Last revised: November 2022
At VoiceMed, we care about your privacy. Therefore, we are committed to the protection of your Personal Data in accordance with the applicable regulation.
Please note that the content of this Policy may change from time to time, for instance, in case of a change in the applicable regulation.
- Who are we? A bit of history
VoiceMed was created in 2020 through VoiceMed S.a.r.l, a company registered under the laws of Luxembourg and whose registered address is at 98 Route d’Arlon, L-8008, Strassen, Luxembourg.
With VoiceMed, our intention is to design software to analyse breathing sounds in order to monitor respiratory health. Some of our software is registered as medical device software which means that it meets the required standards of safety or effectiveness to be considered a medical product and is validated through clinical studies.
- Reminder: Some Key Notions
We are conscious that the Data Protection Laws use specific legal terms that might induce confusion.
In this respect, we have chosen to remind you of the key notions at use in this Policy. Therefore, unless the context requires otherwise, the following words and expressions of this Policy shall have the following meanings:
“Data” means “Personal Data”, as defined below.
“Controller” means the VoiceMed group (VoiceMed S.a.r.l and its subsidiaries), which decides how and why Personal Data is processed.
“Data Protection Laws” means the data protection laws, including the GDPR, applicable to VoiceMed’s activities and Technologies.
“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
“Personal Data” is defined as any information that relates to an individual (the “Data Subject”), such as a name, an identification number, location data, or an online identifier.
“Processing activities” means any operation which is performed on Personal Data, whether or not by automated means, including, but not limited to, the collection, the recording, the consultation and the use of Personal Data.
Terms used but not defined in this Policy shall have the same meanings set out in the GDPR.
3. Why do we process Personal Data?
VoiceMed only processes Personal Data for the purpose of developing its Technologies and accurately monitoring respiratory health. To reach this objective, VoiceMed needs to rely on Personal Data. More precisely, collecting and processing Personal Data enable VoiceMed to:
- develop and perform Technologies to monitor respiratory health;
- communicate with Data Subjects;
- continually reassess our performance and perform quality control; and
- perform, via the Technical Data, the following services: analytics, displaying content from external platforms and platform services and hosting.
3.1 Legal ground
To process your Personal Data, VoiceMed only relies on your consent.
Before you use our Technologies, you are asked whether you agree to share some Personal Data with us (in practice, this will mean that you are asked to tick a box). We give you the possibility to read this Policy before making your decision so that you freely decide whether to consent or not.
- Which Personal Data do we process?
- The Personal Data concerned
VoiceMed may process the following categories of Personal Data about you:
- Identity Data (i.e. name);
- Contact Data (i.e. email address);
- Health data (smoking status, symptoms, pre-existing health conditions, such as asthma)
- Sound samples (respiratory sounds when you perform breathing exercises)
Our Technologies mainly rely on your breathing sounds to enable us to provide you with accurate monitoring of your respiratory health.
- Technical Data, such as internet protocol address, cookies, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website.
- Sources of Personal Data
The Personal Data is either provided:
- directly by you when using either one of our websites or mobile apps, and provided that you have consented to the processing of your Personal Data by VoiceMed, as set out in this Policy; or
- for Technical Data, automatically when using one of our websites.
- Recipients of Personal Data
- Categories of Recipients
VoiceMed may transfer your Personal Data externally to third-party service providers for the purposes of operating our Technologies.
Also, VoiceMed may transfer your pseudonymised Personal Data to research partners for the purposes of improving our Technologies. In this case, your data will be identified by a code (pseudonym), and we will not transfer your Contact data.
We also use third-party platforms to host and design our websites, such as Google Analytics, Google Cloud Platform, MongoDB and Google Fonts. This may have certain cookies (a text file that is stored on your device when you visit any website). You can change, delete, and block the cookies from your browser settings.
- Transfer of Personal Data
Transfers of personal data outside the European Union are carefully reviewed prior to the transfer taking place to ensure that they fall within the limits imposed by the Data Protection Laws. This depends partly on the European Commission’s judgement as to the adequacy of the safeguards for personal data applicable in the receiving country, and this may change over time.
VoiceMed currently transfers Personal Data to some Recipients located in Switzerland, where part of VoiceMed’s scientific team is based (the team has access to pseudonymised Personal Data for the purpose of developing and validating the algorithm). Based on Article 45 of the GDPR, the European Commission has recognized the legislation of Switzerland (Federal Data Protection Act of the 19 of June 1992) as countries offering an adequate level of data protection (2000/518 / EC and 2002/2 / EC), allowing the transfer of data on the basis of an adequacy decision.
