Empatica
Privacy Notice
Last updated: [April, 2025]
This Privacy Notice (“Notice”) describes how Empatica S.r.l., its global affiliates, brands (collectively, “Empatica,” “we,” “our,” or “us”) collect, use, disclose, and otherwise process information relating to identifiable individuals ("personal data") and the rights and choices individuals have regarding such personal data.
Empatica is the ‘data controller’ for the processing set out in this Notice. This means that we are responsible for such processing, and you can contact us if you have any questions or want to exercise any rights under applicable data protection laws. Information on how to contact Empatica can be found at section 14 below.
This Notice should be read alongside the "Terms and Conditions" for use of the Services (defined below), which are available on our website here.
Table of Contents
- Scope
- Our Collection and Use of Personal Data
- Sharing Your Personal Data with Others
- Lawful Basis of Processing
- Aggregate and De-Identified Information
- Cookies and Tracking
- Your Data Subject Rights
- Retention
- Processing of Children’s Personal Data
- International Transfers of Personal data
- Security
- Third-Party Links
- Changes to this Privacy Notice
- Contact Us
- Scope
Except as otherwise described below, this Notice applies to the personal data Empatica collects and processes in relation to the EmbracePlus watch, the associated EpiMonitor mobile phone applications ("App"), and the associated EpiMonitor Account page (“Portal”) (collectively, the “Services”).
Where used in this Notice, "you" and "your" refers primarily to current or prospective users of the Services, and also includes: minors and other individuals on whose behalf you are acting; and Caregivers (as defined below) and other individuals whose personal data we may receive in relation to the Services.
Not in Scope. This Notice does not apply to the personal data that we collect and process other than in relation to use of the Services, such as personal data about Empatica employees, contractors, personnel, job applicants, or candidates.
Additional Notices. In some cases, additional or supplemental privacy notices may be provided and will apply to certain personal data collected and processed by us. These additional notices will prevail over this Notice to the extent there is a conflict with respect to processing subject to that additional notice.
- Our Collection and Use of Personal data
As further described below, we collect personal data directly from you, from third parties, and automatically through your use of our Services.
How we collect personal data
In most cases, we will collect personal data directly from you or from your use of the Services.
We may also collect personal data other than from you in some circumstances, such as:
- if you are a registered caregiver in relation to the Services ("Caregiver") we will receive your contact information from a user of the Services in accordance with the Terms and Conditions; and
- if you post information about us or engage with us on third-party platforms, such as through your social media account, we may collect personal data about you from that third-party platform or account (e.g., your social media username and/or handle). These third-party platforms and services control the information that they collect and share about you. For information about how they may use and disclose your information, including any information you make public, please consult their respective privacy policies.
How we process personal data
The table below summarises the purposes for which we process your personal data, along with the lawful basis we rely on for this processing as per applicable data protection law. For more information on the application of lawful basis, please see section 4 below.
| Purpose of Processing | Categories of Personal Data | Lawful basis |
| --- | --- | --- |
| Providing the Services, including operating the EmbracePlus Watch and providing App functionality; sending alerts to Caregivers; providing support regarding your use of our Services; and sending servicing communications. | Personal details including name, date of birth, gender, age, other demographic data and any personal data otherwise submitted to us as part of your registration and use of the Services.<br>Contact information, including name, address, phone number, email address, postal address, practice name.<br>Health-related information, including physiological information, physical condition(s) and diagnoses, biometrical information (bodily functions, vital signs, symptoms, temperature, EDA data), computed biomarkers (e.g., sleep, movement); and medications and other treatments or interventions.<br>Device information; including IP address, EmbracePlus identifier, the dates and times of access to the App, the phone/device type, as well as the software version, operating system, Bluetooth® and WiFi settings (On/Off).<br>Activities and usage: information related to your use of the Services, such as features used.<br>Location Information: geolocation information via your device settings | Performance of a contract with you, your explicit consent (for health-related information), and/or our legitimate interest |
| Account and relationship management; managing our relationship with you, including communicating with you and managing transactions, account and subscription management; responding to your queries, feedback and fulfilling requests; and tailoring content to personalize your experience | Personal details and Contact Information (as set out above)<br>Transaction Information, relating to purchases and payments in connection with the Services, including a record of your purchases and shopping behaviour, card number, expiration date, billing address, shipping information and records about your past purchases.<br>Our interactions with you, including communications and information about your use of the Services and preferences | Performance of a contract with you, and/or our legitimate interest |
| Safeguarding: monitoring and assessing the performance and safety of the EmbracePlus Watch and related Services, including diagnostics and remediation, and assessing and responding to adverse event reports. | Health-related information and device information (as set out above).<br>Other personal data contained in adverse event reports. | Compliance with our legal and regulatory obligations as a medical device provider and/or our legitimate interest (for normal personal data). |
