Global Privacy Notice

This Privacy Notice was last updated in January 2026.

1. The Purpose of this Privacy Notice

Protecting your information is incredibly important to us, and part of our promise to be forever caring. This Privacy Notice explains how and why we collect, use, and share your personal information. It also lets you know the rights you have in relation to your personal information and how to exercise them. By engaging with us, you confirm that you agree to this Privacy Notice. We suggest you read it in full.

If there are any discrepancies in interpretation between the English version of this Privacy Notice and its translations, the English version will prevail.

Residents of California, Colorado, Connecticut, Texas, Maryland, and Florida:

Please review our State-Specific Supplemental Privacy Notice (the “Supplemental Notice”) in annex 1 below (you can jump to it by clicking this link). The Supplemental Notice supplements this Privacy Notice and applies to Consumers (this term is defined in the Supplemental Notice) of the following US states: California, Colorado, Connecticut, Texas, Maryland, and Florida. It provides additional details about our privacy practices related to your personal information as required by the applicable laws in your state of residence. Some portions of the Supplemental Notice apply only to Consumers resident in particular states, and we have indicated where this is the case.

Residents of Washington or Nevada:

Please review our Washington and Nevada Health Data Privacy Notice (the “Washington and Nevada Privacy Notice”) in annex 2 below (you can jump to it by clicking this link). The Washington and Nevada Privacy Notice supplements this Privacy Notice and applies to Consumers (this term is defined in the Washington and Nevada Privacy Notice) living in the following US states: Washington and Nevada. It provides information about rights you may have as a Consumer relating to your Consumer Health Data (this term is also defined in the Washington and Nevada Privacy Notice).

2. Some Definitions

When we say “Convatec”, “we”, “us”, and “our”, we mean Convatec Inc., on behalf of itself and its subsidiaries and affiliates.

When we refer to “personal information”, we mean any information that directly or indirectly identifies you. There are further details in section 5 below on exactly what sort of information this includes. It doesn’t include any anonymous information (i.e. any information from which it’s impossible to identify you or distinguish you from someone else). Under applicable US laws, personal information also doesn’t include any publicly available information, or lawfully obtained, truthful information that is a matter of public concern.

When we refer to “applicable laws”, we mean all privacy-related laws in the countries that we operate in and/or in which you reside. This includes: the General Data Protection Regulation (GDPR) and the Data Protection Act (DPA) in the EU and UK; various U.S. state privacy laws; the Lei Geral de Proteção de Dados (LGPD) in Brazil; Law 1581 of 2012 and Decree 1377 of 2013 in Colombia; the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada; the Personal Information Protection Law (PIPL) in China; the Act on the Protection of Personal Information (APPI) in Japan; and the Privacy Act (PA) in Australia, including the Australian Privacy Principles (APPs).

When we refer to “patients”, we mean someone who uses, is thinking about using, or otherwise interacts with our products and services. This includes caregivers supporting a loved one with their condition and anyone who uses a patient-focused App or visits or interacts with our Website, Social Media Sites, or online adverts.

When we refer to “HCPs”, we mean individuals employed by or otherwise affiliated with a healthcare organization or other third party (e.g. partners and service providers) that we work with. This includes healthcare professionals and other individuals working in non-medical roles.

3. Who We Are and How to Contact Us

Convatec is the data controller of your personal information. Data controllers determine how and why personal information is collected, used, and shared.

If you have a question or any concerns about how we collect, use, and share your personal information, would like to withdraw any consent you’ve given, or exercise any of your rights set out in section 11 below, you can contact our Data Protection Officer by emailing dataprivacy@convatec.com or by post to: Convatec Group Data Protection Officer, Floor 7, 20 Eastbourne Terrace, Paddington, London, W2 6LG, United Kingdom.

4. When We Collect or Use Your Personal Information

Details about how we collect and use your personal information is set out below but note that the information differs according to whether you are a patient or HCP.

When we collect personal information directly from you

Whether you’re a patient or HCP, we may collect your personal information directly from you in the following circumstances:

In person – for example in hospitals, care facilities, GP surgeries, in clinics, or at events held by Convatec or third parties.
Over the phone – for example if you speak with, or are contacted by, one of our employees or contractors.
Via mail – for example if you post us any forms or other documents.
Via SMS or instant message. Note that we won’t contact you via this method if you’re located in the US unless we have your consent, if required under applicable laws.
Via email – for example if you receive email newsletters from us or we interact with you over email in your professional capacity.
Via our mobile apps (the “Apps”).
Via our website at www.convatec.com (the “Website”) – for example, if you fill out a webform or use a chatbot.
Via our social media sites (the “Social Media Sites”) – for example, Facebook, Instagram, or LinkedIn.
Via online third-party platforms – for example, survey, marketing, competition, or webinar platforms.

When we collect personal information indirectly from you

Whether you’re a patient or HCP, we may collect your personal information indirectly from you in the following circumstances:

When you interact with communications that we send you (e.g. if you open our emails).
When you interact with our Social Media Sites (e.g. if you “like”, “comment” or “re-share” a post on Instagram).
When you interact with our adverts (e.g. if you click on a banner advert that you see when you’re browsing the web).
When you interact with our Apps (e.g. if you register with the app and use its functionality).
If you allow cookies when visiting the Website (this allows us to collect information about how you use the Website and other sites on the web).

When we receive personal information from third parties

Whether you’re a patient or HCP, we may receive your personal information from third parties, including from:

Other companies in the Convatec group (for example Amcare Inc, 180Medical Inc, or Livramedom S.A.R.L), or companies we enter corporate transactions with (such as mergers, acquisitions, and sales).
Third party service providers who help us provide our products and services or execute our general business operations (for example, product distributors, companies that provide cloud storage solutions, security and fraud prevention services, customer service platforms, survey software, or tracking technology functionality).

