Privacy Policy

TGCT & Me

1. What information does this Privacy Policy provide?

This Privacy Policy explains how Remepy Health Ltd. ("Remepy", "we", or "us") processes Personal Data of users of the TGCT-A mobile digital health application (the "App"), a digital program designed for individuals experiencing Tenosynovial Giant Cell Tumor (TGCT).

The App includes personalized wellness tracking, symptom journaling, behavioral insights, adherence tools, and engagement features.

Users whose Personal Data may be processed include individuals using the App for wellness support related to TGCT.

The App is operated by Remepy Health Ltd., located at 40 Tuval St., Ramat Gan, Israel. You can contact us at legal@remepy.com.

2. Compliance and roles under Applicable Privacy Law

For the purposes of this Privacy Policy:

Remepy acts as the Data Controller for processing activities described in this Privacy Policy (meaning we determine the purposes and means of processing Personal Data), except where explicitly stated otherwise (e.g., ATSA and/or relevant Merck group entities acting as independent controllers upon receipt of certain exported data and/or AE information, as detailed in Sections 5 and 6).

Our designated data processor ("Atos") stores and manages direct identifiers (first name, last name, email, and password) separately from our internal systems, under a data processing agreement with Remepy.

The App complies with applicable privacy laws, including the General Data Protection Regulation (EU Regulation 2016/679, "GDPR") and U.S. state privacy laws (see US Addendum).

"Personal Data" means any information relating to an identifiable individual, including health and behavioral data.

Use of this App requires the processing of your health-related information, which is only conducted based on your explicit consent, in accordance with Article 9(2)(a) GDPR. Other types of data may be processed based on additional lawful grounds, including:

Contract (Article 6(1)(b)) – for core functionality and account setup

Legitimate interests (Article 6(1)(f)) – for technical operations, security, usage analytics, and demographic-based personalization

Customer Support and Safety Reporting
Remepy operates the App’s customer support function and serves as the primary point of contact for users regarding technical issues, account access, and general App inquiries. We also provide self-help resources (such as FAQs) that do not require you to submit a support request or personal information. Support interactions are handled through our designated support platform (Zendesk) as the system of record, so that communications are securely logged, classified, and auditable. Support requests may be escalated internally for investigation or resolution (including complaint-handling or safety review where applicable), and are managed within Zendesk. Support personnel are trained on data-protection obligations and, where applicable, receive pharmacovigilance awareness training so that potential safety-related information reported through support channels is identified and handled appropriately. Privacy rights requests (data subject requests) submitted via email or support channels are also tracked through a dedicated Zendesk workflow to support deadline management and auditable handling.

3. What Personal Data is processed when using the App?

a) Profile and Account Data (Direct Identifiers)

Email address

Password

First name and last name

These identifiers are used for authentication, account administration, and personalized display within the App. Direct identifiers are handled through our identity-protection processor (Atos) and stored separately from Remepy's internal systems (see Sections 5 and 6). Remepy uses a pseudonymized identifier for ongoing processing and does not store raw direct identifiers in its backend systems.

b) Health and Wellness Information

With your explicit consent and based on your settings and permissions, we process health and wellness information you provide or that is retrieved from your device health frameworks (such as Apple HealthKit, Health Connect, or Samsung Health, depending on your device). This may include:

Physiological and activity metrics (e.g., heart rate and activity/fitness measures such as steps, distance, exercise/workout summaries, calories, and similar device-health metrics)

Symptom reports (e.g., pain, stiffness, fatigue, swelling) including structured symptom attributes such as severity ratings, timing, duration, and pre-defined descriptors

Medication tracking: dosage, timing, form (e.g., capsule/tablet/injection), and intake-tracking status and timestamps. Medication names are stored locally on your device and are not received by Remepy; where applicable, Remepy may receive a non-readable representation (e.g., hashed value) for internal functionality

Physical assessments (e.g., range-of-motion (ROM) and angle values (e.g., flexion and extension)). ROM measurement is performed on-device and the app transmits the resulting values and related assessment metadata (e.g., date/time).

