Privacy notice for the App

1. INTRODUCTION

1.1 This Privacy Notice explains how WSA collects and processes your personal data when you use this Allure App (hereinafter “the App”).

1.2 WSA shall be understood as WS Audiology Denmark A/S, established in Denmark (hereinafter referred to as “WSA”, “we”, “us”, “our”) and we are considered the data controller for the processing of your personal data when you use this App.

1.3 WSA is part of a global organization, and should you consent to our processing of your personal data for research and development purposes please be aware that we will process your personal data together with some of our group companies. In legal terms, we are considered so-called joint controllers. You can read more about how we jointly process your personal data in Section 2.2.

1.4 You can find contact information of all data controllers in Section 2.1 and how we have shared responsibilities between us in Section 2.2.

1.5 Your personal data will be processed in accordance with this Privacy Notice and applicable law. WS Audiology Denmark A/S is established within EU and for that reason the General Data Protection Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter “GDPR”) applies to our processing in addition to any applicable local privacy regulation. ‘Personal data’ means any information relating to an identified or identifiable natural person.

2. RESPONSIBLES

2.1 WS Audiology Denmark A/S is responsible for the processing of your personal data when you use this App, see more in Section 4. The contact information of WS Audiology Denmark A/S is:

WS Audiology Denmark A/S
Reg. no. 15771100
Nymøllevej 6,
3540 Lynge Denmark
Phone +45 44 35 56 00
E-mail: privacy@wsa.com

If you consent and allow us to process your personal data for research & development purposes, WS Audiology Denmark A/S is jointly responsible for such processing together with our two group companies, Sivantos GmbH and Sivantos Pte. Ltd. The contact information of Sivantos GmbH and Sivantos Pte. Ltd. is:

Sivantos GmbH,
Reg. no. DE30144051,
Henri-Dunant-Straße 100,
91058 Erlangen, Germany
Phone number: +49 91313080
E-mail: privacy@wsa.com

Sivantos Pte. Ltd.,
Reg. no. 198600657G,
18 Tai Seng Street, #08-08,
Singapore 539775
Phone number: +65 6370 9666
E-mail: privacy@wsa.com

2.2 WS Audiology Denmark A/S, Sivantos GmbH and Sivantos Pte. Ltd. have made an agreement that governs our respective responsibilities under Art. 26 of GDPR.

In summary, we have agreed that WS Audiology Denmark A/S is primary responsible for ensuring a lawful basis for our processing, i.e. to obtain your consent, and that you are informed of our processing and your rights. Further, WS Audiology Denmark A/S is responsible for responding to any request you may have and in relation to securing and deleting or anonymizing the personal data when required.

Notwithstanding the foregoing, you may assert your rights with and against any of the data controllers.

3. DATA PROTECTION OFFICER

You can always contact the data protection officer (“DPO”), who is the responsible person to answer questions about personal data protection and exercising your rights under applicable law. Please use the following email address: dpo@wsa.com.

4. DATA PROCESSED WHEN YOU USE THE APP AND ITS FEATURES

DATA WE ARE REQUIRED TO COLLECT

4.1 As a manufacturer of medical devices we are obliged to fulfill regulatory requirements. To ensure and document that your App and hearing aids comply with current rules & standards regarding quality, safety and performance we collect certain personal data about you. The categories of personal data that we collect are:

4.1.1 Data about your mobile device, including your phone type and the country the device is used.

4.1.2 Data about your App and the usage of the App, including brand of your App and how the App is used by you.

4.1.3 Data about your hearing aids, including the serial number and model.

4.1.4 IDs and timestamps.

4.1.5 The legal basis for our processing is legal requirements (article 6(1)(c) and 9(2)(i) in the GDPR).

5. DATA USED FOR RESEARCH AND DEVELOPMENT PURPOSES

5.1 If allowed in your country and only with your consent, we will collect and use your data related to your hearing loss and your hearing aids for research & development purposes so we can make even better hearing solutions in the future.

5.2 The categories of personal data that we collect are:

5.2.1 Data about you and your hearing loss, including the audiogram that represents your hearing loss, your gender and age.

5.2.2 Data about your hearing aids, including serial number and model, as well as data about the configurations of your hearing aids, including any changes to the configurations.

