SMARTHQ APPLICATION PRIVACY STATEMENT FOR EU AND UK USERS

Last Updated 1 December 2022

This SmartHQ Application Privacy Statement describes the personal information Fisher & Paykel Appliances Limited (“FPA”, “we”, “our”, or “us”) collects when you use the SmartHQ Application (the “Application”), how we use this information, with whom we share it, and the choices you have in connection with this.

The Data Controller, i.e., the party taking decisions on processing methods and purposes, is Fisher & Paykel Appliances Limited, with its registered office at 78 Springs Road, East Tamaki, Auckland 2013, New Zealand.

You may contact FPA at the contact information provided in the “Your Rights” section of this SmartHQ Application Privacy Policy.

1. INFORMATION WE COLLECT AND USE

Through your use of the Application, FPA will collect personal information, which is information that identifies you directly or indirectly, as outlined below.

A. Information Collected From You

As you use the Application, we collect personal information when you:

Register for the Application: When you register for the Application, we collect from you your personal identifiers (preferences, email address, country of residence, and information relating to your account login). You provide these personal identifiers by completing online forms during the Application setup process. The Application also creates a User ID to identify you as a registered user of the Application. We use these personal identifiers to manage your account, provide you the Application and allow you to connect your appliance to the Internet using the Application. The legal basis for this processing is performance of our contract with you. If you do not provide this information we would not be able to provide the services. We also ask whether you would like to provide your name, surname, address, and telephone number. You are not required to provide this information. If you do, we will use it to provide you secondary services not essential to the functioning of the App. The legal basis for processing is your consent. You may revoke your consent at any time, with effect going forward, by removing this information from your account profile by using the settings in the Application.

B. Information Collected From Your Mobile Device and Smart Appliance

As you use the Application, we collect personal information when you:

Connect an Appliance: When you connect an appliance to the Application utilizing WiFi or Bluetooth (the “Connected Appliance”), we automatically collect, from the appliance, data related to the Connected Appliance (software version, product information, and appliance performance and diagnostics data) and, from your mobile device, data related to your mobile device (make, model, operating system, software version) as well as information about your WiFi network (MAC Address, IP Address). We use this information to allow you to control your Connected Appliances via the Application, to notify you if your Connected Appliance has an issue, and to determine the version of the Application you are using. The legal basis for this processing is performing the contract with you. If you do not provide this information we would not be able to provide the service. We also ask whether you would like to save your home network SSID and password so that you do not need to re-type it when adding a new Connected Appliance. You are not required to save this information. If you do, it will be used only to auto-populate your login. The legal basis for processing is your consent. You may revoke your consent at any time, with effect going forward, by changing your user settings.

Utilize a Connected Appliance in Conjunction with the Application: After you have registered your account and provisioned your Connected Appliance, we automatically collect the following information (the “Connected Appliance Data”) as you use your Connected Appliance in conjunction with the Application:

1. Real-time usage information for your Appliance that depends on the type of Appliance, such as the (number of) times an Appliance is turned on or off, the type and/or number of cycles run by an Appliance, different modes used, and the date your Appliance was installed. This information is used to permit you to monitor and control your Connected Appliance. The legal basis for this processing is performance of our contract with you. If you do not provide this information we would not be able to provide the service.

2. Communication Information. We will collect information from your Appliance such as the Appliance’s IP address, MAC address, RFID and/or wifi connection. The legal basis for this processing is performance of our contract with you. If you do not provide this information we would not be able to provide the service.

3. Status and diagnostic information for your Appliances, specifically information that permits us to understand and alert you in the event there are issues that need to be repaired or corrected to keep your Connected Appliance operating as it should. The legal basis for this processing is performance of our contract with you. If you do not provide this information we would not be able to provide the service.

4. Alerts and tips for your Appliances, specifically information to provide you with alerts and tips for your use of the Appliances. The legal basis for this processing is performance of our contract with you. If you do not provide this information we would not be able to provide the service.

When you use Digital Assistants to Activate Interactive Functions: If you use a digital assistant (such as Google Assistant, Alexa or Siri) to activate the voice commands, we will collect and process the information set forth above, as conveyed by the digital assistant. Please bear in mind that the information conveyed by the digital assistant is subject to the relevant digital assistant provider’s privacy disclosures and terms. Please review them carefully.

FPA also uses your personal information collected for the above purposes to efficiently maintain our business, to comply with the law, and for other limited circumstances as described in HOW WE SHARE YOUR INFORMATION.

C. Information Collected Automatically From the Application via SDKs

In addition to the personal information identified above, when you use the Application, we and our third party providers collect via SDKs and similar tracking technologies certain information required to authenticate you and your network when you log in and use the Application as well as information required to store your preferences for the operation of your Connected Appliance. This information is used to make the app work as you expect it to and to provide enhanced functionality as described below. Some of the SDKs we use will store and retrieve information on your device, like a cookie or other similar tracker would.

Essential SDKs. We use essential SDKs that are necessary for the Application to function. The legal basis for the placement of these essential SDKs is that they are necessary for our provision of the Application. If you do not provide this information we would not be able to provide the service.

For more information on SDKs and other trackers, see our SDK Notice.

2. HOW LONG WE RETAIN YOUR PERSONAL INFORMATION

We keep your personal information for as long as needed or permitted in light of the purpose(s) for which it was obtained. The criteria used to determine our retention periods include (i) to provide you with services available on the App or with your appliance; (ii) for as long as we have an ongoing relationship with you (such as maintaining your online account or sending you a newsletter); (iii) as required by a legal obligation to which we are subject; or (iv) as is advisable in light of our legal position (such as in regard of applicable statutes of limitations, litigation, or regulatory investigations).

