
Privacy Notice for the Empatica Health Monitoring Platform (EHMP) – EU Version

Last updated: Nov 6, 2025


This Privacy Notice (“Notice”) explains how Empatica S.r.l., with registered offices at Via Stendhal 36, 20144 Milan, Italy (“Empatica”, “we”, “our”, or “us”), processes personal data on behalf of its institutional and enterprise customers (“Customers”) located in the European Union (EU) and European Economic Area (EEA) in connection with the Empatica Health Monitoring Platform (EHMP) and its related components and services (together, the “Services”).

Processing of personal data is carried out in compliance with Regulation (EU) 2016/679 (General Data Protection Regulation, or “GDPR”) and applicable domestic data-protection laws (collectively, the “Data Protection Laws”).

Empatica provides digital-health and medical-device technologies that enable the remote collection, transmission, and analysis of physiological data from participants, patients, or study subjects (“Participants”) under the control of hospitals, universities, or research sponsors.

In this context, Empatica acts as a Data Processor, processing personal data solely on the documented instructions of the Customer, which acts as the Data Controller. Any requests to exercise data-subject rights under the GDPR should normally be directed to the relevant Customer (the Controller). However, you may contact Empatica using the details provided in Section 14 if you have questions about how your data are processed or wish to facilitate the exercise of your rights through the appropriate Controller.


1. Scope

Except as otherwise described below, this Notice applies to the personal data that Empatica S.r.l. collects and processes in relation to the Empatica Health Monitoring Platform (EHMP) and its components, including:

  • Wearable devices such as Embrace Plus or Embrace Mini (the “Hardware”);
  • Mobile applications, including the Care App (used in clinical trials) and the PKG Monitor by Empatica (used in Parkinson’s clinical care); and
  • Empatica’s secure cloud portal, which allows authorized investigators, clinicians, or research staff to view, manage, and analyze data (together, the “Services”).

Under the Medical Device Regulation (EU) 2017/745 (MDR), each of these components is considered a stand-alone medical device, with its own conformity assessment and CE marking. However, for the purposes of this Notice, these elements are collectively referred to as the Empatica Health Monitoring Platform (EHMP).

The Services may be used in two primary contexts:

  • Clinical trials or research studies, where Empatica provides technology and support to research sponsors and investigators; and
  • Parkinson’s clinical care, where the platform is used by healthcare professionals for remote monitoring of patients (“EHMP for Parkinson’s”).

Where used in this Notice, “you” or “your” refers primarily to individuals whose personal data may be processed through the Services, including:

  • Participants, patients, or study subjects who use the wearable devices and associated applications;
  • Authorized healthcare professionals, researchers, and site staff who access the data through the portal; and
  • Other individuals whose personal data may be collected in connection with the Services (for example, caregivers or technical support contacts).

2. Our Collection and Use of Personal Data

Empatica processes, on behalf of the Customer, only the personal data that are necessary to operate, maintain, and support the Empatica Health Monitoring Platform (EHMP) and its components (the Embrace Plus or Embrace Mini wearable devices, the Care App or PKG Monitor by Empatica mobile applications, and the secure cloud portal).

The specific data processed depend on the configuration chosen by the Customer, the device used, and the context of use (clinical trial / research or Parkinson’s clinical care).

a) Data subjects and information we process

Empatica processes personal data on behalf of its Customers in connection with different types of relationships and roles within the EHMP ecosystem. The scope of the data processed differs between clinical trials and research studies and clinical care.

A. Common to clinical trials and clinical care

  • Account representatives (Customers): the legal entities that contract with Empatica (e.g., a pharmaceutical company or hospital). Data may include names and contact details of authorised representatives.
  • Staff or authorised users: health-care professionals, investigators, research assistants, or site personnel with portal access. Empatica processes their name, surname, institutional email address, and IP address of the device used to access the portal.

B. Specific to clinical care

  • Clinics: hospitals or clinical centres that receive devices and manage patients through the platform. Clinic information is mainly institutional, but designated contacts may be identifiable.
  • Patients: individuals receiving clinical care for Parkinson’s disease. Empatica processes identifiable data including name, surname, date of birth, age, gender, IP address, and health data such as physiological signals, movement, tremor and bradykinesia scores, and medication logs.

