This Privacy Policy describes how Powerful Medical Inc., including its affiliates, collects, uses and discloses data, and what your rights are in relation to the data. When we refer to “PM”, we refer to Powerful Medical Inc. or as may be applicable any of its affiliates who process personal data, in particular POWERFUL MEDICAL s.r.o. with registered seat at Bratislavská 81/37, 931 01 Šamorín, ID No. 50 948 431, registered with the commercial register maintained by the District Court Trnava, section Sro, file No. 46781/T.
Applicability
This Privacy Policy applies to PM’s services, subscription services, including the associated PM mobile application, PM web platform and PM service account utilizing API (collectively, the “Services”), www.powerfulmedical.com and other PM’s websites (collectively, the “Websites”) and other interactions (e.g., customer service inquiries, user conferences, etc.) you might have with PM.
If you do not agree with the terms of this Privacy Policy, do not access or use the Services, Websites or any other aspect of PM’s business.
This Privacy Policy does not apply to any third party applications or software that integrate with the Services through the Services (“Third Party Services”), or any other third party products, services or businesses.
In addition, a separate agreement governs delivery, access and use of the Services (the “Customer Agreement”), including the processing of any messages, files or other content submitted through use of the Services or in connection with the Services (collectively, “Personal Data”) and the Services are provided on the basis of an End User Licence Agreement which everyone who uses our Services (“User”) must enter into (the “EULA”). The organization (e.g., your employer or another entity or person) that entered into the Customer Agreement (“Customer”) controls certain aspects of their instance of the Services (their “Deployment”) and associated Personal Data, for example, how long PM will retain Personal Data, subject to terms and conditions of the Customer Agreement.
To the extent any information we process is associated with an identified or identifiable natural person and is protected as personal data under applicable data protection law, it is referred to in this Privacy Policy as “Personal Data.” You are under no statutory obligation to provide any Personal Data. However, certain information is collected automatically and, if some information, such as contact information, is not provided, PM may be unable to provide the Services.
This Privacy Policy applies to all data subjects, including those who fall under the jurisdiction of the Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (“GDPR”) and those who fall under similar U.S. regulations such as the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Depending on your location and the applicable law, either GDPR or relevant U.S. privacy laws will govern our handling of your personal data.
Specifically, any reference to the GDPR within this policy is applicable solely to Users who fall under its jurisdiction. For U.S. residents, particularly those whose data is regulated under HIPAA or other relevant U.S. laws, our practices will adhere to those specific regulations.
Health Information
Within the Services, the User scans ECG recordings of individuals selected by the User (patients) and uploads the image to our servers, where our AI algorithms digitize, analyze, and interpret the ECG recording for further analysis. Based on the ECG analysis, disease-specific patient history questions are generated. Upon answering, the User is provided with a patient management recommendation. Personal Data may in some instances include “Protected Health Information” as defined in the HIPAA or Article 4 (15) of the GDPR. Protected Health Information is governed either by the HIPAA Business Associate Agreement or by the GDPR Data Processing Agreement between the Customer and PM and not by this Privacy Policy.
How We Use Personal Data
Personal Data will be used by PM in accordance with applicable terms in the Customer Agreement, the EULA and Customer’s use of Services functionality, and as required by applicable law. PM primarily acts as a processor of Personal Data and the Customer acts as the controller, unless stated otherwise in this Privacy Policy. Customer may, for example, use the Services to grant and remove access to an authorized user, assign roles and configure settings, access, modify, export, share and remove Personal Data and otherwise apply its policies to the Services. For details on specific roles, please refer to Section ‘Processing of Personal Data’.
PM uses certain Personal Data in furtherance of our legitimate interests in operating our Services, Websites and overall business.
If Personal Data is aggregated or de-identified so it is no longer reasonably associated with an identified or identifiable natural person, PM may use it for any business purpose.
Processing of Personal Data
We process your Personal Data for the following purposes:
- Deployment and Account Information. To create or update an authorized User account or a User glossary, you or the Customer (e.g. your employer) supply PM with an email address, phone number, role or title, and other similar account details. In addition, Customers provide PM (or its payment processors) with its own billing details such as banking information and a billing address.
- Roles: PM acts as a controller.
- Legal basis: The processing is necessary for the performance of a contract to which the data subject is a party under Article 6(1)(b) of the GDPR, or processing is necessary for the purpose of legitimate interest under Article 6(1)(f) of the GDPR of the controller consisting in performance of contractual obligations, regulatory requirements and defence against legal claims. The applicable contract is the Agreement which is concluded between Us and the Customer and the EULA which is concluded between Us and the User.
