Introduction
We are committed to protecting your privacy and ensuring transparency in the processing of your personal data in accordance with applicable data protection laws, including the General Data Protection Regulation (GDPR) and the Swiss Federal Act on Data Protection (FADP).

This Privacy Notice informs you about the personal data we collect when you access and use our products and services, including our website and mobile application, and how we process that data. It applies generally to our activities related to user data, but we may also have additional privacy notices for specific products or services.

By using our products and services, you explicitly consent to the collection and processing of your personal data in accordance with this Privacy Notice.

Who is responsible for processing your personal data?
QluPod AG is responsible for the processing of your personal data. You can find our contact details in section 13 below.

What types of personal data does QluPod process?
QluPod collects personal information for various purposes. Below is a list of the types of personal data we may collect, either directly from you or from other sources, to achieve those purposes.

Customer Data

• Personal data: First and last name, address, email, date of birth, age, gender, height, weight, sleeping patterns.
• Payment data: Credit card information.
• Health data: Blood pressure, heart rate.

Professional Data

• Contact details: Name of contact person, address, telephone number, company name, email.

How we collect your personal data?

We collect personal information that you provide to us or that is transmitted via the QluPod device you use. This data may be collected in the following ways:

• When you use our website, mobile application, and/or services (the “Services”), for example, when you place an order, communicate with us, set up and/or manage your account, use our monitoring services, or complete forms.
• Some information is mandatory, and other information is optional. The data fields marked with an asterisk (*) must be filled in. If one or more mandatory fields are not completed, we will not be able to grant you access to the Services. Optional fields can be filled in at any time.

Additionally, we may collect data automatically through the use of cookies, app analytics, or sensors on the QluPod device, depending on your usage and preferences.

Legal Basis for Processing Personal Data

We process your personal data based on one or more of the following legal grounds:

• Consent: When you provide us with your explicit consent to process your data.
• Contractual necessity: For the performance of a contract with you or in order to take steps at your request before entering into a contract.
• Legitimate interest: For purposes such as improving our services, ensuring security, or direct marketing (with your consent where required).
• Legal obligation: Where we are required by law to process your personal data.

Security of Personal Data
We take appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, or loss. This includes encrypting data during transmission and ensuring secure storage practices.

Automated Collection of Personal Data
Certain personal data is collected automatically when you use QluPod products or visit our website. This includes data collected through tools, web forms, cookies, and other active elements, as described in this Privacy Notice.

You can configure specific permissions for the automatic collection of your personal data when you set up your device or internet browser, according to the available features. Additionally, you can adjust the automatic collection of personal data through the cookie settings plugin available on our website. For more detailed information on this, please refer to our Cookie Policy.

Sensitive Data
The personal data we collect may include sensitive data, such as health-related information (e.g., blood pressure, heart rate, weight, etc.). This data is classified as Sensitive Data under applicable data protection laws. We process such sensitive data in accordance with applicable privacy laws, including the GDPR and the Swiss Data Protection Act, where necessary.

How We Process Your Personal Data
We process your personal data by automated means for the purposes outlined in this Privacy Policy and in compliance with applicable laws. Specifically, we process your personal data in accordance with the Swiss Data Protection Act, the EU General Data Protection Regulation (GDPR), and the UK General Data Protection Regulation.

Personal data is processed using computers or automated tools, and for the purposes specified in this Privacy Policy.

Automated Decision-Making and Profiling
We do not engage in decision-making based solely on automated processing that produces legal effects concerning or significantly affects you (automated individual decision-making). For example, we may use automated data processing to create a profile of you and provide a more personalized experience when using our services (profiling). Under applicable data protection laws, you may have the right to object to such profiling (see section 12 below for more details on your rights).

Anonymisation of Personal Data
We may process your personal data to anonymize information that allows us to identify you. After anonymization, we may use this data for purposes not covered by this Privacy Policy, such as data mining, benchmarking, analytics, or the development and marketing of new services. You may object to the anonymisation of your personal data for these purposes at any time (for more information, see section 12 below regarding your rights).

