Respi.me’s Privacy Policy

Your medical center is the data controller of your personal data to the extent that it determines the purposes and means of the processing related to Respi.me’s services.

ADH is the data processor of your personal data to the extent it ensures, on behalf of your medical center and under its documented instructions, the implementation of processing related to Respi.me’s services.

ADH acts as the data controller of your personal data:

• when it operates personal data processing in order to comply with its legal and regulatory obligations, in particular regarding the materiovigilance obligations; and
• when it operates personal data processing in order to improve the App, the Site and/or its services.

This Policy describes how ADH collects, uses and shares information about you through Respi.me. Please read this Policy carefully to understand what we do. If you do not understand any aspects of our Privacy Policy, please feel free to contact us as described at the top of this Policy. This Privacy Policy applies only to information we collect through the App and the Site. Respi.me also contains links to third party sites that are not owned or controlled by ADH. We are not responsible for the privacy practices of such other sites. ADH does not share Personal Information (defined below) with those sites. We encourage you to be aware when you leave Respi.me and to read the privacy statements of each and every website that collects personal information.

ADH collects two types of information: (1) information received from you, and (2) information received from others.

Find below the detailed list of all personal data provided by you via Respi.me or generated by Respi.me (also Respi.me automatically collects data via cookies⁽²⁾ and other trackers):

Type of Data	Examples of Data
Identification data	Fist name, last name, date of birth
Contact details	Email address, phone number,
Health data	Symptoms Medication (type, dates, times, inhalation technique when you use your inhaler with a HeroTracker Sense add-on), symptoms Sensor data: forced expiratory volume, forced vital capacity, peak expiratory flow
Exchanges with ADH	Date, hour, and subject of your exchanges with ADH
Electronic network activity information (2)(Traffic data)	Date and time of the visit, viewed pages and files, amount of time spent on particular pages, IP address, device type, browser type and language, operating system, system configuration data, referring URLs, carrier and country location, hardware and processor information.
Information from cookies and trackers	Use of the Platform, compile reports on activity, demographic data, analyze performance metrics, Services usage
Other personal information	environmental conditions, triggers, geolocational information, tagging data, favorites, preferences, session lengths

⁽¹⁾ Cookies are small packets of data that a website stores on your computer’s or mobile device’s hard drive so that your computer will “remember” information about your visit.

⁽²⁾ These data are necessary for the proper functioning of Respi.me, as well as internal analytics purposes.

The provision of certain types of personal data may be necessary or optional, depending on your requests. Mandatory data will be marked as such at the moment of collection of your personal data. If you refuse to provide mandatory data, ADH may not be able to process your request (e.g., creation of your patients account, provision of the requested Respi.me’s service).

As data processor acting on the behalf of your medical center, ADH processes your personal data for the following purposes only:

Purposes	Examples of use of your Personal Data	Legal Bases
Creating and managing your Respi.me’s account	to create your patient account to enable you to sign in on Respi.me to provide you with the Respi.me’s services to enable you to update your patient account	Performance of the contract
Providing Respi.me’s services	to provide symptom management to facilitate Professional use of Respi.me in connection with your treatment and care. to receive medication reminders	Performance of the contract
Managing after-sales service (call support)	to contact you to answer your questions to solve your technical issues	Performance of the contract
Compliance with legal and regulatory obligations	to comply with legal and regulatory obligations (i.e for billing and/or health care reimbursement) to process your requests to exercise your rights	Legal and regulatory obligations to which your medical center is subject as data controller

As data controller, ADH processes your personal data for the following purposes only:

Purposes	Examples of use of your Personal Data	Legal Bases
Improving the Respi.me’s services	to evaluate and improve Respi.me to facilitate your use of Respi.me to take steps designed to protect the security of the Respi.me	Legitimate interest of ADH to improve Respi.me and the patient experience
Pre-litigation or litigation management	to take action against any identified breach to manage any dispute or litigation	Legitimate interest of ADH in defending its rights and interests
Compliance with legal and regulatory obligations	to comply with legal and regulatory obligations, in particular regarding the materiovigilance obligations to process your requests to exercise your rights	Legal and regulatory obligations to which ADH is subject as legal manufacturer
Sending monthly newsletters	provide regular and updated information on events and/or conferences related to a medical theme, or specific information on new medical advancements.	Legitimate interest of ADH in engaging and maintaining contact with users.

ADH will not sell or rent your Personal Data. Your personal data may be transmitted to the following recipients when you use Respi.me and the services it provides:

Recipients	Purposes
ADH and its duly authorized employees	Exclusively for the purposes detailed in the Section 5 of this privacy policy
Your medical center and its duly authorized employees	Exclusively for the purposes detailed in the Section 5 of this privacy policy
Companies of the ADH Group and their duly authorized employees	Exclusively for administrative, operational and technical purposes related to the management of Respi.me and its services
ADH' service providers(hosting provider, IT service providers, etc.)	Exclusively for operational and technical purposes related to the management of Respi.me and its services
Administrative or judiciary authorities	Exclusively in the case of an express and justified request or in case of an alleged violation of legal or regulatory provisions
Lawyers and all interested parties	Exclusively in the case of the management of possible disputes and other legal matters where appropriate
Other third parties	Following or during a restructuring, reconstitution, acquisition, debt financing, merger, sale of assets of ADH or a similar transaction, as well as in case of insolvency, bankruptcy or receivership where personal data are transferred to one or more third parties as assets of ADH

As far as possible, your personal data are processed within the European Union (EU)/European Economic Area (EEA). However, some of ADH’ service providers being located outside of the EU/EEA, your personal information may therefore be processed in third countries.

