HFX iQ Patient Application Privacy Notice

Effective June 2023

1. Controller and Scope of Processing Activities

This privacy notice (“Notice”) describes how Nevro Medical Ltd. (“Nevro”, “us” or “we”) collects and processes patient (“Patient”, “you”, “your” or “yours”) information obtained when using the App (“Personal Data”). We are committed to protecting the privacy of our customers and patients.

This Notice may be amended and replaced from time to time and Nevro will notify you of material amendments in advance of such amendments becoming effective.

Nevro’s contact details are the following:

Controller’s name: Nevro Medical Ltd.
Address: Fourth Floor St James House, St James’ Square, Cheltenham, Gloucestershire GL50 3PR, United Kingdom
Contact details: you can reach Nevro’s privacy team at: [email protected]

EU Data Protection Representative: Nevro Germany GmbH
Address: c/o Rüter & Partner, Prielmayerstraße 3, 80335 Munich, Germany
Contact details: [email protected]

2. Collection of Personal Data

We process Personal Data that is collected directly from you when you input Personal Data into the App. We also automatically collect Personal Data, such as device-related data, when you interact with the App.

We collect and process the following Personal Data:

  • (a) Basic identification information and contact details: your name, mobile telephone number, address, e-mail address, Nevro patient ID, date of birth;
  • (b) Information about your health: pain scores and outcomes data (activity level increase or decrease, medication increase or decrease, overall pain relief), other information you input into forms or text boxes in the App, effectiveness of particular programming settings, desired activities;
  • (c) Data about your Nevro device: unique device identifier (medical device model and serial number), programming history, device diagnostics, device programming settings;
  • (d) Usage data: data about your activities and use of the App, usage history, browser history, IP address;
  • (e) Data about your mobile device: device ID, operating system, browser type, other device or network information.

3. Use of Personal Data

We may process your Personal Data for the purposes set out below:

  • (a) To enroll you into the App for account activation and to communicate with you (including to provide you with customer support);
  • (b) To provide you with the therapy optimization services;
  • (c) To provide you with technical support;
  • (d) To provide, maintain, and increase the safety and security of the App, including uploading patches to the App;
  • (e) To operate, maintain, improve, provide, create, and develop all of the features and functionalities (new and existing) found on the App or other Company products;
  • (f) To comply with regulatory obligations and other legal obligations.

We may process your Personal Data in reliance on the legal bases set out below:

  • (a) Necessary to enter into and perform the Terms of Use with you (Article 6(1)(b), GDPR);
  • (b) Nevro has a legitimate interest to maintain an ongoing relationship with you and to support the ongoing maintenance of your Nevro device (Articles 6(1)(f) and 9(2)(h), GDPR);
  • (c) Necessary to maintain a customer relationship entered into by you accepting the Terms of Use (Article 6(1)(b), GDPR);
  • (d) Nevro has a legitimate interest to ensure that its products and services are safe and reliable (Article 6(1)(f), GDPR);
  • (e) With your consent (Article 6(1)(a), GDPR); and
  • (f) Nevro has a legitimate interest to research how you use the App to develop updates, improvements and upgrades in the future (Article 6(1)(f), GDPR).

You have a right to object to the processing of your Personal Data where that processing is carried out for Nevro’s legitimate interests. Please note however that we may not be able to fulfil this request in all instances.

You are able to request a copy of the legitimate interest assessment carried out by us. Where we need to collect the above-mentioned categories of Personal Data by virtue of a legal obligation or in light of a contract entered or to be entered into with you, and you do not provide this Personal Data when requested, we may not be able to comply with our legal obligations, provide you with a service or perform the contract we have or are trying to enter into with you. In such a case, we may have to terminate our relationship with you.

4. Sharing of Personal Data with Third Parties

Nevro may disclose certain Personal Data for the above purposes to the following third-party recipients:

We disclose your Personal Data to service providers and partners who work on our behalf, such as:

  • (a) Analytics partners that provide analytic data resources such as crash reports, including Snowflake (https://www.snowflake.com/en/) and DataDog (https://www.datadoghq.com/);
  • (b) Service providers of cloud computing and storage facilities and resources to store the Personal Data, including Salesforce (https://www.salesforce.com/eu/) and Amazon Web Services (https://aws.amazon.com/).