5.2.3 Data about your usage of the hearing aids.

5.2.4 Technical data such as logs and crash logs from the App and the hearing aids.

5.2.5 Your personal data will be associated with a unique ClientID as we are not interested in identifying you e.g. by name.

5.3 The legal basis for our processing is your consent (article 6(1)(a) and 9(2)(a) in the GDPR).

5.4 When you give your consent, we will collect your personal data not only from the time you provide your consent but already from the time your Hearing Care Professional ordered and made the first configurations of your hearing aids.

6. LOCATION

6.1 In the App, you are specifically asked to grant location access to pair the App with your hearing aids. The GPS-enabled location is only processed on your mobile device, not by WSA, and its only used to pair your hearing aids.

7. HOW DO WE COLLECT YOUR PERSONAL DATA

7.1 We will collect data from your mobile device, the App, your hearing aids and from the software that we have developed and that your Hearing Care Professional uses to make changes to the configuration of your hearing aids. We collect data from this software each time you have a consultation with your Hearing Care Professional.

8. OUR DATA PROCESSORS

8.1 We are using third parties for processing personal data as hosting providers. They process on strict instruction from us and consequently, they act as our data processors. We have entered into data processing agreements that comply with article 28 of the GDPR with our data processors to ensure that the data processors implement appropriate organizational and technical security measures in such a way that the processing complies with the requirements of the GDPR and other appliable laws and ensures the protection of your rights.

9. TRANSFER OF YOUR PERSONAL DATA TO THIRD COUNTRIES

9.1 Since WS Denmark Audiology A/S is established within EU, your personal data will be processed within the EU. In addition, if you consent to our data collection for research & development purposes, your personal data will be transferred to Singapore because the third data controller, Sivantos Pte. Ltd., is established in Singapore. Your personal data may also be transferred to data processors established outside the European Economic Area (“EEA”), including the United States of America. From the perspective of the European Union (“EU”), some countries outside EEA do not guarantee an “adequate level of protection” for the processing of personal data in accordance with EU standards. However, before we pass on the data, we always ensure that the recipient of your personal data remains subject to a level of protection comparable to what is required under the laws of your country (and in any event, in line with our commitments in this Privacy Notice). Specifically under GDPR, we ensure that such recipient either has an appropriate level of data protection and that the requirements of art. 44 of GDPR are met, e.g. due to an adequacy decision by the EU Commission for the respective country in accordance with Art. 45 of the GDPR, or that the so-called EU standard contractual clauses prepared by the European Commission have been agreed with the recipient in accordance with art. 46 of GDPR.

If you require further information on the above data transfers, you can request it from us – please send your request to us or our Data Protection Officer (DPO), as laid out above in Section 3.

10. DATA RETENTION

10.1 We only retain your personal data for as long as necessary to fulfil the purposes for which the data was processed, including for the purposes of satisfying any legal requirements.

10.2 The data that we collect and use, with your consent, for research & development purposes, see Sections 5.1-5.2, are stored for 5 years. Hereafter they are deleted or anonymized.

11. YOUR RIGHTS

You can contact us at any time. You may withdraw the consent you have provided to us at any time. Our App provides an easy way to do this.

You also have one or more of the following rights:

You have the right to receive information about how we process your personal data as well as to receive a copy of the data we keep about you (art. 15 of GDPR).
You have the right to ask us to correct any incomplete or inaccurate information that we store about you (art. 16 of GDPR).
You have the right to ask us to delete your data where there is no good reason for us to keep it anymore. To the extent that we need to keep your data, for example in order for us to comply with our legal obligations or for legal requirements to be established, enforced or defended, we are not required to delete your personal data (art. 17 of GDPR).
You may have the right to ask us to restrict our processing of your personal data. This enables you to ask us to suspend our processing, for example if you want us to establish its accuracy or the reason for processing it (art. 18 of GDPR).
You may have the right to receive the personal data that you have provided to us in a structured, common and machine-readable format (“data portability”) and the right to have this data transmitted to another person responsible (controller) if the requirement in art 20 (1) of GDPR or other applicable law are present.