3. HOW WE SHARE YOUR INFORMATION

A. General Sharing

FPA may share the personal information identified in this Privacy Policy in the following instances:

Within FPA: Where necessary, FPA will share your personal information within the Fisher & Paykel Appliances Group in order to efficiently carry out business and to the extent permitted by law. The legal basis for this processing is our legitimate interest in conducting our operations efficiently.

With service providers: FPA will share your personal information with service providers that perform services on FPA’s behalf. Service providers include Salesforce and AWS.

With our Application provider: FPA will share your personal information with GE Appliances, which administers the Application. GE Appliances occasionally transfers your personal information, on an as-needed basis, to its support staff in the US and its service provider in India to provide information technology services and troubleshooting. Connected Data and account information (Device ID, User registration data (name, email, address, phone), user consent, and User ID) are stored on Salesforce servers located in Germany and France and managed by FPA.

FPA engages its processor GE Appliances to collect and store Connected Appliance Data (SmartHQ User ID, MAC address, Device ID, customer usage) on AWS servers located in Ireland with access to GE Appliances on a restricted basis. A pseudonymized extract of this data (Device ID, SmartHQ User ID, MAC address) can be accessed by GE Appliances in the United States. This information is collected directly, through your use of the SmartHQ Application.

In addition, GE Appliances employees from the US and service providers in India can access your personal information and Connected Appliance information in these cloud instances for the purpose of providing technical support and troubleshooting.

The US and India have not been granted a recognition of adequacy for the protection of information by the EU as their legal regimes allow, in certain circumstances, courts, law enforcement agencies, regulatory agencies or security authorities to access your personal information. Some of these transfers are necessary for the provision of the Application and thus these transfers are carried out pursuant to the GDPR Article 49 derogation for contractual necessity.

In the event of a corporate reorganization: In the event that FPA enters into, or intends to enter into, a transaction that alters the structure of FPA, such as a reorganization, merger, acquisition, sale, joint venture, assignment, consolidation, transfer, change of control, or other disposition of all or any portion of its assets, FPA would share your personal information with third parties, including the buyer or target (and their agents and advisors) for the purpose of facilitating and completing the transaction. The legal basis for this processing is our legitimate interest in conducting our operations efficiently.

For legal purposes: FPA will share your personal information where legally required, in response to court orders, law enforcement or legal process; to establish, protect, or exercise our legal rights, as required to contracts; to defend against legal claims or demands; to detect, investigate, prevent, or take action against illegal activities, fraud, or situations involving potential threats to the rights, property, or personal safety of any person; or to comply with the requirements of any applicable law. The legal basis for this is our compliance with the law.

4. YOUR RIGHTS

The law affords you the right to check how your data are processed and, if applicable, to restrict their use. You may exercise these rights at any time and free of charge by contacting our company and writing to the addresses specified above.

Under the EU General Data Protection Regulation and UK GDPR, you have rights we need to make you aware of. The rights available to you depend on our reason for processing your information.

  • Right of Access. You have the right to ask us for information about the personal data we have about you as well as copies of it.
  • Right to Rectification. You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
  • Right to Erasure and Right to Restriction. You have the right to ask us to erase your personal information in certain circumstances. Where our processing is based on legitimate interest, you have the right to restrict the processing of personal data. You can do that by contacting privacy@fisherpaykel.com.
  • Right to Data Portability. Where we process your personal information based on the legitimate bases of your consent or the performance of a contract, you have the right to receive the personal data we hold in a commonly used format and send the data to another controller or use it for your personal purposes.

In the event of your death, the above-mentioned rights regarding your personal data may be exercised by those who have their own interest in doing so, or act to protect you as an agent, or for family reasons deserving of protection. You may expressly prohibit the exercise of certain rights listed above by those entitled by sending a written statement to FPA at the email address provided below. The statement may be revoked or modified later on using the same procedures.

Please note that requests to erase data are subject to current legal and regulatory obligations on the storage of documents.

To exercise your rights, you may send an email at any time to privacy@fisherpaykel.com or write to:

Legal and Compliance, Fisher & Paykel Appliances Limited, P O Box 58550, Botany, Auckland 2163, New Zealand, f.a.o. Global Privacy Officer

4. INFORMATION SECURITY

FPA implements and maintains reasonable security measures to help protect the personal information that FPA collects and maintains, in accordance with industry standards, including encryption, access controls and firewalls. These measures include cyber security policies, security incident response processes (PSIRT), penetration and vulnerability testing and annual maturity assessments. While there are adequate process and technical controls in place, we cannot guarantee that our security measures will prevent malicious attacks to our systems 100% of the time.

5. AGE RESTRICTION

The Application is not intended for individuals under the age of eighteen (18). If we realise that we have inadvertently obtained the personal data of a minor, we will immediately erase their personal data.

6. CHANGES TO THIS PRIVACY POLICY

FPA may change this Privacy Policy from time to time. We may notify the changes to this application, through a push notification, by email or through an update of the application and indicate the date the changes go into effect. We encourage you to review our Privacy Policy to stay informed. If FPA makes changes that materially affect your privacy rights, we will notify you with a notification sent through the Application and obtain your consent, if required.

7. CONTACT

If you have any questions about this Privacy Policy, please contact us at: privacy@fisherpaykel.com.