PRECISION APP PRIVACY POLICY

PNOĒ Precision App Privacy Policy

Welcome to PNOĒ Precision App!

We take the protection of your personal data and private life very seriously. In accordance with transparency principles, we have created this policy, which is an integral part of our Terms of Use, to provide you with adequate information regarding the processing of your data by our Company through our Platform and related Application.

Please read our Privacy Policy carefully to get a clear understanding of how we collect, use, protect or otherwise process your data.

NON-US RESIDENTS/USERS:

BY USING OUR APPLICATION, YOU DECLARE THAT YOU UNDERSTAND AND AGREE TO THE COLLECTION, USE AND TRANSFER OF YOUR PERSONAL DATA FOR PROCESSING IN THE UNITED STATES AS DESCRIBED IN THIS PRIVACY POLICY.

Please note that our databases and systems are hosted on servers in the United States. If you are located outside of the United States, please be aware that information we collect will be processed and stored in the United States. This Application is subject to U.S. laws, which may not afford the same level of protection as the applicable laws in your country or region. By using our Services and providing information to us, you consent to the transfer to and processing of the information in the United States. You will be asked for your explicit consent to this data transfer as part of account registration. If you do not agree with this or any part of this Privacy Policy, please do not access or continue to use any of the Services or otherwise submit your Personal Information/Data (defined below) to us.

European Union Residents: In order to comply with the requirements of the European General Data Protection Regulation (GDPR) for our European consumers and users, this Privacy Policy contains EU specific provisions below. 

Introduction

PNOĒ Inc., with a registered address at 67 Maplewood St., Suite 202, Malden, MA 02148, USA, hereinafter referred to as the “Company” or “we” or “us”, provides software that automatically analyzes metabolic information to provide an in-depth personalized analysis of heart, lung, muscular, and neuromuscular function in real time.

Anyone who has purchased or rented our Company’s equipment such as healthcare professionals, Affiliates or other professionals and companies engaged in related activities etc. (hereinafter referred to as the “Affiliates”) can create personalized metabolic profiles of their customers in our online platform which is currently commercialised under the name “API MyPnoe Platform” or however it may be renamed in the future  (hereinafter referred to as the “Platform”), to use our Company’s equipment and related services. 

Our company’s mobile application “PNOĒ Precision App”, hereinafter referred to as the “Application”, makes it possible for you, as an Affiliate’s customer, to have direct access (meaning from now on without your Affiliate’s assistance) to your active metabolic profile in our Platform and update it. Similarly, we have developed a mobile application “PNOĒ Monitor,” which allows the Affiliate to have access to data concerning your metabolic profile obtained through the tests conducted with the PNOĒ device, any wearable devices, or other lab data, your demographic and biometric data, nutrition preferences, as well as your nutrition plans.

This Privacy Policy is to inform you that in order to provide our services related to the purchase or rental agreement between our Company and your Affiliate and, also, comply with our legal obligations, we process information through our Platform and Application, which may lead to your identification as users. 

In any case, we inform you that we process your personal data on behalf and under the instructions of your Affiliate. In this context, we implement all the appropriate technical and organizational measures, and we assist your Affiliate in compliance with the applicable legal framework, among others and in particular, the European General Data Protection Regulation (GDPR) and the US applicable framework (see specific disclosures for EU residents below).

Definitions 

“Personal Information” or “Personal Data” (hereinafter these terms are used interchangeably) means any information relating to an identified or identifiable natural person/individual/consumer that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

“Sensitive personal information/data” means personal information/data which is, by its nature, particularly sensitive and merits specific protection because, if lost, compromised, or disclosed without authorization, it could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual, as the context of its processing could create significant risks to the fundamental rights and freedoms of the individual/consumer. Sensitive information/data may include Social Security Numbers, financial information, health information, information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

What data do we process?

The data stored and processed in our systems relate to your fitness and wellness goals as these have been collected by your Affiliate and may include your full name, email, phone number, login credentials, height, date of birth, gender, weight, primary goal for PNOE, body fat percentage, body composition percentage, preferred diet, physical activity intensity during the day, training intensity, dietary restrictions and habits, sleep schedule, medical conditions such as diabetes, hypothyroidism, hyperthyroidism, pulmonary illnesses, high blood pressure and asthma, medication you receive, and schedule, as well as data that you have chosen to be shared with the Application, or the Application collects, when you use or interact with a wearable or other connected device such as data on biomarkers such as Resting Energy Expenditure, Maximum VO2, RER, VC/VO2 ratio, End-tidal carbon monoxide, Estradiol, Testosterone, Cortisol, Leptin, Insulin.

How do we collect your Information? 

  • From Your Affiliate: Based on your contractual relationship with your Affiliate, your Affiliate creates a personalized metabolic profile of you in our online platform, in order to use our Company’s equipment and related services. Your Affiliate-created profile includes your personal data, such as identification data, contact information, data related to your training and nutrition routine, health data, etc.
  • Directly from you:  When you download the Application and create an account on our Application after receiving an invitation link via email sent upon your request by your Affiliate. Upon verification of your identity, you may directly access your profile and provide additional personal data or modify your existing ones.

