Privacy Policy

Precordior Ltd. (“Precordior”, “we”, “us”) is committed to protecting your privacy and the security of your personal data. This Privacy Policy explains how we collect, use, store, and protect personal data when you use CardioSignal or interact with us. This Privacy Policy also serves as our privacy notice under Articles 13 and 14 of the EU General Data Protection Regulation (2016/679, “GDPR”).

This Privacy Policy applies when you use CardioSignal or interact with us, including when you use the CardioSignal mobile app or CardioSignal as part of a partner service or application. It also applies when you contact us, visit our website, or participate in programs, campaigns, events, or research activities supported by Precordior.

Precordior acts as a data controller when processing personal data described in this Privacy Policy.

In some cases, you may be introduced to CardioSignal through a partner organisation (for example, a healthcare provider, insurer, research partner, or other service provider). Partners may inform you about CardioSignal, invite you to join a program, and either sponsor access to or sell access to CardioSignal Paid Content.

A partner typically acts as an independent controller for personal data it processes about you in connection with its services, and the partner’s privacy notice applies, for example, when CardioSignal is provided inside a partner’s service or application. In these situations, Precordior also processes personal data on the partner’s behalf in accordance with the partner’s instructions. Please contact the partner with any questions or requests about your personal data in this context, as described in the partner’s privacy notice.

Regardless of how you access CardioSignal, we process certain personal data as a controller to ensure that CardioSignal operates safely, securely, and reliably, and to meet our legal responsibilities.

This Privacy Policy is provided electronically. You may request a paper copy or contact us with any questions about this Privacy Policy or your personal data at support@cardiosignal.com.

1. Who collects my data and who can I contact?

Controller: Precordior Ltd.
Data Protection Officer of Precordior Ltd
phone +358102021200
Aurakatu 6
20100 Turku, Finland
www.precordior.com
support@cardiosignal.com

UK representative

DataRep
datarequest@datarep.com
(quoting <CardioSignal> in the subject line)
www.datarep.com/data-request
DataRep, 107-111 Fleet Street, London, EC4A 2AB, United Kingdom
(please ensure that the letter post request is addressed to ‘DataRep’ and not CardioSignal)

Swiss representative

DataRep
datarequest@datarep.com
(quoting <CardioSignal> in the subject line)
www.datarep.com/data-request
DataRep, Leutschenbachstrasse 95, Zurich, 8050, Switzerland
(please ensure that the letter post request is addressed to ‘DataRep’ and not CardioSignal)

Manufacturer Representative, Republic of India

Grievance Redressal Officer (GRO) and Data Protection Officer (DPO) - For India
Mr. Shankar R. Pai
GenePath Diagnostics India Private Limited
Safire Park Galleria, Pune-Mumbai Road
Wakdewadi, Shivaji Nagar, Pune 411005
Maharashtra, India
Email: contactus@genepathdx.com
Tel: +91 204 856 6661

2. Legal bases and our reasons for processing your personal data

We collect the minimum personal data needed to provide and improve our services, manage our business and meet our legal obligations. We process your data on the legal bases and for reasons described below in this section and in Section 3 of this Privacy Policy. The types of personal data that we process depend on how you use our services or interact with us.

Performing a contract with you

·       We process the personal data necessary to conclude and perform our contract with you under the applicable CardioSignal Terms of Use or End-User License Agreement, and to provide you with CardioSignal services, including any related mobile applications, CardioSignal technology inside a partner’s service or application, and cloud-based functions. If you do not provide the data required from you for this purpose, we cannot grant you access to use CardioSignal.

Your consent

·       CardioSignal collects and analyses measurement data as well as displays analysis results that qualify as health data under data protection laws, including GDPR. We therefore require your explicit consent to process this data before you start using CardioSignal. This consent is obtained during the account creation process and is necessary in order to use CardioSignal. Your consent for processing health data is mandatory in order to use the services and core functionalities of CardioSignal.

·       We also ask for your consent to send you marketing communications by email, for example, to inform you about new products and services, special offers and upcoming events.

·       We ask for your consent for the use of non-essential cookies on our website. Consent for this purpose is voluntary and does not affect your use of our website. For more details, please see our Cookie Policy (https://cardiosignal.com/cookie-policy), which explains cookie purposes and how to manage your choices.

