STRATX® PRIVACY NOTICE
Last modified: November 2023
This Privacy Notice informs you of important information about how Pulmonx Corporation and its affiliate companies (“we”, “us” or “Pulmonx”) processes personal data, that we collect directly or indirectly through the portal hosted at https://www.PulmonxStratXUSA.com and/or https://www.PulmonxStratX.com associated web pages (the “Website”) and the StratX® Lung Analysis Platform made available therein (collectively, the “Platform”). Please read this Privacy Notice carefully to understand our policies and practices regarding your information and how we will treat it. The StratX® Terms of Service, including definitions of certain capitalized terms, are available online on the Website (“Terms”).
If you are a California resident, please see Section 11 for information provided pursuant to the California Consumer Privacy Act.
We may update this Privacy Notice from time to time in which case we will post such changes on our website and, in the event of material changes including to the purpose, we will bring this to your intention, for example by emailing you using the contact details we have been provided with.
The words “Customer” or “You” refers to the customers using the Platform or the Website being health care professionals rather than patients.
StratX® is a cloud-based quantitative computed tomography (“CT”) analysis service that supports patient selection and treatment targeting using Pulmonx products by providing information on emphysema destruction, fissure completeness and lobar volumes and procedural success based on post-treatment scans. The Platform allows Customers to upload /pseudonymised lung CT scans for patients that it wishes to be assessed for potential use of the Zephyr Valve or other Pulmonx products, or for post-implantation revisions (“Scans”). Pulmonx then generates a report, including associated data and information, unique to that Scan which contains, among other things, tabulated data on fissure completeness by lobe, destruction score by lobe, and inspiratory lobar volume by lobe and valve occlusion status by airway (the “Report”).
Pulmonx acts only as a data controller for the processing of personal data of its Customers (physicians and healthcare practitioners) and this Privacy Notice only covers that processing. Pulmonx acts only as a data processor for the processing of pseudonymised personal data contained in the Scans and Reports where it acting on the instructions of Customers and only processes such data in the context of providing services to such Customers.
2. Information We Collect About You and How We Collect It
We collect several types of information from and about Customers which falls into two key categories:
- Information by which you may be personally identified, such as an individual’s name, username / email address, first name, last name and name of affiliated institution.
- Information about your internet connection, the browser or other equipment you use to access our Website, and usage details which may indirectly identify you.
We collect this information:
- Directly from you when it is provided by you to us.
- Automatically as you navigate through the Platform. Information collected automatically may include usage details, internet connection information, such as the IP address of your computer and/or Internet service provider, the date and time you access the site and information collected through cookies, web beacons, and other tracking technologies.
- From third parties, for example, our business partners.
3. Information You Provide to Us
The information we collect on or through the Platform comprises your name and contact details and log in credentials.
4. Information We Collect Through Automatic Data Collection Technologies
As you navigate through and interact with our Website, we may use automatic data collection technologies to collect certain information. We use automatic data collection to log information about your use of our Website, which is temporarily stored in association with your account. The log data is aggregated and used to improve the Platform and to deliver a better and more personalized service.
The technologies we use for this automatic data collection may include Cookies (or browser cookies). A cookie is a small file placed on the hard drive of your computer. Depending on your jurisdiction, you can use the cookie preference tool presented to you in order to select your preferences or you can adjust your browser settings.
5. How We Use Your Information
We use information that we collect about you or that you provide to us, including any personal data for the reasons set out in the table below. Under data protection legislation applicable in certain jurisdictions, we may only process your personal data if we have a “legal basis” (i.e. a legally permitted reason) for doing so.
Pulmonx may also use anonymised data for its own internal purposes including for research and development.
|Why We Use Your Information
|The legal basis for processing personal data
|To provide the Platform and its contents to you including managing accounts, providing information in relation to Scans and Reports and corresponding with you in relation to such services.
|For the performance of a contract to which you are a party or in order to take steps at your request prior to entering into the contract.
|To notify you about changes to our Website or any products or services we offer or provide through it which we think may be of interest to you.
|It is necessary for the legitimate interests we pursue, in running and promoting our business.
|Analysing use of the Platform and services for product improvement and performance monitoring.
|To comply with applicable laws and defend our legal position (for example in record keeping and complaints management).
|This is necessary to comply with our legal obligations, including obligations relating to the protection of personal data and our legitimate interests in managing our business and complaints.
