Insulet Corporation Privacy Policy

Version June 2023

This section describes how we process personal data of customers using the Omnipod® 5 Automated Insulin Delivery System ("Omnipod® 5 System"). Navigate to the relevant section for more information on:

1.1 What personal data we collect
1.2 Why we process your personal data
1.3 Processing personal data of customers <18 years old
1.4 Sharing of your personal data

1.1 What personal data we collect

We will collect personal data directly from you, and in some instances from other sources.

1.1.1 Personal data we collect directly from you

The categories of personal data that we may collect directly from you include the following:

• personal and contact details: e.g. name, date of birth, phone number, email address, gender and postal address;
• order details: e.g. date of order, pod start date, purchase order;
• payment details: e.g. card information, insurance details and billing information;
• technical device information: e.g. the Internet Protocol address for your device, device identifiers, diagnostics data (log files) providing information on the functioning and use of the Omnipod 5® System;
• health data: any information about your diabetes condition and treatment, such as information about your use of Insulet products or services, information on your use of the Omnipod 5® System (such as total-, basal- and bolus insulin delivery, meal information, notifications, glucose levels, time zone you are in, Pod state, Controller state, Continuous Glucose Monitoring (“CGM”) system state, and settings data), product orders, product training information and health insurance coverage; personal data you provide directly to Insulet when contacting us: e.g. when you email us, call the Omnipod® Customer Care Team (your call may be recorded), or when you submit information in the online Omnipod® account. Please ensure that you only provide necessary data relating to your specific request; and
• personal data you provide directly to Insulet when using our web-services or applications: e.g. when using your Omnipod® ID, the online Omnipod® account, www.omnipod.com or our other websites (the "Websites"), filling in surveys or using other communication platforms to contact or tag Insulet, such as social media.

We may be required to collect some of this personal data from you in order to fulfil a contract we have with you (e.g. we cannot deliver products to you without your name and postal address or take payment without your card details).

1.1.2 Personal data we collect from other sources

The categories of personal data that we may collect from other sources include the following:

• personal and contact details, e.g. name, date of birth, phone number, email address, gender, postal address, from your health care professional;
• health data about your diabetes condition and treatment or in the event of issues with your Omnipod® 5 System, from for example your health care professional;
• health insurance information from your health insurance company or the national healthcare system, where applicable;
• health data from data management platforms you use, from for example Glooko if you have instructed Glooko to share such data with us, or if needed for troubleshooting purposes in the event issues occur;
• health data and your product complaint data from the CGM system provider you use, for example Dexcom; and
• technical usage data when you visit our Websites, use our applications or web-based communication channels or services we create, use, offer or operate. We receive such data via the use of cookies or similar technologies. Please find more information on the use of such technologies on our Website in our cookie policy.

1.2 Why we process your personal data

We may use your personal data, including your health data, for the following purposes:

• order and payment management and product support: we may process your personal data to conclude and execute our contract with you, such as for managing your Insulet product and service order(s) and relevant payments, providing product support, responding to any requests and inquiries you make to us, including to understand more about your particular situation and how our products and services might help, and providing you with relevant information (e.g. in relation to using a Controller). Where applicable, we process your personal data to obtain payment or reimbursement for products from your healthcare provider or insurer or the national healthcare system. If you request a replacement product via the online Omnipod® account, we may make use of an automated questionnaire to assess your eligibility to replacement products based on our internal product replacement guidelines. You may always call the Omnipod® Customer Care Team to discuss your eligibility. We are required to process your personal data based on a legal basis. The processing of your personal data to manage your orders and payment and to provide product support is necessary to perform our contract with you or to take steps at your request prior to entering into a contract. Considering the context in which we process your personal data, we take the view that your personal data in relation to contract performance reveals data concerning your health, a special category of personal data. Therefore, to the extent the processing concerns your health data, we also rely on your consent as the lawful basis for this purpose.
• training on the use of the Omnipod 5® System: we process your personal data to invite you to and provide you with trainings on the use of the Omnipod 5® System, or other Insulet products or services. We process your contact details, information on which product you use, information you provide during the training and information we may receive from your health care provider. After the training, we may send you a survey by email to request your feedback on the training, in order to evaluate and improve the training. We process your personal data based on the necessity of processing for reasons of public interest in the area of public health, namely to ensure a high standard of quality and safety of our products and services. Further, we evaluate your survey feedback to improve our trainings based on your consent.
• setup and use of your Omnipod® ID: we process your personal data (your contact details and date of birth) for the set-up of your Omnipod® ID. Based on the personal data you provide, we verify in our systems whether you are an Insulet customer and are authorized to create an Omnipod® ID. We also process your personal data for use of your Omnipod® ID, such as for activation and use of your Omnipod® 5 System and for access to the online Omnipod® account, and maintenance of your Omnipod® ID. We process your personal data based on your consent.
  
  Your Omnipod® ID is necessary for setup and use of the Omnipod® 5 System and for access to the online Omnipod® account. For completeness, we inform you that if you do not consent or withdraw your consent to the processing of personal data necessary for the use and maintenance of the Omnipod® ID, we cannot provide you with the Omnipod® 5 System and online Omnipod® account. If you have any questions on this point, please contact the Omnipod® Customer Care Team at 0800 011 6132 or +44 20 3887 1709 if calling from abroad.* You can also withdraw your consent via our webform.
• setup and use of your Omnipod 5® System: we process your personal data, including your Omnipod® ID and the Omnipod 5® System data (such as diagnostic data related to the insulin pump functioning, connectivity between the Omnipod® 5 System devices, or insulin delivery, and the Controller ID, Controller version, software version, and security certificates) that we collect from your Omnipod 5® System for the provision thereof, such as to:
  1. set-up and activate your Omnipod® 5 System, for example by verifying your Omnipod® ID and processing your privacy preferences;
  2. ensure the security of your personal data, for example by regularly verifying your Omnipod® ID and security certificates of your Controller;
  3. ensure the proper functioning of the Omnipod® 5 System. We automatically receive diagnostics data (log files) providing information on your use of the Omnipod 5® System and how it functioned from your Omnipod® 5 System in the event an issue (e.g. related to the insulin pump functioning, connectivity between the Omnipod® 5 System devices, or insulin delivery) is recognized by the Pod or Controller. We process such data to ensure the safety of the Omnipod® 5 System, perform technical and security maintenance of the Omnipod® 5 System, identify and fix bugs, troubleshoot the Omnipod® 5 System, and to develop updates of the Omnipod® 5 System;
  4. provide you with software updates of the Omnipod® 5 System. We check which software and Controller version you are using before providing an update;
  5. assist you with your use of the Omnipod 5® System upon your request. For this purpose, we may among others process diagnostics data and combine such data with other data we hold on you (such as your contact details); and
  
