Privacy policy for the PARI Connect app

Last updated: 25 October 2024




PLEASE READ OUR PRIVACY POLICY CAREFULLY BEFORE USING OUR APP.

1 General information
We, PARI Pharma GmbH (‘PARI’), based in Starnberg, are part of the PARI Group. We are
passionate about shaping a world in which everyone can breathe freely. To achieve this, we
develop innovative, high-quality and scientifically tested products for the treatment of
respiratory diseases.

The PARI Connect App (“App”) has been specially developed for patients with chronic lung
disease and can only be used in conjunction with an eTrack Controller. The aim is to
accompany patients and carers on their treatment journey and to provide them with a treatment
management tool.

This privacy policy applies to our mobile iOS and Android apps. We store and process your
health data only with your consent. In this privacy policy, we explain the nature, purpose and
scope of data collection in the context of use of the app. We would like to point out that online
data transfer may be vulnerable to security breaches. Data cannot be completely protected
against access by third parties.

We are aware of our responsibility towards you and your data. We will handle your data with
the greatest of care at all times and in compliance with the applicable data protection
regulations.

2 Controller
The ‘controller’ for processing your ‘personal data’ under the data protection regulations is
ourselves,

PARI Pharma GmbH
Moosstrasse 3
82319 Starnberg, Germany

3 Data protection officer
You can reach our data protection officer as follows:

PARI Pharma GmbH
Data protection officer
Moosstrasse 3
82319 Starnberg, Germany

Tel. +49 (0)8151 279279

or

dataprotection@pari.com.

4 Data processing in the context of registration
What categories of personal data do we process under this data processing activity?

PARI Pharma GmbH shall create a user account for you. We require an email address, a
password and a nickname to do so.

Please create a nickname that does not allow any conclusions to be drawn about your name.
Also with respect to the email address you enter, you may use an address that does not allow
any conclusions to be drawn about your name. This allows you to protect your identity too.

Once you have successfully registered, we shall send you a confirmation email to the email
address you entered.

What do we process your personal data for when you register?

Data processing is carried out to provide your user account. An eTrack controller is required
to use the app.

What is the legal basis for this data processing activity?

The legal basis for this is the performance of a contract with you concerning use of the app as
per Art. 6(1)(1)(b) GDPR/UK GDPR.

Who do we share your personal data with during this data processing activity?

We will not share your data with third parties unless you explicitly enable this in the app to give
your doctor access. More information about this can be found under the section on data
recipients and the ‘Share data’ function (see below).

5 Multi-factor authentication
What categories of personal data do we process under this data processing activity?

Multi-factor authentication can be set up to additionally restrict access to the app. A mobile
phone number is used for this. Ideally, this should be a different mobile phone number to the
one for your device where you install the app. The mobile phone number stored in your user
account is also saved for this purpose. You then receive an additional PIN as an SMS to log
into the app.

What is the legal basis for this data processing activity?

You provide your personal data on a voluntary basis. Data processing is based on your consent
as per Art. 6(1)(1)(a) GDPR/UK GDPR. You may revoke this consent at any time with effect
for the future. The lawfulness of processing carried out based on consent up until revocation
of the same is not affected by such revocation, however. You may send your revocation to
dataprotection@pari.com at any time.

Who do we share your personal data with during this data processing activity?

We do not disclose your data to third parties. More information about this can be found under
the section on data recipients (see below).

6 Data processing in the context of app functions, data storage and data management

What do we process your personal data for during these data processing activities?

We store data in the app so you can view and retrieve it at any time.

• To use the app, you must either connect the app to your eTrack controller (blue or grey
device) and, if applicable, additionally your mySpiroSense via Bluetooth or enter the
invitation code you received from your doctor. The app then transfers and stores the inhalation
data and, if necessary, the lung function measurements. The grey eTrack controller allows
you to automatically transfer your inhalation data via Wi-Fi. Simply register the WiFi name
and the password in the app and on the eTrack Controller.

• The app includes a treatment plan in which you can enter all your treatments and activate
individual reminders. You can also enter what medication you have already taken. You
can also answer questions about your current quality of life, fill out quality of life
questionnaires (cystic fibrosis questionnaire – revised application (‘CFQ-R’)) and enter your current
health data (e.g. oxygen saturation or weight). All the values and all the medication taken
can be viewed in the Analysis section and sent to third parties as a report. You can also
record how intense your coughing was on a coughing scale. There is also a diary function
where you can save comments. By providing this feature, we want to give you an overview
of your treatment.

• The app tracks some of your entries, such as the time you last took medication, to
document the same.

• The app is connected to a PARI back-end where the user and treatment data is stored,
managed and analysed. Central data storage means that data cannot be lost and you can
switch to another mobile phone without having to create a backup first.

