Privacy Notice for Patients using the Empatica Health Monitoring Platform (EHMP)
Last updated: v1.0 Feb, 2026
This Privacy Notice (“Notice”) explains how Empatica Inc., with offices at 1 Broadway, 14th Floor, Cambridge, MA 02142, USA (“Empatica,” “we,” “our,” or “us”), processes personal information relating to patients of hospitals or clinical centers that are Empatica customers (“Customers”) in the United States who use the Empatica Health Monitoring Platform (“EHMP”) and its related components and services (together, the “Services”).
Empatica provides digital-health and medical-device technologies that enable the remote collection, transmission, and analysis of physiological data from patients with Parkinson’s disease (“patients,” “you,” or “your”) under the direction and control of the Customers.
The Customers determine how patient information is processed for diagnosis, care, and treatment. When Empatica processes patient information to support those purposes, Empatica does so on behalf of the Customer and under the Customer’s instructions. Those processing activities are not covered by this Notice and are addressed by the Customer’s own patient privacy notices and policies.
However, Empatica also processes certain information as an independent controller in connection with the Services, meaning Empatica determines the purposes and means of that processing. This Notice describes those independent processing activities (for example, activities related to safety/safeguarding, regulatory compliance, and quality management), and explains the choices and rights that may apply to you under applicable U.S. privacy laws, depending on where you live and the nature of the information.
If you are a resident of certain U.S. states, you may have additional rights or we may provide additional disclosures relating to “consumer health data” or similar concepts under applicable state law. Where applicable, these are described in the relevant section(s) of this Notice.
1. Who is this Notice intended for?
This Notice describes how Empatica processes the personal data of patients of Customers who use the Services in the United States.
If the patient is a child, Empatica may process limited non-health data relating to the patient’s parent, guardian, or authorized healthcare professional. Accordingly, in such cases, the term “Data Subjects” should be interpreted to include these individuals.
Age groups
Children over the age of 6 but under 18: may use the Services only under the supervision of a parent, guardian, or authorised healthcare professional. They may not register as users of the Services directly; registration and any required authorizations must be completed by their parent, guardian, or the responsible investigator or clinician.
Children under the age of 6: the Services are not intended for children under 6 years of age. Therefore, Empatica will not process any data relating to children under 6 years of age.
2. Data Sources and Categories
Empatica mainly collects personal information from patients through their use of the Services. However, Empatica may collect patients’ information from the Customer in the course of post-market monitoring or technical support.
Empatica may process:
Identifiable contact data such as name, surname, date of birth, age, gender, email address;
Device and technical information, online identifiers and device usage data, such as IP address, device identifiers, device operational metrics, device calibration and validation reports, firmware and app version, timestamps, operating system, connectivity logs, technical logs, mobile device identifiers (e.g., IMEI/device ID);
Health-related data such as physiological signals, wearing time, movements, sleep, Parkinson’s-related scores (e.g., tremor, bradykinesia, dyskinesia), medication logs, and other device performance data.
However, the specific data processed may vary, depending on the EHMP configuration chosen by the Customer and the device used by the patients.
3. Purposes and legal grounds for the processing of personal data
Empatica processes patients’ personal information only for the limited purposes where Empatica acts as an independent controller in connection with the Services (i.e., Empatica determines the purposes and means of processing). These purposes are described below.
Safeguarding (safety and performance monitoring)
Empatica processes health-related information, device identifiers, and device/technical information to monitor and assess the performance and safety of EHMP, including diagnostics, troubleshooting, remediation, and responding to safety issues and adverse event reports. This information is generally generated automatically by the device or the Services, and in some cases may be provided by the Customer in the course of post-market monitoring or technical support. This processing is necessary to support patient safety and to meet applicable safety and vigilance requirements.
Regulatory and quality-management compliance
Empatica processes health-related information and device and technical information as needed to meet applicable regulatory, quality-management, audit, and recordkeeping requirements (for example, maintaining quality and performance documentation, addressing complaints, and supporting compliance activities). Information may be generated automatically through the Services or provided by the Customer in connection with compliance activities. This processing is necessary to meet applicable legal and quality obligations; without it, Empatica may be unable to satisfy relevant requirements.
Analytics and research (if authorised)
Where permitted and if you have provided any required authorisation, Empatica may conduct analytics and research using data derived from personal information, device information, activity information, and health-related information, in pseudonymised or aggregated form, to improve algorithms, validate performance, and support future regulatory or clinical submissions. This processing is optional. If applicable, you may decline to authorise this use or withdraw authorisation without affecting your clinical care or the Services as provided by the Customer.