  Our main interest is that you know what we are doing and why we are doing it. We therefore rely on your consent as the primary lawful basis for the processing of your personal data this purpose. You may contact us to withdraw your consent at any time. We do inform you, however, that our other interest is that the Omnipod® 5 system is and remains safe and secure. We therefore continue to process certain of your personal data if you withdraw your consent to ensure that we provide you with a medical device adhering to high standards of quality and safety, which is our legitimate interest.
  
  If you have any questions on this point or wish to withdraw your consent, please contact the Omnipod® Customer Care Team at 0800 011 6132 or +44 20 3887 1709 if calling from abroad.* You can also withdraw your consent via our privacy webform.
   
• use of the online Omnipod® account: we process your personal data (e.g. your Omnipod® ID, personal and contact details, privacy settings, order history, training history, complaint history, and complaints you lodge) when you use the online Omnipod® account, e.g. to authenticate you, allow you to update your personal and contact details, process your orders, investigate complaints you lodge in the portal, determine warranty replacement eligibility, implement your privacy preferences, and maintain the online Omnipod® account. You can change your Omnipod® ID/username, password, and phone number for multi-factor authentication in the online Omnipod® account. We process your personal data on the basis of your consent for this purpose. You can withdraw your consent at any time by contacting contact the Omnipod® Customer Care Team at 0800 011 6132 or +44 20 3887 1709 if calling from abroad* or by updating your choices in the online Omnipod® account.
   
• Product research, development and improvement: we may collect data from your Omnipod 5® System (e.g. total- basal-, bolus insulin delivery, meal information, notifications, glucose levels, Pod state, Controller state, CGM system state, device identifiers and settings data) and process such data in pseudonymized format in combination with your demographic data (e.g. gender, age, country, type of diabetes and diabetes treatment) to conduct research on and improve the Omnipod® 5 System and related Insulet products, and to develop new products. We may use the outcome of our research as well to disseminate knowledge in the clinical community, support product claims, feed into clinical decision support tools used by Health Care Professionals to optimize diabetes treatment, develop training materials, improve the Omnipod® 5 System setup process, analyse data to identify items relevant for product risk management,, comply with our legal obligations related to medical devices, report to competent authorities, and support new or updated marketing authorisations.
  
  For the abovementioned purposes, we may for example analyse:
   
  1. self-management patterns, customer experience, insulin treatment patterns, glycaemic outcomes, product effectiveness and safety of Omnipod 5® System customers;
  2. product and product feature usage, usage patterns and product performance, among others to enhance the insulin delivery algorithm, identify prompts, insights or feedback that could be provided to customers, understand and address alerts and alarms, calculate probability and occurrence rates for product investigations, identify and address software or hardware shortcomings, and inform future product designs;
  3. treatment behaviours of customers that may be at high-risk of using the Omnipod® 5 System sub-optimally;
  4. bolus behaviour, among others to enhance the bolus calculator and interface; and
  5. connectivity metrics of the CGM system, Pod and Controller, among others to identify and address potential system issues.
  
  We will only collect and process data from your Omnipod 5® System for this purpose if you have consented to this. The provision of your consent is optional, and you may withdraw your consent at any time by contacting contact the Omnipod® Customer Care Team at 0800 011 6132 or +44 20 3887 1709 if calling from abroad* or by updating your choices in the online Omnipod® account. In some instances, for example if your data is part of an ongoing research project, we may continue processing data we collected prior to your withdrawal of consent based on our legitimate interest to process personal data for reasons of public interest in the area of public health, namely to ensure high standards of quality and safety of medical devices, or if necessary for scientific research or for statistical purposes if, based on your individual case, the deletion of your data would render impossible or seriously impair the achievement of our research.
  
  To conduct product research, development and improvement, we may combine information related to your use of the Omnipod 5® System with other personal data we hold on you, such as your demographic data (e.g. age, country, date or age of diagnosis, previous therapy, gender), our internal customer identifier, or data we may receive from data management platform providers and/or CGM system providers if you have separately agreed to sharing such data.
   
• Data sharing with Glooko AB: upon your request, we can link your Omnipod® ID to your Glooko account and collect data from your Omnipod 5® System (e.g. total-, basal- and bolus insulin delivery, notifications, glucose levels, Pod state, Controller state, device identifiers and settings data) to share in real-time with Glooko AB to automatically synchronize and display your personal data on your diabetes treatment in the Glooko data management platform. If you link to Glooko and enable data sharing after the first-time setup of your Omnipod® 5 System, we will also share data on your use of the Omnipod 5® System of approximately the last 90 days that is available in our systems.
  
  We will only link your Omnipod® ID to your Glooko account and share your personal data with Glooko AB if you have consented to this. The provision of your consent is optional, and you may withdraw your consent to data sharing at any time by unlinking your Omnipod® ID and Glooko account in the online Omnipod® account or by contacting the Omnipod® Customer Care Team. If you unlink, we will stop sharing your Omnipod® 5 System data with Glooko AB. Any data that you have shared previously will remain available in your Glooko account.
  
  Glooko AB will process your personal data as separate and individual data controller in accordance with the Glooko privacy notice. Insulet cannot control and is not responsible for Glooko AB’s processing of your personal data. If you have any questions on how Glooko AB processes your personal data, please contact Glooko AB at [email protected].
   