• The PARI back-end sends you push notifications that remind you of certain actions in your
treatment process, including synchronisation with the eTrack controller, the end of
treatment breaks, or reports that you can send to third parties if you have activated this function
previously.

• Report function: If you’d like to send your reports to yourself or to a third party, please note
that the reports are sent by email and that this may not be a secure means of
communication unless end-to-end encryption is used.


• ‘Share data’ function: If your doctor uses the PARItrack Dashboard and invites you to
share your data with them, you can enable this function in the app. You enter the code
that your doctor has to give you for this in the ‘Share data’ section or when you first register
in the app and instruct us to make the data available to the doctor. This shares your data
with your doctor in the ‘PARItrack Dashboard’ (encrypted web portal), so they can view
your treatment plan, your treatment performance, your wellbeing, your cough data and the
answers to and results of the completed CFQ-R questionnaires and your vital parameters.
Your doctor will not have access to your diary entries. Your doctor can enable permissions
for additional practice staff to access the PARItrack Dashboard. You can disable this at
any time in the app in the ‘Share data’ section. Your doctor will then no longer be able
to see any of your data (neither from the past, nor from the future).


• In the UK you can also share your inhalation data with the Cystic Fibrosis Health Hub
(CFHealthHub) if you have your eTrack Controller registered in the CFHealthHub platform.
To do that you can select to share your data with the CFHealthHub within the share data
function in the more section. Only your inhalation data will then be transferred to the CFHH
platform. You can disable this at any time in the app in the ‘Share data’ section.

Please refer to the detailed data protection information of CFHealthHub for further
information about data processing within the CFHealthHub.


• “Buddy System” function: This feature allows you to invite someone to support your
treatment journey (“Therapy buddy”) or someone who is automatically informed if your therapy
adherence drops, who can then remind you about your therapy (“Reminder”). These
people have selected access or information about the entries in the app and your therapy.
You can stop sharing at any time. If you change your access rights, your buddy is only
shown the functions you have selected at that time.


• “Cough detection” function: Here, you can record the frequency of your nightly coughing
using the microphone of your smartphone and see the results. If you use this function, the
app will request the following information from you: Age range, biological sex, sleeping
arrangements. The app also has to be authorised to gain access to the microphone of
your device. The microphone has to be switched on. If you have activated this function,
audio recordings are made when the App recognises a coughing sound. These short audio
recordings are saved locally on your device, and are deleted again as soon as the number
of coughs is determined. Nobody has access to the temporary, locally saved audio
recordings. The function is based on a clinically validated algorithm, which analyses and
evaluates the data you have entered for the coughing function and the audio recording. The
cough monitoring does not work in large spaces or outdoors, or if you share your bedroom
with someone of the same sex or with children.

The following additional data can be specified for the app’s above functions:

Height, date of birth, manual information about treatment performance, appointments,
medication, activities, and vital parameters such as weight, oxygen saturation, lung function and
blood sugar.

What are the legal bases for these data processing activities?

You provide your personal data and health data on a voluntary basis. Processing of this data
is based on your consent as per Art. 6(1)(1)(a) and on Art. 9(2)(a) GDPR/UK GDPR for your
health data. You may revoke this consent at any time with effect for the future. The lawfulness
of processing carried out based on consent up until revocation of the same is not affected by
such revocation, however. You may send your revocation to dataprotection@pari.com at any
time. Please note that the processing of this personal data is necessary to guarantee all of the
app’s functionalities.

Who do we share your data with during this data processing activity?

Your data will not be disclosed to third parties as long as you do not actively give your doctor
access to your data using the ‘Share data’ function or your therapy buddy using the ‘Buddy
system’. More information about this can be found under the section on data recipients (see
below).

7 Data processing for the purpose of anonymisation
What do we process your personal data for during these data processing activities?

The data collected when the app is in use may be anonymised by PARI, to remove any
reference to you. The anonymised data is no longer personal data. What characterises anonymised
data is the fact that it lacks any references to specific individuals, and that this information can
no longer be recovered following the anonymisation process. We use the anonymised data,
among other things, for scientific research and statistical purposes, and particularly for the
purpose of evaluating, communicating and (if necessary) proving the effect, use and benefits
of the app.

What are the legal bases for these data processing activities?

The anonymisation process is based on Art. 9(2)(j) GDPR/UK-GDPR.

Who do we share your data with during this data processing activity?

The data is not disclosed to third parties for the anonymisation process.

