Legal

Privacy Notice

This Privacy Notice ("Notice") is provided to you by Establishment Labs® S.A., with registered office at Coyol Free Zone, B15, Alajuela, Costa Rica, ("ESTA", "we", "us"), together with European Distribution Center Motiva BV, with registered office at Nijverheidsstraat 96, 2160 Wommelgem, Belgium and VAT number BE 0881.512.541 RPM/RPR Antwerp ("EDC"), which processes the data together with ESTA as data controller if you are located in the EU and acts as ESTA's representative in the EU. This Notice relates to personal data that ESTA and EDC collect through miafemtech.com and other websites (establishmentlabs.com, miafemtech.com) (individually, the "Website" or collectively, the "Websites"), applications, products and services that are owned or controlled by ESTA, EDC and our affiliates (collectively referred to as "Affiliates") or by websites that post a link to this Notice. Personal data is information, either in combination with other information or on its own, that allows you to be directly or indirectly identified ("Personal Data").

This Notice is to inform you how we collect, use, disclose and store Personal Data in our role as the data controller of Personal Information when you:

  • Interact with our websites, or other communication channels, such as WhatsApp, phone call, call centre, email or any electronic means, including when downloading information.
  • Provide your personal data to enable the administration of our services and to manage our relationship with you ("Services"), such as when setting up a website or application account or collecting data to process an invoice for accounting purposes.
  • Explicitly consent to provide health-related data for registration of Mia® comprehensive coverage or product support ("Products"), such as the responsible doctor, Mia® diamond and minimally invasive system serial numbers, date of purchase and procedure details.
  • Register for or attend one of our events, webinars, live events or conferences (collectively, the "Events").

What Personal Data does ESTA collect?

Information you provide to us

We may collect Personal Data that you choose to provide to us when you access or use our websites, such as when you register for an online account or contact us through our websites, or other communication channels, such as WhatsApp, telephone call, call center, email or any electronic means. If you contact us, a record of our correspondence will be kept.

We receive and store Personal Data that you explicitly agree to provide to us in connection with the Products, such as when you register your Mia® diamonds and the minimally invasive system for Mia® comprehensive coverage. This data may include name, address, information about the procedure, the surgeon responsible, implant serial numbers, photographs, documents and other information that is necessary for the procedure.

When you use our Services or Events, we store the Personal Data you provide to us, including name, email address or other contact details. We keep records of our communications.

You may refuse to provide the requested information anywhere on our websites or application, but if you refuse, we may not be able to provide you with the requested services related to the creation of your account, the registration of your Mia® diamonds and the minimally invasive system or your right to participate in any benefits.

Automatic data collection

Websites

Depending on your tracking preferences, ESTA may use a variety of technologies, such as trackers and cookies, that collect and provide information about how our websites or applications are accessed and used. Such information may relate to your web browser, operating system, service provider, the web pages you have visited, the time and duration of your visit, as well as demographic information.

Please see our Cookie Notice for more information about the cookies and trackers used on our website.

Services

When you use the Services, network data may also be collected. The data may include log information about users (including IP addresses), usage information (types of services users use, performance metrics and computer settings) and data collected by cookies or similar technologies.

Information we collect from trusted third parties:

If your Personal Information has been collected through your (i) interactions or uses of our website, or other communication channels, such as WhatsApp, phone call, call center, email or any electronic means, (ii) registrations or attendances at our events, or (iii) for the provision of the Services, your Personal Information, as stored with our CRM service provider, may be expanded or updated to ensure that it is accurate and up to date and allows us to achieve the purpose for which it was originally collected. Please note that information used to augment and update your Personal Information, obtained from the use of third party data sets, does not constitute Personal Information but merely refers to data elements relating to your organisation's name, structure, industry and similar attributes.

Please note that we may also obtain non-personal information to supplement or update the Personal Information we already hold about you.


Personal information we collect from you on our Websites, Products or Events:

  • To customise the Website according to your interests.
  • To set up a user account.
  • To improve our websites and ensure they are presented in the most effective manner for you and your device.
  • To conduct marketing and advertising activities, to improve products and services, and to conduct surveys or trend analysis.
  • To carry out internal operations such as data analysis, testing, troubleshooting, surveys and for statistical purposes.
  • To help maintain the security of our websites.
  • To contact you by email, telephone, fax, WhatsApp, any electronic means or regular mail for medical research purposes.
  • To register your Mia® diamonds and minimally invasive system through your account, including internal record keeping, to provide customer service and to answer your questions about your Products.
  • To enable your participation in our comprehensive Mia® coverage to which you subscribe.

