Privacy Notice

Last updated: January 2023


About this Privacy Notice

You deserve to be aware of how your personal data is used. Moreover, data protection laws give you certain rights over your personal data, no matter when or where it is being processed. This Privacy Notice is meant to give you information about what personal data we collect about you, how we use it, why we use it, and how you control the data processing.


Table of Contents

  1. The Basics

  2. Personal Data We Collect as a Processor

  3. Personal Data We Collect as a Controller

  4. Sharing the Personal Data We Collect

  5. International Transfers

  6. Security

  7. Your Rights - How to Control Our Use of Your Personal Data

  8. Data Retention

  9. Cookies and Similar Technologies

  10. Third-Party Services

  11. Children

  12. Changes to the Privacy Notice


  1. The Basics


    1. Who We Are. Cordio Medical Ltd. offers a technology that monitors several health conditions by analyzing voice and speech samples using sophisticated and proprietary algorithms, available through its flagship HearO™ mobile application. Our offices are located at 6 Yehonatan Netanyahu St., 6037604 Or-Yehuda, Israel, and our registration number is 514975374. If you have questions about our company or your privacy, or want to exercise your rights, you can contact us at info@cordio-med.com.


    2. Our Services. When we refer to "services", we mean a technology that monitors, by analyzing the patient's speech, fluid accumulation related to congestive heart failure and notifications prior to clinical symptoms and hospitalization. We provide the services to and on behalf of clinics or other healthcare providers that have engaged us for this purpose. The services are available to the doctors and other healthcare practitioners of these clinics through the "Cordio HearO Portal for the medical center." Through the Cordio HearO Portal for the medical center, doctors can make the services available to their patients through the HearO® system ("App").


    3. Our Role: Controller and Processor. Certain data protection laws, including the laws in the EU, differentiate between a party that determines why and how personal data is processed (called a "controller") and a party that processes personal data solely on the controller's behalf and according to the controller's instructions (called a "processor"). In respect of certain personal data we collect, we act as a controller, and with respect to other personal data, we act as a processor. Please see the sections Personal Data We Collect as a Processor and Personal Data We Collect as a Controller below for more information.

    4. Definitions and Recommendations


      1. When we refer to "personal data", we mean information that is defined as personal data under law. This includes information that identifies you directly or indirectly, including unique identifiers like IP addresses or cookie IDs.


      2. When we refer to "you", we mean a user of the services, either as a patient using the App, or as a physician or other health professional using the Cordio HearO Portal for the medical center.


      3. This Privacy Notice is meant to be read together with our Terms of Service. In general, we recommend that you routinely review this privacy notice and your preferences through our services.


    5. A Note on Legal Bases. Certain jurisdictions only allow the processing of personal data where a legal basis has been established. Under the EU's General Data Protection Regulation ("GDPR"), the possible legal bases include: your consent, the processing is necessary to perform a contract with you, the processing is necessary to fulfill our legal obligations, or a company has a legitimate business interest to process your personal data. Where we are a controller, we only collect and process data where we have established a legal basis. Below you can find more details about specific legal bases.




  2. Personal Data We Collect as a Processor. We process certain personal data about both doctors using the Cordio HearO Portal for the medical center and patients using the App as part of the services we provide to the clinics that are our customers. In these cases, we serve as a processor and the applicable clinic serves as a controller. We process that data on behalf of the relevant customer and according to its instructions. To learn more about our processing activities in this capacity or to exercise your privacy rights regarding them, please contact the applicable clinic.


    1. Doctors. If you are a doctor or other healthcare practitioner using the Cordio HearO Portal for the medical center, we will process your username, email address and password as a processor on behalf of the clinic. This information will be available to the clinic to review.


    2. Patients. If you are a patient using the App, we will process personal data that the clinic has provided about you, namely your name, phone number, email address, and clinic ID number, and logs about your use of the App, as a processor on behalf of the clinic. Additionally, when you record your speech through the App, we use these recordings and details about your usage of the App (type of phone, operating system version, App version, and date and time of recordings) as a processor on behalf of the clinic, unless you have explicitly consented to our use of this data for additional purposes (see Personal Data We Collect as a Controller), in which case both we and the clinic will serve as controllers of this data.


