Privacy is very important to us. We also understand that privacy is very important to you. Because privacy is important, we provide this privacy notice to you so you can have transparency into and understand our data practices.

Medtronic’s privacy notice describes how Medtronic, Inc. and its processors and affiliated companies (together, “Medtronic” or “we”) collect, use, and share your data. Any sections specific to particular geographies will be noted as applying to those specific locations. Please take a moment to familiarize yourself with these privacy practices and contact us with any questions.

Scope and last update.

• This privacy notice is particular to the Meplis platform and applies worldwide.
• In this case, the entity processing your data is Medtronic, Inc, unless a different entity is listed for your geography.
• This notice was last updated on and is effective as of 27 August 2022.

Joint controller. As the controller of this platform, Meplis may receive your name, email address, and telephone number under their own Privacy Notice terms.

Exceptions and disclaimers.

• Employees and applicants. This notice does not apply to our data processing activities and practices specifically on current or former Medtronic employees or applicants. A separate notice is available and may be requested by contacting AskHR@Medtronic.com.
• Subcontracting for others. This notice will not apply unless otherwise noted if Medtronic is acting as a subprocessor or subcontractor to another entity, like a health care provider. In that case, we act under their instructions for processing your personal data and their privacy notice will apply.
• External and out-of-scope sites. This notice will not apply to services not controlled by Medtronic like other websites or applications, nor will it apply to other Medtronic sites that are outside the scope noted above. You should review the privacy notice for those other services to see how they use your data.
• Approvals in your jurisdiction. This page may include information about products that may not be available in your region or country. Please consult the approved indications for use. Content on specific Medtronic products is not intended for users in markets that do not have authorization for use.

Medtronic-wide Notice. Our enterprise-wide privacy notice is available at the “Privacy Statement” link at the version of https://www.medtronic.com for your geography.

Medtronic treats any data relating to an identified or identifiable individual or linked or linkable to them as “personal data”. Personal data would include data that directly identifies you, like your name, and data that can reasonably be used to identify you even if it does not do so directly, like your telephone number.

Deidentified data. Under this notice and subject to applicable law, personal data does not include anonymized or aggregate data (data that is no longer linked to an individual, household, or device, or that is combined with other data so that it is no longer about an individual) that we do not intend to or cannot re-link to you later. This data is called “deidentified data” within this notice. Where Medtronic has deidentified data, we may use or disclose it for our business purposes, such as internal research, collecting crash statistics, debugging, creating and analyzing statistics, and internal reporting. However, Medtronic will not try to reidentify deidentified data unless required by applicable law and will require any third parties to whom deidentified data is disclosed to make the same commitment.

Non-personal data. Medtronic may also collect information that cannot identify you or be tied to you in any way, such as the links on which you click, your time of access, some basic information about the computer, browser, and network you use to access our services, and other similar data. This non-personal data is collected from the systems you use to interact with us, and we cannot and will not use that data to identify you except as we describe in this notice.

To provide our services, interact with you, perform analytics and product improvement, and other purposes described below:

What we collect and how

We collect, based on what you directly submit to us:

Contact information including name, email address, telephone number, demographic information including country of residence, preferences including preferred language, device and network identifiers including IP address and any content posted or submitted by you (including your relationship to Medtronic that you indicate, the type of health care provider you are if applicable, stage of education or training, and areas of interest).

How we use it

Create and manage your account and maintain our services, personalize content based on your interests, interact with you at your request, perform analytics and research, improve our products and services, perform quality assurance and complaint handling functions, detect, investigate, and respond to malicious and fraudulent activities, and debug and repair our products and services. for U.S. healthcare providers, to link your name, National Provider Identifier (NPI), state license number, and/or your IP address to web pages you visit, for compliance, marketing, and sales activities deidentify your information by removing any personal identifiers (your name, e-mail address, social security number, etc.) so that it may be used for other purposes. In this case, the deidentified information would no longer identify you and may be treated like other non-personal information. enforce this Privacy Statement and other rules about your use of this website protect our rights or property.

