Privacy

Masimo SafetyNet™ Privacy Notice

 

Last updated: January 27, 2022

Part I

Table of Contents

1. Introduction

2. What types of personal data do we collect?

3. From what sources do we collect personal data?

4. For what purposes do we use personal data?

5. To whom do we disclose, share or transfer personal data?

6. How long do we store personal data?

7. How do we protect personal data?

8. Children

9. Your Rights

10. Effect of this Privacy Notice; Changes

11. Contact Us

 

1. Introduction

We, Masimo, provide this Privacy Notice to explain how we process personal data when you use the Masimo SafetyNet™ mobile application or the Masimo SafetyNet clinical portal designed to help healthcare providers to remotely manage patients’ care and conditions, and any of the data processing or storage features associated with these services (collectively, “SafetyNet”). Only patients who have been authorized by their healthcare provider to use SafetyNet may do so, and only healthcare providers who have signed up with us to use SafetyNet may authorize individual healthcare professionals they supervise to use the services. We use the term “personal data” or “personal information” to mean any information relating to an identified or identifiable natural person. This Privacy Notice also provides information about rights you may have under applicable privacy laws.

If you are located in the European Economic Area, United Kingdom, Switzerland or Turkey, “Masimo” refers to Masimo Österreich GmbH, Mariahilfer Straße 136, 1150 Wien, Austria. If you are located in other jurisdictions, “Masimo” refers to Masimo Americas, Inc., 52 Discovery, Irvine, 92618, USA.

If you reside in California, please see our California Consumer Privacy Act Privacy Policy here for additional information we are required to provide to you under California law.

If you are located in the European Economic Area, United Kingdom, Switzerland or Turkey, please refer to the corresponding Jurisdiction-Specific Disclosures further below for additional information we are required to provide to you under your local laws.

If you are located in Singapore, Hong Kong or Japan, please refer to the corresponding Jurisdiction-Specific Disclosures at the end of our Masimo Services General Privacy Notice here for additional information we are required to provide to you under your local laws.

 

2. What types of personal data do we collect?

We collect the following types of personal information about patients who use SafetyNet, which we have grouped together as follows:

  • Registration Information: We ask you to provide information to register for and activate SafetyNet. This includes your name, phone number, email address, age, date of birth and gender.
  • Third-Party Contact Information: We ask you to choose certain settings within SafetyNet. This includes the names of third parties to whom you wish to disclose your information (e.g., healthcare professionals, friends, family, or any other third party you have designated to receive your data to help care for you) and their contact information (e.g., telephone numbers and email addresses).
  • Device Information: This is information collected from any devices you connect with SafetyNet, including information about your mobile device or computer (e.g., IP address, login credentials) and the type of Masimo device used to capture your data.
  • Usage Information: This is information about how you use SafetyNet when you are logged into SafetyNet. With your consent as provided within the mobile application, we also collect your geolocation information.
  • Health Information: This is information about your physical activity and health (the categories of data collected depend on the type of device used to capture your data and may include oxygen saturation, respiration rate, perfusion index, pulse rate, Pleth Variability Index, temperature, and current/past trends regarding these metrics).

We collect the following types of personal information about healthcare professionals who use SafetyNet, which we have grouped together as follows:

  • Professional Information: We collect personal data to allow you to access the Masimo SafetyNet clinical portal as a healthcare professional. This includes your name and contact details, and information about the healthcare provider you work for.
  • Device Information: This is information collected from any devices you connect with SafetyNet, specifically IP address.
  • Technical Device Data: raw data from the sensors, wave form and high fidelity sensor data, technical diagnostic data including hardware diagnostics, raw measurement data of de-identified or anonymized health data.
  • Usage Information: This is information about how you use SafetyNet when you are logged into SafetyNet.

You are under no obligation to provide us with the data we ask you for. However, if you do not provide your personal data, you will not be able to use SafetyNet.

If you are a patient, please obtain the consent of your contacts before inputting their personal data into SafetyNet.

We refer to the above groups of personal information by their respective sub-heading (e.g., Registration Information) throughout this Privacy Notice.

 

3. From what sources do we collect personal data?

If you are a patient, we collect Registration Information, Device Information, Usage Information and Third-Party Contact Information directly from you. We also collect Health Information from (i) medical devices that you connect with SafetyNet, (ii) other applications such as Apple Health and Google Fit that you connect with SafetyNet, and (iii) hospitals and other healthcare providers if you have given them your consent to transfer your personal data to us.