6. How Long We Keep Your Information
We will keep personal data and information we collect only for:
- as long as it is necessary, and six years thereafter (if legally permissible) where the legal basis for the processing is that it is necessary for the performance of the contract between us;
- as long as it is necessary, and six years thereafter (if legally permissible) where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests;
- as long as it is necessary, where the legal basis for the processing is that it is necessary to comply with our legal obligations; or
- six years or until consent is withdrawn (whichever is sooner), where the legal basis is express consent.
The periods set out above apply unless we are required to hold information or personal data for longer periods in order to comply with our legal or regulatory obligations.
7. Disclosure of Your Information
We may disclose aggregated information about you, and information that does not identify any individual, without restriction, including pursuant to the uses discussed above. We may disclose personal data that we collect or you provide as described in this Privacy Notice:
- To our subsidiaries and affiliates.
- To contractors, service providers, and other third parties we use to support the Platform but they cannot use such data for their own purposes, only to provide the relevant services to us and Customers.
- To a buyer or other successor in the event of a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of Pulmonx’s assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal data held by Pulmonx about Customers is among the assets which may be transferred.
- To any other person if we specifically disclose this to you on collection.
We may also disclose your personal data:
- To comply with any court order, law, legal process, or regulatory requirement including to respond to any government or regulatory request or support improvements to the Platform.
- To enforce or apply our Terms and any other agreements with you.
- To conduct our business, including managing our contractual relationships, monitoring access to our websites, and managing safety and security risks.
8. Data Security
We use appropriate organizational, technical and administrative measures to protect personal data within Pulmonx. Unfortunately, no data transmission or storage system can be guaranteed to be secure at all times. If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us in accordance with the “Contact Us” section below.
9. Overseas Transfers
We are based in the United States and have affiliate companies in different territories. This means that, depending on your location, your personal data may be transferred to other countries which have different or lesser data protection laws in place than your home territory.
Therefore, if we do transfer your personal data and information you provide to countries outside the EEA we will take reasonable steps in accordance with applicable data protection legislation to ensure adequate protections are in place to ensure the security of your personal data and information you provide, including:
- ensuring that we only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the relevant regulatory or administrative bodies or use of approved contractual clauses; and
- taking reasonable steps to ensure that any overseas recipient will deal with your personal data in a manner that is consistent with this Privacy Notice.
10. Your EU/UK/Swiss Privacy Rights
The rights that you have will depend on where you are located.
For the UK, European Economic Area and Switzerland, the following rights are available to you although we would note that such rights are not absolute and may be subject to certain exceptions. You can exercise them by contacting us using the contact details in this Privacy Notice.
- You have the right to request access to information about personal data that we may hold and/or process about you, including: whether or not we are holding and/or processing your personal data; the extent of the personal data we are holding; and the purposes and extent of the processing.
- You have the right to have any inaccurate personal data we hold about you be corrected and/or updated. If any of the information that you have provided changes, or if you become aware of any inaccuracies in such information, please let us know in writing giving us enough information to deal with the change or correction.
- You have the right in certain circumstances to request that we delete all personal data we hold about you (the ‘right of erasure’). Please note that this right of erasure is not available in all circumstances, for example where we need to retain the personal data for legal compliance purposes. If this is the case, we will let you know.
- You have the right in certain circumstances to request that we restrict the processing of your personal data, for example where the personal data is inaccurate or where you have objected to the processing.
- You have the right to request a copy of the personal data we hold about you and to have it provided in a structured format suitable for you to be able to transfer it to a different data controller (the ‘right to data portability’). Please note that the right to data portability is only available in some circumstances, for example where the processing is carried out by automated means. If you request the right to data portability and it is not available to you, we will let you know.
- You have the right in certain circumstances to object to the processing of your personal data. If so, we shall stop processing your personal data unless we can demonstrate sufficient and compelling legitimate grounds for continuing the processing which override your own interests. If, as a result of your circumstances, you do not have the right to object to such processing then we will let you know.
- You have a right to make a complaint as set out in more detail below.
