Biofourmis Privacy Policy

THIS PRIVACY POLICY AND NOTICE (“NOTICE”) DESCRIBES HOW PERSONAL DATA ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

This Notice is being provided to you by Biofourmis Singapore Pte Ltd., a company incorporated in Singapore ("Biofourmis", "us", "we" or "our"). Our contact details are included below. This Notice refers to us and other companies in our corporate group, collectively, as the "Group".

This Notice applies to our or any third party wearable medical devices that are used in conjunction with our Software (as defined below) (each a "Device" and collectively the “Devices”,), our website located at https://www.biofourmis.com (“Site”), the BiovitalsHF® platform or any other software that we make available to you (“Software”), the Biofourmis web applications and mobile applications (each an “App” and collectively the “Apps”) and all of the services available therein (collectively referred to in this Notice as the “Biofourmis Service”) that may be provided by one or more of our affiliates.

This Notice is only about the technical and account data, and to the support queries and feedback, that we collect as part of our operation of the Biofourmis Service. Except in rare circumstances (for instance a legal dispute), Biofourmis does not make its own use of personal data relating to your health, genetic data, biometric authentication data, biometric templates, racial or ethnic origin, sexual orientation, sex life, political opinions or membership, religious or philosophical beliefs, trade union, trade body or professional body membership, criminal records or precise location data ("Sensitive Data"). Normally, we process Sensitive Data only on behalf of our partner, The University of Hong Kong (they are "controllers" of your Sensitive Data, as are the persons in charge of your care, collectively the "Partners"), and it is therefore very important that you review their Privacy Notices and any other privacy information they make available to you.

1. Summary

• We have aimed to make this Privacy Notice straightforward to read and understand – starting with this very short summary of the really important parts. If you have any questions or feedback, get in touch with us at privacy@biofourmis.com.
• Biofourmis contracts with and provides services to various health care providers. At the heart of Biofourmis is our BiovitalsHF® Analytics Engine, which predicts clinical exacerbation in advance of a critical event. It allows clinicians to deliver more personalized care and enables better patient outcomes. Biofourmis is the owner and operator of the BiovitalsHF® Analytics Engine and of the other platforms and services that constitute the Biofourmis Service and does not provide healthcare services.
• We use your personal data to provide, personalise and improve our services, websites, apps, and devices; to promote and demonstrate devices and services; and to address customer support needs. Your personal data is also used and shared as required by law or in connection with legal matters. The Partner is the "controller" of personal data relating to your health (and other Sensitive Data, defined below); if we process that data, we normally do it just on their behalf.
• Data is shared with other Group companies for these purposes, as well as a number of service providers and partners. In the event of a sale of all or part of our business, your personal data will (to the extent permitted by law, and subject to us obtaining any necessary consents from you, if required by applicable law) be transferred to the new owner.
• Where we rely on your consent, you can withdraw this consent at any time. Where permitted by applicable law, you can also object to other processing of your personal data.
• We can be required or requested to collect, retain and in some cases share Sensitive Data without your consent, for example by public authorities monitoring the prevalence of infectious diseases.
• The full Notice, below, sets out more details of this processing, and details of your data protection rights.

2. What information do we collect about you?

If you are a user of the Biofourmis Service, we may collect personal data about you. "Personal data" is information that can be related to an identified or identifiable person. The type of information collected depends on the type of user you are.

• If you are a patient, we aim to only collect personal data (such as sex and age) that does not include your physical address.
• If you are a medical professional (e.g. clinician, doctor, nurses, etc.), we may collect personal data such as your name, email address, phone number, role and country of residence so that we can contact you with regards to your and your patient's use of the Biofourmis Service.

We will also collect information about consents you give us, and customer service notes and other records.

We will indicate if the collection and provision of certain categories of personal data is mandatory. For any such categories, we may not be able to provide you with access to the Biofourmis Service, or to parts of it, if you do not provide us with the required information.

Please see below for more details on the types of personal data that we may collect from you.

When you (as a patient) activate an App

When activating an App, you may be asked to enter personal data about yourself, such as user name, password and email address.

Depending on the specific Device you use, it can also collect Sensitive Data such as your heart rate, respiration rate, blood pressure and weight on an ongoing basis and transmit this data to our Partner and the people in charge of your care. However, as explained at the outset of this Notice, we only handle that Sensitive Data as directed by (and on behalf of) our Partner, or as required by law; they are the "controller" of the processing of your Sensitive Data, and therefore you should read their Privacy Notices to understand how they handle the Sensitive Data, or how they ask us to handle it on their behalf.

