STRATX® PRIVACY NOTICE
Last modified: February 11, 2022
This Privacy Notice informs you of important information about how Pulmonx International Sarl (“we”, “us”, “Pulmonx” or “Company”) processes data, including personal data, that we collect directly or indirectly through the portal hosted at https://www.PulmonxStratX.com and associated web pages (the “Website”) and the StratX® Lung Analysis Platform made available therein (collectively, the “Platform”). Please read this Privacy Notice carefully to understand our policies and practices regarding your information and how we will treat it. The StratX® Terms of Service, including definitions of certain capitalized terms, are available online at https://www.PulmonxStratX.com (“Terms”).
The words “Customer” or “You” refers to the Customers using the Platform or the Website.
We may update this Privacy Notice and/or the Terms from time to time and in our sole discretion. We encourage Customers to check this page and the Terms frequently for any changes to them.
StratX® is a cloud-based quantitative computed tomography (“CT”) analysis service that supports patient selection and treatment targeting using Pulmonx products by providing information on emphysema destruction, fissure completeness and lobar volumes and procedural success based on post-treatment scans. The Platform allows Pulmonx Customers to upload fully de-identified/pseudonymised lung CT scans for patients that it wishes to be assessed for potential use of the Zephyr Valve or other Pulmonx products, or for post-implantation revisions (“Scans”). Pulmonx then generates a report, including associated data and information, unique to that Scan which contains, among other things, tabulated data on fissure completeness by lobe, destruction score by lobe, and inspiratory lobar volume by lobe and valve occlusion status by airway (the “Report”). Pulmonx makes StratX® available to regular Pulmonx Customers.
This Privacy Notice describes the types of information we may collect through the Platform and our practices for collecting, using, maintaining, protecting, and disclosing that information. This Privacy Notice applies to information we collect through the Platform. It does not apply to information collected by us offline or through any other means, including on any other website operated by Company or any third party; or any third party, including through any application or content (including advertising) that may link to or be accessible from the Platform.
Pulmonx acts as a data controller for the processing of personal data performed within the scope of its direct relationship with its Customers (physicians and healthcare practitioners) and acts as a data processor for the processing of personal data performed on behalf of its Customers (physicians and healthcare practitioners).
Information We Collect About You and How We Collect It
We collect several types of information from and about users of our Website and Platform, including information:
- By which you may be personally identified, such as an individual’s name, username / email address, first name, last name and name of affiliated institution (“personal data”); and
- About your internet connection, the browser or other equipment you use to access our Website, and usage details.
We collect this information:
- Directly from you when it is provided to us.
- Automatically as you navigate through the Platform. Information collected automatically may include usage details, internet connection information, such as the IP address of your computer and/or Internet service provider, the date and time you access the site and information collected through cookies, web beacons, and other tracking technologies.
- From third parties, for example, our business partners.
Information You Provide to Us
The information we collect on or through the Platform may include:
- Any Scans uploaded to the Platform.
- Information that you provide through the Platform.
Information We Collect Through Automatic Data Collection Technologies
As you navigate through and interact with our Website, we may use automatic data collection technologies to collect certain information. We use automatic data collection to log information about your use of our Website, which is temporarily stored in association with your account. The log data is aggregated and used to improve the Platform and to deliver a better and more personalized service.
How We Use Your Information
As a data processor, Pulmonx collects and uses personal data that you provide through the Platform and/or the Website. This can include patient reference numbers and patients’ pseudonymised personal data concerning health contained in Scans and Reports. The data concerned is: information on emphysema destruction, fissure completeness and lobar volumes and fissure completeness by lobe, destruction score by lobe, valve occlusion status by airway, and inspiratory lobar volume by lobe.
We use information that we collect about you or that you provide to us, including any personal data for the reasons set out in the table below. Under applicable data protection legislation, we may only process your personal data if we have a “legal basis” (i.e. a legally permitted reason) for doing so.
