PRIVACY POLICY WITHINGS – HEALTH MATE

YOUR PRIVACY AT THE HEART OF OUR SOLUTIONS

We thank you for your trust and do our best to honor it. We process the personal data you entrust to us to help you improve your health with the utmost care. Respect for privacy is a core principle that we place at the heart of our strategy for developing our Products and Services. We are committed to a process of continuous improvement to ensure the utmost respect for your personal data. If you have any questions, please contact us.

THE SECURED HOSTING OF HEALTH DATA, OUR DAILY PRIORITY

We pay maximum attention to the security of the hosting of your health data. We apply demanding regulations and standards. Thus, in addition to our compliance with the GDPR, we are certified ISO 27001 and HDS (Health Data Hosting) which allows us to provide you with the same level of security as health professionals. We host health data on our certified health data processing platform, whose servers are located in France, at a European operator (BSO).

GLOBAL AND UNIFORM APPLICATION

This Policy applies uniformly to all Users of the WITHINGS Health Mate application, regardless of where you live. We take into consideration the regulations on the protection of personal data applicable to the markets in which WITHINGS sells its Products and Services.

SUMMARY

I. A FEW KEY CONCEPTS

The personal health data you entrust to us is sensitive data that we process in accordance with identified legal bases and with the highest security standards.

II. SOURCE OF THE PERSONAL DATA WE PROCESS

Personal Data is collected when you visit our website, use our Products and Services, browse on the application and contact customer support.

III. YOUR CONSENT

Your consent is collected in specific cases. You may withdraw it at any time.

IV. PROCESSING PERSONAL DATA

We process all Personal Data (as identified below) for a specific purpose and on an identified and necessary legal basis. We retain Personal Data for a specified period of time.

V. DATA RETENTION

When you use the Products and Services in Europe, your Personal Data is hosted in France and Health Data is not transferred outside the EEA.

VI. EXERCISING YOUR RIGHTS

You can exercise your rights under GDPR by contacting us at [email protected]. You may also file a complaint with the data protection supervisory authority.

VII. APPLICATION OF THE PRIVACY POLICY

This Privacy Policy tells you how we collect and use personal data about you when you use our Products and Services. This policy is part of our Terms of Service. Parental permission is required to create a Health Mate account.

VIII. PATIENT PRIVACY POLICY

Specific provisions regarding the collection and use of your Personal Information, its security and sharing with third parties apply to you if you use our Remote Patient Monitoring ("RPM") services.

I. A FEW KEY CONCEPTS

This Privacy Policy applies to the use of the Health Mate application published by WITHINGS. Health Mate is a free application (web and mobile) that focuses on three areas: (i) health monitoring, (ii) motivation maintenance, (iii) installation of WITHINGS products. The Health Mate app can be used alone or in conjunction with our products. The personal health data you entrust to us is sensitive data that we process in accordance with identified legal bases and with the highest security standards.

1.1. Personal Data relating to you

« Anonymized Data » means data resulting from the processing of personal data in such a way as to prevent the identification of the data subject in an irreversible manner, taking into account the techniques that can reasonably be implemented.

« Pseudonymized Data » means Personal Data that is not directly linked to a natural person without the use of additional information.

« Personal Data » means any information relating to an identified or identifiable individual. This includes all kinds of information: last name, first name, postal address, e-mail address, etc. It also covers the notion of Personally Identifiable Information (PII) provided for by the American regulation.

« Health Data » means personal data relating to your past, present or future state of health (physical or mental). Health Data is particularly sensitive data and is therefore subject to special protection measures.

1.2. GDPR Glossary

GDPR means the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council dated 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. WITHINGS applies the GDPR all over the world.

Legal basis designates the basis on which the Data controller may process personal data (including consent, performance of a contract, legitimate interest, safeguarding vital interests, legal obligation).

Legitimate interest means the pursuit of the essential mission of the Data controller (WITHINGS processes non-identifying data to improve research on the basis of the legitimate interest).

II. SOURCE OF THE PERSONAL DATA WE PROCESS

Personal Data is collected when you visit our website, use our Products and Services, browse on the application.