If you’re a patient, we may also receive your personal information from the following third parties:

Third parties who are helping with your healthcare (for example, national healthcare providers, hospitals, care facilities, caregivers, healthcare professionals supporting you with your care, or other healthcare companies that we partner with to provide our products and services).

If you’re an HCP, we may also receive your personal information from the following third parties:

The company you’re employed by or affiliated with to which we supply products and services.
Third party data brokers from whom we purchase HCP contact information to use for sales and marketing purposes.

5. The Personal Information We Collect or Use About You

We are required under applicable laws to give you specific information about exactly what personal information we collect, use, or share about you; the legitimate purpose that we do this for; and the legal basis we are relying on to do so.

We want to provide this information to you in a meaningful and understandable way. We’ve therefore categorized it according to the relevant purpose, and you can find it below. Before we get to that, though, here’s some explanations.

Categories of Personal Information

When we refer to personal information below, we’ve grouped it into various categories. They have the following meanings:

Contact Data: your title, first name, last name, personal email address, personal postal address, personal phone number, broad geographic information.
Demographic Data: your gender*, age*, date of birth*, race*, ethnicity*, religion*, sexuality*, nationality*, philosophical beliefs*, trade union membership*.
Professional Data: your job title, the healthcare provider you are employed or affiliated with, your licence to practice number, your work email address, your work telephone number.
Government Identification Data: your passport number*, drivers licence number*, tax identification number (e.g. NI number, Social Security Number or other state identification number*).
Insurance Data: the name of your insurer, policy and claim number, and plan details.
Prescription Data: the products prescribed to you and which we provide to you, your prescription history*.
Product Data: the sample(s) or accessories requested*, quantity requested, the order number, invoice number, your billing and shipping address.
Financial Data: your bank card details including card number, expiry date, and security code*.
App Log-in Data: your username*, your password*.
Communication Data: the content of your communications with us (for example, recordings of telephone calls with our customer care agents or sales representatives)*.
Health Data: information about your physical or mental health, or information which makes an inference about your physical or mental health* (including data relating to your fitness and nutrition), data relating to your sex life*, or genetic data*.
Audiovisual Data: any photographs, video recordings, or audio recordings of you (including of parts of your body).
Feedback Data: your feedback, reviews, testimonials, complaints, or other thoughts or opinions on our products and services.
Usage Data: unique identifier information about the device you use to access or view our Website or other sites on the web, adverts, Social Media Sites, Apps, or emails (e.g. IP address, browser type and plug-ins, operating system, time zone); information about your interaction (e.g. pages or videos viewed and how long you stayed on them, things you’ve clicked or searched for, emails you’ve opened); information about your preferences and the things you’ve consented to (e.g. your marketing preferences or consent provided as part of a research study).
Profile Data: we may use your Usage Data (e.g. your social media “likes” or the pages you view on the web), combined with other information about you to draw inferences and build a profile of your preferences, characteristics, attitudes, and other information. These are built by us or a third party and are used for the purposes set out below.

Some of this information is categorised under applicable laws as “sensitive”. Sensitive personal information is typically more private to you, and we take extra measures to make sure it is securely protected in accordance with applicable laws. We’ve indicated with an asterix (*) above where personal information is seen as sensitive under applicable laws.

We do not knowingly collect personal information from individuals online who are under the age of majority in their country of residence. If we become aware that we have inadvertently done so, we will take steps to delete such information promptly in accordance with applicable legal requirements. If you believe we may have collected personal information online from such an individual, please notify us immediately at dataprivacy@convatec.com. Any personal information that we collect from someone under the age of majority in their country of residence on mediums other than online (for example, face to face or via paper forms) is only collected with the consent of their parent or guardian.

Note that, per the terms and conditions of the Apps, if you are under the age of 18 you are not permitted to use the Apps and, by extension, the services available via the App.

We may use tracking technology (for example, cookies, web beacons, pixel tags, APIs, or SDKs) on our Website, Apps, other sites on the web, and other apps to collect Usage Data about you. For more information about how we use tracking technologies for profiling and other purposes, see our Cookies Notice.

We may use your personal information to conduct segmentation and profiling. Segmentation is where we group you with others according to things we know about you (for example, your age or demographic information), so that we can send you more accurate and personalized promotional information. Profiling is when we (or companies we work with) look at your Usage Data, combined with other information about you, to draw inferences and build Profile Data which helps us personalize our communications to you according to what we think you might be interested in. In accordance with applicable laws, we always ensure that segmentation or profiling doesn’t have a legal or similarly significant effect on you.

We may use your personal information to help develop our products and services. More information about how we use your personal information for purposes relating to analytics and artificial intelligence can be found in section 7.

Legal Bases

The legal bases that we refer to below have the following meanings:

Consent – when you tell us, in a freely-given, specific, informed, and unambiguous statement or action, that you agree to us collecting, using, and/or sharing your personal information. This often looks like a checkbox that you tick, or you saying “I agree”. In some countries, we use additional verification processes when collecting your consent (sometimes called a “double opt-in”). You can withdraw your consent at any time by emailing dataprivacy@convatec.com.
Contract – when we collect, use, or share your personal information to perform a contract we’ve entered into, or are contemplating entering into, with you. This can be a contract that you sign with us, or if you signify agreement to terms and conditions that we’ve provided to you.
Legitimate Interest – when we collect, use, or share your personal information for our own (or a third party’s) legitimate interest. Where we process your personal information based on a legitimate interest we will only do so where the processing is relevant, adequate, and limited to what is necessary for the purpose it was collected for. We’ll always ensure our legitimate interests don’t unfairly impact your rights and freedoms.
Legal Obligation – when we collect, use, or share your personal information to comply with applicable laws or other international laws, or if required for litigation (for example, to defend legal claims or rights in judicial, administrative, or arbitration proceedings).
Vital Interests – when we may need to collect, use, or share your personal information to ensure your personal safety.
Public Task – when we may need to collect, use, or share your personal information to carry out a task in the public interest or to exercise official authority that we hold.