Marketing and advertising
Where permitted by law and consistent with your choices, Empatica may use identification and contact information (such as name and email address) to send marketing communications about Empatica products and services (for example, by email). This processing is optional, and you can opt out at any time using the unsubscribe mechanism in the message or as described in the “Your privacy choices” section.
Legal claims
Empatica may process personal information as necessary for the establishment, exercise, or defense of legal claims, including to protect Empatica’s rights and manage disputes. The categories of personal information involved may vary depending on the specific situation and may include identification and contact details and relevant device/technical information.
Corporate transactions
Empatica may process and disclose personal information as part of evaluating or carrying out corporate transactions such as a merger, acquisition, restructuring, financing, or sale of assets. The categories of personal information involved will vary depending on the transaction, and disclosures may be made to advisers and other parties involved in the transaction, subject to appropriate protections.
4. Sharing Your Personal Data with Others
Empatica shares personal information covered by this Notice only as necessary for the independent-controller purposes described in this Notice and in accordance with applicable U.S. privacy laws.
a) Affiliates
Empatica may share personal information with its affiliates on a need-to-know basis for the purposes described in this Notice, including:
Empatica S.r.l. (Italy), which supports EHMP operations and certain corporate functions.
b) Service providers
Empatica engages carefully selected third-party service providers that perform specific functions on Empatica’s behalf. These service providers process personal information only according to Empatica’s documented instructions and for the limited purposes described in this Notice. These may include providers of:
secure cloud-hosting and data-storage infrastructure;
device-connectivity and communication services;
maintenance, calibration, and quality-assurance support;
audit and certification services;
customer-support and incident-management systems;
security monitoring, logging/observability, and vulnerability-management services; and
identity and access management / authentication services (to manage user accounts, access controls, and login security).
Empatica requires service providers to be bound by written agreements imposing appropriate confidentiality, data-protection, and security obligations.
c) Legal, regulatory, and safety disclosures
Empatica may disclose personal information to competent authorities, regulators, courts, law-enforcement agencies, or other public bodies where necessary to:
comply with applicable law or a binding legal process (e.g., subpoenas, court orders, or other lawful requests);
report, investigate, or respond to device-safety incidents or adverse events;
demonstrate conformity or compliance during regulatory audits or inspections; or
establish, exercise, or defend legal claims.
Such disclosures are limited to what is necessary to fulfil Empatica’s obligations and purposes described above.
d) Corporate transactions
In the event of an actual or contemplated merger, acquisition, restructuring, financing, or sale of assets involving Empatica, personal information may be disclosed to advisers and prospective or actual counterparties and may be transferred to the acquiring or successor entity as part of the transaction. Any such disclosure or transfer will occur subject to appropriate protections intended to preserve confidentiality and continuity of safeguards.
5. Aggregate and De-Identified Information
Where permitted by applicable U.S. laws, Empatica may generate and use aggregated information derived from personal information processed under this Notice (for example, statistics relating to EHMP usage patterns, device performance and reliability metrics, security and performance monitoring trends, and operational volumes) for quality control, analytics, research, development, and other business purposes consistent with the purposes described in this Notice.
Empatica may also create and use de-identified information (information that is no longer reasonably linked or linkable to an identified or identifiable individual, household, or personal or household device). Where Empatica uses, discloses, or otherwise processes de-identified information, Empatica will maintain and use it in de-identified form and will not attempt to re-identify it, except as permitted by applicable law (for example, to evaluate whether de-identification processes are reasonable and adequate).
6. Cookies and Similar Technologies
We and our service providers use cookies, pixel tags, and other similar tracking technologies to automatically collect information about browsing activity, device type, and similar information when you access our websites, online content, and any web-based resources that may be linked to or used in connection with the Services (for example, support resources linked from the app, pages you visit after clicking links in emails, and marketing-related web pages). This information, which may be considered personal information in some jurisdictions, is used, for example, to analyze and understand how you access, use, and interact with our Services and related online content; to identify and resolve bugs and errors; to assess, secure, protect, optimize, and improve performance; to personalize content; and for marketing, advertising, measurement and analytics purposes. We may also de-identify and/or aggregate such information to analyze trends, administer Services and web resources, and gather broad demographic information for aggregate uses, and for any other lawful purposes.
Cookies. Cookies are alphanumeric identifiers used for tracking purposes. Some cookies allow us to make it easier for you to navigate our websites and web resources, while others are used to enable a faster log-in process (where applicable), to support the security and performance of the websites/resources, or to allow us to track activity and usage data within and across them.
