Privacy
1. Introduction
Empatica S.r.l. ( "Empatica"), with registered office in Via Stendhal 36, 20144 Milan, Italy, which can be contacted at the email address privacy@empatica.com, explains how we collect, use, disclose and otherwise process the personal data collected through the Embrace watch ( "Embrace") and the Empatica applications and web portal ( "App") connected to the Embrace as used by the user (the "User") in order to provide the services (the "Services") offered by Empatica. This privacy policy does not apply to the Empatica website, located at www.empatica.com.
2. What and who this privacy policy covers?
Empatica is the data controller of the personal data collected from the User through Embrace and the App. Embrace and the App may be used by adults and by children. Where Embrace is to be worn by a minor, we require that a parent registers with the App on behalf of the minor. Where such minor is under 16 years old, the parent must provide verifiable parental consent to the collection and use of the personal data by Empatica.
3. What kind of personal data does empatica collect about the user?
Empatica collects the following categories of personal data:
App Service Registration. Empatica collects the name, date of birth, and contact details of the User (and its parents if the User is under 16) and any designated caregivers. With regard to the designated caregiver, the User declares and warrants to have provided him with Empatica's privacy information notice and have obtained his prior consent to the processing of his personal data by Empatica for the provision of the Services prior to providing his personal details to Empatica;
Other Information. Empatica automatically collects the following information via Embrace and the App, whenever the User's device is connected to the Internet:
Other Information. Empatica automatically collects the following information via Embrace and the App, whenever the User's device is connected to the Internet:
- Physiological Information. Embrace tracks, in real-time skin conductance, temperature, movement, and acceleration as well as heart rate and other physiological information from the Embrace sensor information (the "Special Categories of Personal Data"). This information is transmitted, automatically, from Embrace to the App, using Bluetooth®, and then from the App to Empatica via the User's mobile device’s WiFi connection or other cellular network.
- Personal Health Information - you may choose to use certain features of the MATE that will allow you to input other Personal Information with respect to your health, such as the medications you take, how often you take your medication, and dosage (collectively your “Health Information”).
- Technical Information. Empatica also collects other technical information such as IP address, Embrace identifier, geolocation information (which is collected exclusively when the Service detects a distress), the dates and times of access to the App, the phone/device type, as well as the software version, operating system, Bluetooth® and WiFi settings (On/Off).
4. How does empatica use the user's personal data?
Empatica processes the above mentioned personal data of the user for the following purposes:
a) the provision of the services available through Embrace and the App, including the billing of the relevant fees, gathering activity information;
b) the provision to the User of customer support and technical assistance, including the delivery of communications relating to the provision of the services through Embrace;
c) the measurement of the service quality and relevant metrics provided through Embrace and the App;
d) the management of complaints and disputes;
e) the performance of the activities necessary to ensure compliance with the applicable national/EU laws and/or respond to request from public and government authorities (the purposes from letters a) to e) are jointly referred to as "Contractual Purposes");
f) the performance of credit recovery procedures and credit assignment to authorized companies, also by means of third parties;
g) the performance of tests, updates, and developments of Embrace, the App and more in general the services provided by Empatica, in order to optimize the services provided to the User also by way of machine learning systems and artificial intelligence provided that the process of personal data, albeit limited to the necessary, is essential in order to carry out such tests activities;
h) the performance of technical assessment and due diligence activities by third parties such as acquirers and/or their advisors for a potential merger, sale of assets or transfer of all or a material part of its business, by disclosing and transferring the Client's personal data to the third party or parties involved in the transaction as part of the transaction; (the purposes of letters from f) to h) above are jointly referred to as "Legitimate Interest Purposes");
i) the delivery of direct marketing communications concerning products and services of Empatica (e.g., sending of advertising materials, market researches). The communications, may be sent by both automated (e.g., SMS, MMS, fax, calling systems, email and web applications) and traditional (e.g., calls by human operators) means of contact;
j) the delivery of marketing communications customized on the User's interests and needs by means of the channels of communication set out under letter i) above;
(the purposes of letters i) and j) above are jointly referred to as "Marketing Purposes").
5. On what legal basis does empatica process the User's personal data?
The processing of the User’s personal data is necessary with regard to the Contractual Purposes as it is essential:
Should the User not provide its personal data with regard to the Contractual Purposes, Empatica will not be able to provide the Services to the User.
In addition to the above, with reference to the collection of Special Categories of Data processed for Contractual Purposes Empatica will collect the User's consent. However if the User does not provide its consent to the processing of Special Categories of Data Empatica will not be able to provide the Services.