Sometimes we list more than one legal basis below. This is because we may handle your personal information in a number of different ways, and according to different legal bases, for the same purpose. It is also because the exact legal basis that applies depends on which country-specific applicable laws govern our handling of the personal information. If you have any questions, you can reach out to us at dataprivacy@convatec.com.

Purpose 1: To provide our products and services to you, or if you are providing services to us

We may collect, use, or share your personal information to provide you (if you’re a patient) or your employer (if you’re an HCP) our products and services. Or we may engage you to provide services to us.

If you’re a patient, this includes things such as: sending you prescribed products, a free sample, or accessories you’ve bought from us; providing functionality in the Apps.

Personal information: Contact Data, Demographic Data, Professional Data, Government Identification Data, Insurance Data, Prescription Data, Product Data, Financial Data, App Log-in Data, Communication Data, Health Data, Audiovisual Data.
Legal bases: Consent, Contract, Public Task.

If you’re an HCP, this includes things such as: educating you on our products, working with you to ensure our products are available to patients affiliated to your healthcare provider, or if you are providing services in one of our clinics or speaking at a conference.

Personal information: Contact Data, Professional Data.
Legal bases: Consent, Contract, Legitimate Interest.

Purpose 2: To provide promotional information about our other products and services to you.

We may collect, use, or share your personal information to provide you with updates or information (which sometimes may be personalized to you) on our products and services, and to let you know about our news, events, contests, and other promotions.

If you’re a patient, this includes things such as: sending you communications about our products and services or upcoming events, showing you adverts as you browse the web, or tracking how you use the Website and other sites on the web to understand your preferences.

Personal information: Contact Data, Professional Data, Prescription Data, Product Data, Health Data, Usage Data, Profile Data.
Legal bases: Consent.

If you’re an HCP, this includes things such as: sending you communications about our products.

Personal information: Contact Data, Professional Data, Usage Data.
Legal bases: Consent, Legitimate Interest.

Purpose 3: To improve or protect our products, services, systems, and communications.

We may collect, use, or share your personal information to help us run, protect, improve, or expand our products, services, systems, and communications.

If you’re a patient, this includes things such as: recording calls to our customer care agents to ensure high standards of customer care, generating one-time passcodes to help with fraud prevention, sending you surveys, conducting clinical research or other studies, or collecting information on which parts of the Apps or our Website are the most popular. We might also use your personal information to help develop our products and services. More information about how we use your personal information for purposes relating to analytics and artificial intelligence can be found in section 7.

Personal information: Contact Data, Demographic Data, Prescription Data, Product Data, Communication Data, Health Data, Audiovisual Data, Feedback Data, Usage Data, Profile Data.
Legal bases: Consent; Legitimate Interests.

If you’re an HCP, this includes things such as: sending you surveys about our products and services, collecting testimonials from you, or sending you one-time passcodes for secure login to our platforms. We might also use your personal information to help develop our products and services. More information about how we use your personal information for purposes relating to analytics and artificial intelligence can be found in section 7.

Personal information: Contact Data, Professional Data, Communication Data, Feedback Data, Usage Data, Profile Data.
Legal bases: Consent, Legitimate Interests.

Purpose 4: To comply with the law or legal processes.

We may collect, use, or share your personal information to comply with obligations we have under applicable laws and other international laws, or if required for litigation.

If you’re a patient, this includes things such as: collecting information about your stoma to ensure our compliance with medical regulations; collecting information to operate our complaints handling process; or storing information about the products you use to comply with product safety laws.

Personal information: Contact Data, Government Identification Data, Insurance Data, Prescription Data, Product Data, Health Data, Usage Data.
Legal bases: Legal Obligation.

If you’re an HCP, this includes things such as: asking for your professional registration details to ensure transparency and fraud prevention, or collecting information to operate our complaints-handling process.

Personal information: Contact Data, Professional Data, Product Data, Usage Data.
Legal bases: Legal Obligation.

Purpose 5: To keep you safe.

We may collect, use, or share your personal information to ensure your personal safety.

Whether you’re a patient or HCP, this includes things such as: if you fall ill, we would use your personal information to ensure you received the medical care you needed from the emergency services.

Personal information: Contact Data, Demographic Data, Health Data.
Legal bases: Vital Interests.

6. Our Use of Tracking Technologies

For information on how we use tracking technologies on our Website, Apps, other sites on the web, and other apps, please see our Cookies Notice.

7. Our Use of Your Information for Analytics and AI Purposes

It’s our promise to be “forever caring” and we’re constantly working to improve our existing products and services and develop new ones so that we can better help patients and those that support them. We use the information that you provide us when interacting with our products and services to continually improve and develop them. Whether you’re a patient or HCP, we will never use your sensitive personal information in identifiable form for analytics and AI without your prior consent . Otherwise, before using your Health Data for this purpose, we take steps to anonymise and de-identify it according to strict legal requirements to protect your privacy. We achieve this by:

Working with anonymization experts to remove any identifiers from your information that would allow us to link it back to you specifically. It may still be possible for us to make associations between your information and other information we might already hold about you, but we do not know that the information belongs to you specifically.
Enacting rigorous internal protocols (such as encryption, access controls, physical and logical separation, enforcing documented policies and procedures, and governance oversight) to make sure that your data stays anonymous.

