Privacy policy
Last Updated: November 15, 2024
The protection of your privacy is a top priority for ndd Medical Technologies (“ndd” or “we”). We are committed to looking after your personal data in a responsible manner when you access our services or when you visit our homepage and browse our sites. We collect and process your data in accordance with legal provisions, in particular those of the California Consumer Privacy Act (“CCPA”), the Swiss Data Protection Act and the European General Data Protection Regulation (“GDPR”).
This Privacy Policy applies to the processing of personally identifiable information (“Personal Data”) collected by us when you:
· Use our cloud-based services on nddCloud;
· Visit this website or our offices;
· Register for events;
· Request additional information; or
· Send or receive communications to or from us, including emails, phone calls, chat dialogue, texts or fax.
“Personal Data” can include information such as your name, date of birth, email address, postal address, phone number, mobile number, information about the device you use, and information relating to your personal circumstances and how you use our sites and services. The online services we provide include our nddCloud services, our website, all functions and contents connected with our website, including the live chat function, as well as related external online platforms (such as our social media profiles). For the purpose of this policy, we will refer to all of these collectively as “online services.” With regard to the terms used in this policy, e.g., “processing” or “controller,” we refer to the definitions in the GDPR.
This Privacy Policy informs you of the following:
· What Personal Data is collected from you, how it is used and with whom it may be shared.
· What choices are available to you regarding the use of your Personal Data.
· The security procedures in place to protect against the misuse of your information.
· How you can correct any inaccuracies in the information.
What Personal Data We Process
· general information (e.g., your name and postal address)
· contact information (e.g., your email address and telephone number)
· health information about yourself, if you choose to provide it
· health information about your patients or clients submitted to nddCloud by you or your patients or clients (e.g. lung function test results)
· data relating to content provided by you (e.g., text, chat content)
· your browsing history on our sites (e.g., websites you visited, contents you viewed, access times)
· metadata or communication data (e.g., information relating to your device, such as your IP address).
Whose Data We Process
We process the data of visitors and users of our online services (referred to as “users”). Individuals may submit their Personal Data to us as users of our website and as medical professionals using the nddCloud. This information is generally limited to contact information, browsing history and metadata.
Separately from our general website, we process Personal Data in the form of medical test results submitted to our nddCloud. nddCloud is licensed by medical practices, hospitals, surgical facilities or other health care organizations that subscribe to our nddCloud service (called our “Subscribers”). If you are an individual patient whose medical practitioner directed you to use an ndd testing device, and your personal test results or other Personal Data were transmitted to the nddCloud, you are not the “user” as that term is used throughout this Privacy Policy. In that situation, if not stated otherwise in this Privacy Policy or in a separate disclosure, we process your Personal Data in the role of a “data processor” or “service provider” to the Subscriber (medical practitioner) that is legally responsible for the collection and use of the Personal Data concerned, taking direction from the Subscriber. We are not responsible for the privacy and data security practices of our Subscribers, which may differ from those set forth in this Privacy Policy.
Why We Process Personal Data
We use the information:
· to provide the nddCloud services and other medical system offerings
· to provide, maintain and enhance our other online services
· to respond to queries and communicate with users
· to ensure safety
· to measure reach and to carry out marketing analysis
Legal Grounds for Using Personal Data
We process Personal Data lawfully, in a transparent manner and in accordance with individuals’ rights (as applicable). The use of information collected through our online services will be limited to our legitimate interests, where we have considered these are not overridden by your rights, or based upon your informed consent.
We aim to process only adequate, accurate and relevant data limited to the needs and purposes for which it is gathered. We also aim to store data only for the time period necessary to fulfill the purpose for which the data is gathered. We only collect data in connection with a specific legitimate purpose and only process data in accordance with this Privacy Policy.
We may share information about you for legal, safety, and security reasons. We may share information about you if we reasonably believe that disclosing the information is needed:
· to comply with any valid legal process, governmental request, or applicable law, rule, or regulation.
· to protect the rights, property, or safety of us, our users, or others.
· to detect and resolve any fraud or security concerns.
Security of Your Personal Data
We have implemented appropriate technical and organizational measures to protect Personal Data adequately. We have done so specifically by taking into account the state of the art, the costs of implementation, the nature, scope, context and purpose of our processing your Personal Data, as well as the various risks to your rights and freedoms.