Our use of Personal Data may be based on our legitimate interests in ensuring security, improving business performance and network operations. In addition, our use may be based on our legitimate interests in improving business and marketing practices or in communicating with you to provide you with services or products similar to those you have already purchased from us. Direct marketing purposes are based on your consent.

The use of Personal Data for Mia® comprehensive coverage may be based on the conclusion of a contract with you and your explicit consent to use this data in the performance of the contract. In these cases, the provision of Personal Data is necessary to enable the proper execution of the Mia® comprehensive cover and to register your Mia® diamonds and the minimally invasive system. Without your permission it may be exceedingly difficult, if not impossible, to accurately obtain data to verify the implantation dates of your Mia® diamonds.

Personal information we collect from you through the administration of our Services:

  • To send customers technical notices, updates, security notifications and administrative communications.
  • To process and complete transactions and send related information, including transaction confirmations and invoices.
  • To investigate and prevent fraudulent activity, unauthorised access to the Services and other illegal activity.
  • To manage our customers' use of the Services, respond to enquiries and feedback, and provide customer service and support.
  • For any other purpose of which we notify customers and users.
  • Cookies: When users access our websites or applications, we use strictly necessary cookies and other trackers to provide authentication tools, enhance security and prevent fraud. For more information about our use of cookies and other trackers, please see the ESTA Cookie Notice.

Generally, our legitimate interests may justify the use of your Personal Data in these contexts, whether for security purposes or to improve business, such as in the investigation and prevention of fraudulent activity.

The provision of Personal Data in these cases may be necessary to enable access to some of the Services. If you choose not to provide Personal Data, you may experience unavailability of some Services.

Business Data Analytics:

If your Personal Data has been collected (i) directly from you through our Websites, Products or Events, or (ii) as part of the administration of our Services, your Personal Data may be used for business data analytics purposes, depending on the scope and purpose of such analytics.


How we may share Personal Data with third parties

Where necessary to achieve the purposes described above, ESTA or EDC may share Personal Data in the following limited circumstances:

Among our affiliates:

We may share your Personal Data within our family of companies, including ESTA, EDC and other affiliates of our organization for purposes consistent with this Notice and in accordance with our legitimate interests.

Protection of ESTA, EDC and others:

We reserve the right to access, read, preserve and disclose any Personal Data as necessary to i) comply with a law or court order, ii) enforce or apply our Agreements with you and other agreements, or iii) protect the rights, property or safety of ESTA, EDC, our affiliates, our employees, our users or others.

Disclosures for national security or law enforcement:

In certain circumstances, we may be required to disclose your Personal Data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements, based on our legitimate interests or legal obligations.

Business Transfers:

We may choose to buy or sell assets and may share or transfer customer information, including Personal Data, in connection with the evaluation of such transactions and the contracts relating thereto, and also in our legitimate interests. In addition, in the event that we or our assets are acquired, or if we go out of business, file for bankruptcy or undergo some other change of control, Personal Information may be one of the assets that may be transferred to or acquired by a third party.

Vendors, consultants and other service providers:

We may share your Personal Data with third-party consultants, service providers and other vendors we use to perform certain tasks on our behalf. For example, these companies may use web-related service providers, data warehousing, advertising or analytics services so that we can administer web servers and store information in a secure database or on backup disks.

If we transfer your Personal Data to a service provider or third party for processing, ESTA will remain responsible for ensuring that such agent or service provider processes your Personal Data to the standard required by applicable privacy laws, including the GDPR. These transfers are generally based on our legitimate interests.

For more information, please see the International Data Transfers section below.


How long we may keep personal data

Your Personal Data will be retained for different periods of time depending on the purposes identified herein. Some Personal Data may be automatically deleted based on specific plans, such as marketing information. Other information, such as account information, may be retained for longer periods of time as necessary to fulfil our contracts with you. Finally, we may retain data based on our legitimate interests or for legal purposes, such as record keeping, applicable laws or enforcement of legal rights.

Security

We are committed to ensuring the security of your personal data. We implement a variety of security measures to prevent accidental or unlawful destruction or accidental loss, misuse, unauthorised access, disclosure, alteration or destruction of data.

However, please note that no company can guarantee complete security. Therefore, despite the security measures we have implemented to protect personal data about you, we cannot guarantee that loss, misuse or alteration of data will not occur.


What are your privacy rights?

What choices do I have?

You have a number of privacy rights and you can always choose not to disclose your Personal Data to us. Please note that some data may be required in order to register with us or take advantage of certain features of our Products or Services.