Improving and developing our products and services includes us:

Building and improving our artificial intelligence (“AI”) technology (such as our machine learning models and algorithms). Machine learning is when we train our technology to recognize specific patterns in information and make predictions about new sets of information based on those patterns. We also train our human analysts to perform those tasks so they can assist when our machine learning models aren’t best suited for the task or are still learning. For example, we may train our machine learning models to:
- Recognise different types of stomas or skin colours, to minimize bias and improve performance.
- Help our customer care agents provide more tailored guidance to you more quickly.
- Assist you in choosing the best woundcare dressing for your patient.
Conducting analytics. For example, analysing data to understand how our products are used by different people and how this might contribute to their health outcomes.
Ensuring our services are working correctly. For example, we might re-run new App functionality to make sure it is providing the right experience.

These processes help make our products and services more effective for all patients and their caregivers. If you have any questions about any of the above, you can reach out to us at dataprivacy@convatec.com.

8. Third Party Content on the Website or Apps

Our Website and Apps may provide links to or embed third party websites, apps, plug-ins, or other content. For example:

reCAPTCHA – a Google technology that enables the Website to distinguish between human users and automated systems by monitoring information like typing patterns, mouse clicks or screen touches. You can find more information about how Google uses this information by reading its privacy policy.
Video player platforms (for example, YouTube or Vimeo) – we use these to host videos on the Website and Apps. When you play the video, the platform may capture information such as which video you watched and how long you watched it for. This may be linked to your name, email address, IP address, device identifiers, or any data that can be linked to your video viewing behavior. We will only disclose such information to third party advertisers or analytics platforms:
- With your prior, informed, written consent given via our cookies banner on the Website (you may withdraw your consent at any time by using the “Manage Cookies” link at the bottom of the Website, by updating your browser or device settings, or by contacting us at dataprivacy@convatec.com);
- As required by law, subpoena, or court order; or
- As part of internal operations necessary to deliver and improve our services.
Chatbot services – we may use these to interact with you on the Website. When you use the chatbot, the platform will capture personal information including your name and what you type into the chatbot, and information to monitor how the chatbot is being used.

These third parties may use their own tracking technologies or otherwise collect your personal information themselves. Your use of third-party websites, apps, plug-ins, or other content is governed by the terms and conditions and privacy policy of that third party. We do not control these third parties, or how they use your personal information. We encourage you to read the privacy notice of any third parties that you interact with.

9. Personal Information We Share With Third Parties

We occasionally may need to share your personal information with third parties.

Most third parties will only use your personal information according to our instructions and in line with the requirements in this Privacy Notice. Sometimes third parties may use your personal information for their own purposes. If that’s the case, we will ensure we always have a legal basis for transferring your personal information to the third party, and the third party will get in touch with you with their own privacy information. In certain circumstances, as required by applicable law, you may request that we disclose the specific third parties with whom we have shared your personal information.

Whether you’re a Patient or HCP, third parties we may share your personal information with include:

Other companies in the Convatec group or companies we enter into corporate transactions with (for example, mergers, acquisitions, or sales).
- Purposes:
  - Purpose 1: to provide our products and services to you.
  - Purpose 2: to provide promotional information about our other products and services to you.
  - Purpose 4: to comply with the law or legal processes.
- Personal information:
  - Contact Data; Demographic Data; Professional Data; Government Identification Data; Insurance Data; Prescription Data; Product Data; Financial Data; App Log-in Data; Communication Data; Health Data; Audiovisual Data; Feedback Data; Usage Data; Profile Data.

These third parties include : Amcare Inc, 180Medical, Livramedom S.A.R.L.

Service providers or who help us provide our products and services or execute our general business operations (for example, product distributors, companies that provide cloud storage solutions, security and fraud prevention services, customer service platforms, survey software, or tracking technology functionality).
- Purposes:
  - Purpose 1: to provide our products and services to you.
  - Purpose 2: to provide promotional information about our other products and services to you.
  - Purpose 3: to improve or protect our products, services, systems, and communications.
  - Purpose 4: to comply with the law or legal processes.
  - Purpose 5: to keep you safe.
- Personal information:
  - Contact Data; Demographic Data; Professional Data; Government Identification Data; Insurance Data; Prescription Data; Product Data; Financial Data; App Log-in Data; Communication Data; Health Data; Audiovisual Data; Feedback Data; Usage Data; Profile Data.

These third parties include : Microsoft, MNT Limited, ON24.

Certain third parties required by law.
- Purposes:
  - Purpose 4: to comply with the law or legal processes.
- Personal information:
  - Contact Data; Demographic Data; Professional Data; Government Identification Data; Insurance Data; Prescription Data; Product Data; Financial Data; Communication Data; Health Data; Feedback Data; Usage Data.

These third parties include : legal authorities, healthcare regulators, or law enforcement agencies.

If you’re a Patient, we may also share your personal information with the following third parties:

Third parties who are helping with your healthcare (for example, national healthcare providers, hospitals, care facilities, caregivers, or healthcare professionals supporting you with your care, or other healthcare companies that we partner with to provide our products and services).
- Purposes:
  - Purpose 1: to provide our products and services to you.
  - Purpose 4: to comply with the law or legal processes.
  - Purpose 5: to keep you safe.
- Personal information: Contact Data, Demographic Data; Insurance Data; Prescription Data; Product Data; Health Data.

These third parties include: your GP or hospital, Corstrada Inc.

If you’re an HCP, we may also share your personal information with the following third parties:

The company you’re employed by or affiliated with to which we supply products and services.
- Purposes:
  - Purpose 1: to provide our products and services to you.
  - Purpose 4: to comply with the law or legal processes.
- Personal information: Contact Data; Professional Data; Product Data.

