Privacy Policy

for AITIO Services

  1. Preamble

The SAS Hometrix Health (the « Company ») publishes a mobile application (the « Application ») aimed at supporting individuals diagnosed with lupus.

 

The Application provides, to individuals diagnosed with lupus (the « Users »), a space for exchange with other Users suffering from the same disease, thematic advice, physical activity goals, and monitoring of their overall condition (the « Services »).

 

In this context, the Company processes, for the purpose of providing the Services, the personal data of Users registered on the Application, in compliance with the applicable regulations, namely, as of the date of this policy, Regulation No. 2016/679 (EU) of April 27, 2016, known as the General Data Protection Regulation (« GDPR »), and the Data Protection Act of January 6, 1978, in its updated version (« DPA ») (together, the « Applicable Regulations »).

 

In this regard, the purpose of this privacy policy is to inform Users about the characteristics of the processing of personal data implemented by the Company in the context of providing the Application and Services – notably to enable them to freely consent to the processing of their health-related personal data – and about their rights.  

 

  1. Definitions

The terms beginning with a capital letter are either defined herein or have the meaning given to them by the Applicable Regulations, notably the GDPR, such as the terms « Personal Data » (or « Data »), « Data Subject », « Processing », « Controller », « Processor », « Recipient », or « Data Breach ».

 

  1. Identity of the Data Controller

In the context of providing the Application and Services, the Company acts as the Data Controller for Users' Data.

 

The Company is the Data Controller for User Data in the following contexts :

  • Creation and management of the User Account ; 
  • Provision of Services ;
  • Anonymization of User Data for the purpose of conducting studies and statistics in the healthcare and social fields, including by partners. These studies and statistics will always be conducted using anonymous data, and the User cannot be reidentified under any circumstances ;
  • Technical management of the Application (management of User identification and navigation on the Application).

 

In this context, the Company takes appropriate measures to ensure the protection and confidentiality of the personal data it processes, in accordance with the provisions of the GDPR and national legislation.

 

  1. Characteristics of the Processing carried out by the Company

 

 

 

  1. Recipients of Personal Data

The Company may disclose User Data to authorized Recipients bound by appropriate confidentiality obligations, who may be internal or external depending on the circumstances :

 

  • Internal recipients are Company personnel whose roles, functions, and duties justify processing User Data for purposes related to their roles, functions, and duties, as outlined in this Privacy Policy. This is done in accordance with the technical and organizational measures implemented by the Company to preserve the confidentiality and security of the Data ;
  • External recipients, depending on the purpose, include :
    • Subcontractors engaged by the Company, including DevOps, developers, and the hosting service provider ;

 

  1. Data Hosting

The User is informed that the Company engages a certified service provider as defined in Article L1111-8 of the Public Health Code for hosting health data processed within the scope of the Application.

 

The User may object to the hosting of their health data for legitimate reasons under the conditions outlined below.

 

  1. User Rights and Withdrawal of Consent

In accordance with the Applicable Regulations, Users have the right to access their personal data. They also have, depending on the situation, the rights to rectify and erase their personal data, as well as the right to object to their processing when applicable. Furthermore, they have the right to data portability, to limit their processing, and the right to issue directives regarding the processing of their data after their death.

The User also has the right to withdraw consent for the processing of their health data; however, it is specified that withdrawing consent implies renunciation of the benefits of the Services.

 

Users can exercise these rights by mail to the Company's Data Protection Officer at the following address: 11 rue de Lourmel, 75015 Paris, or by email at the following address: contact@aitio.co.

 

The User's request must come from the User (unless a duly authorized mandate is given to a third party) and should be as clear and comprehensive as possible to enable the Company to respond promptly.

The Company may ask the User to provide additional information if the request is not sufficiently precise, if the right the User wishes to exercise is not easily identifiable, or if the User is unable to establish their identity. In such cases, the Company may ask for additional information, including proof of identity, which will be deleted after identity verification.

 

  1. Transfer of Personal Data Abroad

The personal data of Users is not subject to any transfer to countries outside the European Economic Area.

 

  1. Cookies

The Application uses the functional cookie _aitio_session to manage User identification and navigation on the Application. Users can block these cookies using their browser settings; however, it is noted that blocking cookies may degrade the user experience on the Application.

 

  1. Update of this Policy

The Company may modify, supplement, or update this policy at any time to reflect legal, regulatory, and/or jurisprudential developments, changes in the characteristics of the processing, or the implementation of a new processing. Any new version of this policy will be communicated to Users by any means.

 

Last modified on : 25/04/2023

 

  1. Complaint to the CNIL

Users can also address any questions to the CNIL or file a complaint at the following address: CNIL Complaints Department, 3 Place de Fontenoy – TSA 80751, 75334 Paris Cedex 07, or by phone at 01.53.73.22.22, or online by clicking on the following link : https://www.cnil.fr/fr/plaintes