1. General information
Thank you for your interest in the MQuant® StripScan App (Merck App) and MQuant® StripScan Web (Merck Web Application) of the Merck KGaA, Darmstadt, Germany, hereinafter referred to as "Merck ". We take data protection and privacy issues very seriously and comply with the applicable national and European data protection regulations. Therefore, we would like to inform you with this declaration about data protection measures and which data we may store and how we use this data.

2. Merck App
The Merck App is an application that is operated by the Merck KGaA, Darmstadt, Germany. The Merck App is installed by the technical providers (iTunes) according to their conditions.

3. Merck Web Application
The Merck Web Application is an application that is operated by the Merck KGaA, Darmstadt, Germany.

4. Is my contact or telephone connection data accessed?
No data of your contacts or telephone connections are collected.

5. Will my photos/videos or other device data be accessed?
There is no access to your photos or videos or other device data. The MQuant® StripScan App uses the phone’s camera to take photos for reading out the MQuant® and MColorpHast® test strips. The photos are stored on the device for the result calculation and transferred to a web server for improving our services.

6. Is my location data accessed?
We collect your location, when you perform a measurement, via the GPS to display the information for you in the App. Data about your location will only be provided for you as an additional information to your result. Your location data is transferred via an encrypted connection. You can prevent access to your location data at any time by deactivating the corresponding function in the settings of your device.

7. Which connection data is collected automatically?
You can use the Merck App without having to provide any personal information. The data we store and analyze are used exclusively for statistical purposes, so that we can continuously improve our services.

Each time a user accesses the Merck App, the following data is automatically transferred to Mercks web server or to Google Analytics for technical reasons:

• address of the requesting device

• date and time of access

• name and URL of the retrieved file

• transferred data volume

• access status (file transferred, file not found etc.)

• identification data of the browser and operating system used

• name of the provider of users internet access

• website from which access is made, if applicable

This data is collected, processed and used for enabling the use of the Merck App (connection setup), system security and technical administration of the network infrastructure. A comparison with other databases or a transfer to third parties, also in excerpts, does not take place. The legal basis for processing is Art. 6 para. 1 b GDPR.

8. Is other personal data collected and processed?
We collect and process your personal data only if you request certain services and we need your data for this purpose or if you have voluntarily given us your express consent. The legal basis for processing is Art. 6 Para. 1 b GDPR and Art. 6 Para. 1 a GDPR.

You can do this, for example, by completing a registration form or sending us an e-mail, ordering products or services, submitting inquiries to us, requesting materials or registering. Unless otherwise required by law, we will only use your personal data for the purposes for which you have given your consent.

For special services such as newsletters, sweepstakes, etc. the respective special data protection provisions apply. Please refer to the data privacy statement for our newsletter.

9. Which web analysis tools are used?
The Merck App uses Google Analytics, a web analytics service provided by Google Inc. ("Google"). Google Analytics uses "cookies", which are text files placed on your device, to help the app analyze how users use the Merck App. The information generated by the cookie about your use of the Merck App is usually transferred to a Google server in the USA and stored there. Your IP address will be shortened previously by Google within Member States of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases the full IP address is transferred to a Google server in the USA and shortened there. On behalf of the operator of the Merck App, Google will use this information to evaluate your use of the Merck App, to compile reports on Merck App activity and to provide the Merck App operator with further services related to Merck App and internet use. The IP address transmitted by your browser within the scope of Google Analytics will not be aggregated with other Google data.

For more information on terms of use and privacy, please visit http://www.google.com/analytics/terms/de.html or https://www.google.de/intl/de/policies/. Please note that on the Merck App Google Analytics has been extended by the code "anonymizeIp" in order to guarantee an anonymous registration of IP addresses (so-called IP masking).

The legal basis for processing is Art. 6 para. 1 f GDPR, whereby Mercks authorization arises from the fact that, on the one hand, Merck has an interest in evaluating the app data for purposes of app optimization and, on the other hand, a concerned person can reasonably foresee at the time when the personal data is collected and in view of the circumstances under which it is carried out (in particular the above-mentioned measures) that it will possibly be processed for this purpose.

10. Which cookies are used?
We use a cookie on our Merck Web Application. If you do not want to take advantage of the cookie, you can find out in the help function of your browser how to set your browser to prevent it from accepting new cookies or deleting existing cookies. There you will also learn how to block your browser for all new cookies or which settings you have to make in order to receive a notification of new cookies. We use the cookie: PHPSESSID that stores an id of the actual session.