If we transfer your personal information out of the geographical area that defines the applicable laws relevant to the information (for example, if our use of your personal information is subject to US or EU applicable laws and we transfer your data outside those areas), we ensure appropriate safeguards are in place. These include relying on adequacy decisions under applicable laws or using prescribed contractual documentation (for example, Standard Contractual Clauses or Convatec intra-group agreements) to enact the transfer. We always make sure that your personal information has the same level of protection in the hands of the recipient as it does when it was collected from you.

How Convatec protects personal information transferred outside of China

Your personal information collected by our entity in the People's Republic of China (PRC) is stored within the PRC and not transferred outside the country. If we need to transfer your personal information to countries or regions outside of PRC for processing in the future, we will comply with relevant PRC regulations governing such transfers and take all necessary measures to ensure that your personal information remains adequately protected in accordance with applicable laws.

10. How We Protect Your Personal Information

Protecting your information is incredibly important to us. We take lots of precautions to ensure that your personal information is secure. These include:

Lawful basis – where relevant, we always make sure we have a valid legal basis on which to collect, use, and share your personal information. You can find more information on this in section 5.
Transparency – we have ensured that all information about how we collect, use and share your personal information that is set out in this Privacy Notice is provided in a clear and accessible format.
Purpose limitation – we make sure to only collect, use, and share your personal information for specific and legitimate purposes. You can find more information on these purposes in section 5. We don’t re-use or share your personal information for new purposes unless the new purpose is compatible with the original, we have your consent to do so, or we need to under applicable laws.
Data minimization – we will only collect, use, and share the amount of personal information that is necessary to fulfil a specific and legitimate purpose.
Data retention – we will only use and share your personal information for as long as is necessary for the relevant specific purposes outlined in this Privacy Notice or under applicable laws, and always with consideration of its sensitivity and the potential risk of harm involved. We sometimes may need to retain your personal information for longer than our business relationship with you, for compliance with applicable laws. When we no longer need to retain your personal information, we will delete or anonymise it.
Data accuracy – we will try our best to always make sure that the personal information we hold about you is accurate and kept up to date.
Data Security – we implement appropriate technical and organizational measures to protect your data from unauthorized or accidental disclosure, damage, or loss. We also ensure that third party recipients of your personal information who are acting under our instruction maintain adequate data protection measures. The transmission of information via the internet or a mobile phone network connection may not be completely secure, and we cannot guarantee the security of the personal information you transmit to us via these methods.
Accountability – we take responsibility for ensuring that we collect, use, and share your personal information in accordance with all applicable laws.
Data protection by default – we put privacy concerns at the heart of everything we do and ensure that the protection of your personal information is built into our products, activities, and practices.

11. Your Rights

You have various rights in relation to your personal information, which you (or your authorized agent) can exercise at any time by contacting us at dataprivacy@convatec.com.

You will need to provide verification of your identity to us (and maybe other documentation, if needed) before we can comply with your request. If an authorized agent makes the request on your behalf, we will need them to provide proof that they have your permission to do so. We will only use personal information that we request to verify your identity or your agent’s authority.

The exact rights you have will vary according to which applicable laws apply to your personal information, but generally these rights include:

Right to be informed and to confirm processing – to obtain clear and accessible information about whether we process your personal information and, where we do, how we collect, use, and share it. You can find that information in this Privacy Notice.
Right of access – to access the personal information (or categories of it) that we hold about you and to obtain further details about where we got it, the purposes we’re using it for, and who we’ve shared it with. Making this request is sometimes known as a “data subject access request” or the “right to know”.
Right of rectification – to edit or correct the personal information we hold about you, including requesting we remove any content or information that you have posted to our Website, App, or Social Media Sites. Fulfilment of the request may not ensure complete or comprehensive removal (e.g., if the information has been reposted by another user).
Right of erasure and anonymization – to request that we delete personal information we hold about you. This is also known as the “right to be forgotten”. You may also request that we anonymize or block unnecessary or excessive personal information from further processing.
Right to restriction of processing – to limit further use of personal information we hold about you.
Right to data portability – to receive the personal information we hold about you so that you could share it with another company.
Right to object – to object to how we currently use and share personal information we hold about you, including your personal information that we process for direct marketing purposes. This is sometimes called “opting-out”. Another way you can exercise this right (apart from by getting in touch with us) is by using the “unsubscribe” link in the promotional communication you’ve received from us or updating your preferences (relating to e.g. location sharing or notifications) through the settings on your browser or device. Objecting to one channel of marketing or Convatec brand (for example, Amcare) may not automatically opt you out of other marketing channels or brands. To check you are opted out of all marketing channels and brands, you can email privacy@convatec.com. Note also that opting out of receiving marketing communications from us doesn’t apply to other communications we may send you (for example, communications containing education information about our products and services as part of the me+ services, or communications we make to comply with our legal obligations).
Right to decline consent – to receive information about your right to decline consent for the processing of your personal data where consent is requested, and the potential consequences of withholding consent.
Right to request proof of authorization – to request evidence that your authorization or consent for data processing was validly obtained.
Right not to be subject to automated decision making – to not have solely automated decisions made based on the personal information we hold about you, if such decision would have a legal or other significant effect on you, unless you consent.
Right to withdraw consent – to withdraw any consent you’ve provided to us relating to how we use your personal information. If you ask to withdraw your consent to us processing your personal information, this will not affect any processing which has already taken place at that time.
Right to make a complaint – to file a complaint about how we collect, use and share your personal information with a relevant supervisory authority. You can find more information about your supervisory authority by visiting the website of the EDPB (if you live in the EU), the ICO (if you live in the UK), the FTC (if you live in the US), the ANPD (if you live in Brazil), the SIC (if you live in Colombia), or otherwise the supervisory authority in the country you live in.
Right to limit the use of sensitive information – If you live in the US or in jurisdictions such as Brazil, you have specific rights to control our use of your sensitive personal information, where the legal requirements are met.

