Endo Medical Inc., with a registered address at 2345 Yale Street Palo Alto, CA, 94306, USA, hereinafter referred to as the “Company” or “we” or “us”, provides software that automatically analyzes metabolic information to provide an in-depth personalized analysis of heart, lung, muscular, and neuromuscular function in real time.
Anyone who has purchased or rented our Company’s equipment, namely trainers or other professionals and companies related to training activities etc. (hereinafter referred to as the “Trainers”) can create personalized metabolic profiles of their customers in our online platform “API MyPnoe Platform” (hereinafter referred to as the “Platform”), to use our Company’s equipment and related services.
Our company’s mobile application “PNOĒ Precision App”, hereinafter referred to as the “Application”, makes it possible for you, as a Trainer’s customer, to have direct access (meaning from now on without your Trainer’s assistance) to your active metabolic profile in our Platform and update it.
In any case, we inform you that we process your personal data on behalf and under the instructions of your Trainer. In this context, we implement all the appropriate technical and organizational measures, and we assist your Trainer in compliance with the applicable legal framework, among others and in particular, the European General Data Protection Regulation (GDPR) and the US applicable framework (see specific disclosures for EU residents below).
“Personal Information” or “Personal Data” (hereinafter these terms are used interchangeably) means any information relating to an identified or identifiable natural person/individual/consumer that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Sensitive personal information/data” means personal information/data which is, by its nature, particularly sensitive and merits specific protection because, if lost, compromised, or disclosed without authorization, it could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual, as the context of its processing could create significant risks to the fundamental rights and freedoms of the individual/consumer. Sensitive information/data may include Social Security Numbers, financial information, health information, information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.
The data stored and processed in our systems relate to your fitness and wellness goals as these have been collected by your Trainer and may include your full name, email, phone number, login credentials, height, year of birth, gender, weight, primary goal for PNOE, body fat percentage, body composition percentage, preferred diet, training intensity and schedule as well as data that you have chosen to be shared with the Application when you use or interact with a wearable or other connected device.
We process your data on behalf of your Trainer to allow your Trainer to create a personalized metabolic profile for you in our Platform, which will necessarily include types of your personal data, such as identification data, personal details, data related to your training and nutrition routine, and health data (such as data about biomarkers related to human breath or heart rate). You may also choose to allow your Trainer and us to use your data to create a nutrition plan tailored to your metabolism and needs. You may gain access to your profile by creating an account on our Application after receiving an invitation link via email sent upon your request by your Trainer. In order to be identified as the owner of your existing profile in our Platform and be able to directly update it via the Application, you need to fill your identification data (e.g., your first and last name) after following the invitation link. Then you may directly complete your profile by providing us with personal data of all the above-mentioned data categories, including your health data, via the Application.
We process this data to provide our services as a data processor as specified in our agreement with your Trainer. We only perform processing activities that are necessary and relevant to the services agreed between our Company and your Trainer.
You are aware and understand that for your Trainer to build a personalized metabolic profile for you in our Platform and offer you the services agreed upon, you need to provide the aforementioned information. Such personal information is necessary to perform the contract concluded between you and your Trainer and the provision of services and you explicitly provide your consent to the collection and use of your personal information.
We only share information which is relevant and necessary for each of the above-mentioned purposes.
We have security measures in place to protect your information. The Company, its employees, processors and assistants have implemented appropriate technical and organizational measures to ensure, as much as possible, the most appropriate protection of personal data against accidental or unlawful destruction, loss, alteration, unlawful disclosure or access to them and any unlawful processing, as well as to ensure the possibility of restoring availability and access to them. The security measures we use include (non-exhaustive list) firewalls and data encryption, physical and electronic access controls to our data centers, use of unique and complex passwords, regular change, and renewal in case of reassignment/exit of employees, strict designation of roles, work tasks and processing of data.
Under California Law you may have the right to access, correct, request deletion or request restriction of our usage of your personal information stored in our systems. Any such request must be submitted to your Trainer. We have the appropriate internal procedures to assist your Trainer in fulfilling your requests to the extent this is required and permitted by applicable law. Please note that we do not sell or share our consumers’ PII with 3rd parties for marketing purposes.
Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms. Those personal data should include personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation
any operation or set of operations which is performed on personal data or on sets of personal data, whether by automated means or not, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction
any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her,
‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed;
According to the GDPR, this information we process on behalf of your Trainer is “personal data”, while you, as users, are characterized as “data subjects”, and your Trainer, as long as they determine the purposes and means of the processing of personal data, is the “controller” of your data. We, the Company, are the “processor” of your data, as we exercise no control of the purposes and means of the processing of your personal data, and we have the obligations of the processor under Article 28 GDPR.
Your data is collected (either directly by you or by your Trainer) and stored in our database to receive the services you have agreed upon with your Trainer, to allow initially your Trainer to create a personalized metabolic profile for you in our Platform and then allow you to access and edit your profile on our platform via our App.
The Legal Basis for this processing undertaken by your Trainer under the GDPR is:
For non-sensitive (special categories of) data: processing is necessary for the performance of a contract to which you are a party or to take steps at your request prior to entering a contract [Art. 6 (1) (b) GDPR]. In addition, non-sensitive personal data may be processed based on the legitimate interest [Art. 6 (1) (f) GDPR], such as ensuring the security of the systems, providing you with information related to your selected program etc., or your consent [Art. 6 (1) (a) GDPR] for specific purposes as these are determined by your Trainer.
For sensitive (special categories of) data: processing is based on your explicit consent [Art. 9(2) (a) GDPR], given when you registered to the Application and created your account.
We, as a data processor, are contractually bound to provide the necessary safeguards and to take all appropriate technical and organizational measures to ensure the lawful processing and protection of your data and rights.
We inform you that we process your data only on documented instructions from the controller, including transfers of personal data to a third country or an international organization unless required to do so by law to which our Company is subject.
In case that in our opinion an instruction by the controller infringes the GDPR, we will immediately inform them and not execute the instruction until it has been confirmed or modified.
To ensure the adequate protection of your data, our Company implements internal security policies, takes all appropriate technical and organizational measures and trains its staff, which is bound by confidentiality and privacy clauses.
We ensure that persons authorized to process your data have committed themselves to confidentiality and, also, that your data will only be made available to personnel that require access to such data for the provision of services relating to processing.
In addition, we use technologies which ensure the security of your data, e.g., Secure Sockets Layer (SSL) certificate, as well as encryption and physical security.
Our goal is to integrate information security and data protection principles in all aspects of the Company’s operation. In this context, we monitor the security measures on a regular basis and, if deemed necessary, we align them with the new best practices.
In case of a data breach that can lead to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to, personal data transmitted, stored, or otherwise processed, we give immediate notice to the controller.
In addition, we make reasonable efforts to identify the cause of such a breach and take those steps as they deem necessary to establish the cause, and to prevent such a breach from reoccurring.
We delete all your data upon the request of the controller or after the end of the provision of services relating to processing and, also, destroy existing copies unless we are obligated by law to store your data (e.g., by tax legislation).
We make available to the controller all information necessary to demonstrate compliance with their obligations as a controller and we cooperate, if requested, with the supervisory authority for the performance of its tasks.
Under GDPR you have the following rights:
Considering the nature of the processing of your data we will assist the controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising your rights as data subject. Namely:
If the controller receives a request from you related to the exercise of your rights as a data subject, and the correct and legitimate reply to such a request necessitates our assistance, we will assist within reasonable time the controller by providing the necessary information and documentation. On the other hand, if we receive a relevant request from you, we will immediately forward the request to the controller and assist them, if needed, to properly respond.
In particular, regarding your right to erasure of your data, we inform you that if you erase your Application account and/or uninstall the Application, your profile in our Platform will not be deleted! To exercise your right to erasure, you may submit this request to your Trainer, who will, with our assistance and without undue delay, delete your profile in our Platform and, therefore, your related personal data.
We inform you that we are given general authorization to engage third parties to process your data (“sub-processors”) without obtaining any further written, specific authorization from the controller. If the controller objects to a new sub-processor and we cannot accommodate their objection, the controller may terminate our contract by providing written notice to us.
We assure you that our sub-processors provide at minimum the same data protection obligations as the ones applicable to us and that we are accountable to the controller for any sub-processor in the same way as for our own actions and omissions.
The Personal Data we process on behalf of your trainer is stored on servers in the United States, a third country under the GDPR. To ensure the lawfulness of such transfers we have adopted and implemented the appropriate safeguards as defined in the GDPR, namely the Standard Contractual Clauses.
In any case, to seek further information regarding the processing of your data which is performed in relation to the use of our Company’s equipment and related services, you may contact your Trainer.