclose information in response to legal process and lawful requests by public authorities in the United States and other countries for the purposes of law enforcement and national security. With certain service providers we may use specific contractual clauses approved by the European Commission, designed to provide personal data the same protection it has in Europe, as required or permitted by Articles 46 and 49 of the General Data Protection Regulation.

If you are using Diopsys Products outside the United States, by accepting this Privacy Statement you consent to the transfer of your personal data to the United States and other countries where Diopsys operates, in accordance with this Privacy Statement.

Cookies

We use and engage certain providers to use cookies, web beacons, and similar tracking technologies (collectively, “Cookies”) on Diopsys Websites.

Cookies are small amounts of data that are stored on your browser, device, or the page you are viewing. Some Cookies are deleted once you close your browser, while other Cookies are retained even after you close your browser so that you can be recognized when you return to a website.

We use Cookies to help provide you with applicable information on the Diopsys Websites, to gather information about your usage patterns to enhance your personalized experience on Diopsys Websites, and to understand usage patterns to improve the Diopsys Website experience and Diopsys Products.

Cookies on the Diopsys Websites may consist of the following types:

  • Operational Cookies: These are required for the operation of our Diopsys Websites. They include, for example, cookies that enable you to log into secure areas.

  • Analytical/Performance Cookies: These allow us to recognize and count the number of users of our Diopsys Websites and understand how such users navigate through the Diopsys Websites. This helps to improve how the Diopsys Websites work, for example, by ensuring that users can find what they are looking for easily. These Cookies are session cookies which are erased when you close your browser. We use Google Analytics, and you can see below ways to control the use of Cookies by Google Analytics.

  • Functional Cookies: These improve the functional performance of our Diopsys Websites and make the sites easier for you to use. For example, Cookies are used to remember that you have previously visited the Diopsys Websites and have been asked to remain logged in. These Cookies qualify as persistent cookies, because they remain on your device for us to use during a next visit to the Diopsys Websites. You can delete these Cookies via your browser settings.

  • Cookie Pop Up: We use a Cookie to determine if you have consented to our use of Cookies and our Privacy Statement, and to ensure we do not show it to you again when you accept it.

Your acceptance of Cookies may be modified by changing your Internet browser settings. These settings are typically located under the sections “Help” or “Internet Options” in your Internet browser. If you disable or delete certain Cookies in your Internet browser settings, you might not be able to access or use important functions or features of the Diopsys Websites, and you may be required to re-enter your log-in details.

Minors

Diopsys Products do not knowingly collect or store any personal information from anyone under the age of 18. Only individuals aged 18 and older are permitted to purchase and use Diopsys Products, and only if they agree to be bound by the terms of this Privacy Statement, our Terms of Use, and our Terms and Conditions of Sale.

Can the Privacy Statement be changed?

Please note that this Privacy Statement may change from time to time. We will provide notice of any changes on the Diopsys Website or by contacting you. Any changes to this Privacy Statement will be effective upon the earlier of thirty (30) calendar days following our posting of notice of the changes on the Diopsys Website, or thirty (30) calendar days following our dispatch of an e-mail notice to you.

Changes to this Privacy Statement may affect our use of personal data that you provided us prior to our notification to you of the changes. If you do not wish to permit changes in our use of your personal data, you must notify us prior to the effective date of the changes that you wish to deactivate your account with us. Continued use of the Diopsys Website or Products following notice of such changes shall indicate your acknowledgement of such changes and agreement to be bound by the terms and conditions of such changes.

How can I contact Diopsys?

If you have any questions regarding this Privacy Statement, you may submit an inquiry to Diopsys via email at privacy@Diopsys.com or by mailing your requests to Diopsys at:

Diopsys, Inc.

Attn: Privacy Requests

19578 10th Avenue NE, Suite 200

Poulsbo, WA 98370

COR-0018 REV A Diopsys Privacy Policy