When you provide personal data, you must ensure that such personal data is your own and does not relate to a third party. Therefore, please do not share devices or accounts with anyone, and make sure you log out of shared devices.

When medical professionals create a Biofourmis account

When you create a Biofourmis account, we ask for some personal data, including your name, email address and telephone number.

When you sync your data

As the Partner's Privacy Notice explains to you, when you sync your data, your Sensitive Data recorded on your Device is transferred from your Device to our servers, where we process it on the Partner's behalf. Each time you sync your data, we log data about the transmission, and use that technical data ("log data") for our own purposes (in other words, we are "controllers" of the log data, and use it in accordance with this Notice – unlike the Sensitive Data that was synchronized). Some examples of the log data are the sync time and date, device series number, device battery level and the IP address used when syncing.

When you contact us for help

Whenever you contact Biofourmis for help, we collect your name and email address along with additional information you provide in your request so that we can provide you with assistance and improve the Biofourmis Service. Please do not include Sensitive Data in your messages to us.

Information from third parties

We may obtain personal data about you from third party sources (e.g. healthcare providers, insurance providers, etc.) when that is necessary to provide you with the Biofourmis Service. We may also obtain information about you from people that contact us, e.g. concerned family members or public officials. Examples of personal data we may obtain from third party sources include your name and contact details.

3. How we use your personal data

In connection with the Biofourmis Service, Biofourmis will process your Sensitive Data on behalf of the Partner (the "controller" of that data, under applicable data protection law), and their Privacy Notice will provide further information about this. They will instruct us to anonymise Sensitive Data, at which point it is no longer personal data, and can be used for things like analytics, population health, and the testing, development or demonstration of products and services, without privacy or confidentiality risks to you. We will not (and cannot) re-identify anonymised Sensitive Data unless instructed to do so by the Partner, or if it is required by applicable law, or if you consent.

We process personal data in order to enter into and perform our contract (the Terms of Use) with you. This includes using personal data to:

• verify your identity to provide you with access to the Biofourmis Service (e.g. generating one-time passwords “OTP”);
• secure and facilitate your creation of a Biofourmis account; and
• provide support.

We will process personal data as required or authorized by applicable law, for instance to:

• comply with court orders, or with mandatory requests from permitted regulatory authorities, e.g. regarding disease or virus management; and
• maintain business or compliance records.

Where permitted by applicable law, we will process personal data when it is in your or another personal's vital interests.

Where permitted by applicable law, we will process personal data where there is a public interest in us processing the data (e.g. sharing data to help track disease patterns or trends); or where we or someone else has another overriding "legitimate interest" (provided it is applicable in your country), e.g.:

• To maintain and test the security and adequate performance of our services and systems;
• To study how people use services and devices, and analyse the performance and characteristics of devices (e.g. devices on which the Mobile App is installed), to find ways to better to serve their needs and improve our service offering;
• To demonstrate and promote existing and new services and devices;
• To provide products and services to you and/or our clients, including in connection with account opening and maintenance (other than pursuant to a contract with you for those services);
• To communicate with you and verify your identity when you contact us or when we contact you;
• To manage and administer our or any Group business and improve relationships with you and our clients;
• To investigate and respond to any complaints about us or our or any Group company's business;
• To meet requirements or requests of laws or public authorities in other parts of the world;
• To assign or subcontract, procure goods or services for, or to outsource any part of our normal business functions (or the normal business functions of any other Group company) to third parties;
• For the establishment, exercise or defence of legal claims;
• In order to protect and enforce the rights, property or safety of us, our business, any Group company, our clients or others (where permitted by applicable law);
• For any other purpose that we specifically tell you about (or that someone tells you about on our behalf).

Even if we or third parties have a legitimate interest (provided it is applicable in your country) in a proposed use of your personal data, this does not automatically mean we can engage in that use; companies must also consider your own interests, for instance risks to your privacy.

If you have any questions, or would like to object to data processing based on "legitimate interests" (provided it is applicable in your country), or have any concerns about our use of your personal data, you can get in touch using the contact details set out below. We will respond to any concerns you may have within 30 days.