We will respond to any request made within timeframes required under applicable laws. Sometimes, applicable laws may mean we can’t comply (or comply fully) with a request. For example, if your request is excessive or it affects other rights (like the freedom of expression); if complying with your request would mean we didn’t comply with applicable laws or couldn’t make or defend ourselves from legal claims; or if we have other compelling legitimate reasons to not do so. However, where we can, we will always endeavour to comply with a request you make to us, and we won’t discriminate against you if you do make a request. Note that exercising some of the rights above may mean you’re not able to benefit (or benefit fully) from our products and services.

12. Complaints

If you wish to make a complaint, you can contact our Data Protection Officer by emailing dataprivacy@convatec.com or by post to: Convatec Group Data Protection Officer, Floor 7, 20 Eastbourne Terrace, Paddington, London, W2 6LG, United Kingdom.

Without prejudice to any other remedies, you also have the right to lodge a complaint with a supervisory authority at any time. You can find more information about your supervisory authority by visiting the website of the EDPB (if you live in the EU), the ICO (if you live in the UK), the FTC (if you live in the US), ANPD (if you live in Brazil), or otherwise the supervisory authority in the country you live in.

13. Changes To This Privacy Notice

We might make small changes to this Privacy Notice over time. However, we’ll always let you know if we make any significant changes to it.

-----------------------------------------------------------------------------------------------------------------------------

Annex 1

State-Specific Supplemental Privacy Notice

Convatec Inc. and its affiliates subject to U.S. State Consumer Privacy Laws (as defined below) (“Convatec,” “we,” “us,” or “our”) are committed to protecting the privacy of individuals whose Personal Information we collect. This State-Specific Supplemental Privacy Notice (the “Supplemental Notice”) is provided pursuant to the California Consumer Privacy Act, Colorado Privacy Act, Connecticut Data Privacy Act, Texas Data Privacy and Security Act, Maryland Online Data Privacy Act and the Florida Digital Bill of Rights (collectively, the “U.S. State Consumer Privacy Laws”).

This Supplemental Notice supplements the Privacy Notice and applies to Consumers (as defined in the U.S. State Consumer Privacy Laws) who live in U.S. states that have enacted the U.S. State Consumer Privacy Laws. If anything in this Supplemental Notice contradicts what is contained in the Privacy Notice, this Supplemental Notice will take precedence. It outlines our practices regarding the collection, use, and disclosure of Personal Information through both online and offline interactions with Convatec’s products, services, and representatives.

Definitions

Unless otherwise defined, terms used in this Supplemental Notice have the meanings assigned to them under the applicable U.S. State Consumer Privacy Laws.

Consumer Health Data and Other Data We Collect

Convatec and our vendors collect, and have collected within the past twelve (12) months, the following categories of Personal Information about Consumers, as permitted under applicable U.S. State Consumer Privacy Laws:

Category	Examples
Demographics and Identifiers	Name, postal address, email address, phone number, IP address, account name
Personal Information (as defined in Cal. Civ. Code §1798.80(e))	Signature, physical characteristics, financial account information
Protected Classification Characteristics	Age, gender, disability status, or other legally protected classifications
Commercial Information	Records of products, medical devices, or services purchased, obtained, or considered
Internet or Other Electronic Network Activity	Browsing history, search history, interactions with websites or advertisements or apps
Audio, Electronic, Visual, or Similar Information	Call recordings, voicemails, or other audio/visual data
Inferences Drawn from Other Personal Information	Profiles reflecting preferences, characteristics, or behaviors

The specific types of Personal Information collected may vary depending on the nature of your relationship with Convatec.

In addition to the categories of Personal Information described above, Convatec may collect and process certain types of information that are considered Sensitive Personal Information under applicable U.S. State Consumer Privacy Laws. This may include:

Racial or ethnic origin.
Religious or philosophical beliefs.
Health-related information.
Sexual orientation.
Government-issued identifiers such as Social Security number, driver’s license number, state identification card number, or passport number.

Use of Personal Information

We may process Personal Information for the following business purposes, as permitted by law:

Performing services on your behalf, such as account maintenance, customer service, order fulfillment, payment processing, analytics, data storage, and providing the goods or services you request.
Detecting, preventing, and investigating security incidents that compromise the confidentiality, integrity, or availability of Personal Information.
Protecting against malicious, deceptive, fraudulent, or illegal activity and prosecuting those responsible.
Short-term, transient use, including personalized advertising during your current interaction with us.
Providing educational information about health conditions and the products and services that can support you.
Providing promotional information about our other products and services to you (including engaging in personalized advertising, where permitted by law).
Verifying or maintaining the quality or safety of our products, services, or devices, performing analytics and improving or enhancing our products, services or devices.
We may use personal information to infer characteristics like preferences or interests to improve and personalize our services.

Sources of Personal Information

Convatec collects Personal Information from a variety of sources, including:

Directly from you: When you interact with our websites, products, services, customer support, or participate in surveys, promotions, or events.
Automatically through your devices: Via cookies, web beacons, and similar technologies when you use our websites or apps, other websites or apps, or open our emails.
From vendors and service providers: Including analytics providers, and marketing and IT partners who assist in delivering services or improving user experience.
From other third parties: Such as your healthcare provider, distributors, business partners, and publicly available sources.
From other companies in the Convatec group: For example, 180Medical Inc.
From government entities: Where legally permitted or required.

These sources help us deliver services, personalize experiences, improve product offerings and comply with legal and regulatory obligations.

Retention of Personal Information

We retain each category of Personal Information described above only for as long as necessary to fulfill the purpose for which it was collected or to comply with applicable laws and regulations. We consider the following criteria when determining how long to retain Personal Information: the purpose for which we collected the Personal Information; the nature of the Personal Information; the sensitivity of the Personal Information; our legal obligations related to the Personal Information, and risks associated with retaining the Personal Information.

