Ocular’s Compliance Program

C.  HOW WE COLLECT YOUR PERSONAL DATA
Our collection of your Personal Data depends on the nature of the Services, how you interact with our Services, and our relationships with third parties.

Personal Data You Provide
We ask and collect Personal Data directly from you, your representatives or agents, or through our Services, when, for example, you:

• Contact us by email, phone or mail, either using addresses or numbers posted on our websites or when you contact our employees directly;
• Sign up on our websites to receive clinical, promotional, disease awareness, or other information about products or services we offer or plan to offer in the future;
• Sign up for investor relations information, including our financial performance information;
• Process reports of Suspected Adverse Reactions or Product Quality Complaints; Request donations from us;
• Process complaints or allegations of non-compliance with company policy or law;
• Evaluate partnership opportunities with you or your organization;
• Subscribe to receive email notifications or other publications;
• When you call us or visit us (automatically), such as when we record calls to our call centers or use CCTV cameras in our facilities;
• Enter a promotion or survey;
• Give us some feedback;
• Provide unsolicited information to us;
• Provide information to us as our business partner;
• Apply for employment, consulting, outsourcing, or vendor opportunities with us or when you become an employee, consultant, service provider, or vendor;
• Provide, manage, and monitor access of our facilities, equipment, systems, and Services;
• Express interest in participating in our clinical trials or other studies and research programs; and/or
• Take steps towards consummating, managing, and performing a contractual relationship with Ocular, including compensation, payment, and compliance.

Depending on the Services and interactions with us, we may not be able to provide you with access to or use of the Service if you do not provide us with your Personal Data where required. Also, with respect to the Personal Data of another person, you are responsible for ensuring that you have the permission or legal right to provide us with such Personal Data.

Collected From Other Sources
Where permitted by applicable law, we may obtain your Personal Data from various other third-party sources, including the following categories:

• Our affiliated entities;
• Healthcare providers (including specialty pharmacies);
• Health insurance companies (health plans) and other payors;
• Your authorized/legal representatives, employer, family members, and caregivers;
• Payment processors and other financial institutions;
• Recruitment agencies, research facilitators, and clinical research organizations;
• Publicly available sources such as government records;
• Consumer reporting agencies and other third parties who verify the information you provide;
• Advertising partners and other third parties and vendors who provide digital marketing services;
• Third parties who provide website and online security services;
• Third parties who provide benefit verification, program enrollment, and product fulfillment services in connection with our products and Services;
• Third parties who help us maintain the accuracy of our data and data aggregators that help us complete and enhance our records;
• Third parties who provide digital marketing and analytics services for us using Usage Technologies that contain a unique identifier, such as an advertising ID;
• Third parties that provide access to information you make publicly available, such as social media platforms;
• Third parties who provide us with supplemental consumer data or data analytics and market research services, such as data aggregators;
• Third parties who assist us with fraud prevention, detection, and mitigation;
• Third parties who facilitate, process, and complete business processes for us, such as resellers, deliverers, sales agents, payment facilitators, program partners, and IT and business process outsourcing providers;
• Third-party contract research organizations managing clinical research on our behalf; and
• Academic institutions and data analytics providers.

Collected Through Automated Means
We also may obtain your information through automated means that identifies you or that is combined or linked with other Personal Data we collect from or about you. Such Personal Data includes the following:

• Technical Activity and Usage Data from analytics providers such as Google, advertising networks, search information providers, social media networks, and other digital marketing and advertising partners and providers;

For more information on the collection and use of Technical Activity and Usage Data through the use of Usage Technologies, see the section below “Cookies and Other Tracking Mechanisms” and our Cookie Notice.

