Joincare Pharmaceutical Industry Group Co., Ltd. Information Security and Privacy Protection Policy
Published: 2025-07-25
Article I Purpose
Joincare Pharmaceutical Industry Group Co., Ltd. ("the Company") attaches great importance to privacy and data security. This Information Security and Privacy Protection Policy ("this Policy") aims to establish the Company's principles and governance framework for the protection of personal privacy and data, to ensure the integrity and protection of such data across the Company and its subsidiaries (collectively referred to as "the Group," "we," or "our").
We strictly comply with the Personal Information Protection Law, the Data Security Law, the Cybersecurity Law of the People's Republic of China, and applicable national standards and regulatory requirements. We are committed to adopting appropriate security measures in accordance with applicable laws and industry best practices to protect personal data (as defined in Article 2), and to continuously improve our data security governance and information security systems.
We value and respect your privacy and are committed to safeguarding your personal data. This Policy will help you (as defined in Article 2) understand our principles and practices regarding data protection, including what data we collect, why and how we collect it, how we use it, how we protect it, and your rights.
We recommend that you read and understand this Policy before using our products/services or engaging with us. If you have any questions regarding this Policy or the processing of your data, please contact us (see Article 13). We may update this Policy from time to time through our official website (see Article 12).
Our websites may contain links to third-party sites/services not owned or controlled by us. We are not responsible for how such third parties operate or handle your data and encourage you to review their privacy policies.
Article II Scope and Definitions
This Policy applies to the entire operations of the Company, including its subsidiaries and suppliers. All Group entities shall fully comply with this Policy when formulating internal data privacy policies.
"Personal data" or "personal information" under this Policy refers to any information, whether recorded electronically or otherwise, that relates to an identified or identifiable natural person, excluding anonymized data.
"You" or "individual" as used in this Policy refers to, but is not limited to:
- Our customers;
- Our patients;
- Our employees;
- Our shareholders;
- Our business partners and their employees (including but not limited to suppliers, distributors, contractors);
- Visitors to our premises;
- Users of our websites;
- Individuals in contact with us;
- Any other individuals interacting with us.
Article III Collection and Use of Personal Information
We collect and use personal information in accordance with the principles of lawfulness, fairness, necessity, integrity, transparency, and for legitimate purposes as outlined below. Your personal information is collected with your informed consent (opt-in consent is required). If we intend to use your personal information for purposes not stated herein, we will notify you and seek your separate consent. An opt-out option is available if you do not wish us to continue using your personal information.
We adhere to the principle of data minimization and only collect personal data necessary for business or operational needs, and consistent with our contractual and privacy commitments. Once the purpose is fulfilled, we cease data collection and delete or anonymize your personal information after the retention period.
1. Nature of Information Captured
Depending on your interactions with us, we may collect the following types of personal data:
- Basic information: name, date of birth, gender, ethnicity, nationality, family relationships, address, phone number, email, etc.
- Identification: ID card, passport, military ID, driver’s license, work permit, access card, social security card, residency permit, etc.
- Biometric data: genetic information, fingerprints, voiceprints, facial features, biological samples, etc.
- Online identifiers: account ID, IP address, digital certificates, etc.
- Health and Physiological Information: Records generated in connection with illness and medical treatment, such as medical records, hospitalization notes, physician’s orders, laboratory reports, surgical and anesthesia records, nursing records, medication records, information on drug and food allergies, reproductive information, past medical history, diagnosis and treatment details, family medical history, present illness history, infectious disease history, smoking history, alcohol abuse history, and drug abuse history; as well as information related to an individual’s physical health status, such as weight, height, and similar data.
- Education and Employment Information: An individual’s occupation, position, employer, department, employee identification number, academic qualifications, degrees, educational background, employment history, training records, transcripts, separation certificates, professional licenses, and similar information.
- Property Information: Bank accounts, deposit information (including amounts of funds and records of payments and receipts), real estate information, credit records, credit reporting information, transaction and consumption records, account statements, tax information, financial disclosure forms, social security certificates, as well as information on virtual assets such as cryptocurrencies and virtual transactions.
- Communication data: messages, emails, metadata, etc.
- Contacts: emergency contacts, address book, email contact lists, etc.
- Online activity: browsing history, click records, app usage logs, etc.
- Device data: hardware serial numbers, MAC address, software details, etc.
- Location data: geographic location, travel history, lodging information, etc.
- Other data: marital history, religion, sexual orientation, social credit, criminal records, etc.
If you provide information about another individual, you confirm that you have the right to do so and allow us to process such data under this Policy.