C. Specific to clinical trials and research

  • Study information: study title, identifier, and protocol number (administrative data).
  • Sites: hospitals or research centres where the study is conducted; includes site identifiers and contact details of investigators or coordinators.
  • Participants: pseudonymised study subjects whose physiological and health data are collected via Empatica devices and mobile apps. Empatica does not receive any directly identifying information; re-identification keys remain with the study sponsor or site.

b) Identifiability of the data

The degree to which personal data processed through the Services may identify an individual depends on the context of use:

  • Clinical trials and research studies – Personal data are pseudonymised (coded) by the Customer before being processed by Empatica. Empatica does not receive or access direct identifiers (such as name, address, or contact information) and cannot re-identify Participants. The key linking the pseudonym or study code to an individual is retained exclusively by the Customer or research site.
  • Clinical care – When the Services are used in clinical-care settings, authorised health-care professionals may enter identifiable patient information (e.g., name and surname) into the platform to manage patient records. In these cases, Empatica processes identifiable health data under the instructions of the health-care provider, applying the same security and confidentiality standards described in this Notice.

In both situations, Empatica acts as a Data Processor and processes the information strictly on behalf of, and under the responsibility of the Customer. The same technical and organisational safeguards—including encryption, access controls, and ISO 27001:2022-certified security measures—are applied regardless of whether the data are pseudonymised or directly identifiable.

3. Lawful basis of processing

The lawful basis on which personal data are processed for each specific purpose is described in the table in Section 2 above and supplemented by the additional information below. While Empatica processes personal data only on the documented instructions of its Customers (who act as the Data Controllers), this section provides transparency about the main legal grounds under the General Data Protection Regulation (GDPR) that may apply to such processing.

Processing on the basis of performing a contract or public task

Where we indicate that processing is necessary for the performance of a contract or for the performance of a task carried out in the public interest, this refers to situations where the Customer (for example, a hospital, research sponsor, or healthcare provider) processes personal data to deliver healthcare, conduct research, or fulfil its contractual or statutory obligations to participants or patients. Empatica processes such data only as required to provide and maintain the Services on behalf of the Customer. In these cases, Empatica does not rely on consent as a lawful basis, as the processing is essential for the Customer to deliver the clinical or research services requested by the data subject.

Processing on the basis of legitimate interests

Where we indicate that processing is carried out based on legitimate interests, this relates to activities that are necessary for Empatica’s or the Customer’s operational and security needs, such as:

  • maintaining system integrity and preventing unauthorised access;
  • ensuring accurate service delivery and troubleshooting; and
  • managing communications with Customer representatives and authorised users.

Empatica and its Customers have assessed that these activities are necessary for the operation and safety of the Services and that they do not override the fundamental rights and freedoms of individuals. Individuals may have a qualified right to object to processing based on legitimate interest (see Section 7 – Data Subject Rights).

Processing of health-related information

Processing of health-related data is an integral part of delivering the EHMP Services and is subject to additional safeguards under the GDPR. Such data are processed only as necessary and under one or more of the following conditions:

  • Provision of healthcare or research services: processing is necessary for the management of health or research services under Art. 9(2)(h) or Art. 9(2)(j) GDPR.
  • Compliance with legal and regulatory obligations: processing is required to meet medical-device safety and post-market surveillance obligations under the EU Medical Device Regulation (MDR), in accordance with Art. 9(2)(i) GDPR.
  • Customer-authorised research and analytics: when the Customer instructs Empatica to process data in anonymised or aggregated form for research, validation, or service-improvement purposes.
  • Legal claims and defence: processing is necessary for the establishment, exercise, or defence of legal claims, under Art. 9(2)(f) GDPR.

Empatica applies the same high standards of security and confidentiality to all health-data processing, whether the data are pseudonymised or directly identifiable.

Processing based on consent

Where the Customer or Empatica relies on consent (for example, when authorised users register for communications, events, or surveys), such consent is collected in accordance with GDPR requirements and may be withdrawn at any time by contacting Empatica (see Section 14 – Contact Details).

Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal. For data processed as part of Customer-led research or clinical programmes, requests to withdraw consent should be directed to the relevant Customer (the Data Controller).