8 Cookies
The app itself does not use cookies. However, in some country versions we have integrated
important information and content from our website within the app for you. Only technically
necessary cookies are used if you use these functions. No advertising or statistical tracking
takes place. The legal basis is our legitimate interest as per Art. 6(1)(f) GDPR/UK GDPR. Our
interest is to provide user-friendly presentations in the app.

Information about data processing can be found on our website at:
https://www.pari.com/de/datenschutz/datenschutzerklaerung-internet/?disableOptIn=1

9 What we do to protect your data
Our app transfers the data you enter in the app to a PARI-managed server in the AWS cloud
for secure storage and to provide you with the desired app features. For transfer, the data is
encrypted for security reasons and to protect the transfer of confidential content. This
encryption prevents the data you transfer from being read by unauthorised third parties. The data is
also stored in encrypted form on the server.

10 Processor
We work with Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855
Luxembourg (‘AWS’) and “Google Analytics Firebase” (Google Ireland Limited based in Gordon
House, Barrow Street, Dublin 4, Ireland) as partners for the technical implementation and
management of the app. We have concluded appropriate contracts (especially processing
contracts) with the service providers that ensure that your personal data is processed in
accordance with the legal requirements. Processors are not third parties. For the potential transfer to
third countries, see paragraph 18.

11 Data recipients
Your data may be viewed by the following recipients. Some of them only have access to
pseudonymised data.

• Processors such as AWS and Google Analytics Firebase
• Employees and external staff working for the PARI Group who require the data to carry
out their tasks, e.g. app support
• People that you send your reports to in the context of the report function
• Your doctor and their staff and/or the CFHealthHub personnel, if you have shared your
data with them using the ‘Share data’ function
• People that you have invited as therapy buddy

12 Minors
Minors under the age of 16 may only use our app with the consent of a parent or guardian.
Use of the app is prohibited if a parent or guardian does not consent to the processing of the
minor’s personal data. You therefore confirm to us that you are at least 16 years old during the
registration process or that your parents have agreed to the use.

13 The app’s access rights
We require the access rights listed below to provide our services through the app: (i) Bluetooth;
(ii) if the transfer is via WiFi, access rights to this are required; and (iii) if cough detection is
used, the microphone of your smartphone.

For Android devices, the Bluetooth function permits access to location data. We have no
influence over that. In the context of the app, we do not store or use the location data.

14 Requests sent to us
If you contact us (e.g. using the contact form within the app, or by email, phone or fax), we
shall store and process your request, including all personal data resulting from the same (e.g.
name, request), for the purpose of processing your request. The legal basis for processing is
our legitimate interest in responding to your request.

15 Use of analytics tools

Google Analytics Firebase

In the Android version of the app, we use Google Analytics Firebase (hereinafter referred to
as ‘Google Firebase’) to analyse app crashes (Firebase Crashlytics) and to send push
notifications. The provider is Google Inc., Google Ireland Limited, based at Gordon House, Barrow
Street, Dublin 4, Ireland.

Google Firebase stores information for these purposes, including the number and duration of
sessions, operating systems, device models and region.

The use of Google Firebase may require that your personal data be transferred to the USA.
The storage period for the data thus recorded is a maximum of 14 months.

The use of Google Firebase to send push notifications is based on the fulfilment of the contract
with you regarding the use of the app as per Art. 6(1)(1)(a) GDPR/UK GDPR.

Data processing for analysing crash reports is based on your consent to data processing as
per Art. 6(1)(1)(a) and Art. 9(2)(a) of the GDPR/UK GDPR, and appropriate national laws.

More information about Google Firebase can be found at:

https://firebase.google.com

https://www.firebase.com/terms/privacy-policy.html

During transfer to Google Analytics Firebase, your data is encrypted using the HyperText
Transfer Protocol Secure (HTTPS) and transferred over logically separate network
infrastructures. More information about the above-mentioned protection measures can be found at
https://firebase.google.com/support/privacy. Alternatively, you are welcome to contact us by
email on the above-mentioned contact address.

Developer reports on iOS

If you have activated the sharing of iPhone analysis data with Apple Inc. and its subsidiaries
in your iPhone settings, we may also be given the opportunity to access anonymised crash
reports from Apple Inc. The crash reports contain anonymised information on operating system
specifications as well as performance and usage statistics, but no personal data.

16 Internal analyses for product improvement purposes
We analyse your data in pseudonymised form in the context of product improvement. This is
a legitimate interest as per Art. 6(1)(f) of the GDPR/UK-GDPR. If you use our app, your
behaviour and the app’s usage behaviour may be statistically evaluated and analysed to improve
our products. These analyses take place internally. Your pseudonymised data is not disclosed
to third parties.

17 Storage of your data on AWS servers
All data processed with the app is processed on servers belonging to Amazon Web Services
EMEA SARL, 38 Avenue John F. Kennedy, 1855 Luxembourg, Luxembourg (‘AWS’). Data
processing takes place within the EU.

