Privacy Notice
Last updated: July 2023
You deserve to be aware of how your personal data is used. Moreover, data protection laws give
you certain rights over your personal data, no matter when or where it is being
processed. This Privacy Notice is meant to give you information about what
personal data we collect about you, how we use it, why we use it, and how you control
the data processing.
1. The Basics
2. Personal Data We Collect as a Processor
3. Personal Data We Collect as a Controller
4. Sharing the Personal Data We Collect
5. International Transfers
6. Security
7. Your Rights - How to Control Our Use of Your Personal Data
9. Cookies and Similar Technologies
10. Third-Party Services
11. Children
12. Changes to the Privacy Notice
1.1. Who We Are. Cordio Medical Ltd. offers a technology that monitors several health conditions by
analyzing voice and speech samples using sophisticated and proprietary
algorithms, available through its flagship HearO™ mobile application. Our
offices are located at 6 Yehonatan
Netanyahu St., 6037604 Or-Yehuda, Israel, and our registration number is
514975374. If you have questions about our company or your privacy, or want to
exercise your rights, you can contact us at info@cordio-med.com.
1.2. Our Services. When we refer to "services", we mean a technology that monitors, by analyzing
the patient's speech, fluid accumulation related to congestive heart failure
and notifications prior to clinical symptoms and hospitalization. We provide
the services to and on behalf of clinics or other healthcare providers that
have engaged us for this purpose. The services are available to the doctors and
other healthcare practitioners of these clinics through the "Clinic
Portal." Through the Clinic Portal, doctors can make the services
available to their patients through the HearO® system ("App").
1.3. Our Role: Controller and Processor. Certain data
protection laws, including the laws in the EU, differentiate between a party
that determines why and how personal data is processed (called a "controller")
and a party that processes personal data solely on the controller's behalf and
according to the controller's instructions (called a "processor"). In
respect of certain personal data we collect, we act as
a controller and with respect to other personal data, we act as a processor.
Please see the sections below on Personal
Data We Collect as a Processor and Personal Data We Collect as a Controller for more
information.
1.4. Definitions and Recommendations
1.4.1. When we refer to "personal data", we mean information that
is defined as personal data under the law. This includes information that
identifies you directly or indirectly, including unique identifiers like IP
addresses or cookie IDs.
1.4.2. When we refer to "you",
we mean a user of the services, either as a patient using the App, or as a
physician or other health professional using the Clinic Portal.
1.4.3. This Privacy Notice is meant to be read together with our Terms of
Service. In general, we recommend that you routinely review this privacy notice
and your preferences through our services.
1.5. A Note on Legal Bases. Certain jurisdictions only allow the
processing of personal data where a legal basis has been established. Under the
EU's General Data Protection Regulation ("GDPR"), the possible
legal bases include: your consent, the processing is necessary to perform a
contract with you, the processing is necessary to fulfill our legal
obligations, or a company has a legitimate business interest to process your
personal data. Where we are a controller, we only collect and process data
where we have established a legal basis. Below you can find more details about
specific legal bases.
2. Personal Data We Collect as a Processor. We process certain personal data
about both doctors using the Clinic Portal and patients using the App as part
of the services we provide to the clinics that are our customers, including
support services. In these cases, we serve as a processor and the applicable
clinic serves as a controller. We process that data on behalf of the relevant
customer and according to its instructions. To learn more about the legal basis
established by the clinic, our processing activities in this capacity or to
exercise your privacy rights regarding them, please contact the applicable
clinic.
2.1. Doctors. If you are a doctor or other healthcare
practitioner using the Clinic Portal, we will process your username, email
address and password as a processor on behalf of the clinic. This information
will be available to the clinic to review.
2.2. Patients. If you are a patient using the App, we will
process personal data that the clinic has provided about you, namely your name,
phone number, email address, and clinic ID number, and logs about your use of
the App, as a processor on behalf of the clinic. Additionally, when you record
your speech through the App, we use these recordings and details about your
usage of the App (type of phone, operating system version, App version, and date
and time of recordings) as a processor on behalf of the clinic, unless you have
explicitly consented to our use of this data for additional purposes (see Personal
Data We Collect as a Controller), in which case both we and the clinic will
serve as controllers of this data. When you contact us directly or are referred
to us for support services, we will collect information about your inquiry for
the purpose of providing support services to you at the direction of the
clinic.
