Privacy notice
Effective date: August 2023
Introduction
This Privacy Notice describes CVRx’s use of your personal data. CVRx is committed to respecting your online privacy and recognizes the need for appropriate protection and management of any personal data collected by or submitted to us.
This Notice describes how we use your personal data, and your data protection rights, including, where applicable, a right to object to the processing which we carry out. More information about your rights, and how to exercise them, is set out in the section “What rights do you have in relation to your data?” below. For purposes of this Privacy Notice, “personal data” means any information that relates to you and identifies you personally, either alone or in combination with other information available to us.
Who are we?
CVRx is a commercial-stage medical device company focused on developing, manufacturing and commercializing innovative neuromodulation solutions for patients with cardiovascular diseases. Barostim™ is the first medical technology approved by FDA that uses neuromodulation to improve the symptoms of patients with heart failure. Barostim is an implantable device that delivers electrical pulses to baroreceptors located in the wall of the carotid artery. Baroreceptors activate the body’s baroreflex, which in turn triggers an autonomic response to the heart. The therapy is designed to restore balance to the autonomic nervous system and thereby reduce the symptoms of heart failure. Barostim received the FDA Breakthrough Device designation and is FDA-approved for use in heart failure patients in the U.S. It has also received the CE Mark for heart failure and resistant hypertension in the European Economic Area.
CVRx will be referred to as “CVRx”, “we” or “us” and is the “controller” for all processing of your personal data submitted via our website.
Scope of this Notice
This Privacy Notice applies to our processing of personal data submitted through our website, including from customers, healthcare professionals (HCPs) or others with an interest in our products or business, as the case may be. To the extent a different privacy notice is provided to you by us or on our behalf, that notice will apply to our processing of your personal data.
What information we collect and for which purposes
Contract |
We process your personal data when it is necessary for the performance of a contract with you, or where you have requested us to take steps prior to us entering into a contract together. |
Purpose(s) | Type(s) of personal data |
---|---|
|
Contact Information:
Interest / Position (HCP, HCP Administration, Patient, Other) |
Legal obligation |
We process your personal data to meet legal (including tax and accounting), regulatory, pharmacovigilance, quality, medical inquiry and compliance requirements. |
Purpose(s) | Type(s) of personal data |
---|---|
|
Information as required by the applicable laws. |
|
Information as required by the applicable laws. |
|
Information as required by the applicable laws. |
|
Information as required by the applicable laws. We maintain records of any consents, preferences or other settings to enable us to comply with data protection law. |
Legitimate interest |
We also process your personal data when it is necessary for the purposes of our legitimate business interests (or those of a third party where relevant). |
Please contact us for more information on our legitimate interests balancing tests by emailing [email protected] |
Purpose(s) | Type(s) of personal data | |
---|---|---|
|
Personal identifiers, including:
We also maintain records of our communications with you. |
|
|
Personal identifiers, including (but not limited to):
Third Party account information. |
|
|
Contact details, including (but not limited to):
Other related (financial) information |
|
|
Information you provide, including (but not limited to):
Any commentary or other information you provide when you contact CVRx. |
Consent |
Generally, we do not rely on consent as a legal basis for processing your personal data, except for certain circumstances such as sending direct marketing communications to you via email or when we collect personal data through cookies where appropriate. If we require your consent to process your personal data in any other circumstance we will contact you separately to request such consent. |
You have the right to withdraw consent (“opt-out”) to marketing at any time by contacting us at [email protected] |
Where we collect personal data to perform our contract with you or to comply with our legal obligations, this is mandatory and we will not be able to perform the contract or we may be prevented from complying with our legal obligations to you or third parties (such as mandatory reporting, tax and accounting) without this information. In all other cases, provision of the requested personal data is optional, but this may affect your ability to receive certain services or take part in certain activities where the information is needed for those purposes.
We also collect information on the use of our website via cookies. Please view the Cookie Notice for more information about the use of cookies. With regards to cookies, you can withdraw your given consent at any time and manage your preferences by clicking on the icon on the lower left corner of the website.