If you are a healthcare professional, we collect Professional Information, Device Information and Usage Information directly from you. We may also collect or verify Professional Information from or with the hospital or other healthcare provider that supervises you.

 

4. For what purposes do we use personal data?

We use all of the categories of personal data we collect as necessary to:

  • Provide you with SafetyNet and manage your relationship with us;
  • Respond to or fulfill your requests;
  • Ensure the security of our services;
  • Analyze the performance of, and troubleshoot issues with, our product and services;
  • Analyze raw technical and hardware device data for research, development, algorithms and statistical purposes in order to improve user experience, services, usability and effectiveness, and to develop new features for both the SafetyNet product and new products;
  • Exercise our legal rights, including to defend against claims and advance our legal interests, protect against fraudulent, harmful and illegal activity; and
  • Comply with applicable laws such as data protection and consumer laws.

In addition, if we take steps to enter into a reorganization, restructuring, merger, acquisition or transfer of assets (“Business Transfer”), we may also use your personal information to give effect to that Business Transfer.

 

5. To whom do we disclose, share or transfer personal data?

Personal data of patients who use SafetyNet may be disclosed, shared or transferred to:

(i) healthcare professionals whom your healthcare provider has authorized with your consent to access and download your personal data for the purposes of managing your care and conditions. Once authorized by you, these healthcare professionals and healthcare providers will have the option to locally download and access your personal data without the use of SafetyNet; and

(ii) third parties selected by you with whom you wish to share your personal data. If you designate a contact to receive your personal data, we may disclose your personal data to that contact until you remove them as a contact in the mobile application or deactivate your SafetyNet account.

Personal data of healthcare professionals who use SafetyNet may be disclosed to the hospital or other healthcare provider that supervises you for the purposes of administering your healthcare provider’s use of SafetyNet.

Whether you are a patient or healthcare professional, your personal data may be disclosed, shared or transferred to employees and affiliated and unaffiliated processors (i.e., service providers) of Masimo that develop, operate and support SafetyNet. Masimo relies on processors in the European Economic Area, Canada, United Arab Emirates, Singapore and United States to process your personal data.

In the event of a Business Transfer, we may transfer personal information to the acquiring or surviving entity in accordance with applicable law.

 

6. How long do we store personal data?

In general, we store personal data only as long as necessary to fulfil the purpose for which we collected it (the “General Retention Period”), except in the following situations: (1) where applicable laws require us to retain your personal data for a legally prescribed period beyond the General Retention Period. In these cases, we will keep that personal data for the legally prescribed time period before deleting it; (2) where your personal data is relevant to potential legal claim(s) by or against us. In these cases, we will keep that personal data for as long as the legal claim(s) can be made or, if it has been made, for as long as the personal data is relevant to the resolution of the claim(s) or any appeal thereto; (3) if we are instructed by a court order, subpoena, or other legal directive to retain your personal data; and (4) we will retain your personal data for a reasonable period of time necessary for us to verify the purposes for which we collected your data no longer apply and to delete the data following such verification.  If any of these exceptions apply to certain personal data, we will retain personal data for as long as the exception applies. For additional information about how long we retain your personal data specifically, please email privacy@masimo.com.

 

7. How do we protect personal data?

We have taken steps intended to protect the personal data we collect from loss, misuse, and unauthorized processing, including entering into data protection agreements with our service providers and encrypting personal data in transit and at rest. Please note, however, that while we have endeavored to create a secure and reliable online experience for users, the confidentiality or accuracy of any communication or material transmitted to or from us over the Internet cannot be guaranteed. It is your responsibility to safeguard the username and password that you use to access SafetyNet, and to notify us immediately at the contact information below if you ever suspect that your username or password has been compromised.

 

8. Children

We only collect personal data about children with the consent of their parent or legal guardian. You must be at least 18 years of age to use SafetyNet. Children may only use Masimo’s hardware products on the instructions, under the supervision, and with the consent, of their healthcare providers and parent or legal guardian.

 

9. Your Rights

You may have rights under applicable privacy laws, which may include to access, review, modify or delete the personal data we hold about you, and to access a copy of any privacy-related consent you have given to us.

To submit a request to exercise any rights you may have under applicable privacy laws, please contact us using the contact details under “Contact Us” below and clearly describe your request. If you have rights under applicable privacy laws and your request complies with the requirements under such laws, we will give effect to your rights and respond within any mandatory timeframes as required by law.