·       We also ask for your consent to process your personal data in connection with registrations for our online or onsite seminars. We also ask for your separate consent to communicate about and organise your participation in market or other research, collection of feedback where the respondent can be identified, or to obtain testimonials (where applicable). Consent for these purposes is voluntary.

·       We also ask for your explicit consent in advance if you choose to answer the voluntary Health Background Questionnaire in CardioSignal. We use your responses together with other data we already process about you to better understand the characteristics of CardioSignal users and to develop, improve, and conduct research on our products and services. Results of such analyses may also be used in an anonymised form for scientific publications or shared insights.

·       In collaboration with our partners (for example healthcare providers and research organisations), we may ask for your explicit consent to share specific personal data we have collected about you in connection with your use of CardioSignal. This allows them to process such specific data for the purpose mentioned in the consent request.

Legitimate interest

·       We process your personal data to observe app and website usage for secure and efficient operation, to develop and improve our products and services (including developing new features), and for internal business functions, such as reporting.

·       We process your personal data to send you product and service-related communications to inform you about new features, updates, user tips, and other information relevant for the use of CardioSignal. We do this as part of our customer service to give you the best possible user experience, but also to understand our customer base better.

·       We process your personal data, including health-related data, to create anonymised and aggregated datasets. This processing is done to apply additional safeguards to protect your privacy, and to develop, improve and ensure the safety and performance of our products and services. Once the data has been anonymised, it no longer contains information that can identify you and is no longer subject to data protection laws. We use such anonymised data to produce statistical and research analyses, and to prepare scientific publications and reports.

·       We use your contact details to send you invitations to participate in customer satisfaction or feedback surveys regarding our services and events. Participation in such surveys is always voluntary. Most surveys are designed so that we review results on a group level and do not need to identify individual respondents.

·       We process business contact information of representatives of our customers, partners, suppliers, and other organisations we interact with. This processing is done to manage, conduct, and develop our business and business relationships, handle inquiries, and communicate effectively with our stakeholders for contractual and operational purposes. We may also use such business contact details to send relevant product or service-related updates and invitations as part of maintaining and developing our business relationships.

·    We also process personal data to protect against, identify and prevent fraud and other unlawful activity; to comply with and enforce any applicable obligations under the Terms of Use or End-User License Agreement for CardioSignal and this Privacy Policy; and to handle claims and liabilities.

Through a balancing test, we have assessed that our legitimate interests do not override your rights and freedoms.

Legal obligations 

·       We process the personal data necessary to meet the requirements under applicable laws, for example applicable data protection regulations and the EU medical device regulation (2017/745). This means that we, for example, process personal data to investigate and diagnose technical problems with CardioSignal and analyse data on performance and security as part of our quality control and post-market surveillance. We also process personal data as necessary to respond to and meet requests from authorities.

3. The data we collect and why

Below is a more detailed description of the categories and types of personal data we process. Please note that CardioSignal is only intended for persons that are at least 18 years old. We do not knowingly collect personal data from persons younger than that. If you believe that a person not eligible to use CardioSignal has provided us with personal data in violation of the Terms of Use and this Privacy Policy, please contact us so we can delete such information. 

User identification and contact information

·       When you register to use the CardioSignal Mobile Application, we collect your email address to create, verify, and manage your account and to provide you access to the service. The email address serves as your username and may also be used to contact you by email or push notifications (if enabled) for account-related and operational purposes (such as verification, instructions, alerts, reminders, or maintenance notices).

·       In cases where CardioSignal is used through a partner program, campaign, or collaboration project (for example, with healthcare or technology partners), we record information indicating that your registration is linked to that specific partner or project. This information may include the partner organisation’s name, program or project identifier, partner-specific internal ID, or location or locale information related to that partnership, or, where provided by the partner, a pseudonymous ID used to recognise your registration within that partner’s program.

·       When CardioSignal technology is embedded in a partner’s application, the partner manages your authentication. In these cases, CardioSignal identifies you through a unique pseudonymous identifier provided by the partner’s application instead of an email address. This identifier does not directly reveal your identity to Precordior.

·       Where applicable, your email address may also be used for customer communications and with your consent for marketing, such as newsletters or updates about our services not directly related to your customer relationship.

