Privacy Notice

BASIC INFORMATION ON DATA PROTECTION

INFORMATION TO HEALTH CARE PROFESSIONALS (HCPS) / HEALTH CARE ORGANISATIONS (HCOS) AND THEIR CONTACT PERSONS

Data controller and Data Protection Officer	Medison Pharma Trading AG (address: Neuhofstr. 4, 6340 Baar, Switzerland, "we", "us" or "Medison").
Purposes and legal basis	We will use your personal data to (i) perform contractual obligations with you as our contractual partner or with the entity you work for or you represent; (ii) communicate with you regarding congresses or other events or services that may be of interest to you and sending you advertising communications on our goods, services, scientific events and market research; (iii) send to you pharma safety notifications (iv) handle adverse effects reports you made to us. (v) conduct and schedule visits and meetings with you or the entity you work for or represent; (vi) conduct business intelligence for strategy planning by analysing and profiling you for the better understanding of the characteristics and dynamics of the particular market and its professional participants (including you). (vii) comply with our legal obligations so we may report to the organization and sponsorship of events and we comply with related record keeping obligations; and to comply with our tax and accounting obligations regarding sponsored events and grants. If you do not provide your personal data, we may not be able to provide to you services or otherwise achieve the purposes of data processing.
Data recipients	Within our company only those employees have access to your data whose access is necessary for carrying out the above-mentioned purposes. Your data may be shared with other affiliated Medison group companies, third parties (e.g., business partners, our service providers) and, in accordance with applicable law, governmental authorities, courts, external advisors, and similar third parties. We will share your data with recipients within and outside the European Union; however if we do so, we will provide appropriate guarantees while preserving the security of your data.
Rights	You have the right to access, rectify and delete your data, or to object to the data processing; as well as other rights, as detailed in the Additional information.
Additional information	For more information, please refer to our Full Privacy Notice last updated on October 2025

FULL PRIVACY NOTICE

INFORMATION TO HEALTH CARE PROFESSIONALS (HCPS) / HEALTH CARE ORGANISATIONS (HCOS) AND THEIR CONTACT PERSONS

This Full Privacy Notice ("Notice") is intended for Health Care Professionals (HCPs) / Health Care Organisations (HCOs) and their contact persons being in contact with Medison Pharma Trading AG (Address; Neuhofstr. 4, 6340 Baar, Switzerland, e-mail: privacy@medisonpharma.com, "We" or "Us" or "Our company", including all grammatical permutations of each of those words) who are natural persons and who serve as contact persons for HCOs, such as managers and employees (collectively referred to below as "contact persons" in the following).

Information about contact persons is referred to as "personal data". We act as a responsible controller of your personal data.

Please note that this is a master Notice and some of its provisions only apply to individuals in certain jurisdictions. For example, the legal bases explained below are only relevant to GDPR-protected individuals.

What kind of personal data do we process?

Your personal data may be provided to us directly by you, contact persons of HCOs or we may source your data from public sources (such as the company register). Such personal data may broadly be grouped into the following categories:

• Identification data, such as name; representative's name, place and date of birth; passport, tax ID and other identification documents;
• Contact details, such as address, e-mail address and telephone number(s);
• Job related information, such as profession, working place, CV of HCPs, physician masterfile;
• Contract information, such as the subject of the agreement and description of the economic transaction, grant provided to HCPs, copy of the professional service agreement concluded with HCPs;
• Banking details, such as bank account number and payment details;
• Communication details, such as email content, business letter content and business documents.

If you are our contact person, typically, we (i) would have information about your name, position and contact details such as e-mail address, telephone number and (ii) will not obtain or otherwise keep information that could be deemed to be "sensitive". We will use the information about you for purposes that are routine within our business relationship with you and your employer such as regular contacts in respect of our services, including information, as well as invitations to certain events or general information about us.

If you do not provide your data, we may be unable to perform the contract with you or your employer or the entity you represent, to provide services to you or to comply with the applicable legislation.

What is our legal basis for processing personal data?

We rely on the following legal bases in order to process your personal data:

• Contract: If you are a natural person contractor, the normal basis for using personal data is the performance of the contract or ancillary agreements between us and you or taking steps to enter into such agreements upon your request based on Article 6(1)(b) of the GDPR. Providing your personal data is voluntary; however, if you do not provide your data, we might not be able to enter into a contract with you or perform the contract.
• Legitimate interests:
  • Performing contractual obligations: We have a prevailing legitimate interest in performing our contractual obligations and to exercise our rights deriving from our contractual relationships with the company or entity you work for or represent. If you have an agreement or business contact with us, it is reasonable for you to expect that your data will be processed to facilitate contract performance, including communications.
  • Conducting business intelligence: We have a prevailing legitimate interest in developing our business strategy reflecting the characteristics and dynamics of the particular market and its professional participants by analysing and profiling our partners' professional activities in market research projects. You as HCP may reasonably expect that your data will be processed for this purpose and you may any time object to data processing.
  • Data transfers within Medison group companies: Our company is the member Medison group and we have a legitimate interest in transferring personal data to other group member companies in order to facilitate these companies in performing supervising activities over our operations, including compliance, financial and legal obligations (e.g. pharmacovigilance reporting). This data processing is necessary to achieve our internal management goals and the realization of corporate functions connected to our operations and corporate structure involving the transfer of personal data within the corporate group for administrative purposes. The relevant intra-group data transfer guarantees include strict data security and confidentiality obligations among Medison Group Members and the fact that, on a "need-to-know" basis, only a limited range of specific persons will have access to your personal data. In light of the foregoing our position is that data subject rights relating to the protection of personal data are not affected disproportionately by the intra-group data transfers.
• Consent: in certain cases we may ask for your consent to process your data (pursuant to Article 6(1)(a) of the GDPR); this may include sending newsletters and other promotional communications to you. If and to the extent we rely on consent to process your data, you will have the right to withdraw your consent at any time. The withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal
• Legal obligation: we may process your data on the basis of our legal obligations including but not limited to obligations under taxation and/or accounting laws (pursuant to Article 6(1)(c) and (e) of the GDPR) or to comply with our reporting obligations to the applicable government entities regarding events sponsored by us and grants provided by us.

