Privacy Policy for End Users

Last updated: June 25, 2023

Who we are and what do we do?

We at Itamar Medical Ltd. (together with our affiliated companies Itamar Medical , we , us or our ) develop and operate proprietary medical devices and related mobile applications and web-based platforms for diagnosis and care management of sleep apnea (collectively our Products ). We provide such Products to our corporate customers and business partners, including hospitals, clinics, and healthcare professionals (collectively our Customer(s) ).

To whom does this policy relate?

This Privacy Policy for End Users ( Policy ) describes our privacy practices with respect to identified or identifiable information ( personal data or personal information ) relating to patients, physicians, and office administrators of our Customers who use the Products at our Customers direction ( Patient , Physician or Admin , respectively, and collectively End User or you ).

As further explained in Section 9 below, the responsibility for complying with most legal requirements applicable to a Data Controller (or a Covered Entity under the U.S. Health Insurance Portability and Accountability Act ( HIPAA )) with respect to your personal data processed by us, lies with our Customer typically, the organization providing you with healthcare services as a Patient, or by which you are engaged as a Physician or Admin. In other words, we process your personal data on your healthcare provider s instructions, and are not responsible for its privacy practices. Your healthcare provider may have additional privacy notices explaining its own specific privacy practices, in which case, we encourage you to read them.

Note that this Policy does NOT cover our processing of personal data relating to individuals who interact with Itamar Medical s assets outside the Products (such as our website visitors and business contacts) with regard to whom we act as a Data Controller. To learn more about our privacy practices regarding the personal data of such individuals, please visit our Privacy Policy for Website Visitors and Business Contacts.

Specifically, this Policy describes our practices regarding:


1.      Data Collection

2.      Data Uses

3.      Data Location

4.      Data Retention

5.      Data Disclosure

6.      Communications

7.      Data Security

8.      Your Rights

9.      Roles & Responsibilities

10.  Additional Notices & Contact Details


 

We respect your privacy and are strongly committed to making our practices regarding your personal data transparent and fair. Please read this Policy carefully and make sure that you fully understand it.

1.    Data Collection

We collect certain types of personal data regarding Patients, Physicians and Admins as instructed by the relevant Customer. Such data is typically generated automatically through your interaction with the Products; collected directly from the Patient or their Physician, including via a Patient screening questionnaire; or from third parties (including Service Providers, defined in Section 5 below) as may be instructed by the Customer who directed you to use our Products.

Specifically, depending on the Products you use and at your Physician s direction, we may collect the following categories of personal data about you:

        End User Profile: Full name, government-issued ID or social security number, Customer-issued Patient ID, gender, date of birth or age, PIN code, the Customer and clinic you are associated with, and the referring and interpreting Physician s medical specialty.

        Contact Details: Email address, home address, and mobile or landline phone numbers.

        Delivery Status: If your healthcare provider is enrolled in our WatchPAT Direct program, we may track the location and shipment status of the Product you were assigned in order to facilitate its delivery to you in time for your pre-scheduled sleep study date, and its return to us following use (in the case of reusable Products).

        Medical Data: This may include sensory data about your sleep patterns as collected through the Products (such as Peripheral Arterial Tone (PAT ) signal, heart rate, oximetry, body position, snoring, and chest motions); your or your Physician s responses to a Patient screening questionnaire regarding your sleep habits and overall health (such as medical history, medications, current or past treatment for high blood pressure, BMI, height, weight, neck size, sleepiness during daytime, and observed breath stoppage during sleep); and diagnostic inferences drawn from such data.

        Product Usage Data: When our U.S. Customers and their End Users use our Products, we collect certain data about such interactions. This includes technical and usage data transmitted by your mobile phone or computer, such as device type and operating system, app version, pages viewed within the app, date and time stamp, Patient screening questionnaire section, module, question and answer, as well as Customer clinic and Patient UUID (unique CloudPAT identifiers). We use such technical data to provide our U.S. Customers and their End Users with better customer support and to improve our services as they relate to such support activities.

        Mobile Phone Location: If you install our WatchPAT One or SleePATh mobile applications on a mobile phone that runs Android operating system 11 or lower, we will ask for access to your phone s location data. We only ask for such access because Google requires us to do so in order to enable Bluetooth scans on such phones. We will NOT access or use your location data in any way.