Data Security
We take appropriate technical and organizational measures to protect your personal data from unauthorized access, disclosure, alteration, or destruction, as outlined in section 11 below.

On What Legal Basis Do We Process Your Personal Data?
We only process your personal data if we have a valid legal basis to do so. Depending on the nature of the processing, the legal grounds for processing your personal data may include the following:

1. Contractual Necessity
   We process your personal data when necessary to fulfill our contractual obligations towards you or to take pre-contractual measures at your request (contractual necessity). This applies, for example, when the processing of your personal data is required to provide you with access to the website, mobile application, and related services, as further explained in Section 6. Under the GDPR, the legal basis for processing in this case is Article 6(1)(b).

2. Legitimate Interests
   We may process your personal data to protect our legitimate interests, provided that your rights and freedoms do not override these interests (legitimate interest). Our legitimate interests include, but are not limited to:
   • Ensuring the efficient and secure operation of the website, mobile application, and related services (e.g., internal analysis of website/application stability, security, updates, troubleshooting, and support services).
   • Improving and developing the website, mobile application, and services (e.g., performance monitoring, use of services, statistical analysis).
   • Obtaining cost-effective services (e.g., opting for third-party suppliers for certain services).
   • Achieving our business objectives.

   • Other legitimate purposes explicitly outlined in Section 6.
     Under the GDPR, the legal basis for processing in this case is Article 6(1)(f).

3. Consent
   We process your personal data if we have obtained your explicit consent in a clear and unambiguous manner (consent). This applies to situations where consent is required under applicable data protection laws. Under the GDPR, consent is based on Article 6(1)(a).

4. Legal Obligation
   We process your personal data when necessary to comply with our legal or regulatory obligations (legal obligation). This includes circumstances where processing is required to meet legal requirements. Under the GDPR, the legal basis for processing in this case is Article 6(1)(c).

5. Sensitive Data
   We will only process sensitive data (e.g., health data) if we have obtained your explicit consent for specific purposes or if we can rely on another lawful justification under applicable data protection laws, such as necessity for medical purposes or to comply with legal obligations.

For What Purposes Do We Process Your Personal Data?
We process your personal data only for legitimate and clearly defined purposes, and we will not process your data in a way that is incompatible with these purposes. The personal data we collect is necessary to achieve the following purposes:

1. To Operate the Website and Mobile Application and Provide Related Services
   We process your personal data primarily to operate the website and mobile application and provide the associated services. This includes:
   • Creating and maintaining a user account.
   • Interacting with you.
   • Providing requested information and services.
   • Delivering products, goods, and services.

   When you use our blood pressure monitoring services and devices, we collect device sensor data, monitoring data, and sensitive health data (such as blood pressure and heart rate). We process this information to deliver our services. Additionally, we may collect information about the country or time zone from which you access our services, but we do not track your exact location.

   We also collect technical data about your interactions with the website and/or the mobile application, such as the content accessed, the date and time of access, and browser information. This data is processed to monitor and ensure the stability and security of our services and is based on our legitimate interest. We may also use this data to improve our services, as described further below.

   Your account information will be retained as long as your account remains active. If you cancel your account, we will delete or anonymize your account information within 30 days, unless retention is required for other legitimate reasons (e.g., for legal or tax obligations). Log files are automatically deleted or anonymized 30 days after collection.

2. Processing of Product Orders and Payments

   To process your orders, we collect the required information such as contact details, billing and delivery addresses, payment method, and other relevant information. This data is processed based on the contractual need to fulfill your order.

   We also automatically collect data related to your use of the website and/or mobile application in accordance with our cookie policy. For data processed through essential cookies, the legal basis is our legitimate interest, while other data processing via cookies is based on your consent.

   Third-party payment providers process payments and dispatch orders. Depending on the payment method selected, you may be redirected to a third-party website for payment processing. We only share the necessary information with these providers to complete the payment process. This is done based on our contractual obligation.

   To offer QluPod’s payment methods, we may share your contact and order details with Klarna (for example) during checkout to assess eligibility for payment methods and tailor options to your needs.

