A. GENERAL INFORMATION

Sonova AG is incorporated under the laws of Switzerland, with its registered address at Laubisrütistrasse 28, 8712 Stäfa, Switzerland. Sonova AG, acting as a data controller, is operating its business through its globally located affiliates (collectively referred to as “Sonova” or the “Company” or “we” or “our”), acting as independent or joint data controllers in regard to their specific customers, users of products, mobile applications and websites, contractors, and partners (“Data Subjects”).

The Company processes Personal Data in its day-to-day business. Therefore, this Global Privacy Policy (“Policy”) has been drafted and implemented in order to describe the Company’s practices regarding the use of Personal Data relating to its Data Subjects. Some of the Company’s products and services and certain services provided by this website may also have supplemental privacy policies that apply in addition to this Policy.

“Personal Data” or “Personal Information” means any information relating to an identified or identifiable natural person.

“Sensitive Personal Information” or “Special Categories of Personal Data” means any Personal Data that,  once leaked or illegally used, may easily cause infringement upon the human dignity or harm to the personal or property safety of a natural person, including, depending on Applicable Laws, data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation,  financial account, personal whereabouts and other information of a natural person, as well as the Personal Information of minors.

“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

“Data Subjects” means any identified or identifiable natural person from whom or about whom information is collected and/or processed. For the purposes of this Policy, the term Data Subjects shall encompass customers, users of products, mobile applications and websites, contractors and partners.

“Data Controller” means the natural or legal person, which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. In conformity with Applicable Laws and relevant terminology, the term "Data Controller" as utilized in this Policy may be referenced with different terms, ensuring consistency with Applicable Laws, provided that the fundamental role remains unaltered. For example, but not limited to, in accordance with the application of the Personal Information Protection Law (PIPL) in China, this role may alternatively be referred to as the "Personal Information Processor".

B. APPLICABLE LAWS

The Company undertakes to comply with the relevant applicable data protection laws (“Applicable Laws”) although certain requirements may vary from one country to another.

For example, but not limited to, the Company is committed to complying with the following laws, where applicable:

• The Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (“GDPR”)
• The Swiss Federal Act on Data Protection of June 19, 1992 (“FADP”), modified in 2020 and effective from September 2023
• The California Consumer Privacy Act of 2018 (“CCPA”), as amended by the California Privacy Rights Act of 2020 (“CPRA”)
• Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), Public Law 104-191, Sections 261 through 264, as amended by the Health Information Technology for Economic and Clinical Health Act, as incorporated in the American Recovery and Reinvestment Act of 2009 (“HITECH”) and all applicable implementing regulations, including without limitation, the Standards for Privacy of Individually Identifiable Health Information, the Security Rule and Breach Notification Rule, codified at 45 C.F.R. Parts 160 and 164 (all such laws and regulations to be collectively referred to as “HIPAA”)
• The Personal Information Protection Law (“PIPL”), the Cybersecurity Law (“CSL”), the Civil Code, the Data Security Law (“DSL”) and other applicable laws and regulations, regulatory requirements and national standards (collectively, the “China Data Privacy Laws”)

C. PERSONAL DATA COLLECTED

The Company may process the following Personal Data:

• Identity data: last name, first name, alias, nationality, and date of birth
• Contact details: postal address, private phone number, private email address or emergency contact
• Social security number and insurance company
• Financial data: means of payment (including credit card or debit card number), financial institution and potentially banking information, IBAN, health insurer or insurance information
• Data relating to health, including weight, height, medical history, doctor’s prescription, hearing capacity, physical activity tracking (step count, exercise intensity, exercise minutes), fitness data (heart rate, energy expenditure, blood pressure)
• Data relating to the user behavior on the website: browsing data, Internet Protocol (IP) address, cookies and other tracking tools
• Data relating to the products purchased: model, serial number, usage data
• Data relating to any accounts established by Data Subjects, including account access credentials (e.g., usernames, account numbers)
• Data relating to the services provided
• Data relating to the feedback the Data Subjects provide on our products and services, including comments and notes.

D. PURPOSES OF PROCESSING PERSONAL DATA

The Company relies on the following legal bases for processing Personal Data whereby other legal bases may be used depending on where the Data Subject is located and the Applicable Laws.