Pixel Tags and Similar Technologies. Pixel tags (sometimes called web beacons or clear GIFs) are tiny graphics with a unique identifier, similar in function to cookies. We may use these tracking technologies to understand users’ activities, to help manage content and compile usage statistics, and in emails to let us know when they have been opened or forwarded so we can track response rates and gauge the effectiveness of our communications.
Local Storage Objects. Local storage is a web storage mechanism that allows us to store data on a browser that persists even after the browser window is closed. Local storage may be used by our web pages to cache certain information in order to enable faster loading of pages and content when you return. You can clear data stored in local storage through your browser settings. Please consult your browser help menu for more information.
Analytics. We use analytics tools to evaluate usage and traffic on our websites and web resources. These analytics providers use cookies, pixels, and other tracking technologies to collect usage data to provide us with reports and metrics that help us analyze, improve, and enhance performance and user experience. You can learn more about how Google uses your information at www.google.com/policies/privacy/partners/ (“How Google uses information from sites or apps that use our services”). You can also download the Google Analytics Opt-out Browser Add-on to prevent your information from being used by Google Analytics at https://tools.google.com/dlpage/gaoptout.
Cross-Device Tracking. We and ad networks we work with may use the information we collect about you within our websites and web resources, and on other third-party websites and services, to help us and these third parties identify other devices that you use (e.g., a mobile phone, tablet, other computer, etc.) to interact or engage with us or our Services.
Advertising Networks. We work with ad networks, channel partners, mobile ad networks, analytics and measurement services, and others (“ad networks”) to personalize content, as well as to manage our advertising on third-party websites, mobile apps, and online services. We may share certain information with ad networks, and we may each use cookies, pixel tags, and other tools to collect usage and browsing information within our websites/resources, as well as on third-party websites, apps, and services. This information may include IP address, location information (where enabled on your device or inferred at a general level), cookie and advertising IDs, and other identifiers, as well as browsing information.
Custom Lists and Matching. We may share or make available certain customer list information (such as your name, email address and other contact information) with third parties (i) so that we can better target ads and content to you across third-party sites, platforms and services, and (ii) in some cases, these third parties may help us to enhance our customer lists with additional demographic or other information, so we can better target our advertising and marketing campaigns.
Do-Not-Track. Currently, our websites do not recognize web browser “Do-Not-Track” requests. You may, however, disable certain tracking as discussed below (e.g., by disabling all but necessary cookies).
7. Your Privacy Rights and Choices
Depending on where you live in the United States and the nature of the personal information processed under this Notice, you may have certain rights and choices with respect to that information. Requests and choices under this section apply only to personal information that Empatica processes as an independent controller as described in this Notice.
Your Privacy Choices (opt-in / opt-out)
Marketing communications. Where we send marketing communications (for example, by email), you may opt out at any time by using the unsubscribe mechanism included in the message or by contacting us as described below.
Analytics and research. Where we offer an optional choice (for example, analytics/research where authorized), you may withhold or withdraw your authorization/permission at any time. Withdrawal will not affect the lawfulness of processing carried out before the withdrawal.
Your Privacy Rights (U.S.) and State-Specific Disclosures
Your rights may include the right to request access to, correction of, or deletion of certain personal information; and, in some states and circumstances, the right to obtain a copy of certain information in a portable format and/or to opt out of certain processing (for example, “sale”/“sharing” or targeted advertising, as those terms are defined under applicable state law). Where applicable, additional disclosures and state-specific instructions for exercising rights—including any disclosures relating to “consumer health data” (such as under the Washington My Health My Data Act)—are provided in the State Privacy Addenda at the end of this Notice.
How to exercise your rights
You can submit a request by contacting us at privacy@empatica.com. We may ask you for additional information to confirm your identity (or your authority to act on behalf of another person) and for security purposes before responding to a request. We will respond within the timeframes required by applicable law, and we may deny a request where permitted or required by law (for example, where we must retain certain information for safeguarding, regulatory, quality-management, or legal purposes).
Requests relating to your clinical care records
This Notice does not cover your hospital/clinic’s processing for diagnosis, care, or treatment. If your request relates to information processed by your hospital/clinic for those purposes, you should contact your hospital/clinic directly.
8. Data Retention
We retain your personal information for as long as reasonably necessary to fulfil the purposes for which it was collected and processed under this Notice, including to comply with applicable legal, regulatory, and quality-management obligations, resolve disputes, maintain appropriate records, and enforce our rights and agreements, unless a longer retention period is required or permitted by applicable law:
Safeguarding, regulatory and quality-management compliance – for the period prescribed by applicable law and applicable quality/vigilance recordkeeping requirements (including for post-market surveillance, diagnostics and remediation, vigilance reporting, and other regulatory-compliance activities), which may require Empatica to retain certain pseudonymised data for up to twenty-five (25) years.