In certain jurisdictions, consent is the primary ground on which personal data may be processed. In those jurisdictions, processing personal data in connection with legitimate purposes is not recognised as an accepted ground on which personal data may be processed. Accordingly, if you are a resident in such a jurisdiction, you agree that consent will be the ground on which we will process your personal data instead of legitimate purposes (as detailed above).

In other cases, we may process data if you explicitly consent. We will make the purpose of such processing clear to you when we are obtaining your consent.

Wherever we rely on your consent to process your data for a particular purpose, you will always be able to withdraw that consent, although there may be remaining (lawful) reasons for processing your data for other purposes (such as those set out above, if applicable in your jurisdiction). You will be able to revoke consent either using controls made available to you on the Biofourmis Services or your device, or by contacting us using the Contact details below. Note that if you revoke a consent, certain features or activities that depended on that consent may no longer be able to function.

4. Who will we share this data with, where and when?

We will share your personal data internally and between Group companies involved in our business, as necessary for the purposes described above.

Personal data may be shared with your carers, insurer, or with regulators, health authorities, law enforcement officials, courts or parties to litigation if required for the purposes above, for example if required by law or for the protection of our, your or a third party's interests, such as for complying with applicable rules, preventing or prosecuting fraud, or establishing, defending or exercising legal claims. If you have a bad experience (e.g. an adverse safety event) when using a product, we may inform the manufacturer, distributor or relevant regulator for such product.

Personal data will also be shared with third party service providers, who will process it on behalf of our Group for the purposes identified above. In particular, we use third parties for services including website hosting; IT maintenance; customer support and call centre operation; identity and fraud checking; shipping and returns; manufacturers or suppliers.

In the event that the business is sold or integrated with another business, your details may (to the extent lawfully permitted) be disclosed to advisers, and eventually to the new owners of the business.

Transfer requirements under UK and EU data protection law

If personal data is transferred outside the UK or of the European Economic Area, and the recipient is in a country that is not subject to an "adequacy decision" by the EU Commission or equivalent, that personal data will so far as possible be subjected to additional safeguards provided by officially-approved standard contractual clauses, an appropriate Privacy Shield certification (or similar), or a vendor's Processor Binding Corporate Rules. More details, such as a copy of the relevant safeguards, can be obtained by contacting us at the details provided below. Note that those additional safeguards may not be available in all circumstances, for example in the case of (i) disclosures to foreign authorities, (ii) where an urgent data transfer is necessary in your or another person's vital interests, or (iii) where you have expressly consented to the data transfers.

Transfer requirements under Australia data protection law

If you are located in Australia, we may disclose your personal information to entities in the United States, the UK and the European Economic Area, India and Singapore.

Transfer requirements under Singapore data protection law

If you are located in Singapore, we may disclose your personal information to our affiliates and other entities located outside of Singapore. Some of these countries may not have the same or substantially similar privacy laws than those of Singapore. In those circumstances, Biofourmis will ensure that recipients in those countries will provide you with a standard of protection that is at least comparable to the protection of your home jurisdiction.

Transfer requirements under Taiwan data protection law

If you are located in Taiwan, we may disclose your personal information to our affiliates and other entities located outside of Taiwan, unless restricted by government authorities. Some of these countries may not have the same or substantially similar privacy laws than those of Taiwan. In those circumstances, Biofourmis will ensure that recipients in those countries will provide you with a standard of protection that is at least comparable to the protection of your home jurisdiction.

5. Retention of your personal data

Where we process registration data, we do this for as long as you are an active user of our Services and for 6 years after this.

Where we process personal data for marketing purposes or with your consent, we process the data until you ask us to stop and for a short period after this (to allow us to implement your requests). We also keep a record of that request indefinitely, so that we can continue to respect your request in future.

Where we process personal data for site security purposes, we retain it for 6 months.

Where we process personal data in connection with performing a contract (including our terms of service, or individual transactions), we keep the data for 6 years from your last interaction with us.

We retain accounting records for the minimum periods or, where applicable, the maximum periods specified by applicable law pertinent to those records

The above periods may not apply in all cases, for instance we may need to lengthen or reduce the amount of time we keep data, for legal reasons.

6. Your rights

Under UK and EU data protection law

You normally have the right:

• to ask us for a copy of personal data about you;
• to correct or delete that personal data;
• to restrict the processing of that personal data;
• in the case of personal data you provided, or which is used to perform a contract with you, to obtain a "portable" copy of that personal data and to ask us to share that data with another organisation.

