Privacy Policy

Who are we?

Privacy and Security Policy – Volta Medical
Edition 1 – Updated on May 20, 2021

Volta Medical is the trade name of SUBSTRATE HD SAS.

We are a company with our headquarters in Marseille (France) at 65 Avenue Jules Cantini, 13006 Marseille, FRANCE. You can contact us at the following address: contact@volta-medical.com

The contact details of our Data Protection Officer are provided at the end of this document.

General overview of the privacy and security policy

Volta Medical’s personal data protection policy is a document that details how we collect the data of natural persons, how we use these data, and how we may share them in the context of our business operations and research and development activity.

In accordance with the goals of transparency and fairness that we set for ourselves and pursuant to the European regulation on personal data (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data, referred to by the term “GDPR” in this document), our goal is for this Privacy and Security Policy to be understandable and easily accessible.

We have therefore divided it into several sections so that you can easily find the information that you are looking for.

It contains general information and information on the specific ways we use it. You can request more information at any time about any examples that have not been explained.

To facilitate reading, we will refer to this privacy and security policy by the shortened term of “Policy” throughout the rest of the document.

Who does this Policy apply to?

‍This policy applies to any natural person who has a relationship with our company and whose personal data is processed by us. It does not apply to employment relationships; another policy available to Volta Medical employees governs this relationship.

This Policy applies in particular to individuals who have agreed to participate in research. It also serves as an information document for anyone interested in the way in which we process personal data.

This Policy is available on our websites and may also be obtained free of charge on request by any other method. This request can be addressed to our Data Protection Officer whose contact details are provided below.

As part of our operations, we may work with entities which are not part of our group; if you would like to know how these entities process your data, we encourage you to contact them directly to learn about their commitments and/or to exercise your rights under the GDPR.

‍Policy changes

‍We may occasionally amend this Policy in order to reflect changes in our operations and/or to comply with our legal obligations.

In the event of any amendments, these will be made to the relevant pages of the Policy on the Platforms available online and we recommend that you consult this on every visit. However, if the amendments to this Policy are substantial, we will draw your attention to this by publishing a notice on our website and, where applicable, in the relevant section of each Platform.

What are personal data?

‍According to the GDPR, personal data are information about an identified or a directly or indirectly identifiable person. In this policy we refer to them by the terms “personal data” or “data”. The personal data that we process may be private or professional. Anonymous, anonymized, or aggregate data are not personal data.

What is the processing of personal data?

‍Processing is an operation on one or more personal data. We process personal data in accordance with the GDPR:

• for ourselves; in this case, we are the controller because we determine the purpose and the methods of the processing of the personal data, or
• for our customers, partners, or organizations; in this case we act as a processor as defined by the GDPR.

What are our commitments?

‍Transparency: Volta Medical undertakes to process personal data in a transparent, fair, and lawful way.

To this end, we will provide you with relevant information when we collect your data or when they come from a third party or technology. When we collect data, we will notify you if this collection is mandatory, which mandatory data you should provide, if this collection is to satisfy a statutory or contractual requirement, and if it is a condition for the provision of a service or a contract, as well as the consequences of failing to provide this data. If we do not collect your personal data directly from you, you will still receive, either at the time of our first contact (through our intermediary or one of our processors) or at the time when the data are collected by the intermediary, information that is identical to that which we must provide in the case of direct collection. You will, in particular, be informed about the source of the data. Where necessary, we will notify you about any automatic decision-making (and the rationale for it), including profiling. This means that we will strive to inform you of the expected scope and consequences of any processing involving you.