Research and analytics – where personal information is processed for research or analytics purposes (where offered/authorised), it may be retained for up to twenty-five (25) years where necessary to support future regulatory and clinical submissions, in accordance with applicable record-keeping obligations.
Marketing and advertising – until you opt out/withdraw your permission for such processing or, in any event, for no longer than twenty-four (24) months from the last interaction related to marketing communications (e.g., an opt-in event).
Establishment, exercise or defense of legal claims – personal information processed for this purpose may be retained until the expiration of the applicable statutory limitation period.
Corporate transactions – personal information processed for this purpose is retained for the period applicable to the specific processing activities described above.
After the applicable retention period expires, Empatica securely deletes or irreversibly anonymises the data in accordance with its information-security and data-retention procedures. No specific retention limit applies to data that have been permanently anonymised.
9. Children’s Privacy Notice
We are committed to protecting the privacy of children who use our Services. This section includes disclosures required under the Children’s Online Privacy Protection Act of 1998 and its implementing regulations (collectively, “COPPA”). This section applies only to children under the age of 13 (a “child” or “children”) and supplements the other provisions of this Notice. The other provisions of this Notice apply to individuals age 13 and older.
Scope. This Notice (including this COPPA section) applies only to personal information that Empatica processes as an independent controller as described in this Notice (for example, for safeguarding, regulatory compliance, and quality management, and—where offered—optional analytics/research with appropriate authorization). This Notice does not cover the hospital/clinic’s processing for diagnosis, care, or treatment, which is addressed in the hospital/clinic’s patient privacy notices and policies.
This section notifies parents/guardians of:
the types of personal information we may collect from children under 13 (“Children’s Personal Information”);
how we use Children’s Personal Information; and
our practices for disclosing Children’s Personal Information.
We collect only as much information about a child as is reasonably necessary for the child to participate in the Services, and we do not condition a child’s participation on the disclosure of more personal information than is reasonably necessary.
Information We May Collect from Children
Information collected directly. Depending on the circumstances, we may collect the following information from a parent/guardian (and, where relevant, from the child) when supporting the Services:
Contact information. When you contact us (including via email, phone, or webform), we may collect contact details such as name, email address, phone number, and any other information you choose to provide.
Communications and interactions. If a parent/guardian communicates with us regarding the child’s use of the Services (for example, troubleshooting, safety issues, or support), we may maintain a record of contact details and the history of those interactions.
Information collected automatically. We may automatically collect technical and usage information about users of the Services, including children, such as:
Device and technical information. IP address; device identifiers; device operational metrics; firmware/app version; operating system; timestamps; connectivity logs; and technical logs.
Activities and usage. Information about use of the Services and device performance relevant to safeguarding and quality activities (for example, diagnostics and reliability metrics).
Health-related information. To the extent necessary for the independent-controller purposes described in this Notice (for example, safeguarding, complaint handling, and regulatory/quality recordkeeping), we may process health-related information generated through the Services, such as physiological signals and derived measures or scores, and related device performance data. The specific health-related information processed may vary depending on the EHMP configuration chosen by the hospital/clinic and the device used.
How We Use Children’s Personal Information
We use Children’s Personal Information only for the limited independent-controller purposes described in this Notice, including:
Safeguarding and safety monitoring. To monitor and assess the performance and safety of EHMP, including diagnostics, troubleshooting, remediation, complaint handling, and responding to adverse event reports or other safety issues.
Regulatory and quality-management compliance. To meet applicable regulatory, audit, and recordkeeping requirements and to support quality-management obligations.
Optional analytics and research (where offered and appropriately authorized). Where we offer an optional choice and obtain any required authorization/permission, to conduct analytics or research using pseudonymised or aggregated information to improve algorithms or validate performance.
Security and protection of rights. To secure our Services and business operations; prevent and detect fraud, unauthorized activities, and misuse; and to establish, exercise, or defend legal claims.
Corporate transactions. To evaluate or implement mergers, acquisitions, reorganizations, bankruptcies, or other transactions such as financings, consistent with the “Corporate transactions” section of this Notice.
How We May Disclose Children’s Personal Information
We may disclose Children’s Personal Information only as described in this Notice and only as necessary for the purposes above, including:
Service providers. To vendors, service providers, contractors, or agents who perform functions on our behalf, subject to appropriate confidentiality and security obligations.
Legal, regulatory, and safety disclosures. To regulators, government entities, courts, and law enforcement where permitted or required by applicable law, including in connection with safety/vigilance reporting, compliance obligations, or legal claims.