Pulmonx undertakes to process personal data concerning health only when such processing is necessary for the implementation and the performance of our services to Customers through the Platform and the Website and only for the purposes of:
- preventative medicine, medical diagnosis, care or social and medico-social monitoring activities, carried out by Customers as members of a health profession, or by another person to whom the duty of professional secrecy is imposed by reason of their duties on behalf of a Customer or on behalf of patients; and
- studies on the basis of the data collected as described above in the course of preventative medicine, medical diagnosis, care or social and medico-social monitoring activities when these studies are carried out by the Customers and intended for their exclusive use.
Pulmonx may also anonymize all such personal data concerning health then use all such anonymized data for its internal purposes, including for the research and development of its products and services.
|Why We Use Your Information||The legal basis for processing personal data is...|
|To present the Platform and its contents to you.||for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract.|
|To generate Reports based on the Scans.|
|To provide you with information, products, or services that you request from us.|
|To facilitate diagnostic and treatment discussions.|
|Share Scans and Reports within our organization and with third parties as appropriate.|
|Transfer Scans and Reports among cloud servers as reasonably necessary.|
|To fulfill any other purpose for which you provide it.||for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract. Outside of such, this processing is necessary for the legitimate interests we pursue, subject to you raising an objection, requiring us to check that our interest in the processing is not overridden by the resulting risk to your rights and freedoms.|
|To notify you about changes to our Website or any products or services we offer or provide though it.|
|In any other way we may describe when you provide the information.|
|For research purposes in order to improve and develop our products and new products.|
|For any purpose required by applicable law.||this is necessary to comply with our legal obligations, including obligations relating to the protection of personal data.|
How Long We Keep Your Information
We will keep personal data and information we collect only for:
- as long as it is necessary, and six years thereafter (if legally permissible) where the legal basis for the processing is that it is necessary for the performance of the contract between us;
- as long as it is necessary, and six years thereafter (if legally permissible) where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests;
- as long as it is necessary, where the legal basis for the processing is that it is necessary to comply with our legal obligations; or
- six years or until consent is withdrawn (whichever is sooner), where the legal basis is express consent.
The periods set out above apply unless we are required to hold information or personal data for longer periods in order to comply with our legal or regulatory obligations.
Disclosure of Your Information
We may disclose (deidentified) aggregated information about you, and information that does not identify any individual, without restriction, including pursuant to the uses discussed above. We may disclose personal data that we collect or you provide as described in this Privacy Notice:
- To our subsidiaries and affiliates.
- To contractors, service providers, and other third parties we use to support the Platform to deliver you products and services and need access to such personal data or information to carry out their work for us; for example, we may partner with other companies to fulfill requests, optimize our services, send newsletters and marketing emails, support email and messaging services, and analyze information.
- To a buyer or other successor in the event of a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of Pulmonx’s assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal data held by Pulmonx about the Platform Users is among the assets transferred.
- To fulfill the purpose for which you provide it.
- For any other purpose disclosed by us when you provide the personal data or information.
- With your consent.
We may also disclose your personal data:
- To comply with any court order, law, legal process, or regulatory requirement including to respond to any government or regulatory request or support improvements to the Platform.
- To enforce or apply our Terms and any other agreements with you.
- To conduct our business, including managing our contractual relationships, monitoring access to our websites, and managing safety and security risks.
Your Consent To Processing
As noted above, you will be required to give consent to certain processing activities before we can process your personal data and information you provide, as set out in this Privacy Notice. Where applicable, we will seek this consent from you when you first submit personal data to or through the Platform.
If you have previously given consent you may freely withdraw such consent at any time. You can do this by notifying us in writing (see contact details below).
If you withdraw your consent, and if we do not have another legal basis for processing your personal data and information, then we will stop processing that personal data and information. If we do have another legal basis for processing your personal data and information you provide then we may continue to do so subject to your legal rights.
Please note that if we need to process your personal data or information you provide in order to operate the Platform and/or provide our services, and you object or do not consent to us processing that personal data and information, the Platform and/or those services may not be available to you.
Choices About How We Use and Disclose Your Information
We strive to provide you with choices regarding the personal data you provide to us. We have created mechanisms to provide you with the following control over your information and personal data:
We seek to use reasonable organizational, technical and administrative measures to protect personal data within Pulmonx. Unfortunately, no data transmission or storage system can be guaranteed to be secure at all times. If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us in accordance with the “Contact Us” section below.