18 Transfer to third countries
PARI will not transfer your data to third countries.

When you use AWS, data are sent to AWS and, under certain circumstances, sent to the USA
to Amazon Inc. Amazon Inc. may process the transferred data to create anonymised user
profiles for statistical purposes. We essentially have no influence on this data processing. AWS
is therefore responsible for this data processing.

AWS has implemented compliance measures for international data transfers. These apply to
all world-wide activities in which AWS processes personal data from natural persons in the EU
and in the UK. Data transfer to the USA is based on the Standard Contractual Clauses (SCC).
Details are available here:
https://aws.amazon.com/de/blogs/security/aws-gdpr-data-processing-addendum/.

AWS is also an active participant in the EU-US Data Privacy Framework, including the UK
Extension, which governs the correct and secure data transfer of personal data from EU and
UK citizens to the USA. AWS undertakes to comply with the European level of data protection
when processing your relevant data, through the EU-US Data Privacy Framework including
the UK Extension and through the SCC, even if the data is stored, processed and managed in
the USA.

More information on the handling of user data is available in the AWS data protection policy at
https://aws.amazon.com/de/privacy/?nc1=f_pr.

Google may also send your data to the USA. Google is an active participant in the EU-US Data
Privacy Framework, including the UK Extension, which governs the correct and secure
transfer of personal data from EU and UK citizens to the USA. Google also uses Standard
Contractual Clauses (SCC). Google undertakes to comply with the European level of data protection
when processing your relevant data through the EU-US Data Privacy Framework including the
UK Extension and through the SCC, even if the data is stored, processed and managed in the
USA. More information is available at https://policies.google.com/privacy.

19 Storage period and deletion in the event of inactivity
Unless expressly otherwise stated in this privacy policy, data stored in association with this
app will be deleted as soon as it is no longer required for its intended purpose and providing
the deletion does not conflict with any statutory retention obligations, e.g. in the case of data
that must be retained for commercial or tax law. National legal provisions set out in commercial
and tax law may require a retention period of up to 10 years.

You have the right to withdraw your consent to the processing of your data at any time and to
apply for the deletion of your data or to object to the processing of your data. If we are not
obliged by law to retain your data, we will delete all of your data.

20 Your rights
You have the right at any time to request that we grant you access to the data stored about
you (Art. 15 of the GDPR / UK GDPR). This also applies to the recipients or categories of
recipients that the data is disclosed to, and the purpose and duration of storage.

You also have the right to request rectification under the conditions set out in Art. 16 of the
GDPR/UK GDPR, the right to request erasure under the conditions set out in Art. 17 of the
GDPR/UK GDPR, and the right to request restriction of processing under the conditions set
out in Art. 18 of the GDPR/UK GDPR.

If personal data is processed for the performance of tasks carried out in the public interest
(Art. 6(1)(1)(e) of the GDPR/UK GDPR) or to safeguard legitimate interests (Art. 6(1)(1)(f) of
the GDPR/UK GDPR), you can object to the processing of your personal data at any time with
effect for the future. If you file an objection, we must refrain from any further processing of
your data for the aforementioned purposes, unless we can demonstrate compelling and
legitimate grounds for processing that outweigh your interests, rights and freedoms, or processing
is necessary for the establishment, exercise or defence of legal claims.

Under the conditions set out in Art. 21(1) of the GDPR/UK GDPR, data processing may
be objected to on grounds relating to the data subject’s particular situation.

Furthermore, you may request a data transfer at any time under the conditions set out in
Art. 20 of the GDPR/UK GDPR.

Please contact dataprotection@pari.com to exercise these rights.

You have the right to lodge a complaint with a data protection supervisory authority without
prejudice to any other administrative or judicial remedy. You may contact the data protection
supervisory authority in your usual place of residence or our company headquarters for this
purpose.

21 Using the app within studies

If you are using the app in the context of a study, it is possible that within the scope of the study
personal data is also partly processed jointly with the person responsible for the study in
accordance with Art. 26 GDPR/UK GDPR. If you have any questions, please contact the person
responsible for the study. Please refer to the detailed patient information and data protection
information concerning participation in studies for further information about data processing
within the study, which the person responsible for the study will give you. The person
responsible for the study is also the point of contact for your enquiries.

22 Modifications
We reserve the right to modify our security and data protection measures if this becomes
necessary due to technical developments. In such cases, we shall also adapt our privacy policy
accordingly. Please, therefore, ensure that you have accessed the latest version of our privacy
policy in each case.

The current version of our privacy policy can be found in the app under ‘More’.