- Data subjects: The Customer and the User.
- Retention period: Data is kept until (i) Customer’s account in the Services or the Websites’ account is deleted; (ii) mandatory retention periods are satisfied (e.g. accounting); (iii) in case of other regulatory, legal requirements or litigation, kept until resolution of such requirements or litigation.
- Operation of the Services. ECG digitization / ECG interpretation consisting of segmentation, analysis and diagnosis; patient management recommendation. During such processing PM may process certain information such as name, surname and contact details of Users, as well as data provided by the User relating to patients, in particular ECG image, sex, age, patient’s personal number (optional), and further data required to determine patient management recommendations.
- Roles: In relation to this purpose, PM acts as a processor and the Customer acts as a controller. As such, the Customer is accountable for ensuring the provision of appropriate information to the underlying data subject and evidencing the right legal basis (e.g. consent or legal obligation to process personal data).
- Legal basis: We process personal data on the basis of a data processing agreement concluded between PM and the Customer under Article 28 of the GDPR.
- Data subjects: Such individuals as the Customer determines – User’s patients and Users.
- Retention period: Personal data will be retained in line with Customer’s instructions as the data controller. Deletion will be undertaken upon request by the Customer as the data controller.
- Technical Usage Information. To enhance the efficiency and reliability of the Services’ support and maintenance, PM may process the following data:
- Usage Information. PM may (a) collect usage data in connection with your use of the Services and the Websites; (b) conduct satisfaction surveys; and (c) use usage data, satisfaction surveys data and your feedback in connection with providing and improving the Services and the Websites.
- Services Metadata. When an Authorized User interacts with the Services, metadata is generated that provides additional context about the way Authorized Users work.
- Log data. As with most websites and technology services delivered over the Internet, our servers automatically collect information when you access or use our Websites or Services and record it in log files. This log data may include the Internet Protocol (IP) address, the address of the web page visited before using the Websites or Services, browser type and settings, the date and time the Services were used, information about browser configuration and plugins, language preferences and cookie data.
- Device information. PM collects information about devices accessing the Services, including for example type of device, what operating system is used, device settings, application IDs, unique device identifiers and crash data. What specific device information we collect depends on the type of device used and its settings.
- Roles: PM acts as a controller.
- Legal basis: The processing is necessary for the performance of a contract to which the data subject is a party under Article 6(1)(b) of the GDPR, or processing is necessary for the purpose of legitimate interest under Article 6(1)(f) of the GDPR of the controller consisting in performance of contractual obligations, regulatory requirements and defence against legal claims.
- Data subjects: The Customer and the User.
- Retention period: Data is kept until (i) Customer’s account in the Services or Websites’ account is deleted; (ii) in case of other regulatory, legal requirements or litigation, kept until resolution of such requirements or litigation.
- Location information. To optimize resource allocation and facilitate quicker response times in the Services, we may receive information from you, your Customer and other third parties that helps us approximate your location. We may, for example, use a business address submitted by your employer, or an IP address received from your browser or device to determine approximate location. PM may also collect location information from devices in accordance with the consent process provided by your device.
- Roles: PM acts as a controller.
- Legal basis: The processing of personal data for communication is based on your consent under Article 6(1)(a).
- Data subjects: User.
- Retention period: Data is kept until (i) Customer’s account in the Services or Websites’ account is deleted; (ii) in case of other regulatory, legal requirements or litigation, kept until resolution of such requirements or litigation.
- Cookie Information. PM uses cookies and similar technologies in our Websites and Services that help us collect certain information. The Websites and Services may also include cookies and similar tracking technologies of third parties, which may collect certain information about you via the Websites and Services and across other websites and online services.
- Roles: PM acts as a controller.
- Legal basis: The processing of personal data for communication is based on your consent under Article 6(1)(a), unless the processing is necessary for the purpose of legitimate interest under Article 6(1)(f) of the GDPR.
- Data subjects: The Customer and the User.
For further information on how and what type of cookies we use, please visit our Cookies Policy.
- Research to further improve the existing technologies. This includes using provided ECG and related health data to improve the used technologies. All of the used data is de-identified and does not allow for identification of the patient and may include ECG image, sex, age, and further data required to determine patient management recommendations.
- Roles: PM acts as a controller.
- Legal basis: Legitimate interest of the controller under Article 6(1)(f) and Article 9(2)(j) of the GDPR consisting in research of artificial intelligence. The processing is necessary for further development of the Services, its algorithm and software.
- Data subjects: Individuals whose data has been uploaded by the User.
- Retention period: Data is kept in de-identified form for such time as needed to achieve the purpose.