   We process order, inventory, and billing data based on our contractual obligation to provide the requested goods and services. Certain information, such as invoices and contracts, must be retained for legal or regulatory purposes (typically for 10 years). Data related to uncompleted orders is retained for 12 months before being deleted.

3. To Contact You and Answer Your Inquiries

   You have the option to contact us via the website, mobile application, or email. In such cases, we process the data you provide (including your contact details and the subject of your inquiry) in order to respond to your requests and provide you with the requested information or services, based on our contractual obligation.

   The retention period for your data depends on the nature of your inquiry. For example, data related to order inquiries will be retained according to the retention period for orders.

4. For Internal Analysis and Statistical Purposes to Improve Our Website and/or Mobile Application and ServicesWhere we have obtained your valid consent, we may process your personal data, including data about your usage of the website and/or mobile application and your habits and preferences (such as device information [serial number, software version, error/crash reports], the content you access, the date and time of access, and your preferences). This data is used for internal analysis and statistical purposes to better understand our users’ needs and improve the overall user experience. We also aim to enhance the ergonomics and functionality of the website, mobile application, and services. You may object to such processing at any time. For more information on your rights, please refer to section 12 below.

5. To Provide You with Targeted Information or Advertising Based on Your Interactions

   Where we have obtained your valid consent, we may use third-party services such as Google, YouTube, or Facebook to show you personalized advertising based on your interaction with the website. These services may place cookies on your device to serve ads relevant to your preferences. The privacy policies of these third-party providers govern their activities.

   You can withdraw your consent at any time. For more information on how to manage your consent and your rights, please see section 12 below. Please consult our Cookie Policy for further details on the use of cookies for advertising purposes, including data retention periods, and links to the privacy policies of these third-party providers.

6. To Comply with Our Legal Obligations or Pursue Other Legitimate Interests
   We may process your personal data if required by law or based on other legitimate interests. This could include situations where we need to disclose information to authorities, retain data for tax or accounting purposes, or defend ourselves in legal claims. Personal data processed for these purposes will be retained for as long as required to fulfill the legal obligation or pursue the legitimate interest.

7. When We Have Received Your Consent
   In certain cases, we may process your personal data if we have obtained your explicit consent for specific purposes. You can withdraw your consent at any time, but this will not affect the legality of the data processing that occurred before the withdrawal.

Disclosure of Your Personal Data to Third Parties
We may disclose your personal data to third parties if necessary for the operation of the website and/or mobile application, or to comply with legal obligations.

We may share your personal data with third parties and subcontractors, such as IT service providers, cloud service providers, database providers, automated marketing solutions, and consultants, in connection with the operation of the website and/or mobile application.

By using the website and/or mobile application, you acknowledge that third-party service providers may have access to certain personal data as part of the services they provide.

Our website and/or mobile application may contain links to other websites. This privacy notice only applies to our practices and does not cover the activities of third-party websites. We encourage you to review the privacy policies of any third-party websites you visit via links on our website or mobile application. Any collection and use of your personal data by third-party websites are subject to their privacy policies, and we are not responsible for their practices.

Disclosure of Your Personal Data to Third Parties
We may disclose your personal data to third parties when required by law or when we have a legitimate interest to do so. Examples of when we may disclose your personal data include, but are not limited to:

• Compliance with Legal Obligations: To comply with requests from judicial authorities or other legal obligations.
• Legal Claims: To bring or defend a claim or lawsuit.
• Corporate Transactions: As part of a reorganization, merger, or the transfer of our assets to another company.

International Data Transfers
Your personal data is generally stored in your country of residence, but it may be transferred to other countries under certain circumstances.

For residents of the European Union, Switzerland, or the United Kingdom, we store your personal data on servers within the EU. However, in some cases, such as when we use subcontractors (e.g., Google or Amazon Web Services, which are based in the USA), your data may be transferred internationally. We ensure that appropriate safeguards are in place to protect your data, in compliance with applicable data protection laws, including using standard contractual clauses approved by the European Commission.