• evaluating and improving our products and services: we may process your personal data to request feedback on your satisfaction of our products and services, analyse information about how you use our services, analyse feedback that you provide via surveys regarding our products and services, provide an improved experience for our customers, and improve and evaluate our products and services. This may include pseudonymizing your data to perform data analytics and internal reporting to understand how our products and services are used. As a legal basis for these purposes, we rely on your consent. Further, we may record or monitor your phone calls to the Omnipod® Customer Care Team for quality control and training purposes. We will inform you before recording the phone call and you can choose not to be recorded.
• marketing, newsletters and email communications: we may process your personal data to send you marketing communications, such as information on any of our new and/or existing products and services. We may personalise these messages to make them more relevant and interesting for you, for example based on the type of Insulet product or CGM you use, and on whether you are a customer or legal guardian. We will obtain your consent first before sending you marketing messages and newsletters. Further, we may review your interaction with our emails, for example to improve the effectiveness of our marketing messages. We may also use your personal data to send you reorder reminder emails, if applicable in your jurisdiction. You can always unsubscribe from marketing messages and newsletters by clicking the "Unsubscribe" link included in each marketing communications or contacting us directly via the following privacy webform.
• complaint investigation: we process diagnostics data providing information on your use of the Omnipod 5® System and how it functioned in the last couple of days(e.g. related to the insulin pump functioning, connectivity between the Omnipod® 5 System devices, or insulin delivery) to investigate a complaint you may lodge regarding the Omnipod 5® System, and to maintain the Omnipod 5® System if necessary. We may combine such data with other data we hold on you, such as your contact details, to address your complaint. During your use of the Omnipod®5 System, we automatically receive diagnostics data on your use of the Omnipod® 5 System, such as data related to the algorithm status, CGM status, insulin deliver, bolus, basal programme and settings, and log files that we receive if an event is recognized by the Pod or Controller. Such data may be relevant to investigate your complaint. Further, we receive additional diagnostics data for investigation purposes if you upload your Omnipod 5® System diagnostics data from your Controller to Insulet after your contact with the Omnipod® Customer Care Team on your complaint. In the event your Controller needs to be replaced, we may ask you to return it and we may analyse the Omnipod 5® System diagnostics data on your Controller to investigate your complaint. We process your data for complaint investigation based on our legitimate interest to ensure high standards of quality and safety of medical devices, and may use the outcome to fix bugs.
• reasons of public interest in the area of public health: we may process and disclose your personal data, such as your complaint data and Omnipod 5® System diagnostics data that we automatically receive related to the algorithm status, CGM status, insulin deliver, bolus, basal programme and settings, or in the event an issue is recognized by the Pod or Controller, for reasons of substantial public interest in the area of public health (including ensuring high standards of quality and safety of medical devices, or to prevent or lessen a serious and imminent threat to the health or safety of a person or the public). We process your personal data based on a legal obligation we are subject to in various EU Member States, or based on our legitimate interests to ensure the continued safety and performance of the Omnipod®5 System or to cooperate with or report to a competent authority in cases where we believe this is necessary. Such processing, including disclosure of your personal data, may for instance be necessary to:
   
  1. provide you with relevant regulatory information, including safety notices;
  2. to identify and analyse trends on e.g. incidents or undesirable side-effects and report such trends to competent authorities;
  3. conduct analytics on the safety and performance of the Omnipod® 5 System; and
  4. to cooperate with or report to competent authorities (e.g. health authorities, authorities that oversee the healthcare system, the U.S. Food and Drug Administration, or authorities responsible for criminal law enforcement) regarding e.g. activities authorised or required by law, such as audits, investigations, and inspections, or to report incidents.
• reasons of public interest: we may process and disclose your personal data for reasons of substantial public interest (e.g. compliance with tax requirements). We process your personal data based on a legal obligation we are subject to or based on our legitimate interests to cooperate with or report to a competent authority in cases where we believe this is necessary.
• exercising our rights or to comply with legal or regulatory obligations: we may process and disclose your personal data to the extent necessary to establish, exercise or defend legal claims, for example to detect, prevent and respond to any product liability claims, fraud claims, intellectual property infringement claims or violations of law or the contract, when it is in our, or our partners’ legitimate interests. You will be notified of any such uses or disclosures to the extent permitted by law. For this purpose, we may process among others diagnostics data (log files) (e.g. related to the insulin pump functioning, connectivity between the Omnipod® 5 System devices, or insulin delivery) from your Omnipod® 5 System in the event of an issue, or when you lodge a complaint and your complaint data. We may also process your data to investigate and respond to whistleblowing activities, based on a legal obligation or our legitimate interest.
• emergencies: if you require emergency treatment and we are unable to obtain your consent, we may disclose your health data to a family member,relative or health care professional who is involved in your care. We rely on our legitimate interest to protect your vital interests for this purpose.
• dentification and authentication: we use your identification information to verify your identity when you access and use our services, for example when you contact the Omnipod® Customer Care Team. We process your personal data based on our legitimate interest to provide you with a secure service.
• clinical trial and related research: we may collect health data about you if you participate in a clinical trial. If you participate in such trial, we will inform you about how we process your personal data for the purpose of the clinical trial or related research in that context, for example in the informed consent form.

When we rely on your consent to use your personal data you have the right to withdraw your consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Please change your privacy settings in the online Omnipod® account or contact us using the following webform if you wish to withdraw your consent. If you have any questions on this point, please contact the Omnipod® Customer Care Team at 0800 011 6132 or +44 20 3887 1709 if calling from abroad.*

Where we rely on our legitimate interests to process personal data, you can find out more about this basis for processing, or object to these uses of personal data by contacting us using the following webform

1.3.Processing personal data of customers <18 years old

We may process personal data of minors in the event a customer has not yet reached the age of 18 years old ("dependant"). We process the dependant's personal data in accordance with this Privacy Policy.

We request the legal guardian of the dependant to manage the dependant's contact and interaction with Insulet, including the managing of their privacy rights. For example, we request the legal guardian to create an Omnipod® ID in order to set up and activate the Omnipod® System for their dependant, manage their privacy preferences, and access the online Omnipod® account. The legal guardian can also contact the Omnipod® Customer Care Team with questions and request regarding our processing of their dependant's personal data.