Cookies and Other Online Tracking Mechanisms
Our online Services collect certain information automatically from the device or browser that is used to access and use such Services. This information is analyzed when interacting with these Services, our marketing or advertising, social media pages, and email communications. Some of this information is also automatically collected by others on our behalf. The collection is generally done through the use of technical activity and usage technologies, known as cookies, web beacons, tags, pixels, and other similar technologies (collectively, “Usage Technologies”) to recognize you, the device, or browser used to visit our digital Services, such as websites or mobile apps. Usage Technologies can consist of small bits of data cached or stored on your device while you use these Services, visit other third-party sites or tools, or navigate to our Services from such third-party sites or tools. Our emails to you also contain these Usage Technologies to help understand when you open an email, interact with images or links within it, or otherwise reply to the communication. We collect and use this information to help our Services function effectively, improve the Services, and assist us with our marketing. For more information on our use of Usage Technologies and the information we collect, see our Cookie Notice.

Combination of Information
Subject to and in accordance with applicable law, we combine the information we receive from and about you, including information you provide to us and information we automatically collect through our Services, as well as information collected from other online sources or from third-party sources, to help us tailor our communications to you and to improve our Services.

D. WHY WE PROCESS AND DISCLOSE YOUR PERSONAL DATA
Our Processing of Personal Data
During the past year we have used and disclosed, and will continue to collect and maintain, your

Personal Data to:

• Comply with or fulfill a request that you have made, including where coordination with third parties is required, such as to deliver Services that you have requested;
• Determine program, product, and service eligibility;
• Respond to your questions, comments, or concerns;
• Enter into, maintain, and develop our business, professional or contractual relationship with you and your representatives;
• Validate, confirm, verify, and track your account, and products or services you have ordered or received (including to contact you about these);
• Manage communications with you or about you;
• Run our business in the ordinary course, including improving user experience, ensuring the proper functioning of the company and our Services, to procure vendor/supplier products and services, to manage and satisfy our contractual relationships and obligations, for product and service development, improvement, and maintenance, engage in joint marketing initiatives, advertise and promote products and services, and provide access to, monitor, and secure our facilities and other property, for adverse experience and product complaint reporting, and manage outsourcing relationships and services;
• Provide and maintain personalization, including to process and manage your participation in unique interactive features of our Services (when you choose to do so), provide secure access to your account, technical support, respond to your inquires, deliver personalized content and communications, send you requested notifications, manage your enrollment in our programs and services, send you personalized surveys and feedback requests, and to analyze and better understand your needs, preferences, and interests, and that of others;
• Protect and manage the security and integrity of the Services, data, products, technology, and our business, and to enforce our policies, procedures and compliance;
• Provide access to, monitor, and secure our facilities, equipment, and other property;
• Conclude or consider a sale, merger, consolidation, change in control, transfer of substantial assets, reorganization, or liquidation of our business (in whole or in part);
• Convert your Personal Data into aggregate, non-identifying, anonymized, or pseudonymized information as permitted under applicable law;
• Interact with third-party services based on your requests or when use any of the Services to connect with third-party services; and
• For any other purpose where you have provided consent where it is legally required.

Marketing
In addition to the above, we may use your Identity Data, Contact Data, Technical Activity and Usage Data, and Profile Data for unique or interest-based marketing and advertisements, such as to form a view on what we think you may want or need, or what may be of interest to you, and to send or have sent to you information about products, services, and information you may want or need. Depending where you live, our use of your Personal Data for marketing and advertisements are based on the following permissions:

• At your request: You have requested this information from us.
• Consent/Opting in: You provided your express consent for our use and sharing of your Personal Data for marketing and advertising communications and related purposes.
• Opting out: You have not opted out from receiving our and our partners’ marketing communications using the features or preference tools made available to you under applicable law.  Note, however, that even if you opt out of receiving these marketing communications, we may still email you in order to provide a product or service that you request.
• Usage Technologies: You have enabled the use and delivery of Usage Technologies in your device or browser which permits delivery and management of personalized or contextual marketing and advertising.
• Third-Party Analytics: You have not disabled or opted out from marketing, tracking, or profiling with third-party web analytics services (such as those of Google Analytics).  For more information on third-party Usage Technologies, see the section “Cookies and Other OnlineTracking Mechanisms” above and our Cookie Notice.