We protect the confidentiality, integrity and availability of your Personal Data (which includes Personal Data of your patients or clients submitted to the nddCloud service by you or under your supervision or direction) in a number of ways: e.g., by controlling physical access to where the data are stored; by controlling the means to access, enter and transfer them; by ensuring the data are indeed available to authorized persons when needed; and by ensuring that appropriate means to separate the data from direct identifiers are available (e.g. to allow pseudonymization). Pseudonymization, as defined by the GDPR, is the processing of Personal Data in such a manner that the Personal Data can no longer be attributed to a specific data subject without the use of additional information that is kept separately. Furthermore, we have established procedures which allow us to observe the rights of data subjects adequately, to delete data as needed and to act appropriately when data appear to be threatened. We integrate the necessary safeguards to protect your data both at the time of the determination of the means for processing them and at the time of the processing itself. We do so by taking into account data protection requirements early on, i.e., even as we develop or select the hardware, software and technologies we intend to use for our services.
Collaboration With Other Processors and Third Parties
We will only grant access to, disclose or transfer Personal Data to other persons or companies (processors or third parties) where we have legal grounds to do so. In every case, when applicable, the legal grounds will be one referred to in the CCPA and the GDPR, which includes the following: you have given consent to the transfer or you have requested it, the processing is necessary in order to comply with a legal obligation, or our legitimate interests require it (e.g., when we employ other processors or use web hosts to deliver our services).
When we engage third parties to process Personal Data for us or for you (by means of what is commonly referred to as an “order processing contract”), we do so in compliance with the CCPA and the GDPR.
We will not sell or rent your Personal Data to anyone. We may share your Personal Data with the following selected third parties:
· our website hosting and operating suppliers located in the US, which store your Personal Data in the US and other countries, to enable us to operate our website and deliver web content to you and who enable you to conduct certain activities on our website, such as downloading a document;
· our data processor suppliers for nddCloud services, based in the US, which store your Personal Data in the US and other countries, to enable us to provide data transmission services;
· health care organizations which will request Personal Data, specifically lung function test data from nddCloud, in order to provide treatment and diagnosis services for your patients or clients, and subject to your request or informed consent;
· our analytics and search engine providers, located in the US and other countries, which store your Personal Data in the US, the EU and other countries, to assist us in the delivery, improvement and optimization of the website;
· the provider or providers of remote software hosting services that we engage to host our software, which may store Personal Data in the US, EU, UK and other countries depending on the location from which you are accessing the software and whether you have authorized storage of your Personal Data in that location, if you are a user of our services;
· (unless you opt out) our marketing partners located in the US, UK and EU, which store your Personal Data in the US, UK, EU and other countries, provided that we will not share any medical or health information for these purposes;
· our third-party partners for the ndd website that may access your Personal Data include:
Cloudflare network:
· Hosting: Cloudflare Pages
· Media Storage: Cloudflare R2
· Global distribution: Cloudflare CDN
Third-party services loaded on all pages:
· Plausible
· Intercom
· GA4 (opt-in consent required)
· Microsoft Advertising Tag (opt-in consent required)
· Marketo Tracking (opt-in consent required)
Additional third-party services on forms and landing pages only:
· Marketo forms
· FormAssembly (iframe embed)
· Our cloud service provider for nddCloud services (part of EasyOne Mobile App) is:
Microsoft Azure
· in individual instances, professional advisers acting as processors or joint controllers including lawyers, bankers, auditors and insurers based in countries in which we operate who provide consultancy, banking, legal, insurance and accounting services, and to the extent we are legally obliged to share or have a legitimate interest in sharing non-medical Personal Data; and
· if we are involved in a merger, reorganization, dissolution or other fundamental corporate change, or sell a website or business unit, or if all or a portion of our business, assets or stock are acquired by third party, with such third party. In accordance with applicable laws, we will use reasonable efforts to notify you of any transfer of Personal Data to an unaffiliated third party.
Because we value your privacy, we have taken the necessary precautions to be in compliance with the CCPA. We therefore will not sell your Personal Data to outside parties without your consent. You have the right not to receive discriminatory treatment by the business for the exercise of the privacy rights conferred by California law.
International Data Transfer
When you interact with our English-language online services, your Personal Data is stored in the United States. Your data may be transferred outside of the United States if you initiate a service or support request while using an ndd device.