3. Personal Data We Collect as a Controller.
3.1. Recording Data. When patients using the App provide
voice or speech recordings, we generally process these recordings as a
processor on behalf of the applicable clinic. However, some patients may choose
to allow us to use these recordings for the purposes of improving our services
and algorithms. Similarly, if users consent and give us access to certain
features on their mobile device, we also collect data that may be provided
through Google Health Kit or which may be collected
through sensors on the mobile device. Note that voice or speech recordings may
be considered biometric data, and along with data from the Health
Kit or sensors, would be subject to special protections under the law. When we
use voice or speech recordings in this capacity, we do so as a controller and
solely for the purpose of improving our services and algorithms. The legal
basis for this use is the consent of the patient, which may be withdrawn at any
time.
4. Sharing the Personal Data We Collect. We share your personal data as follows:
4.1. Clinic. Personal data that we collect about doctors
and patients will be shared with the relevant healthcare practitioner in accordance
with the roles assigned by the applicable clinic that serves as a controller of
this information.
4.2. Service Providers. Below is a list of the types of service
providers we use, the service each provides, and the types of data shared with
each. All service providers have agreed to confidentiality restrictions and
have undertaken to use your personal data solely as we direct.
| Type of Service | Description | Personal Data Shared |
| --- | --- | --- |
| Cloud Computing | We use service providers that offer cloud computing services. They offer us space on their servers for us to store our files and programs, including your personal data. | All personal data that we collect from you is stored on third-party servers. |
| Analytics Providers | We use a service provider to assist us with analytics services. | Data is collected automatically through our site, including IP addresses and cookie information. |
| Customer Support Provider | We engage a service provider to assist us in providing support services to you on behalf of the clinic. | Identifying details such as your name and username, information in your account that you make available, and information regarding your request or inquiry. |
4.3. Change of Ownership. If we are looking to sell our
company, liquidate assets, or merge with another, we may share your personal
data with other interested parties as part of negotiations toward that
transaction. In such case, or where we do sell our company, your personal data
shall continue to be subject to the provisions of this Privacy Notice.
4.4. Law Enforcement Related Disclosure. We may share your personal data with government agencies or
other relevant parties, such as a law office or independent auditor: (i) if we believe that such disclosure is
appropriate to protect our rights, property or safety (including the
enforcement of the applicable Terms of Service and this Privacy Notice) or
those of a third party; (ii) if required by law or court order; or (iii) as is
necessary to comply with any legal and/or regulatory obligations, such as audit
requirements.
5. International Transfers. Some of our service providers are located in countries other than
your own. When we transfer your personal data internationally, we will do so
safely and securely and in accordance with applicable law.
5.1. If you are located in the EU, when we share your personal data
with third parties based outside of the European Economic Area ("EEA"), we will ensure that they
sign agreements that require them to comply with applicable law, keep your data
secure at similar levels to the level described in this Privacy Notice, and
make sure that your data protection rights are protected. We will also
implement the following safeguards:
5.1.1. When we transfer your personal data to Israel or the UK, we rely
on the decision by the European Commission that says that those countries are
considered to provide an adequate level of data protection.
5.1.2. Where we transfer your personal data to other countries, we (i) take additional security measures to protect the data
and (ii) use specific contracts approved by the European Commission, known as
the Standard Contractual Clauses, to give your personal data the same
protection it has in the EEA.
5.1.3. Please contact us at info@cordio-med.com if you would
like further information on the specific mechanism used by us when transferring
your personal data out of the EEA.
6. Security. The security of your personal data is our
highest priority. We work hard to make sure that your personal data will be
held securely and that it will not be shared or lost accidentally. However, it
is impossible to guarantee absolute security. The security of your data also
depends on the security of the devices you use and the way in which you protect your user IDs and
passwords. The measures we take include:
6.1. Technical Measures. The electronic safeguards we employ to
protect your personal data include secure servers, firewalls, and antivirus
protections. We encrypt data in transit and at rest using secure SSL protocols.
6.2. Access Control. We limit access to your personal data only to
authorized personnel who have a need to know, including account managers,
customer support staff, software developers, and the research and development
staff. We review these permissions regularly and revoke an employee's access
immediately after his/her termination.
6.3. Internal Policies. We maintain and regularly review and update
our privacy related and information security policies.
6.4. Personnel. We require employees to sign non-disclosure
agreements according to applicable law and industry customary practice.