For more information on our processing of the legal guardian's personal data, please see the section of this privacy policy.

1.4.Sharing of your personal data

We may share your personal data, including your health data, with third parties under the following circumstances and to the extent permitted by law:

• service providers and business partners: we may share your personal data with our service providers and business partners that perform customer support services and other business operations for us. For example, we may partner with other companies to process secure payments, fulfil orders, optimize our services, provide online product trainings, support email and messaging services and analyse information.
• IT service providers and business partners: we may share your personal data with our IT service providers and other business partners, such as the service providers of our customer relationship management system, cloud storage locations, identification management system, application security providers, and resource planning system.
• Insulet Group of companies: the entities that form the Insulet Group of companies work closely together to provide our products and services to you. We may share certain of your personal data with the Insulet Group of companies for business operations and marketing purposes.
• billing or payment services: we may share your personal data with companies who will process payment for the products you use, or with your insurer for reimbursement purposes.
• Glooko (data management platform): we share your personal data with Glooko AB if you consent to linking your Omnipod® ID to your Glooko account and sharing your personal data related to your use of the Omnipod 5® System with Glooko AB to synchronise such data with your Glooko account. Such data sharing allows you to view the information on your use of the Omnipod 5® System and diabetes treatment in the data management platform of Glooko and share such data with your healthcare professional if you wish. The provision of your consent is optional and you may withdraw your consent at any time by updating your preferences in the online Omnipod® account or by contacting the Omnipod® Customer Care Team at 0800 011 6132 or +44 20 3887 1709 if calling from abroad.* In case of questions about the service provided by Glooko, please contact Glooko at [email protected]
• CGM system providers: we may share your personal data with your CGM system provider in case you file a complaint related to the use of your CGM system.
• authorities responsible for criminal law enforcement, court, regulator, public authority or other third party: we may share your personal data with these parties where we believe this is necessary to comply with a legal or regulatory obligation, or otherwise to protect our rights or the rights of any third party
• asset purchasers: we may share your personal data with any third party that purchases, or to which we transfer, all or substantially all of our assets and business. Should such a sale or transfer occur, we will use reasonable efforts to try to ensure that the entity to which we transfer your personal data uses it in a manner that is consistent with this Privacy Policy.

Version June 2023

This section describes how we process personal data of customers using the DASH or EROS Insulin Delivery system. Navigate to the relevant section for more information on:

1.1 What personal data we collect
1.2 Why we process your personal data
1.3 Processing personal data of customers <18 years old
1.4 Sharing of your personal data

1.1. What personal data we collect

We will collect personal data directly from you, and in some instances from other sources.

1.1.1. Personal data we collect directly from you

The categories of personal data that we may collect directly from you include the following:

• personal and contact details: e.g. name, date of birth, phone number, email address, gender and postal address;
• order details: e.g. date of order, pod start date, purchase order;
• payment details: e.g. card information, insurance details and billing information;
• technical device information: e.g. the Internet Protocol address for your device, device identifiers, diagnostics data (log files) providing information on the functioning and use of the EROS or DASH system when you return the system for product complaint investigations;
• health data: any information about your diabetes condition and treatment, such as information about your use of Insulet products or services product orders, product training information and health insurance coverage;
• personal data you provide directly to Insulet when contacting us: e.g. when you email us, call the Omnipod® Customer Care Team (your call may be recorded), or when you submit information in the online Omnipod® account. Please ensure that you only provide necessary data relating to your specific request; and
• personal data you provide directly to Insulet when using our web-services or applications: e.g. when using your Omnipod® ID, the online Omnipod® account, www.omnipod.com or our other websites (the "Websites"), filling in surveys or using other communication platforms to contact or tag Insulet, such as social media.

We may be required to collect some of this personal data from you in order to fulfil a contract we have with you (e.g. we cannot deliver products to you without your name and postal address or take payment without your card details), and we will inform you of this when we collect that information.

1.1.2. Personal data we collect from other sources

The categories of personal data that we may collect from other sources include the following:

• personal and contact details, e.g. name, date of birth, phone number, email address, gender, postal address, from your health care professional;
• health data about your diabetes condition and treatment or in the event of issues with your EROS or DASH System, from for example your health care professional;
• health insurance information from your health insurance company or the national healthcare system, where applicable;
• health data from data management platforms you use, from for example Glooko if you have instructed Glooko to share such data with us, or if needed for troubleshooting purposes in the event issues occur; and
• technical usage data when you visit our Websites, use our applications or web-based communication channels or services we create, use, offer or operate. We receive such data via the use of cookies or similar technologies. Please find more information on the use of such technologies on our Website in our cookie policy.

1.2. Why we process your personal data

We may use your personal data, including your health data, for the following purposes:

• order and payment management and product support: we may process your personal data to conclude and execute our contract with you, such as for managing your Insulet product and service order(s) and relevant payments, providing product support, responding to any requests and inquiries you make to us, including to understand more about your particular situation and how our products and services might help, and providing you with relevant information (e.g. in relation to using a Controller). Where applicable, we process your personal data to obtain payment or reimbursement for products from your healthcare provider or insurer or the national healthcare system. If you request a replacement product via the online Omnipod® account, we may make use of an automated questionnaire to assess your eligibility to replacement products based on our internal product replacement guidelines. You may always call the Omnipod® Customer Care Team to discuss your eligibility. We are required to process your personal data based on a legal basis. The processing of your personal data to manage your orders and payment and to provide product support is necessary to perform our contract with you or to take steps at your request prior to entering into a contract. Considering the context in which we process your personal data, we take the view that your personal data in relation to contract performance reveals data concerning your health, a special category of personal data. Therefore, to the extent the processing concerns your health data, we also rely on your consent as the lawful basis for this purpose.
• training on the use of the DASH or EROS System: we process your personal data to invite you to and provide you with trainings on the use of the DASH or EROS System, or other Insulet products or services. We process your contact details, information on which product you use, information you provide during the training and information we may receive from your health care provider. After the training, we may send you a survey by email to request your feedback on the training, in order to evaluate and improve the training. We process your personal data based on the necessity of processing for reasons of public interest in the area of public health, namely to ensure a high standard of quality and safety of our products and services. Further, we evaluate your survey feedback to improve our trainings based on your consent.
• setup and use of your Omnipod® ID: we process your personal data (your contact details and date of birth) for the set-up of your Omnipod® ID. Based on the personal data you provide, we verify in our systems whether you are an Insulet customer and are authorized to create an Privacy Policy Omnipod® ID. We also process your personal data for use of your Omnipod® ID, for access to the online Omnipod® account, and maintenance of your Omnipod® ID. We process your personal data based on your consent.
  
