Consumer Health Data Privacy Notice

Effective Date: March 31, 2024

We may collect Consumer Health Data directly from you, from cookies and other technologies, and from third parties.

We obtain most of the Consumer Health Data we process either from your computer (via cookies and other similar technology) or from you. We obtain it from you either (1) directly through the therapy device that monitors your sleep and/or your mask, or (2) automatically from your smart device (for example, phone or tablet).

Specifically, the Consumer Health Data we collect automatically may include your IP address, therapy device type, unique therapy device identification numbers (for example, EasyCare Number), operating system version, the dates on which you access and use the service, user behavior (for example, your interactions with the service), geographic location (for example, country- or city-level location) and other technical information.

When you interact with our Services, we may use tools, such as cookies and other technologies such as Firebase™ Analytics and Google Analytics™ to understand how you are using our Services. We use tools in our emails to learn how you interact with our service, your general location, and what parts of our service interest you the most. This helps us make our emails more relevant and engaging for you, especially the ones offering coaching tips. Our goal is to ensure you find our emails useful and that they enhance your experience with our service. This approach is part of our commitment to continuously improve the way we communicate with you. The only information we receive is whether emails are opened and if links within the email are clicked. These technologies are known as “tracking pixels” or “clear gifs.”

We may also collect Consumer Health Data about you from third parties, including third-party applications, where you have consented to their sharing your Consumer Health Data with us.

We may collect, use and share Consumer Health Data for the following purposes:

• Operation of our business. To provide and operate our Services, communicate with you about your use of our Services, provide troubleshooting and technical support, and for other similar operational purposes.
• Provision of Services. To provide you Services, including PAP machine and mask setup instructions, key metrics from your nightly sleep therapy sessions, trends between your therapy and broader heath (for example, daily steps) and coaching related to your therapy.
• Communication with you. To respond to your communications and inquiries to fulfill your requests. This includes sending you requested materials, newsletters and information for our products and Services. We may also send you administrative information, such as changes to our terms, conditions and policies.
• Marketing and promotions. For marketing and promotional purposes, such as sending you marketing communications and information about our Services, market research, technologies and new offerings. We may send you this information via email in compliance with applicable laws and based on your preferences.
• Customization and personalization. To personalize your experience within the Services by suggesting other Services, information, educational content, coaching, products and offers tailored to you. We may also provide key metrics from your nightly sleep therapy sessions and to otherwise deliver your sleep therapy.
• Research and development. We may de-identify, pseudonymize or aggregate Consumer Health Data for statistical analysis and market research to enhance existing or new products and Services and to help us better understand the sleep apnea population. We may also communicate with you about our Services and seek your input for market research and product improvement purposes.
• Surveys and feedback. To conduct surveys related to your use of the Service, sleep therapy or other health conditions.
• Planning and managing events. To plan for events or studies and other event management purposes. This can include registration, attendance, connecting you with other event attendees, and contacting you about relevant events, studies or offerings related to your use of the Services.
• Audits and assessments. (1) To conduct financial, tax and accounting audits (such as audits and assessments of our operations, privacy, security and financial controls), (2) to assess risk and compliance with legal obligations (such as our general business, accounting, recordkeeping and legal functions), (3) to maintain appropriate business records and enforce company policies and procedures.
• Compliance and legal process. To comply with applicable legal or regulatory obligations, including responses to (1) a judicial proceeding, (2) a subpoena, warrant, court order or other legal process, or (3) an investigation or request (whether formal or informal) from law enforcement or another governmental authority.
• Auditing, reporting and other internal operations. (1) For our business purposes (such as data analysis, audits and fraud monitoring and prevention), (2) to enhance, improve or modify our Services (such as identifying usage trends and determining the effectiveness of our promotional campaigns), (3) to operate and expand our business activities, and (4) for internal quality control and training purposes.
• General business and operational support. (1) To assess and implement mergers, acquisitions, reorganizations, bankruptcies, financing and other business transactions and (2) to administer our business, accounting, auditing, compliance, recordkeeping and legal functions.