Processing for marketing and professional communications (B2B only)

Empatica may process personal data of Customer representatives or professional contacts as part of its marketing and professional communications activities. Such processing is based on:

  • explicit consent for newsletters or promotional messages (Art. 6(1)(a) GDPR); or
  • legitimate interest for communications relating to similar services offered to existing Customers (Art. 6(1)(f) GDPR), subject to applicable opt-out rights.

Empatica does not conduct marketing directed at study participants or patients.

4. Sharing Your Personal Data with Others

Other than where directed by the Customer, Empatica does not share or disclose personal data except as necessary to provide the Services, fulfil contractual obligations, or comply with applicable legal and regulatory requirements. Empatica may disclose or grant access to personal data processed on behalf of the Customer as described below.

a) Affiliates

Empatica S.r.l. may share personal data with its affiliate Empatica Inc., located in the United States, to the extent necessary to deliver technical, hosting, or customer-support services. Empatica Inc. acts as an authorised sub-processor and processes personal data only on Empatica S.r.l.’s documented instructions and under the same contractual, technical, and organisational safeguards. Cross-border transfers to the United States are protected by the EU Standard Contractual Clauses (SCCs) adopted by the European Commission (Decision 2021/914/EU) and Empatica’s internal data-protection framework.

b) Sub-processors and service providers

Empatica engages carefully selected third-party service providers (“sub-processors”) that perform specific functions on Empatica’s behalf and process personal data only according to Empatica’s documented instructions. These may include providers of:

  • secure cloud-hosting and data-storage infrastructure;
  • device-connectivity and communication services;
  • maintenance, calibration, and quality-assurance support;
  • audit and certification services; and
  • customer-support and incident-management systems.

Empatica ensures that all sub-processors are bound by written agreements imposing confidentiality, data-protection, and security obligations equivalent to those in Empatica’s agreements with its Customers. A current list of authorised sub-processors is maintained and made available to Customers upon request.

c) Legal, regulatory, and safety disclosures

Empatica may disclose personal data to competent authorities, regulators, or other public bodies where required to:

  • comply with obligations under the EU Medical Device Regulation (EU) 2017/745 (MDR) or other applicable laws;
  • report or investigate device-safety incidents or adverse events;
  • demonstrate conformity during regulatory audits or inspections;
  • respond to lawful requests by law-enforcement or supervisory authorities; or
  • defend or exercise legal claims.

Such disclosures are limited to what is strictly necessary to fulfil Empatica’s or the Customer’s legal obligations.

d) Corporate transactions

In the event of a merger, acquisition, restructuring, or sale of assets involving Empatica, personal data may be transferred to the acquiring or successor entity as part of that transaction. Any such transfer will occur only under conditions ensuring continuity of equivalent data-protection safeguards.

e) No unauthorised sharing

Empatica does not sell, lease, or otherwise disclose personal data to third parties for marketing or independent purposes. All processing and sharing occur solely within the framework of Empatica’s contractual and legal obligations to its Customers.

5. Aggregate and De-Identified Information

Empatica may use and disclose information that has been aggregated or anonymized so that it cannot reasonably be linked to an identified or identifiable individual. We use such data for quality control, analytics, research, development, and to improve the Services. Once data are anonymized, they are no longer personal data under the GDPR.

Where Empatica handles de-identified/pseudonymised data (i.e., still capable of re-identification by the Customer), it remains personal data and is processed only on the Customer’s documented instructions and under the safeguards described in this Notice.

If a Customer instructs Empatica to generate and use anonymized datasets derived from health data, Empatica will do so only where the Customer has established the appropriate lawful basis (e.g., consent or research/public-interest grounds) and will apply procedures designed to prevent re-identification.

6. Cookies and Tracking

The Care App, PKG Monitor by Empatica, and Empatica’s web portals may use cookies or similar technologies primarily for security, authentication, and service performance. Where non-essential cookies (e.g., analytics or preference cookies) are used, they are deployed only with the prior consent of the Customer or authorised users, where required by law.

For details about cookie types, purposes, retention, and how to manage your choices, please see our Cookie Notice available [here]. Please read it together with this Privacy Notice.