If you have consented to any personal data processing activity as described in this privacy policy, you may withdraw this consent at any time. Such withdrawal will not affect the lawfulness of the processing prior to the withdrawal of consent.

If you withdraw your consent to the use of your health-related data in order to give effect to an agreement between you and ESTA or EDC relating to your subscription to Mia® comprehensive coverage, such withdrawal will also be understood as a waiver of any right or claim that exists or may exist to Mia® comprehensive coverage that may have been granted under the condition of providing the required information.

Marketing communications:

You may unsubscribe from our promotional or marketing communications at any time by accessing the following link: Contact Us - Mia Femtech. Please note that if you have an account with us and opt out of receiving marketing communications, we may still send you non-promotional communications (such as service-related communications).

Cookies:

You can change your cookie and other tracking preferences at any time by clicking on the cookie icon at the bottom of the screen on all of our websites or applications.

How do I exercise my Privacy Rights?

If you wish to access your personal data or exercise any of the rights detailed below, please submit a request to ESTA using the contact details identified in the "How to contact us" section below. Alternatively, if you are located in the EU, you may also contact EDC at the address mentioned in the Introduction to this Notice, which will then transfer your request to ESTA.

We will review your request and respond as quickly as possible, but please note that we may still use any aggregated and de-identified Personal Data that does not identify a Data Subject and use your Personal Data, as necessary, to comply with our legal obligations, resolve disputes and enforce our agreements.

Right of access:

You have the right to obtain confirmation as to whether your personal data is being processed and, if so, to request access to such personal data, as well as to other information about such processing which is also set out in this policy. Before we can provide you with access, we will first request verification of your identity in order to ensure data security.

Right of rectification:

You have the right to have inaccurate personal data about you rectified or completed if it is incomplete.

Right to erasure ("right to be forgotten"):

You have the right to request that we delete your personal data.

Right to restriction of processing:

You have the right to ask us to restrict how we use your personal data.

Right to data portability:

You have the right to receive the personal data you have provided, in a structured, commonly used and machine-readable form, and to transmit that data to another controller or to have it transmitted directly from us to another controller.

Right to object:

At any time you have the right to object, on grounds relating to your particular situation, to the processing of your personal data and we may have to stop processing your data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims. You have the right to object, at any time, to the processing of your personal data for direct marketing purposes.

Read more about the Data Subject Rights Policy.

International data transfers

ESTA is a globally operating company. Due to this fact, Personal Data of individuals who visit our Websites, use our Products or use our Services or otherwise interact with us may be transferred or accessed from around the world, such as from countries where ESTA, its affiliates or our service providers operate.

We will always protect your Personal Data in accordance with this Notice wherever it is processed. ESTA does not voluntarily or actively transfer or disclose our customers' Personal Data to governmental or law enforcement authorities ("Authorities") or grant any Authorities access to your Personal Data. In the event of a request from the Authorities, we have procedures and controls in place to ensure that such a request is assessed in accordance with our internal data protection policy.

Information for users in the European Economic Area ("EEA") or the United Kingdom ("UK"):

Due to the global nature of its operations, ESTA may transfer Personal Data from the EEA or the UK to the United States, Costa Rica and other countries, including Personal Data we receive from individuals residing in the EEA or the UK who visit our Websites or use our Services or otherwise interact with us. Where ESTA may transfer your Personal Data outside the EEA or the UK, this is based on:

  • Adequacy Decisions:
    • European Commission, pursuant to Article 45 of Regulation (EU) 2016/679 (GDPR).
    • UK Secretary of State, based on Article 45 of the UK's GDPR and Section 17A of the Data Protection Act 2018; or
  • Standard contractual clauses:
    • European Commission
    • Information Commissioner's Office (ICO)

The European Commission and the ICO have determined that the above standard contractual clauses can provide sufficient safeguards to protect personal data transferred outside the EEA and the UK. For more information, please visit https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en and https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/.

ESTA conducts impact assessments of transfers and monitors such transfers to ensure that they maintain a level of protection that is essentially equivalent to that provided by European and UK data protection laws.

This website may contain links to other websites of interest. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy statement. You should exercise caution and look at the privacy statement applicable to the website in question.

How to contact us

Contact information for the data controller:

Establishment Labs® S.A., Coyol Free Zone, B15, Alajuela, Costa Rica, +506 2434-2400.

European Distribution Center Motiva BV, Nijverheidsstraat 96, 2160 Wommelgem, Belgium, +32 3 432 41 70

Data Protection Officer:

dpo@establishmentlabs.com

This Agreement was last revised on 19 February 2024.
