Privacy Policy

1 GENERAL

1.1 This privacy policy (this ”Privacy Policy”), describes how AMRA Medical AB, registration number 556804-3227, Badhusgatan 5, SE-582 22 Linköping, Sweden (“AMRA”), collects, uses, discloses, stores, and otherwise processes your personal data.

1.2 AMRA respects your right to privacy and is committed to complying with applicable data protection legislation. This Privacy Policy describes, amongst other things, which personal data that AMRA processes about you, how such personal data is processed, and for which purposes. This Privacy Policy also describes your rights and how you can contact AMRA regarding the processing of your personal data.

1.3 AMRA is the data controller responsible for the processing of your personal data in accordance with applicable data protection legislation.

2 WHAT TYPES OF DATA DO WE PROCESS?

2.1 Personal data means all types of information which can, directly or indirectly, be used to identify a living physical person, including any information collected in accordance with this Section (“Personal Data”).

2.2 AMRA collects and processes Personal Data about you when you visit AMRA’s website, including:

• (i) information about how you use the website; and
• (ii) technical data, which may include your URL, IP address, unique device ID, network and computer performance, browser type, language and identifying information, general geographical location and operating system.

2.3 In addition, AMRA collects and processes Personal Data about you when you provide your Personal Data to AMRA in connection with marketing, such as when you request information from AMRA in order to be able to obtain services offered by AMRA or when you sign up to AMRA’s newsletter, including your name, email, address, and any other information that you chose to provide to AMRA.

2.4 Furthermore, AMRA collects and processes Personal Data about you when (i) a health care provider engages AMRA as a service provider and uses AMRA’s services in connection with its provision of health care to you, and (ii) you choose to participate in a study which AMRA conducts or otherwise participates in, including unique identifiers (such as pseudonymized data key), MRI images, sex, age, weight, height, and if applicable nationality, ethnicity, any relevant disease states, pseudonymized data required for the interpretation of results (such as results from analysis of blood samples, medical history, and other relevant tests).

2.5 AMRA also collects and processes Personal Data about you when you agree to AMRA’s use of your MRI image in marketing, including name, age, sex, height, weight, BMI, and MRI images.

2.6 Information about how AMRA stores and uses cookies is described in AMRA’s cookie policy, available on this link.

3 WHY DO WE PROCESS YOUR DATA?

3.1 AMRA collects and process Personal Data relating to you for the following purposes:

• (i) to ensure the technical functioning of AMRA’s website;
• (ii) to analyse your use of the website in order to develop and improve the website;
• (iii) to provide our services;
• (iv) to communicate with you;
• (v) to send newsletters that you have requested;
• (vi) to market ourselves and our services (provided however, that you may at any time object to marketing);
• (vii) to develop and improve our services;
• (viii) to conduct clinical studies (only with your prior consent);
• (ix) to produce marketing material in relation to MRI images (only with your prior consent); and
• (x) to fulfil requirements by law.

4 LEGAL GROUNDS FOR THE PROCESSING OF PERSONAL DATA

4.1 AMRA’s processing of your Personal Data is based on the following legal grounds.
Legitimate interests

4.2 The legal basis for the processing of Personal Data for the purposes set out in Section 3, subsections (i)-(vii) is that the processing is necessary for the purposes of the legitimate interests pursued by AMRA. The legitimate interests of AMRA are as follows.

• (i) to provide a website, ensure the technical functioning of the website, and to develop and improve the website;
• (ii) to provide, develop, and improve the services;
• (iii) to communicate with customers and potential customers; and
• (iv) to market its brand and services.

Consent

4.3 The legal basis for the processing of Personal Data for the purposes set out in Section 3, subsections (viii) and (ix) is your consent. You may at any time withdraw your consent by contacting us. For contact details, please see Section 10 below.
Legal obligation

4.4 The legal basis for the processing of Personal Data for the purposes set out in Section 3, subsection (x) is that the processing is necessary for compliance with AMRA’s legal obligations.

5 FOR HOW LONG WILL AMRA STORE YOUR PERSONAL DATA?

5.1 Your Personal Data is stored only for as long as there is a need to retain the data in order to fulfil the purposes for which the data was collected in accordance with this Privacy Policy.

5.2 The Personal Data will be deleted when the purpose of the processing of Personal Data has been achieved, or, where the processing is based on your consent, when you withdraw your consent, whichever occurs first.

6 WITH WHOM MAY PERSONAL DATA BE SHARED?

6.1 AMRA will not disclose, sell, or share your Personal Data to third parties except as set out in this Privacy Policy.

6.2 AMRA may share Personal Data with trusted subcontractors and co-operation partners in order to provide you with our services. Such parties may access to your Personal Data in the course of or for the performance of their assignment for AMRA, but will not be permitted to use the Personal Data for any other purpose than for the performance of the assignment.