- Medical device vigilance – Protecting and improving safeguards for patients, Users and others by reducing the likelihood of recurrence of incidents. The data of patients may include ECG image, sex, age, and further data required to determine patient management recommendations; name, surname and occupation of Users.
- Roles: PM acts as a controller.
- Legal basis: In accordance with Article 6(1)(c) of the GDPR, processing is necessary for compliance with a legal obligation (EU MDR 2017/745) to which PM is subject.
- Data subjects: Users and patients.
- Retention period: Data is retained for the period stipulated by law, which is 10 years.
- Communication with you – For the purpose of provision of Services, PM may communicate with you by responding to your requests, comments and questions. We may also send you service, technical and other administrative emails, messages and other types of communications, such as messages via notifications built into the Services. We may also contact you to inform you about changes in our Services such as new features, changes in our offerings, and important Services-related notices (e.g. security and fraud notices). These communications are considered part of the Services and you cannot opt out of them. In addition, we may sometimes send you promotional emails or other news about PM.
- Roles: PM acts as a controller.
- Legal basis: The processing is necessary for the performance of a contract to which the data subject is a party under Article 6(1)(b) of the GDPR, or processing is necessary for the purpose of legitimate interest under Article 6(1)(f) of the GDPR of the controller consisting in performance of contractual obligations, or based on your consent under Article 6(1)(a) and legitimate interest under Article 6(1)(f) of the GDPR consisting in direct marketing.
- Retention period: Data is kept until (i) Customer’s account in the Services or Websites’ account is deleted; (ii) in case of other regulatory, legal requirements or litigation, kept until resolution of such requirements or litigation.
- Third Party Services and Third Party Data – Customer can choose to permit Third Party Services for their Deployment. Typically, Third Party Services are software that integrate with our Services. When enabled, the provider of a Third Party Service may share certain information with PM. For instance, if a cloud storage application is enabled to permit files to be imported to a Deployment, we may receive the username and email address of authorized users, along with additional information that the application has elected to make available to PM to facilitate the integration. Authorized Users should check the privacy settings and notices in these Third Party Services to understand what data may be disclosed to PM. When a Third Party Service is enabled, PM is authorized to connect and access certain Personal Data made available to PM in accordance with our agreement with the third party provider. PM may receive data about organizations, industries, Websites visitors, marketing campaigns and other matters related to our business from affiliates, our partners or others that we use to improve our own information. This data may be combined with Personal Data we collect and might include aggregate level data, such as which IP addresses correspond to zip codes or countries, or in some cases more specific data, such as how well a certain marketing campaign performed.
- Roles: PM acts as a controller.
- Legal basis: The processing is necessary for the performance of a contract to which the data subject is a party under Article 6(1)(b) of the GDPR, or processing is necessary for the purpose of legitimate interest under Article 6(1)(f) of the GDPR of the controller consisting in performance of contractual obligations.
- Retention period: Data is kept until (i) Customer’s account in the Services or Websites’ account is deleted; (ii) in case of other regulatory, legal requirements or litigation, kept until resolution of such requirements or litigation.
Data Retention
PM will retain Personal Data in accordance with a Customer’s instructions, subject to any applicable terms in the Customer Agreement and Customer’s use of Services functionality, and as required by applicable law. Typically, PM will retain Personal Data for the duration of a Customer’s subscription term under the Customer Agreement and only for as long as is necessary for the purposes set out in this Privacy Policy. PM may retain certain Personal Data after you have deactivated your account for the period of time needed for PM to pursue legitimate business interests, conduct audits, comply with (and demonstrate compliance with) legal obligations, resolve disputes and enforce our legal contracts.
How We Share and Disclose Information
- Customer’s Instructions. PM will solely share and disclose Personal Data in accordance with the Customer Agreement, a Customer’s instructions, subject to any applicable terms in the Customer Agreement and Customer’s use of Services functionality, and in compliance with applicable law.
- Displaying the Services. When an authorized User submits information, it may be displayed to other authorized Users. For example, an authorized User’s account details may be displayed with their Deployment profile in order to use the Services.
- Customer Access. Authorized Users and other Customer representatives and personnel may be, subject to the Customer Agreement, able to access, modify or restrict access to certain information. This may include, for example, your employer using Service features to see or export logs of your activity, or accessing or modifying your profile details.
- Third Party Service Providers and Partners. PM may engage third party companies or individuals as service providers or business partners to process Personal Data and support our business.