Other parties receiving it

As the controller of this platform, Meplis may receive your name, email address, and telephone number under their own Privacy Notice terms.

Medtronic will not share your data except as we describe in this section or above.

Sales of data, cross-contextual tracking/beacons, and data broker disclosures

For the scope of the activities covered by this notice, Medtronic does not sell your personal data, disclose it to data brokers, nor disclose to unrelated third parties for their own direct marketing purposes. Except as stated below, we do not share your data for cross-contextual retargeted marketing purposes.

Cookies, beacons, and retargeted marketing. Medtronic use cookies, pixels, web beacons, and similar technologies (“cookies”), that work through placing a small file (like a text file or graphic) in your browser files.

Cookies are used to collect information for business purposes, such as enabling essential website functions and improving the user experience. Some of these collect personal data on you, and those companies receive information about your interaction with our communications or services that is associated with your browser, device, or profile. They may use that data to provide you with relevant marketing material on our or other websites about our or others’ products and services and may therefore be used to collect and share your data for cross-contextual retargeted marketing purposes.

For more information on cookies and how to opt out of some cookies as you choose, see our Cookie Policy and our cookie preferences link on applicable webpages.

Do Not Track. Medtronic does not respond to Do Not Track signals sent by your browser at this time as there is currently no industry or legal standard for recognizing these signals.

Service providers/processors

We share some personal data with companies we hire to perform services or functions for us. For example, we may use different vendors to provide certain apps or websites, or to ship you the products you ordered. In those cases, we provide these vendors (also known as processors, service providers, subcontractors, or Business Associates, depending on the context) the personal data they need to provide their services for us. These vendors are prohibited from keeping, disclosing, or using your personal data except to provide the services we agreed they would provide.

In this case, we use vendors to:

Manage your account information, sending marketing or transactional communications, host the services, analyze data, and provide network security, accounting, auditing, and other services.

Affiliates and corporate transactions

Medtronic may share data among our affiliated companies, like Medtronic USA, Inc. and other companies listed as an exhibit to our most recent form 10-K filing with the Securities and Exchange Commission (available here). Information may also be exchanged if Medtronic is in the process of acquiring or being acquired by another corporate entity as is required to enable any sale, dissolution, merger, or acquisition.

Third parties and other disclosures

At times, Medtronic may partner with third parties to provide services or other offerings. We require partners to protect your personal data in accordance with our privacy principles.

We may share your personal data with others at your direction or with your consent, as well as in the other ways we describe in this notice.

We may also be compelled by applicable law to release your personal information to comply with a court order, subpoena, search warrant, law, or regulation. We may also share information with law enforcement and others to investigate and prosecute persons engaging in unlawful, harmful, or otherwise malicious behavior.

In some circumstances, we may share personal data to exercise or defend against legal claims, to protect our rights, operations, or property, or to protect the health, safety, or welfare of another person.

External sites and services

This website may contain links or references to other websites, apps, or services. Some of those websites are run by Medtronic affiliates or vendors. Others are run by third parties. When you leave this service, we recommend you review the privacy practices applicable to the information you provide on the external site or service. We do not review, control, or monitor the privacy practices of sites operated by others, nor can we be responsible for those sites and services operated by third parties or for your dealings with them.

Public and social media

We operate social media accounts on other platforms, as well as other places where information you provide or distribute may be observed by others. As with other external sites and services, we cannot control the privacy practices or content of places or platforms that we do not control. Therefore, content you submit or post to these platforms and places or other public forums may be accessible by other members of the public. Also, when you log into a social media account to interact with us through or log in to our services via their services, your personal data is used by that account provider in connection with your login and may be governed by their privacy policy.

Retention

We will only keep your personal information for so long as necessary to fulfill the purposes for which we are allowed to use them, as set out in this Privacy Notice or as required by law.