6.3 AMRA is part of a group of companies that collaborate in the performance of the services and that share certain central functions. Your Personal Data may therefore be shared with companies within the AMRA group.

6.4 Personal data may be transferred to suppliers of cloud solutions since AMRA stores certain information in cloud solutions.

6.5 Personal Data may be disclosed if necessary to comply with legal requirements, in the event of a merger or sale of the business, or if necessary to safeguard AMRA’s legal interests, or to prevent, detect, or investigate fraud or other safety or technical problems.

7 TRANSFERS OF PERSONAL DATA OUTSIDE OF THE EU/EEA

7.1 Except as set forth below, AMRA will not transfer your Personal Data to any country outside the EU/EEA.

7.2 If you are located in a country outside of the EU/EEA, AMRA’s communications with you will constitute a third country transfer. If the country in which you are located is not subject to a so-called adequacy decision (which are published on the European Commission’s website, https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en), a transfer of Personal Data may, due to the lack of appropriate safeguards, entail the following risks: lack of data protection in the third country, loss of control of Personal Data, including the inability to access, modify, or correct Personal Data, discrimination, embarrassment, or reputational harm due to the exposure of Personal Data, economic or financial loss, exploitation of Personal Data, and surveillance and/or monitoring. If you do accept these risks, do not consent to the transfer of your Personal Data outside of the EU/EEA. Kindly note however, that if you do not consent to the transfer of Personal Data outside of the EU/EEA, AMRA may not be able to communicate with you or provide its services to you.

7.3 AMRA is part of an international group of companies, some of which are based outside of the EU/EEA, namely in the USA and the UK. AMRA has ensured the safety of Personal Data transferred to group companies located outside of the EU/EEA e.g. by entering into the European Commission’s Standard Contractual Clauses.

7.4 Personal Data may be transferred to IT service providers based outside of EU/EEA, namely in the USA, as a part of such service provider’s provision of services to AMRA (including the provision of cloud service solutions). AMRA has ensured the safety of Personal Data transferred to IT providers located outside of the EU/EEA by entering into the European Commission’s Standard Contractual Clauses.

7.5 For further information on European Commission’s Standard Contractual Clauses, please visit https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en.

8 PROTECTION OF YOUR PERSONAL DATA

8.1 You should always feel secure when you provide your Personal Data to us. We have employed a wide range of technical, physical, administrative and organizational security measures reasonably designed to protect your Personal Data against unauthorized access, modification, and deletion. These measures include data encryption, firewalls, automatic timeouts and pseudonymization where applicable. While we have employed security technologies and procedures to assist safeguarding your Personal Data, no system or network can be guaranteed to be 100% secure, and we cannot ensure or warrant the security of any information you provide to us. Any transmission of Personal Data is at your own risk.

8.2 To the extent that the Health Insurance Portability and Accountability Act and the associated regulations, 45 C.F.R. parts 160-165, and the Health Information Technology for Economic and Clinical Health Act and the associated regulations, as they may be amended, are applicable to your Personal Data, AMRA will process your Personal Data also in accordance with the provisions of those laws.

9 YOUR RIGHTS

9.1 Right of access. You have the right to access your Personal Data and to obtain a copy of the personal data concerning you that is processed by AMRA.

9.2 Right to rectification. If the Personal Data concerning you that is processed by AMRA is inaccurate, incomplete or outdated, you have the right to obtain rectification of such Personal Data.

9.3 Right to erasure. You have the right to request the erasure of Personal Data. Unless AMRA has a legal basis to continue the processing of the Personal Data, such Personal Data shall be erased.

9.4 Right to object. Under certain circumstances you have the right to object against AMRA’s processing of your Personal Data.

9.5 Right to restriction of processing. Under certain circumstances you have the right to obtain restriction of the processing of your Personal Data. Where processing has been restricted, AMRA may only under certain circumstances carry out other processing activities concerning the Personal Data than storage. In accordance with applicable law, you may request to opt-out of the processing of your Personal Data for the purpose(s) of: (1) targeted advertising; (2) sale of personal information; or (3) profiling to make decisions that have legal or other significant effects on you.

9.6 Right to data portability. Where your Personal Data is processed based on your consent or on a contract with you, you have the right to receive the Personal Data in a machine-readable format and request that those data are transmitted to another controller.

9.7 Right to Non-Discrimination. You have the right not to receive discriminatory treatment by covered businesses for the exercise of their rights conferred by the applicable privacy law.