We also disclose your Personal Data to Nevro’s affiliates, including Nevro Corp. (in the U.S.), and to physicians and other medical staff that provide healthcare and treatments to you.

Your Personal Data may also be transferred as part of a bankruptcy, merger, acquisition, reorganization, or sale of Nevro’s assets if we are involved in such a transaction, including any evaluation of such a transaction.

We may disclose your Personal Data if we believe it is necessary to comply with law, regulation, legal process, or governmental requests such as court orders, subpoenas, or warrants in the manner allowed by law. We also may disclose your Personal Data when we believe, in good faith, that disclosure is appropriate or reasonably necessary to: (i) protect Nevro from fraudulent, abusive, or unlawful uses; (ii) investigate and defend ourselves against third-party claims or allegations; (iii) protect the security or integrity of Nevro; or (iv) protect your rights, property, or safety, or those of Nevro or of others.

5. International Transfers

Your Personal Data may be stored in and transmitted to countries outside the EEA/UK, including the United States of America, which are not currently considered by the European Commission and/or UK Government to provide an adequate level of data protection. In these circumstances, Nevro will take steps to ensure that the Personal Data is protected, including by entering into Standard Contractual Clauses (“SCCs”) with the recipient, seeking assurances from the recipient that they have Binding Corporate Rules in place, or otherwise relying on a derogation for the transfer (e.g., where the transfer is necessary for the defense of legal claims). We have entered into SCCs for transfers of Personal Data to our affiliates outside of the EEA/UK.

You may request a copy of the standard contractual clauses and/or further information in relation to international transfers by contacting Nevro at [email protected].

6. Retention of your Personal Data

Your Personal Data will be stored for as long as necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any legal, accounting or reporting requirements, including statutory retention obligations.

To determine the appropriate retention period, the amount, nature and sensitivity of the Personal Data are considered, together with the necessity and purposes for the processing (including whether such purposes can be achieved through other means) and the potential risk of harm from unauthorized use or disclosure of the Personal Data. In exceptional cases your Personal Data may need to be kept for longer periods of time, for example due to ongoing litigation procedures, or where the law requires us to do so.

7. Data Security

We take reasonable steps and use industry standard security safeguards of a physical, electronic and procedural nature to protect Personal Data from loss and unauthorized access, modification, disclosure, inappropriate alteration or misuse.

You should be aware, however, that no method of transmission over the Internet or method of electronic storage is completely secure. Data security incidents and breaches can occur due to a variety of factors that cannot reasonably be prevented; therefore, our safeguards may not always be adequate to prevent all breaches of security.

8. Your Rights

Subject to restrictions or limitations, you have certain rights with respect to your Personal Data, as follows:

  • Right of access – to obtain information regarding the processing of your Personal Data, including the right to obtain a copy of the processed Personal Data;
  • Right to rectification – to request amendments to any inaccurate Personal Data or to complete any incomplete Personal Data;
  • Right to erasure – to request the deletion of your Personal Data that we hold. However, we may not always be able to delete your Personal Data for legal and regulatory reasons;
  • Right to restriction of processing – to request that we restrict or suppress the processing of your Personal Data which means that whilst we are permitted to store the Personal Data we cannot otherwise process it;
  • Right to object to the processing of your Personal Data – to object to the processing of your Personal Data which we carry out in reliance on our legitimate interests;
  • Right to withdraw your consent to the processing of your Personal Data – note that withdrawing your consent may prevent us from further providing all or part of our services to you but does not affect the lawfulness of our processing of your Personal Data based on such consent before the withdrawal; and
  • Right to data portability – to receive certain Personal Data that you have provided to us in a machine-readable form and/or to have us transmit it to a third party with your express authorisation.

You can exercise your data subject rights by submitting a request at the link at the top of Nevro’s Online Privacy Notice available here: https://nevro.com/English/en/privacy/default.aspx or by emailing us at [email protected].

9. Contact Details

You may contact our Data Privacy Officer if you have any inquiries or feedback on our Personal Data protection policies and procedures, or if you wish to make any request, by reaching out to us at [email protected].

Please click “Accept” to electronically sign this document and accept these Terms of Use as well as the Privacy Notice and the Online Privacy Notice (https://nevro.com/English/en/privacy/default.aspx).