Proportionality: We also undertake to only process your personal data for specific, explicit, and legitimate purposes or in order to comply with our legal/statutory obligations. Your personal data are not subsequently processed in any way that is incompatible with these purposes. If there is compatibility with the purpose for which the data are collected, and we intend to carry out further processing of said data, we will provide you with any information you may need to understand this new purpose and any relevant information. When the processing falls within our legitimate interests, this means that we have determined that it does not harm your interests nor your fundamental rights and freedoms. You may request information on how we weigh these factors at any time

Necessity:  We will restrict the collection and processing of your personal data to only what is adequate, relevant, and limited to what is needed for our operations. We will only retain the data in question for a period not exceeding that which is necessary for the purposes for which they are processed. They may nonetheless be retained for research or statistical purposes as long as we implement appropriate technical and organizational measures to ensure your rights and freedoms.

We only disclose certain portions of your data to authorized recipients, such as departments at our group who have need of them, as well as to any relevant third parties for the efficient performance of our services, operations, and/or research, but also to parties participating in potential business transactions (for example, prospective buyers or investors or parties involved in a legal reorganization). We oversee relationships with the recipients of these data and our processors through the implementation of appropriate safeguards and in line with our legal obligations. We also disclose your data when required to do so under a legal or statutory obligation or if the recipients are legally entitled to access the data (such as competent judicial or administrative/health authorities, court-appointed bailiffs, etc.). The disclosure of these data is detailed in legal/statutory documents.

Accuracy:  We will ensure that your personal data are accurate and kept up to date. We will implement reasonable measures to ensure that inaccurate data, with respect to the purpose for which they are collected, are erased or rectified as soon as possible.

Security:  Your data are processed in a way that ensures appropriate security, particularly with respect to unauthorized or illegal processing and against loss or destruction by means of relevant technical and organizational measures.

Generally, we undertake to comply with all legal principles incumbent on us concerning personal data protection, including in particular:

• respect for rights conferred on individuals,
• obligations concerning international transfers, for which we will take the necessary measures to ensure compliance with European regulations in the case of recipients who are not located in a European Union member State.
• educating employees about data protection and the necessity of confidentiality,
• implementing organizational and technical measures to ensure effective compliance with these principles.

What personal data do we collect?

‍We may collect personal data directly from you or via a third party and by means of various sources. For example, directly from you means that when you submit a job or internship application or when you contact us for a product or service but also when you register for a training session or when you use our products and services.

We can also collect your personal data in the case of interaction with us, for example through an Internet connection (we can also collect your connecting IP address).

We can also collect your personal data through your healthcare facility in the context of healthcare that you receive: either because your physician/healthcare facility uses one of our products or services (we are then their processor) or because you have explicitly agreed to participate in research (we are then the controller).

The collection of personal data that we carry out is not the same for all processing. Personal data that is collected will vary according to the processing in question, their purpose, but also depending on the kind of relationship that exists with the data subject. These data may also vary in accordance with the category of the data subject.

For this reason, we collect data on the following categories of individuals:

• job/internship applicants, or similar,
• prospective customers, customers,
• training participants,
• visitors to our Platforms,
• individuals participating in research with their consent in the framework of a research protocol validated by the research center authorities,
• healthcare professionals including (investigating physicians, physicians using our products, members of our scientific advisory board)
• healthcare staff or staff involved in research,
• investors,
• employees and/or representatives of our service providers, partners, suppliers, contractors.

Information categories that we directly or indirectly collect:

NB: Depending on your relationship with us (research participant, employee of one of our suppliers, physicians using our products or services or a physician belonging to the scientific advisory board, etc.), the information that you directly or indirectly provide to us is not the same.

The information categories that you can provide us depending on our relationship with you are:

• personally identifiable information such as your last name, first name, mailing address, date of birth, your electronic mailing address, your telephone number (personal or work depending on the case), your country of residence, your nationality, your picture or clips of you, your place of practice,
• professional data such as your training, your qualifications, your professional experience, your salary, and your current and previous employers, your business identification number, your trade and specializations, any gifts and hospitality that you might receive;
• data concerning your health, such as care received by the data subject (duration of the procedure, radiofrequency, fluoroscopy, type of intervention carried out by the physician, procedure parameters, procedure outcome), extra-cardiac electrical signals collected as part of the procedure, electroanatomical data; these data are disclosed to us by the healthcare facility in the framework of research and in a pseudonymized and encrypted format;
• commercial data: data concerning an invoice, payment methods and dates, banking details, information about the offered/sold products/services,
• data concerning your consent to the collection of personal data.