2. Use of the Collected Information
We will process and use your personal information within the scope of our daily business activities for the purposes specified in this Policy, or when permitted or required to do so under applicable information security laws. These purposes may vary depending on where you live and where we operate. If the laws of a certain country restrict or prohibit certain activities described in this Policy, we will comply with such requirements.
The main purposes for which we use your personal information are listed below:
(1) Information You Voluntarily Provide to Us or Allow Us to Collect
(a) Drug Development
We may collect and process your personal information throughout the full lifecycle of the development of the Group’s pharmaceutical products (including finished dosage forms, active pharmaceutical ingredients and intermediates, diagnostic reagents, and equipment), covering pre-clinical, clinical, marketing, and post-marketing stages. In this process, you may choose to voluntarily provide to us, or allow us to collect, your personal information.
In certain specific circumstances, and in accordance with applicable laws and regulations, we may request to collect your personal sensitive information (as defined in Article 3, paragraph 3). Such requests are necessary to safeguard and improve product efficacy, address health-related matters, conduct scientific research, and market our pharmaceutical products.
We will retain and process the personal information you voluntarily provide to us, or allow us to collect in this process, solely for our scientific research and business activities, and use it for our commercial purposes to the extent permitted by law.
(b) Marketing and Promotion
In the course of our business, we may promote our products, services, academic knowledge, news, and other content to you in various ways. In this process, you may choose to voluntarily provide to us, or allow us to collect, your personal information.
We will retain and process the personal information you voluntarily provide to us, or allow us to collect in this process, solely for carrying out our marketing and promotional activities, and use it for our commercial purposes to the extent permitted by law.
(c) Purchase and Use of Products and Services
When you purchase and use our products and services, you may choose to voluntarily provide to us, or allow us to collect, your personal information so that we can provide you with the products and services you have ordered.
We will retain and process the personal information you voluntarily provide to us, or allow us to collect in this process, solely for fulfilling your purchase and use of our products and services, and use it for our commercial purposes to the extent permitted by law.
(d) Account Registration
To use certain of our services, you may be required to register in advance to create your account. In this process, you may choose to voluntarily provide to us, or allow us to collect, your personal information. We will process and use your personal information for the entire duration of your account’s existence for our service and technical management.
We will retain and process the personal information you voluntarily provide to us, or allow us to collect in this process, solely for our service and technical management, and use it for our commercial purposes to the extent permitted by law.
(e) Contract Execution
We will collect your personal information to sign and execute contracts entered into with you. If you choose not to provide your personal information, we may be unable to establish or maintain contact with you or your employer, or to conduct business.
We will retain and process the personal information you voluntarily provide to us, or allow us to collect, solely for initiating, signing, and executing our contracts, and use it for our commercial purposes to the extent permitted by law.
(f) Contact Requests
When you need to contact us for business or other reasons, you will need to provide your personal information so that we can establish and maintain contact with you. In this process, you may choose to voluntarily provide to us, or allow us to collect, your personal information.
We will retain and process the personal information you voluntarily provide to us, or allow us to collect in this process, solely for responding to and handling your contact requests, and use it for our commercial purposes to the extent permitted by law.
(g) Newsletters
To maintain contact with you and keep you informed of our latest updates, we offer various newsletter services for your use. In this process, you may choose to voluntarily provide to us, or allow us to collect, your personal information.
We will retain and process the personal information you voluntarily provide to us, or allow us to collect in this process, solely for providing you with newsletter services, and use it for our commercial purposes to the extent permitted by law.
(h) Access Management
When you visit our premises or use wireless networks provided by us, we may request that you provide your personal information for necessary security management.
We will retain and process the personal information you voluntarily provide to us, or allow us to collect in this process, solely for providing you with relevant services and safeguarding our security, and use it for our commercial purposes to the extent permitted by law.
(i) Human Resources Management
To maintain our normal business operations, we carry out routine human resources management activities, including but not limited to recruitment management, management of employees during employment, and workplace management. In this process, you may choose to voluntarily provide to us, or allow us to collect, your personal information.
We will retain and process the personal information you voluntarily provide to us, or allow us to collect in this process, solely for conducting human resources management activities, and use it for our commercial purposes to the extent permitted by law.
(j) Accounting
We may collect and process your personal information for legitimate accounting purposes to fulfil our obligations under tax, corporate, and other applicable laws. For example, when recording and processing invoices, making remittances, or issuing refunds, the personal information we need to collect from you primarily includes: your contact information (including name, phone number, email address, etc.), accounting data (including purchased goods and services, banking information, tax identification number, invoice number, invoice date, etc.), and your employment information (including position, employee number, department, etc.).