Do-Not-Track Signals
Our system may not respond to Do Not Track requests or headers from some or all browsers. Certain parts of our digital Services also include advertisements from third parties. You can opt out of being targeted by certain third-party ad-servers and Ocular-served ads online by following the instructions described in our Cookie Notice.

Other Disclosures of Personal Data
In addition to the above, we may also disclose any Personal Data we collect to the following recipients for the purposes listed above:

• Our Affiliates and Business Partners: Our affiliates and business partners may use your Personal Data for the purposes described above, including for market research, academic research, evaluation of interest in clinical research, and business intelligence and analysis.
• Service Providers: We may share your personal data with contractors, suppliers, and other vendors who provide services on our behalf and at our instruction, such as assisting with processing and fulfilling orders; delivery and logistics; data storage; fraud prevention; data and services analytics, including the placement and use of Usage Technologies, our communications, advertising, and marketing, including to assess the effectiveness of our advertising and marketing efforts; or other services in support of our business.
• Third Parties as Required by Applicable Law: We may be required to disclose your Personal Data where required under applicable laws, such as to show compliance with a legal obligation, conduct audits, comply with our regulatory monitoring and reporting obligations, in defense of claims against us and to protect the health and safety of others, respond to a subpoena, enforce a contact, or to comply with specific disclosure obligations by the U.S. Customs and Border Protection, U.S. Internal Revenue Service, the U.S. Food and Drug Administration, and other government agencies, regulators and authorities.
• Professional advisers: advisors (e.g., lawyers, bankers, auditors and insurers) who, for example, may provide consultancy, banking, financial, legal, insurance and accounting and payroll services.

We do not allow our third-party service providers to use your Personal Data for their own purposes and only permit them to process your Personal Data for specified purposes and in accordance with our instructions.

E. DATA RETENTION
We will retain your Personal Data for as long as necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for Personal Data, we consider the amount, nature, and sensitivity of the data, the potential risk of harm from unauthorized use or disclosure of your Personal Data, the purposes for which we process your Personal Data and whether we can achieve those purposes through other means, and the applicable legal requirements, or we are otherwise permitted to retain the Personal Data for other uses, such as to process returns, recalls, or other administrative needs related to our products and Services. Where Personal Data is used for more than one purpose, we will retain the Personal Data until the purpose with the longest retention period expires.
In some circumstances we may anonymize or pseudonymize your Personal Data (so that it can no longer be associated with you) for research or statistical purposes. There may also be circumstances where data is retained until it is manually deleted by Ocular.

F. THIRD-PARTY SITES
Our digital Services may contain links to other third-party websites that are not owned, controlled, reviewed or monitored by us. Please be aware that we are not responsible for the privacy policies of such other sites or how these sites operate or treat your information. We encourage you to read the privacy policies and terms and conditions of each and every third-party website.

Please note that linked third-party websites may also use cookies or other Usage Technologies. We cannot control the use of these Usage Technologies by these third-party websites.  For example, when you link from this site to a third-party website, that website may have the ability to recognize that you have come from our site by using Usage Technologies.  If you have any questions about how third-party websites use these Usage Technologies, you should contact such third parties directly.

G. CHILDREN’S PRIVACY
Ocular does not expect that any portion of its Services will be used by persons under the age of 16, and we do not knowingly collect Personal Data from anyone under the age of 16. If we learn that we have received Personal Data from someone under the age of 16, we will delete that information in accordance with applicable law.

If a parent or guardian becomes aware that his or her child has provided us with Personal Data, he or she should contact us as described in Section M, “How to Contact Ocular.”