| Undertaking research and analytics regarding the Services, to evaluate and improve our services and business operations. | Personal details, device information, activities and usage, transaction information. | Our legitimate interest |
| Marketing, advertising, and public relations, including offering promotions and planning and managing events and undertaking market research and surveys. | Personal details and Contact Information (as set out above)<br>Survey responses: any information you may provide such as demographics, preferences, and your opinion about our products and Services. | Our legitimate interest, and/or your explicit consent to send direct marketing where required. |
| Business operations including: accounting, auditing, compliance, recordkeeping, and legal purposes; to prevent and detect fraud and security incidents; to defend and enforce our legal and contractual rights; credit recovery including assignment to authorized companies; and transactions such as the sale or reorganization of our business. | Any of the above categories of personal data where applicable to our business operations. | Our legitimate interests, and where necessary for compliance with laws or to defend or assert legal claims. |
- Sharing your personal data with others
Other than where directed by you, we only disclose the personal data that we collect in order to provide our Services, respond to and fulfill your transactions or requests, and as follows:
- Global affiliates, subsidiaries, branches, or associated offices. We may disclose the personal data we collect to our global affiliates, subsidiaries, branches, or associated offices who will use and disclose this personal data in accordance with the principles of this Notice.
- Vendors and service providers. We may disclose the personal data that we collect to our service providers and others who perform functions on our behalf or provide us services. These may include, for example, service providers that host or operate the Services, payment processors, analytics providers, information technology service providers, communication service providers, customer service vendors, consultants, auditors, and legal counsel. We only appoint service providers that provide adequate guarantees that they will safeguard your personal data and only process data as permitted by our contracts with them.
- General business operations. If we, our affiliates, or our subsidiaries are acquired by, merged with, financed by, or invested in by another company, or if any of our assets are or may be transferred to another company, whether as part of a bankruptcy or insolvency proceeding or otherwise, we may transfer the information we have collected about you to the other company. We may also share certain personal data as necessary prior to the completion of such a transaction or corporate transactions such as financings or restructurings, to lenders, auditors, and other advisors, including attorneys and consultants, as part of due diligence or as necessary to plan for a transaction.
- Others as permitted or required by applicable law. We may disclose personal data to other parties to the extent permitted or required by applicable law. This may include regulators, government entities, and law enforcement. It may also include certain disclosures that we are required to make.
- Security and protection of rights. We may disclose your personal data when we believe it is appropriate to do so to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the safety of any person, violations of our Terms of Use or this Notice, or as evidence in litigation in which we are involved.
- With permission. We may disclose personal data in ways not described above. If we do so, we will notify you, and if necessary, obtain your consent. For example, where you have a designated Caregiver, or have we may share information with that Caregiver.
- Where the personal data relates to children: we may share a child's personal data with parents, guardians and/or Caregivers as set out in Section 9 below.
- Lawful basis of processing
The lawful basis on which we process your personal data for a specific purpose is as set out in the table in section 2 above and is supplemented by the additional information in this section.
Processing on the basis of our legitimate interests
Where we indicate that we process personal data on the basis of our legitimate interests, we have determined that (a) the processing is necessary for a legitimate business purpose and (b) our interest in doing so is not outweighed by a risk to the rights and freedoms of data subjects arising from such processing. You have a qualified right to object to us processing on this basis – please see section 7 below.
Processing of health-related information
Processing your health-related information is an integral aspect of providing the Services. This type of personal data is subject to additional protections under applicable data protection laws. We will process your health-related information only as necessary:
- to provide the Services on the basis of your consent. We will obtain this consent from you when you use the Services for the purposes set out in this Notice and the Terms and Conditions. See below for more information regarding consent.
- to comply with our obligations as a provider of a medical device to monitor the operational and technical performance and safety of the EmbracePlus Watch and related services, including via adverse incident reports.
- to defend or enforce our legal rights and comply with other legal requirements.
Processing based on your consent
Where we require your consent for the processing of your personal data as part of the Services, you can revoke your consent at any time by contacting us (see contact details at section 14 below) or via the App (in relation to location data). However, if you withdraw your consent you will no longer be able to use the features of the EmbracePlus watch and related Services, including notifications to Caregivers, as these require the processing of health data and location data.