2.1. Our website. Regarding the data collected on the website of WITHINGS, please refer to our Cookies Policy.

2.2. Use of Products and Services. The use of our Products and Services results in the creation of personal data in the following cases.

a. Account creation. When you create a WITHINGS account, you fill in personal data relating to your identity, such as your name, surname(s), age, email address. This account allows you to access the Personal Data generated during the use of the Products and Services, and it also allows you to modify certain data.

b. Use of our Products and Services. When you use our Products and Services, Personal Data is collected (such as number of steps, distance traveled, calories burned, weight, heart rate, sleep patterns, minutes of activity, and in some cases your location). The data collected will depend on the device you use and how you use it. You may consult the Privacy User Guide to learn about all categories of Personal Data processed by the Product.

c. Partner Applications. When you connect your HEALTH MATE account with third-party applications or products, data from HEALTH MATE will be synchronized with those applications. WITHINGS may also collect data from these third-party applications or products to improve your experience and our Services. You should review the privacy policies of these third-party applications, as our Privacy Policy only applies to our Products and Services.

d. Customer Support. When you contact customer support, certain Personal Data relating to your WITHINGS account may be momentarily accessible by our teams depending on the problem encountered, such as data relating to the Products you use. No Health Data is accessible to our customer support staff without your prior consent.

e. Event tracking. Some Personal Data is collected automatically when you use the Products and Services, including through the use of tracking devices. We collect technical information such as: IP addresses, language, operating system, location (as authorized by you), and smartphone information (model, version…).

III. YOUR CONSENT

Your consent is collected in specific cases. You may withdraw it at any time.

3.1. COLLECTION OF YOUR CONSENT. We collect your consent to process Personal Data for:

3.2. WITHDRAWAL OF YOUR CONSENT. At any time, you can withdraw your consent. To do so, simply:

IV. PROCESSING PERSONAL DATA

4.1. NECESSITY OF PROCESSING. We collect Personal Data from you in order to fulfil the different purposes listed below. If you do not wish to provide it, you will not be able to access certain parts of the Products and Services, or services offered by our customer support.

4.2. LIST OF PROCESSING.

A) USE OF OUR PRODUCTS AND SERVICES

1. Purchase and delivery of your WITHINGS products and services via our website

2. HEALTH MATE account creation

3. Graphic presentation of your Data, including Health Data, via HEALTH MATE

4. Optional sharing of Personal Data with third-party applications

5. Display of the path taken via the Health Mate application during an activity

6. Weather display on scales

7. [UNITED STATES ONLY]: Activation of the ECG functionality on ScanWatch

B) COMMUNICATION & SUPPORT

1. Marketing Communication

2. Improvement of the navigation on the Site

3. Customer support

4. Feedback on the Customer support experience

C) SECURITY AND EXERCISING YOUR RIGHTS

1. Activation of two-factor authentication (2FA)

2. Prevention and fight against computer fraud and cyberattacks

D) RESEARCH & DEVELOPMENT

1. Sending out "Research Questionnaires" and analyzing the responses received

2. Anonymization of data for research purposes

3. Product and Service Improvement (including algorithm performance improvement and statistics)

4.3. DATA SHARING. We only share such data in circumstances described below:

a. Your control over the Data. You may ask us to disclose information to others, such as when you use our community features like forums or programs that require sharing with third parties. You can change your choices at any time by changing your account settings or by visiting our Help Center.

b. Internal and Legitimate Sharing. Personal Data may be processed by the employees of WITHINGS SAS and its subsidiaries, within the limits of their respective responsibilities and exclusively for the purposes described in this Policy.

c. Use of our subcontractors. We share certain Data with subcontractors, who are experts in their field, in order to supply the Products and Services. Our subcontractors are required to comply with the GDPR. They process the shared Data only for the intended purpose. Our subcontractors help us to provide you with high quality products and services; please find the list of subcontractors here.

d. Use of ScanWatch in the United States. WITHINGS may share certain personal information (name, date of birth, email, address, phone number) with Heartbeat Health, a U.S. company, which provides you with services such as the prescription necessary for the ECG functionality of the device, the organization of teleconsultations with our health professional partners, the provision of advice on your health. Your consent to receive text messages from Heartbeat Health is required to activate the ECG functionality on your device. Please see Heartbeat Health's privacy policy for more information.

e. Legal reasons. We may share Personal Data relating to you when required by law, upon request of a court, in connection with a legal proceeding, or if we believe in good faith that disclosure is reasonably necessary to (a) investigate, prevent, or take action regarding suspected or actual unlawful activities, or to assist public authorities; (b) investigate and defend against any third-party claims or accusations; or (c) protect our Services’ security or integrity. We will notify you of any legal proceedings that require access to your Data, unless we are prohibited by law from doing so. Where a court order specifies a period of non-disclosure of the request to data subjects, we will send you a deferred notification after the non-disclosure period has expired.