H. DATA SECURITY
We take appropriate measures to manage the privacy of your Personal Data and the security of the Services. We have implemented certain commercially reasonable physical, administrative, and technical measures to safeguard Personal Data from unauthorized or accidental loss, use, access or acquisition. While we take reasonable steps to protect the integrity and security of our data, network and systems, due to the nature of the Internet, there is a possibility that unsecured (unencrypted) email or Internet transmissions could be intercepted and read by third parties. Therefore, you should take special care in deciding what information you transmit via e-mail, in a sign-up form or via other Internet transmission, and that your connection is secure.

When we share your Personal Data with our third-party providers and business partners, we impose obligations of confidentiality and security consistent with this Notice.

I. CROSS-BORDER TRANSFERS OF PERSONAL DATA 
International data transfers refer to transfers of your Personal Data outside the country in which you reside, either directly by you (such as when you access our Services located in the U.S. from outside the U.S.) or by a third-party exporter that has collected your Personal Data on our behalf.  This includes the transfer of Personal Data to a jurisdiction that may not have the same levels of data protection as the country where you reside.  In certain cases, we may need to share, transfer, store, or otherwise process your Personal Data in locations outside of the jurisdiction in which you reside or are located. When we transfer Personal Data, we do so in accordance with applicable laws.

Where we transfer data outside of the European Economic Area or the United Kingdom to other countries, we adopt appropriate and suitable safeguards, including the European Commission’s Standard Contractual Clauses and the United Kingdom’s Addendum thereto, to safeguard Personal Data being transferred to countries where an adequate level of protection is not already guaranteed. For more information on our safeguards, contact us using the information in Section M, “How to Contact Ocular.”

Australia has adopted the Privacy Act 1988 (Privacy Act) and the Australian Privacy Principles (collectively “Australian Privacy Laws”). If you are in Australia, you acknowledge and consent to us not being required to take any steps to ensure that overseas recipients of your Personal Data comply with the Australian Privacy Laws. If the overseas recipient handles your Personal Data in breach of the Australian Privacy Laws, we will not be liable, and you will not be able to seek redress under the Act.

J.  YOUR PRIVACY RIGHTS AND CHOICES
If you are a clinical trial subject, please contact the Principal Investigator on the relevant study to inquire about and exercise your data protection rights.

All other individuals may have various choices with respect to how and when we collect, use, or share Personal Data. For example:

• You may choose to opt out of receiving direct marketing, commercial emails, and other educational materials from us about our products and services by following the instructions contained in the communications we send or, at any time. Please allow five (5) business days for your request to be processed. Please also note that even if you unsubscribe, we may still send you transactional or administrative communications, including, for example, to manage any account you have with us, respond to your requests, execute agreements with you, provide you with products requested, and manage your interaction with us.
• If you are located in the European Economic Area or the United Kingdom, we will only send you direct marketing communications with your consent, unless otherwise permitted by applicable law.
  You may opt out from the collection of your Personal Data through automated means, such as Usage Technologies, as explained in our Cookie Notice.
• Ocular may require you to provide certain Personal Data in order for you to, for example, receive additional product information or information about a disease state. You could decide not to submit any Personal Data at all by not entering it into any forms or data fields and not using any available personalized services.
• If you have filled out a form that stores data within our database and wish for the data to be anonymized or removed, or believe the Personal Data we have collected is out of date or incorrect, you may contact us as provided in Section M, “How to Contact Ocular.”

You may also have certain data protection rights and choices under applicable data protection laws concerning the processing of your Personal Data, in addition to those described elsewhere in this Notice.  For example, in some locations, including the European Economic Area, the United Kingdom, and certain U.S. states (such as California), privacy or data protection laws may give you certain rights with respect to your Personal Data. These rights may include:

• The right to request access to your Personal Data, which includes the right to obtain confirmation from us as to whether or not Personal Data concerning you is being processed, and where that is the case, access to the Personal Data and information related to how it is processed;
• The right to rectification or erasure of your Personal Data, which includes the right to have incomplete Personal Data completed, including by means of providing a supplementary statement, and certain rights to request that we erase your Personal Data without undue delay;
• The right to restrict or object to processing concerning your Personal Data, which includes restricting us from continuing to process your Personal Data under certain circumstances (e.g., where you contest the accuracy of your Personal Data, processing is unlawful, your Personal Data is no longer needed for the purposes of processing, or you have otherwise objected to processing related to automated individual decision-making);
• The right to data portability, which includes certain rights to have your Personal Data transmitted from us to another controller;
• Where data processing is based on your consent, the right to withdraw consent at any time; and
• The right to lodge a complaint with the competent supervisory authority.