We may also automatically collect information at our discretion during our relationship with you. For example, when you attend events that we organize.

The information categories that we collect when you browse on one of our Platforms or when you use our products or services:

• personally identifiable information such as your IP address
• geographical area, date and time of connection.

What processing do we carry out on personal data?

‍We process personal data for specific, explicit, and lawful purposes. All processing set out below do not apply to the same individuals; that depends on our relationship with you.

This relationship may be related to management of our business relationship and communication with you.

Your data will consequently be processed for the purposes of:

• making contact with prospective customers that we think may be interested in our products and services (except where such solicitation is explicitly unwanted) or our research, marketing, and advertising operations. Processing is based on our legitimate interest (legal basis for the processing).
• sales, technical and commercial support, after-sales/Maintenance, signing contracts, invoicing, managing litigation, contracting with processors, buying goods and services. Processing is here based on a contract currently in effect between us or pre-contractual steps (legal basis for processing).
• We are the controllers. Data are only sent to authorized departments when necessary for their assigned tasks. Data may also be disclosed to processors when the transmission and processing of these data have been contractually codified to ensure sufficient safeguards with respect to personal data protection. Data are only stored for the period needed for each purpose and, where necessary, in compliance with legal storage obligations.

‍In the context of the provision of healthcare services

Volta Medical will carry out personal data processing for its customers (healthcare facilities, physicians) in the framework of providing operational support software called VX1 and The Recorder. The Recorder is an operational annotating tool that physicians are free to use. VX1 is a decision-making solution but is not a substitute for a physician who remains the sole decision-maker about the intervention to be carried out. This is not a diagnostic tool. Data processing is carried out under the supervision of physicians. The physician and/or healthcare facility is/are responsible for both the VX1 or The Recorder processing. Processing is based on a contract between us and the healthcare facilities or physicians (legal basis for the processing).

‍In the framework of our research operations not involving human subjects

To acquire and improve knowledge about the occurrence of cardiac rhythm disorders and the mechanisms and interactions affecting the heart, we have undertaken research based on using artificial intelligence algorithms on healthcare data collected during interventions. Upon completion of the research, our aim is to make it easier for physicians to make diagnoses. During the research, algorithms are applied to patients’ electrical signals which are collected after the medical intervention, with the consent of the patient or of their legal representative. The algorithms have no bearing on decision-making with respect to the data subjects in question. Data are collected on our behalf by healthcare facilities with whom we have a scientific research protocol and are submitted to us in a pseudonymized format. Processing of personal data is based on Volta Medical’s legitimate interest in research and development (legal basis for the processing), without, however, affecting the rights and freedoms of the data subjects. In the context of this research, we are controllers and the healthcare facilities/physicians who participate in collection on our behalf, are our processors as defined by the GDPR. Since participation in the research is optional, individuals participating in this research are notified by means of a specific notice to ensure they understand what it consists of and are aware of their rights. They are free to either participate in the research or refrain from doing so without any impact on the healthcare they receive. They are free to withdraw their consent at any time. Data are only sent to authorized departments when necessary for their assigned tasks. Data may also be disclosed to third-party processors when the transmission and processing of these data have been contractually codified to ensure sufficient safeguards with respect to personal data protection. Data are stored throughout the period needed for the research in addition to the period authorized by the regulations. At the end of this period, personal data are either anonymized or destroyed.

As part of this research, we also collect personal data concerning the professionals involved in the research, such as scientific officers (the legal basis for processing here is the contract made with us), participating physicians, and, where applicable, staff involved in research (the legal basis for processing is our legitimate interest or the contract made with them). A specific information notice is sent to these professionals within statutory timeframes and states the legal basis applicable to the processing. The personal data of professionals involved in the research are stored for the period needed for the research in addition to the period authorized by regulations. They are then archived in paper or electronic format for a period compliant with current regulations.

