Privacy Policy

1. Introduction

Empatica S.r.l. (“Empatica”), with registered office in Via Stendhal 36, 20144 Milan, Italy, which can be contacted at the email address privacy@empatica.com, explains how we collect, use, disclose and otherwise process the personal data collected through the Embrace watch and/or the E4 watch ("Device") and the Empatica applications (including but not limited to: the Research Portal, the Mate app, the Alert app, the E4 Manager, the E4 Real Time, the E4 Server) ("App") connected to the Device as purchased by the user (the "User") in order to provide the services (the "Services") offered by Empatica. This privacy policy does not apply to the Empatica website, located at www.empatica.com.

2. What and who does this privacy policy cover?

Empatica is the data controller of the personal data collected from the User through the Device and the App. The Device and the App are exclusively sold to researchers belonging to not-for-profit research institutions (like hospitals and universities) and for-profit research institutions (like pharmaceutical companies). For the purpose of this document, the User is the institution purchasing the Device to be used in a clinical and/or research study. For the scope of this document, the User agrees that Empatica does not have access to the final users wearing the Device, in accordance with regulations concerning medical research and clinical studies. The User also declares that only the User has access to the personal information of the people physically wearing the Device.

3. What kind of personal data does Empatica collect about the User?

Empatica collects the following categories of personal data:
  1. Service Registration. Empatica collects the name and contact details of the User.
  2. Other Information. Empatica does not collect personal data from people physically wearing the Device.

4. How does Empatica use the User's personal data?

Empatica processes the above-mentioned personal data of the User for the following purposes:
  a) the provision of the services available through the Device and the App, including the billing of the relevant fees, gathering activity information;
  b) the provision to the User of customer support and technical assistance, including the delivery of communications relating to the provision of the services through the Device;
  c) the measurement of the service quality and relevant metrics provided through the Device and the App;
  d) the management of complaints and disputes;
  e) the performance of the activities necessary to ensure compliance with the applicable national/EU laws and/or respond to requests from public and government authorities;
  (the purposes from letters a) to e) are jointly referred to as "Contractual Purposes")
  f) the performance of credit recovery procedures and credit assignment to authorized companies, also by means of third parties;
  g) the performance of tests, updates and developments of the Device, the App and more in general the services provided by Empatica, in order to optimize the services provided to the User also by way of machine learning systems and artificial intelligence, provided that the processing of personal data, albeit limited to the necessary, is essential in order to carry out such test activities;
  h) the performance of technical assessment and due diligence activities by third parties such as acquirers and/or their advisors for potential merger, sale of assets or transfer of all or a material part of its business;
  (the purposes of letters from f) to h) above are jointly referred to as "Legitimate Interest Purposes")
  i) the delivery of direct marketing communications concerning products and services of Empatica (e.g., sending of advertising materials, market research). The communications may be sent by both automated (e.g., SMS, MMS, fax, calling systems, email and web applications) and traditional (e.g., calls by human operators) means of contact;
  j) the delivery of marketing communications customized to the User's interests and needs by means of the channels of communication set out under letter i) above;
  (the purposes of letters i) and j) above are jointly referred to as "Marketing Purposes").

5. On what legal basis does Empatica process the User's personal data?

The processing of the User's personal data is necessary with regard to the Contractual Purposes as it is essential: Should the User not provide its personal data with regard to the Contractual Purposes, Empatica will not be able to provide the Services to the User. The processing of the User's personal data with regard to the Legitimate Interest Purposes as per Section 3 letters f) and h) is carried out in compliance with article 6, letter f) of the EU General Data Protection Regulation No. 679/2016 (the "Privacy Regulation"), for the pursuit of Empatica's legitimate interest, which is adequately balanced with the User's interest since the data processing is performed within the limits strictly necessary to perform such activities. This data processing activity with regard to the Legitimate Interest Purposes is not mandatory and the User can object to the data processing at any time through the modalities as per Section 10 of this privacy policy. Finally, the data processing with regard to the Marketing Purposes is based on the User's prior consent. Such data processing is not mandatory; however, should the User refuse to provide the relevant consent, the User will not receive marketing communications as per Section 4 letters i) and j) above. In any case, the User can withdraw its consent at any time through the modalities as per Section 10 of this privacy policy.

6. How does Empatica process the User's personal data?

The User's personal data will be processed electronically and/or manually, in any case in such a way as to guarantee the security, protection and confidentiality of the data, thanks to appropriate administrative, technical, personnel and physical measures against loss, theft and unauthorized use, disclosure or modification.