General business operations / corporate transactions. If we or our assets are involved in a merger, acquisition, financing, reorganization, or similar transaction, we may disclose personal information to advisers and counterparties and transfer information to a successor entity, subject to appropriate protections.
Aggregate and de-identified information. We may share aggregate or de-identified information in accordance with the “Aggregate and De-Identified Information” section of this Notice.
Parental Choices and Controls
Where COPPA applies, we will obtain verifiable parental consent before collecting Children’s Personal Information in circumstances where such consent is required. At any time, parents/guardians may:
review the child’s personal information maintained by Empatica (to the extent applicable to Empatica’s independent-controller processing);
request that we correct or delete the child’s personal information (subject to applicable legal, safeguarding, regulatory, and quality-management obligations);
withdraw consent/authorization for any optional processing where consent/authorization is relied upon; and/or
request that we stop further collection or use of the child’s personal information in contexts where COPPA applies.
To exercise these choices, contact us at privacy@empatica.com. We may require you to take certain steps or provide additional information to verify your identity and authority before we provide information or make changes.
10. International Transfers of Personal Data
Empatica is headquartered in the United States and has operations, affiliates, and service providers in the United States, the European Union, and other jurisdictions around the world. As a result, personal information processed in connection with the Services may be transferred to, stored in, or accessed from jurisdictions outside the United States, including jurisdictions that may not provide the same level of legal protection for personal information as your home jurisdiction.
Where we transfer or make personal information available internationally, we take steps designed to ensure that such personal information receives an appropriate level of protection in the jurisdictions in which it is processed, including through appropriate contractual protections (such as written data processing terms and/or data transfer agreements, where required) and technical and organisational safeguards (such as encryption and access controls).
For further information about international transfers, please contact us using the details provided in the “Contact Us” section of this Notice.
11. Security
We maintain reasonable administrative, technical, and physical safeguards designed to protect personal information processed under this Notice against unauthorized access, disclosure, alteration, or destruction. These measures include, as appropriate, access controls, logging and monitoring, encryption, and security procedures intended to support the confidentiality, integrity, and availability of personal information.
No method of transmission or storage is completely secure. If you believe your interaction with us is no longer secure, please contact us using the details in the “Contact Us” section.
12. Third-Party Links
The Services may contain links to third-party websites, applications, or services that are not operated or controlled by Empatica. This Notice does not apply to the privacy practices of those third parties. We encourage you to review the privacy notices of any third-party site or service you visit before providing personal information.
Empatica is not responsible for the content, security, or privacy practices of third-party sites or services.
13. Changes to this Privacy Notice
We may update this Notice from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make changes, we will update the “Last updated” date at the top of this Notice. If the changes are material, we will take additional steps to notify you as required by applicable law.
14. Contact Us
If you have questions about this Notice, our privacy practices, or you would like to exercise your rights and choices described in this Notice, you may contact us at:
Empatica Inc.
1 Broadway, 14th Floor
Cambridge, MA 02142, USA
Email: privacy@empatica.com
State Privacy Addenda
The addenda below provide additional disclosures and instructions that apply to residents of certain U.S. states under applicable state privacy laws (including laws addressing “consumer health data,” such as the Washington My Health My Data Act). Each addendum applies only to the extent it is relevant based on your state of residence and the nature of the information at issue, and only to personal information that Empatica processes as an independent controller as described in this Notice.
Appendix A — Washington Consumer Health Data Privacy Addendum (My Health My Data Act)
This Washington Consumer Health Data Privacy Addendum (“Washington Addendum”) supplements the EHMP Privacy Notice for Patients — Parkinson’s Clinical Care (U.S. Version) (the “Notice”) and applies only to the extent Empatica collects, uses, shares, or otherwise processes “consumer health data” subject to the Washington My Health My Data Act (“MHMDA”) in connection with the Services.
This Washington Addendum applies only to personal information that Empatica processes as an independent controller as described in the Notice. It does not apply to information or practices that are not subject to the MHMDA (for example, publicly available information or information governed by certain federal laws).
1. The Categories of Consumer Health Data We Collect
Due to the broad definition of “consumer health data” under the MHMDA, some of the categories of information described in the Notice may also be considered consumer health data. In connection with the Services, consumer health data we may collect includes, as applicable:
Individual health conditions, treatment, diseases, or diagnosis, including Parkinson’s-related information reflected in monitoring outputs;
Use of prescribed medication, such as medication logs where used within the Services;
Bodily functions, vital signs, symptoms, or measurements, including physiological signals, movements, sleep, wearing time, and derived Parkinson’s-related scores (e.g., tremor, bradykinesia, dyskinesia) generated through the Services;
Data that identifies a consumer seeking healthcare services, which may include certain online identifiers and device/technical information when associated with health-related use of the Services; and
Information derived or extrapolated from non-health information that is processed to associate or identify a consumer with the consumer health data described above.