You can request additional information regarding these safeguards and obtain a copy of the relevant security measures by contacting us at the address provided in Section 13.

Data Retention
We do not store your personal data longer than necessary.

Personal data will be deleted or anonymized once it is no longer required for the purposes outlined in this privacy notice. The retention period depends on the type of data and applicable legal requirements. For further details on specific data retention periods, refer to Section 6. If you delete your user account, your personal data will be deleted within 30 days, unless retention is required for a valid reason.

In some cases, we are required by law to retain certain data, such as information related to the contractual relationship, for at least 10 years.

Security Measures
We take physical, technical, and procedural safeguards to protect your personal data.

We are committed to securing your personal data and have implemented physical, administrative, and technical measures to prevent unauthorized access. These measures include two-factor authentication, virus protection, a strict password policy, and encryption of sensitive data using Transport Layer Security (TLS) technology. Access to personal data is limited to individuals who need it for the purposes described in this privacy policy.

Although we take reasonable precautions to secure your data, no system can be completely secure. We cannot guarantee the complete security of the data you provide, and we disclaim any liability in this regard.

As the internet is a global environment, submitting information electronically may involve international transmission, depending on your location. This privacy notice applies only to the use and disclosure of your personal data once it is under our control. All internet transmissions are made at your own risk.

If we believe that your personal data has been accessed by an unauthorized person and applicable law requires us to notify you, we will inform you of the breach as soon as possible, either via email (if available) or through other communication channels, including posting a notice on the website and/or mobile app.

Your Rights Regarding the Processing of Your Personal Data
You have several rights in relation to the processing of your personal data. These rights enable you to control how we handle your information.

Unless otherwise provided by law, you have the right to know if we are processing your personal data. You may contact us to:

• Access your personal data.
• Verify its accuracy.
• Request that we update, supplement, rectify, or erase it.
• Stop processing that has been conducted unlawfully, or object to processing on legitimate grounds.

You can also review, update, correct, or delete the personal data associated with your user account (if you have one).

If you wish to delete your personal data from our systems, please contact us. We will comply with your request unless retention is required by law or for other legitimate reasons. Please note that data may remain in backup storage for a while after deletion.

When we process your personal data based on your consent, we do so after obtaining your freely given, informed, and unambiguous consent. You can withdraw this consent at any time.

For more details, please refer to sections 4 and 5 of this privacy notice for specific processing activities.

This section does not limit other rights you may have under applicable data protection laws, particularly under the GDPR, if applicable to your personal data processing. These include:

• Right of Access (Art. 15 GDPR): Request copies of your personal data.
• Right to Rectification (Art. 16 GDPR): Ask us to correct inaccurate data or complete incomplete data.
• Right to Erasure (Art. 17 GDPR): Request the deletion of your personal data in certain circumstances.
• Right to Restrict Processing (Art. 18 GDPR): Request a temporary restriction on processing in specific situations.
• Right to Data Portability (Art. 20 GDPR): Request that we transfer your personal data to you or another organization in a structured, commonly used, and machine-readable format.
• Right to Object to Processing (Art. 21 GDPR): Object to processing based on our legitimate interests, with the possibility of us stopping the processing unless we can demonstrate overriding legitimate grounds or the processing is necessary for legal claims.

You can exercise these rights without any charge. We have one month to respond to your request.

Your Right to Lodge a Complaint
If you are not satisfied with the way we process your personal data, you have the right to lodge a complaint with the relevant data protection authority. This can be done in the Member State where you reside, work, or where the alleged infringement occurred.

While this is not mandatory, we encourage you to contact us first (see section 13), as we may be able to address your concerns directly.

Contact Information
If you believe your personal data has been mishandled, or if you have any questions regarding the collection or processing of your data, please contact us:

Tel: +41 (0)71 510 05 45
Mail: office@qlupod.com

Translation
The original language of this privacy policy is English. Any translations are for convenience only. In the case of discrepancies between the English version and any translation, the English version will prevail.

QLUPOD AG
Bahnhofstrasse 23
9100 Herisau
Switzerland