        Direct Communications with Us: If you reach out to us or our authorized Service Providers for technical or professional support, any personal data you may provide us during such communications will be processed by us. Depending on the instructions of the Customer you are associated with, this may include recordings and transcripts of calls, emails, form submissions, and chats with us, which we will process for technical support, sleep study analysis, training, recordkeeping, and legal-related purposes.

For the purposes of the California Consumer Privacy Act ("CCPA"), with regards to Physicians and Admins, End User Profile includes Identifiers and Professional or Employment-Related Information, Contact Details includes Identifiers, and Direct Communications with Us include Audio, Electronic, or Similar Information; and with regards to Patients who install or Products on phones that run Android 11 or lower, Mobile Phone Location includes Geolocation Data (on Android 9 or lower) or Precise Geolocation (on Android 10 or 11), which we will NOT use or disclose in any way. For added clarity, any other data relating to U.S. Patients that we collect as described above is governed by HIPAA and not by the CCPA. In the last 12 months, we have collected the above categories of personal data. We do not use or disclose sensitive personal information as defined by the CCPA beyond what is necessary to provide our Products and related services.

In any event, personal data processed via any of our Products and related support channels, will only be processed by Itamar Medical on behalf of your healthcare provider our Customer, in accordance with such Customer s instructions and as further agreed upon in our mutually executed Data Processing Agreement or Business Associate Agreement, any other agreements between us and the relevant Customer, and this Policy.

2.    Data Uses

In general terms, your healthcare provider may use our Products to process your personal data in order to improve sleep apnea diagnosis and management for its Patients, while offering its Physicians and Admins a secure and user-friendly interface for reviewing and analyzing sleep apnea data, monitoring Patient progress, making informed decisions, and providing effective treatment.

Itamar Medical may process your personal data as is necessary for the performance of our services, and to facilitate, operate and maintain the Products (all in accordance with the instructions provided to us by your healthcare provider in its role as a Data Controller or a HIPAA Covered Entity, as detailed in Section 9); to comply with our legal and contractual obligations; to provide you with customer service and technical support; and to protect and secure our Customers and End Users, our Products, and ourselves.

Additionally, as mentioned in Section 1 above, we will ask for access to your Mobile Phone Location if you install our Products on a phone that runs Android 11 or lower, for the sole purpose of enabling Bluetooth scans as required by Google.

We do not sell nor share your personal information for the intents and purposes of the CCPA.

3.    Data Location

Your personal data may be maintained, processed, accessed and stored by us and our authorized Service Providers (defined in Section 5 below) in different locations.

While privacy laws may vary between jurisdictions, Itamar Medical and its Service Providers are each committed to protecting your personal data in accordance with this Policy, customary industry standards, as well as appropriate lawful mechanisms and contractual terms executed by the relevant Customer, Itamar Medical and such providers, as required.

Itamar Medical maintains global offices and local representatives in various locations worldwide, including but not limited to Israel, the U.S., UK, EU, and Singapore. Your personal data may be accessed from any of those locations (or other locations as reasonably necessary for the Products activity) by Itamar Medical employees tasked with handling your healthcare provider s data.

The Service Providers we use to process your personal data on behalf of your healthcare provider, deemed our Sub-processors (or our HIPAA Business Associates, as further explained in Section 9 below), are typically located in the U.S. if your healthcare provider is based in the U.S. or in the EU or the UK if your healthcare provider is based elsewhere.

To the extent we transfer End Users personal data originating from the European Economic Area (EEA), the UK, or Switzerland to countries that are not considered as offering an adequate level of data protection by the relevant authorities, we and our relevant Service Providers rely on appropriate data transfer mechanisms as established under applicable law, such as the standard contractual clauses adopted by the EU (available here) or the UK (available here).

4.    Data Retention

We retain your personal data on behalf of your healthcare provider and in accordance with its instructions. We may retain some of your personal data after the termination of our engagement with your healthcare provider, to the extent reasonably necessary for us to comply with our legal and contractual obligations; to perform and enforce our agreements; and to resolve and protect ourselves against legal disputes all in accordance with our agreements with the relevant Customer, applicable laws and our data retention policies (where applicable).