Ocular will not discriminate against you for exercising a privacy right granted to you by law.

Otherwise, to find out more about your legal rights or to exercise any privacy rights that apply to you, please contact us using the information included in Section M, “How to Contact Ocular.” In your email, please include your full name, zip code or postal code, the email address at which you prefer to be contacted, and the privacy right(s) you are requesting, such as the removal of information about a particular transaction or the correction of specific information. Please check your incoming email messages in case we need to ask you more questions about your request. Note that there applicable law may restrict or otherwise provide exceptions to the exercise of these rights depending on the jurisdiction where you reside or whose laws apply to your request.  We will note these for you when responding to your request.

Certain laws allow an authorized agent acting on your behalf to make these requests, which they may do by following the instructions above. When you use an authorized agent to submit a request, you must provide the authorized agent with written permission to do so, and, in certain circumstances, we may ask you to verify your own identity directly with us. We may deny a request from an authorized agent that does not submit proof that they have been authorized by you to act on your behalf. In some instances, we may decline to honor your request if an exception applies under applicable law. We will respond to your request consistent with applicable law.

K. ADDITIONAL NOTICE FOR U.S. CONSUMERS
This additional notice applies only to information collected about residents (“consumers”) of California, Colorado, Connecticut, Maryland, Minnesota, New Jersey, Texas, Tennessee, Utah, Kentucky, and Virginia, which have comprehensive privacy legislation (collectively, “U.S. Privacy Laws”) that requires provision of a consumer privacy notice. For additional disclosures required by the Washington My Health My Data Act, the Nevada My Health My Data Act and Nevada Revised Statutes Chapter 603A:

NOTICE TO NEVADA RESIDENTS 
Section 603A of the Nevada Revised Statutes permits Nevada residents who are Ocular Therapeutix “consumers” to at any time, submit a request to an “operator” of a website in Nevada directing the operator not to make any sale of any “covered information” the operator has collected or will collect about the consumer. We do not currently “sell” or plan to sell covered information as defined in the Nevada law. If you are a Nevada resident, you may submit a verified request by contacting us by sending an email to [email protected] or calling 877-628-8998 to opt out of sales and we will record your instructions and incorporate them in the future if our policy changes. We will respond within the time required by law.

This section supplements Ocular’s disclosure of privacy practices in other sections of this Notice and provides additional instructions for submitting requests. Some portions of this section apply only to consumers of particular states. In those instances, we have indicated that such language applies only to those consumers.

The following sections also apply to this section with respect to the Personal Data we collect from or about U.S. consumers (Section B, “Personal Data We Collect”) and the sources from which we collect Personal Data (Section C, “How We Collect Your Personal Data”). We have also explained our purposes for collecting Personal Data and how we disclose it to others (Section D, “Why We Process and Disclose Your Personal Data”). Finally, you can find information about how to exercise your privacy rights (Section J, “Your Privacy Rights and Choices”) and how we retain Personal Data (Section E, “Data Retention”) above.

Please also note that this Notice does not address our collection and processing of Personal Data from employees, job applicants, other individuals with whom we interact in an employment-related context, healthcare professionals (HCPs), or other business-to-business contacts. California residents who fall into one of those categories may access our privacy disclosures applicable to them by selecting the notice that applies to them below.