The legal basis for processing is Art. 6 para. 1 f GDPR, whereby Mercks authorization arises from the fact that, on the one hand, Merck has an interest in evaluating the app data for purposes of app optimization and, on the other hand, a concerned person can reasonably foresee at the time when the personal data is collected and in view of the circumstances under which it is carried out (in particular the above-mentioned measures) that it will possibly be processed for this purpose.

11. Will my data be transferred to third parties, e. g. authorities?
At Merck, those bodies within Merck receive your data that are required to fulfill our contractual and legal obligations. Some data must be disclosed under strict contractual and legal requirements:

• Due to legal obligation:

In certain cases, we are required by law to transfer data to a requesting public authority.

Upon submission of a court order, we are obliged pursuant to § 101 of the German Copyright Act to provide owners of copyright and ancillary copyrights with information about customers who are alleged to have offered copyright-protected works on internet file-sharing sites. In these cases, our information contains the user ID of an IP address allocated at the time requested and, if known, the name and address of the customer.

In other respects, personal data will only be transferred to state institutions and public authorities within the framework of mandatory national legal provisions or if disclosure is necessary in the event of attacks on the network infrastructure for legal or criminal prosecution. The legal basis for processing is Art. 6 Para. 1 c GDPR or § 24 Para. 2 No. 1 German Federal Data Protection Act.

• To external service providers for data processing:

When service providers get access to our customer\’s personal data, this usually takes place in the course of so-called order processing of personal data. This is expressly provided for by law. In this case, Merck remains responsible for the protection of your data – in addition, the processor may also be responsible. The service provider works strictly in accordance with our instructions, which we ensure by means of strict contractual regulations, technical and organizational measures and supplementary controls.

Merck works with service suppliers as processors. These are Merck Group companies and service providers for IT services (e. g. for technical-administrative tasks and for usage analysis), telecommunications, consulting and advisory services as well as sales and marketing.

The data protection regulations for instruction-bound order processing of personal data are complied with.

• To Merck Group companies:

Merck may transfer your personal data to Merck Group companies in order to carry out a business relationship with you or for the purposes of legitimate interests.

If data are transferred abroad, they are based within the EU or the EEA or in a country which, according to the decision of the EU Commission, has an appropriate level of data protection. In the case of data transfers to Merck Group companies domiciled in other countries, Merck ensures by way of guarantees that the data-importing Merck Group company has been obligated to an appropriate level of data protection.

Beyond this, we do not transfer data to third parties unless you have given your express consent, the transfer is obviously necessary for the provision of an offer or service requested by you or this is provided for by law. We also do not intend to transfer your data beyond this to a third country or international organization.

12. How long will my data be stored?
We store data for as long as it is legally necessary or necessary for the provision of the service requested by you, or as long as it has been agreed upon in a declaration of consent. If you delete data in the Merck Web Application, such as results, photos, data series, or even your account, the data are not any longer accessible for you or other users immediately afterwards. The data are then physically and irrevocably deleted after a maximal time of 30 days.

13. Do I have a right to information and rectification of my stored data? What other rights do I have with regard to my stored data?
You may at any time and free of charge request information about the scope, origin and recipients of the stored data as well as the purpose of the storage; in addition, you have the right to rectification, erasure or restriction of the processing of your data in accordance with data protection regulations, a right to object to the processing as well as a right to data portability. Please note that there is a right of appeal to a supervisory authority.

14. Can I withdraw my consent to the use of my data??
If our data processing is based on your voluntary consent, you have the right to withdraw your consent to the use of your data at any time. If you would like to withdraw your consent to the use of your data, please do so by deleting your account.

15. Who is my contact person if I have questions about data protection?
If you have any questions or comments, please feel free to contact the Group Data Protection Officer of Merck KGaA at any time:

Merck KGaA
Group Data Protection Officer
Frankfurter Strasse 250
64293 Darmstadt
datenschutz@merckgroup.com

16. How long is this data privacy declaration valid?
This data privacy declaration is up-to-date and dates from 10.04.2018. We reserve the right to amend the data privacy declaration at any time with effect for the future, in particular to adapt it to a further development of the website or the implementation of new technologies.