7. Your Data Subject Rights and Data Protection Officer

At any time, you can exercise the rights granted to you by the Data Protection Laws regarding your personal data by writing to privacy@empatica.com or using the contact details set out in Section 14 below.

Because Empatica processes personal data on behalf of its Customers (Data Controllers), requests to exercise your rights may need to be referred to the relevant Customer (for example, the hospital, research sponsor, or healthcare provider) that determines how your data are used. Empatica will assist the Customer in responding to such requests in accordance with Article 28(3)(e) of the GDPR.

In accordance with the Data Protection Laws, you may have the right to:

  • Access your personal data;
  • Rectify or erase your personal data;
  • Restrict the processing of your personal data;
  • Transfer your personal data to another controller (“data portability”);
  • Object to the processing of your personal data;
  • Obtain information and/or a copy of the safeguards used for international data transfers outside the EU/EEA; and
  • Lodge a complaint with your local supervisory authority if you believe your rights have been infringed.

We may ask you for additional information to confirm your identity and for security purposes before disclosing any personal data. We reserve the right to charge a reasonable fee, where permitted by law, for example if a request is manifestly unfounded or excessive.

You can exercise your rights by contacting us at the above address. Subject to legal and other permissible considerations, we will make every reasonable effort to honour your request promptly and, in any case, within the timeframes set out by the Data Protection Laws. If further information is required to fulfil your request, we will inform you accordingly.

Please note that we may not always be able to fully address your request—for instance, if it would impact the duty of confidentiality we owe to others, or if we are legally required to handle the request differently.

Empatica has appointed a Data Protection Officer (DPO) who is responsible for monitoring compliance with data-protection regulations and acting as a point of contact for data-subject requests and supervisory authorities.

The Data Protection Officer, appointed by Empatica pursuant to Article 37 of the GDPR, can be contacted at: privacy@empatica.com

8. Data Retention

We retain your personal data for as long as necessary to fulfil the purposes for which it was collected, or as otherwise necessary to comply with our legal obligations, resolve disputes, maintain appropriate business records, and enforce our agreements.

Where Empatica acts as a Data Processor, retention periods are determined by the Customer (Data Controller) in accordance with the applicable clinical-research, healthcare, or regulatory requirements. Empatica retains data only for the time necessary to provide the Services and to meet its contractual or legal duties.

In particular, the following retention periods apply:

  • Providing the Services / Account and relationship management – For the entire duration of the contract entered into with the Customer, and for ten (10) years thereafter, corresponding to the statutory limitation period for Empatica’s contractual liability, unless a longer period is required for pending litigation, regulatory investigations, or requests by competent authorities.
  • Safeguarding – For the period prescribed by applicable law, including for post-market surveillance, diagnostics and remediation, vigilance reporting, and other regulatory-compliance activities.
  • Research and analytics – Personal data processed for research or analytics purposes are retained for one (1) year, after which they are deleted or anonymised. No specific retention limit applies to data that have been permanently anonymised.
  • Marketing, advertising, and public relations (B2B only) – Until you withdraw your consent to such processing or, in any event, for no longer than twenty-four (24) months from the last interaction related to marketing communications.
  • Business operations and compliance –
    • For accounting, auditing, and record-keeping, data are retained for the period required by applicable law.
    • For fraud prevention and cybersecurity, system and network logs are kept for seven (7) days from the time of collection, unless further retention is necessary to investigate incidents, comply with requests from authorities, or ensure compliance with quality and security standards.
    • For defending or enforcing legal and contractual rights or credit-recovery activities, data are retained for the same period described under Providing the Services / Account and relationship management above, or for a longer period where required to pursue or defend claims.
    • For corporate transactions such as mergers, acquisitions, or reorganisations, data are retained for the applicable period linked to those specific processing activities and as required by law.

After the applicable retention period expires, Empatica securely deletes or irreversibly anonymises the data in accordance with its Information Security and Data-Retention Procedures.

9. Processing of Children’s Personal Data

We are committed to protecting the privacy of children who use our Services. This section provides supplemental information regarding our processing of personal data relating to children in accordance with the General Data Protection Regulation (GDPR) and applicable national laws.