We may also collect information from you if you apply for a job at CVRx through our website.
Whenever we collect personal data directly from you, we will indicate whether the provision of personal data is mandatory. Such will be the case where we require personal data to comply with legal or contractual obligations: if such data is not provided, then we will not be able to manage our contractual relationship, or to meet obligations placed on us. In all other cases, the active provision of requested personal data is optional.
Who will we share this data with?
If necessary to perform a service you request from us, to execute an order you have placed or to follow-up on your enquiries, we will share your information with other CVRx entities or third-party service providers, for example email and hosting providers, suppliers and delivery services.
We (or any third party on our behalf) disclose or transfer personal data to others as follows:
- to service providers that provide hosting services and technology service providers, business process outsourcing service providers and call centre service providers who are bound by contractual obligations to keep your personal data confidential and appropriately secure;
- as required in order to establish, exercise or defend or to protect legal claims, including in relation to our contracts with our customers and in order to protect the rights, property or safety of us, our business, any affiliate, our customers or others, including to legal advisors, government and law enforcement authorities and with other parties involved in, or contemplating, legal proceedings;
- to competent regulatory, prosecuting, tax or governmental authorities, courts or other tribunals in any jurisdiction or markets, domestic or foreign, upon their request or in accordance with or as desirable in respect of any applicable Law; if you are a healthcare professional, relevant regulators as required, such as EMA and pharmaceutical self-regulatory bodies such as EFPIA in Europe;
- to any other third parties to the extent such disclosure is required under applicable law or to enable products and services to be provided to you and/or our customers;
- payment infrastructure providers and persons from whom we receive or to whom we make payments on your or our customer’s behalf;
- in the event that the business is sold or integrated with another business, potentially our advisers, any prospective purchaser’s advisers and any new owners of the business and third parties (and their advisors) with whom we merge or whom we acquire in future.
Third party service providers will process your information on behalf of CVRx for the purposes above. When we share your data with these parties, we make sure that appropriate safeguards are taken to protect your information.
Where will we send your data?
CVRx operates internationally and will transfer your information to the recipients set out in the “Who will we share this data with?” section. When transferring personal data outside your country CVRx follows local privacy legislation.
For the European Economic Area (EEA), UK and Switzerland: when transferring personal data to countries with a European Commission adequacy decision, we rely on said adequacy decision (or local equivalent); when transferring personal data within the CVRx group or when transferring personal information to other countries outside the EEA that are not subject to an “adequacy decision” by the EU Commission (or equivalent), CVRx generally relies on EU Commission approved standard contractual clauses (read more here). Information on the relevant mechanism can be provided upon request by contacting us via [email protected].
How long do we store your data?
We retain information about you only for as long as we need it for the purposes for which it was collected. After that time your personal data will be erased (unless we have the statutory right or obligation to further keep this data).
For example, if you are a customer of CVRx, we will keep your information for the duration of the contractual relationship you have with us, and, to the extent permitted, after the end of that relationship for as long as necessary to perform the purposes set out in this notice. The criteria to determine the storage period are statutory and contractual requirements, the nature of our relationship with you, the nature of the data concerned, and technical necessities. Laws may require us to hold certain information for specific periods.
Where we process personal data for marketing purposes or with your consent, we process the data until you ask us to stop and for a short period after this (to allow us to implement your requests). We also keep a record of the fact that you have asked us not to send you direct marketing or to process your data so that we can respect your request in future.
How do we protect your data?
We strive to maintain a high standard of security and have put in place robust technical and organizational measures for the protection of your data in accordance with the current, general state of the art technologies, especially to protect the data against loss, falsification or access by unauthorized third persons. However, the transmission of information via the internet is not completely secure. So, whilst we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our website. Any transmission is at your own risk. Once we have received your personal data we will use strict procedures and security features to prevent unauthorized access.
We have a number of measures in place to ensure the security of digitally stored personal data, such as a strict Notice on access authorization, instructions on how to ensure security of personal data, a back-up procedure and secured connections. We also have adequate measures in place to secure personal data on hard copy and to physically secure back-up tapes of our digital data.
Access to your personal data is restricted to individuals who need such access in order to assist with our services. We have strict confidentiality obligations that apply to these individuals. Failure to meet these obligations may result in disciplinary and other actions, including dissolution of a contract, termination of employment and criminal prosecution.
What rights do you have in relation to your data?
You have the right to ask us:
- for access to and a copy of your personal data that we hold of you;
- for a copy of the personal data you provided to us and to provide it to you or send to a third party in a commonly used, machine readable format;
- to update or correct your personal data in order to make it accurate;
- to delete your personal data from our records in certain circumstances;
- to restrict the processing of your personal data in certain circumstances;
and you may also:
- object to us processing your personal data in certain circumstances (in particular, where we don’t have to process the data to meet a contractual or other legal requirement, or where we are using the data for direct marketing);
- withdraw your consent at any time, where we are using your personal data with your consent. This will not affect our use of your personal data prior to the withdrawal of your consent.
These rights may be limited in some situations – for example, where we can demonstrate that we have a legal requirement to process your data. In some instances, this may mean that we are able to retain data even if you withdraw your consent.
We hope that we can satisfy queries you may have about the way we process your data. If you have any concerns about how we process your data, or would like to opt out of marketing, you can always contact [email protected]. When addressing us, please always provide your name, address and/or email address as well as information about your request.
In the event you have unresolved concerns, you also have the right to complain to a data protection authority in the country of the local CVRx entity with which you may interact. Please find an overview of the EU data protection authorities here.
Links on our Website
Our website may contain links to other websites, e.g. Facebook, LinkedIn, Instagram, YouTube and Twitter. CVRx does not control these parties, their sites or their privacy practices. This CVRx Privacy Notice does not apply to external parties or external web areas and any processing of personal data by parties outside CVRx or its Affiliates will not be covered by this Privacy Notice.
We encourage you to review the Privacy Notice of any company or website before submitting any Personal Data. Information on the purpose and scope of data collection and its processing by those parties can be found in the respective data protection policies of these providers, where you will also find further information on your rights and options for privacy protection.
Website | Provider |
---|---|
Facebook | Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland |
LinkedIn | LinkedIn Corporation, 2029 Stierlin Court, Mountain View, California 94043, USA |
Instagram | Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland |
YouTube | Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland |
Twitter | Twitter, Inc., 1355 Market St, Suite 900, San Francisco, California 94103, USA |
Google Analytics
Our website uses Google Analytics, which is a web analytics service provided by the third-party provider Google, Inc. (“Google”). Google Analytics is used for the purpose of evaluating your use of our website, compiling reports on website activity and other services relating to website activity and internet usage. The information generated by the cookie about your use of the website is usually transmitted to and stored by Google on servers in the United States. This transfer is covered by Standard Contractual Clauses approved by the European Commission (see: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc) and a separate data processing agreement that we have concluded with Google.
On this website we have also activated the IP anonymization tool provided by Google to help protect your privacy. This means that your IP address will automatically be shortened after it is collected so it can no longer be connected to you (see https://support.google.com/analytics/answer/2763052). For more information see https://support.google.com/analytics/answer/6004245 (information on Google Analytics and data privacy).
Changes to this Notice
We regularly review this Privacy Notice in order to ensure that it is free of errors and clearly visible on our websites, that it contains appropriate information about your rights and our processing activities, and that it is implemented and is compliant with applicable law.
We may update this Privacy Notice from time to time to keep it up to date, to keep pace with new developments and opportunities relating to the Internet and to stay in line with applicable law. If we make material changes to this Privacy Notice, we will inform you accordingly and in an appropriate manner, such as via email or a notice on our website.
If you have any questions about your data
If you have any questions about the processing of your personal data, please feel free to contact us at:
CVRx, Inc.
9201 West Broadway Avenue, Suite 650
Minneapolis, MN 55445, USA
Phone: +1 763-416-2840
We will address your possible concerns and attempt to resolve any problem. You can also reach out to our Data Protection Officer via [email protected].