Disclosures to Third Parties

We may disclose Personal Information to third parties for the following business or operational purposes, in accordance with applicable U.S. State Consumer Privacy Laws:

Service Providers and Contractors: We share Personal Information with trusted third parties that perform services on our behalf, such as:
- Payment processing.
- Customer support.
- Data analytics.
- IT and security services.

These parties are contractually obligated to use the Personal Information only for the services they provide and to protect it appropriately.

Affiliates and Subsidiaries: We may share Personal Information with our corporate affiliates and subsidiaries for internal administrative purposes and to provide consistent services across our organization.
Legal and Regulatory Disclosures: We may disclose Personal Information:
- To comply with legal obligations or respond to lawful requests.
- In connection with legal proceedings or investigations.
- To protect the rights, safety, or property of our company, users, or others.
Business Transfers: In the event of a merger, acquisition, reorganization, or sale of assets, Personal Information may be transferred as part of that transaction.
With Your Consent: We may disclose your Personal Information to other third parties when you direct us to do so or provide your explicit consent.

Do Not Sell or Share My Personal Information

Under U.S State Consumer Privacy Laws, you may request to opt-out of the sale or sharing of your Personal Information to third parties. We do not sell Personal Information in exchange for money. However, we may share certain Personal Information with third-party partners to improve your experience, personalize content, or measure performance - which may be considered a “sale” or “sharing” under some U.S State Consumer Privacy Laws. You may opt-out of such sharing via the cookie banner shown on the Website, using your browser settings, or by using the “Do Not Sell or Share My Personal Information” link below. Some browsers may transmit "Do Not Track" ("DNT") or Global Privacy Control (“GPC”) signals to the websites you visit. Because there is not common agreement about how to interpret DNT or GPC signals, Convatec currently does not act in response to them.

Do Not Sell or Share My Personal Information: link here.

Website Browsing and Online Tracking Technologies

For a detailed explanation of the types of cookies we use, the data they collect, and your choices regarding their use, please refer to our Cookies Notice.

Website Browsing and Online Tracking Technologies

For a detailed explanation of the types of cookies we use, the data they collect, and your choices regarding their use, please refer to our Cookies Notice.

Your Privacy Rights

Convatec recognizes and accommodates the following privacy rights for eligible Consumers, subject to verification and applicable legal exceptions. These rights may vary depending on your state of residence and the nature of your relationship with Convatec.

Please note: Job applicants, employees, contractors, healthcare professionals, and other business-to-business contacts are only considered “Consumers” under certain U.S State Consumer Privacy Laws if they reside in a state where such laws explicitly include these categories. These individuals may not be eligible for the rights described below unless otherwise required by law.

Right to Know: You may have the right to know the following details about our privacy practice at or before the point of collection. We have provided such information in this Supplemental Notice. You may also request that we provide you with information about the following aspects of how we have handled your Personal Information specifically in the 12 months preceding your request:
- The categories of Personal Information we have collected about you.
- The categories of sources from which we collected such Personal Information.
- The business or commercial purpose for collecting, selling, or sharing Personal Information about you.
- The categories of Personal Information about you that we disclosed and the categories of third parties to whom we disclosed such Personal Information.
- The categories of Personal Information about you that we sold or shared, and the categories of third parties with whom we sold or shared such Personal Information.
- If we collect Sensitive Personal Information, the categories of Sensitive Personal Information we have collected, the purposes for which it is collected or used, and whether that information is sold or shared.
- The length of time we intend to retain each category of Personal Information, or if that is not possible, the criteria used to determine that period.

Right to Deletion: You may request that we delete any Personal Information about you.
Right to Correction: You may request that we correct any inaccurate Personal Information we maintain about you.
Right to Opt-Out of the Sale or Sharing of Your Personal Information: You may have the right to opt out of the sale or sharing of your Personal Information, including its use for targeted advertising. You can do this via the “Manage Cookies” link in the website footer or through the pop-up presented when you visit our website.
Right to Revoke Consent for or Limit the Use of Your Sensitive Personal Information: You may have the right to withdraw your consent for certain uses of your Sensitive Personal Information, or to ask us to limit how we use and share it for specific business purposes allowed by law.

How to Submit a Privacy Rights Request

To exercise your consumer privacy rights—or to submit a request as an authorized agent—please email us at dataprivacy@convatec.com. You must respond to any follow-up inquiries we make to verify your identity and the legitimacy of the request.

Verification Requirements

All requests must be verifiable Consumer requests. This means we may ask you to provide identifying information such as your name, email address, phone number, and account details. We may also request additional information (e.g., transaction history) to confirm your identity. We will not fulfill requests unless we can reasonably verify that you are the Consumer to whom the Personal Information relates.

Non-Discrimination/No Retaliation

We will not discriminate or retaliate against you in a manner prohibited by applicable U.S. State Consumer Privacy Laws for your exercise of your consumer privacy rights.

Notice of Financial Incentive Programs

We do not offer programs requiring you to limit any of your Consumer rights or otherwise require you to limit your Consumer rights in connection with charging a different price or rate or offering a different level or quality of good or service, or that would otherwise be considered a financial incentive related to the collection of Personal Information.

Our Rights and the Rights of Others

Notwithstanding anything to the contrary, we may collect, use, and disclose your Personal Information as required or permitted by applicable law and this may override your rights under U.S. State Consumer Privacy Laws. In addition, we are not required to honor your requests to the extent that doing so would infringe upon our or another person’s or third party’s rights or conflict with applicable law.