Please note that except as required by applicable law or our specific agreements with your healthcare provider, we will not be obligated to retain your personal data for any particular period, and are free to securely delete, anonymize or restrict access to it for any reason and at any time, with or without notice to you.

If you have any questions about our retention practices as regards your personal data, please contact your healthcare provider.

5.    Data Disclosure

We may disclose your data to certain third parties, including law enforcement agencies and our Service Providers (defined below), in accordance with this Policy and as described below:

        Service Providers: We engage selected third-party companies and individuals to perform services complementary to our own. Such service providers may include, without limitation, hosting and server co-location services, communications and content delivery networks (CDNs), data and cyber security, package delivery and tracking services, customer support call centers, session, call or activity recording and analysis, remote access, performance measurement, customer management systems, and any other relevant service (collectively our Service Providers ).

These Service Providers may have access to your personal data, depending on each of their specific roles and purposes, and may only use the data for such limited purposes as determined in our agreements with them.

        Customers and their End Users and service providers: We may disclose your personal data to your healthcare provider (including data and communications concerning your End User Profile, Delivery Status, and Medical Data). In such cases, disclosing such data means that your Physician and/or your healthcare provider s Admins may access your data on behalf of your healthcare provider, and will be able to monitor, process, and analyze it. If so instructed by your healthcare provider, we may also disclose your personal data directly to third-party service providers engaged by your healthcare provider, or receive certain relevant data from your healthcare provider s account on the third-party provider s service.

        Legal compliance: In exceptional circumstances, we may disclose or allow government and law enforcement officials access to your personal data, in response to a subpoena, search warrant, or court order (or similar requirement), or in compliance with applicable laws and regulations. Such disclosure or access may occur if we believe in good faith that: (a) we are legally compelled to do so; (b) disclosure is appropriate in connection with efforts to investigate, prevent, or take action regarding actual or suspected illegal activity, fraud, or other wrongdoing; or (c) such disclosure is required to protect our legitimate business interests, including the security or integrity of our Products and related services.

        Protecting rights and safety: We may disclose your personal data to others if we believe in good faith that this will help protect the rights, property, or personal safety of Itamar Medical, its employees or stakeholders, any of our End Users or Customers, or any member of the general public.

        Itamar Medical affiliates and organizational changes: We may disclose your personal data internally within our group, for the purposes described in this Policy. In addition, if Itamar Medical or any of its subsidiaries or affiliates undergo any change in control or ownership, including by means of merger, acquisition, or purchase of substantially all or part of its assets, your personal data may be shared with the parties involved in such an event. If we believe that such change in control might materially affect your personal data then stored with us, we will notify you of this event and the choices you may have via any communication means available to us.

        Additional disclosures: For the avoidance of doubt, Itamar Medical may disclose personal data in additional circumstances, pursuant to your healthcare provider s or your own explicit approval, or if we are legally obligated to do so, or (where applicable) if we have successfully rendered such data non-personal, non-identifiable and anonymous.

For the purposes of the CCPA, in the past 12 months, we may have disclosed Physicians and Admins Identifiers, Professional or Employment-Related Information, and Audio, Electronic, or Similar Information, to our Service Providers, Customers and their End Users and service providers, law enforcement officials, our affiliates, and in the context of a change of control. We have not disclosed Patients personal information that is governed by the CCPA to any third party.

6.    Communications

We may contact you with important information regarding our Products. For example, we may call you on the phone or send you SMS or email notifications to encourage you to use a Product sent to you and offer assistance regarding its use. Your healthcare provider may also send you notifications, messages, and other updates regarding your use of the Products. Depending on the Customer with which you are associated, you may be able to control your communications and notifications preferences by contacting your healthcare provider. However, please note that you will not be able to opt out of receiving certain service communications which are integral to your use of the Products (like Product PIN code allocation).

7.    Data Security

We and our Service Providers implement and maintain systems, applications, and procedures to secure your personal data, and to minimize the risks of personal data theft, damage, loss, or unauthorized access to or use of such data. These measures provide sound industry-standard security. However, please be aware that regardless of any security measures used, we cannot and do not guarantee the absolute protection and security of any personal data stored with us or any third parties (as described in Section 5 above).