If we transfer Personal Data from the European Union (EU) or the European Economic Area (EEA) to a third country (i.e., outside of the EU or EEA), we only do so on legal grounds. Your Personal Data may need to be transferred when we process information in a third country, when we use services provided by third parties, or when we disclose or transfer Personal Data to third parties. In every case, the legal ground will be one of the following: the transfer is necessary for us in order to comply with contractual or with legal obligations, you have given consent or instructions, or our legitimate interests require it. Subject to legal or contractual permission, we allow Personal Data submitted to us in the EEA to be processed in a third country only if the conditions laid down in the GDPR are complied with.
“Malicious actors” are persons or organizations who intentionally cause harm to ndd online services or to users of ndd’s online services through breach of user data privacy or security. ndd is entitled to exchange its customers’ Personal Data with its affiliates and third parties in order to document, analyze and prevent cases of fraud and instances of “malicious actors”, and to process the Personal Data relating to these actions.
If you have harmed or injured other customers, ndd can also disclose your non-medical Personal Data and information in connection with the harm and injury to other third parties (e.g. the authorities, harmed persons and insurance companies).
The legal basis for this data processing is Art. 6(1)(a) and (f) GDPR.
Your Rights with Regard to Personal Data
When we receive information directly from visitors to the website who are citizens or residents of countries in the EEA, that information is likely to include “personal data” as regulated by the GDPR. As the recipient of this information (generally just contact information), we are a “data controller” under the GDPR. As such, we will use that information only for the limited purpose of providing information about our products and services until the person who submitted the information no longer wishes that to occur, and anyone who submits Personal Data to the online services consents to our use of that data for those purposes.
Data subjects’ rights
As mandated by the GDPR, you can contact us with regard to the following rights in relation to your Personal Data:
· If you would like to have a copy of the Personal Data we hold regarding you or your patient(s), or if you think that we hold incorrect Personal Data about you or your patient(s), we will honor your request.
· Where you have provided us with consent to use Personal Data, you can withdraw this at any time.
· You also have the right to ask us to delete your Personal Data or restrict how it is used. There may be exceptions to the right to erasure for specific legal reasons which, if applicable, we will set out for you in response to your request. Where applicable, you have the right to object to processing of your Personal Data for certain purposes.
If you want to make any of these requests, please contact us using the contact information provided below.
We are committed to working with you to obtain a fair resolution of any complaint or concern about privacy.
Transfer of personal information
Whenever we transfer your Personal Data from the EEA to a location outside of the EEA, we put in place at least one of these safeguards:
· We will only transfer Personal Data to countries that have been found to provide an adequate level of protection for Personal Data.
· We may also use specific approved contracts with our service providers that are based in countries outside the EEA. These contracts give Personal Data the same protection it has in the EEA.
We may transfer Personal Data from the EEA to the United States of America for the following reasons:
· To store Personal Data
· To communicate with you
· To monitor the behavior of visitors to the online services
· To provide you with nddCloud services, particularly for data transfer between ndd medical systems and your healthcare providers.
California Consumer Privacy Act Compliance
Because we value your privacy, we have taken the necessary precautions to be in compliance with the CCPA. We therefore will not distribute your Personal Data to outside parties without your consent.
Modification or deletion of Personal Data gathered through nddCloud
If your Personal Data has been submitted to us by or on behalf of a Subscriber and you wish to exercise any rights you may have under applicable data protection laws, please inquire with the Subscriber directly. If you wish to make your request directly to us, please provide to us the name of the Subscriber who submitted your data to us. We will refer your request to that Subscriber, and will support them as needed in responding to your request within a reasonable timeframe. Upon request, we will provide Subscribers with information about whether we hold any Personal Data collected from them and their patients.
If you are a user of our online services, including nddCloud, you may have a legal right under certain applicable laws (for instance if you are residing in the EEA or in California, as applicable) to receive, rectify, erase, and restrict Personal Data about you that is held by us, to object to processing and, if processing occurs based on consent, to withdraw your consent. Users of our online services may also have the right to withdraw consent for processing for statistical and research purposes and in some cases (subject to applicable laws) to request cessation of any collection of Personal Data. We will never discriminate against any person based on his or her exercising of their rights hereunder.
