HCP PRIVACY STATEMENT

Effective date: 01/01/2026
Last updated: 01/01/2026

Introduction

In this Privacy Notice, we, Recor Medical, explain how we process Personal Data relating to healthcare professionals who interact with us. It applies to activities such as professional communications, event participation, consultancy engagements, clinical investigations, and regulatory compliance. We are committed to protecting your personal data in accordance with the General Data Protection Regulation (GDPR), applicable national laws, and industry standards including the MedTech Europe Code and the MecoMed Code.

This HCP Privacy Notice applies in addition to the general Privacy Notice.

Clause 1. What Data We Collect

We may collect the following categories of personal data about you:

  • Identification and contact details such as name, title, email, phone number.
  • Professional details such as medical specialty, hospital or clinic affiliation, professional license number, work address, CV, and career history.
  • Financial details including bank account information for payments under consultancy or service agreements.
  • Interaction data including event registrations, training participation, and relevant records in our Customer Relationship Management (CRM) systems.
  • Travel and hospitality arrangements for professional events (e.g., transport, accommodation, meal preferences).
  • Regulatory and compliance-related information required for reporting to competent authorities or compliance organizations.

We do not process any special categories of personal data about healthcare professionals through these activities.

Clause 2. Where We Get Your Data

We may collect your data from:

  • You directly, for example when you complete a form, sign a contract, communicate with us, or participate in an event or study.
  • Publicly available sources such as professional registers or healthcare directories.
  • Event organizers, professional associations, or partners involved in joint activities.
  • Our affiliates or authorized distributors where permitted.

When we obtain your personal data from a source other than you, we will inform you within the timeframes required by GDPR (no later than one month, or at the first communication or disclosure, whichever comes first), including the source of the data and the purposes of processing.

Where we collect personal data from publicly available sources or professional databases, we rely on our legitimate interest in identifying and engaging with healthcare professionals in your field (Art. 6(1)(f) GDPR).

Clause 3. Why We Use Your Data and Legal Basis

We process your personal data for the following purposes and legal bases:

Purpose | Legal basis
Entering into and performing contracts with you or other ordinary contact in the course of business | Performance of a contract (Art. 6(1)(b) GDPR)
Sending you newsletters, event invitations, and professional updates | Consent (Art. 6(1)(a) GDPR)
Managing our professional relationship, including use of CRM systems | Legitimate interest in maintaining professional relationships (Art. 6(1)(f) GDPR)
Organizing travel, accommodation, and hospitality for events you participate in | Performance of a contract (Art. 6(1)(b) GDPR) or legitimate interest in facilitating professional events (Art. 6(1)(f) GDPR)
Complying with legal and regulatory obligations | Legal obligation (Art. 6(1)(c) GDPR)
Disclosing payments, hospitality, and other benefits to relevant authorities and compliance bodies | Legal obligation (Art. 6(1)(c) GDPR)

Clause 4. Transparency Reporting

In compliance with applicable MedTech transparency laws and industry codes, we may disclose information about transfers of value, including payments, hospitality, and other benefits provided to you. Examples of recipients include:

  • Conseil National de l’Ordre des Médecins (CNOM) in France;
  • Mdeon in Belgium;
  • Transparantieregister Zorg in the Netherlands;
  • Sanità Trasparente in Italy;
  • MedTech Europe and its national associations.

These disclosures are made to meet legal or code of conduct obligations.

In some cases, these disclosures are required by law or professional codes, and we are legally obliged to provide the information regardless of your preferences.

Clause 5. Studies, like GPS or Investigator-Initiated Study (IIS)

If you propose a study to us and complete and send us the Investigator-Initiated Study (IIS), we process contact data (name, address, e-mail or telephone number), data on your company (address, business area, job description, title) and data on your proposal (study design, study timeline, study synopsis, support request, etc.) in order to consider whether an Investigator-Initiated Study can be supported. The legal basis is Art. 6(1)(b) and (f) GDPR, respectively Art. 31(1) and (2)(a) FDPA.

Furthermore, we will not process any personal data of patients participating in studies. The patients’ data are pseudonymized before transmission, and the additional information needed to re-identify the patients remains with the Investigator and the Institution.

Clause 6. How We Share Your Data

We may share your personal data with:

  • Recor Medical Inc., our parent company in the United States (see International Transfers Clause).
  • Our affiliates and authorized distributors in certain markets.
  • Service providers acting under contract with us, including Salesforce, MedCompli, Coupa, DocuSign, Brevo, Evisort and Collaborate by Thomson Reuters. All such service providers act as data processors under written agreements in accordance with Article 28 GDPR and process your personal data only on our documented instructions.
  • Regulatory authorities and compliance organizations as required by law.

Affiliates, including our parent company, and authorized distributors may act as independent controllers when processing your personal data for their own purposes, or as processors when acting solely on our documented instructions.

Clause 7. Data Retention

We keep your personal data for as long as necessary to fulfil the purposes described in this Notice and to meet regulatory, contractual, and legal obligations. Criteria for determining retention include applicable statutory periods, contract duration, and the need to maintain records for compliance or to respond to legal claims.

Anonymized or aggregated data, which no longer identifies you, may be retained indefinitely for statistical and reporting purposes.

Clause 8. Your Rights

Under the GDPR, you have the right to:

  • Access your personal data;
  • Request correction of inaccurate or incomplete data;
  • Request erasure of your data in certain circumstances;
  • Restrict or object to processing in certain circumstances;
  • Withdraw consent at any time (without affecting prior lawful processing);
  • Request data portability (for data you provided to us);
  • Not be subject to automated decision-making with legal or similar significant effects;
  • Lodge a complaint with your local Data Protection Authority.

You have the right to object at any time to the processing of your personal data where it is based on our legitimate interests, including processing for relationship management purposes. If you object, we will stop processing your data for these purposes unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.

Supervisory authority in our location:

Der Hessische Beauftragte für Datenschutz und Informationsfreiheit (HBDI)

Gustav-Stresemann-Ring 1, 65189 Wiesbaden, Germany

www.datenschutz.hessen.de

If you are based in another EU or EEA country, you may also lodge a complaint with your local supervisory authority. A list of national authorities and their contact details is available on the European Data Protection Board’s website.

We respond to rights requests within one month. To exercise your rights, contact: Dpo@recormedical.com

Clause 9. Ethics Hotline

We provide an Ethics Hotline. You can find a link to the Ethics Hotline under EthicsPoint – Otsuka America. You are free to call us or fill out a report by selecting “Make a Report” to inform us about an incident such as Bribery & Kickbacks, Harassment, Fraud or similar.

The incident can be reported anonymously. However, you are also welcome to give us your identity by providing your first and last name, phone number, and e-mail address. We only process your Personal Data in order to investigate and process the reported incident and to contact you if necessary.

We use the platform of the provider NAVEX Global, Inc. (“NAVEX”) to provide you with our Ethics Hotline. Further information on data protection at NAVEX is available at https://www.navex.com/en-us/privacy-statement/.