International transfers

In some cases, Medtronic may transmit or store personal data collected to affiliates, vendors, or sites in other countries. We will only transfer personal data as allowed by applicable law to further the purposes set out in this document. Where data is transferred to another country, we take administrative and technical measures to ensure your data receives an adequate level of safeguards and protections as provided for by applicable law. The Medtronic entity that controls your personal data may differ depending on where you live.

In cases where personal information is transmitted from Europe to other countries, we will ensure that safeguards equivalent to those provided by European data protection laws are in place. Personal data relating to individuals in China mainland may be processed by Medtronic in countries outside of China mainland. Where this occurs, it will be done in compliance with local laws, including the Personal Information Protection Law.

In this case, data will be stored on an Amazon Web Services instance located in Frankfurt, Germany.

For more information on the safeguards implemented by Medtronic please contact us via email at rs.globaldataprivacyoffice@medtronic.com.

Medtronic respects your ability to make choices about your personal data.

Your privacy rights

While these rights vary depending on where you are, you may have some or all of the following rights:

• Know: you may have a right to know of or confirm the existence of your personal data, any processing we do with it, and review our practices of data collection and processing, such as knowing what categories of personal data we process, our purposes of processing, and categories of party to whom we disclose.
• Access and portability: you may have a right to access your personal data, accessing specific pieces of information, and knowing to which third parties your data was disclosed. You may have a right to obtain a copy of your data, including in a machine-readable format.
• Correction: you may have a right to correct or amend your data if it is incomplete, inaccurate, or outdated.
• Deletion or elimination: you may have a right to request your personal data be deleted or eliminated. Subject to applicable law, we may deidentify this data in certain circumstances.
• Restriction: you may have a right to restrict processing of your data in some circumstances, such as if processing is excessive or unlawful, the accuracy of the data is contested, the controller no longer needs the data for its primary processing purposes but is needed for legal or compliance purposes, or if (in California) the data is sensitive personal data like health information and it is being used for purposes beyond those reasonably necessary to perform services or provide goods requested.
• Objection and opt-out: you may have a right to object to or opt-out of processing of your data in certain circumstances, including in cases where that data is used for direct marketing (including email or telephonic marketing), shared with third parties for their own marketing or for retargeted/cross-contextual marketing, sold to third parties, used to make certain decisions or profiles about you by automated or artificial means, used for historical or scientific research, or used to place automated/prerecorded voice telephonic messages to you in some cases.
• Consent: you may have a right to consent, and to withhold or withdraw that consent, for some practices, including processing of sensitive personal data or data on children, or where we use consent as our lawful basis for processing or transfer. If you withdraw consent, we will not further collect or process the personal data covered by that consent unless allowed or required by applicable law
• Non-discrimination: you will not be discriminated against for your exercise of your rights. This does not necessarily include, depending on applicable law in your jurisdiction, cases where a difference in price or services offered is reasonably related to the value provided by your data, or where you consent to participate in a voluntary loyalty or similar incentive program.
• Appeal internally: you may have a right to appeal a decision we make about the exercise of your rights within Medtronic.
• Complain externally: you may have a right to complain to a regulator, including a Data Protection or Supervisory Authority or a trade standards authority, if you are not satisfied with our response to your request, such as not having responded to you within a reasonable time or you disagree with our determination, or have concerns about our data practices. If you ask us, we will try to provide you with information about complaint pathways that may be open to you depending on your location and circumstances.

Exercising your rights

You or your authorized agent may exercise these rights at any time or contact us with any inquiries by contacting us using the information provided in the “Contact Medtronic” section below. United States residents can file a rights request here as well. You do not have to create an account with us to submit a request.