How and why do we process your data?

We process your data on behalf of your Affiliate to allow your Affiliate to create a personalized metabolic profile for you in our Platform, which will necessarily include types of your personal data, such as identification data, personal details, data related to your training and nutrition routine, and health data (such as data about biomarkers related to human breath or heart rate). You may also choose to allow your Affiliate and us to use your data to create a nutrition plan tailored to your metabolism and needs. You may gain access to your profile by creating an account on our Application after receiving an invitation link via email sent upon your request by your Affiliate. In order to be identified as the owner of your existing profile in our Platform and be able to directly update it via the Application, you need to fill in your identification data (e.g., your first and last name) after following the invitation link. Then you may directly complete your profile by providing us with personal data of all the above-mentioned data categories, including your health data, via the Application.

We process this data to provide our services as a data processor as specified in our agreement with your Affiliate. We only perform processing activities that are necessary and relevant to the services agreed among our Company and your Affiliate.  To the extent permitted by applicable laws, we use this data for data aggregation purposes to permit data analyses that relate to the operations of your Affiliate.  We may de-identify any and all data we create or receive under the aforementioned processing in accordance with our agreement between our Company and your Affiliate.  Once de-identified such data is no longer considered personal data covered by this policy, and we may use and disclose such de-identified data for our own purposes.  

You are aware and understand that for your Affiliate to build a personalized metabolic profile for you in our Platform and offer you the services agreed upon, you need to provide the aforementioned information. Such personal information is necessary to perform the contract concluded between you and your Affiliate and the provision of services and you explicitly provide your consent to the collection and use of your personal information. 

Do we share your personal information? 

  • We will share certain information with third parties who perform services on our behalf. These third-party companies provide us with support or other services such as technical support and database hosting services.
  • We may share certain information in order to comply with the law, legal proceedings, and as authorized by law, for instance to comply with our legal requirements, enforce our User Agreement and this Policy. We may also share personal information with law enforcement or governmental agencies or authorized third parties in response to a subpoena or a court order, a verified request or legal process relating to a criminal investigation or alleged or suspected illegal activity or any other activity that exposes us, you, or any other of our users to legal liability. 
  • We may share certain information with any successor to all or part of our business. In the event of a merger or acquisition with/by another company, we may share information with them. In such an event, we will require that the new combined entity follow this Privacy Notice with respect to your personal information. 

We only share information which is relevant and necessary for each of the above-mentioned purposes.

What Security Measures do we use?

We have security measures in place to protect your information. The company, its employees, processors, and assistants have implemented appropriate technical and organizational measures to ensure, as much as possible, the most appropriate protection of personal data against accidental or unlawful destruction, loss, alteration, unlawful disclosure or access to them and any unlawful processing, as well as to ensure the possibility of restoring availability and access to them. The security measures we use include (non-exhaustive list) firewalls and data encryption, physical and electronic access controls to our data centers, use of unique and complex passwords, their regular change and renewal in case of reassignment/exit of employees, and strict designation of roles, work tasks and processing of data.

Specific disclosures regarding the location of the users

Your California Privacy Rights

Under California Law you may have the right to access, correct, request deletion or request restriction of our usage of your personal information stored in our systems. Any such request must be submitted to your Affiliate. We have the appropriate internal procedures to assist your Affiliate in fulfilling your requests to the extent this is required and permitted by applicable law. Please note that we do not sell or share our consumers’ PII with 3rd parties for marketing purposes.

EU residents

This section of this Privacy Policy is addressed in particular to European users of our Platform and Application aiming to ensure that we process your personal data as data processor on behalf of your data controller, always in compliance with the requirements of the GDPR. 

Definitions

«Personal data» 

Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

«Special categories of personal data»

Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms. Those personal data should include personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

«Processing»

Any operation or set of operations which is performed on personal data or on sets of personal data, whether by automated means or not, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

«Consent» of the data subject

Any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

«personal data breach» 

‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed;

Our Role

According to the GDPR, this information we process on behalf of your Affiliate is “personal data”, while you, as users, are characterized as “data subjects”, and your Affiliate, as long as they determine the purposes and means of the processing of personal data, is the “controller” of your data. We, the Company, are the “processor” of your data, as we exercise no control of the purposes and means of the processing of your personal data, and we have the obligations of the processor under Article 28 GDPR.

General Information on your Data Processing

Your data is collected (either directly by you or by your Affiliate) and stored in our database to receive the services you have agreed upon with your Affiliate, to allow initially your Affiliate to create a personalized metabolic profile for you in our Platform and then allow you to access and edit your profile on our platform via our App. 

The Legal Basis for this processing undertaken by your Affiliate under the GDPR is:

For non-sensitive (special categories of) data: processing is necessary for the performance of a contract to which you are a party or to take steps at your request prior to entering a contract [Art. 6 (1) (b) GDPR]. In addition, non-sensitive personal data may be processed based on the legitimate interest [Art. 6 (1) (f) GDPR], such as ensuring the security of the systems, providing you with information related to your selected program etc., or your consent [Art. 6 (1) (a) GDPR] for specific purposes as these are determined by your Affiliate.

