Health data privacy policy

We at Sunrise SA (together with its affiliated company, “Sunrise” or “us” or “we”), whose head office is located at 5101 Namur, Chaussée de Marche 598/02, Belgium VAT (BE) 0632 607 373 RLE Liège, Namur division (www.hellosunrise.com) process health-related and other personal data (“Personal data” or “Personal information”).

We process data concerning (i) users using our (medical) device (the "Device") and (ii) health care professionals (a "Practitioner") using our platform (the "Platform"). Users using our Device and Practitioners using our Platform (i)-(ii) are further described in this privacy policy as "you".

For the purpose of this privacy policy, the Application, the Platform and the Sensor constitute together the Device used by you. The intended use of the Device is detailed in the instructions for use supplied with the Device.

If you are using our Device, it can be used on your own initiative, or prescribed by a Practitioner. In the latter case, the Device is linked to the Practitioner and the Practitioner has access to some of your personal and health information after you consented to it via our Device (see hereunder for more information about this). This privacy policy covers namely both situations and describes more generally how we handle, process, and make available your Personal information in accordance with Applicable Law (as defined below).

We may also come into possession of your data in the context of our partnering with third parties such as research institutions, pharmaceutical or medical devices companies conducting trials, investigations or other research activities. This privacy policy also applies in that context.

1. Roles and responsibilities

Certain data protection laws and regulations, such as the EU General Data Protection Regulation ("GDPR") and the California Consumer Privacy Act ("CCPA"), typically distinguish between two main roles for parties processing Personal data: the “Data Controller” (or under the CCPA, “business”), who determines the purposes and means of processing; and the “Data Processor” (or under the CCPA, “service provider”), who processes the data on behalf of the Data Controller.

Both us and the Practitioner (when applicable) are separate Data Controllers, each being responsible for processing your Personal data within the meaning of European regulations, more specifically the GDPR and any applicable national act and/or decree implementing it, as well as any other applicable data protection legislation (together the “Applicable Law”).

We act as a Data Controller and process your Personal data in accordance with the purposes described hereunder. We comply with Applicable Law when processing your Personal data.

More information about the processing activity conducted by your Practitioner, where applicable, is to be asked directly to your Practitioner.

2. Personal data processed and its purposes

2.1 DATA PROCESSED WHEN USING OUR DEVICE

If you are using our Device, we process your Personal data for two main reasons: on the one hand for the proper operation of the Device, and on the other hand for the improvement and further development of our services and technology.

2.1.1. Data processed to operate the Device

Personal data that may be considered as health related data within the meaning of Applicable Law, are processed with your consent (see hereunder) for the purposes listed below in connection with the operation and functioning of the Device. In accordance with the Applicable Law, the Device is designed to process your health-related information only subject to receiving your explicit consent. As a result, if you do not consent, we are not able to provide you with our services.

By checking the corresponding boxes on our Device's interface, you are giving us your consent to the processing of your health-related data that may be collected as specified hereunder.

Type of Personal data	Purposes	Legal basis
Your account data, such as your user name, password, e-mail address, country	Account creation Contacting you in case of problems with the use of the Device Security Address to receive post-test emails (report, ...)	Necessity for the performance of the contract concluded with you.
General information about you, such as your name, surname and date of birth – this may include health-related data	Your identification on the test report (personalised and user-specific medical follow-up)	Necessity for the performance of the contract concluded with you. To the extent this includes health-related data it is processed with your consent.
Feedback from you – this may include health-related data	Updating/Improving our Device, our products and services	Our legitimate interests to improve our Device, products and services. To the extent this includes health-related data it is processed with your consent.
E-mails or telephonic exchange between you and us – this may include health-related data	Improving our services Managing/Resolving any dispute	Our legitimate interests to keep a record of our exchanges with you, in order to improve our services and manage/resolve any dispute between you and us. To the extent it includes health-related data it is processed with your consent.
	Supporting your interaction with us	Necessity for the performance of the contract concluded with you. To the extent this includes health-related data it is processed with your consent.
Your date of birth and your physical data, such as your height, weight, neck size, and gender – this includes health-related data	Personalized medical evaluation adapted to you Calculation of your sleep parameters	Necessity for the performance of the contract concluded with you. Health-related data is processed by us with your consent.
	Improving our Device, products and services	Our legitimate interests to improve our Device, products and services Health-related data is processed by us with your consent.
Medical data collected via the Device, your health status	Calculation of your sleep parameters	Necessity for the performance of the contract concluded with you.
	Personalized medical evaluation adapted to you	Health-related data is processed by us with your consent.
	Improving our Device, products and services	Our legitimate interests to improve our Device, products and services. Health-related data is processed by us with your consent.
Data collected via questionnaires about your quality of life and sleep habits – this includes health-related data	Personalized medical evaluation adapted to you	Necessity for the performance of the contract concluded with you. Health-related data is processed by us with your consent.
	Improving our Device, products and services	Our legitimate interests to improve our Device, products and services. Health-related data is processed by us with your consent.
Phone information and your interactions with our Device: phone model, OS type, OS version, crash reports, system activity and corresponding date and time	Support in case of problems	Necessity for the performance of the contract concluded with you.
	Improvement of our products and services	Our legitimate interests to improve our products and services.
Phone information such as the Bluetooth connection, the camera and the location of the smartphone	Allow the scan of the QR code and the connection to the Device	Necessity for the performance of the contract concluded with you.
All of the data described above, except for the last two types of data which are phone-related data.	Post-market surveillance and vigilance purposes	Legal obligation to collect and evaluate clinical data such as feedback from users, side-effects or data on misuse / off-label use of our products. Legal obligation to analyse complaints and reports regarding our products and, where applicable, to report incidents or serious incidents to a competent authority.