Sleep metrics (self-reported or device-based)

Mood and wellness journaling inputs (e.g., mood ratings, mindfulness session details such as activity name, duration, and date/time)

Disease characteristics and relevant medical background (e.g., TGCT type, impacted joints, affected side, previous surgeries)

Demographic attributes used for personalization and analytics, such as age and gender (which may be reported by your device/health framework depending on your permissions and settings)

c) Location Data

City-level location (used for app functionality, aggregate analytics, and personalization)

You may object to this processing at any time by turning off location in your app/device settings or through in-app toggles (where available). If you object, we will stop collecting and using city-level location data going forward, while previously collected data will continue to follow our retention schedule unless you also exercise your right to erasure.

d) Technical and Usage Data

We collect technical and usage information to operate the App, improve performance, provide customer support, and maintain security, such as:

App usage and interaction data (e.g., feature use, time per screen, navigation between screens, scrolling, clicks/interactions)

Session data (e.g., session start/end times and authentication events such as sign-in/sign-out)

Device information (e.g., operating system version, device model, device time zone)

Crash logs and performance metrics (e.g., app load time and related diagnostics)

Connection logs (e.g., API endpoint calls, timestamps, and request processing times)

Customer support identifiers: when a support request is submitted, the ticket may include a pseudonymized user ID generated by the App (where applicable) to enable troubleshooting. Submitting a support request requires providing an email address so that we can respond to and manage your request.

City-level location (where enabled in your device/app settings and used as described in Section 3(c))

Account communications metadata: We may send service/transactional messages (e.g., account verification, password reset, security notices). Delivery requires processing of email routing information and related technical metadata.

Push notifications: If you enable push notifications, we process a device/app notification token (e.g., an FCM token) needed to deliver notifications to your device.

Attribution data: We use a third-party attribution and analytics provider, AppsFlyer, to understand how users arrive at our App. For this purpose, AppsFlyer processes limited technical data, which may include: device and advertising identifiers (such as mobile advertising IDs); IP address and general device information; information about how you arrived at the App (such as referral links or campaign data); and app install and first-use events. We do not use AppsFlyer to track your activity within the App. AppsFlyer processes this information on our behalf and does not use it for its own independent purposes, such as advertising or selling data.

Note: IP addresses are collected for connection purposes but are not retained in audit logs or exported to third parties.

e) Support Communications

You may contact Remepy for support by submitting a support request via a form in the TGCT & Me Help Center, which can be accessed via the App or through a direct URL. Submitting a support request requires providing an email address so that we can respond to and manage your request. Support tickets may include a pseudonymized user identifier (where submitted in-app) to enable troubleshooting. Support requests and related communications are processed and stored through our service provider, Zendesk, which acts on our behalf and in accordance with applicable data protection obligations. Support tickets do not receive an automated feed of your health/wellness data from Remepy systems; only what you choose to include in your support request is stored.

f) Weather and Environmental Data

The App may display local weather conditions using Apple WeatherKit to support contextual wellness insights. To retrieve local weather results, the App may use your device's current location (e.g., latitude and longitude) and related requested information (which may include IP address). This location data is not stored by Remepy.

4. Engagement and Personalization Features

The App may tailor your experience through personalized features that support wellness engagement and adherence. These include:

Wellness prompts and reminders

Adherence scores and progress feedback (e.g., badges, streaks)

Tailored messaging based on your inputs and interaction patterns

These features are designed to support your personal wellness goals. They do not involve behavioral advertising or commercial profiling.

5. Who may access or process Personal Data?

(i) Remepy Health Ltd. (Data Controller)

Remepy Health, Ltd., incorporated in Israel with registered offices at 40 Tuval St., Ramat Gan, Israel, is the primary Data Controller for the App.

Remepy generally processes pseudonymized data and has no access to direct identifiers stored by Atos (such as your name, registration email and password). However, if you contact support, a support ticket will include your email address and may include additional contact details that you choose to provide, which may be visible to authorized Remepy support personnel for the purpose of responding and resolving your request.

We use pseudonymized data for providing app functionality and personalization, wellness insights, technical operations and troubleshooting, product improvement and service optimization, and research (aggregated).