V. DATA RETENTION

5.1. RETENTION PERIOD. The retention period indicated in the list of processing operations depends on the type of data, the purpose or our legal obligations. If you ask us to do so, WITHINGS will delete your data from its servers and will ask its subcontractors involved in the processing to perform the same operation. We use subcontractors to manage backup data. This data will be used in case of operational problems to ensure the continuity of our services and products. Please note that, for security reasons, we are not able to reflect the deletion or modification of data on backups already made, in order to protect the integrity of the backup data.

5.2. ANONYMIZED DATA. WITHINGS may anonymize your data in accordance with the applicable security standards and regulations. Once anonymized, it no longer identifies you and is no longer Personal Data. WITHINGS uses the data in this form to participate in research projects.

5.3. DATA SHARED WITH THIRD PARTIES. If you have chosen to share your data from WITHINGS Products and Services with third parties, we cannot ensure the deletion or anonymization of such data. We invite you to contact the third party for more information.

VI. HOSTING, TRANSFER AND SECURITY OF DATA

Your Personal Data is hosted in France and Health Data is not transferred outside the EEA. However, other data may be transferred to our partners located outside the EEA. WITHINGS will take several steps in the event of a data leak.

6.1. HOSTING IN EUROPE. Our Services are provided by our Platform certified for the processing of health data via a European host located in France. The processed Health Data are not transferred outside the territory of the European Economic Area.

6.2. SUBCONTRACTORS. Other data may be communicated with partners located outside the European Economic Area for specific purposes (such as telecommunication or security of banking transactions). The list of our subcontractors is available here.

6.3. SECURITY. We invite you to consult our dedicated page.

VII. EXERCISING YOUR RIGHTS

You may exercise your rights by contacting us at [email protected].

7.1. YOUR RIGHTS. You may exercise the following rights independently or with our assistance.

a. Right of Access. You can access the Personal Data about you processed, collected or stored by WITHINGS. You can find this information directly from your account or via Customer support.

b. Right of rectification. If you find that the data about you is inaccurate, you have the right to request its correction. Some personal data can be changed directly from your HEALTH MATE account.

c. Right of Limitation and Right to Object. If you find that any data about you is inaccurate, you may ask us to stop processing that data until the situation is corrected. You may also ask Us to stop processing Data relating to you.

d. Right to Erasure. You may request the deletion of Personal Data relating to you. We will assist you in deleting Personal Data via your account or Customer Support.

e. Right to Portability. You may request that we send you the Personal Data relating to you so that you can share it with another company. Details on how to exercise your right to portability are available in our Help Center, under the Data Import and Export section.

7.2. ASSISTANCE IN EXERCISING YOUR RIGHTS.

You may exercise your rights at any time by writing to [email protected]. Proof of identity may be requested if we have no other way to verify that you are the owner of the account to which the data relates. WITHINGS processes all requests that are not excessive in nature within the time limits set by the GDPR.

7.3. ASSISTANCE OF THE CNIL.

In case of dispute, you have the right to file a complaint with the Commission Nationale de l'Informatique et des Libertés (CNIL) whose headquarters are located at 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 7.

VIII. PATIENT PRIVACY POLICY

Specific provisions regarding the collection and use of your Personal Information, its security and sharing with third parties apply to you if you use our Remote Patient Monitoring ("RPM") services.

8.1. SCOPE OF APPLICATION

a. Applicability to Patient Users. We also collect and use the Personal Data relating to you when you use the Health Mate application as part of the WITHINGS remote patient monitoring (« WRPM ») services. This Privacy Policy, as well as the following specific provisions ("Patient Privacy Policy"), applies to Personal Data that We collect from Patient Users.

b. Patient Users Terms of Use. This Patient Privacy Policy is part of the WITHINGS Patient Users Terms of Use available here. By accessing or using our Patient Users Services, you acknowledge that you have read and agree to the applicable Terms of Use. If you do not agree, you must cease using our Patient Users Services. We will notify you if there are any material changes to Our Patient Privacy Policy.

8.2. PATIENT USERS’ RIGHTS. Some information is sent by your healthcare professional and is therefore not directly under our control. Questions or concerns about your medical records or Personal Information provided to us by your healthcare professional should be directed to your healthcare professional. This information is not under the direct control of WITHINGS.

IX. GENERAL TERMS AND CONDITIONS

The present privacy policy is subject to the General Terms and Conditions.

Updated on 23 Feb 2023.