In addition, you can object to the processing of your personal data in some circumstances (in particular, where we do not have to process the data to meet a contractual or other legal requirement, or where we are using the data for direct marketing).

Under Australian, Hong Kong and Singapore data protection law

You normally have the right to ask us for a copy of personal data about you, or to correct that personal data. We may charge a fee for providing access to personal data about you.

Under Taiwan law

You normally have the right:

• to make an inquiry of and to review your personal data;
• to ask us for a copy of that personal data;
• to correct or supplement that personal data;
• to demand the cessation of collection, processing or use of that personal data; and
• to delete that personal data.

We may charge a fee for providing access to personal data about you.

Under data protection laws generally

These rights may however be limited, for example if fulfilling your request would reveal personal data about another person, would infringe the rights of another person or legal entity (including our rights), or if you ask us to delete or change data which we are required by law to keep (or have other compelling legitimate interests in keeping). We will inform you of relevant exemptions we rely upon when responding to any request you make.

To exercise any of these rights, or to obtain other information, you can get in touch with us – or our data protection officer – using the details set out below.

Deletion of your account with us or uninstalling a Mobile App will not automatically delete all personal data held about you. If you would like to request that we delete all personal data together with the deletion of your account, please contact us using the details below. Our ability to comply with your deletion request is subject to any applicable legal, contractual or other requirement to maintain certain records.

As previously noted, in respect of Sensitive Data, you must direct your questions, concerns and requests to our Partner or to persons looking after your care. They make the key decisions about the handling of your Sensitive Data, which means that we cannot act on Sensitive Data requests unless they or the law require it.

7. Security of your personal data

We will maintain appropriate technical and organisational measures to protect the confidentiality, integrity and availability of personal data. However, any device or application connected to the Internet is susceptible to a security breach, despite the level of administrative, technical, and physical safeguards employed. This means that there is a risk that unauthorized persons may be able to access, read and/or modify your personal data.

You are responsible for keeping your password confidential. Do not share your password with anyone.

Please contact us immediately if you become aware or have reason to believe there has been any unauthorized use of your personal data in connection with the Biofourmis Service.

8. Cookie Policy

Some of the information that we collect will not directly identify you but will instead track your use of the Biofourmis Service so that we can better understand how the Biofourmis Service is used by end users and in turn enhance and improve your experience in using the Biofourmis Service. This information can be obtained through the use of cookies, or similar technologies, such as "local storage objects". Cookies are a small data file transferred to your device that recognises and identifies your device and allows your device to 'remember' information for future use. We may collect technical information from your web browser or mobile device or your use of our services through a web browser or mobile device, for example, performance data about your device, carrier/operating system including device and connection type and IP address.

You have a number of options to control or limit how we and our partners use cookies and similar technologies.

• Although most browsers and devices accept cookies by default, their settings usually allow you to clear or decline cookies. If you disable cookies, however, some of the features of the Biofourmis Service may not function properly.
• To prevent your data from being used by Google Analytics, you can install Google’s opt-out browser add-on by visiting https://tools.google.com/dlpage/gaoptout.

9. Changes to our Privacy Policy/Notice

Biofourmis reserves the right to amend all or any part of this Notice. Any changes will be communicated to you through Biofourmis Service and/or, where appropriate, through e-mail notification. 

10. Other Apps

The Apps may have links to other apps or websites. We are not responsible for the security or privacy of any information collected by such apps or websites and, while we do not permit those apps or websites to track your use of the Biofourmis Service, we are unable to control whether such tracking mechanisms are implemented by those apps or websites. You should exercise caution and review the privacy statements applicable to the third-party websites and services you use. The use of online tracking mechanism by those third-party websites and services is subject to those third parties' own privacy policies, and not this Notice.

11. Effect of Notice

This Notice applies in conjunction with any other policies, notices, contractual clauses and consent statements that apply in relation to the collection, use and disclosure of your personal data by us.

12. Contact Us

All comments, queries and requests relating to our use of your personal data are welcomed and should be addressed to our Privacy Officer at privacy@biofourmis.com.

Our registered office address is 2 Venture Drive, Vision Exchange #23-01, Singapore 608526.

If you believe that your privacy rights have been violated, please contact us. We will not take action against you for filing a complaint. You also may file a complaint with your local data protection regulatory authority. Relevant data protection authorities in the EU are listed here: https://edpb.europa.eu/about-edpb/board/members_en.

This Notice is effective as of September 2020