  3. Personal Data We Collect as a Controller.

    1. Recording Data. When patients using the App provide voice or speech recordings, we generally process these recordings as a processor on behalf of the applicable clinic. However, some patients may choose to allow us to use these recordings for the purposes of improving our services and algorithms. Similarly, if users consent and give us access to certain features on their mobile device, we also collect data that may be provided through Google Health Kit or which may be collected through sensors on the mobile device. Note that voice or speech recordings may be considered biometric data, and along with data from the Health Kit or sensors, would be subject to special protections under the law. When we use voice or speech recordings in this capacity, we do so as a controller and solely for this purpose of improving our services and algorithms. The legal basis for this use is the consent of the patient, which may be withdrawn at any time.




  4. Sharing the Personal Data We Collect. We share your personal data as follows:


    1. Clinic. Personal data that we collect about doctors and patients will be shared with the relevant healthcare practitioner in accordance with the roles assigned by the applicable clinic that serves as a controller of this information.


    2. Service Providers. Below is a list of the types of service providers we use, the service each provides, and the types of data shared with each. All service providers have agreed to confidentiality restrictions and have undertaken to use your personal data solely as we direct.


      Type of Service: Cloud Computing
      Description: We use service providers that offer cloud computing services. They offer us space on their servers for us to store our files and programs, including your personal data.
      Personal Data Shared: All personal data that we collect from you is stored on third-party servers.

      Type of Service: Analytics Providers
      Description: We use a service provider to assist us with analytics services.
      Personal Data Shared: Data collected automatically through our site, including IP addresses and cookie information.


    3. Change of Ownership. If we are looking to sell our company, liquidate assets, or merge with another, we may share your personal data with other interested parties as part of negotiations toward that transaction. In such case, or where we do sell our company, your personal data shall continue to be subject to the provisions of this Privacy Notice.


    4. Law Enforcement Related Disclosure. We may share your personal data with government agencies or other relevant parties, such as a law office or independent auditor: (i) if we believe that such disclosure is appropriate to protect our rights, property or safety (including the enforcement of the applicable Terms of Service and this Privacy Notice) or those of a third party; (ii) if required by law or court order; or (iii) as is necessary to comply with any legal and/or regulatory obligations, such as audit requirements.


  5. International Transfers. Some of our service providers are located in countries other than your own. When we transfer your personal data internationally, we will do so safely and securely and in accordance with applicable law.


    1. If you are located in the EU, when we share your personal data with third parties based outside of the European Economic Area ("EEA"), we will ensure that they sign on agreements that require them to comply with applicable law, keep your data secure at similar levels to the level described in this Privacy Notice, and make sure that your data protection rights are protected. We will also implement the following safeguards:


      1. When we transfer your personal data to Israel or the UK, we rely on the decision by the European Commission that says that those countries are considered to provide an adequate level of data protection.


      2. Where we transfer your personal data to other countries, we (i) take additional security measures to protect the data and (ii) use specific contracts approved by the European Commission, known as the Standard Contractual Clauses, to give your personal data the same protection it has in the EEA.


      3. Please contact us at info@cordio-med.com if you would like further information on the specific mechanism used by us when transferring your personal data out of the EEA.


  6. Security. The security of your personal data is our highest priority. We work hard to make sure that your personal data will be held securely and that it will not be shared or lost accidentally. However, it is impossible to guarantee absolute security. The security of your data also depends on the security of the devices you use and the way in which you protect your user IDs and passwords. The measures we take include:


    1. Technical Measures. The electronic safeguards we employ to protect your personal data include secure servers, firewalls, and antivirus protections. We encrypt data in transit and at rest using secure SSL protocols.


    2. Access Control. We limit access to your personal data to authorized personnel who have a need to know, including account managers, customer support staff, software developers, and the research and development staff. We review these permissions regularly and revoke an employee's access immediately upon his/her termination.


    3. Internal Policies. We maintain and regularly review and update our privacy related and information security policies.


    4. Personnel. We require employees to sign non-disclosure agreements according to applicable law and industry customary practice.