  Your Omnipod® ID is necessary to the online Omnipod® account. For completeness, we inform you that if you do not consent or withdraw your consent to the processing of personal data necessary for the use and maintenance of the Omnipod® ID, we cannot provide you with the online Omnipod® account. If you have any questions on this point, please contact the Omnipod® Customer Care Team at 0800 011 6132 or +44 20 3887 1709 if calling from abroad.* You can also withdraw your consent via our privacy webform.
• use of the online Omnipod® account: we process your personal data (e.g. your Omnipod® ID, personal and contact details, privacy settings, order history, training history, complaint history, and complaints you lodge) when you use the online Omnipod® account, e.g. to authenticate you, allow you to update your personal and contact details, process your orders, investigate complaints you lodge in the portal, determine warranty replacement eligibility, implement your privacy preferences, and maintain the online Omnipod® account. You can change your Omnipod® ID/username, password, and phone number for multi-factor authentication in the online Omnipod® account. We process your personal data on the basis of your consent for this purpose. You can withdraw your consent at any time by contacting contact the Omnipod® Customer Care Team at 0800 011 6132 or +44 20 3887 1709 if calling from abroad* or by updating your choices in the online Omnipod® account.
• evaluating and improving our products and services: we may process your personal data to request feedback on your satisfaction of our products and services, analyse information about how you use our services, analyse feedback that you provide via surveys regarding our products and services, provide an improved experience for our customers, and improve and evaluate our products and services. This may include pseudonymizing your data to perform data analytics and internal reporting to understand how our products and services are used. As a legal basis for these purposes, we rely on your consent. Further, we may record or monitor your phone calls to the Omnipod® Customer Care Team for quality control and training purposes. We will inform you before recording the phone call and you can choose not to be recorded.
• marketing, newsletters and email communications: we may process your personal data to send you marketing communications, such as information on any of our new and/or existing products and services. We may personalise these messages to make them more relevant and interesting for you, for example based on the type of Insulet product or CGM you use, and on whether you are a customer or legal guardian. We will obtain your consent first before sending you marketing messages and newsletters. Further, we may review your interaction with our emails, for example to improve the effectiveness of our marketing messages. We may also use your personal data to send you reorder reminder emails, if applicable in your jurisdiction. You can always unsubscribe from marketing messages and newsletters by clicking the "Unsubscribe" link included in each marketing communications or contacting us directly via the following privacy webform.
• complaint investigation: we process diagnostics data providing information on your use of the EROS or DASH System and how it functioned in the last couple of days (e.g. related to the insulin pump functioning, or insulin delivery) to investigate a complaint you may lodge regarding the EROS or DASH System, and to maintain the EROS or DASH System if necessary. We may combine such data with other data we hold on you, such as your contact details, to address your complaint. We receive diagnostics data for investigation purposes if you return your Controller or Pod to Insulet. In the event your Controller needs to be replaced, we may ask you to return it and we may analyse the EROS or DASH System diagnostics data on your Controller to investigate your complaint. We process your data for complaint investigation based on our legitimate interest to ensure high standards of quality and safety of medical devices, and may use the outcome to fix bugs.
• reasons of public interest in the area of public health: we may process and disclose your personal data, such as your complaint data in the event an issue is recognized by the Pod or Controller, for reasons of substantial public interest in the area of public health (including ensuring high standards of quality and safety of medical devices, or to prevent or lessen a serious and imminent threat to the health or safety of a person or the public). We process your personal data based on a legal obligation we are subject to or based on our legitimate interests to cooperate with or report to a competent authority in cases where we believe this is necessary. Such processing, including disclosure of your personal data, may for example be necessary to:
  1. provide you with relevant regulatory information, including safety notices;
  2. to identify and analyse trends on e.g. incidents or undesirable side-effects and report such trends to competent authorities; and
  3. to cooperate with or report to a competent authorities (e.g. health authorities, authorities that oversee the healthcare system, the U.S. Food and Drug Administration, or authorities responsible for criminal law enforcement) regarding e.g. activities authorised or required by law, such as audits, investigations, and inspections, or to report incidents.
• reasons of public interest: we may process and disclose your personal data for reasons of substantial public interest (e.g. compliance with tax requirements). We process your personal data based on a legal obligation we are subject to or based on our legitimate interests to cooperate with or report to a competent authority in cases where we believe thisis necessary.
• exercising our rights or to comply with legal or regulatory obligations: we may process and disclose your personal data to the extent necessary to establish, exercise or defend legal claims, for example to detect, prevent and respond to any product liability claims, fraud claims, intellectual property infringement claims or violations of law or the contract, when it is in our, or our partners’ legitimate interests. You will be notified of any such uses or disclosures to the extent permitted by law. For this purpose, we may process among others diagnostics data (log files) (e.g. related to the insulin pump functioning or insulin delivery) from your EROS or DASH System in the event of an issue, or when you lodge a complaint and your complaint data. We may also process your data to investigate and respond to whistleblowing activities, based on a legal obligation or our legitimate interest.
• emergencies: if you require emergency treatment and we are unable to obtain your consent, we may disclose your health data to a family member,relative or health care professional who is involved in your care. We rely on our legitimate interest to protect your vital interests for this purpose.
• identification and authentication: we use your identification information to verify your identity when you access and use our services, for example when you contact the Omnipod® Customer Care Team. We process your personal data based on our legitimate interest to provide you with a secure service
• clinical trial and related research: we may collect health data about you if you participate in a clinical trial. If you participate in such trial, we will inform you about how we process your personal data for the purpose of the clinical trial or related research in that context, for example in the informed consent form.