• For California HCPs, click here
• For California non-HCP Business Contacts, click here
• For California Job Applicants, click here

Defined Terms User in This Section
The term “Personal Data” or “Sensitive Personal Data” as used in this section includes corresponding terms such as “Personal Information” and “Sensitive Personal Information” as defined by U.S. Privacy Laws.  The terms “Third-Party” and “Vendor” also have the meanings as defined by U.S. Privacy Laws. To the extent other terms used in this section are defined by U.S. Privacy Laws, such terms shall have the meanings afforded to them in those statutes, whether or not capitalized herein. As there are some variations between such definitions in each of the U.S. Privacy Laws, the definitions applicable to you are those provided in the statute for the state in which you are a consumer. For example, if you are a Virginia consumer, terms used in this section that are defined terms in the Virginia Consumer Data Protection Act (VCDPA) and shall have the meanings afforded to them in the VCDPA to the extent this section applies to you as a consumer residing in Virginia at the time we collect your Personal Data.

Additional Collection, Processing and Disclosure of Personal Data
During the past 12-month period, we and our Vendors have and will collect the following additional categories of Personal Data about U.S. consumers, and disclose to Vendors and Third Parties for a business purpose:

• Medical information: Information in possession of or derived from a healthcare provider, healthcare service plan, pharmaceutical company, or contractor regarding medical history, mental or physical condition, or treatment.
• Health insurance information: Insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify you, or any information in your application and claims history.
• Data Relating to a Protected Class: Characteristics of protected classifications under U.S. state or federal law.
• Commercial Information: Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
• Inference Data: Information about inferences drawn from Personal Data to create a profile about you reflecting your preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes, including inferences used to indicate Sensitive Personal Data; and
• Sensitive Personal Data: State identification card, account log-in information; financial account number in combination with any required security or access code, password, or credentials for allowing access to an account; contents of a consumer’s email and text messages, unless the business is the intended recipient.

Retention of Personal Data
In addition to how Ocular determines retention of Personal Data as provided in Section E, “Data Retention,” retention periods for Personal Data subject to U.S. Privacy Laws are also designated in Ocular’s Record Retention Policy.

Sale and Sharing of Personal Data
State privacy laws may permit consumers to opt-out of the sale of Personal Data, including when that Personal Data is provided to others in exchange for non-monetary value or to facilitate targeted advertising. Ocular does not engage in these activities as they are defined in the state consumer privacy laws applicable to Ocular.

• Disclosure for California Consumers: We will not sell or share any of the categories of Personal Data we collect about you, and we have not sold or shared Personal Data about California consumers in the past twelve months. Relatedly, we do not have actual knowledge that we sell or share Personal Data of California consumers under 16 years of age.
• Disclosure for Consumers in Other States with U.S. Privacy Laws: We do not sell or share Personal Data to Third Parties or process Personal Data for purposes of targeted advertising or profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer as the terms “sell,” “share,” “process,” “targeted advertising, “ and “profiling” are defined in such U.S. Privacy Laws.

Purposes for Processing & Disclosing Personal Data During the Prior 12 Months
We and our Vendors have and will collect and process your Personal Data (excluding Sensitive Personal Data) for the purposes described in Section D, “Why We Process and Disclose Your Personal Data” and to identify you and your device(s) for any/all purposes identified above, including to monitor your use of and interactions with programs, products, Services, and advertisements for such purposes or to help ensure the integrity of our programs and the preservation of your privacy.

We and our Vendors have and will collect and process the Sensitive Personal Data for purposes described in Section D, “Why We Process and Disclose Your Personal Data” to the extent authorized by the CCPA and its implementing regulations. When we collect and process Sensitive Personal Data, we do so as reasonably necessary and proportionate for such purposes. This includes short-term, transient use, including non-personalized advertising shown as part of a consumer’s current interaction with us; provided that we will not disclose the consumer’s Personal Data to a Third-Party and or build a profile about the consumer or otherwise alter the consumer’s experience outside the current interaction with our business.

