Resmed Healthcare Professional Customer Privacy Notice
Effective Date: January 1, 2024
Resmed Corp., its brands, affiliates and subsidiaries (“Resmed,” “we,” “our,” or “us”) is committed to protecting the privacy of your Personal Information. This Healthcare Professional Customer Privacy Notice (“Notice”) describes how Resmed collects, uses, discloses and otherwise processes the Personal Information described in this Notice, as well as the rights and choices individuals have regarding such Personal Information.
1. Scope
When you interact with Resmed or our products, Services or websites, our privacy practices and your privacy rights are described generally in the Privacy Policy applicable to your region. This Notice forms part of and supplements our Privacy Policy for North American users and provides additional information about the Personal Information we collect and process about you when you interact with Resmed in a business-to-business capacity. For example, this Notice applies to representatives, employees or contact persons of our current, prospective or former business customers, business partners, service providers or contractors, which may include but are not limited to Home Medical Equipment providers (HME), Durable Medical Equipment providers (DME), sleep labs, healthcare practitioners, hospitals, insurers, payors or other business customers, as well as any individuals that interact with Resmed’s business-to-business websites, offerings or Services, including but not limited to the Resmed Online Store (“Business Contacts” or “you”).
For purposes of this Notice, “Personal Information” means information that identifies, describes or is reasonably capable of being associated with our Business Contacts. This Notice does not address or apply to our handling of Personal Information that is exempt under applicable privacy laws, including publicly available information, information governed by the Health Insurance Portability and Accountability Act (“HIPAA”), or deidentified or aggregated information.
Depending on how you interact with us, we may provide you with other privacy notices that include additional details about our privacy practices.
2. Personal Information we collect
We may collect Personal Information from you directly or indirectly to provide Services, conduct business with you and for any of the purposes set forth below. To the best of our knowledge, the following list describes the categories and examples of Personal Information we collect when you interact with us in a business-to-business capacity and may have collected about you in the last 12 months. The following information is collected directly from you:
- Contact information and similar identifiers such as name, telephone number, email address, mailing address and fax number.
- Professional or employment information such as job title, role, company name, occupation and licenses.
- User account information such as username, password, login, administrative permissions and other preferences.
- Corporate account information such as company affiliation, shipping address, invoice information, payment information and other personally identifiable information connected to account management.
- Commercial information such as any personally identifiable information associated with sales orders or records of products or Services purchased, obtained or reviewed.
The following information is collected indirectly or automatically through your use of the Services, websites or internet activity:
- Activity and usage information such as data or analytics related to how you interact with our sites, Services or applications, including page views, login attempts, purchase attempts, links and items clicked, features used, error messages, time spent within the Services and other usage information.
- Device and browsing information such as IP address, unique ID, device type, general location information (such as region, which may be derived from your IP address), browser type, browser language, domain names, access times, date and time stamps, operating system, scrolling activity, internet service provider and other similar device and browsing information.
- Location information such as physical location, geolocation, device location or login location.
To the extent permitted by law, we may combine this information with other information that we have collected about you. For more information about our use of cookies and other similar technologies to collect any of the information listed in this section, refer to section 7 of this Notice.
3. Use of Personal Information
Resmed may collect and use the above categories of Personal Information for the following business or commercial purposes (and any directly related purposes):
- Operate our business. To provide and operate our Services, communicate with you about your use of our Services, provide troubleshooting and technical support and for similar purposes.
- Conduct business with you. To conduct business with you or your employer, such as to perform our contractual obligations to your employer or principal; to maintain your account and provide you access to our systems including for purposes of patient management; to provide you with products, Services or offerings; and to process your transactions, invoice your account and fulfill your orders.
- Security and troubleshooting. To maintain the security and functionality of our Services and online offerings, including to confirm identities, prevent fraud and provide support such as debugging and troubleshooting.
- Communicate with you. To respond to communications and inquiries from you or your employer and to send administrative information to you, such as changes to our terms, conditions, policies, purchase-related information and for other similar purposes.
