SHIMANO CONNECT LAB WEB APP DATA PROTECTION NOTICE

1.Introduction and Scope

This Data Protection Notice (the "Notice") describes the data processing activities in connection with your use of the following web app developed and offered by Shimano Inc.

• SHIMANO CONNECT Lab Web App (the "Web App")

Unless stated otherwise, the information provided herein applies to the Web App in general.

This Notice also informs you about the most relevant aspects of the arrangement concluded between the Shimano entities responsible for the data processing activities in connection with the Web App.

Personal Data means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental economic, cultural or social identity of that natural person ("Personal Data").

Special categories of personal data include data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation (also referred to as "Sensitive Data").

You can find more information about how we process the Personal Data of California consumers by reviewing the “Additional Disclosures for California Consumers” section of this Notice below.

2.Data controller

Shimano Inc. ("SIC")
3-77 Oimatsu-cho, Sakai-ku, Sakai City
Osaka 590-8577, Japan

SHIMANO EUROPE B.V. ("SEU")
High Tech Campus 92, 5656 AG Eindhoven,
The Netherlands,

SHIMANO NORTH AMERICA HOLDING, INC. ("SNAH")
One Holland, Irvine, California 92618 U.S.A.

SHIMANO SALES CO., LTD. ("SSJ")
1-5-15 Chikukou-Shinmachi, Nishi-ku, Sakai-shi, Osaka, 592-8331, Japan

are the entities responsible for the processing of your Personal Data in relation to the Web App as joint data controllers (SIC, SEU, SNAH and SSJ together referred to hereinafter as "we", "our" or "us").

In derogation of the above, the controller(s) responsible for the processing of your Personal Data in relation to the Web App in

• Australia, Taiwan and New Zealand is SIC,
• Switzerland are SIC and SEU, and
• Canada are SIC and SNAH.

If you are from these countries, by referring to "we", "our" or "us" and by referring to SIC and/or SSJ and/or SNAH and/or SEU we only refer to the respective company or companies named above for the respective country.

You can contact each joint controller by postal mail at the address above.

3.Data Protection Officer

We have appointed a group Data Protection Officer ("DPO") to manage all matters related to data protection and privacy. If you have any questions regarding the processing of your Personal Data, please contact our DPO at privacy@shimano-eu.com.

4.Information we collect

The Web App offers you a variety of functionalities, services and features (the "Services") which require or allow you to provide us with Personal Data about you. Additionally, we automatically collect information about you, including Personal Data, upon download and installation of the Web App on your device.

4.1Information you provide to us

When using the Web App you have the option to enjoy our contents and Services which may require or allow you to provide us with Personal Data.

If certain information is required for us to be able to provide you with a specific service, we will mark it as such. Failure to provide us with the information results in the impossibility of providing you with the requested service.

• User information: username (nickname), Shimano ID, login password (encrypted), gender, year and date of birth, place of residence (country/state/prefecture level), email address, and date of account creation, last login, last update, user image, authentication data for third party services
• Settings: language, region, measuring unit (metric/yard), date/time format, private location, IP Address
• Sensor device information: used sensor, sensor ID, type/manufacture
• Bike ride log: (max./ave.) power, latitude/longitude of Sensor device, obtained elevation, elapsed/riding time, distance, (max./ave.) speed, (max./ave.) pedaling cadence, (max./ave.) pedaling vector and efficiency, ave. torque, heading, gear shifts, connected sensor device (name/type/manufacture/ID), health related information (max./ave. heart rate, body weight)
• Any additional information you choose to provide (e.g. log-in details like usernames or email addresses used for third party services or devices by connecting the Web App to such third party services or devices, like Today’s Plan, Garmin, WAHOO)

4.2Information we automatically collect

When using the Web App and Services we automatically collect Personal Data as described below:

• Web App usage log information: Log (information about your interactions with the Web App, including access, error logs and crash recovery logs, date/time stamps and clickstream data)

4.3Information we receive from other sources

As a general rule, we collect information directly from you. However, we also receive Personal Data about you from other sources in the following situations:

You can register to the Web App by email address or by connecting with existing accounts on social media networks such as Facebook, Google, Apple and Twitter.

If you choose to use a social media account to register to the Web App, we will process the data of your social media user account. This information varies depending on the settings of your social media account and can consist of the following: account name, location, gender, age, email address, etc. Please note that by logging in via your Social Media accounts the providers of the Social Media platform can receive certain information about the fact that you have created an account with the Web App.

You can choose to connect your Web App account with those services provided by third parties that are indicated in the settings of your Web App account (e.g. Garmin, WAHOO). In order to activate the connection via your Web App settings you have to provide the log in information for your third party account as requested in the connection procedure. By activating the connection you agree that the information stored by these third parties are transferred to us, stored by us, and further processed by us to the extent the Web App’s functionalities are capable of processing this information (e.g. ride logs and information contained in them). For further information on the contents of the third party ride logs please refer to the data protection notice or the ride log descriptions provided by the third parties. You can prevent the data transfer to us by disconnecting the services from the Web App.