7. Who can have access to the users' personal data?

For the Contractual Purposes, personal data may be transferred to the following categories of recipients located both within the EU and, within the limits as per Section 8 below, outside of the EU: (a) the caregiver within specific limits, (b) third-party service providers entrusted with processing activities that provide services or assistance and advice to Empatica, with special but not exclusive reference to technology, accounting, administrative, legal, insurance, IT matters, (c) companies of the Empatica group, (d) persons and authorities whose right to access personal data is recognized by law, regulations or provisions issued by legally empowered authorities. The abovementioned recipients will process personal data as data controllers, data processors or persons in charge of processing, depending on the circumstances.

For the Legitimate Interest Purposes, personal data may be transferred to the following categories of recipients located both within the EU and, within the limits as per Section 8 below, outside of the EU: (a) third-party service providers entrusted with processing activities that provide services or assistance with reference to credit recovery procedures and credit assignments, as well as tests, updates and developments of the Device and the App, (b) companies of the Empatica Group, (c) potential purchasers of Empatica and the entities resulting from mergers or any other transformation involving Empatica, (d) competent authorities.

For the Marketing Purposes, personal data may be transferred to the following categories of recipients located both within the EU and, within the limits as per Section 8 below, outside of the EU: (a) third-party service providers entrusted with processing activities that provide services or assistance with regard to the delivery of marketing communications, (b) companies of the Empatica group.

A complete list of the data processors is available upon request through the modalities as per Section 9 below.

8. Is the User's personal data transferred abroad?

The Client personal data may be transferred to countries within and outside the European Economic Area, in particular in the United States. For transfers from the EU to countries not considered adequate by the European Commission, Empatica has put in place appropriate and suitable safeguards to protect the Users' personal data. Accordingly, the Users' personal data are transferred in compliance with the requirements and the obligations provided by applicable data protection laws, such as standard contractual clauses adopted by the European Commission as per Articles 45 and 46 of the Privacy Regulation.

9. Data retention periods applying to the users' personal data

Personal data of the User will be stored for the period necessary to fulfil the purposes for which the data was collected as outlined in this Privacy Notice. In any case the following retention periods will apply to the processing of the User's personal data for the purposes indicated below:
  1. data collected for Contractual Purposes and for Legitimate Interest Purposes is retained during the provision of the Services plus a period of 10 years after the termination or withdrawal from the contract with Empatica, except when the retention of the data is necessary to respond to or to file a legal action, upon request of the competent authorities or in compliance with the applicable laws;
  2. data collected for Marketing Purposes relating to the delivery of marketing communications and running of market research as per Section 4 letter i) of this privacy policy is retained for the duration of the contract and a subsequent period of 24 months;
  3. data collected for Marketing Purposes relating to the profiling of Users' preferences for marketing purposes as per Section 4 letter j) of this privacy policy is retained for a period of 12 months from the time they are collected.

10. What are the users' rights with regard to personal data?

The User, at any given time, can exercise the following rights by sending an email to the following address, privacy@empatica.com:
  1. to obtain from Empatica confirmation of the existence of personal data and to be informed of its content and source, verify its accuracy and request its integration, update or amendment;
  2. request the erasure, anonymisation or restriction of the processing of personal data processed in breach of the applicable laws;
  3. object in whole or in part, on legitimate grounds, to the processing of the data;
  4. to withdraw the consent to the processing of the data (if and to the extent such a consent is necessary).
In addition to the above the User will also have the right, in any given moment, to:
  1. request Empatica to limit the processing of the User's personal data where:
    • the User contests the accuracy of the personal data, until Empatica has taken sufficient steps to correct or verify its accuracy;
    • the processing is unlawful but the User does not want Empatica to erase the User's personal data;
    • Empatica no longer needs the User's personal data for the purposes of the processing, but the User requires them for the establishment, exercise or defence of legal claims; or
    • the User has objected to processing justified on legitimate interests, pending verification as to whether Empatica has compelling legitimate grounds to continue processing.
  2. object to the processing of the User's personal data;
  3. request the erasure of the User's personal data;
  4. receive an electronic copy of the User's personal data, if the User would like to port its personal data to itself or a different provider, when Empatica is relying upon the User's consent or the fact that the processing is necessary for the provision of the Services and the personal data is processed by automatic means; and
  5. lodge a complaint with the relevant data protection supervisory authority.

11. Data protection officer

The Data Protection Officer appointed by Empatica pursuant to Section 37 of the Privacy Regulation can be contacted at the following email address: privacy@empatica.com.

12. Updates

This privacy information notice might be subsequently updated or integrated. Changes will be notified in advance and in any case the User will be able to review the updated version of the privacy information notice on the website www.empatica.com.