As part of our statutory obligations concerning transparency and the avoidance of conflicts of interest.

In strict compliance with applicable regulation, we may compensate, pay, or award hospitality to healthcare professionals. We may also make donations and/or gifts for research or for organizations, or fund training in the field of healthcare. Consequently, we collect information needed for completing procedures required by regulations concerning transparency and the avoidance of conflicts of interest. The legal basis for this processing is compliance with our legal obligations. A GDPR-compliant notice is provided in this regard to the healthcare professionals and data subjects by appropriate means. The necessary data are processed by authorized staff internally and are also disclosed to certain authorized third parties (in particular regulatory bodies, such as the Council of the Order of Physicians, the French Transparency Register, and their foreign equivalents, etc.). You are encouraged to consult the confidentiality policies of these bodies. Depending on the context, the storage period that we apply may vary (duration based on the performance of a contract or research, duration of the requirement)

‍In the context of hiring

‍We collect information concerning you in order to manage job applications. These data are sent to both internal and external authorized hiring staff. We only store the data you disclosed to us for the period needed for assessing your application and for a longer period if we do not hire you, in order to offer future opportunities that might be suitable for you. You may nonetheless object or exercise any of your rights as stated below. Processing is based on the following principles: pre-contractual measures or a contract made between us on the basis of our legitimate interest (legal basis for the processing).

Cookies/Trackers

Cookies and tracers are sets of information stored as a file on the hard disk of your terminal (computer, phone, tablet) at the request of the server of the site or application visited in order to transmit certain information. Your terminal will store it for a certain period of time, and will send it back to the web server each time you connect to our site.

1.1 Cookies placed when you browse our websites volta-medical.eu or volta-medical.com

Typology of cookies placed on our Volta-medical.eu and volta-medical.com websites

- Cookies necessary for the provision of the service

Purposes of processing: We use technical cookies on our websites (volta-medical.eu and volta-medical.com) to the extent strictly necessary for the provision and optimal functioning of our sites, and also to allow us to provide you with content that complies with the applicable regulations imposed on us within the country in which you are located. We also store and manage your cookie preferences.

The data generated by these cookies are as follows: Connection IP address, Data relating to your approximate geographical area of connection (country), Data relating to your cookie preferences (content of the selected preferences as well as date, time of choice and time zone), URL from which consent was submitted, as well as an anonymous identifier,  encrypted and randomly generated which is assigned, for statistical purposes, by our subcontracted consent management platform: CookieFirst.

Legal basis(s) of processing: The legal basis for processing depends on the sub-purposes of the processing.

With regard to the geolocation of your terminal allowing us to provide you with content that complies with our legal requirements in the country in which you are located: the legal basis is Volta Medical's compliance with its legal obligations.

For other sub-purposes, the legal basis for processing your data is our legitimate interest in providing you with an optimal browsing experience on our websites.

Retention period : Cookies have a lifespan of 12 months beyond which they will be deposited again when you visit our sites. The data relating thereto are kept for a period of 12 months from the deposit of the cookie.

Whether or not cookies must be deposited: These functional cookies being necessary for the proper functioning of the site and the conformity of the content to which you access, they do not require your prior consent. However, you may delete these cookies at any time in accordance with Article 1.3 of this policy.

Data source: direct collection from users of our websites

Data recipients:  Internal staff authorized to access the data in order to be able to accomplish their missions, as well as our subcontracted consent management platform: Cookie First.

- Cookies not necessary for the provision of the service

Purposes of processing: When you visit our volta-medical.ue website through equipment located in the European Union, we use a geolocation cookie to improve your browsing experience and allow you to directly access content in your language.

The data generated by this cookie are as follows : country and city of connection.

Legal basis: The legal basis for the processing is Volta Medical's legitimate interest in providing you with an optimal browsing experience.