(For the related non-health categories processed in connection with the Services—such as identifiable contact data and device/technical information—see “Data Sources and Categories” in the Notice.)
2. Purposes of Collection and How We Use Consumer Health Data
Generally, we collect and use consumer health data only for the independent-controller purposes described in the Notice, including:
Safeguarding, including monitoring and assessing EHMP performance and safety, diagnostics, remediation, and responding to adverse-event reports;
Regulatory and quality-management compliance, including required documentation, audits/inspections, and recordkeeping;
Analytics and research (where offered and appropriately authorized), typically using pseudonymised or aggregated data to improve algorithms, validate performance, and support future regulatory or clinical submissions;
Marketing and advertising (where applicable), such as sending marketing communications where permitted and consistent with your choices;
Establishment, exercise, or defense of legal claims; and
Corporate transactions (e.g., mergers, restructurings, acquisitions, sale of assets).
3. The Categories of Sources From Which We Collect Consumer Health Data
In general, we may collect consumer health data from the following categories of sources:
Directly from you (for example, where you or a parent/guardian contacts us for support, or where optional authorizations are collected through Empatica channels);
Those authorized to provide information on your behalf, such as your parent/guardian, caregiver, or authorized representative (as applicable); and
Your device(s) and the Services, which generate health-related data and related device/technical information during monitoring.
4. The Categories of Consumer Health Data We Share
We may share the categories of consumer health data described above (Section 1) to the extent necessary for the purposes described in the Notice and this Washington Addendum.
5. The Categories of Third Parties and Affiliates With Whom We Share Consumer Health Data
We may share consumer health data with:
Affiliates, including Empatica S.r.l. (Italy), on a need-to-know basis for the purposes described in the Notice;
Service providers that perform functions on our behalf (e.g., secure hosting, support tooling, security monitoring, audit/certification support), subject to appropriate contractual protections;
Regulators, government entities, courts, and law enforcement where required or appropriate for safety/vigilance reporting, regulatory compliance, or legal process; and
Others authorized to act on your behalf (as applicable), such as a parent/guardian or authorized representative, in connection with requests or controls described below.
Sale of consumer health data. We do not sell consumer health data. (MHMDA treats “sale” separately from “sharing.”)
6. Your Privacy Rights Under the MHMDA (Washington Residents)
The MHMDA provides Washington consumers with the following rights regarding consumer health data:
Know/Access: the right to confirm whether we collect, share, or sell your consumer health data and to access such consumer health data;
Withdraw consent: the right to withdraw consent from our collection and sharing of your consumer health data; and
Deletion: the right to have your consumer health data deleted.
7. Exercising Your MHMDA Rights
Requests to Know/Access and Delete.
To make a request to know/access or delete your consumer health data, please email us at privacy@empatica.com. Before completing your request, we may need to verify your identity (or your authority to make a request on behalf of another person). Solely for verification purposes and depending on the type of request, we may send you a link to verify your email address, request additional documentation or information, send a code to verify your phone number, and/or ask for additional identifying information.
Requests to Withdraw Consent.
You may withdraw consent for our collection and/or sharing of your consumer health data by contacting us at privacy@empatica.com. Please note that if you withdraw consent for our collection of consumer health data, we may be unable to continue providing the Services (to the extent consumer health data is necessary for the applicable features and purposes, such as safeguarding and regulatory/quality obligations).
Appeals and complaints.
If your request to exercise a right under the MHMDA is denied, we will provide instructions for how you can appeal our decision. If your appeal is unsuccessful, you may file a complaint with the Washington State Attorney General.
Appendix B — California Privacy Addendum (CCPA/CPRA)
This California Privacy Addendum (“California Addendum”) supplements the Notice and applies only to California residents to the extent Empatica processes personal information that is subject to the California Consumer Privacy Act, as amended by the California Privacy Rights Act (together, the “CCPA”).
This California Addendum applies only to personal information that Empatica processes as an independent controller as described in the Notice.
1. Categories of personal information we collect (controller-only)
For the categories of personal information we collect and the sources from which we collect it, please see Section 2 (Data Sources and Categories) of the Notice. For California purposes, those categories may include:
Identifiers (e.g., name, email address)
Online identifiers / device and technical information (e.g., IP address, device identifiers, logs)
Sensitive personal information, which under California law can include health-related information
2. Purposes for which we use personal information
We use personal information for the purposes described in Section 3 of the Notice (Safeguarding; Regulatory and quality-management compliance; Optional analytics/research where authorized; Marketing where applicable; Legal claims; Corporate transactions).