We will retain and process the personal information you voluntarily provide to us, or allow us to collect in this process, solely for conducting accounting-related activities, and use it for our commercial purposes to the extent permitted by law.
(k) Complaints and Reports
When you lodge a complaint with us regarding the quality of our products or services, or for other reasons, or when you report something to us, you may need to provide your personal information so that we can establish and maintain contact with you and provide feedback on the results of our investigation and handling.
You may also lodge complaints and reports anonymously through other channels provided under our company’s policies and procedures. In such cases, we will process the description of the issue you provide (including the specific complaint/report content, etc.) to conduct relevant investigations.
We will retain and process the personal information you voluntarily provide to us, or allow us to collect in this process, solely for handling and responding to your complaints and reports, and use it for our commercial purposes to the extent permitted by law.
(l) Artificial Intelligence (AI)
To improve our work efficiency, we may use artificial intelligence tools in our business activities. In such cases, we will inform you in various ways of content generated by artificial intelligence so that you can identify it as AI-generated content. In this process, you may choose to voluntarily provide to us, or allow us to collect, your personal information.
We will retain and process the personal information you voluntarily provide to us, or allow us to collect in this process, solely for the normal use of artificial intelligence tools, and use it for our commercial purposes to the extent permitted by law. At the same time, when using artificial intelligence tools in our business activities, we will de-identify your personal information to avoid various biases arising in this process.
(2) Information Collected Automatically
When you visit our websites or other online resources, or when you use our newsletter services, we and our service providers may automatically collect your personal data, such as browser type, operating system, device type, device model, unique device identifier, IP address, pages you view, links you click, your location information, search terms you enter, information you view/hover over/click, and the length of time you visit our websites.
We collect such data to ensure our network security, analyze user behavior to maintain service quality, personalize settings for you, and diagnose and resolve technical issues to improve our services.
- Network Security
To ensure the secure operation of our websites and services, improve operational quality and efficiency, and prevent malicious programs, we automatically collect your personal data, including but not limited to the following types: network identifiers such as IP address; personal device information (including device MAC address, operating system version, browser type and version, screen resolution, language used, etc.); and personal access behavior records (including website browsing history, page URLs, request times, click records, etc.).
- Improving Access Experience and Usage Analysis
Our webpages use cookie technology to make our websites more user-friendly, efficient, and secure. The main purpose of our use of cookies is to improve your browsing experience. For example, they are used to record your preferences during browsing (such as language, region, etc.) for use in future visits. Information recorded by cookies also enables us to improve our websites by estimating user numbers and usage patterns, including customizing content according to your interests and speeding up your searches.
Most of the cookies we use are “session cookies,” which are automatically deleted after your visit ends. You can configure your browser to be informed of cookie usage so that you can decide on a case-by-case basis whether to accept cookies.
For cookies necessary to enable electronic communication or to provide certain features you wish to use, we will store and process data in accordance with the laws and regulations of China and other countries and regions where we operate.
(3) Information Collected from Public Sources
We may, from time to time, collect and use information obtained from other sources (such as public databases, social media platforms, or other third parties) to supplement the personal information we already have about you. The main purpose of such collection is to carry out necessary internal verification and validation processes.
(4) Information Collected from Third Parties
We may collect and use your personal information from third parties (such as clinical trial institutions, hospitals, etc. cooperating with us) within the scope of your explicit authorization and consent. We will use your personal information only after confirming the legality of the source and in accordance with agreements with such third parties, and only under compliance with applicable laws and regulations.
Article IV Disclosure of Personal Information
We may share your personal information within the Group or with third-party service providers, suppliers, partners, and affiliates for legitimate business purposes. We enter into confidentiality agreements with such third parties and require them to handle your personal information in accordance with this Policy and applicable laws.
In the event of mergers, acquisitions, or asset transfers, we will inform you through public announcements or notifications and ensure the transferee complies with this Policy.
We may disclose your personal information to comply with laws, court orders, or regulatory requirements, or to protect public interests or the safety, rights, or property of others.
Where permitted, we may disclose your personal information with your consent for other purposes.
Article V Cross-Border Transfers
In principle, personal information collected within the PRC will be stored within the PRC. With your consent, your data may be stored or accessed overseas as required by global operations. Regardless of location, your data will be protected as per this Policy.
Article VI Children’s Personal Information
We do not knowingly collect personal data from children under the age of 14 without verifiable parental or guardian consent. If you are under 14, do not provide any personal information.