Data retention period : Cookies have a lifespan of 12 months beyond which your consent will be required again. The data relating to it are kept for a period of 12 months from the moment of your consent.

Whether or not cookies must be deposited: The deposit of cookies is optional. You can oppose the deposit of this cookie, or proceed at any time to the deletion of it under the conditions specified in article 1.3 below. In case of opposition to the deposit of this cookie we inform you that the navigation language will be English by default.

Data source: direct collection from users of our website volta-medical.eu.

Recipients of the data:  Internal staff authorized to access the data in order to be able to accomplish their missions, as well as our subcontractor of geolocation of users: Geotargetly.

- Audience measurement

Purposes of processing: In order to allow us to improve our site, and to measure and analyze the number of visitors and use of it, we use an audience measurement tool carried out through local storage technology on your terminal. Please note that this local storage does not allow us to track your browsing or perform profiling.

The data generated by this local storage are as follows: Each visit to our site generates an anonymous, encrypted and randomly generated identifier which is assigned, for statistical purposes, by our subcontracted consent management platform: CookieFirst.

Legal basis: The legal basis for the processing is Volta Medical's legitimate interest in generating audience measurement statistics for the purposes of analyzing site traffic and determining possible improvements.

Whether or not cookies must be deposited:  Insofar as this local storage has a purpose strictly limited to audience measurement and is used to produce anonymous statistical data (without other data collection), your consent is not necessary for the deposit.

Retention period: This technology generates an identifier each time you visit the site after depositing information stored locally on your browser. Once the identifier is generated, no more requests are possible between us and the local storage. However, some information remains permanently stored on your device. You may delete them under the conditions specified in Article 1.3 below.

Data source: direct collection from users of our websites

Data recipients:  Internal staff authorized to access the data in order to be able to accomplish their mission and our subcontracted consent management platform: Cookie First.

- Third-party services

In addition, from our websites, you can access certain third-party sites such as YouTube® or LinkedIn ®. We do not use the deposit of cookies on your terminal by these companies. However, by accessing these platforms via our sites, you may see your browsing data collected and used by this company for their own purposes. For more information, we invite you to consult their Privacy Policy.

1.2 Cookies placed when you access the Lever recruitment platform via our websites

As part of the use of the recruitment candidate management tool, Lever Inc. uses certain cookies on its behalf. The company Lever is then responsible for processing. This platform collects personal data such as your IP address and other data on your device. Data is also collected about your engagement with the candidate management platform such as the pages you visit. Where necessary, your consent is sought.

In some cases, browsing data is collected and processed by our partners who may act as controller, processor or joint controller. You can contact us if you want to know more.

If you do not wish to consent to the deposit of cookies by Lever Inc., you have the option of sending us the elements of your application by email to hr@volta-medical.com. For more information, we invite you to consult their privacy policy.

1.3 How to prevent cookies being stored on your terminal

You may, at any time, choose to disable all cookies placed on our sites and/or the Lever application platform. However, we inform you that your user experience may be degraded.

How to disable cookies?

Regarding the non-necessary cookies of our site: you can disable the deposit of unnecessary cookies at any time by configuring the cookie management tool available via the blue button at the bottom left of your navigation screen.

With regard to the necessary cookies of our site, local storage used for audience measurement and cookies deposited during your navigation on the Lever ® recruitment platform: You can, at any time, block any cookies from the privacy management tools of your browser. For the main browsers, you can refer to the following links:
-      Firefox
-      Chrome
-      Explore
-      Safari
-      Opera

Can we change this Policy?

We may modify the content of this Policy, at any time, according to the evolution of our activities and / or in order to comply with our legal obligations in particular.

If we make changes, they will be made in the pages relating to this Policy on the Platforms available online and we recommend that you refer to them each time you visit. On the other hand, in the event of substantial changes to the characteristics of the processing, we draw your attention by publishing a warning on our website.

Do we transfer your data outside the EU?

We may transfer data to a country outside the European Union as part of our business. In this case, we take all appropriate measures to ensure compliance with the regulations applicable in the European Union. You can obtain a copy of these guarantees from our Data Protection Officer by sending request to dpo@volta-medical.com.

What are your rights concerning personal data?

Any natural person enjoys rights concerning their personal data granted by law. When the law allows it, we may invoice you for this service, for example when your request is manifestly unfounded or excessive.

Your rights will be exercised vis-a-vis the controller. Consequently, we are only able to respond to requests concerning processing for which we are the controller. We cannot fulfill your request when we act in the capacity of processor.

When you wish to exercise any of your rights, we may require information and documentation from you in order to verify your identity. This ensures no confidential information is disclosed to unauthorized individuals.

Subject to legal considerations allowing it or, for example, that we do not infringe on our duty of confidentiality towards a third party, or subject to it not seriously compromising the purpose of the processing, we will send you the requested information or will notify you of any additional data needed to process your request in a timely manner.

Your requests may be made in writing or verbally but in the case of the latter, you must be able to prove your identity by other means. However, we will keep a written paper record enabling us to know that: you made your request verbally, how you verified your identity, and the information that you provided to us.

What are your rights?

• You have the right to be informed when we directly or indirectly collect data from you.
• You have the right to be informed of whether or not we hold data about you, and if so, the personal data we hold about you, as well as the identity and contact information of the controller, the contact information of the Data Protection Officer, the purposes of the processing and its legal basis, our legitimate interests where applicable, the data categories collected, the recipients of the data, information about transfers to countries outside of the European Union, information about adequate safeguards, the storage period or if this is not possible, the criteria used to determine this period.
• You have the right to have your personal data rectified in the event they are inaccurate and to have them completed (including by means of a supplementary statement) according to the type of processing in question,
• You have the right to erasure of your data when specific conditions have been met:

• they are no longer necessary in relation to the purposes for which they were collected, or
• When you withdraw your consent on which the processing was based, or

• You have the right to request the restriction of the processing in some circumstances, namely:

• when you contest the accuracy of the data (this restriction will be in effect for a limited period of time),
• in the event of unlawful processing by us for which you prefer that your data be restricted rather than erased,
• in the event that we no longer need your data but these are needed by you for the establishment, exercise, or defense of legal claims,
• if you have contested processing, we will restrict processing during the period needed to verify that the lawful grounds invoked by Volta Medical for the processing prevail over yours. We will also notify you before removing the restriction of the processing;

• You have the right to have your data transferred to a third party in a structured, commonly used, and machine-readable format. This right is only available when the processing that we carry out is based on a contract made between us or when we process your data because you have consented to it;
• You have the right to object to your data being processed for the purposes of direct marketing.
• You have the right to object to your data being processed, to a certain extent, with respect to your specific circumstances, when the basis for this processing is our legitimate interest (particularly in the case of automated individual decision-making);
• If you believe that we have not satisfactorily dealt with the exercise of your rights, you may contact the relevant supervisory authority which, for Volta Medical, is the French Data Protection Authority (Commission Nationale Informatiques et Libertés) www.cnil.fr

Volta Medical undertakes to consider all requests concerning personal data. If you have any questions about this Policy or you wish to exercise one of your rights, please contact us. We will reply in a timely manner and in all cases within the regulatory mandated time frames. We will respond to you in writing, including by electronic means, or also verbally if you request it (please see above for the terms and conditions applicable to verbal replies).

To exercise your rights, please contact the Data Protection Officer (DPO) appointed by Volta Medical at the following address: dpo@volta-medical.com

‍Data Protection Officer

‍Volta Medical has appointed a data protection officer whose role is to ensure the dissemination of a culture of personal data protection at Volta Medical, but also with its partners, providers, and customers. He/she is involved in processing projects to ensure that individual rights are taken into account. He/she will also respond to any questions you might have about regulations concerning personal data and to your requests to exercise your rights.

His/Her address is: dpo@volta-medical.com