3. How we disclose personal information
We may disclose personal information to the categories of recipients described in Section 4 of the Notice (Affiliates, service providers, legal/regulatory/safety disclosures, and corporate transactions).
4. Sale or sharing of personal information
Empatica does not sell personal information. Empatica also does not share personal information for cross-context behavioral advertising (as “sell” and “share” are defined under the CCPA). If our practices change, we will update the Notice and provide any required choices.
5. Retention
Please see Section 8 (Data Retention) of the Notice for the retention periods that apply to personal information processed under the Notice. California law requires businesses to disclose retention periods (or the criteria used) and not retain personal information longer than reasonably necessary for the disclosed purposes.
6. Your California privacy rights
Subject to certain exceptions, California residents have the right to:
Know / Access: request access to and information about our collection, use, and disclosure of personal information;
Delete: request deletion of personal information;
Correct: request correction of inaccurate personal information; and
Limit the use and disclosure of sensitive personal information (in certain circumstances).
7. How to exercise your California rights
To submit a request, contact us at privacy@empatica.com. We will take steps to verify your request (and, where applicable, your authority to act on behalf of another person). We generally respond within 45 days of receiving a verifiable consumer request, with an extension where permitted by law.
Authorized agents. You may designate an authorized agent to make a request on your behalf. We may require proof of the agent’s authority and may also require you to verify your identity directly.
Non-discrimination. We will not unlawfully discriminate against you for exercising your CCPA rights.
Appendix C — Nevada Privacy Addendum
This Nevada Privacy Addendum (“Nevada Addendum”) supplements the Notice and applies only to Nevada residents to the extent Empatica is an “operator” of an Internet website or online service covered by Nevada Revised Statutes Chapter 603A and processes “covered information” in scope.
This Nevada Addendum applies only to personal information that Empatica processes as an independent controller as described in the Notice.
1. Nevada right to opt out of “sale” of covered information
Nevada law provides consumers the right to submit a verified request through a designated request address directing an operator not to sell covered information the operator has collected or will collect about the consumer.
For Nevada purposes, “sale” is narrowly defined as the exchange of covered information for monetary consideration by the operator to another person for that person to license or sell the covered information to additional persons, with specified exclusions (for example, disclosures to service providers processing on behalf of the operator).
2. Empatica’s position
Empatica does not sell personal information as “sale” is defined under Nevada law.
However, Nevada residents may still submit a verified request as described below.
3. How to submit a Nevada verified request (designated request address)
You may submit a verified request by contacting us at privacy@empatica.com (our designated request address). A “designated request address” may be an email address, toll-free phone number, or website established by the operator.
We may request information reasonably necessary to verify your identity and the authenticity of the request before acting on it.
4. Timing and response
We will respond to a verified request within 60 days after receipt. We may extend that period by up to 30 additional days if reasonably necessary, and if we do so, we will notify you of the extension.
Appendix D — Colorado Privacy Addendum (Colorado Privacy Act)
This Colorado Privacy Addendum (“Colorado Addendum”) supplements the Notice and applies only to Colorado residents to the extent Empatica processes personal data subject to the Colorado Privacy Act (“CPA”). Colorado provides consumer rights and requires controllers to provide certain opt-out mechanisms, including via recognized universal opt-out mechanisms for certain opt-outs.
This Colorado Addendum applies only to personal information that Empatica processes as an independent controller as described in the Notice.
1. Your Colorado privacy rights
Subject to applicable exceptions, Colorado residents may have the right to:
Access personal data;
Correct inaccuracies;
Delete personal data; and
Obtain a portable copy of personal data (where applicable).
Colorado residents may also have the right to opt out of certain processing, including the processing of personal data for:
Targeted advertising;
Sale of personal data (as defined under applicable law); and
Certain profiling in furtherance of decisions that produce legal or similarly significant effects (where applicable).
Empatica’s practices. Empatica does not sell personal data and does not process personal data for targeted advertising, as those terms are defined under applicable state law. If our practices change, we will update the Notice and provide any required choices.
2. Universal opt-out mechanisms (Colorado)
Where required by the CPA, Empatica will honor opt-out requests submitted through user-selected universal opt-out mechanisms that meet the applicable technical requirements, as described by the Colorado Attorney General.