If you choose to connect the Web App with your third party service account, we will process information about your user account. This information can consist of the following: account name, email address. Please note that by connecting the Web App to your third party service account the respective third party service provider can receive information about the fact that you have linked your Web App to your account.

4.4Cookies and other tracking tools

The Web App uses cookies and other tracking mechanisms to collect information.

Cookies are small text files stored on your device with a variety of purposes. You can manage and delete the cookies on your device in the corresponding device settings.

5.Purposes and legal bases

We process your Personal Data only for specified, explicit and legitimate purposes and provided that we have a legal basis to rely on. Your Personal Data will not be processed for any purpose other than the one they were originally collected, unless the new purpose is compatible with the initial one or in the event you give us your consent.

We have summarized the purposes for which we process your Personal Data and the legal bases we justify the processing with in the list below:

• User identification:

  We use your Personal Data to verify your identity when registering and logging into the Web App.

  The processing of your Personal Data for this purpose is necessary for the performance of the contract concluded with you for the use of the Web App, see Art. 6 (1)(b) General Data Protection Regulation ("GDPR").

• Use of the Web App and the Services:

  The Web App operates and the Services are provided on the basis of the user profile you have created. We use your Personal Data to manage your sensor device information and ride log associated with your user account. Our aim is to offer you a seamless experience by enabling you to access your data from any place and any device. We base the processing of your Personal Data for the above purposes on the performance of a contract to which you are party, see Art. 6 (1)(b) GDPR.

  When configuring your user profile, you can choose to submit more information than the strictly required to provide you with the Services. The provision of optional information to complete your user profile enables you to benefit from a more personalized experience on the Web App. Some of the Services may also enable you to provide us with health related data (heart rate and weight information).

  We rely on your consent to process any Personal Data you have freely chosen to provide us with (see Art. 6 (1)(a) GDPR) or which are health related (see Art. 9 (2)(a) GDPR). In case you withdraw your consent, for example, by updating your user profile, we will stop processing your Personal Data for this purpose.

• Communication with you:

  We use your Personal Data to contact you, either upon your request, or when you have allowed us to do so, for example, to obtain feedback from you in order to improve our Web App, the Services and/or Shimano products.

  We base the processing of your Personal Data on your consent, as well as on the performance of a contract to which you are party and our legitimate interests to provide customer support, to improve the quality of our services and to grow as a business, see Art. 6 (1)(a), (b) and (f) GDPR.

• Product development and quality improvement:

  We process your Personal Data (specifically, your bike ride log information including your health related data) for product development and quality improvement purposes, e.g. to detect and analyze problems in our products, to carry out predictive maintenance and calculate the necessary product replacement timing, to develop and introduce new products and test their compatibility, etc.

  We base the processing of the bike ride log on our legitimate interests to improve the quality of our products and services, for product development research and to expand and grow as a business, see Art. 6 (1)(f) GDPR. We base the processing of health related information on your consent, see Art. 9 (2)(a) GDPR. In case you withdraw your consent, we will stop processing these Personal Data for this purpose.

  We further aggregate user data collected in our database in order to provide data analysis services (e.g. regarding model usage, gender ratio, average speed/distance/bike time, firmware status) to manufacturers of bikes or bike components. By way of data aggregation, all Personal Data is anonymized before it is transmitted to the respective recipient so that it is not possible for the manufacturer to directly or indirectly identify you.

  For this purpose, we rely on our legitimate interests to provide the added services to our cooperation partners and on the legitimate interests of our cooperation partners to be able to analyze model usage, see Art. 6 (1)(f) GDPR.

• Web App user measurement and usage analysis for product development and quality improvement:

  We analyze the performance of the Web App and Services, the users’ content and the users’ handling of the Web App and Services in order to understand how users interact with the Web App and Services and improve them accordingly and to develop and introduce new products and test their compatibility, etc.

  We rely on your consent to process your Personal Data for this purpose, see Art. 6 (1)(a) GDPR. In case you withdraw your consent, we will stop processing your Personal Data for this purpose.

• Detect and avoid misuse of the Web App:

  We analyze technical data gathered via the Web App to detect and avoid misuse thereof, for example, by a breach of the terms of use of the software license agreement.

  We base the processing of your Personal Data on the performance of a contract to which you are party, as well as on our legitimate interests in prosecuting any misuse of the Web App which could affect Shimano and could have legal consequences, see Art. 6 (1)(b) and (f) GDPR.

Where the above purposes require or involve the processing of Sensitive Data, we will ask for your express consent, as required by law, see Art. 9 (2)(a) GDPR.