For each category of Personal Data identified in Section D, “Why We Process and Disclose Your Personal Data,” we disclose such Personal Data to the following categories of Third Parties: Healthcare providers (including specialty pharmacies); Health insurance companies (health plans) and other payors; Authorized/legal representatives, family members, and caregivers; Third Parties that help administer, manage, and analyze our programs and services; Third Parties with whom we have joint marketing and similar arrangements; Third Parties who provide benefit verification, program enrollment, and product fulfillment services in connection with our products and services; Payment processors, financial institutions, and others as needed to complete transactions and for authentication, security, and fraud prevention; Third Parties who deliver our communications, such as the postal service and couriers; Third Parties who provide marketing and data analytics services, such as social media platforms used to deliver our ads, website/email optimization providers, email marketing vendors, and data analytics vendors; Third-Party network advertising partners; Third Parties who assist with our information technology and security programs; Third Parties who assist with fraud prevention, detection, and mitigation; Third Parties as reasonably necessary to facilitate a merger, sale, joint venture or collaboration, assignment, transfer, or other disposition of all or any portion of our business, assets, or stock (including in connection with any bankruptcy or similar proceedings); Third Parties as necessary to complete transactions and provide our products/services, including delivery companies, agents, and manufacturers; Consumer reporting agencies; Our lawyers, auditors, and consultants; and Legal and regulatory bodies and other Third Parties as required by law.

We may also disclose your Personal Data to any Third-Party with your consent or at your direction.

State Privacy Rights
You may exercise the privacy rights applicable to you by using the contact information specified in Section M, “How To Contact Ocular”. Consumers in some states may also authorize an agent to make data subject requests on their behalf.

California, Colorado, Connecticut, Maryland, Minnesota, New Jersey, Texas, Tennessee, Utah, Kentucky, and Virginia consumers have the rights with respect to the collection and use of their Personal Data specified in Section J, “Your Privacy Rights and Choices.” In addition, please note the following:

• Right to Know: You may request that we provide you with information about the following aspects of how we have handled your Personal Data specifically in the 12 months preceding your request, which is also disclosed above:
  • The categories of Personal Data we collected about you;
  • The categories of sources from which we collected such Personal Data;
  • The business or commercial purpose for collecting, selling, or sharing Personal Data about you;
  • The categories of Personal Data about you that we disclosed and the categories of Third Parties with whom we disclosed such Personal Data;
  • The categories of Personal Data about you that we sold, shared, or used for targeted advertising purposes, if applicable, and the categories of Third Parties with whom we sold or shared such Personal Data;
  • If we collect Sensitive Personal Data, the categories of Sensitive Personal Data to be collected, the purposes for which it is collected or used, and whether that information is sold or shared; and
  • The length of time we intend to retain each category of Personal Data, or if that is not possible, the criteria used to determine that period.
• Right to Access Specific Pieces of Personal Data or Data Portability: You may not exercise this right more than two times in a calendar year.
• Right to Deletion:  Please note that we may not be required to delete information under certain circumstances when applicable U.S. Privacy Laws include exemptions that allow us to retain the data in response to a request for deletion when, for example, necessary to comply with legal obligations, including those pertaining to the quality, safety, or effectiveness of a product or activity regulated by the Food and Drug Administration (FDA); complete a transaction; detect security incidents; or for certain other internal purposes.
• Verification of Data Subject Requests. We may ask you to provide information that will enable us to verify your identity in order to comply with your data subject request. We use a third-party verification service for that purpose. To verify your identity, you must provide the required information when completing the online request form or making a request, including the last 4 digits of your social security number. We will ask you to provide your contact information and additional identifiers based on your relationship with us. Before we process your request, we may match these data points with a third-party identity verification service and data points we currently maintain to verify your identity and your relationship with us.
• Appeals. California, Colorado, Connecticut, Maryland, Minnesota, New Jersey, Texas, Tennessee, Utah, Kentucky, and Virginia consumers have the right to appeal to our decisions on their requests. This section does not apply to California or Utah consumers. To appeal our decision on your data subject requests, you may contact us using the contact information included in Section M, “How to Contact Ocular.”  Please enclose a copy of or otherwise specifically reference our decision on your request, so that we may adequately address your appeal. We will respond to your appeal in accordance with applicable law.