Processing for marketing purposes
We may process your personal data as part of our marketing activities and in reliance on our legitimate business interests. You may at any time object to this processing – please see section 7 for more information on exercising your rights as a data subject. We will only send you direct marketing with your prior consent or as otherwise permitted by applicable data protection laws - you may unsubscribe from such communications at any time via the link provided in each message. If you opt out of receiving promotional emails from us, we may still send you communications that you have requested to receive from us.
- Aggregate and De-Identified Information
We may use and disclose aggregate and other non-identifiable data related to our business and the Services for quality control, analytics, research, development, and other purposes. Where we use, disclose, or otherwise process de-identified data (data that is no longer reasonably linked or linkable to an identified or identifiable natural person, household, or personal or household device) we will maintain and use the information in de-identified form and not attempt to re-identify the information, except in order to determine whether our de-identification processes are reasonable and adequate pursuant to applicable privacy laws.
- Cookies and Tracking
We and our providers use cookies, pixel tags, and other similar tracking technologies to automatically collect information about browsing activity, device type, and similar information within the Portal. This information, which may be considered personal data in some jurisdictions, is used, for example, to analyze and understand how you access, use, and interact with our Services; to identify and resolve bugs and errors; to assess, secure, protect, optimize, and improve the performance of our Services; to personalize content; and for marketing, advertising, measurement and analytics purposes. We may also de-identify and/or aggregate such information to analyze trends, administer Services, and gather broad demographic information for aggregate uses, and for any other lawful purposes.
Cookies. Cookies are alphanumeric identifiers used for tracking purposes. Some cookies allow us to make it easier for you to navigate our Services, while others are used to enable a faster log-in process, to support the security and performance of the Services, or to allow us to track activity and usage data within and across the Services.
Pixel Tags and Similar Technologies. Pixel tags (sometimes called web beacons or clear GIFs) are tiny graphics with a unique identifier, similar in function to cookies. We may use these tracking technologies to understand users’ activities, to help manage content and compile usage statistics, and in emails to let us know when they have been opened or forwarded so we can track response rates and gauge the effectiveness of our communications.
Local Storage Objects. Local storage is a web storage mechanism that allows us to store data on a browser that persists even after the browser window is closed. Local storage may be used by our web pages to cache certain information in order to enable faster loading of pages and content when you return to the Portal. You can clear data stored in local storage through your browser. Please consult your browser help menu for more information.
Analytics. We use analytics tools, such as Google Analytics, to evaluate usage and traffic on our Portal. These analytics providers use cookies, pixels, and other tracking technologies to collect usage data to provide us with reports and metrics that help us analyze, improve, and enhance performance and user experience. You can learn more about how Google uses your information at www.google.com/policies/privacy/partners/ (“How Google uses information from sites or apps that use our services”). You can also download the Google Analytics Opt-out Browser Add-on to prevent your information from being used by Google Analytics at https://tools.google.com/dlpage/gaoptout.
Cross-Device Tracking. We and ad networks we work with may use the information we collect about you within our Portal, and on other third-party websites and services, to help us and these third parties identify other devices that you use (e.g., a mobile phone, tablet, other computer, etc.) to interact or engage with us or our Services.
Advertising Networks. We work with ad networks, channel partners, mobile ad networks, analytics and measurement services, and others (“ad networks”) to personalize content, as well as to manage our advertising on third-party websites, mobile apps, and online services. We may share certain information with ad networks, and we may each use cookies, pixel tags, and other tools to collect usage and browsing information within our Services, as well as on third-party websites, apps, and services. This information may include IP address, location information, cookie and advertising IDs, and other identifiers, as well as browsing information.
Custom Lists and Matching. We may share or make available certain customer list information (such as your name, email address and other contact information) with third parties (i) so that we can better target ads and content to you across third party sites, platforms and services, and (ii) in some cases, these third parties may help us to enhance our customer lists with additional demographic or other information, so we can better target our advertising and marketing campaigns.
Do-Not-Track. Currently, our Portal does not recognize web browser “Do-Not-Track” requests. You may, however, disable certain tracking as discussed below (e.g., by disabling all but necessary cookies).