(ii) Identity-Protection Processor: Atos SE

To protect your privacy, Remepy uses a dedicated identity-protection service operated by Atos SE, headquartered at River Ouest, 80 Quai Voltaire, 95870 Bezons, France.

Atos acts as a data processor under a Data Processing Agreement with Remepy.

Atos operates the RegData Protection Suite ("RPS"), which provides an additional technical security layer that prevents Remepy and its partners from accessing or reconstructing your direct identifiers.

Atos processes only direct identifiers, while all health and wellness data processed by Remepy are pseudonymized before reaching our systems.

Certain system emails (e.g., password reset) are routed through Atos/RegData so that Remepy systems do not handle raw email addresses for delivery.

Atos operates this service on Microsoft Azure's France Central region.

(iii) Cloud Infrastructure Provider: Amazon Web Services (AWS)

Pseudonymized data is hosted on Amazon Web Services, Inc., headquartered at 410 Terry Ave N, Seattle, WA, USA. Data is stored in one of AWS’s data centers in the U.S.

AWS acts solely as an infrastructure provider and does not access or use Personal Data for its own purposes. All data is encrypted in transit and at rest.

(iv) Ares Trading S.A. (ATSA)

Our commercial partner, Ares Trading S.A. (ATSA), receives certain aggregate and/or pseudonymized datasets from Remepy ("Insights Data") containing wellness, health-related, behavioral, and app usage information identified only by coded user IDs. No names, emails, phone numbers, or other direct identifiers are shared, and ATSA does not receive the information needed to re-identify users. Data is stored by ATSA on secure servers located in the European Union. ATSA's roles and purposes are detailed in Section 6 below. ATSA may subsequently make this Insights Data available for use within the Merck KGaA (Darmstadt, Germany) group of companies. ATSA will act as a separate and independent Data Controller upon receipt of Insights Data, and where Insights Data is made available within the Merck Group, ATSA and/or the relevant Merck group entity will act as an independent Data Controller for that use.

(v) Support Services Provider: Zendesk, Inc.

Customer support operations are managed through Zendesk, Inc., headquartered at 989 Market Street, San Francisco, CA 94103, USA. Zendesk acts as a data processor for support ticket management under a Data Processing Agreement.

Support tickets may contain:

Information you provide in support requests (including your email address, which is required so that we can respond, and may include your name and issue descriptions)

Pseudonymized user identifiers for technical troubleshooting

No health data is automatically transmitted to Zendesk; only information you choose to include in your support request

Zendesk is configured with enterprise-grade security controls including single sign-on (SSO), multi-factor authentication (MFA), role-based access control, encryption in transit and at rest, and is HIPAA-ready.

Remepy remains responsible for first-line review and handling of all support requests. Zendesk is used solely as a ticket-management tool.

Where a support request requires technical investigation, Remepy support personnel may reference a pseudonymized user identifier to enable internal debugging. Engineering and technical teams do not receive direct identifiers and do not access health data unless strictly necessary and authorized under Remepy’s internal procedures.

Access to Zendesk tickets is limited to authorized Remepy support personnel under role-based access controls. When a support issue requires internal escalation, Remepy shares only the pseudonymized user identifier with engineering/technical teams; user-provided direct identifiers (e.g., email) are not shared with higher-tier teams unless strictly necessary for exceptional troubleshooting and approved under Remepy’s customer-care support instructions.

Support personnel do not have access to the RegData/Atos identity-protection system. Support personnel also do not have routine access to health-related or behavioral data stored in Remepy systems; where such data is strictly necessary to resolve a ticket, retrieval is performed by higher-tier teams using the pseudonymized identifier and under applicable internal procedures.

(vi) Push Notification Provider: Google (Firebase Cloud Messaging)

We use Firebase Cloud Messaging (FCM), a push notification service provided by Google, to deliver push notifications. When you enable push notifications, your device/app instance generates a notification token which we use to route notifications to your device. For iOS devices, notifications are delivered via Apple Push Notification service (APNs); when using FCM, FCM routes notifications through APNs for iOS delivery. Google and Apple process notification routing information (such as device/app notification tokens and related technical identifiers) for the purpose of delivering notifications. Notification content is intended to be generic and not include direct identifiers (such as name, email, or phone number).