Age groups

  • Children over the age of 6 but under 18: may use the wearable devices (Embrace Plus or Embrace Mini) and related mobile applications (Care App or PKG Monitor by Empatica) only under the supervision of a parent, guardian, or authorised healthcare professional. They may not register as users of the Services directly; registration and consent must be completed by their parent, guardian, or the responsible investigator or clinician.
  • Children under the age of 6: as indicated in the Instructions for Use, the Empatica Health Monitoring Platform (EHMP) and its components are not intended for children under 6 years of age. The devices are medical-grade products intended for use only in adults and in children aged 6 and above, as prescribed by qualified healthcare professionals.

Processing and sharing of children’s data

Empatica will process personal data relating to children as described in this Notice and solely on the documented instructions of the relevant Customer (Data Controller)—for example, a hospital, university, or research sponsor. Where a parent or guardian holds parental responsibility and acts on behalf of a child user, they may access their child’s personal data processed through the Services and may choose to receive notices of certain activity through the App or the portal. They may also designate additional authorised caregivers to receive such notifications, where supported by the Services and permitted by the Customer.

Parental consent, changes, and controls

When children under 18 participate in programmes or studies using the Services, Empatica relies on the Customer to obtain verifiable parental or guardian consent before any personal data are collected or processed. Parents or guardians may review their child’s personal data maintained within the Services and may exercise, on the child’s behalf, any of the data-subject rights described in Section 10 above (access, rectification, erasure, restriction, or objection), by contacting the relevant Customer or Empatica at privacy@empatica.com.

Empatica does not use children’s data for any independent purpose, marketing, or profiling activities, and applies the same or stronger technical and organisational security measures to children’s data as to all other personal data.

10. International Transfers of Personal Data

Empatica is headquartered in the United States and has operations, affiliates, and service providers in the United States, the European Union, and other jurisdictions around the world. As a result, personal data processed through the Services may be transferred to or accessed from locations outside the European Economic Area (EEA).

Such transfers are carried out in full compliance with applicable Data Protection Laws, and appropriate safeguards are applied to ensure that personal data remains protected at all times. In particular:

  • Personal data may be transferred only after the execution of the Standard Contractual Clauses approved by the European Commission (Decision No. 2021/914/EU) or to countries that have been recognised by the Commission as providing an adequate level of data protection (“Adequacy Decisions”).
  • Transfers to the United States may rely on the EU–U.S. Data Privacy Framework, where applicable.
  • Empatica also implements technical and organisational safeguards, such as encryption and access controls, to protect personal data during transfer.

For further information about international data transfers or to obtain a copy of the relevant safeguards, please contact us using the details provided in Section 14 – Contact Us.

11. Security

Empatica has implemented appropriate technical and organisational measures to protect personal data from loss, misuse, unauthorised access, disclosure, alteration, or destruction. These measures include:

  • encryption of personal data at rest and in transit;
  • strict access-control and authentication procedures for authorised personnel;
  • continuous system monitoring, vulnerability management, and incident response;
  • segregation of environments and data; and
  • regular independent security audits.

Empatica’s Information Security Management System is certified to ISO 27001:2022 and integrated into its quality-management framework under the EU Medical Device Regulation (MDR). Despite these safeguards, no data-transmission system can be guaranteed to be fully secure; however, Empatica continually updates and tests its systems to maintain a high level of protection.

12. Third-Party Links

The Services may contain links to third-party websites or applications. Any access to and use of such linked resources is not governed by this Notice but rather by the privacy notices of those third parties. Empatica is not responsible for the information practices or content of third-party websites or services.

13. Changes to this Privacy Notice

We may update this Notice from time to time to reflect changes in legal requirements or in the way we provide our Services. Any updates will be posted on our website, and the “Last Updated” date at the top of this Notice will indicate when the most recent revisions were made. If we make any material changes, we will endeavour to provide advance notice—for example, by email to Customers or by posting a prominent notice on our website.

14. Contact Us

Empatica welcomes your questions, comments, or concerns regarding this Notice or our privacy practices. You can contact us at:

📧 privacy@empatica.com

📍 Empatica S.r.l. Via Stendhal 36, 20144 Milan, Italy

Empatica’s Data Protection Officer (DPO) can also be reached at the same email address. If you are located in the European Union, you have the right to lodge a complaint with your local supervisory authority if you believe your personal data have been processed unlawfully.