6.Recipients of Personal Data

We share your Personal Data with the following recipients:

• Other group companies and distributors. Given the international footprint of our business, our group companies work closely together. To be able to do so, we share data, including Personal Data, within the group. This means that your Personal Data is shared with other group companies and distributors. You can find a list of all the group companies and distributors with whom we share your Personal Data as attached.
• Service providers acting on our behalf. We engage service providers to assist us in our daily business such as IT support and maintenance providers, web server providers. All service providers are legally and contractually required to respect and comply with applicable data protection legislation. Our service providers include:
  • Amazon Web Service, Inc. (“AWS”), 410 Terry Avenue North, Seattle, WA 98109-5210, USA (data processor; hosting provider);
  • SAP, Dietmar-Hopp-Allee 16, 69190 Walldorf, Germany (data processor; provider of customer relations and identity management services); and
  • o Nippon Systemware Co., Ltd., 31-11 Sakuragaokacho, Shibuya City, Tokyo 150-8577, Japan (data processor; development and maintenance provider)
• Third-party apps. Our Web App allows you to automatically or manually share your bike ride log information with other third-party applications. Please note that we do not share any information with third-party providers unless the user so requests. If you turn on automatic forwarding the ride logs will be automatically sent to the third-party app accounts when the ride log is uploaded to Shimano’s servers. You can deactivate the automatic forwarding at any time with effect for the future. Please note that the data protection notices provided by the third-party app providers for the respective apps apply for any processing of your Personal Data by the third-party apps after the transfer. The third-party apps you may share your data with are:
  • Strava
  • Training Peaks
  • Today’s Plan

The transfer of your Personal Data to recipients located in third countries outside of the European Economic Area ("EEA") is subject to the provisions set out in Section 7 below ("international data transfers").

7.International data transfers

All data collected via the Web App will be stored in the Tokyo region of AWS and on EU-based servers of SAP. As (joint) data controller, SIC has access to that database. Accordingly, your Personal Data will be transferred and/or disclosed to recipients located outside of the EEA in Japan which has been recognized by the European Commission in its adequacy decision (Commission Implementing Decision 2019/419 of 23 January 2019) as providing for an adequate level of data protection.

8.Retention periods

We will not process your Personal Data longer than necessary for the purpose for which it was originally collected.

Subject to statutory retention periods, we will delete your Personal Data:

• in the event of inactivity of your user profile for a period of 5 years; and/or
• when you delete your user profile by using the functionality in the account management settings in the Web App.

9.Your rights

Under applicable data protection law, you have certain rights with regard to the processing of your Personal Data by us:

• Right of access to your Personal Data;
• Right to rectification of inaccurate or incomplete Personal Data;
• Right to erasure of your Personal Data;
• Right to restriction of processing;
• Right to data portability, when the processing of your Personal Data is based on your consent or on a contract, and the processing is carried out by automated means;
• Right to withdraw consent with effect for the future
• Right to lodge a complaint with a supervisory authority; and
• Right to object to the processing of your Personal Data on grounds relating to your particular situation, and right to object to the processing of your Personal Data for direct marketing purposes.

10.Joint controllership agreement

SIC, SSJ, SNAH and SEU jointly determine the purposes and the means of the processing of your Personal Data in connection with the Web App as described in Section 2 above. Consequently, as required by law, SIC, SSJ, SNAH and SEU have entered into a joint controllership agreement for personal data of users located in the EEA pursuant to Art. 26 GDPR. SIC, SSJ, SNAH and SEU will coordinate and cooperate with each other in order to comply with their data protection obligations, to observe your rights and to process your request and reply to any of your inquiries.

SEU is the designated point of contact for the Web App users requesting to exercise their rights under Section 9 above. If you want to do so, or in case you have questions regarding them, please contact SEU by phone at +31-40-2612222 or by email at privacy@shimano-eu.com. In addition, If you are located in the EU, please note that in addition to your designated point of contact, you may also contact SIC, SNAH and SSJ to exercise your rights.

11.Data security

We have implemented standard industry practices internally and with our service providers to maintain the security of your Personal Data depending on its sensitivity and to avoid disclosure of such Personal Data unpermitted under this Notice.

12.Third-party links and websites

Our Services offer you the possibility of accessing third party content, such as websites, apps and online services. Please note that we are not responsible for the data processing activities of these third parties. We encourage you to read the data protection notices of any third party website, app or online service you connect with.

13.Children

We do not knowingly process Personal Data from individuals under the age of 16 without parental or guardian consent. If you are the parent or the guardian of a child and you believe that we have processed Personal Data about him or her, please contact our DPO using the contact details described above in Section 3.

14.Miscellaneous

This Notice may be revised from time to time to reflect and comply with changes in applicable legislation. We will inform you about any updates in an appropriate manner, e.g. via email or a message in the Web App. The date of the last update is available at the top of this Notice.

Attachment