(vii) Weather Services Provider: Apple (WeatherKit)
We use Apple WeatherKit to display local weather information. Apple processes request data (which may include latitude/longitude and IP address) to return weather results. Remepy does not store latitude/longitude for this feature.

(viii) Attribution Service Provider: AppsFlyer

We use AppsFlyer as a service provider to support attribution measurement for the App. Please see “Attribution data” above for more information.

6. Where is Personal Data processed and how is it protected?

Processing Locations and Legal Safeguards

Remepy uses a combination of segregated identity services and secure cloud infrastructure to operate the App. Personal Data is processed in the following locations, with safeguards as described below. Where Personal Data is subject to GDPR and is transferred outside the EEA/UK to a country that is not subject to an adequacy decision, Remepy will ensure that such transfers are made using an appropriate legal mechanism and safeguards in accordance with GDPR requirements.

Pseudonymized App data (including health/wellness and usage data) is processed and stored on Amazon Web Services (AWS) servers in the United States.

Direct identifiers used for account registration and login (e.g., first name, last name, registration email, password) are processed by Atos SE using Microsoft Azure in the France Central region.

Support requests and related information you provide are processed using Zendesk. Zendesk may host service data in a location outside your country/region.

Remepy personnel in Israel, including support personnel handling Zendesk tickets, may access App data for operational and support purposes; access is generally limited to pseudonymized App data, and support personnel access to direct identifiers is limited to what users provide in support tickets. Israel is recognized by the European Commission as an adequate jurisdiction under GDPR.

If you enable push notifications, delivery is performed using Firebase Cloud Messaging (FCM) (Google). For iOS devices, notifications are delivered via Apple Push Notification service (APNs) (routed through FCM). These services process device/app notification tokens and related technical identifiers needed to route notifications.

Where the weather feature is used, local weather results are retrieved using Apple WeatherKit as the weather data provider (see Section 3(f) and Section 5(vii)).

Security measures

We implement technical and organizational measures designed to protect Personal Data, including:

Data is encrypted (TLS in transit, AES-256 at rest)

Access to all systems is governed by role-based controls and multi-factor authentication

Logging and monitoring for security and operational integrity

Segregation of direct identifiers (handled by Atos) from pseudonymized App data processed by Remepy

Export of Insights Data to ATSA (and possible onward availability within the Merck group)

Ares Trading S.A. (“ATSA”), registered at Zone Industrielle de l’Ouriettaz 1170, Aubonne, Switzerland, an affiliate of Merck KGaA (Darmstadt, Germany), receives certain aggregate and/or pseudonymized datasets from Remepy (the "Insights Data").

ATSA acts as a separate and independent Data Controller for Insights Data upon receipt. ATSA receives no direct identifiers, no token keys, and has no technical ability to re-identify any user. These exports are performed periodically through a secure, encrypted SFTP process.

Insights Data may include aggregate and/or pseudonymized individual-level records such as (i) health and wellness tracking data (e.g., activity and physiological metrics from your device health framework, symptoms, sleep, mood/wellness journaling, and physical assessments such as ROM values), (ii) TGCT-related characteristics and relevant medical background (e.g., affected joints/side and prior surgeries), (iii) demographic attributes used for personalization and analytics (age and gender), and (iv) app technical and usage data (e.g., session/activity logs, feature interactions, device time zone, and city-level location). Medication exports are limited to intake tracking metadata (taken/not taken and date/time) and do not include medication names (medication names are stored locally in the App and are not received by Remepy). Insights Data may also include limited pseudonymized account activity records (e.g., sign-in/sign-out events) for program administration and security. These datasets do not contain names, emails or any identifiers stored by Atos, and ATSA does not receive the information needed to re-identify users.

ATSA processes Insights Data for analysis of engagement and usage trends, product development and optimization of current digital wellness features, research and development of future digital health solutions, analysis of patient patterns to improve content relevance and educational resources, internal reporting, and program evaluation.