When your personal data are transferred outside the EU/EEA, ADH will, in the absence of an adequacy decision and after having carried out an assessment of the level of protection of your rights on the territory of the third country where the recipient of your personal data is established, implement all necessary measures through the adoption of appropriate safeguards (such as standard contractual clauses).

Name of the recipient	Third country	Adopted safeguards
ADH LLC	United States	Technical and organizational measures in place
AWS (Amazon Web Services, Inc.)	United States	Technical and organizational measures in place + covered by the Data Privacy Framework
Google LLC	United States	Technical and organizational measures in place + covered by the Data Privacy Framework
Apple healthkit	United States	Technical and organizational measures in place

If you have any questions or wish to exercise your rights, you may directly contact ADH by sending an email to informationgovernance@aptardigitalhealth.com.

• you can request the access to your personal data in order to obtain clear, transparent and understandable information on how ADH processes your personal data and on your rights (as provided in this policy), as well as a copy of your personal data (you can access certain information relating to your account (name, contact information and preferences) by signing into your account and going to the “PROFILE” section of our mobile or web application).
• you can request the rectification of your personal data in order to obtain the modification of your personal data if they are obsolete, inaccurate or incomplete.
• you can request the closure of your online account. If you close your account, we will no longer use your online Personal Information or share it with third parties. ADH may, however, retain a copy of the information for legal purposes and to avoid identity theft or fraud.
• you can request that the processing of your data be restricted. This means that your data will no longer be used, but will be retained for legal purposes, for example.
• you may object at any time, on grounds relating to your particular situation, to the processing of your personal data. We will then cease all processing unless there are compelling legitimate grounds for the processing which override your interests and rights and freedoms, or for legal purposes.
• you can decide to withdraw your consent so that your personal information is not used or shared for certain purposes, for example for marketing purposes.
• you have the right to receive your information in a structured and readable form so that you can pass it on to a new data controller of your choice.

Under certain circumstances, ADH may ask you for specific information in order to confirm your identity and ensure the exercise of your rights. This is another appropriate security measure to ensure that personal data is not disclosed to an individual who does not have the right to receive it.

If needed, you may also lodge a complaint with your national data protection authority (ICO). This right may be exercised at any time and free of charge, at the exclusion of potential postal fees or expenses related to legal representation or assistance should you choose to engage third party assistance for the procedure.

You may:

-         directly use the ICO complaint form on the ICO web portal

-         Start a live chat or call ICO helpline on 0303 123 1113

-         Print and mail the completed complaint and consent forms to:

          Customer Contact, Information Commissioner’s Office,

          Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.

-         Email the completed complaint by email to casework@ico.org.uk

 

 

ADH has implemented technical and organizational measures in order to protect your personal data, in particular against potential data breaches likely to cause, either by accident or unlawfully, the destruction, loss, modification, unauthorized access or divulgation of your personal data. These measures will guarantee a level of security adapted to the data and will take into account the state of the art and the cost of implementation in relation to the risks and nature of the data to be protected.

In particular, your health data are stored on servers operated by duly certified hosting providers (“HDS”). This is a French-specific certification standard mainly based on the ISO 27001 standard on the management of information security systems.

ADH also guarantees that all members of its personnel and any other person processing your personal data will respect the internal rules and procedures related to the processing of personal data, including the technical and organizational security measures put in place to protect your personal data. In this context, ADH reviews and updates its practices regularly to enhance your privacy and ensure that its internal policies are followed.

However, even with these safeguards, ADH cannot guarantee, ensure, or warrant the security of any information you transmit to us. There is no guarantee that information may not be accessed, disclosed, altered, or destroyed by breach of any of our physical, technical, or managerial safeguards. It is your responsibility to protect the security of your login information. Please note that e-mails and other communications you send to informationgovernance@aptardigitalhealth.com are not encrypted, and we strongly advise you not to communicate any confidential information through these means.

If you have found a vulnerability or would like to report a security incident, you may send an email to informationgovernance@aptardigitalhealth.com or use the dedicated message service available through the App.

Respi.me mobile and Dashboards are hosted and managed on servers located within the United Kingdom. By using and accessing Respi.me, you agree and consent to the transfer to and processing of Personal Information on servers located in the United Kingdom, even when you travel outside the United Kingdom, and you recognize that the protection of such information may be different than required under the laws of any location that you visit.

As a general rule, your personal data will only be retained for the period necessary for the accomplishment of the purposes for which said data was collected, or as necessary to fulfill legal or regulatory obligations.

In the absence of applicable exceptions:

• the personal data processed in order to comply with ADH’ materiovigilance obligations will be kept one (1) year following the completion of the study.
• your traffic data will be kept for a period of thirteen (13) months from the connection date.

This Privacy Policy may be amended from time to time, in particular to reflect the changes in the services provided by Respi.me or the applicable regulations. Any revised version of the Privacy Policy will be posted on this page and at other places deemed appropriate.

If you have any questions, concerns, complaints or suggestions regarding our Privacy Policy or otherwise need to contact us, please email our Data Protection Officer at informationgovernance@aptardigitalhealth.com or use the dedicated message service available through the App.

In the event of a dispute, you may lodge a complaint with the UK data protection authority (ICO) as described in section 8.