If, for any reason, you wish to modify, delete or retrieve your Personal Data collected through the online services and are entitled to do so under applicable laws, you may do so by contacting us at the address detailed below. We will first verify that you are an individual entitled to retrieve the specific information requested, and will then ask you for identifying details applicable to the requested Personal Data (for instance the IP address and the time at which the information was uploaded to our servers; an IP address alone is not sufficient to identify a user or their data). We will make efforts to respond to a request within 30 days or as required under applicable law; however, deletion of data may take longer (see below).
Please note that Personal Data may be either deleted or retained in an aggregated manner, without being linked to any identifiers or Personal Data, depending on technical and commercial capability.
For any request or question regarding deletion or amendment of Personal Data, you can contact our Data Protection Officer at the contact details listed below, and we shall make efforts to respond and support your request within no more than 30 days.
The Information gathered through the online services shall not be retained longer than legally permitted.
Opting Out
You may opt out of receiving future communications from us by sending us an email at the address below under “How to Contact Us.” You may also opt out of receiving commercial e-mail from us, or other target advertising, by following the instructions in each email.
Use of Cookies and Your Right to Opt Out from Direct Marketing
Cookies are small text files that are placed on your computer or mobile device by the websites you visit. They are able to record various types of data. A cookie is used primarily to store information about the user (or about the user’s device on which the cookie is set) during or after the user’s browsing of a particular website. Temporary cookies, also called “session cookies” or “transient cookies,” are created temporarily while you are visiting a website. They are deleted once you leave the site or close your browser. Typical examples of such cookies are the online shopping cart feature or your login status. “Permanent” or “persistent cookies,” on the other hand, remain stored by your browser even after you have closed it. This allows the website to, for example, store your login status for several days and to remember it when you access the website again. Such cookies are also used to store information reflecting your interests, which can be used for reach measurement and for marketing purposes. The term “third-party cookie” refers to cookies placed on your device by a website other than the one you are actually visiting (cookies created by the website you are visiting are called “first-party cookies”).
We may use temporary as well as permanent cookies in the manner described in this privacy policy.
If you do not want cookies to be saved on your device, you can set your browser to remove or reject cookies. You can do so by changing the settings of your browser. The drawback of disabling cookies in your browser is that certain features and services may not function properly for you.
You can opt out from receiving personalized advertising. Personalized advertising (also known as “interest-based advertising”) enables advertisers to reach users based on their interests. You can opt out of interest-based advertising, particularly with regard to tracking technologies, through the US website http://optout.aboutads.info/choices or the EU website http://www.youronlinechoices.com/. Tracking technologies follow and record your digital habits. They are used by providers to, e.g., understand how you navigate their websites and to determine which of their messages you open. It is also possible to stop your browser from saving cookies altogether by changing your browser’s cookie settings. You can usually find these settings in the “options” or “preferences” menu of your browser. Please be aware that disabling cookies will mean that certain functions may no longer be available to you.
How Long We Keep Your Data
Personal Data collected for marketing activities is generally deleted as soon as the purpose of the activity has been met.
In the case of nddCloud services, some or all of users’ Personal Data and that of their patients will be deleted upon the Subscriber’s request. In addition, our retention of medical information is governed by federal law, and to the extent applicable law or our agreements with Subscribers require different retention and deletion policies, we will comply with applicable law and our agreements with Subscribers. After expiration of the applicable retention periods, Personal Data will be deleted. If there is any data that we are unable, for technical reasons, to delete entirely from our systems, we will put in place appropriate measures to prevent any further use of such data.
How to Contact Us
If you have questions or concerns about this Privacy Policy, or our collection and use of your Personal Data, you are welcome to send us an email or otherwise contact us at the following address and we will make an effort to reply within a reasonable timeframe. You may contact us through our Data Protection Officer, by email at [email protected]; by telephone at +41 44 512 65 00; or by postal mail at ndd Medizintechnik AG, Technoparkstrasse 1, CH-8005 Zürich, Switzerland, attention IT Manager.
E.U. residents have the right to lodge a complaint with a supervisory authority (Data Protection Authority in your jurisdiction) in case of a breach of any EU data protection and privacy regulations. If the supervisory authority fails to deal with a complaint or inform you within the time frame set under applicable law, you have the right to an effective judicial remedy.