9.8 Right to Appeal. If you are dissatisfied with the refusal of AMRA to take action in accordance with the exercise of your rights in this section above, you may request reconsideration by AMRA, by sending a written request for reconsideration to the mailing address found in the “How to Contact Us” section below. Within sixty (60) days of AMRA’s receipt of such written request for reconsideration, AMRA shall inform you in writing (at the address indicated in your initial written request) of any action taken or not taken in response to your request for reconsideration, including a written explanation of the reasons for the decision. In addition, if your request for reconsideration is denied, you have the right to appeal to the Attorney General in your state of residence if you reside in the United States.

9.9 Right to lodge complaints with a supervisory authority. You have the right to lodge complaints concerning AMRA’s processing of Personal Data to the Swedish Authority for Privacy Protection, Box 8114, SE-104 20 Stockholm or to any other supervisory authority.

9.10 Authorized Agent. Only you, or someone legally authorized to act on your behalf, may make a verifiable consumer request related to your Personal Data. You may also make a verifiable consumer request on behalf of your minor child. To designate an authorized agent, please contact us as set forth in “How to Contact Us” below and provide written authorization signed by you and your designated agent.

9.11 Verification. To protect your privacy, we will take the following steps to verify your identity before fulfilling your request. When you make a request, we will ask you to provide sufficient information that allows us to reasonably verify you are the person about whom we collected Personal Data or an authorized representative, which may include asking you to answer questions regarding your account and use of our services.

9.12 “Do Not Track”. “Do Not Track” (“DNT”) is a privacy preference you can set in certain web browsers. When you turn on this preference, it sends a signal or message to the websites you visit indicating that you do not wish to be tracked. AMRA responds to and honors DNT signals.

10 STATE PRIVACY RIGHTS

10.1 California Privacy Rights. The California Consumer Privacy Act of 2018 and California Privacy Rights Act of 2020 (CPRA) (together, “CCPA”) requires covered businesses to provide California residents with some additional information regarding how they collect, use, and share your “personal information” (as defined in the CCPA). While AMRA is not currently a covered business under the CCPA, we value privacy and strive to be transparent with our customers. As such, we have provided additional details below about the information we collect, how we disclose it, and how you can exercise your privacy rights under the CCPA, in the event it applies to our activities in the future.

10.1.1 Categories of Personal Information that is Collected, Disclosed and Shared. The CCPA provides California residents with the right to know what categories of personal information covered businesses have collected about them and whether such businesses have disclosed that personal information for a business purpose (e.g., to a service provider) in the preceding 12 months. California residents can find this information below:

10.3.2 “Sales” or Sharing for Targeted Advertising under VCDPA, CPA, CTPDA and UCPA. Residents of Virginia, Colorado, Connecticut and Utah have the right to opt-out of the “sale” of their personal data to third parties or the processing of their personal data for targeted advertising. For purposes of this paragraph the definition of “sale”, “sell” or “sold” has the meaning set forth in applicable privacy law. If a consumer wishes to exercise their right to opt-out of the sale of personal data or processing of personal data for targeted advertising, they may do so by following this link. The categories of personal data “sold” or processed for targeted advertising can be found below:

11 CHILDREN USING OR ACCESSING THE SERVICES

We are especially committed to protecting the privacy of children. AMRA’s services are directed at a general audience over the age of eighteen (18) and are not targeted to children. If we learn that we have inadvertently collected or received Personal Data from an individual under the age of eighteen (18), we will use reasonable efforts to immediately remove such information, unless we have a legal obligation to keep it. If you are a parent or legal guardian and think your child under the age of eighteen (18) has given us information without your consent, please contact us via the information found in the “How to Contact Us” section below.

12 THIRD-PARTY WEBSITES AND APPLICATIONS

AMRA’s services may offer links to websites or applications that are not run by us but by third parties. These third-party services, websites, or applications are not controlled by us, and may have privacy policies that differ from our own. We encourage our users to read the privacy policies and terms and conditions of each website and application with which they interact. We do not endorse, screen, or approve, and are not responsible for the practices of such third parties or the content of their application or website. Providing Personal Data to third-party websites or applications is at your own risk.

13 CHANGES TO THIS PRIVACY POLICY

AMRA may at any time make amendments to this Privacy Policy. AMRA will publish the amended version on AMRA’s website. If the amendments are substantial, AMRA will, if possible, send the amended Privacy Policy to you by email.

14 HOW TO CONTACT US

You can contact us by post at AMRA Medical AB, Badhusgatan 5, SE-582 22 Linköping, Sweden, or by email at dpo@amramedical.com.