The processing of the User's personal data with regard to the Legitimate Interest Purposes as per Section 3 letters f) and h) is carried out in compliance with article 6, letter f) of the EU General Data Protection Regulation No. 679/2016 (the "Privacy Regulation"), for the pursuit of Empatica legitimate interest, which is adequately balanced with the User's interest since the data processing is performed within the limits strictly necessary to perform such activities. This data processing activity with regard to the Legitimate Interest Purposes is not mandatory and the User can object to the data processing at any time through the modalities as per Section 10 of this privacy policy.
Finally, the data processing with regard to the Marketing Purposes is based on the User's prior consent. Such data processing is not mandatory however should the User refuse to provide the relevant consent the User will not receive marketing communications as per Section 4 letters i) and j) above. In any case, the User can withdraw its consents at any time through the modalities as per Section 10 of this privacy policy.
- * for the performance of the contract regarding the provision of the requested Services with regard to the cases as per Section 4 letters from a) to d); and
- * in order to comply with provisions as provided by the applicable laws as per Section 4 letter e).
Should the User not provide its personal data with regard to the Contractual Purposes, Empatica will not be able to provide the Services to the User.
In addition to the above, with reference to the collection of Special Categories of Data processed for Contractual Purposes Empatica will collect the User's consent. However if the User does not provide its consent to the processing of Special Categories of Data Empatica will not be able to provide the Services.
The processing of the User's personal data with regard to the Legitimate Interest Purposes as per Section 3 letters f) and h) is carried out in compliance with article 6, letter f) of the EU General Data Protection Regulation No. 679/2016 (the "Privacy Regulation"), for the pursuit of Empatica legitimate interest, which is adequately balanced with the User's interest since the data processing is performed within the limits strictly necessary to perform such activities. This data processing activity with regard to the Legitimate Interest Purposes is not mandatory and the User can object to the data processing at any time through the modalities as per Section 10 of this privacy policy.
Finally, the data processing with regard to the Marketing Purposes is based on the User's prior consent. Such data processing is not mandatory however should the User refuse to provide the relevant consent the User will not receive marketing communications as per Section 4 letters i) and j) above. In any case, the User can withdraw its consents at any time through the modalities as per Section 10 of this privacy policy.
6. How does empatica process the user's personal data?
The User's personal data will be processed both electronically and/or manually, in any case in such a way as to guarantee the security, protection, and confidentiality of the data, thanks to appropriate administrative, technical, personnel, and physical measures against loss, theft, and unauthorized use, disclosure, or modification.
7. Who can have access to the User's personal data?
For the Contractual Purposes, personal data may be transferred to the following categories of recipients located both within the EU and, within the limits as per Section 8 below, outside of the EU: (a) the caregiver within specific limits [third parties service providers entrusted with processing activities that provide services or assistance and advice to Empatica, with special but not exclusive reference to technology, accounting, administrative, legal, insurance, IT matters; (c) companies of the Empatica group, (d) persons and authorities whose right to access personal data is recognized by law, regulations, or provisions issued by legally empowered authorities. The aforementioned recipients will process personal data as data controllers, data processors, or persons in charge of processing, depending on the circumstances. For the Legitimate Interest Purposes, personal data may be transferred to the following categories of recipients located both within the EU and, within the limits as per Section 8 below, outside of the EU: (a) third parties service providers entrusted with processing activities that provide services or assistance with reference to credit recovery procedures and credit assignments, as well as tests, updates, and developments of Embrace and the App, (b) companies of the Empatica Group, (c) potential purchaser of Empatica and the entities resulting from mergers or any other transformation involving Empatica, (d) competent authorities.
For the Marketing Purposes, personal data may be transferred to the following categories of recipients located both within the EU and, within the limits as per Section 8 below, outside of the EU: (a) third parties service providers entrusted with processing activities that provide services or assistance with regard to the delivery of marketing communications, (b) companies of the Empatica group.
A complete list of the data processor is available upon request through the modalities as per Section 9 below.
For the Marketing Purposes, personal data may be transferred to the following categories of recipients located both within the EU and, within the limits as per Section 8 below, outside of the EU: (a) third parties service providers entrusted with processing activities that provide services or assistance with regard to the delivery of marketing communications, (b) companies of the Empatica group.
A complete list of the data processor is available upon request through the modalities as per Section 9 below.
