Privacy Statement

The myBETAapp™ is an application offered by Bayer AG, Leverkusen, Germany ("we" or "us"), providing support to patients of Multiple Sclerosis by supporting the responsible use of Betaseron® (interferon beta-1b), tracking the injection history and offering multiple sclerosis related educational information. With this Privacy Statement, we would like to inform you about how we handle your personal data.

Which personal data is being handled?
When you use myBETAapp™ and subject to your prior explicit consent, the following personal data will be collected, processed and used:

• "Profile Data":
  • Name, place of residence, email address, password, contact data*, date of birth*, gender*, start date of using the app, opt-in date for the [Sharing of Data] functionality, last login timestamp (* if voluntarily provided by you)
• "Injection Data":
  • Date and time of your injections (manually entered or transmitted from the BETACONNECT™ auto-injector); Injection volume; Setting of the depth adjuster and the speed adjuster, Serial number of the BETACONNECT™ auto-injector
• "Wellness Tracker Data":
  • Date and time of manually entered wellness questionnaires, manually entered ratings for tracking health and wellness
• All other data which you enter yourself manually in the myBETAapp™ interface
  • e.g, used injection sites, injection notes

Please note that the fact that you are using Betaseron® and myBETAapp™ also reveals information about your health status.

How and where is my personal data stored and transferred to?
The myBETAapp™ is a cloud-based system. Hence, subject to your prior explicit consent, the above described personal data will be transmitted to and stored on a database located in the United Kingdom.

In case you make use of our call center services, the information you give to the operator will be transferred to our service provider located in the USA. In case you inquire information about your personal data stored on the database in the United Kingdom, the call center provider will receive respective information from our hosting service provider. However, we have taken appropriate safeguards to protect your personal data by having concluded the standard data protection clauses adopted by the EU Commission with our call center provider.

Who has access to my personal data?
Neither we as the sponsor of the BETACONNECT™ products, nor Medicom Innovation Partner a/s ("Medicom") - who has developed the BETACONNECT™ auto-injector, the myBETAapp™ and the BETACONNECT™ Navigator for us and who is responsible for these medical devices as legal manufacturer - wish to have access to your personal data.

Therefore, we have contracted the following service providers who handle your personal data on our behalf and who are either contractually or by law prohibited to provide us or Medicom with any access to your personal data:

• The database, where your personal data is stored, is operated by TWT Digital Health GmbH ("TWT Digital Health"), a service provider based in Germany who acts on our behalf as our data processor. TWT Digital Health has operational access to all of your personal data for technical support reasons.
• In case you have activated the [Sharing of Data] functionality and subject to your prior explicit consent, the BetaNurse and/or a HCP/Physician selected by you will have access to your personal data. An appointed Nurse Administrator will connect your account with the BetaNurse and/or HCP assigned to you. Limited to that purpose, the Nurse Administrator will have access to your Profile Data.
• In case you have technical problems or data privacy related requests, you have the possibility to contact a call center, which is operated by Convergys Global Services GmbH ("Convergys") that also acts on our behalf as our data processors.

For which purpose is my personal data handled?
Our service providers collect, process and use your personal data exclusively in order to be able to provide to you the functionalities of myBETAapp™ or for technical support reasons.

Furthermore, TWT Digital Health generates and shares with us and other companies of the Bayer Group aggregated data of at least 25 Betaseron® patients for statistical purposes (e.g. usage statistics). However, due to the aggregation process, the data we are using is anonymous and can thus not be used to identify any specific individual.

Finally, in case you report any untoward medical occurrence ("adverse event"), we are by law obliged to process and report the respective adverse event information to the competent regulatory authorities. However, these reports only contain your information in a pseudonymized form and thus no information that allows to directly identify you.

How long is my personal data stored and when will it be deleted?
Injection data older than 7 years will be deleted automatically. All other personal data will not be deleted automatically, but you can irrevocably delete your account including all data at any time by using the "Delete Account" functionality in the Settings.

What are my rights?
You have the right to

• request from us access to and rectification or erasure or restriction of processing of your personal data;
• object to a processing of your personal data;
• data portability;
• at any time withdraw any given consent or
• lodge a complaint with a supervisory authority

Who can I contact in case I have a data privacy related question or want to exercise my rights?
Since we have limited the access to your personal data to our service providers, we are not able to handle your data privacy related requests ourselves. Thus, please address any data privacy related request to our call center, who will process your requests on our behalf, using the following contact information:

Telephone: 1-844-351-5696 (Toll-free phone number)
Email: mybetaapp@bayer.com

You can reach the data protection officer of Bayer AG using the following address:
Data Protection Officer
Bayer AG
51373 Leverkusen, Germany

Changes to this Privacy Statement
We will update this Privacy Statement from time to time to reflect changes to our practices, technology, legal requirements and other factors. Please check the "Last Updated" legend at the bottom of this page to see when this Privacy Statement was last revised.

Last Updated: June 30, 2017
PP-721-US-0926