 

10. Effect of this Privacy Notice; Changes

This Privacy Notice applies in conjunction with any other notices, contractual clauses and consent clauses that apply in relation to the collection, use and disclosure of your personal data by us. We may revise this Privacy Notice from time to time by making the revised document available through SafetyNet and updating the “last updated” date above. We will also obtain consent from you where required by applicable law before processing your personal information for any purpose incompatible with the purposes set forth in prior versions of this Privacy Notice.

 

11. Contact Us

If you have any privacy-related inquiries or concerns, please contact our privacy department at privacy@masimo.com.

 

Part II

Jurisdiction-Specific Disclosures - For users in the European Economic Area, the United Kingdom and Switzerland

Table of Contents

1. What laws apply?

2. Who is the data controller?

3. What legal bases of processing does Masimo rely on?

4. Where is your personal data processed and on what basis do we transfer personal data across borders?

5. Your Rights.

1. What laws apply?

  • If you are located in the EEA, the EU General Data Protection Regulation applies to the processing of your personal data.
  • If you are located in the UK, the UK General Data Protection Regulation applies to the processing of your personal data.
  • References to the “GDPR” are references to the General Data Protection Regulation as it applies in the country where you are located.
  • If you are located in Switzerland, the provisions of the Swiss Federal Data Protection Act (the “FDPA”) apply to you. References to the GDPR below shall be interpreted analogously for the purposes of applying the FDPA.
  • If we use a term that the GDPR defines in this section for users in the EEA, UK and Switzerland, the term has the same meaning as under the GDPR. 

 

2. Who is the data controller?

Masimo Österreich GmbH, Mariahilfer Straße 136, 1150 Wien, Austria. You can contact its data protection officer at privacy@masimo.com. Its UK GDPR representative is Masimo Europe Limited, Matrix House, Basing View, Basingstoke - Hampshire RG21 4DZ.

 

3. What legal bases of processing does Masimo rely on?

For patients’ Health Information, the legal basis of processing is your express consent per Article 9(2)(a) GDPR. Health data is considered a special category of personal data. You have the right to withdraw your consent at any time. Such withdrawal does not affect the lawfulness of processing based on your consent before your withdrawal. However, after such withdrawal, we will no longer be able to provide SafetyNet. In extenuating circumstances, such as where the processing is necessary to protect the data subject’s vital interests or to establish, exercise and defend legal claims, the legal basis of processing special categories of personal data may be another legal basis set forth under Article 9(2) GDPR.

The legal bases for processing of personal data which is not Health Information are:

  • Necessary for us to perform a contract with you or take steps at your request prior to entering into a contract per Article 6(1)(b) GDPR (“Contract Performance Legal Basis”);
  • Necessary for us to comply with an applicable legal obligation per Article 6(1)(c) GDPR (“Legal Obligations Legal Basis”);
  • Necessary for us to realize a legitimate interest based on an assessment of that interest and your privacy and other fundamental interests per Article 6(1)(f) GDPR (“Legitimate Interest Legal Basis”); or
  • According to your consent per Article 6(1)(a) GDPR (“Consent Legal Basis”). In these cases, you can withdraw your consent at any time with future effect.

More information is provided below. For additional details regarding the lawful bases of processing your personal data specifically, please contact privacy@masimo.com.

Purposes of use, disclosure, sharing or transfer

Legal Basis and Legitimate Interest

To provide you with SafetyNet and manage your relationship with us.

  • Consent Legal Basis.
  • If we are legally obligated to perform the processing (such as to respond to your requests to exercise your rights under consumer or data protection laws), Legal Obligations Legal Basis.
  • If we are contractually obligated to perform the processing based on the contract between you and us, Contract Performance Legal Basis.
  • In all other cases, Legitimate Interest Legal Basis—namely, to provide you and our other users with a good experience, administer and enforce our contractual and legal rights, and manage our business operations and relationships with third parties.

To respond to or fulfill your requests.

  • Consent Legal Basis.
  • Legitimate Interest Legal Basis—namely, to address your comments, requests or other communications in an appropriate manner that also reflects positively on us.

To ensure the security of our services, and analyze the performance of, and troubleshoot issues with, our product and services.