Data that will be transferred to your Practitioner in order to achieve the intended use of our Device, if your Device is linked to your Practitioner, are the following:

General information about you: such as your name, surname and date of birth;
Your physical data: such as your height, weight and neck size, and gender;
Medical data collected via the Device, including your health status;
(Medical) data collected via the questionnaires in our Device, about your quality of life and sleep habits.

More information about the processing activities conducted by your Practitioner on your Personal data is to be asked directly to your Practitioner.

2.1.2 Data processed for research purposes

A. Data processed when using our Device

Please note that we may also process your Personal data for statistical and scientific research purposes in the healthcare field. Such purposes may include but are not limited to the improvement of our algorithms, scientific publications, medico-socio studies, correlation between (health-related) data and diseases or people's quality of life. We do so to improve our services and technology and to support or develop knowledge in the healthcare field.

Research activities described in this section shall be strictly non-interventional and of a prospective nature. This means that you will not be contacted specifically for such research activities and that we must obtain your data from existing records or by interviewing your Practitioner in accordance with the applicable studies and patient’s rights' regulations.

Your data that will be processed for the research purposes described above are the following:

Type of Personal data	Purposes	Legal basis
Your date of birth and your physical data, such as your height, weight, neck size, gender	Statistical and scientific research purposes in the healthcare field (see paragraph above)	Our legitimate interests to improve our services and technology and to support and develop knowledge in the medical field Health-related data is processed by us based on the legal basis of scientific research under Applicable Law (article 9(2)(j) of the GDPR and any corresponding article under any Applicable Law)
Medical data collected via the Device, your health status	Statistical and scientific research purposes in the healthcare field (see paragraph above)	Our legitimate interests to improve our services and technology and to support and develop knowledge in the medical field Health-related data is processed by us based on the legal basis of scientific research under Applicable Law (article 9(2)(j) of the GDPR and any corresponding article under any Applicable Law)
Data collected via questionnaires about your quality of life and sleep habits	Statistical and scientific research purposes in the healthcare field (see paragraph above)	Our legitimate interests to improve our services and technology and to support and develop knowledge in the medical field Health-related data is processed by us based on the legal basis of scientific research under Applicable Law (article 9(2)(j) of the GDPR and any corresponding article under any Applicable Law)

When processing of your Personal data is taking place in accordance with this section, your data will be pseudonymised. This means that your data will no longer be attributed to you without the use of additional information that we will keep separately and that will be subject to technical and organisational measures. This means, for instance, that your name and surname will be kept separately from your health-related data.

Please note that we are not using your consent as legal basis because it would not be compatible with the purpose of our non-interventional prospective research, as withdrawal of your consent would have disastrous consequences for our scientific research and investment.

B. Additional data processed when you are participating in a research activity such as a clinical trial, clinical investigation, performance studies or experiments on the human person (including interventional studies and prospective non-interventional studies)

We may also receive pseudonymised (health-related) data about you for statistical and scientific research purposes in the medical field, such as but not limited to the improvement of our algorithms, scientific publication, medico-socio studies, correlation between (health-related) data and diseases or people's quality of life. We do so in order to improve our services and technology and to support/develop knowledge in the medical field.

2.2 DATA PROCESSED IF YOU ARE A PRACTITIONER ACCESSING OUR PLATFORM

If you are a Practitioner and are accessing our platform, we may collect and process the following Personal data about you in accordance with this Privacy Policy:

Type of Personal data	Purposes	Legal basis
Account information, such as your name, surname, country, telephone number, password, e-mail address	Account creation (login and access to the platform) Contacting you in case of problems with the use of the Platform or Device Security	Necessity for the performance of the contract concluded with you
Your e-mail address	To send you health reports	Necessity for the performance of the contract concluded with you
List of users of Sensors which are related to your account	Account management, access rights and security	Necessity for the performance of the contract concluded with you

3. Your rights

3.1 WHEN YOUR DATA IS PROCESSED FOR THE PURPOSE OF THE DEVICE OPERABILITY

This section applies if (i) you are using our Device for the purpose of the operability of our Device, or if (ii) you are a Practitioner using our Platform.