D.1 PROCESSING BASED ON CONSENT OF DATA SUBJECTS

Processing of Personal Data may be based on the consent of Data Subjects. The processing of Personal Data for this purpose may involve:

• Marketing purposes such as sending newsletters and information about products and services offered by the Company to leads/prospects and users of products, mobile applications and websites
• Creation of the Data Subjects’ account  Performance of the online hearing test
• Profiling to send updates on products and services designed and tailored by the Company for the Data Subject, based on the Data Subject’s experiences, interests or preferences
• Allowing the Data Subjects’ participation to clinical studies, research or testimonial initiatives
• Enrollment in our communities via online forms
• Participation to competitions and raffles
• Participation in online surveys
• Participation in events, trainings, or webinars.
• Publication of comments in our platform: please note that if you freely decide to share your opinion on our blog’s content, the information you disclose in your comment, along with your name, willbecome public and, hence, can be read by the community for as long as the article will remain published and/or you will freely decide to delete it. Please be aware, we are not responsible for the personal information you choose to submit, and we have no responsibility to publish, take down, remove or edit any of your public comment.

For the processing of Personal Data indicated above, we will request specific, clear and informed consent at the contact point, ensuring compliance with Applicable Laws and consentrelated requirements.

D.2 PROCESSING BASED ON A CONTRACT

Processing of Personal Data may be based on the execution of a contract or pre-contractual measures with Data Subjects and may involve:

• Fulfillment of our contractual or pre-contractual obligations towards Data Subjects, including the technical operation and functionality of the products and services they have acquired
• Provision of after-sales services after the purchase of products and services
• Social Security / insurance processing, including billing the Data Subject’s insurance provider for any products or services acquired
• Administration and resolution of claims
• Advising and interacting with the Data Subject when the Data Subject contacts the Company, for example through contact forms, comment function, chat function, emails
• Contacting the Data Subject to reply to technical requests, complaints and inquiries the Data Subject may arise through our forms and to offer the Data Subjected the required support
• Contacting the Data Subjects to offer the Data Subjects or someone they represent the requested commercial assistance / services in order to make an appointment to try our products and services with the Hearing Care Professional or provider closest to the Data Subjects.

D.3 PROCESSING BASED ON LEGITIMATE INTEREST

To the extent allowed by local Applicable Laws, Processing of Personal Data may be based on the Company’s legitimate interest to improve our products and services, our Data Subjects’ experience and our internal processes. The processing of Personal Data for this purpose may involve:

• Conducting statistical/usage analysis
• Performing internal administrative functions
• Preventing fraudulent activity and improving security. For example, but not limited to, pursuant to the implementation of our Multi-Factor Authentication mechanism designed to enhance the security and protection of personal data, we will process your email address for the purpose of transmitting a randomly generated code to validate the completion of your login process
• Managing relationships with Data Subjects
• Evaluating the relevance of our products and services
• Analyzing the website performance, to improve our services and our website functionality
• Marketing products or services offered by the Company to existing business partners, contractors, or vendors. Note that where necessary, Sonova shall secure Data Subjects’ consent before processing Personal Data for marketing purposes.

D.4 PROCESSING BASED ON OTHER BASES

The Company may also process Personal Data to respond to legal requirements and to comply with any Applicable Laws and their respective additional legal basis (where applicable).

Depending on the country where the Data Subject resides, our processing of certain Sensitive or Special Categories of Personal Data may require a different legal basis for processing or may benefit from special protection, particularly in terms of security and confidentiality measures implemented.

E. COOKIES AND OTHER TRACKING TOOLS

Cookies and other tracking tools are small files stored by most internet browsers to track visitor information and they enable Sonova to make its web-offering more relevant to you. During your visit to our website, Sonova may use four categories of cookies and other tracking tools, depending on the website concerned. Their retention period depends on each country and the relevant applicable law. Depending on the relevant applicable laws, we have supplemental cookie privacy notices that inform you about the cookies used by the website you are visiting.

We use cookies and other tracking tools in order to:

• Obtain information about your browser settings, domain name, internet service provider, your operating system, the date and time of access, location, type of device used to access our website and conduct system administration
• Get information about other websites you have visited or the type of searches you perform to refine your experience
• Prevent fraudulent activity and improve security
• Know and analyze your browsing preferences and the products you are interested in
• Associate your previous website behavior after you have registered with your details on a Sonova website for business and technical purposes.