8. Is the User's personal data transferred abroad?
The Client's personal data may be transferred to countries within and outside the European Economic Area, in particular in the United States. For transfers from EU to countries not considered adequate by the European Commission, Empatica has put in place appropriate and suitable safeguards to protect the User's personal data. Accordingly the User's personal data are transferred in compliance with the requirements and the obligations provided by applicable data protection laws, such as standard contractual clauses adopted by the European Commission as per Articles 45 and 46 of the Privacy Regulation.
9. Data retention periods applying to the User's personal data
Personal data of the User will be stored for the period necessary to fulfil the purposes for which the data was collected as outlined in this Privacy Notice. In any case the following retention periods will apply to the processing of the User’s personal data for the purposes indicated below:
data collected for Contractual Purposes and for Legitimate Interest Purposes is retained during the provision of the Services plus a period of 10 years after the termination or withdrawal from the contract with Empatica, except when the detention of the data is necessary to respond or to file legal actions, upon request of the competent authorities or in compliance with the applicable laws;
data collected for Marketing Purposes relating to the delivery of marketing communications and running of market searches as per Section 4 letter i) of this privacy policy is retained for the duration of the contract and a subsequent period of 24 months;
data collected for Marketing Purposes relating to the profiling of User's preferences for marketing purposes as per Section 4 letter j) of this privacy policy is retained for a period of 12 months from the time they are collected.
data collected for Contractual Purposes and for Legitimate Interest Purposes is retained during the provision of the Services plus a period of 10 years after the termination or withdrawal from the contract with Empatica, except when the detention of the data is necessary to respond or to file legal actions, upon request of the competent authorities or in compliance with the applicable laws;
data collected for Marketing Purposes relating to the delivery of marketing communications and running of market searches as per Section 4 letter i) of this privacy policy is retained for the duration of the contract and a subsequent period of 24 months;
data collected for Marketing Purposes relating to the profiling of User's preferences for marketing purposes as per Section 4 letter j) of this privacy policy is retained for a period of 12 months from the time they are collected.
10. What are the user's rights with regard to personal data?
The User, at any given time, can exercise the following rights, by sending an email to the following address privacy@empatica.com
(a) to obtain from Empatica confirmation of the existence of personal data and to be informed of its content and source, verify its accuracy and request its integration, update or amendment;
(b) request the erasure, anonymisation or restriction of the processing of personal data processed in breach of the applicable laws;
(c) object in whole or in part, on legitimate grounds, to the processing of the data;
(d) to withdraw the consent to the processing of the data (if and to the extent such a consent is necessary).In addition to the above the User will also have the right, in any given moment, to:
request Empatica to limit the processing of the User’s personal data where:
object to the processing of the User’s personal data;
request the erasure of the User's personal data without undue delay;
receive an electronic copy of the User's personal data, if the User would like to export its personal data to itself or a different provider, when Empatica is relying upon the User's consent or the fact that the processing is necessary for the provision of the Services and the personal data is processed by automatic means; and
lodge a complaint with the relevant data protection supervisory authority.
(a) to obtain from Empatica confirmation of the existence of personal data and to be informed of its content and source, verify its accuracy and request its integration, update or amendment;
(b) request the erasure, anonymisation or restriction of the processing of personal data processed in breach of the applicable laws;
(c) object in whole or in part, on legitimate grounds, to the processing of the data;
(d) to withdraw the consent to the processing of the data (if and to the extent such a consent is necessary).
request Empatica to limit the processing of the User’s personal data where:
- * the User contests the accuracy of the personal data until Empatica has taken sufficient steps to correct or verify its accuracy;
- * the processing is unlawful but you do not want us to erase the User’s personal data;
- * Empatica no longer needs the User’s personal data for the purposes of the processing, but the User requires them for the establishment, exercise, or defense of legal claims; or
- * The User has objected to processing justified on legitimate interests, pending verification as to whether Empatica has compelling legitimate grounds to continue processing.
object to the processing of the User’s personal data;
request the erasure of the User's personal data without undue delay;
receive an electronic copy of the User's personal data, if the User would like to export its personal data to itself or a different provider, when Empatica is relying upon the User's consent or the fact that the processing is necessary for the provision of the Services and the personal data is processed by automatic means; and
lodge a complaint with the relevant data protection supervisory authority.
11. Data protection officer
The Data Protection Officer appointed by Empatica pursuant to Section 37 of the Privacy Regulation can be contacted at the following email address: privacy@empatica.com
12. Updates
This privacy information notice might be subsequently updated or integrated. Changes will be notified in advance and in any case User will be able to review the updated version of the privacy information notice on the website www.empatica.com.