11. Your California Privacy Rights
If you are a California resident, please note the following regarding how we collect, use, and disclose your personal information as described in this Privacy Notice in connection with the Platform, including in the previous 12 months:
- We may collect, disclose, and use for our business and commercial purposes categories of personal information as set forth in applicable California law, including: identifiers; payment and customer records information; commercial, product, and preference information; Internet or other electronic network activity information; audio, electronic or visual information; professional or employment information; and inferences. See Sections 2, 3, and 4 of this Privacy Notice for additional details.
- We may collect the following categories of sensitive personal information: information revealing your Platform account log-in, in combination with any required security or access code, password, or credentials allowing access to your account on the Platform. We use this information only to provide you with access to the Platform.
- We collect and use these categories of personal information for the business and commercial purposes described in Section 5 of this Privacy Notice.
- We collect each of the foregoing categories of personal information from the sources described in Sections 2, 3, and 4 of this Privacy Notice.
- We may disclose categories of personal information for our business and commercial purposes to the extent permitted by applicable law to the categories of parties as described in Section 7 of this Privacy Notice.
- We do not sell or share your personal data, as those terms are defined under California law. For purposes of this Section, “sell” means the sale, rental, release, disclosure, dissemination, availability, transfer, or other oral, written, or electronic communication of personal data to an outside party for monetary or other valuable consideration and “sharing” means disclosure of personal data to third parties for cross-context behavioral advertising purposes, each subject to certain exceptions in applicable law.
- We retain personal information as described in Section 6 of this Privacy Notice.
If you are a California resident, the following rights are available to you although we would note that such rights are not absolute and may be subject to certain exceptions. You can exercise them by contacting us using the contact details in this Privacy Notice.
- You have the right to request access to information about personal data that we may hold and/or process about you, including: the categories of personal information we collected about you, the categories of sources from which we collected the personal information, the categories of personal information we disclosed, our business or commercial purpose for collecting or disclosing the personal information, the categories of third parties to whom we disclosed the personal information, and the specific pieces of personal information we collected about you.
- You have the right to request that any inaccurate personal data we hold about you be corrected and/or updated. If any of the information that you have provided changes, or if you become aware of any inaccuracies in such information, please let us know in writing giving us enough information to deal with the change or correction.
- You have the right in certain circumstances to request that we delete all personal data we hold about you. Please note that we are not required to delete personal data in all 7 circumstances, for example where we need to retain the personal data for legal compliance purposes. If this is the case, we will let you know.
- We will not discriminate against you because you exercised any of these rights.
- We will take reasonable steps to verify your identity prior to responding to certain of your requests. The verification steps will vary depending on the sensitivity of the personal information.
- We may deny certain requests, or fulfil a request only in part, based on our legal rights and obligations. For example, we may retain personal information as permitted by law, such as for tax or other record keeping purposes, to maintain an active account, and to process transactions and facilitate customer requests.
- You may designate an authorized agent to make a request on your behalf. When submitting the request, please ensure the authorized agent is identified as an authorized agent. We may request additional information to verify that the authorized agent is authorized to act on your behalf.
12. Contact Us
If you have questions, comments, or concerns about this Privacy Notice or our privacy practices, or if you would like to request to update your information, other than as provided above, please send an email to stratxUSsupport@pulmonx.com or info@PulmonxStratX.com; you may also write to us at: Pulmonx Corporation, 700 Chesapeake Drive, Redwood City, CA94063 or Pulmonx, Rue de la Treille 4, 2000 Neuchâtel, Switzerland, or call us at (866) 300-4550 or +41 32 475 20 70.
If you think we have breached applicable local privacy law, or you wish to make a complaint about the way we have handled your personal data, please contact us using the contact details above. We may ask you to put your complaint in writing and to provide relevant details.
If you disagree with our decision, you also have the right to lodge a complaint with a supervisory authority, which for
- the UK is the UK Information Commissioner’s Office (“ICO”). Complaints can be submitted to the ICO through the ICO helpline by calling 0303 123 1113. Further information about reporting concerns to the ICO is available at https://ico.org.uk/concerns;
- Switzerland is the Federal Data Protection and Information Commissioner (FDPIC / EDOEB). Please find the respective contact details under www.edoeb.admin.ch