6.5. Database Backup. Our databases are backed up and verified
regularly. Backups are encrypted and stored within the production environment
to preserve their confidentiality and integrity.
7. Your Rights - How to Control Our Use of Your Personal Data. Depending on
which laws apply, you have certain legal rights over your data. Below is some
general information about rights that may apply to you
but we recommend checking the law or consulting with a lawyer to understand
what applies in your specific case. To exercise your rights, please contact us
at info@cordio-med.com. If you want to
exercise your rights regarding your personal data for which we are the
processor you can contact the applicable clinic (the controller) directly. We
may ask for reasonable evidence to verify your identity before we can comply
with any request.
7.1. Right of Access. You may have a right to know what personal
data we collect about you. We may charge you a
fee to provide you with this information, if permitted by law. If we are unable
to provide you with all the information you request, we will do our best to
explain why. See Article 15 of the GDPR for
more details, if your personal data is subject to GDPR.
7.2. Right to Correct Personal Data. You may have the right to request that we
update, complete, correct or delete inaccurate, incomplete, or outdated personal
data. See Article 16 of the GDPR for
more details, if your personal data is subject to GDPR.
7.3. Deletion of Personal Data ("Right to Be Forgotten"). If you are located in the EU, you may have the right to request
that we delete your personal data. Note that we cannot restore information once
it has been deleted. Even after you ask us to delete your personal data, we may
be allowed to keep certain data for specific purposes under applicable law. See
Article 17 of the GDPR for
more details, if your personal data is subject to GDPR.
7.4. Right to Restrict Processing. If you are located
in the EU, you may have the right to ask us to stop processing your
personal data. See Article 18 of the GDPR for
more details, if your personal data is subject to GDPR.
7.5. Right to Data Portability. If you are located in the EU, you
may have the right to request that we provide you with a copy of the personal
data you provided to us in a structured, commonly-used,
and machine-readable format. See Article 20 of the GDPR for more details, if your
personal data is subject to GDPR.
7.6. Right to Object. If you are located in
the EU, you may have the right to object to certain processing activities. See Article 21 of the GDPR for more details, if your
personal data is subject to GDPR.
7.7. Withdrawal of Consent. If we are processing your data based
on your consent, you are always free to withdraw your consent, however, this
won't affect processing we have done before you withdrew your consent.
7.8. Right to Lodge a Complaint with Your Local Data Protection
Authority. If you are located in the EU, you have
the right to submit a complaint to the relevant data protection authority if
you have any concerns about how we are processing your personal data, though we
ask that as a courtesy you please attempt to resolve any issues with us first.
8.1. Where we are a processor, we retain your personal data in
accordance with the applicable clinic's instructions.
8.2. Where we are a controller, we retain your personal data as long as
necessary to fulfill the purposes we described above. When deciding how long to
store personal data, we consider the amount, nature, and sensitivity of the
personal data, the potential risk of harm from unauthorized access, the
purposes for which the personal data was collected, as well as applicable legal
requirements. Please note that we may delete information from our systems
without notifying you first. Retention by any of our service providers or
subcontractors may vary in accordance with each business's retention policy.
8.3. Please contact us at info@cordio-med.com if you would
like details about the retention periods for each type of personal data we
process.
9. Cookies and Similar Technologies
9.1. What are Cookies? A cookie is a
small piece of text that is sent to your browser by a website you visit. This
piece of text acts as a sort of tag, letting the website know that it's you
(really, your device) that's visiting. There are other technologies that act
similarly, like web beacons, pixel tags, and device IDs for apps, but for
simplicity's sake we'll refer to them all as "cookies".
9.2. How We Use Cookies. We use cookies
in the Clinic Portal. These cookies are necessary for the functioning of the service, since they save a token and navigation history for
the current session and allow the service to work correctly.
10. Third-Party Services. You may have
access to third-party services through our services. Please note that all use
of third-party services is at your own risk and subject to such third party's
terms and privacy policies. We do not take any responsibility for the
performance of other services.
11. Children. We do not knowingly collect personal data
from children under the age of sixteen (16).
12. Changes to the Privacy Notice. We may update
this Privacy Notice from time to time to keep it up to date with legal
requirements and the way we operate our business. We will place any updates on
this webpage. Please come back to this page every now and then to make sure you
are familiar with the latest version.