In the event VoiceMed needs to transfer Personal Data to other locations outside the EU, one of the measures set out in the GDPR (Articles 44 et s.) will be implemented.
- Retention of Personal Data
VoiceMed only retains Personal Data for as long as necessary to fulfil the purposes we process it for unless the applicable regulations provide otherwise.
The length of time in which we will store your Personal Data will differ depending on the purpose for which we have collected and are processing your Data. In most cases, we will keep the Personal Data for five (5) years following our last interaction with you. We may, however, maintain your Personal Data for a longer period of time if we are required by law to maintain the Data.
To take all appropriate safeguards to protect your Personal Data, we have appointed a Head of Data Protection (“HDP”).
If you have any questions about this Policy or if you wish to exercise any of your rights granted by the Data Protection Laws applicable to you, please contact our HDP by using one of the channels set out below:
Email Address: email@example.com
Postal Address: 98 route d’Arlon, L-8008, Strassen, Luxembourg.
- Security measures
We are committed to ensuring your Personal Data has the best level of protection. Therefore, we have implemented technical security measures including, but not limited to, the following ones:
- Multi-stage encryption: our website is HTTPS encrypted, and your Personal Data is encrypted while it is transferred to storage;
- Authorized Access: your Personal Data is only accessed by specific members of the VoiceMed team who need to protect and analyse your data: a database manager (admin role) and the scientific team following the principles of need-to-know and least privilege;
- Storage: Personal Data is stored in a secured ISO27001-certified data centre located in the European Union. No Personal Data is stored outside the EU.
- Your rights
- List of rights granted
Under the Data Protection Laws, you are entitled to exercise the following rights in relation to your Personal Data:
- Right of access: you can ask us whether we process Personal Data about you and, where that is the case, ask us for a copy of it;
- Right to rectification: you can ask us to rectify inaccurate Personal Data. Moreover, you can provide us with supplementary information if your Personal Data is incomplete;
- Right to erasure: if you ask us to erase you’re the Personal Data we process about you, we will do so in the following circumstances:
- the Personal Data is no longer necessary for the original reason for which we processed it;
- you initially consented to the processing of your Personal Data, and you now wish to withdraw your consent;
- you have objected to the use of your Personal Data, and your interests outweigh those of VoiceMed processing it;
- you have objected to the use of your Personal Data for direct marketing purposes;
- we have been processing your Personal Data in an unlawful manner; or
- we must erase your Personal Data under a legal obligation.
- Right to object: in certain circumstances, you can object to the processing of your Personal Data and ask us to stop using it. However, following applicable Data Protection Laws, we may not stop the processing of your Personal Data if we believe we have legitimate reasons to continue to do so;
- Right to restriction of processing: you can ask us to restrict the processing of your Personal Data provided that one of the following applies:
- you have challenged the accuracy of the Personal Data that we process about you;
- the processing of your Personal Data is unlawful but you do not want us to erase it;
- we no longer need your data but you want us to keep it in order to create, exercise or defend legal claims; or
- you have exercised the right to object to processing.
- Right to data portability: you can ask us to provide you with the Personal Data we process about you. In addition, you can ask us to transfer your Personal Data to another controller where it is technically feasible, but also if the processing activities concerned are based on your consent and are carried out by automated means;
- Right to withdraw consent: you can withdraw your consent for the processing of your Personal Data at any time. However, it will not affect the lawfulness of any processing carried out before you withdraw your consent.
If you want to exercise any of the rights set out above, please contact our HDP using the contact details provided above.
We will process your request without undue delay and in accordance with our legal obligations and the requirements of applicable Data Protection Laws.
Fee: In accordance with the Data Protection Laws, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive.
Ensuring your identity: If you exercise one of your rights, we must first be sure of your identity. To do so, we may need to request specific information from you to help us confirm your identity. This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
Time limit to respond: Each of the above rights is supported by appropriate procedures within VoiceMed. In line with the applicable Data Protection Laws, we will provide information or take action without undue delay, and in any event, within one month of receipt of the request.
- Exercise your rights
VoiceMed will be your interlocutor and will address all your queries in accordance with the applicable Data Protection Laws. If you want to exercise any of your rights, please contact our HDP.
- Complaint to a data protection supervisory authority
You also have the right to make a complaint at any time to your local data protection supervisory authority (you can find out more information here). If you reside in the UK, you can go here.
We would, however, appreciate the chance to deal with your concerns before you approach them so please contact us in the first instance.
- Status and update of this Policy
VoiceMed conducts regular control of its compliance with the Data Protection Laws and the CNPD guidance, the data protection supervisory authority of Luxembourg. Therefore, this Policy will be reviewed and updated when necessary to reflect legal changes, guidance, and good business practices.