- Marketing and promotions. For marketing and promotional purposes such as to send you or your employer marketing communications and information about our Services and new offerings.
- Customization and personalization. To personalize your experience within the Services by presenting products and offers tailored to you.
- Surveys and feedback. To administer surveys and questionnaires such as for market research or user satisfaction purposes.
- Research and analysis. To conduct research and analysis designed to improve our business, products, Services and websites, including but not limited to data analytics, comparative analysis and machine learning.
- Planning and managing events. To plan for events, studies and for other event management purposes, including registration, attendance, connecting you with other event attendees and contacting you about relevant events, studies or offerings related to your use of the Services.
- Audits and assessments. To conduct financial, tax and accounting audits; audits and assessments of our operations, privacy, security and financial controls, risk and compliance with legal obligations; our general business, accounting, record keeping and legal functions and for other similar purposes.
- Compliance and legal process. To comply with applicable legal or regulatory obligations, including as part of a judicial proceeding; to respond to a subpoena, warrant, court order or other legal process; or as part of an investigation or request, whether formal or informal, from law enforcement or a governmental authority.
- Reviewing, reporting and other internal operations. For our business purposes such as data analysis, audits, fraud monitoring and prevention, enhancing, improving or modifying our Services, identifying usage trends, operating and expanding our business activities and for internal quality control and training purposes.
- Mergers, acquisitions and other business transactions. To assess and implement mergers, acquisitions, reorganizations, bankruptcies and other business transactions, such as financings, and to administer our business, accounting, auditing, compliance, recordkeeping and legal functions.
4. Source of Personal Information
We generally collect Personal Information from the following sources:
- Directly or indirectly from you
- Our affiliates and subsidiaries
- Our business partners
- Operating systems and platforms
- Publicly available information and sources
5. Retention of Personal Information
Your Personal Information is generally hosted on regional infrastructure. For example, Personal Information transmitted in connection with North American business activities, Services or website interactions is ordinarily stored on U.S.-based servers. Notwithstanding, Resmed makes no warranty as to storage location, and you authorize the transfer of your Personal Information to different jurisdictions for purposes consistent with this Notice, in furtherance of legitimate business purposes or pursuant to an authorized disclosure as set forth in section 6 of this Notice.
We retain your Personal Information for as long as needed, or permitted, based on the reason we obtained it (consistent with applicable law). When deciding how long to keep your information, we consider a variety of factors, including whether the information relates to ongoing or potentially ongoing business interactions or Services, whether we are subject to any legal obligations (e.g., any laws that require us to keep records for a certain period of time before we can delete them) or whether we have taken any legal positions (e.g., issued any legal holds or otherwise need to preserve the information). From time to time, we may also de-identify your Personal Information, retain it and use it in compliance with applicable privacy laws.
6. Disclosure of Personal Information to third parties
Resmed may disclose your Personal Information to certain third parties as consistent with the purposes set forth above. To the best of our knowledge, the following describes the categories of third parties that we disclose Personal Information to, and may have disclosed Personal Information to, in the last 12 months:
- Affiliates, subsidiaries and business partners. We may share your Personal Information with our affiliates or subsidiaries and any company owned or controlled by Resmed. Resmed also partners with other businesses to offer products and services, and we may disclose your Personal Information to those business partners.
- Vendors and service providers. We may disclose your Personal Information to vendors and service providers who perform functions and provide services on our behalf. These vendors and service providers are contractually required to keep your Personal Information confidential and to use your Personal Information for the sole purpose of performing the services we ask them to provide. For example, these vendors and service providers may provide website hosting and IT support, customer support, data hosting, analytics, email solutions, audits, consulting, payment processing, invoicing and legal counsel.
- Business transfers. If we or our affiliates are or may be acquired by, merged with or invested in by another company, or if any of our assets are or may be transferred to another company, whether as part of a bankruptcy or insolvency proceeding or otherwise, we may disclose or transfer the Personal Information we have collected from you to the other company. We may also disclose certain Personal Information as necessary prior to the completion of such a transaction as part of due diligence or as necessary to plan for a transaction.