When we rely on your consent to use your personal data you have the right to withdraw your consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Please change your privacy settings in the online Omnipod® account or contact us using the following privacy webform if you wish to withdraw your consent.

Where we rely on our legitimate interests to process personal data, you can find out more about this basis for processing, or object to these uses of personal data by contacting us using the following privacy webform.

1.3. Processing personal data of customers <18 years old

We may process personal data of minors in the event a customer has not yet reached the age of 18 years old ("dependent"). We process the dependent's personal data in accordance with this Privacy Policy.

We request the legal guardian of the dependent to manage the dependent's contact and interaction with Insulet, including the managing of their privacy rights. For example, we request the legal guardian to create an Omnipod® ID in order to set up and activate the Omnipod® System for their dependent, manage their consent preferences, and access the online Omnipod® account. The legal guardian can also contact the Omnipod® Customer Care Team with questions and request regarding our processing of their dependent's personal data.

For more information on our processing of the legal guardian's personal data, please see the section.

1.4. Sharing of your personal data

We may share your personal data, including your health data, with third parties under the following circumstances and to the extent permitted by law:

• service providers and business partners: we may share your personal data with our service providers and business partners that perform customer support services and other business operations for us. For example, we may partner with other companies to process secure payments, fulfil orders, optimize our services, provide online product trainings, support email and messaging services and analyse information.
• IT service providers and business partners: we may share your personal data with our IT service providers and other business partners, such as the service providers of our customer relationship management system, cloud storage locations, identification management system, application security providers, and resource planning system.
• Insulet Group of companies: the entities that form the Insulet Group of companies work closely together to provide our products and services to you. We may share certain of your personal data with the Insulet Group of companies for business operations and marketing purposes.
• billing or payment services: we may share your personal data with companies who will process payment for the products you use, or with your insurer for reimbursement purposes.
• authorities responsible for criminal law enforcement, court, regulator, public authority or other third party: we may share your personal data with these parties where we believe this is necessary to comply with a legal or regulatory obligation, or otherwise to protect our rights or the rights of any third party.
• asset purchasers: we may share your personal data with any third party that purchases, or to which we transfer, all or substantially all of our assets and business. Should such a sale or transfer occur, we will use reasonable efforts to try to ensure that the entity to which we transfer your personal data uses it in a manner that is consistent with this Privacy Policy.

Version: June 2023

This section describes how we process personal data relating to health care professionals and business contacts (referred to as 'you' in this notice. Navigate to the relevant section for more information on:

1.1 What personal data we collect
1.2. Why we process your personal data
1.3. Sharing of your personal data

1.1. What personal data we collect

The categories of personal data that we may collect about you include:

• personal details (e.g. name, title, job title, area of practice, qualifications);
• contact details (e.g. phone number, email address, practice or hospital address);
• technical device information (e.g. the Internet Protocol address for your device or device identifier if you use our websites);
• training data and certifications (e.g. training completion data, training history, training dates, certifications, resumé);
• financial data, (bank account details, payment details, financial disclosure information);
• Authentication data / user credentials, logging details when you create an account to use our services or to verify your identity.
• Insulet customer data – information about your past or present patients which use our products or services (e.g. their name, the fact you referred them to us, how long they used our products or services); and
• personal data you provide directly to Insulet when using our web-services or applications: e.g. when filling in surveys or using other communication platforms to contact or tag Insulet, such as social media.

We collect this information either directly from you or from other sources, which may include your patients if they contact us directly before speaking to you, or we may obtain it from industry databases to whom you have consented to the sharing of your information or through publicly available sources such as your public profiles online. We require some of thisinformation before entering into any contract with you (e.g. your name and details of your qualifications).

1.2. Why we process your personal data

We use your personal data for the following purposes:

• Providing our services: we use your personal data to make deliveries of products, provide online product training and services which you can pass on to your patients, if requested, and to enable us to provide invoices for our products. We also may process your personal data in order to communicate service and product updates to you. This is to meet our contractual obligations to you, or to meet our legitimate interests in providing our customers with products they have requested to be delivered to you;
• Responding to your requests and inquiries: we use your personal data to respond to any requests and inquiries you make to us, in order to make sure that we provide the best service to health care professionals that recommend our products;
• Marketing: we may use your personal data to send marketing messages to you, and to make them more relevant and interesting, and to invite you to participate in company events we feel are of interest to you. This may include providing you with information on any of our new and/or existing products. It is in our legitimate interest to carry out marketing in order to promote our business and, where required by law, we will obtain your consent first. You can always unsubscribe from marketing messages and newsletters by clicking the "Unsubscribe" link included in each marketing communications or contacting us directly via the following privacy webform.
• Training on the use of the Omnipod® Systems: we process your personal data to invite you to and provide you with trainings on the use of the Omnipod® System, or other Insulet products or services. We process your contact details and training completion data. After the training, we may send you a survey by email to request your feedback on the training, in order to evaluate and improve the training. We process your personal data based performance of a contract or based on our legitimate interests.
• Improving our product and/ or services: we analyse information about how you use our products and/ or services to provide an improved experience going forward (for example monitoring the sorts of questions we get asked to provide consistent responses). We also may use your personal data when you are invited to, and participate in, market research studies or surveys. This is in our legitimate business interests in understanding any issues with ours ervices in order to improve them where required by law, however, where necessary, we will obtain your consent first. Further, we may record or monitor your phone calls to the Omnipod® Customer Care Team for quality control and training purposes. We will inform you before recording the phone call and you can choose not to be recorded.
• Participation in clinical studies: if you are involved as a health care professional in a clinical study we may process financial disclosure information, education, certifications and resume to determine if you can support Insulet with performing the clinical study. Furthermore, Insulet or Insulet’s service providers may process your contact details and authentication details to access websites and applications used in the clinical study. We process your personal data based on the performance on a contract we have with you or based on our legitimate interests.
• Exercising our rights or to comply with legal or regulatory obligations and industry self regulations: we may use any of the categories of your personal data to exercise our legal rights where it is necessary to do so to defend our, or our business partners’, business interests, for example to detect, prevent and respond to fraud claims, intellectual property infringements, claims or violations of law or the contract or to process and respond to whistleblowing activities. We may use your personal data to comply with a legal or regulatory obligation, for example when we collect product complaints and other safety information regarding our products or when we collect your personal data in order to grant you access to information that is only accessible to Health Care Professionals. We also may use your personal data to comply with industry self-regulations such as transparency registers. We may use any of the categories of your personal data to exercise our legal rights where it is necessary to do so to defend our business interests, for example to detect, prevent and respond to fraud claims, intellectual property infringement claims or violations of law or the contract or to process and respond to whistleblowing activities. We may use your personal data to comply with a legal or regulatory obligation, for example when we collect product complaints and other safety information regarding our products or when we collect your personal data in order to grant you access to information that is only accessible to Health Care Professionals. . We also may use your personal data to comply with industry self-regulations such as transparency registers.