8.    Your Rights

You may have certain privacy rights under the laws that apply to you, including the EU or UK General Data Protection Regulation ( GDPR ), HIPAA, CCPA, the Virginia Consumer Data Protection Act, the Colorado Privacy Act, or the Connecticut Personal Data Privacy and Online Monitoring Act. Such rights may include the right to know or request access to specific pieces of personal data collected, categories of data collected and sources from whom it was collected, as well as the purposes of collecting it and categories of third parties to whom we have disclosed it; the right to request rectification or erasure of your personal data held with Itamar Medical; the right to restrict or object to the processing of such data; the right to port it; or the right to equal services and prices (e.g., freedom from discrimination) (each to the extent available to you under the laws that apply to you). If you wish to exercise your rights or to make any request or query with regard to your personal data we process on your healthcare provider s behalf, please contact your healthcare provider directly.

9.    Roles & responsibilities

Certain data protection laws and regulations, such as the EU and UK GDPR, CCPA and HIPAA, typically distinguish between two main roles for parties processing personal data: the Data Controller (or under HIPAA, the Covered Entity and under the CCPA, Business ), who determines the purposes and means of processing; and the Data Processor (or under HIPAA, the Business Associate and under the CCPA, service provider ), who processes the data on behalf of the Data Controller.

Your healthcare provider is the Data Controller (or Covered Entity or Business) of the personal data uploaded or submitted to the Products. Itamar Medical processes such data as the Data Processor (or Business Associate or Service Provider) on behalf of your healthcare provider, in accordance with its instructions, the Data Processing Agreement or the Business Associate Agreement mutually executed by us and your healthcare provider, and any other commercial agreements we have in place with your healthcare provider.

Our Service Providers (as defined in Section 5 above), in turn, are Sub-processors (or under HIPAA, our Business Associates) acting under our instructions.

Your healthcare provider is responsible for meeting any legal requirements applicable to a Data Controller (or a HIPAA Covered Entity or a CCPA Business). If you wish to make any requests or queries regarding our processing of your personal data on behalf of your healthcare provider, please contact your healthcare provider directly.

Itamar Medical assumes the role of Data Controller (solely to the extent applicable under law) with regard to your Mobile Phone Location (as defined in Section 1 above) and with regards to the processing relating to our website visitors and business contacts, as further elaborated in our Privacy Policy for Website Visitors and Business Contacts.

10.      Additional Notices & Contact Details

Updates and amendments: We may update and amend this Policy from time to time. The amended version will be effective as of the date it is published. If we believe any substantial changes are involved, we will provide prior notice via any of the communication means available to us. After such notice period, all amendments will be deemed accepted by you.

Our Products are not designed for underage children: We do not knowingly collect personal data from children and do not wish to do so. If we learn that a person who is underage according to the law applicable to them is using the Products, we will attempt to prohibit and block such use and will make our best efforts to promptly delete any personal data stored with us with regard to such a child (except for data that must be retained for legal purposes). If you believe that we might have any such data, please contact us by e-mail at [email protected].

Data Protection Officer: Itamar Medical has a Data Protection Officer (DPO), who monitors and advises on Itamar Medical s ongoing privacy compliance and serving as a point of contact on privacy matters for data subjects and supervisory authorities. If you have any comments or questions regarding this Policy, if you have any concerns regarding your privacy, or if you wish to make a complaint about how your personal data is being processed by Itamar Medical, you can contact our DPO at [email protected].

EU representative: Arazy Group GmbH has been designated as Itamar Medical s representative in the EU for data protection matters pursuant to Article 27 of the GDPR and may be contacted on matters related to the processing of personal data of individuals in the EU. To make such an inquiry, please send an e-mail to one of the following email addresses: [email protected], [email protected].

UK representative: Medes Limited has been designated as Itamar Medical s representative in the UK for data protection matters pursuant to Article 27 of the UK GDPR and may be contacted on matters related to the processing of personal data of individuals in the UK. To make such an inquiry, please send an email to one of the following email addresses: [email protected], [email protected].

Additional questions: If you have any comments or questions regarding this Policy, please contact your healthcare provider or Itamar Medical s support at [email protected], or our Data Protection Officer at [email protected].