Some of the cookies and other tracking tools used by our websites are set by us, and some are set by third parties on Sonova’s behalf. Our use of cookies and other tracking tools from third parties enables tailored advertising, meaning that you may see advertisement for Sonova on other websites that you visit.

Depending on the website in question, we may use the following categories of cookies and other tracking tools:

• Strictly necessary cookies: these cookies are necessary for us to provide you with the basics functionalities of our website and cannot be switched off in our systems.
• Performance and analytical cookies:  these cookies allow us to count visits and traffic sources in order to measure and improve the performance of our website.
• Functional cookies: these cookies are used to provide enhanced functionality and personalization during your visit.
• Targeting or advertising cookies: these cookies may be set through our website by our advertising partners to build a profile of your interests and propose relevant adverts.

Each type of cookie reflects a specific purpose and, on our website, you can easily consent specifically to each purpose. By accepting all cookies, you will have a fully personalized web experience. We allow you to choose which types of cookies you accept or block, but it may impact your experience on the website and the services we offer (as mentioned above). You can use the service even in the case of a refusal to consent to some cookies, except where the refusal is for strictly necessary cookies. At any time, you can withdraw or modify your consent by going on the “Cookie Preferences” page.

The way to give your consent specifically to each purpose, or to accept all cookies will depend on the applicable laws concerning cookies in your country and be easily found and explained in the cookie banner.

If you are not interested in the advantages of our Cookies, the “Help” function of your browser can provide instructions on how to prevent Cookies or delete existing Cookies. Also, you can learn how to block all new Cookies on your browser and which configuration steps are required to receive a notification about new Cookies.

Helpful information on Cookies can be accessed on these websites: http://www.allaboutcookies.org/ or https://cookiepedia.co.uk.

Further details regarding the categories of cookies and other tracking tools collected by the website in question will be provided through the cookie banner and its dedicated cookie section.

F. SOCIAL MEDIA PLUGINS

Social media plugins are a part of certain web pages of Sonova and exist for social media providers (“Provider”); such as Facebook, Instagram, Twitter, LinkedIn, Google+, and YouTube. When you visit a page by clicking such a plugin your browser will connect to the respective social media server. At the same time, the Provider will know that you visited our website prior to landing on the social media site. If you are registered and have logged in with the relevant Provider, your visit can also be linked to your user account. Providers in general do not provide specific information about what data is transmitted in the use of their social media plugins. Therefore, we have no definitive ability to verify the content and scope of the transmitted data or its use by such Providers. For further information about social media plugins, please consult the data protection stipulations of the relevant Provider. If you do not want a Provider to collect data on you through our website, please deactivate the plugin(s) in your web browser. If you wish to avoid a link to any existing user account, you must log out of the social media web page before your visit to our website.

G. THIRD PARTY LINKS

This Policy applies solely to the use of this website. We may provide you with links to third party websites that may be of interest to you. However, please be aware that Sonova is not responsible for the content and availability of such websites and cannot guarantee the privacy practices of such websites.

H. RETENTION OF PERSONAL DATA

Personal Data will not be kept longer than necessary for the above-mentioned purposes. This means that Personal Data will be deleted as soon as the purpose of the processing of Personal Data has been achieved. However, the Company may retain Personal Data longer if required by any Applicable Laws to protect or exercise our rights, to the extent permitted.

At the end of the retention period, the Company may also need to archive Personal Data, to comply with Applicable Laws, for a limited period of time and with limited access.

These retention periods may vary depending on the country where the Data Subjects reside and in accordance with Applicable Laws.

I. DISCLOSURE OF PERSONAL DATA

The Company may share Personal Data based on the Data Subject’s consent and/or on a relevant legal basis, with the following third parties:

• Business partners providing services on our behalf, such as for technical support, for marketing purposes or for other types of services delivery.
• Governmental authorities and public authorities, as far as this is necessary to provide any services that have been requested or authorized, to protect Data Subjects’ rights, or our or others’ rights, property or safety, to maintain the security of our services or if we are required to do so because of Applicable Laws, court or other governmental regulations, or if such disclosure is otherwise necessary in support of any legal or criminal investigation or legal proceeding.
• Individuals authorized by the Data Subject or by Applicable Laws to participate in the Data Subject’s care, including family, close friends or others.

Depending on Applicable Laws, we implement contracts with some third parties to ensure that Personal Data is processed based on our instructions and in compliance with this Policy and any other appropriate confidentiality and security measures.