1.3. Sharing of your personal data

We may share your personal data with third parties under the following circumstances and to the extent permitted by law:

• Service providers and business partners: we may share your personal data with our service providers and business partners that perform marketing services (e.g. sending marketing messages) and other business operations for us (e.g. conducting data analytics, providing online product training, market research and webinars);
• IT service providers and business partners: we may share your personal data with our IT service providers and other business partners, such as the service providers of our customer relationship management system, cloud storage locations, identification management system, application security providers, and resource planning system.
• Insulet Group companies: we are owned by Insulet Corporation and our main European entity is Insulet Netherlands BV, so we work closely with other businesses and companies that fall under the Insulet family. We may share certain information about our business relationship with you includingthe products and services provided to you and your use of the same, your browsing history on our website, etc., with Insulet Corporation, Insulet Netherlands BV and other Insulet companies for business operations and marketing purposes.
• Law enforcement agencies, courts, regulators or government authorities: we may share your personal data with these parties where we believe this is necessary to comply with a legal or regulatory obligation, or otherwise to protect our rights or the rights of any third party; and
• Asset purchasers: we may share your personal data with any third party that purchases, or to which we transfer, all or substantially all of our assets and business. In such a case, we will use reasonable efforts to try to ensure that the entity to which we transfer your personal data uses it in a manner that is consistent with this Privacy Policy.

Your personal data may be transferred to,stored, and processed in a country that is not regarded as ensuring an adequate level of protection for personal data under European Union law or by the European Commission, in particular to the USA, where Insulet Corporation is located.

We have put in place appropriate safeguards (such as contractual commitments) in accordance with applicable legal requirements to ensure that your data is adequately protected.

Version June 2023

This section describes how we process personal data of legal guardians of (minor) customers using the Omnipod® 5 Automated Insulin Delivery System ("Omnipod® 5 System"). Navigate to the relevant section for more information on:

1.1 What personal data we collect
1.2 Why we process your personal data
1.3 Sharing of your personal data

1.1.What personal data we collect

We will collect personal data directly from you, and in some instances from other sources.

1.1.1. Personal data we collect directly from you

The categories of personal data that we may collect directly from you include the following:

• personal and contact details: e.g. name, date of birth, phone number, email address, gender and postal address;
• order details: e.g. date of order, pod start date, purchase order;
• payment details: e.g. card information, insurance details and billing information;
• technical device information: e.g. the Internet Protocol address for your device, device identifiers, diagnostics data (log files) providing information on the functioning and use of the Omnipod 5® System;
• personal data you provide directly to Insulet when using our web-services or applications: e.g. when using your Omnipod® ID, the online Omnipod® account, www.omnipod.com or our other websites (the "Websites"), filling in surveys or using other communication platforms to contact or tag Insulet, such as social media.

We may be required to collect some of this personal data from you to fulfil a contract (e.g. we cannot deliver products to you and your dependent(s) without your name and postal address or take payment without your card details).

1.1.2. Personal data we collect from other sources

The categories of personal data that we may collect from other sources include the following:

• personal and contact details, e.g. name, date of birth, phone number, email address, gender, postal address, from your dependent’s health care professional;
• health insurance information from your health insurance company or the national healthcare system, where applicable;
• technical usage data when you visit our Websites, use our applications or web-based communication channels or services we create, use, offer or operate. We receive such data via the use of cookies or similar technologies. Please find more information on the use of such technologies on our Website in our cookie policy.

1.2. Why we process your personal data

We may use your personal data, for the following purposes:

• order and payment management and product support: we may process your personal data to conclude and execute our contract with your dependant, such as for managing your Insulet product and service order(s) and relevant payments, providing product support, responding to any requests and inquiries you make to us, including to understand more about your particular situation and how our products and services might help, and providing you with relevant information (e.g. in relation to using a Controller). Where applicable, we process your personal data to obtain payment or reimbursement for products from your healthcare provider or insurer or the national healthcare system. If you request a replacement product via the online Omnipod® account, we may make use of an automated questionnaire to assess your eligibility to replacement products based on our internal product replacement guidelines. We may also use your personal data to send you reorder reminder emails, if applicable in your jurisdiction. You may always call the Omnipod® Customer Care Team to discuss your dependent’s eligibility. We are required to process your personal data based on a legal basis. The processing of your personal data to manage your orders and payment and to provide product support is necessary to perform our contract with you or to take steps at your request prior to entering into a contract.
• training on the use of the Omnipod 5® System: we process your personal data to invite you and your dependant and provide you with trainings on the use of the Omnipod 5® System, or other Insulet products or services. We process your contact details, information you provide during the training and information we may receive from your health care provider. After the training, we may send you a survey by email to request your feedback on the training, in order to evaluate and improve the training.
• setup and use of your Omnipod® ID: we process your personal data (your contact details and date of birth) for the set-up of your Omnipod® ID. Based on the personal data you provide, we verify in our systems whether you are an Insulet customer and are authorized to create an Omnipod® ID. We also process your personal data for use of your Omnipod® ID, such as for activation and use of your Omnipod® 5 System and for access to the online Omnipod® account, and maintenance of your Omnipod® ID. We process your personal data based on your consent.
  