Other California Disclosures

• California Residents Under Age 18.
• Disclosure About Direct Marketing for California Residents. California Civil Code § 1798.83 permits California residents to annually request certain information regarding our disclosure of Personal Data to other entities for their direct marketing purposes in the preceding calendar year. We do not distribute your Personal Data to third parties (as defined by California Civil Code § 1798.83) for their own direct marketing purposes. If you are a resident of California under the age of 18 and a registered user of any of the Services, then you may request that we remove any of your posts, comments, or other forms of user-generated content you have publicly posted on or in the Services. To request this removal, please send a request with a detailed description of the specific post to us using the contact information located in Section M, “How To Contact Ocular.” You also may be able to log in to your account and delete your posts. Please note that our deletion of posts may not ensure complete or comprehensive removal of your content online, as various public search and archiving services may have retained this public information, or others may have reposted your content. This content may also be stored in backup media, cached or otherwise retained by Ocular for administrative or legal purposes. Ocular may also be required by law to not remove (or allow removal) of your content
• Financial Incentives for California Consumers. Under California law, we do not provide financial incentives to California consumers who allow us to collect, retain, sell, or share their Personal Data. We will describe such programs to you if and when we offer them to you.

L.  ADDITIONAL INFORMATION FOR NON-U.S. RESIDENTS
How this Notice Applies To You
If you reside outside the U.S. and use our Services or otherwise interact with us from outside the U.S., you may have certain rights under your local data protection laws, such as the European Union’s General Data Protection Regulation if you reside in a Members State of the European Union. We recognize the privacy rights of persons residing in a country outside the U.S. with data protection laws that apply to Ocular.  If you are using our Services from outside the U.S. with such data protection laws and have questions concerning this Notice, you may contact our Global Data Protection Officer using the contact information in Section M, “How To Contact Ocular.”

The following sections also apply to this section with respect to the Personal Data we collect from or about residents in a country outside the U.S. with data protection laws (Section B, “Personal Data We Collect”) and the sources from which we collect Personal Data (Section C, “How We Collect Your Personal Data”). We have also explained our purposes for collecting Personal Data and how we disclose it to others (Section D, “Why We Process and Disclose Your Personal Data”). Finally, you can find information about how to exercise your privacy rights (Section J, “Your Privacy Rights and Choices”) and how we retain Personal Data (Section E, “Data Retention”) above.

Our Legal Bases for Processing Personal Data
Some non-U.S. data protection laws require us to designate one or more legal bases for processing your Personal Data. When applicable, we rely on the following legal bases:

• Contractual Obligations. We use Personal Data to provide the products or services you request, including validating your access to our Services; processing your purchase orders; providing customer service; and sending you administrative or transactional communications.
• Our Legitimate Interests. We use Personal Data when we have legitimate interests in doing so, as long as our legitimate interests are compatible with your rights and expectations of privacy. We rely on our legitimate interests to operate, maintain, and improve the Services and our products; perform analytics and conduct customer research; and improve our customer service and overall user experience.
• Our Legal Obligations. We use Personal Data as needed to comply with our legal obligations, including as needed for fraud prevention; public safety; complying with public authorities and courts; and enforcing or defending our rights and those of others.
• Your Consent. We may use Personal Data as described in this Notice with your “opt-in” consent, including when needed for marketing communications and use of Usage Technologies. When you consent, you may revoke this consent at any time.

M. HOW TO CONTACT OCULAR
If you have additional questions about this Notice or our privacy practices, you may contact us as follows: