Introduction – Data Controller
Endo Medical provides software that automatically analyzes metabolic information to provide an in-depth personalised analysis of heart, lung, muscular, and neuromuscular function in real time.
The website found at https://www.mypnoe.com, hereinafter referred to as the “Website”, is owned by Endo Medical Inc., with a registered address at 2345 Yale Street Palo Alto, CA, 94306, USA, hereinafter referred to as the “Company” or “we” or “us”. The designated representative within the European Union is XHALE S.A., 3 Evangelistrias str. Kallithea, Attica, Greece.
In order to provide our services to you and comply with our legal obligation, we process information through our Website, which may lead, directly or indirectly, to your identification, as users.
According to the applicable legal framework on data protection, some of this information is “personal data”, while you, as users, are characterized as “data subjects” and we, the Company, are the “controller” of your data.
This Policy aims at providing information in a clear and simple way about the data we process, the purpose and the legal ground for the processing, the recipients of your data and, finally, your rights and how you can exercise them.
Our key data processing principles
We are committed to ensuring that your personal data are processed in a fair and transparent way, in compliance with the applicable legal framework, among others and in particular, the General Data Protection Regulation (GDPR) [Regulation (EU) 2016/679] and the US applicable framework.
To put it simply, this means that:
- We process your data only for specified, explicit and legitimate purposes, as defined in this policy. We do not process your data further for purposes incompatible with the original ones (purpose limitation).
- We only process data which are adequate, relevant and limited to what is necessary in relation to the purposes that we have set (data minimisation).
- We make every effort to ensure that your data are accurate and that you can ask for their correction or deletion where applicable (data accuracy).
- We keep your data in a form which permits your identification only for as long as it is necessary for the purposes that we have determined in advance, as described in this policy (storage limitation).
- We make every effort to ensure the security of your data, and to prevent, among others, any unauthorized or unlawful processing, and accidental loss, destruction or damage (integrity and confidentiality).
To ensure the adequate protection of your data, the Company implements internal security policies, takes all appropriate technical and organisational measures and trains its staff, which is bound by confidentiality and privacy clauses. In addition, we use technologies which ensure the security of your data, e.g. a Secure Sockets Layer (SSL) certificate, as well as encryption and physical security.
Our goal is to integrate information security and data protection principles in all aspects of the Company’s operation. In this context, we monitor the security measures on a regular basis and, if deemed necessary, we align them with the new best practices.
What data we process through our Website and under which conditions
In principle, we process your data only when you provide them in an active manner to us, e.g. by contacting us. This rule does not fully apply to certain technical data which are automatically collected with the help of cookies or similar technologies. Please visit our cookies policy for further information.
Information we receive automatically
Due to the nature and function of the Internet, as soon as you visit our Website, your IP address and other information, such as the date and time of your visit, the website from which your visit originated, the type of your browser and operating system, are recorded in our server’s special log files. Although we are not in a position to identify you on our own based on this information, your IP address is considered to be personal data.
The legal basis for collecting and storing data in our server’s special log files is our legitimate interests, since our goal is to ensure network, information and services security, in case of accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data [e.g. avoiding “denial of service” (DoS) attacks], as well as to effectively resolve any technical issues.
This processing is in compliance with the applicable legal framework, as it does not entail serious risks for your rights and freedoms. Furthermore, it is necessary for the purposes of the legitimate interests pursued by us, according to the GDPR and the national legislation.
Information provided to us by you
We process personal data provided by you in the following cases:
Data we process:
- Email address
- First name
Purpose: We process this data in order to make it possible for you to contact us and, in addition, enable subsequent required communication between us in response to your questions.
Legal basis: We consider it as our legitimate interest (art. 6 (1) (f) GDPR) to reply to your questions through the special contact form in our site.
Data we process:
- Email address
- First name
- Last name
- Mobile phone
Purpose: We process this data in order to send you updates on news, offers and other issues that we consider to be of interest to you regarding our services. For this purpose we may send you newsletters via email, SMS or also call you.
Legal basis: We process this data provided by you based on your consent (article 6 (1) (a) GDPR), which you can withdraw at any time and request the erasure of your data.
The withdrawal of your consent shall not affect the lawfulness of processing based on consent before its withdrawal. Any withdrawal will prevent us from communicating with you in the future.
We may also process the same data to inform you about our news, offers and other issues regarding our services without your prior consent, as part of our existing customer relationship, only as long as you do not let us know of your intention to stop receiving this communication from us (opt out through unsubscribing).
Online training for professionals (Academy)
Data we process:
- Email address
- First name
- Last name
- Address, Country, City, State/province, Zip
- Phone (optional)
Purpose: We process this data in case you want to order online training courses and workshops addressed exclusively to professionals. For this purpose we work in cooperation with “Inspire360”, a company which provides related professional services. This is the minimum amount of data which we can process to provide our services in collaboration with “Inspire360”.
Legal basis: We process this data provided by you in order to take appropriate measures before entering into a contract with you as well as to execute our contractual obligations (article 6 (1)(b) GDPR).
Who has access to your data (Recipients, Data processors)
Access to your data is permitted only to authorized members of our staff, who process your data in a strictly confidential manner, only to the extent and in the context of the purposes which you have already been informed about.
Furthermore, to be able to provide our services to you, we share some of your data with our partners. These companies (Data Processors) do not process your data for their own commercial purposes but only for the purposes mentioned above and only on behalf of and for the Company, with the exception of any legal obligations imposed by the applicable laws. When transferring your data, the Company takes all appropriate technical and organisational measures to ensure the highest level of security possible.
One of the key criteria when choosing our partners is the respect for the rules regarding the security of the processing of your data. In addition, our partners are contractually bound to provide the necessary safeguards and to take all appropriate technical and organisational measures to ensure the lawful processing and protection of your data and rights.
These third-party companies provide us with support or other services such as:
- customer support
- market research
- fraud detection and prevention services, including anti-fraud screening service
- payment services
- internet services, web hosting services, internet service providers and e-commerce providers, technical support
- marketing services.
Last but not least, we share some of your data with “Inspire360”, a company which provides via our Website online training courses and workshops addressed exclusively to professionals. “Inspire360” is, as all our above partners, contractually bound to provide the necessary safeguards and to take all appropriate technical and organisational measures so as to ensure the lawful processing and protection of your data and rights.
Within our Website you can find hyperlinks which allow you to access third party websites. These links have the sole purpose of facilitating your browsing on the Web and they do not imply, in any way, our endorsement or approval of the content of other websites.
We rely on our legitimate interests to establish a presence on electronic social networks and to attempt to promote our products and services.
Our Website has an official Facebook page (https://www.facebook.com/PnoeAnalytics/).
The Website uses hyperlinks that direct you to the above page. You may contact us via our Facebook page in order to get more information about our products and services using the “send message” function.
By clicking the “LIKE” button on our Facebook Page you provide us with your consent to process your data so that you are able to see our news and promotional activities (via your newsfeed). If you do not wish to receive such updates, you can click “UNLIKE” at any time and withdraw your consent.
Facebook Ireland Limited, Hanover Reach, 5-7 Hanover Quay, Dublin, Ireland, is responsible for Facebook’s operations in the European Union. Facebook has its own data policy over which we exercise no control and are not in a position to influence.
Our Website has an official Instagram account (https://www.instagram.com/pnoe_analytics/).
You can follow our account on Instagram and comment on its posts, thus providing data to be processed on the platform.
Facebook Ireland Limited, Hanover Reach, 5-7 Hanover Quay, Dublin, Ireland, is responsible for Instagram’s operations in the European Union. Instagram has its own cookies and data protection policies, over which we exercise no control and are not in a position to influence.
Our Website has an official YouTube channel (https://www.youtube.com/channel/UCNqCL_TkoFfV1aF3W63Zqsw).
You can visit our channel, subscribe, watch its videos, share and comment on them, thus providing data to be processed on the platform.
Google Ireland Limited Company, Dublin, Gordon House Barrow St Dublin 4 Ireland, is responsible for YouTube’s operations in the European Union. YouTube has its own cookies and data protection policies, over which we exercise no control and are not in a position to influence.
Our Website has an official LinkedIn account (https://www.linkedin.com/company/pnoe/).
You can follow our account on LinkedIn and comment on its posts, thus providing data to be processed on the platform.
LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland, is responsible for LinkedIn’s operations in the European Union. LinkedIn has its own cookies and data protection policies, over which we exercise no control and are not in a position to influence.
General information regarding social media
Based on the case-law of the Court of Justice of the European Union, the Company, by processing social media (Facebook, Instagram, YouTube, LinkedIn) users’ personal data, as the page administrator, may be considered a joint Controller with the social media (Facebook, Instagram, YouTube, LinkedIn) provider. This relationship concerns only the user’s data processing operations that take place through the page, e.g. the use of a like button on a post. This processing is based on the consent given by the user, as described above.
The Company takes all appropriate technical and organisational measures to ensure the security of data processing via social networking platforms, including, but not limited to, applying restrictions to the number of persons with administrator-level access to each page.
The Company is responsible only for the means by which it processes your data for its own purposes (communication, provision of services and promotion) and to the extent that it exercises control over your data. On the other hand, it bears no responsibility for the way any social networking platform processes your data.