- Affiliates. PM may share Personal Data with its corporate affiliates as needed to provide you with the Services, in which case PM will require those affiliates to honour this Privacy Policy. Affiliates include our subsidiaries, joint venture partners or other companies that PM controls or that are under common control with PM.
- PM Change of Control. If PM engages in a merger, acquisition, bankruptcy, dissolution, reorganization, sale of some or all of PM’s assets or stock, financing, public offering of securities, acquisition of all or a portion of PM’s business, a similar transaction or proceeding, or steps in contemplation of such activities (e.g. due diligence), some or all Personal Data may be shared or transferred, subject to market standard confidentiality arrangements.
- Aggregated or De-identified Data. Subject to the Customer Agreement, we may use or disclose aggregated or de-identified Personal Data for various purposes. For example, we may share aggregated or de-identified Personal Data with prospects or partners for business or research purposes.
- To Comply with Laws. If we receive a request for information, we may disclose Personal Data if we reasonably believe disclosure is in accordance with or required by any applicable law or other binding regulation or judicial or administrative decision.
- To enforce our rights, prevent fraud, and for safety. To protect and defend the rights, property or safety of PM and/or third parties, including enforcing contracts or policies, or in connection with investigating and preventing fraud or security issues.
- With Consent. In addition to the above, PM may share Personal Data with third parties when we have the consent to do so.
Security
PM takes security of data very seriously. PM works hard to protect Personal Data you provide from loss, misuse, and unauthorized access or disclosure. These steps take into account the sensitivity of the Personal Data we collect, process and store, and the current state of technology. To learn more about PM’s commitment to security and the various international security standards we adhere to, please visit our trust center at: https://trust.powerfulmedical.com/.
Age Limitations
To the extent not prohibited by applicable law, PM does not allow use of our Services and Websites by anyone younger than 16 years old. If you learn that anyone younger than 16 has unlawfully provided us with personal data, please contact us and we will take appropriate steps to delete such information.
Changes to This Privacy Policy
PM may at its discretion change this Privacy Policy from time to time. Laws, regulations and industry standards evolve, which may make those changes necessary, or we may make changes to our business. We will post the changes to this page and encourage you to review our Privacy Policy to stay informed. If you disagree with the changes to this Privacy Policy, you should deactivate your Services account. Contact the Customer if you wish to request the removal of Personal Data under their control.
Data Protection Officer
To communicate with our Data Protection Officer, please email dpo@powerfulmedical.com.
Contacting Powerful Medical
Please also feel free to contact PM if you have any questions about this Privacy Policy, our privacy practices, or if you want to exercise any of your statutory rights. You may contact us at legal@powerfulmedical.com or at our mailing address below:
U.S.:
Powerful Medical Inc.
7th floor, 33 West 17th Street
New York, NY, USA
EMEA:
POWERFUL MEDICAL s. r. o.
CBC I, Karadičova 8/A, 821 08,
Bratislava, Slovak Republic
Rights applicable to individuals located in EMEA
If you are located within the EMEA, you may have the following rights:
- Request access to your Personal Data. The right to access, update or delete the information We have relating to you. You may also access, update or request deletion of your Personal Data directly within your account settings section. If you are unable to perform these actions yourself, please contact Us to assist you. This also enables you to receive a copy of the Personal Data We hold about you.
- Request correction of the Personal Data that We hold about you. You have the right to have any incomplete or inaccurate information We hold about you corrected.
- Object to processing of your Personal Data. You may have the right to object if we process Personal Data for direct marketing purposes, or, on grounds relating to your particular situation, if we process Personal Data for our legitimate interests listed above.
- Request erasure of your Personal Data. You may have the right to ask Us to delete or remove Personal Data, in specific cases outlined under the applicable laws.
- Request the transfer of your Personal Data. We will provide to you, or to a third party you have chosen, your Personal Data in a structured, commonly used, machine-readable format. Please note that this right only applies to automated information which you initially provided consent for Us to use or where We used the information to perform a contract with you.
- Withdraw your consent. You have the right to withdraw your consent on using your Personal Data, if such Personal Data was obtained on such legal basis. If you withdraw your consent, we may not be able to provide you with access to certain specific functionalities of the Service.
Exercising of your GDPR Data Protection Rights
You may exercise your rights by contacting Us using the email addresses above. Please note that we may ask you to verify your identity before responding to such requests. If you make a request, we will try our best to respond to you as soon as possible.
You have the right to complain to a Data Protection Authority about Our collection and use of your Personal Data, namely the Office of Personal Data Protection of the Slovak Republic, Hraničná 12, 820 07 Bratislava 27, Slovak Republic, E-mail: statny.dozor@pdp.gov.sk.