  • Consent Legal Basis.
  • If we are legally obligated to perform the processing (such as to secure our services in accordance with the GDPR), Legal Obligations Legal Basis.
  • If we are contractually obligated to perform the processing based on the contract between you and us, Contract Performance Legal Basis.
  • In all other cases, Legitimate Interest Legal Basis—namely, to provide you and our other users with a good experience, new features and services, administer and enforce our contractual and legal rights, and manage our business operations and relationships with third parties.

Research and development including analysis of raw technical and hardware device data for research, development, algorithms and statistical purposes in order to improve user experience, services, usability and effectiveness, and to develop new features for both the SafetyNet product and new products.

  • Consent Legal Basis.
  • Legitimate Interest Legal Basis – in order to improve our SafetyNet product and related services, including for the development and implementation of new product features and to develop new products, and to improve overall user experience, usability and effectiveness.

To exercise our legal rights, defend and advance our legal interests, protect against fraudulent, harmful and illegal activity.

  • Consent Legal Basis.
  • If we are legally obligated to perform the processing (such as to disclose personal information to a law enforcement authority with authorization under criminal law), Legal Obligations Legal Basis.
  • If we are contractually obligated to perform the processing based on the terms that apply to the applicable Masimo Service, Contract Performance Legal Basis.
  • In all other cases, Legitimate Interest Legal Basis—namely, to exercise our legal rights, defend and advance our legal interests, and protect against fraudulent, harmful and illegal activity.

To comply with applicable laws such as data protection and consumer laws.

  • Legal Obligations Legal Basis.

To give effect to a Business Transfer.

  • Consent Legal Basis.
  • Legitimate Interest Legal Basis—namely, to engage in a Business Transfer that our management team considers to be advantageous to our business interests.
  • But we will seek your consent if we wish to use your personal data for any new purpose incompatible with those set forth in this Privacy Notice, and if you provide such consent, the Consent Legal Basis applies.

 

4. Where is your personal data processed and on what basis do we transfer personal data across borders?

With patients’ explicit consent, we disclose, share or transfer your personal data to the individuals and healthcare providers you have chosen in SafetyNet and who may be within or outside the European Economic Area, Switzerland or the UK.

Moreover, Masimo operates SafetyNet with the assistance of affiliated and unaffiliated service providers in the European Economic Area (Frankfurt, Paris and Dublin) and outside the European Economic Area from time to time, if it is necessary for example for troubleshooting, research and development of improvements, new features, products and services, in the United States or Switzerland. In France, we use an HDS-certified (Health Data Host) hosting service.

We only transfer your personal data to countries where the European Commission, Switzerland or the UK (as applicable) has decided that they have an adequate level of data protection or we take measures to ensure that all recipients provide an adequate level of data protection. We do this for example by entering into appropriate data transfer agreements based on Standard Contractual Clauses and performing data protection assessments of data transfer arrangements as appropriate. Data transfer agreements are accessible upon request by contacting us at the details shown further above.

 

5. Your Rights.

Please see the subsection entitled “Your Rights” under the section entitled “IF YOU ARE IN THE EUROPEAN ECONOMIC AREA (EEA), THE UNITED KINGDOM (UK) AND SWITZERLAND” in our Masimo Services General Privacy Notice here.

 

Part III

Jurisdiction-Specific Disclosures - For users in Turkey

Table of Contents

1. What laws apply?

2. Who is the data controller?

3. What legal bases of processing does Masimo rely on?

4. Where is your personal data processed and on what basis do we transfer personal data across borders?

5. Your Rights.

1. What laws apply?

Turkey’s Law No. 6698 on Protection of Personal Data (the “KVKK”). If we use a term that the KVKK defines in this section for users in Turkey, the term has the same meaning as under the KVKK. 

 

 

2. Who is the data controller?

Masimo Österreich GmbH, Mariahilfer Straße 136, 1150 Wien, Austria. You can contact its data protection officer at privacy@masimo.com.

 

3. What legal bases of processing does Masimo rely on?

For patients’ Health Information, the legal basis of processing is your express consent per Article 6 of the KVKK. Health data is considered a special category of personal data. You have the right to withdraw your consent at any time. Such withdrawal does not affect the lawfulness of processing based on your consent before your withdrawal. However, after such withdrawal, we will no longer be able to provide SafetyNet. In extenuating circumstances, such as where the processing is necessary to protect the data subject’s vital interests or to establish, exercise and defend legal claims, the legal basis of processing special categories of personal data may be another legal basis set forth under Article 6(3) KVKK.