If you act in the name and on behalf of a legal entity or you are an employer, by providing personal data to us, including your contact person's data, you warrant that: (i) you have been authorized by the contact person individual to provide such data; (ii) you have notified the contact person about the contents of this notice; and (iii) you will provide us with any updates or changes to that personal data.

Why do we use your personal data?

• To perform contractual obligations arisen from contractual relationships with you as our contract partner.
• To perform contractual obligations arisen from contractual relationships with your employer or entity your represent.
• To communicate with you including, direct marketing /advertising communications to you, communication for market research purposes, providing information on our goods and services and information on congresses, scientific events; sending scientific information.
• Pharmacovigilance reporting, including receiving and handling of adverse effects reports you made to us.
• To send Pharma Safety notifications to you.
• To conduct and schedule visits and meetings with you
• To conduct business intelligence for strategy planning with the analysis and profiling your professional activities in market research projects.
• To comply with our reporting and document retention requirements regarding the organization and sponsorship of events and the sponsoring.
• To comply with our tax and accounting obligations regarding sponsored events and grants.

How long do we retain your personal data?

Your personal data will be stored until we delete the record and we proactively delete it or you send a valid deletion request. Please note that in some circumstances we may store your personal data for longer periods of time, for example (i) where we are required to do so in accordance with legal, regulatory, tax or accounting requirements, or (ii) for us to have an accurate record of your dealings with us in the event of any complaints or challenges, or (iii) if we reasonably believe there is a prospect of litigation relating to your personal data or dealings.

How do we secure your personal data?

We have implemented appropriate technical, organizational and security measures designed to protect your personal data. However, please note that we cannot guarantee that the information will not be compromised as a result of unauthorized penetration to our servers. As the security of information depends in part on the security of the computer, device or network you use to communicate with us, please make sure to take appropriate measures to protect this information.

Who may have access to personal data?

Within our company only selected employees may have access to your data on a "need to know" basis.

We may transfer personal data to third parties for the following reasons:

• Medison group companies: Our company as the member Medison group may transfer your personal data to our group member companies.
• Vendors: our company uses externally provided IT-systems or services provided by third party vendors to support our internal processes. Personal data may be made available to such vendors to be used for the purposes of the particular system or service, and subject to appropriate data processing agreements between our company and the relevant vendor.
• Contractual partners: Your data may be transferred to our partners in case of a joint event sponsored by them.
• To the extent necessary, with regulators, courts or competent authorities, to comply with applicable laws, regulations and rules (including, without limitation, federal, state or local laws), and requests of law enforcement, regulatory and other governmental agencies or if required to do so by court order.

In the event that we are acquired by, or merged with, a third party entity, or in the event of bankruptcy or a comparable event, we reserve the right to transfer, disclose or assign your personal data in connection with the foregoing events, including, in connection with, or during negotiations of, any merger, sale of company assets, consolidation or restructuring, financing, or acquisition of all or a portion of our business by or to another company.

In order to receive the full list of the recipients of your personal data, please contact us at privacy@medisonpharma.com.

International data transfers

In the event your personal data is transferred to persons in third countries that are located outside the European Economic Area ("EEA"), we will ensure that the personal data is subject to measures that provide an equivalent level of protection as provided by data privacy laws in the EU (such as the EU General Data Protection Regulation; GDPR).

Your personal data for data hosting purposes may be transferred to Medison Pharma Ltd. (Hashiloach 10 Petach Tikva, Israel). Israel has been recognized as a country providing adequate protection to personal data pursuant to Article 45 GDPR.

What are the rights of private individuals?

A consent given to us to keep or otherwise use personal data can always be withdrawn. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. In addition, under the conditions set out under applicable law (i.e., the GDPR), you have the following rights:

1. Right of access: You have the right to obtain from us confirmation as to whether or not personal data concerning you is being processed, and, where that is the case, to request access to the personal data. The access information includes – inter alia – the purposes of the processing, the categories of personal data concerned, and the recipients or categories of recipients to whom the personal data have been or will be disclosed. You have the right to obtain one copy of the personal data undergoing processing. If you request additional copies, we may charge a reasonable fee based on administrative costs.
2. Right to rectification: You have the right to obtain from us the rectification of inaccurate personal data concerning you. Depending on the purposes of the processing, you have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
3. Right to erasure (right to be forgotten): You have the right to ask us to erase your personal data.
4. Right to restriction of processing: You have the right to request the restriction of processing your personal data. In this case, the respective data will be marked and may only be processed by us for certain purposes.
5. Right to data portability: You have the right to receive the personal data concerning you which you have provided to us in a structured, commonly used and machine-readable format and the right to transmit that personal data to another entity without hindrance from us.
6. Right to object: You have the right to object, on grounds relating to your particular situation, at any time, to the processing of your personal data by us and we can be required to no longer process your personal data. Doing so you may prevent us from being able to provide you with information on our services going forward. If you have a right to object and you exercise this right, your personal data will no longer be processed for such purposes by us. Exercising this right will not incur any costs. Such a right to object may not exist, in particular, if the processing of your personal data is necessary to take steps prior to entering into a contract or to perform a contract already concluded.

Please note that the aforementioned rights might be limited under the applicable national law.

In case of complaints you also have the right to lodge a complaint with the competent supervisory authority in the particular Member State of your habitual residence for alleged infringement of the GDPR.