Business contact information

·       We process personal data of representatives of our customers, partners, suppliers, and other organisations we interact with. Such data may include name, position, organisation, contact details (such as email address, phone number, and postal address), and related correspondence. We process this information to manage and maintain our business relationships, handle inquiries, communicate about cooperation, and for other legitimate business purposes, as described under ‘Legitimate interest’ above.

General information on each measurement you make with CardioSignal 

·        To help us with post-market surveillance and support related quality control, we process certain information on each measurement that you make with CardioSignal. The table below shows the information collected for this purpose.

| Data | Description |
| --- | --- |
| Time and time zone | The date and time when the measurement was made |
| Device manufacturer | For example Apple, Samsung, Huawei, etc. |
| Device model | For example iPhone 12 |
| Operating system version | For example iOS 14 or Android 10 |
| Application version | For example 2.5.3 |

Information related to your health

·       Based on your consent, we analyse your measurement data and show you the results in CardioSignal. More specifically we process the following data:

| Data | Description | Reason |
| --- | --- | --- |
| Measurement data | Recorded motion sensor data originating from the kinetic movement reflecting the movement of the chest. | This information is collected so that we can analyse the data and show the results to you. |
| Analysis result: Signs of AFib detected/not detected; Average heart rate (HR); Error code; Quality parameters | Every measurement has a result and parameters related to the measurement quality. | This is the primary function of the app. The result is shown to you after the analysis has been completed. This is also used for post-market surveillance and support-related quality control. |

Health Background Questionnaire 

·       CardioSignal includes an optional Health Background Questionnaire. If you choose to use it, and give your explicit consent, we ask about your year of birth, weight, height, sex category and certain health conditions, such as sleep apnea, diabetes mellitus, heart failure, hypertension, prior stroke and coronary artery disease. 

·       We use these answers to understand the general characteristics of people who use CardioSignal and to develop and improve our products and services, as well as for research purposes. For example, we look at age groups and common health conditions among people who use CardioSignal. We may combine your questionnaire responses with other personal data we already process about you, such as your measurement results, how you use CardioSignal, and other data generated when you use CardioSignal.

·       Your responses are health data and are stored securely with limited access. We do not disclose your identifiable questionnaire responses to third parties. When we publish results, share insights with partners or use the data in research or scientific publications, we use only aggregated or anonymised data so that no individual can be identified.

Customer support and other information relating to the use of our services

·       When you contact us for customer support or other communication, you may share details relevant to your request, such as your device information, account ID (email address or pseudonymous identifier), contact information and any additional context you choose to provide — for example, information about app performance, the partner or campaign you are using CardioSignal through, or other issues.

Customer Relationship Management System (CRM)

·       We process the following information within our CRM system for the purposes described below. The CRM system is used to manage CardioSignal user relationships, partner-linked programs, and business communications in a secure and organised manner.

| Data | Description | Purpose/Reason |
| --- | --- | --- |
| User account and contact information | Your account details, such as your email address and, in some partner-specific implementations, limited identification or contact details (e.g., name, address, phone number, or local identifier provided by the partner to recognise you within their service environment). | Used to create, verify, and manage your account; provide you access and support; and communicate with you about your account and service use. |
| Measurement and activity information | Information about measurement activity, including latest measurement date, time, and time zone. | Used for evaluating service functionality, providing customer support, and monitoring country- or region-specific usage. Also used for automated engagement actions, such as sending reminder emails, if you have not used the service for a while. |
| Language preferences | Language you select in the app or service. | Used to communicate with you in your preferred language. |
| Marketing consent | Record of whether you have provided consent for receiving newsletters or other promotional communications. | Used to manage and respect your marketing preferences and to ensure that marketing communications are sent only if you have given consent. |
| Partnership information | Data linking you or your account to a specific partner organisation, project, or campaign (e.g., partner name, program or project identifier, internal partner ID, region or locale, or pseudonymous membership ID). | Used to manage and report on partner-specific implementations, projects, and cooperation, and to ensure correct linkage between your registration and the partner context. |
| Partnership-specific consent information | Records of consents related to specific partner projects (e.g., data sharing with the partner organisation). | Used to ensure compliance with partnership-specific data use and consent requirements. |
| Business contact information | Contact details of representatives of customers, partners, and suppliers, such as name, position, organisation, address, phone number, email, and related correspondence or meeting notes. | Used to manage and maintain business relationships, handle inquiries, and document relevant communications with business stakeholders. |

Automatically collected information

·    We collect limited technical and usage information automatically from CardioSignal, to ensure secure, reliable, and compliant operation. This may include IP address, device and system details, usage activity, and event logs collected through analytics SDKs and backend monitoring tools.