To enhance user experience and product improvement, we may process Consumer Health Data or pseudonymized information using both automated methods of processing (for example, machine learning and artificial intelligence) and manual methods (for example, human). Our automated methods of processing will not have legal, financial or similar significant effects without appropriate human intervention. We will obtain your affirmative consent for any use or sharing of your Consumer Health Data that requires such affirmative consent under Consumer Health Laws.

We may share each of the categories of Consumer Health Data listed above with the following categories of third parties:

• Affiliates, subsidiaries and business partners. We may disclose your Consumer Health Data to our affiliates, subsidiaries and any company owned or controlled by Resmed. Resmed also partners with other businesses to offer products and services and we may disclose your Consumer Health Data to those business partners.
• Vendors and service providers. We may disclose your Consumer Health Data to vendors and service providers who perform functions and provide services on our behalf, such as IT support services and website hosting, marketing and marketing research providers, customer support, data storage, data analytics providers, auditors, consultants and legal counsel.
• Healthcare or home medical equipment providers. We may disclose your Consumer Health Data to healthcare or home medical equipment providers whose use and disclosure of the Consumer Health Data is limited to flagging whether the machines they monitor are registered with the Service, unless you consent to share additional information.
• Business transfers. If we or our affiliates are or may be acquired by, merged with or invested in by another company, or if any of our assets are or may be transferred to another company, whether as part of a bankruptcy or insolvency proceeding or otherwise, we may disclose or transfer the Consumer Health Data we have collected from you with or to the other company. We may also disclose certain Consumer Health Data as necessary before the completion of such a transaction or other corporate transaction, such as a financing or restructuring, to lenders, auditors and third-party advisors, including attorneys and consultants, as part of due diligence or as necessary to plan for a transaction.
• Compliance and legal obligations. We may disclose your Consumer Health Data in response to legal processes, including if our legal or compliance obligations require us to do so. For example, we may disclose Consumer Health Data in response to subpoenas, court orders and other lawful requests by regulators and law enforcement, including responding to national security or law enforcement disclosure requirements.
• Security and protection of rights. We may disclose your Consumer Health Data where we believe doing so is necessary to protect our Services, our rights and property or the rights, property and safety of others. For example, we may disclose Consumer Health Data (1) to prevent, detect, investigate and respond to fraud, unauthorized activities and access, illegal activities and misuse of the Services, (2) to respond to situations involving potential threats to the health, safety or legal rights of any person or third party or (3) to enforce, detect, investigate and act in response to violations of our Terms of Use. We may also disclose Consumer Health Data related to litigation and other legal claims or proceedings in which we are involved and for our internal accounting, auditing, compliance, recordkeeping and legal functions.
• Aggregate and de-identified information. We may use, disclose and otherwise process aggregate and de-identified, pseudonymized and anonymized information related to our business and Services with third parties for quality control, analytics, research, development and other purposes.
• Health trend data. You may consent to providing health trend data (for example, trends between your therapy usage and health data) by syncing the health app on your device with your myAir app. If you consent to the sharing of such health trend data from Google Health Connect, the use of the information from Google Health Connect will adhere to the Google Heath Connect Permissions Policy, including the Limited Use requirements. Health information from Google Health Connect will not be disclosed to marketing and analytics providers.
• Other disclosures. We may disclose Consumer Health Data to others and in ways not described above and will notify you and/or obtain your consent to the extent required by applicable law.

If you are a Washington or Nevada consumer, you may make certain requests regarding your Consumer Health Data, , subject to applicable law and certain exceptions. You can request to:

• know whether we are collecting or sharing your Consumer Health Data
• know the third parties to whom we have shared your Consumer Health Data and their contact information
• opt out of the collection, or sharing of your Consumer Health Data
• revoke your consent for the sale of your Consumer Health Data
• delete, access, amend, or review your Consumer Health Data.

You can use the following contact information to (1) make a request under this Privacy Notice, (2) raise questions, concerns or complaints about this Privacy Notice or the way we process your Consumer Health Data, (3) exercise any rights you may have as described under this Privacy Notice, or (4) understand how to escalate a complaint you have made to the relevant regulator:

Privacy Office

Resmed Corp.

9001 Spectrum Center Blvd, San Diego, CA 92123

Tel: +1 (800) 424-0737

Email: privacy@resmed.com