From time to time, it may be necessary to conclude such contracts within the Sonova group, with subsidiaries and affiliated companies, to fulfil regulatory requirements. For this purpose, Sonova subsidiaries and affiliates shall also be considered as “third parties”.

J. TRANSFERS OF PERSONAL DATA

The above-mentioned third parties, such as Sonova affiliates and subsidiaries, as well as business partners, public authorities, to whom we may disclose Personal Data, may be located outside of your country, potentially including countries whose data protection laws may differ from those in the country in which Data Subjects are located.

If Personal Data is processed within the European Union/European Economic Area, and in the event Personal Data is disclosed to third parties in a country not considered as providing an adequate level of protection according to the European Commission, the Company will ensure:

• The implementation of adequate procedures to comply with Applicable Laws, and in particular when a request for authorization from the competent supervisory authority is necessary
• The implementation of appropriate organizational, technical and legal safeguards to govern the said transfer and to ensure the necessary and adequate level of protection under Applicable Laws
• If necessary, the implementation of Standard Contractual Clauses as adopted by the European Commission
• If necessary and depending on the country of the third party importing the data take additional measures such as completing a data transfer adequacy assessment and, when required, supplementary measures for the protection of the transferred Personal Data.

If Personal Data is not processed within the European Union/European Economic Area, and in the event Personal Data is disclosed to third parties located outside your country, the Company will ensure that appropriate safeguards are in place to protect Personal Data by implementing appropriate legal mechanisms. Those mechanisms may differ depending on the country and relevant Applicable Laws.

If a Data Subject’s Personal Data falls under the application of the revised FADP or PIPL and is subject to international transfers, the Data Subject will be informed of these transfers through supplemental privacy notices. Such notices will provide additional details and safeguards regarding the transfer of Personal Data outside of Switzerland or China respectively.

K. PERSONAL DATA SECURITY

The security of Personal Data is extremely important to us. We take all steps reasonably necessary to ensure that Personal Data is treated securely and in accordance with this Policy.

Sonova implements a variety of security measures in order to protect Personal Data from security incidents or unauthorized disclosure. These security measures are based on appropriate industry security standards and include, inter alia, access controls, passwords, encryption, and regular security assessments.

All employees who may process any Personal Data are required to undergo appropriate training in accordance with Applicable Laws to ensure compliance with data protection regulations.

We regularly review our information security procedures to consider appropriate new technology and methods.

L. PRIVACY RIGHTS RELATED TO PERSONAL DATA

Depending on the relevant Applicable Laws, Data Subjects have rights related to their Personal Data, such as the right to request access, rectification, erasure of their Personal Data, restriction of Processing, object to Processing, request data portability, to be informed and withdraw their consent for Processing of Personal Data based on their consent. Data Subjects may also object to automated individual decision-making if they are concerned about such Processing.

The exercise of relevant data subject rights shall be conducted in accordance with the legal timelines stipulated by Applicable Laws.

In addition, some Applicable Laws may provide instructions relating to the retention, communication and erasure of Personal Data posthumously.

To exercise these privacy rights, Data Subjects may contact us as described in the “How To Contact Us” section below. We may ask proof of identity in order to respond to the request. If we cannot satisfy the request (refusal or limitation), we will document our decision in writing.

The exercise of such rights is not absolute and is subject to the limitations provided by Applicable Laws. No individual shall be subject to retaliation or discrimination on the basis of exercising these rights.

Data Subjects may have the right to lodge a complaint with the local supervisory authority or the competent regulator if they consider that the processing of their Personal Data infringes Applicable Laws.

M. UPDATES TO THIS POLICY

We may update this Policy from time to time in order to reflect new or different privacy practices. In this case, we will post updated versions of this Policy on this page. A revised Policy will apply only to data collected after its effective date. We encourage Data Subjects to periodically review this page for the latest information on our privacy practices.

N. HOW TO CONTACT US

For any questions, comments, or concerns about this Policy, or in order to exercise the privacy rights permitted by Applicable Laws related to Personal Data, please contact our Data Protection Officer at:

Sonova AG

Attn: Data Protection Officer

Laubisruetistrasse 28

8712 Stäfa, Switzerland +41 58 928 01 01 privacy@sonova.com

O. POLICY IDENTIFICATION SHEET & VERSION CONTROL

Sonova Policy Identification Sheet:

Version Control:

Page