Cookies      

·         On our website, we use cookies and similar technologies to understand how our site is used, display relevant content, and remember your preferences (for example, language choices). Some cookies are essential for the website to function properly, while non-essential cookies are used only with your consent. For more details, please see our Cookie Policy (https://cardiosignal.com/cookie-policy), which explains cookie purposes and how to manage your choices.

Events 

·       When attending online or on-site events organised by us, we collect the relevant personal data, such as contact or demographic information or dietary preferences, needed to deliver a good event experience to you. If you have explicitly given us consent, we process the relevant contact details to communicate with you and inform you of future events via email.

Surveys

·       From time to time, we invite CardioSignal users and business contacts to answer surveys about CardioSignal, our services and events. These surveys ask about your experience, customer satisfaction and feedback so we can understand how we perform and how to improve our products, usability, support and operations. Surveys may be targeted differently depending on whether you use CardioSignal as a consumer or as part of a partner program or cooperation. Taking part is always voluntary.

·       Survey content depends on the situation. Some surveys focus only on service experience and communication. Others may also include questions about your health history or background, for example existing diagnoses or conditions. Answering health-related questions is always optional. When surveys include health-related questions, we treat this information as health data and apply the safeguards described in this Privacy Policy.

·       Most surveys are anonymous. They do not collect direct contact details, and we review the results on a group level rather than looking at individual responses. We may run non-anonymous surveys where your responses are linked to your contact details or account, for example if we want to follow up with you personally or consider using your feedback as a testimonial. In these situations, we clearly inform you that the survey is not anonymous and ask for your explicit consent before you submit your answers.

Other data

·         The CardioSignal Mobile Application also collects other data that is used for personalising your user experience.

| Data | Description | Reason |
| --- | --- | --- |
| Language code | The language you select in the application. | Used to display the application and communication in your preferred language. |
| Approved Terms of Use or End User License Agreement (EULA) | Information on which version of the Terms of Use or EULA you have approved. | You must approve the current Terms of Use or EULA to access the application. This information ensures that the approval corresponds to the latest applicable version. |
| Health Data Processing Consent | Record that you have given explicit consent for processing health-related data. | Required to lawfully process health data as part of providing the CardioSignal service in compliance with data protection laws. |
| Health Information Questionnaire Consent | Record that you have voluntarily responded to an optional health information questionnaire and provided explicit consent to process this information. | Used to process optional health questionnaire responses lawfully and to support service development, characterisation of the user base, and research or study purposes, where applicable. |
| Latest measurement information | Information on when you took the previous measurement and the related result summary. | Used to personalise the CardioSignal experience, for example by reminding you to take a new measurement. |
| Latest login information | Information on when you last logged in to the CardioSignal application. | Used to determine whether your account is active or inactive for assessing how long your personal data should be retained. |
| Your modifiable options | The application settings you have selected and your preferences. | Used to personalise the CardioSignal experience based on your chosen options. |

4. Where we get your data

We collect personal data mainly from you. This happens when you:

We also collect some data automatically when you use CardioSignal or visit our websites. This includes technical and usage information, such as device details, app version, log data, and cookie data, as described in this Privacy Policy and in our Cookie Policy.

In collaboration with third parties, such as healthcare providers, hospitals, insurers, research sponsors or technology partners, we may receive personal data about you from these partners. For example, they may give us your contact details or an internal identifier to enrol you into a program that uses CardioSignal. The partner’s own privacy notice explains how they process your data, on which legal basis, and what they share with us. In these cases, the partner usually acts as an independent controller for its own processing, and Precordior acts as a processor for the partner when we process personal data strictly according to the partner’s written instructions.