For sensitive (special categories of) data: processing is based on your explicit consent [Art. 9(2) (a) GDPR], given when you registered to the Application and created your account. 

Our Obligations

We, as a data processor, are contractually bound to provide the necessary safeguards and to take all appropriate technical and organizational measures to ensure the lawful processing and protection of your data and rights.

Instructions

We inform you that we process your data only on documented instructions from the controller, including transfers of personal data to a third country or an international organization unless required to do so by law to which our Company is subject.

If, in our opinion, an instruction by the controller infringes the GDPR, we will immediately inform them and not execute the instruction until it has been confirmed or modified.

Security and Confidentiality

To ensure the adequate protection of your data, our Company implements internal security policies, takes all appropriate technical and organizational measures and trains its staff, which is bound by confidentiality and privacy clauses. 

We ensure that persons authorized to process your data have committed themselves to confidentiality and, also, that your data will only be made available to personnel that require access to such data for the provision of services relating to processing. 

In addition, we use technologies which ensure the security of your data, e.g., Secure Sockets Layer (SSL) certificate, as well as encryption and physical security.

Our goal is to integrate information security and data protection principles in all aspects of the Company’s operation. In this context, we monitor the security measures on a regular basis and, if deemed necessary, we align them with the new best practices.

Data breach

In case of a data breach that can lead to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to, personal data transmitted, stored, or otherwise processed, we give immediate notice to the controller. 

In addition, we make reasonable efforts to identify the cause of such a breach and take those steps as they deem necessary to establish the cause, and to prevent such a breach from reoccurring.

Erasure of your data

We delete all your data upon the request of the controller or after the end of the provision of services relating to processing and, also, destroy existing copies unless we are obligated by law to store your data (e.g., by tax legislation).

Information and assistance

We make available to the controller all information necessary to demonstrate compliance with their obligations as a controller and we cooperate, if requested, with the supervisory authority for the performance of its tasks.

Rights of the data subjects

Under GDPR you have the following rights:

  • Right of access to your Personal Data (Art. 15 GDPR) 
  • Right to correction (Art. 16 GDPR): You have the right to have your Personal Data corrected, as permitted by law.
  • Right to erasure (Art. 17 GDPR): You have the right to ask us to delete your Personal Data, as permitted by law. 
  • Right to restriction of processing (Art. 18 GDPR): You have the right to request the limiting of our processing under limited circumstances as permitted by law.
  • Right to data portability (Art. 20 GDPR): You have the right to receive the Personal Data that you have provided to us, in a structured, commonly used and machine-readable format, and you have the right to transmit that information to another controller, including to have it transmitted directly, where technically feasible.
  • Right to object (Art. 21 GDPR): You have the right to object to our processing of your Personal Data, as permitted by law. 
  • Right to File a Complaint to the competent Data Protection Authority.

Considering the nature of the processing of your data we will assist the controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the controller’s obligation to respond to requests for exercising your rights as data subject. Namely:

If the controller receives a request from you related to the exercise of your rights as a data subject, and the correct and legitimate reply to such a request necessitates our assistance, we will assist within reasonable time the controller by providing the necessary information and documentation. On the other hand, if we receive a relevant request from you, we will immediately forward the request to the controller and assist them, if needed, to properly respond. 

In particular, regarding your right to erasure of your data, we inform you that if you erase your Application account and/or uninstall the Application, your profile in our Platform will not be deleted! To exercise your right to erasure, you may submit this request to your Affiliate, who will, with our assistance and without undue delay, delete your profile in our Platform and, therefore, your related personal data.

Sub-Processors

We inform you that we are given general authorization to engage third parties to process your data (“sub-processors”) without obtaining any further written, specific authorization from the controller. If the controller objects to a new sub-processor and we cannot accommodate their objection, the controller may terminate our contract by providing written notice to us.

We assure you that our sub-processors provide at minimum the same data protection obligations as the ones applicable to us and that we are accountable to the controller for any sub-processor in the same way as for our own actions and omissions.

International Transfers 

The Personal Data we process on behalf of your Affiliate is stored on servers in the United States, a third country under the GDPR. To ensure the lawfulness of such transfers we have adopted and implemented the appropriate safeguards as defined in the GDPR, namely the Standard Contractual Clauses. 

Contact us

If you have any questions regarding this Privacy Policy and how we process your personal data on behalf of your Affiliate, you may contact XHALE S.A., which has been appointed to be responsible for facilitating such inquiries and is also our EU Representative.

EU Representative

XHALE S.A.

Tatoiou 4 & Othonos 77 str. 

Kifissia, Attica, Greece

tel.: +30 210 9531294 

email at: privacy@pnoe.com

In any case, to seek further information regarding the processing of your data which is performed in connection with the use of our Company’s equipment and related services, you may contact your Affiliate.