- Compliance and legal obligations. Resmed may disclose your Personal Information if we are required to do so by law or subpoena or if we reasonably believe such action is necessary to comply with the law and the reasonable requests of regulators, law enforcement or other public authorities. We also may disclose the Personal Information we collect to comply with a judicial proceeding, court order or other legal process, including responding to national security or law enforcement disclosure requirements.
- Aggregate and de-identified information. We may disclose aggregate or de-identified information about users for analytics, research or other purposes.
- Other disclosures. We may disclose Personal Information to others and in ways not described above either as necessary to provide the Services or after we notify you and/or obtain your consent to the extent required by applicable law.
As a general rule, we do not sell or share (as defined by the California Consumer Privacy Act) Personal Information related to Business Contacts.
7. Cookies and other trackers
To facilitate the indirect or automatic collection of Personal Information, we and our service providers may use cookies, pixels, tags and other similar tracking mechanisms. For additional information, refer to “Our use of cookies and other tracking mechanisms” in our Privacy Policy.
When acting in a business-to-business capacity, our use of cookies and other trackers is generally necessary to facilitate your use of our Services or website(s). Where our use of cookies and other trackers is not necessary, we strive to respect your cookie settings, which can be adjusted through your browser or, where applicable, through consent management functionality built into our website(s). Changing your cookie settings may impact the functionality of certain features.
In certain circumstances, we use third-party tools, such as Pendo™ Analytics, Google™ Analytics and Firebase™ Analytics, which are operated by third-party companies. These third-party analytics companies may collect usage data (using cookies, pixels and similar tools) about our Service to provide us with reports and metrics that help us evaluate usage of the Service, improve our sites, service and products and enhance performance and user experiences. To learn about Pendo’s privacy practices, review the Pendo Privacy Policy. To learn more about Google’s privacy practices, review the Google Privacy Policy. You can also download the Google Analytics Opt-out Browser Add-on to prevent your data from being used by Google Analytics at https://tools.google.com/dlpage/gaoptout.
8. Your privacy rights
In this section, we provide additional information for residents of certain North American jurisdictions, including California and other U.S. states, which have passed data privacy laws that provide residents with specific rights regarding their Personal Information. This section describes those rights and how to exercise them, if applicable.
Understanding your rights
Right to know/request access. Regarding Personal Information we have collected about you in the prior twelve (12) months, and subject to certain conditions and exceptions, you may request:
- the categories of Personal Information we collected about you
- the categories of sources from which we collected your Personal Information
- the business or commercial purposes for collecting, selling or sharing your Personal Information
- the categories of third parties to whom we have disclosed your Personal Information
- the specific pieces of your Personal Information collected.
Refer to sections 2 through 6 of this Notice for general information on these topics. We do not collect any Sensitive Personal Information from you when acting in a business-to-business capacity.
Right to delete. Subject to certain conditions and exceptions, you may request that we delete your Personal Information.
Right to correct. Subject to certain conditions and exceptions, you may request that we correct inaccuracies in your Personal Information. Generally speaking, you or an administrator can correct your Personal Information through the self-service portal.
Right to restrict. Subject to certain conditions and exceptions, you may request that we restrict our use of your Personal Information if such Personal Information contains sensitive data or identifiers (“Sensitive Personal Information”). When acting in a business-to-business capacity, we do not collect, use or disclose Sensitive Personal Information for any purpose that would require us to provide you with a right to limit the use of your Sensitive Personal Information.
Right to opt-out of sales and sharing. You have the right to opt-out of the “sale” and “sharing” of your Personal Information, as those terms are defined under applicable laws. While we do not disclose Personal Information to third parties in exchange for monetary compensation, we reserve the right to use third-party analytics and advertising cookies that may be considered “selling” and “sharing” in certain circumstances. To exercise your right to opt-out of the “selling” or “sharing” of your Personal Information where applicable, click the “Do Not Sell or Share My Personal Information” link at the bottom of applicable pages of our website. Submitting an opt-out request will only opt you out of disclosures that are considered “sales” or “sharing,” but it will not opt you out of other disclosures, such as to our service providers.