ATSA may subsequently make this Insights Data available for use within the Merck KGaA group of companies. Where this occurs, the relevant Merck group entity may receive and use only aggregate and/or pseudonymized Insights Data and will act as an independent Data Controller for that use. Remepy does not provide ATSA or Merck group entities with technical means to re-identify users, and Remepy does not share direct identifiers stored by Atos as part of Insights Data exports.

You may opt out of this data sharing by contacting dsr@tgctandme.com. Opting out will not affect your ability to use the App's core features.

Adverse Event (AE) and Safety-Related Reports
If you report a potential adverse event, product complaint, or safety concern through customer support, Remepy may be legally required to process and escalate that information for pharmacovigilance and/or medical-device reporting purposes. Support agents review tickets for potential AE indicators and escalate suspected cases to appropriately trained personnel.

Drug-related AEs are escalated to pharmacovigilance personnel and, where required, forwarded to ATSA. Device-related AEs (relating to the App as a Software as a Medical Device) are handled under Remepy's complaint-handling procedures and applicable FDA Medical Device Reporting guidelines.

Where reporting is required, Remepy forwards to ATSA and/or relevant members of the Merck Group only the information you voluntarily included in the ticket and any additional information necessary for safety assessment. Information transferred may include:
• Free-text description submitted by the user
• Reported symptoms or events
• Timestamp of the report
• Pseudonymized user ID (when relevant for case correlation)
• Any contextual metadata necessary for safety assessment.

Remepy does not share direct identifiers stored by Atos (such as your name or email) as part of these transfers. Remepy does not share any additional PII with ATSA beyond what the user voluntarily included in the ticket. Remepy does not link or enrich AE reports with internal health metrics unless explicitly required and approved under applicable procedures.

Upon receipt, ATSA and/or relevant Merck group entities act as independent controllers for AE data from the moment the data is received, including for any subsequent follow-up activities and reporting obligations that may apply.

Further processing and anonymization

We may further process pseudonymized data for product improvement, analytics, and program evaluation, and where permitted, for research and validation activities. Any further processing will comply with GDPR, including assessing whether the new purpose is compatible with the original purpose and obtaining consent where required. Where data is fully anonymized (so it can no longer be linked to you), it may be used for analytics and research outside the scope of GDPR.

7. Push Notifications

The App may send optional push notifications for reminders or wellness support. If enabled, we use Firebase Cloud Messaging (FCM) (Google) to deliver notifications to your device. For iOS devices, notifications are delivered via Apple Push Notification service (APNs) (routed through FCM). You can disable push notifications at any time in your device settings (and, where available, in the App). Notifications are intended to be generic and not include direct identifiers.

8. How long is your data retained?

Health data: Until you withdraw consent or delete your account, and for up to an additional 1 year thereafter for secure deletion and regulatory traceability.

Technical data: Up to 5 years

Location data: Up to 5 years. If you object, we will stop collecting and using location data going forward. Data already collected will continue to follow the retention schedule unless you also exercise your right to erasure.

Identifiers (PII): Up to 12 months after account deletion (held by Atos)

Support tickets: Routine support tickets are retained for 6 years from ticket closure. Tickets that constitute a complaint and/or are AE/MDR-relevant may be captured into regulated complaint/MDR records and retained as required by applicable regulations and SOPs. After the applicable retention period, tickets are deleted from Zendesk and only fully anonymized statistical metadata may be retained.

Upon the end of the retention period, data is either securely deleted or anonymized. Thereafter, we may retain only statistical information that can no longer be linked to you for research and service improvement.

9. Your rights

Depending on your jurisdiction, you may have the following rights:

Access: Receive a copy of your Personal Data.

Rectification: Request correction of inaccurate or incomplete data.

Erasure: Request deletion of your Personal Data.

Restriction: Request restricted processing under certain conditions.

Portability: Receive your Personal Data in a portable format.

Object: Object to processing where it is based on our legitimate interests.

Withdrawal of consent: You can withdraw consent at any time (this will not affect the lawfulness of processing carried out before withdrawal).

Lodge a complaint: You have the right to lodge a complaint with a data protection supervisory authority, in particular in the EEA country where you live, work, or where you believe an infringement occurred.