ADDITIONAL NOTICE FOR CALIFORNIA RESIDENTS

California Residents Under Age 18

If you are a resident of California under the age of 18, you may ask us to remove content or data that you have posted to the website by writing to dataprivacy@convatec.com. Please note that your request does not ensure complete or comprehensive removal of the content or data, as, for example, some of your content or data may have been reposted by another user.

Disclosure About Direct Marketing for California Residents

In addition to the California Consumer Privacy Act and without limitation, Californians that visit our online services and seek to acquire goods or services are entitled to the following notice of their rights:

Shine the Light

We do not disclose “personal information” subject to California Civil Code §1798.83 with third parties for the third parties’ direct marketing purposes absent your consent (the Shine the Light law). If you are a California resident, you may request information about our compliance with the Shine the Light law by contacting us at dataprivacy@convatec.com. Any such request must include “California Privacy Rights Request” in the first line of the description and include your name, street address, city, state, and ZIP code. Please note that we are only required to respond to one request per Consumer each year, and we are not required to respond to requests made by means other than through the email address referred to above.

If you have any concerns about the way your Personal Information has been collected or handled by Convatec, queries regarding this Supplemental Notice, or would like to exercise your rights, you can contact Convatec’s Global Privacy Office at dataprivacy@convatec.com.

Convatec reserves the right to amend this Supplemental Notice at any time. If Convatec materially changes its privacy practices, this Supplemental Notice will be updated to reflect these changes and the effective date of our revised Supplemental Notice will be referenced above.

Annex 2

Washington and Nevada Health Data Privacy Notice

This Washington and Nevada Privacy Notice was last updated in January 2026.

This PRIVACY NOTICE FOR WASHINGTON AND NEVADA STATE RESIDENTS (the "Washington and Nevada Privacy Notice") supplements the information contained in the Privacy Notice of Convatec and its subsidiaries (collectively, "Convatec", "we", "us", or "our") and applies solely to Consumers (as defined in the Regulations) using our products and services who reside in the States of Washington or Nevada or a natural person whose Consumer Health Data (as defined in the Regulations) is collected in Washington or Nevada ("you"). It does not apply to our employees, contractors, or business contacts. We adopt this Washington and Nevada Privacy Notice to comply with the Washington My Health My Data Act and the Nevada Consumer Health Data Privacy Law (collectively the "Regulations"). Any terms defined in the Regulations have the same meaning when used in this Washington and Nevada Privacy Notice.

In the event of conflict between the Privacy Notice (or any other policy, statement, or notice) and this Washington and Nevada Privacy Notice, this Washington and Nevada Privacy Notice will prevail as to Consumer Health Data collected.

1. Consumer Health Data We Collect

Convatec may collect Consumer Health Data that is linked or reasonably linkable to a Consumer and that identifies the Consumer’s past, present, or future physical or mental health status. Consumer Health Data does not include publicly available data, de-identified data, or data explicitly excluded from coverage by the Regulations.

The Consumer Health Data we collect depends on your interaction with Convatec and the choices you make, including your privacy settings, products and features you use, your location, and applicable law. Because Consumer Health Data is defined broadly, many of the categories of data we collect could also be considered Consumer Health Data. We will only collect data about you that is necessary for one or more of our legitimate business purposes or is required by law.

Examples of Consumer Health Data we may collect include:

Individual health condition, treatment, disease, or diagnosis information.
Health-related information such as individual health condition, treatment or disease, medical procedure, use or purchase of prescribed medication or medical device, bodily function, vital signs, symptoms, or measurements of physical or mental health status, diagnosis or diagnostic testing, treatment, or medication information.
Data that may identify an individual seeking health care services such as: social, psychological, behavioral, and medical intervention information.
Inferences drawn from other personal data, such as: person's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

2. The Sources from Which Convatec Collects Consumer Health Data

We collect personal data (which may include Consumer Health Data) directly from you, from your interactions with Convatec (online and offline), our products and services, from third parties, and from publicly available sources. We obtain the categories of personal information listed above from the following categories of sources:

Directly from you or your caregivers or agents.
Indirectly from you, your caregivers, or agents. For example, information we collect in the course of providing products and services.
Directly and indirectly from activity on our websites. For example, website registration information.
From third parties in connection with the services that we perform.

3. Categories of Consumer Health Data We Share

Convatec may share all the categories of Consumer Health Data listed above in Section 1.

4. Categories of Third Parties and Affiliates with Whom We Share

Convatec may share all the categories of Consumer Health Data listed above in Section 1 with:

Other companies in the Convatec group (for example: Amcare Inc, 180Medical Inc, or Livramedom S.A.R.L), or companies we enter corporate transactions with (for example, mergers, acquisitions, and sales).
Third parties who are helping with your healthcare (for example, caregivers or healthcare professionals who request samples for you or refer you to us, other healthcare companies that we partner with to provide products and services, or your discharge centre).
Service providers or who help us provide our products and services or execute our general business operations (for example, product distributors, companies that provide cloud storage solutions, security and fraud prevention services, customer service platforms, survey software, or tracking technology functionality).
Regulators, law enforcement, and/or government to comply with obligations we have under applicable laws and other international laws, or if required for litigation.

5. Your Privacy Rights and Choices

The Regulations provide certain rights with respect to Consumer Health Data, including a right to confirm, access, delete or withdraw consent relating to such data, subject to certain exceptions. If you have any concerns about the way your Consumer Health Data has been collected or handled by Convatec, queries regarding this Washington and Nevada Privacy Notice, or would like to exercise your rights with regard to your Consumer Health Data, you can contact Convatec’s Global Privacy Office at dataprivacy@convatec.com.

Convatec reserves the right to amend this Washington and Nevada Privacy Notice at any time. If Convatec materially changes its privacy practices, this Washington and Nevada Privacy Notice will be updated to reflect these changes and the effective date of our revised version will be referenced above.