3. How to exercise your Colorado rights
To submit a request, contact us at privacy@empatica.com. We may request information reasonably necessary to verify your identity (and, where applicable, your authority to act on behalf of another person). We will respond within the timeframes required by applicable law, and we may deny requests where permitted by law.
4. Appeals (Colorado)
If we deny your request, you may have the right to appeal our decision. We will provide instructions on how to submit an appeal in our response.
Appendix E — Connecticut Privacy Addendum (Connecticut Data Privacy Act)
This Connecticut Privacy Addendum (“Connecticut Addendum”) supplements the Notice and applies only to Connecticut residents to the extent Empatica processes personal data subject to the Connecticut Data Privacy Act (“CTDPA”). The Connecticut Attorney General provides resources describing consumer rights and covered business obligations, including honoring universal opt-out preference signals.
This Connecticut Addendum applies only to personal information that Empatica processes as an independent controller as described in the Notice.
1. Your Connecticut privacy rights
Subject to applicable exceptions, Connecticut residents may have the right to:
Access personal data;
Correct inaccuracies;
Delete personal data; and
Obtain a portable copy of personal data (where applicable).
Connecticut residents may also have the right to opt out of certain processing, including:
Targeted advertising;
Sale of personal data (as defined under applicable law); and
Certain profiling in furtherance of decisions that produce legal or similarly significant effects (where applicable).
Empatica’s practices. Empatica does not sell personal data and does not process personal data for targeted advertising, as those terms are defined under applicable state law. If our practices change, we will update the Notice and provide any required choices.
2. Universal opt-out mechanisms (Connecticut)
Where required by the CTDPA, Empatica will honor universal opt-out preference signals submitted by Connecticut residents for applicable opt-out rights.
3. How to exercise your Connecticut rights
To submit a request, contact us at privacy@empatica.com. We may request information reasonably necessary to verify your identity (and, where applicable, your authority to act on behalf of another person). We will respond within the timeframes required by applicable law, and we may deny requests where permitted by law.
4. Appeals (Connecticut)
If we deny your request, you may have the right to appeal our decision. We will provide instructions on how to submit an appeal in our response.
Appendix F — Texas Privacy Addendum (Texas Data Privacy and Security Act)
This Texas Privacy Addendum (“Texas Addendum”) supplements the Notice and applies only to Texas residents to the extent Empatica processes personal data subject to the Texas Data Privacy and Security Act (“TDPSA”). This Texas Addendum applies only to personal information that Empatica processes as an independent controller as described in the Notice.
1. Your Texas privacy rights
Subject to applicable exceptions, Texas residents have the right to submit an authenticated request to:
Confirm / Access: confirm whether we are processing your personal data and access that personal data;
Correct: correct inaccuracies in your personal data (taking into account the nature of the data and the purposes of processing);
Delete: delete personal data provided by or obtained about you;
Portability: obtain a copy of certain personal data you previously provided to us in a portable and, to the extent technically feasible, readily usable format; and
Opt out of processing for: (i) targeted advertising, (ii) the sale of personal data, or (iii) certain profiling in furtherance of decisions that produce legal or similarly significant effects concerning you.
With respect to personal data belonging to a known child, a parent or legal guardian may exercise these rights on the child’s behalf.
Empatica’s practices (in connection with the Services). Empatica does not sell personal data and does not process personal data for targeted advertising, as those terms are defined under applicable state law. If our practices change, we will update the Notice and provide any required choices.
2. How to exercise your Texas rights
You can submit a request by contacting us at privacy@empatica.com. We may ask you for additional information reasonably necessary to authenticate your identity (or your authority to act on behalf of another person) before responding.
Texas law requires controllers to provide two or more secure and reliable methods for submitting requests. We may also allow you to submit a request through an existing account (if you have one), but we will not require you to create a new account to exercise your rights.
3. Timing and our responses
We will respond without undue delay, and in any event no later than 45 days after receipt of your request. We may extend the response period once by an additional 45 days when reasonably necessary, and we will notify you within the initial 45-day period if an extension applies.
If we decline to take action on your request, we will explain why and provide instructions on how to appeal.
4. Appeals
Empatica maintains a process for you to appeal a refusal to take action on a request. We will provide a written response to your appeal within 60 days after receipt, including an explanation of the decision.
If we deny your appeal, we will provide information about the Texas Attorney General’s online complaint mechanism.
5. Authorized agents and opt-out preference technology (Texas)
Texas law permits a consumer to designate an authorized agent to submit an opt-out request for targeted advertising and the sale of personal data. Texas law also recognizes that a consumer may use certain technologies (such as a browser setting/extension or device-level setting) that communicate an intent to opt out, subject to verification and other conditions.