If your child has provided us with personal data, you may contact us to request its deletion (see Article 13).
Article VII Data Security and Storage
We implement reasonable security measures aligned with industry standards to prevent unauthorized access, disclosure, modification, or loss of personal information.
Despite our best efforts, absolute data security cannot be guaranteed. If a data breach occurs due to force majeure or reasons beyond our control, we disclaim liability for resulting losses.
We retain your personal information only for the period necessary to fulfill the purposes outlined in this Policy or as required by law. After that period, we delete or anonymize your data. Account data is retained while the account is active. Upon account cancellation, we stop providing services and delete or anonymize data unless otherwise required.
We regularly review data handling practices to ensure ongoing security.
Article VIII Your Rights
To the extent permitted by applicable laws, you have the following rights with respect to your personal data:
(1) Right of Access: To access, review, and obtain copies of the personal data held by the Company;
(2) Right to Rectification: To request that your personal data be corrected, updated, or supplemented;
(3) Right to Deletion: To request your personal data to be deleted;
(4) Right to Object: To refuse or restrict our collection, processing, or use of your personal data;
(5) Right to Withdraw Consent: To change the scope of your authorization or withdraw your consent;
(6) Right to Data Portability: To request your personal data to be transferred to other service providers designated by you;
(7) Other rights granted to you under applicable laws.
We place great importance on protecting your rights. If you wish to exercise your rights, please contact us (see Article 13 for contact information). For security purposes, you may be required to submit a written request. We will verify your identity in accordance with applicable laws and regulations.
To the extent permitted by applicable laws, you have the right to withdraw your request at any time while we are processing your personal data based on such request. However, such withdrawal will not affect the lawfulness or validity of our processing of your personal data prior to the withdrawal, nor will it affect our processing of your personal data on other appropriate legitimate grounds.
Subject to compliance with laws and regulations, we may be unable to accommodate your request to exercise your rights under the following circumstances:
(1) Where your request conflicts with our obligations under laws and regulations;
(2) Where your request is directly related to national security or national defense security;
(3) Where your request is directly related to public safety, public health, or major public interests;
(4) Where your request is directly related to criminal investigations, prosecutions, trials, or enforcement of judgments;
(5) Where we have sufficient evidence that you have acted in bad faith or are abusing your rights;
(6) Where it is necessary to safeguard your or another individual’s life, property, or other significant lawful rights and interests, but it is difficult to obtain your consent;
(7) Where responding to your request would cause serious harm to the lawful rights and interests of you or other individuals or organizations;
(8) Where your request involves trade secrets.
If you are dissatisfied with the way we handle your personal information, you may submit a request to us (see Article 13 for contact information), and we will promptly investigate and address your concerns.
Article IX Security Measures
We employ encryption, access controls, firewalls, and other safeguards to prevent unauthorized access, disclosure, or destruction of personal information.
Article X Management Measures
The Group is committed to monitoring and promptly responding to identified information security threats. To prevent potential risks in data protection and to address possible data breaches and security incidents, the Group adopts both proactive prevention measures and reactive response measures, and has established corresponding management measures for incident identification, incident response, and incident reporting, in order to promptly contain and mitigate the adverse impact of data breaches and security incidents on individual rights and interests as well as on the Group.
The IT Department is responsible for managing information security and privacy issues. We establish individual responsibilities for information security for the entire workforce. In addition, we establish information security requirements for third parties (e.g., suppliers). All employees and third parties must comply with information security requirements. We have a zero-tolerance policy for any breach of this Policy, and disciplinary action will be taken in case of breach or violation.
Article XI Audits
This Policy is embedded in group-wide compliance management. We conduct internal audits regularly to ensure compliance with this Policy and engage independent third parties for annual or ad hoc audits to ensure its effectiveness.
Article XII Updates to the Policy
This Policy is effective as of its publication. If legal or business changes occur, we may update this Policy. We will not reduce your rights without your consent. Material changes will be communicated prominently. If you disagree, contact us before continuing to use our services.
Article XIII Governance
This Policy has been reviewed and approved by the Sustainable Development Committee under the Board of Directors. The Committee shall report regularly to the Board on the implementation of this Policy and provide recommendations to support the Board’s decision-making and oversight.
The Sustainable Development Committee holds overall responsibility for the implementation, supervision, and periodic review of this Policy. It is also responsible for the interpretation and amendment of this Policy.
Any matters not covered herein shall be handled in accordance with applicable laws, regulations, and normative documents.
This Policy shall become effective as of the date of issuance.
Joincare Pharmaceutical Industry Group Co., Ltd.
25 July 2025