The legal bases for processing of personal data which is not Health Information are:

  • Necessary for us to perform a contract with you or take steps at your request prior to entering into a contract per Article 5(2)(c) KVKK (“Contract Performance Legal Basis”);
  • Necessary for us to comply with an applicable legal obligation per Article 5(2)(ç) KVKK (“Legal Obligations Legal Basis”);
  • Necessary for us to realize a legitimate interest based on an assessment of that interest and your privacy and other fundamental interests per Article 5(2)(f) KVKK (“Legitimate Interest Legal Basis”); or
  • According to your consent (“Consent Legal Basis”). In these cases, you can withdraw your consent at any time with future effect.

More information is provided below. For additional details regarding the lawful basis of processing your personal data specifically, please contact privacy@masimo.com.

Purposes of use, disclosure, sharing or transfer

Legal Basis and Legitimate Interest

To provide you with SafetyNet and manage your relationship with us.

  • Consent Legal Basis.
  • If we are legally obligated to perform the processing (such as to respond to your requests to exercise your rights under consumer or data protection laws), Legal Obligations Legal Basis.
  • If we are contractually obligated to perform the processing based on the contract between you and us, Contract Performance Legal Basis.
  • In all other cases, Legitimate Interest Legal Basis—namely, to provide you and our other users with a good experience, administer and enforce our contractual and legal rights, and manage our business operations and relationships with third parties.

To respond to or fulfill your requests.

  • Consent Legal Basis.
  • Legitimate Interest Legal Basis—namely, to address your comments, requests or other communications in an appropriate manner that also reflects positively on us.

To ensure the security of our services, and analyze the performance of, and troubleshoot issues with, our product and services.

  • Consent Legal Basis.
  • If we are legally obligated to perform the processing (such as to secure our services in accordance with the GDPR), Legal Obligations Legal Basis.
  • If we are contractually obligated to perform the processing based on the contract between you and us, Contract Performance Legal Basis.
  • In all other cases, Legitimate Interest Legal Basis—namely, to provide you and our other users with a good experience, new features and services, administer and enforce our contractual and legal rights, and manage our business operations and relationships with third parties.

Research and development including analysis of raw technical and hardware device data for research, development, algorithms and statistical purposes in order to improve user experience, services, usability and effectiveness, and to develop new features for both the SafetyNet product and new products.

  • Consent Legal Basis.
  • Legitimate Interest Legal Basis – in order to improve our SafetyNet product and related services, including for the development and implementation of new product features and to develop new products, and to improve overall user experience, usability and effectiveness.

To exercise our legal rights, defend and advance our legal interests, protect against fraudulent, harmful and illegal activity.

  • Consent Legal Basis.
  • If we are legally obligated to perform the processing (such as to disclose personal information to a law enforcement authority with authorization under criminal law), Legal Obligations Legal Basis.
  • If we are contractually obligated to perform the processing based on the terms that apply to the applicable Masimo Service, Contract Performance Legal Basis.
  • In all other cases, Legitimate Interest Legal Basis—namely, to exercise our legal rights, defend and advance our legal interests, and protect against fraudulent, harmful and illegal activity.

To comply with applicable laws such as data protection and consumer laws.

  • Legal Obligations Legal Basis.

To give effect to a Business Transfer.

  • Consent Legal Basis.
  • Legitimate Interest Legal Basis—namely, to engage in a Business Transfer that our management team considers to be advantageous to our business interests.
  • But we will seek your consent if we wish to use your personal data for any new purpose incompatible with those set forth in this Privacy Notice, and if you provide such consent, the Consent Legal Basis applies.

 

4. Where is your personal data processed and on what basis do we transfer personal data across borders?

With patients’ explicit consent, we transfer your personal data to the individuals and healthcare providers you have chosen in SafetyNet and who may be within or outside Turkey. Moreover, Masimo operates SafetyNet with the assistance of affiliated and unaffiliated service providers in the European Economic Area (Frankfurt, Paris and Dublin) and outside the European Economic Area from time to time, if it is necessary for example for troubleshooting, research and development of improvements, new features, products and services, in the United States or Switzerland. We take measures to ensure that service providers provide an adequate level of data protection by entering into appropriate data transfer agreements.

 

5. Your Rights.

Please see the subsection entitled “Your Rights” under the section entitled “IF YOU ARE IN TURKEY” in our Masimo Services General Privacy Notice here.

 

PLCO-005649/PLMM-12193A-0122