Right to non-discrimination. We will not discriminate against you for exercising any of the rights described in this section.
Exercising your rights
Because Resmed values your privacy, we strive to honor requests to exercise your privacy rights regardless of whether a particular statute obligates us to do so. However, we make no warranties about our willingness or ability to honor requests in the absence of an applicable legal requirement.
Exercise of certain rights may also be limited in some circumstances, such as where honoring a request may restrict our ability to serve you or your employer. We reserve the right to verify the authenticity of your request before acting on it and any right to decline a request to the extent permitted by applicable law.
To submit a request to exercise any of these rights, you can:
- Call us at 1-800-424-0737
- Complete an online request form at https://www.resmed.com/DataRequest
Verification. Before responding to your request, we must first verify your identity. You must provide us with your first name, last name and email address. We will take steps to verify your request by matching the information provided by you with the information we have in our records. In some cases, we may request additional information to verify your identity, or where necessary, to process your request. If we are unable to verify your identity after a good faith attempt, we may deny the request and, if so, will explain the basis for the denial.
Authorized agents. You may designate someone as an authorized agent to submit requests and act on your behalf. Authorized agents are required to provide proof of their authorization in their first communication with us, and we may also require that the relevant Business Contact directly verify their identity and the authority of the authorized agent. We reserve the right to reject (1) authorized agents who have not fulfilled the above requirements or (2) automated requests where we have reason to believe the security of the requestor’s Personal Information may be at risk.
Response timing and format. We will respond to your request as required under applicable privacy laws. If we deny the request, residents of certain jurisdictions may appeal our decision by sending an email to privacy@resmed.com.
Additional California disclosures
The California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA”), provides California residents with the aforementioned rights. The CCPA and other California laws may also provide additional rights, including the following:
Shine the Light. California’s “Shine the Light” law permits California residents to request certain information regarding our disclosure of Personal Information to third parties for their direct marketing purposes. At this time, we do not disclose Personal Information to third parties for their direct marketing purposes.
Global Privacy Control. California recognizes the universal opt-out signal known as Global Privacy Control (GPC). GPC is a proposed specification that allows you to make a single opt-out of the sale or share of your Personal Information to the extent that a particular website and browser are able to recognize the signal. At Resmed, we strive to honor the GPC as a valid request to opt-out of the sale or share of your Personal Information to the extent applicable. You can change your privacy preferences through the “Do Not Sell or Share My Personal Information” link at the bottom of applicable pages.
Do not track. Our websites and Services do not recognize or respond to any signal which your browser might transmit if you have enabled your browser’s “Do Not Track” feature. However, you can set your preferences for cookies on our websites as described above.
9. Children’s privacy
Our business-to-business offerings are not intended for, or directed to, children or minors of any sort. We do not knowingly collect Personal Information from children under the age of sixteen (16). If you are under 16 years of age, do not use or access our Services at any time or in any manner. If we learn that we have received information directly from a child who is under the age of 16, we will delete such information from our systems. If you are a parent or legal guardian and become aware that your child has provided us with Personal Information without appropriate consent, send an email to privacy@resmed.com.
10. Updates to this Notice
The Notice is current as of the Effective Date set forth above. We may change, update or modify this Notice from time to time, so check back periodically. We will post any updates to this Notice here. If we make any changes to this Notice that materially affect our practices regarding our use of the Personal Information that we have previously collected from you, we will endeavor to provide you with notice.
11. Contact us
If you have any questions or concerns relating to this Notice, contact our Privacy Office:
Privacy Office
Resmed Corp.
9001 Spectrum Center Blvd, San Diego, CA 92123
Tel: 1-800-424-0737
Email: privacy@resmed.com
RH-1111037/1 2024-01