Cookie Settings. You can set your browser to block certain cookies or notify you when a cookie is set; you can also delete cookies. The “Help” portion of the toolbar on most browsers will tell you how to prevent your device from accepting new cookies, how to have the browser notify you when you receive a new cookie, or how to delete cookies. Visitors to our Portal who disable cookies might not be able to enter the Portal. If you visit the Portal from a different device or from a different browser on the same device, you will need to apply your cookie settings for that browser and/or device as well.
- Your Data Subject Rights
Subject to certain exemptions, and in some cases dependent upon our legal basis (see section 4 above), you have certain rights in relation to your personal data. These are:
- To access your personal data
- To rectify / erase your personal data
- To restrict the processing of your personal data
- To transfer your personal data to another controller (‘data portability’)
- To object to the processing of your personal data
- To object to how we use your personal data for direct marketing purposes
- To obtain information regarding and/or a copy of personal data safeguards used for transfers outside the UK to non-adequate countries
- To lodge a complaint with your local supervisory authority
We may ask you for additional information to confirm your identity and for security purposes, before disclosing the personal data requested to you. We reserve the right to charge a fee where permitted by law, for instance if your request is manifestly unfounded or excessive.
You can exercise your rights by contacting us. Subject to legal and other permissible considerations, we will make every reasonable effort to honour your request promptly or inform you if we require further information in order to fulfil your request.
We may not always be able to fully address your request, for example if it would impact the duty of confidentiality we owe to others, or if we are legally entitled to deal with the request in a different way.
At any time, if you need help, you may submit a request to exercise most of your privacy rights by emailing us at privacy@empatica.com.
- Retention
We retain your personal data for as long as reasonably necessary to fulfill the purposes for which it was collected or as otherwise necessary to comply with our legal obligations, resolve disputes, maintain appropriate business records, and enforce our agreements. After such period we will delete the Personal Data in a manner that follows the applicable legislation.
- Processing of Children’s Personal Data
We are committed to protecting the privacy of children who use our Services. This section includes supplemental information regarding our processing of personal data relating to children.
Age groups:
- Children over the age of 13: can register as a user of the Services of their own accord.
- Children over the age of 6 but under the age of 13: can be given the EmbracePlus but may not register as users of the Services.
- Children under the age of 6: should not use the EmbracePlus or related services.
Processing and Sharing of Children's data
We will process personal data relating to children as set out in this Notice. Where you are a parent or guardian acting as the User on behalf of a child under 13, you may also access your child’s personal data collected by us and may choose to receive notices of certain activity through the App; you may also designate additional caregivers to receive such notices.
Parental Changes and Controls. When children under the age of 13 create an account or otherwise engage with the Services, we will obtain verifiable parental consent prior to the collection of their Personal data. Parents may also review their child’s Personal data maintained by us, and exercise on their child's behalf any of their data subject rights set out at section 7 above.
- International Transfers of Personal data
Empatica is headquartered in the United States, and has operations, entities, and service providers in the United States, European Union, and throughout the world. As such, Empatica and our service providers may transfer your personal data to, or access it in, jurisdictions (including the United States and other jurisdictions where we, our affiliates and service providers have operations) that do not include equivalent levels of data protection as your home jurisdiction. We will take steps to ensure that such personal data receives an adequate level of protection in the jurisdictions in which we process it, including through appropriate written data processing terms and/or data transfer agreements. Additional information regarding such safeguards is available on request using the contact details at section 14.
- Security
We have implemented appropriate technical and organizational safeguards that are intended to protect the personal data we collect from loss, misuse, unauthorized access, disclosure, alteration, and destruction. Please be aware that despite our efforts, no data security measures can guarantee security.
- Third-Party Links
Our Services may contain links to third-party websites. Any access to and use of such linked websites is not governed by this Notice, but instead is governed by the privacy notices of those third-party websites. We are not responsible for the information practices of such third-party websites.
- Changes to this Privacy Notice
We may make changes to this Notice from time to time, so please be sure to check back periodically. We will post updates to the Notice on our website. If we make any material changes to this Notice, we will endeavor to provide you prior notice, such as by emailing or posting a prominent notice on our website.
- Contact Us
The Data Protection Officer appointed by Empatica pursuant to Section 37 of the Privacy Regulation can be contacted at the following postal address: Data Protection Officer (DPO), Empatica Srl, Via Stendhal 36, 20144 Milano (MI), Italy. Email address: privacy@empatica.com.
Empatica welcomes your questions and comments about your privacy or this Notice. Please contact us by emailing privacy@empatica.com or calling us at +1 (866) 739-2049.