    5. Database Backup. Our databases are backed up and verified regularly. Backups are encrypted and stored within the production environment to preserve their confidentiality and integrity.


  7. Your Rights - How to Control Our Use of Your Personal Data. Depending on which laws apply, you have certain legal rights over your data. Below is some general information about rights that may apply to you but we recommend checking the law or consulting with a lawyer to understand what applies in your specific case. To exercise your rights, please contact us at info@cordio-med.com. If you want to exercise your rights regarding your personal data for which we are the processor you can contact the applicable clinic (the controller) directly. We may ask for reasonable evidence to verify your identity before we can comply with any request.


    1. Right of Access. You may have a right to know what personal data we collect about you. We may charge you a fee to provide you with this information, if permitted by law. If we are unable to provide you with all the information you request, we will do our best to explain why. See Article 15 of the GDPR for more details, if your personal data is subject to GDPR.


    2. Right to Correct Personal Data. You may have the right to request that we update, complete, correct or delete inaccurate, incomplete, or outdated personal data. See Article 16 of the GDPR for more details, if your personal data is subject to GDPR.


    3. Deletion of Personal Data ("Right to Be Forgotten"). If you are located in the EU, you may have the right to request that we delete your personal data. Note that we cannot restore information once it has been deleted. Even after you ask us to delete your personal data, we may be allowed to keep certain data for specific purposes under applicable law. See Article 17 of the GDPR for more details, if your personal data is subject to GDPR.


    4. Right to Restrict Processing. If you are located in the EU, you may have the right to ask us to stop processing your personal data. See Article 18 of the GDPR for more details, if your personal data is subject to GDPR.


    5. Right to Data Portability. If you are located in the EU, you may have the right to request that we provide you with a copy of the personal data you provided to us in a structured, commonly-used, and machine-readable format. See Article 20 of the GDPR for more details, if your personal data is subject to GDPR.




    6. Right to Object. If you are located in the EU, you may have the right to object to certain processing activities. See Article 21 of the GDPR for more details, if your personal data is subject to GDPR.


    7. Withdrawal of Consent. If we are processing your data based on your consent, you are always free to withdraw your consent. However, this will not affect processing we carried out before you withdrew your consent.


    8. Right to Lodge a Complaint with Your Local Data Protection Authority. If you are located in the EU, you have the right to submit a complaint to the relevant data protection authority if you have any concerns about how we are processing your personal data, though we ask that as a courtesy you please attempt to resolve any issues with us first.


  8. Data Retention


    1. Where we are a processor, we retain your personal data in accordance with the applicable clinic's instructions.


    2. Where we are a controller, we retain your personal data as long as necessary to fulfill the purposes we described above. When deciding how long to store personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized access, the purposes for which the personal data was collected, as well as applicable legal requirements. Please note that we may delete information from our systems without notifying you first. Retention by any of our service providers or subcontractors may vary in accordance with each business's retention policy.


    3. Please contact us at info@cordio-med.com if you would like details about the retention periods for each type of personal data we process.




  9. Cookies and Similar Technologies


    1. What are Cookies? A cookie is a small piece of text that is sent to your browser by a website you visit. This piece of text acts as a sort of tag, letting the website know that it's you (really, your device) that's visiting. There are other technologies that act similarly, like web beacons, pixel tags, and device IDs for apps, but for simplicity's sake we'll refer to them all as "cookies".


    2. How We Use Cookies. We use cookies in the Cordio HearO Portal for the medical center. These cookies are necessary for the functioning of the service, since they save a token and navigation history for the current session and allow the service to work correctly.


  10. Third-Party Services. You may have access to third-party services through our services. Please note that all use of third-party services is at your own risk and subject to such third party's terms and privacy policies. We do not take any responsibility for the performance of other services.


  11. Children. We do not knowingly collect personal data from children under the age of sixteen (16).


  12. Changes to the Privacy Notice. We may update this Privacy Notice from time to time to keep it up to date with legal requirements and the way we operate our business. We will place any updates on this webpage. Please come back to this page every now and then to make sure you are familiar with the latest version.