If you believe that the processing of your personal data violates data protection law, you also have the right under art. 77 of GDPR to complain to a data protection supervisory authority of your choice. This also includes the data protection supervisory authorities responsible for us:

Datatilsynet
Carl Jacobsens Vej 35
2500 Valby
Denmark
Tlf. 33 19 32 00
dt@datatilsynet.dk

The Data Protection Supervisory Authority responsible for Sivantos GmbH:

Bayerisches Landesamt für Datenschutzaufsicht
Promenade 18
91522 Ansbach
Germany
Phone: +49 (0) 981 180093-0
Telefax: +49 (0) 981 180093-800
E-Mail: poststelle@lda.bayern.de

The Data Protection Supervisory Authority responsible for Sivantos Pte. Ltd.:

Personal Data Protection Commission
10 Pasir Panjang Road
#03-01 Mapletree Business City
Singapore 117438
Phone: +65 6377 3131
Telefax: +65 65773888
Website: https://www.pdpc.gov.sg/

CANADIAN RESIDENTS

If your personal information was collected in Canada, please note the following additional aspects about how we process your personal information:

For your rights, including those relating to access, correction, and erasure, you may contact our DPO should you have any questions or concerns about the processing of your personal information, see Section 3 in the Privacy Notice. We strive to address all such requests in a timely manner. If you are located in the province of Quebec, we must reply to your request for access or rectification promptly and no later than 30 days after your request is received. Should you not be satisfied with our response, or you wish to file a formal complaint, you may always contact the Office of the Privacy Commissioner of Canada at 1-800-282-1376 (toll-free) or via regular mail: Office of the Privacy Commissioner of Canada, 30 Victoria Street, Gatineau, QC K1A 1H3. You may also contact the Office of the Privacy Commissioner in the provinces of British Columbia and Alberta or the Commission d’accàs à l’information in the province of Quebec, as applicable.

RESIDENTS OF THE UNITED STATES

This section provides additional disclosures that solely apply to residents of the United States.

Personal Data We Collect. Sections 4-5 of the Privacy Notice describes the categories of personal data we have collected from consumers within the last twelve (12) months. California residents, please note that this includes the following types of “personal information” described under California law:

Identifiers and personal information identified in California’s Consumer Records Statute, including IP address, internal unique identifiers;
Commercial information, such as hearing aids and services you purchased, obtained, or considered;
Audio, electronic, visual, or similar information, such as changes to your hearing aids conducted via our App;
Sensitive personal information, such as the health-related data described below, and content of certain communications with third parties you may engage in via our App;
Geolocation data – you can enable our App to collect your location (if you do that, please note that it is only used to pair your hearing aids and you can deactivate the pairing at any time in your device settings);
Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding your interaction with our App.
Inferences drawn from the information listed above.

If you reside in a state that has passed a health data privacy statute, please note the personal data we collect may contain the following types of consumer health data:

Health conditions, treatment and diagnosis, including those related to hearing loss or hearing impairment;
Medical interventions, such as those related to hearing aids;
Health-related procedures;
Hearing functions, vital signs, symptoms, or measures of the foregoing;
Diagnoses or diagnostic testing or treatment.

10.2. Sources of Personal Data. We obtain the personal data described in this Privacy Notice (a) directly from you, (b) from your hearing aids and your interactions with our App, (c) from third parties, including Hearing Care Professionals, operating systems and platforms.

10.3. Uses of Personal Data. Sections 4-5 in the Privacy Notice describes the business and commercial purposes for which we collect personal data and how we use personal data.

10.4. Disclosures of Personal Data; No Targeted Advertising. Sections 4-5 in the Privacy Notice describes the categories of third parties (processors) with whom we share personal information. Please note:

All personal data may be disclosed for a business purpose: We disclose all or substantially all of the personal data described in this Privacy Notice with all categories of third parties identified in this Privacy Notice for our business purposes.
No “sales” of personal data or targeted advertising. We do not “sell” personal data as defined under U.S. privacy laws. We also do not share personal data for targeted advertising. We also do no let third parties target ads to you while using the App based on your activity over time and across different Internet websites or online services.

10.5. Your Privacy Rights. You may exercise the rights listed in Section 11 in the Privacy Notice. To exercise your rights, you can contact us as follows:

Email us at privacy@wsa.com
Call us at +1 888 857 5754

Residents of certain US states can elect to exercise their rights themselves, or to have an authorized agent submit requests on their behalf. If you use an authorized agent, we may verify your identity, your agent’s identity, your agent’s authority to act on your behalf, or any other matter permitted by law.

In certain US states, you may have the right to appeal our response to your rights requests. If so, we will inform you in our response to your request how to exercise your right to appeal.