We may also receive business contact details (such as name, role, email address and phone number) from your employer or colleagues if you represent a customer, partner, supplier or other organisation we work with. In some cases, we may complement this information with data from publicly available sources, such as company websites or professional networking services, where this is allowed by law.

In addition, we generate new data from the information we already hold. For example, we create measurement results, quality parameters, risk scores, survey summaries, usage statistics and anonymised or aggregated reports based on how CardioSignal is used.

Patient medical data is protected by medical secrecy rules and by contractual confidentiality and data processing agreements with our partners.

5. How long do we keep your data?

We keep your personal data only as long as needed for the purposes described in this Privacy Policy or as required by law.

·       Account, measurement and Health Background Questionnaire data.
We keep your CardioSignal account data, measurement data and Health Background Questionnaire data while your account is active. If you do not log in for two years, we consider your account inactive. When an account becomes inactive, we close it and start our deletion and anonymisation process. Measurement and other app data in our medical device system are anonymised so they can no longer be linked to you, and identifiable information related to that account in our CRM is deleted, unless we must keep some details for legal reasons as explained below. You can also ask us to delete your account at any time.

·       Events and surveys.
We keep personal data related to events, webinars, campaigns and surveys for up to two years. After that, the relevant personal data is deleted, unless there has been further contact or engagement during that time that justifies keeping it for a longer period or a longer period is needed for legal reasons.

·       Business contacts and CRM data.
If you are a contact person for a customer, partner, supplier or other organisation, we keep your contact details for as long as the relationship exists and for a reasonable period after it ends, for example to manage follow-up, documentation and potential claims.

·       Marketing data.
We keep your contact details for direct marketing, such as newsletters, until you opt out or we no longer send such communications. We may keep a record of your opt-out to make sure we respect your choice.

·       Technical logs and back-ups.
System logs, security logs and back-ups that may contain personal data are kept only for limited periods (max 5 years) needed for security, troubleshooting, business continuity and compliance.

In some cases, we must keep certain personal data for longer periods to meet legal obligations or to handle potential claims or regulatory requirements, for example under medical device or bookkeeping laws. In these cases, we keep the data only for as long as those obligations or limitation periods require. When we delete or close your CardioSignal account, we remove or anonymise personal data that is no longer needed as described above.

6. Is my data secure?

We are committed to protecting your privacy and providing a secure environment for using our products and services in line with applicable data protection laws. We take administrative, technical and organisational measures to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction, damage, access, disclosure or use. For example, we restrict access rights and CardioSignal uses encrypted data transmissions. Our organisation is certified to the ISO/IEC 27001 standard for information security management, demonstrating our commitment to maintaining high standards of data protection and security. At the same time, you also share responsibility for maintaining privacy and security. Keep your account credentials safe and tell us immediately about any unauthorised use of your account.

7. Transfer of data to third parties and outside of EU/EEA

We do not sell your personal data. We share it with others only in the situations detailed below or when the law requires it.

Service providers

We use trusted service providers to run CardioSignal and our business. For example, we use companies that provide cloud servers, email and messaging tools, customer support systems, CRM, survey tools and analytics.

Before we start using a new service provider, we review them as part of our information security management system. We check that they are suitable for the task, that they protect your data properly, and that our contract with them sets clear rules on privacy and security.

Partners and collaborations

Sometimes we work together with partners, such as healthcare providers. In these cases, we may share your personal data with that partner so they can provide services to you, for example by viewing your CardioSignal use as part of your care.

Any such sharing follows what we tell you in the app, in this Privacy Policy or in information from the partner. Where the law requires consent for this sharing, we ask for your explicit consent before sharing your data.

Cookies, analytics and advertising

If you accept non-essential cookies on our websites, we may share limited data, such as online identifiers and usage information, with our analytics and advertising partners. They use this data only to provide analytics or advertising services to us and must follow data protection laws and our agreements.

Corporate transactions

If Precordior is involved in a merger, acquisition, sale of assets, or similar change in ownership or control, your personal data may be shared with or transferred to the acquiring entity and its advisors as part of the transaction. In such cases, we ensure that your data continues to be protected in accordance with applicable data protection laws and this Privacy Policy until any change becomes effective. If the new owner’s privacy policy will replace or differ from this Privacy Policy, you will be informed about the change and about your options regarding your personal data.