We urge you to be extremely careful about the content you post on our social media pages, especially when you provide your own or any third party’s personal information, in particular when it comes to data concerning health. In case you choose to communicate with us, please make sure that the page you are contacting is indeed our official page.
Comments on Social Media
In an effort to improve our services, we encourage users to comment on posts and/or on our pages on social media in a way that promotes public debate and pluralism.
We make every effort to provide a safe online environment, however we do not have a general obligation to review the content that is submitted by users on these platforms.
Social Plug-ins, Buttons (Facebook, Instagram, Twitter, YouTube, Pinterest etc.)
You can use them if you want. These buttons link to third-party websites that collect and process personal data in accordance with their own policies. We are not responsible for the content of or data processing performed by these websites, and it is your responsibility to be informed about their own privacy policies. We have set these additions to make our website more functional for its visitors, as well as to advertise our activity and services if you voluntarily share our content on the respective websites.
Where and for how long we store your data
Your data is stored in the Website’s server, which is located at the East US Virginia Azure Datacenter. The data center is operated by an external third party acting as a contractor for data management on our behalf and it is a certified company which takes state of the art technical and organisational measures in order to avoid data breaches.
Your data is stored strictly for a period of time which is considered necessary for our processing purposes, as detailed above. In addition, we may store data required to be retained by law (for instance in order to comply with tax legislation), to comply with any ongoing or prospective legal proceedings or to establish, exercise, defend our legal rights, property or personal safety of our Company, its users and the public.
Important note: When personal data are transferred to the Company and the GDPR is applicable, the transfer is subject to appropriate safeguards under art. 44 et seq. such as the standard data contractual clauses adopted by the European Commission.
What are your rights and how you can exercise them
According to the applicable legal framework (mainly GDPR, Articles 12-22), you have a set of rights regarding the processing of your data by our Company. In particular, you have the right:
- To submit a request to the Website to be informed whether we process your data and, if so, what types of data (right of access).
- To have inaccurate personal data rectified, or completed if it is incomplete (right to rectification).
- To request, under conditions, the erasure of the data (right to erasure).
- To request, under conditions, the restriction of the data processing (right to restriction of processing).
- To object, under conditions, to the processing of your data by us (right to object), especially with respect to the processing relating to marketing purposes (e.g. newsletter).
- To request the data that you have provided to us in a structured, commonly used and machine-readable format (right to data portability), as long as it is technically feasible.
- In case of data breach, which is likely to pose a high risk to your rights and freedoms and as long as it does not fall under any of the exceptions provided in the GDPR and the national legislation, the Company has the obligation to communicate the breach to you without undue delay.
Compliance with the legal framework on the processing of personal data and the exercise of your rights guaranteed by that framework, are our top priority. Therefore, we have the right to request additional information necessary for your identification before you can exercise the rights described above.
In principle, the Company has the obligation to respond to your request promptly and, at the latest, within one month. If deemed necessary, taking into account the complexity of the request and the number of the requests, that period may be extended by two further months. In any event, we will inform you as soon as possible, and always within one month after the submission of your request, concerning the progress made and the reason for any possible delay.
In case your requests are manifestly unfounded or excessive, in particular because of their repetitive character, the Company may either i) charge a reasonable fee taking into account the administrative costs for providing the information or making a communication or performing the action requested, or ii) refuse to act on the request.
Where GDPR applies, if you consider that we do not comply with the personal data protection laws, you have the right to lodge a complaint with the Hellenic Data Protection Authority (www.dpa.gr, 1-3 Kifissias Ave., Athens, P.C. 115 23 Greece, email: firstname.lastname@example.org).
The Company offers its services exclusively to individuals over 18 years of age. When a request is submitted to the Company, the user is presumed to be over 18 years of age.
Since it is not technically feasible to effectively control the age of the users of the Website, in case a minor submits personal data in violation of our terms, we will delete all relevant information. We will not delete this information if it is deemed necessary to establish, exercise or defend legal claims or fulfil a legal obligation.
Changes in policy and updates
This policy may be changed at any time and without prior notice. Guided by the principle of transparency, we will inform you of any major changes in our policy. However, we strongly advise you to regularly review our policy.
California Residents: "Shine the Light" and Do Not Track Disclosures
Please note that we do not sell or share our consumers’ PII with third parties for marketing purposes.
Additionally, we do not currently respond to browser Do Not Track signals or other browser or device-based mechanisms that provide a method to opt out of the collection of information across the networks of websites and online services in which we participate. We do provide consumers with the ability to manage their cookie choices as described in our cookies policy. For more information on Do Not Track, please visit allaboutdnt.com.