You have the following rights:

The right to access your Personal data;
The right to obtain rectification of your Personal data which would be inaccurate if and to the extent you can prove such data is inaccurate (or, where appropriate, taking into account the purposes of the processing, the right to obtain any incomplete Personal data to be completed);
The right to obtain the deletion of your Personal data when (i) these data are no longer necessary for the purposes for which they were collected or processed, (ii) you have withdrawn your consent to the processing of your Personal data and there is no other legal basis for processing such data, (iii) you fulfil the conditions of the Applicable Law to oppose the data processing, for reasons related to your personal circumstances, (iv) Personal data have been unlawfully processed, or when (v) Personal data must be erased to fulfil a legal obligation under the Applicable law;
The right to limit the Personal data that we process when (i) you dispute the accuracy of the data, for a period of time allowing us to verify the accuracy of said data, (ii) the processing is unlawful and you object to their complete deletion, (iii) we no longer need the data for the purposes of the intended processing, but these data are nevertheless still necessary to you for the recognition, the exercise or the defence of rights in court, or when (iv) you objected to the data processing, during the verification period as to whether our legitimate grounds prevail over yours;
The right to oppose the processing of your Personal data for reasons relating to your particular situation, unless we can demonstrate that there are legitimate and compelling reasons for the Personal data processing that prevails over your interests, rights and liberties, or for the recognition, exercise or defense of rights in court;
The right to oppose the processing of your Personal data for direct marketing purposes;
The right to receive a copy of your Personal data in a structured, commonly used, and machine-readable format and the right to have such data transmitted directly to another controller when technically feasible ("right to data portability").

You also have the right to withdraw your consent for the processing of your Personal data at any time. You however acknowledge that any processing carried out prior to such withdrawal will not affect the lawfulness of the processing based on your consent before the withdrawal.

You can exercise the aforementioned rights by contacting our Data Protection Officer (DPO) at the following address: DPO@hellosunrise.com.

If your requests are manifestly unfounded or excessive, for example because of their repetitive character, we may however either (i) charge a reasonable fee taking into account the administrative costs incurred in providing the information, proceeding with or taking the action you requested or (ii) refuse to respond to such requests.

If you deem it appropriate, you also have the right to file a complaint regarding our use of your Personal data with the competent supervisory authority.

3.2 WHEN YOUR DATA IS PROCESSED FOR RESEARCH PURPOSES

This section applies for the purposes of statistical and scientific research in the healthcare field.

In principle, you have the same rights towards us as described above in section 3.1. However, in some instances, you will be prevented to exercise your right of access, as your Personal data will be inextricably linked with Personal (sensitive) data of other data subjects. You may also be prevented to use your right of rectification, deletion, limitation, and objection to the processing of your Personal data, if the exercise of those rights would impede our research.

4. Personal data recipients and transfer

Your Personal data that we process are only accessible to the following persons:

Our employees, partners and consultants, to the extent strictly necessary for the performance of their duties while working for us;
Healthcare professionals;
Our subcontractors and Affiliated companies used to process and store data collected and / or produced by the Device;
Any official authority requesting Personal data in compliance with legal or regulatory obligations.

We may disclose your Personal data to our affiliates, agents and (sub)contractors (including to parties located outside the European Economic Area – “EEA”) for the purposes stated above. We will however not share your Personal data to any other third parties, unless legally obliged by law, such as by court order or otherwise requested by you.

Any transfer of Personal data to a country outside of the EEA will be made in accordance with Applicable Law and appropriate and suitable safeguards will be taken, such as the conclusions of standard contractual clauses. You have the right to obtain a copy of the appropriate and suitable safeguards taken by contacting us at the following address: DPO@hellosunrise.com.

5. Personal data storage

Your Personal data are stored on our secure servers and / or the secure servers of our subcontractor (in an encrypted form), including those providing the services used in the management of the computer systems we use, as well as communication networks within the European Economic Area (EEA).

We store your Personal data for the duration of the contract concluded with you. After this time period, your Personal data are either anonymised or deleted from our databases. However, your Personal data may be pseudonymised and kept for a longer period in accordance with our legal obligations (including for regulatory compliance (including vigilance) purposes) or if we use your Personal data for research purposes. In this case, your Personal data are kept for no longer than ten years. After this time period, your data are either anonymised or deleted. For regulatory compliance (including vigilance) purposes, the retention period of ten years may start running only after the last Device has been placed on the market, within the meaning of articles 1, 2, 5 and 23 of regulation (EU) 2017/745 on medical devices.

6. Personal data security

We take appropriate technical and organizational measures to ensure a level of security appropriated to the risks and to avoid, as far as possible, any unauthorized destruction, loss, alteration, communication, or unauthorized access to your Personal data.

7. Changes to this Privacy Policy

We retain the right to update, change and delete any part of this Privacy Policy at any time. Any changes will be published [here] and we recommend you to check this Privacy Policy on a regular basis. We will however contact you directly if we decide to modify substantially this Privacy Policy to inform you about the substantial modifications made.

No part of this document may be reproduced without prior permission of the company.
WD-068 V09