You may exercise your rights by contacting us at dsr@tgctandme.com. You may also submit requests through our support channels; where appropriate, we will route them to the DSR process. Data subject requests are handled and logged via a dedicated Zendesk DSR ticket to ensure consistent tracking and auditability. We may need to verify your identity before fulfilling certain requests. We will respond within one month, as required by GDPR Article 12(3). If your request is complex, we may extend this period by up to two additional months, and we will inform you within one month of receipt and explain the reasons for the delay.

10. Your Data Control Options

You have three ways to control your data:

App Feature Controls: Turn specific data collection on/off in your app settings. This stops new data collection for that feature but previously collected data remains for personalized insights.

Withdraw Consent: Stop all use of your health data for app features by emailing dsr@tgctandme.com. Your data will be securely stored but not used for personalization or analytics. We may retain this data for up to 1 year, solely for regulatory compliance and legal defense.

Complete Data Deletion: Request full deletion of your personal information by contacting dsr@tgctandme.com. We will delete all your data within 30 days, except where required by law to retain audit records. Because our backups are encrypted and immutable, data stored in backups cannot be selectively deleted immediately. Our backups follow a rolling retention window (typically 30–90 days), after which they are automatically overwritten. Where applicable, such backup copies will be retained only until the backup retention period expires and are not used for operational processing except for disaster recovery. During this period, backup data remains encrypted, access-controlled, and inaccessible for day-to-day operations.

Deletion requests are treated as all-systems requests and, where applicable, include customer-support records (e.g., Zendesk tickets) associated with your use of the App, to the extent such records exist. Where we must retain certain records to comply with legal/regulatory obligations (e.g., complaints, AE/MDR), we will restrict use to compliance purposes and minimize identifiers where possible.

When you request deletion, internal engineering teams operate solely on pseudonymized identifiers and never access personal identifiers stored by Atos. Identifiers are deleted directly by Atos upon our instruction, and Remepy deletes or anonymizes all pseudonymized records associated with your account.

Important: Consent withdrawal and data deletion are different. Withdrawing consent stops data processing, but the data may be retained. Deletion removes data entirely.

11. Contact

For privacy-related inquiries or to exercise your rights, contact:

Remepy Health Ltd.
40 Tuval St., Ramat Gan, Israel
Email: legal@remepy.com

US ADDENDUM: Supplemental Notice to Residents of the United States

This US Addendum applies to residents of states with privacy laws including California (CCPA/CPRA), Virginia, Colorado, Connecticut, and Utah. It supplements the general Privacy Policy.

Personal Information We Collect

We collect Personal Information as described in Section 3, including:

Identifiers (name, email)

Health and wellness data

Demographic information (age, gender)

Location data (city-level)

Device and technical data

Support communications

Some of this may be considered sensitive personal information under U.S. law. We use and disclose sensitive personal information only for purposes permitted by law, including providing the App's core functionality, ensuring security, and improving our services. You have the right to limit our use of your sensitive personal information by contacting dsr@tgctandme.com.

Use and Sharing of Personal Information

We do not:

Sell your Personal Information

Share your Personal Information for targeted or cross-context behavioral advertising

We use your Personal Information to provide the App, support your experience, and conduct product improvement.

Your State Privacy Rights

As a resident of certain U.S. states, including California, Virginia, Colorado, Connecticut and Utah, you may have the following rights:

Right to Know: Request details about the personal information we collect, use, and share.

Right to Delete: Request details about the personal information we collect, use, and share.

Right to Correct: Request correction of inaccurate information.

Right to Opt-Out: Opt out of the sharing of your personal information.

Right to Limit Use of Sensitive Personal Information: Limit our use of your sensitive personal information to permitted purposes only.

Right to Non-Discrimination: Exercise your rights without discriminatory treatment.

We will verify your identity before fulfilling any requests.

Submitting Requests

To submit a request, contact: dsr@tgctandme.com

You may also designate an authorized agent to act on your behalf.

Non-Discrimination

We will not discriminate against you for exercising any of your privacy rights.

If we make material changes to this Policy, we will notify you via the App.