We will confirm and then respond to your request in the time required by applicable law. If we need more than that time, we will notify you that your request is being delayed as allowed by applicable law. Once we have received and verified the requested information from you, we will contact you with our response to your request, including any data, if applicable. If we do not hear from you or are unable to verify your identity for the request, we will contact you to inform you that we cannot process your request because we cannot verify your identity.

We can only respond to your request if it is verifiable. This means we are required to take reasonable steps to verify your identity or your authorized agent’s authority and your right to access the information you request. In verifying your request, we may contact you to ask for additional information that will help us do so, including government-issued IDs containing your name and address, utility bills containing that same information, and/or unique identifiers like usernames. We will only use that additional information in the verification process, and not for any other purpose.

We may charge a reasonable fee in some geographies to process or respond to your verifiable consumer request only if allowed by applicable law, for instance if your request is excessive, repetitive, or manifestly unfounded and assessing a fee is acceptable in that case in your location. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

We understand the importance of safeguarding the personal data of children. We consider children to be individuals under the age of 13 globally, or the equivalent age as specified by law in your jurisdiction if greater (such as 14, 16, or 18). We implement additional protections on data about children. We do not intentionally collect personal data from children unless we have received verifiable parental consent. If you believe we have collected personal data from a child, please contact us using the information found in the “Contact Medtronic” section below.

The privacy and security of your data are important to us and you. As data privacy requires data security, Medtronic implements security measures to protect your personal data from unauthorized processing, including disclosures, alteration, destruction, access, or use. While we implement security measures, please note that perfect security is not possible, and no transmission or storage of information is guaranteed to be completely secure. Please take care, especially when communicating with us via email or unencrypted methods, in deciding what information you send to us and how you send it.

United States of America

HIPAA and Protected Health Information. This notice does not apply to our data processing activities and practices for Protected Health Information, which is regulated under the Health Insurance Portability and Accountability Act of 1996. In those cases, you may have received a Notice of Privacy Practices from Medtronic or your health care provider which will govern that data use.

Deidentifying data under HIPAA. Where we operate under HIPAA (the Health Insurance Portability and Accountability Act of 1996) as a Covered Entity or Business Associate, we may deidentify data under HIPAA’s Privacy Rule using either the “Safe Harbor” method (which calls for the removal of a set list of identifiers) or the “Expert Determination” method (which calls for an independent expert to use statistical analysis to determine if a particular data set is reasonably identifiable). This data will be “deidentified data” as well.

Enterprise-wide data practices over the past twelve months. The statements in this notice indicate Medtronic’s data processing activities as currently effective as well as in the past twelve months for these products and services. In addition to those statements, Medtronic has not collected, used, or disclosed additional categories of data, sold or disclosed data, or sourced data from additional sources to those noted above in the past twelve months for the products and services described by this Privacy Notice. Additional information about data we have processed within Medtronic across products and services can be found at our enterprise Privacy Notice, noted at the top of this document.

We may change this notice at any time. When there is a change to our privacy notice, we will post the updated version of our notice here. We also detail significant changes to this statement below:

• At this time, no significant changes have been made to this statement.

General inquiries. You may contact us with data and privacy questions by emailing rs.globaldataprivacyoffice@medtronic.com (in all geographies) or calling us at +1 (866) 639-6907.

Our general-purpose corporate mailing address is at Medtronic, Inc. 710 Medtronic Parkway Northeast, Fridley, Minnesota 55432-5603, United States.

For questions from or relating to the European Union, you can also e-mail rs.privacyEurope@medtronic.com.

Data Protection Officers. Our European Data Protection Officer may be contacted by post at Medtronic Ireland, Attn: Data Protection Officer, 20 Lower Hatch Street, Dublin 2, Ireland, or by email at europeanDPO@medtronic.com.

Our ANZ Data Protection Officer may be contacted by post at Medtronic Australasia Pty Ltd, Attention: ANZ Privacy Office, 2 Alma Road, Macquarie Park, NSW 2113, Australia, or by email at askdpo@medtronic.com.