From time to time we may need to store and/or transfer your information to other countries, which may include countries outside the European Economic Area, which comprises the EU member states plus Norway, Iceland and Liechtenstein (“EEA”). Non-EEA countries that we may need to store and/or transfer your personal data and information you provide to may include Switzerland and the USA, because we have group companies based there.
Such countries may not have similar protections in place regarding protection and use of your data as those set out in this Privacy Notice. Therefore, if we do transfer your personal data and information you provide to countries outside the EEA we will take reasonable steps in accordance with applicable data protection legislation to ensure adequate protections are in place to ensure the security of your personal data and information you provide, including:
- use of approved contractual clauses;
- ensuring that we only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission;
- where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between Europe and the US;
- ensuring that we only transfer your personal data and information to persons or entities that are appropriately authorised and/or accredited to process personal data in compliance with applicable law; and
- taking reasonable steps to ensure that any overseas recipient will deal with your personal data in a manner that is consistent with this Privacy Notice.
By submitting your personal data and information to us in accordance with this Privacy Notice you consent to these transfers for the purposes specified in this Privacy Notice.
If you are an individual whose personal data is protected under the General Data Protection Regulation 2016/679 or other applicable data protection legislation, this section sets out your legal rights in respect of any of your personal data that we are holding and/or processing. If you wish to exercise any of your legal rights you should put your request in writing to us (using our contact details below) giving us enough information to identify you and respond to your request.
You have the right to request access to information about personal data that we may hold and/or process about you, including: whether or not we are holding and/or processing your personal data; the extent of the personal data we are holding; and the purposes and extent of the processing.
You have the right to have any inaccurate personal data we hold about you be corrected and/or updated. If any of the information that you have provided changes, or if you become aware of any inaccuracies in such information, please let us know in writing giving us enough information deal with the change or correction.
You have the right in certain circumstances to request that we delete all personal data we hold about you (the ‘right of erasure’). Please note that this right of erasure is not available in all circumstances, for example where we need to retain the personal data for legal compliance purposes. If this is the case, we will let you know.
You have the right in certain circumstances to request that we restrict the processing of your personal data, for example where the personal data is inaccurate or where you have objected to the processing.
You have the right to request a copy of the personal data we hold about you and to have it provided in a structured format suitable for you to be able to transfer it to a different data controller (the ‘right to data portability’). Please note that the right to data portability is only available in some circumstances, for example where the processing is carried out by automated means. If you request the right to data portability and it is not available to you, we will let you know.
You have the right in certain circumstances to object to the processing of your personal data. If so, we shall stop processing your personal data unless we can demonstrate sufficient and compelling legitimate grounds for continuing the processing which override your own interests. If, as a result of your circumstances, you do not have the right to object to such processing then we will let you know.
You have the right in certain circumstances not to be subject to a decision based solely on automated processing, for example where a computer algorithm (rather than a person) makes decisions which affect your contractual rights. Please note that this right is not available in all circumstances. If you request this right and it is not available to you, we will let you know.
You have the right to object to direct marketing.
If you have questions, comments, or concerns about this Privacy Notice or our privacy practices, or if you would like to request to update your information, other than as provided above, please send an email to info@PulmonxStratX.com, write us at: Pulmonx, Rue de la Treille 4, 2000 Neuchâtel, Switzerland, or call us at +41 32 475 20 70.
If you think we have breached applicable local privacy law, or you wish to make a complaint about the way we have handled your personal data, please contact us using the contact details above. We may ask you to put your complaint in writing and to provide relevant details.
If you disagree with our decision, you also have the right to lodge a complaint with a supervisory authority, which for
- the UK is the UK Information Commissioner’s Office (“ICO”). Complaints can be submitted to the ICO through the ICO helpline by calling 0303 123 1113. Further information about reporting concerns to the ICO is available at https://ico.org.uk/concerns/;
- Switzerland is the Federal Data Protection and Information Commissioner (FDPIC / EDOEB). Please find the respective contact details under www.edoeb.admin.ch