  Your Omnipod® ID is necessary for setup and use of the Omnipod® 5 System and for access to the online Omnipod® account. For completeness, we inform you that if you do not consent or withdraw your consent to the processing of personal data necessary for the use and maintenance of the Omnipod® ID, we cannot provide you with the Omnipod® 5 System and online Omnipod® account. If you have any questions on this point, please contact the Omnipod® Customer Care Team at 0800 011 6132 or +44 20 3887 1709 if calling from abroad.* You can also withdraw your consent via our webform.
• use of the online Omnipod® account: we process your personal data (e.g. your Omnipod® ID, personal and contact details, privacy settings, order history, training history, complaint history, and complaints you lodge) when you use the online Omnipod® account, e.g. to authenticate you, allow you to update your personal and contact details, process your orders, investigate complaints you lodge in the portal, determine warranty replacement eligibility implement your and your dependent’s privacy preferences, and maintain the online Omnipod® account. You can change your Omnipod® ID/username, password, and phone number for multi-factor authentication in the online Omnipod® account. We process your personal data on the basis of your consent for this purpose. You can withdraw your consent at any time by contacting contact the Omnipod® Customer Care Team at 0800 011 6132 or +44 20 3887 1709 if calling from abroad* or by updating your choices in the online Omnipod® account.
• marketing, newsletters and email communications: we may process your personal data to send you marketing communications, such as information on any of our new and/or existing products and services. We may personalise these messages to make them more relevant and interesting for you.. We will obtain your consent first before sending you marketing messages and newsletters. Further, we may review your interaction with our emails, for example to improve the effectiveness of our marketing messages. You can always unsubscribe from marketing messages and newsletters by clicking the "Unsubscribe" link included in each marketing communications or contacting us directly via the following privacy webform.
• reasons of public interest in the area of public health: we may process and disclose your personal data, such as complaint data for reasons of substantial public interest in the area of public health (including ensuring high standards of quality and safety of medical devices, or to prevent or lessen a serious and imminent threat to the health or safety of a person or the public). We process your personal data based on a legal obligation we are subject to in various EU Member States, or based on our legitimate interests to ensure the continued safety and performance of the Omnipod®5 System or to cooperate with or report to a competent authority in cases where we believe this is necessary. Such processing, including disclosure of your personal data, may for instance be necessary to:
  1. provide you with relevant regulatory information, including safety notices;
  2. to identify and analyse trends on e.g. incidents or undesirable side-effects and report such trends to competent authorities; and
  3. to cooperate with or report to competent authorities (e.g. health authorities, authorities that oversee the healthcare system, the U.S. Food and Drug Administration, or authorities responsible for criminal law enforcement) regarding e.g. activities authorised or required by law, such as audits, investigations, and inspections, or to report incidents.
• reasons of public interest: we may process and disclose your personal data for reasons of substantial public interest (e.g. compliance with tax requirements). We process your personal data based on a legal obligation we are subject to or based on our legitimate interests to cooperate with or report to a competent authority in cases where we believe this is necessary.
• exercising our rights or to comply with legal or regulatory obligations: we may process and disclose your personal data to the extent necessary to establish, exercise or defend legal claims, for example to detect, prevent and respond to any product liability claims, fraud claims, intellectual property infringement claims or violations of law or the contract, when it is in our, or our partners’ legitimate interests. You will be notified of any such uses or disclosures to the extent permitted by law.. We may also process your data to investigate and respond to whistleblowing activities, based on a legal obligation or our legitimate interest.
• identification and authentication: we use your identification information to verify your identity when you access and use our services, for example when you contact the Omnipod® Customer Care Team. We process your personal data based on our legitimate interest to provide you with a secure service.
• clinical trial and related research: we may collect health data about you if you participate in a clinical trial. If you participate in such trial, we will inform you about how we process your personal data for the purpose of the clinical trial or related research in that context, for example in the informed consent form.

When we rely on your consent to use your personal data you have the right to withdraw your consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Please change your privacy settings in the online Omnipod® account or contact us using the following webform if you wish to withdraw your consent. If you have any questions on this point, please contact the Omnipod® Customer Care Team at 0800 011 6132 or +44 20 3887 1709 if calling from abroad.*

Where we rely on our legitimate interests to process personal data, you can find out more about this basis for processing, or object to these uses of personal data by contacting us using the following webform

1.3.Sharing of your personal data

We may share your personal data, including your health data, with third parties under the following circumstances and to the extent permitted by law:

• service providers and business partners: we may share your personal data with our service providers and business partners that perform customer support services and other business operations for us. For example, we may partner with other companies to process secure payments, fulfil orders, optimize our services, provide online product trainings, support email and messaging services and analyse information.
• IT service providers and business partners: we may share your personal data with our IT service providers and other business partners, such as the service providers of our customer relationship management system, cloud storage locations, identification management system, application security providers, and resource planning system.
• Insulet Group of companies: the entities that form the Insulet Group of companies work closely together to provide our products and services to you. We may share certain of your personal data with the Insulet Group of companies for business operations and marketing purposes.
• billing or payment services: we may share your personal data with companies who will process payment for the products you use, or with your insurer for reimbursement purposes.
• CGM system providers: we may share your personal data with your CGM system provider in case you file a complaint related to the use of your dependant’s CGM system.
• authorities responsible for criminal law enforcement, court, regulator, public authority or other third party: we may share your personal data with these parties where we believe this is necessary to comply with a legal or regulatory obligation, or otherwise to protect our rights or the rights of any third party.
• asset purchasers: we may share your personal data with any third party that purchases, or to which we transfer, all or substantially all of our assets and business. Should such a sale or transfer occur, we will use reasonable efforts to try to ensure that the entity to which we transfer your personal data uses it in a manner that is consistent with this Privacy Policy.