Where your data is processed

CardioSignal medical device data, including your account and measurement data used to provide the CardioSignal medical device service, is processed and stored on servers located in the EU/EEA.

For some supporting tools and services that are not part of the medical device itself, limited personal data (for example contact details, technical identifiers or usage data) may in some cases be accessed or processed outside the EU/EEA by our service providers. When this happens, we ensure that proper legal protections, such as EU adequacy decisions or standard contractual clauses, are in place. We also limit access, reduce the amount of data our service providers can view or otherwise process, and require that they process your personal data only for our purposes and under our instructions.

8. Third-party websites or applications

Our application or website contains links to third-party services, such as social media or app stores. We are not responsible for the privacy practices of these third parties, and this Privacy Policy does not apply to these third-party websites or applications.

9. Automatic decision-making and profiling

CardioSignal automatically analyses your measurement data to generate and display measurement results to you. If you choose to respond to the voluntary health questionnaire in the app, your responses may be automatically processed together with other data we already process for statistical analysis to understand overall user characteristics and to support service development and research. These analyses may include limited profiling (for example, grouping individuals into cohorts by age bands or health conditions) for statistical and development purposes. They are not used to make any automated decisions that produce legal effects or similar consequences for you.

10. Your rights

As a data subject, you have the following rights:

Right to be informed: you have the right to be informed about the collection and use of your personal data. This Privacy Policy serves that purpose.

Right of access: you have the right to request access to the personal data which we hold or process on you.

Right of rectification: you have the right to request that we correct any erroneous or incomplete personal data, free of charge.

Right of erasure: you have the right to request the erasure of your personal data.

Right to data portability: if the processing of your personal data is based on your consent or relies on the contract with you, you have the right to receive your data in a structured, commonly used and machine-readable format, and to transmit that data to another controller.

Right to object or restrict processing: you have the right to object to, or demand restriction of, the processing of your personal data, for example for direct marketing purposes, when the legal basis for processing is legitimate interest. When you exercise this right, you shall identify the situation that your objection or request for restriction of processing is based on. We can refuse the request only on legal grounds.

Withdrawal of consent: you can withdraw your consent for Precordior to process your personal data at any time by removing the application and notifying us. Withdrawal of consent does not affect processing that has taken place before the withdrawal. Withdrawal of consent also does not affect the continued processing of your personal data, if there is another valid legal basis for such processing. Please note that you can separately withdraw your consent for receiving newsletters and marketing communications without it affecting the processing of your account and measurement data as part of the continued use of the application.

Right to refer the matter to a supervisory authority: if you feel the processing of your personal data infringes data protection legislation, you have the right to lodge a complaint with the supervisory authority of your place of residence. In Finland, this is the Office of the Data Protection Ombudsman (tietosuoja@om.fi).

11. Contact us to exercise your rights

To exercise your rights or if you have questions about this Privacy Policy, please contact us by email or by writing to:

Precordior Ltd.
Data Protection Officer of Precordior Ltd
Telephone: +358102021200
Street address: Aurakatu 6, 20100 Turku, Finland 
www.precordior.com
support@cardiosignal.com

If you are based in Finland, you can also contact the Office of the Data Protection Ombudsman:
Street address: Lintulahdenkuja 4, 00530 Helsinki
Postal address: PL 800, 00531 Helsinki, Finland
Switchboard: +358 29 566 6700
Registry: +358 29 566 6768
Email (registry): tietosuoja@om.fi

If you are based in the UK, you can also make a complaint to the Information Commissioner’s Office (ICO) or get advice from the ICO:

ICO
0303 123 1113
18001 0303 123 1113

Information Commissioner’s Office
Wycliffe House Water Lane
Wilmslow
Cheshire
SK9 5AF

If you are based in Switzerland, you can also contact the Federal Data Protection and Information Commissioner (FDPIC):

Federal Data Protection and Information Commissioner (FDPIC)
Address: Feldeggweg 1, CH-3003 Bern, Switzerland
Telephone: +41 58 462 43 95

12. Updates or changes to this Privacy Policy

We will update this Privacy Policy from time to time. If we make significant changes, we will notify you through our website or CardioSignal and ask for renewed consent if necessary. You can always request a paper copy of this Privacy Policy by emailing support@cardiosignal.com.