Privacy

Masimo SafetyNet™ Privacy Notice

 

Effective Data: April 30, 2023

Table of Contents

1.      Introduction

2.      What types of personal data do we collect?

3.      From what sources do we collect personal data?

4.      What legal bases for processing does Masimo rely on?

5.      For what purposes do we use personal data?

6.      To whom do we disclose personal data?

7.      How long do we retain personal data?

8.      How do we protect personal data?

9.      Children

10.    Your Rights

11.    Transfers

12.    Effect of this Privacy Notice; Changes

13.    Contact Us

14.    ADDITIONAL INFORMATION FOR CERTAIN JURISDICTIONS

 

1. Introduction

Masimo Corp. and its affiliates and subsidiaries (“Masimo,” “we,” “us,” “our”), provide this Masimo SafetyNet™ Privacy Notice (“Privacy Notice”) to explain how we collect, use, disclose and otherwise process the personal data of our healthcare provider and patient end-users (“you”)  who use the Masimo SafetyNet™ mobile application or the Masimo SafetyNet clinical portal (collectively, “SafetyNet”) designed to help healthcare providers to remotely manage patient’s care and conditions, and any of the data processing or storage features associated with these services (collectively, “Services”).

Only patients who have been authorized by their healthcare provider to use SafetyNet may do so, and only healthcare providers who have signed up with us to use SafetyNet may authorize individual healthcare professionals they supervise to use the services. This Privacy Notice also provides information about rights you may have related to your personal data under applicable privacy laws.

If you are located in the European Economic Area (EEA), United Kingdom, Switzerland or Turkey, “Masimo” refers to Masimo Österreich GmbH, Mariahilfer Straße 136, 1150 Wien, Austria.

If you reside in California, please also see our California Consumer Privacy Act Privacy Policy for additional information about the categories of personal data we collect and your rights under California law.

 

2. What types of personal data do we collect?

From Patients:  We collect the following types of personal data about patients who use SafetyNet, which we have grouped together as follows:

  • Registration Information: We ask you to provide information to register for and activate SafetyNet. This includes your name, phone number, email address, age, date of birth and gender.
  • Health Information: This is information about your physical activity and health (the categories of data collected will depend on the type of device used to capture your data and may include oxygen saturation, respiration rate, perfusion index, pulse rate, Pleth Variability Index, temperature, and current/past trends regarding these metrics) as well as any information you share with your healthcare provider and information your healthcare provider may share with you about your health.
  • Third-Party Contact Information:  First and last name, contact information (e.g., telephone numbers and email addresses), and the type of relationship, of third parties with whom you choose to share your health information (e.g., healthcare professionals, friends, family, or any other third party you have designated to receive your health data to help care for you).  You are responsible for obtaining your contacts’ consent before inputting their information into SafetyNet.  Please remember to share your personal data with only those persons who you trust and with whom you have clearly communicated your expectations regarding the confidentiality of your information.
  • Device Information: Information from third-party devices, such as your mobile device or computer that you use to connect with SafetyNet. The information can include your IP address, login credentials, device ID, other device information, and the type of Masimo device you connect to SafetyNet capture your health data.
  • Usage Information: Information about how you use and interact with SafetyNet when you are logged into SafetyNet (e.g., features used, usage statistics, time spent within SafetyNet, app permissions, Bluetooth use).
  • Technical Device Data: raw data from the sensors, wave form and high-fidelity sensor data, technical diagnostic data including hardware diagnostics, raw measurement data of de-identified or anonymized health data.
  • Geolocation Data:  Location data from your own device to determine in which country you are accessing SafetyNet.  There may be times the healthcare provider through the Care Program in the Clinician Portal may request the location data. However, you will be given the opportunity to refuse to provide this information.

Health Care Professionals: We collect the following types of personal data about healthcare professionals (such as employees of our customers) who use SafetyNet, which we have grouped together as follows:

  • Professional Information: We collect personal data to allow you access to SafetyNet clinical portal which is accessible only to healthcare providers. This includes your name, title, work contact details, and information about the healthcare provider you work for.
  • Device Information: Information collected from any devices you use to access the Clinician Portal, including IP address and device identifiers.
  • Usage Information: Information about how you use and interact with the Clinician Portal.

Whether you are a patient or a healthcare provider, you are under no obligation to provide any of the requested personal data. However, if you do not provide the data, you will not be able to use SafetyNet.

For ease of reference, we refer to the above groups of personal data by their respective sub-heading (e.g., Registration Information) throughout this Privacy Notice.

 

3. From what sources do we collect personal data?

From Patients:  If you are a patient end-user, we collect Registration Information, Device Information, Usage Information and Third-Party Contact Information directly from you. We may also collect Health Information from (i) Masimo medical devices that you connect with SafetyNet, and (ii) hospitals and other healthcare providers if you have given them your consent to transfer your personal data to us. If you do not complete your registration, then we would not be able to collect any personal information from you.

From Health Care Professionals: If you are a healthcare professional, we collect Professional Information, Device Information and Usage Information directly from you.

 

4. What legal bases for processing does Masimo rely on?

SafetyNet is available and used globally.  Most data protection laws require that we inform you of the legal bases for processing your personal data, including the data protection laws applicable in Europe such as the General Data Protection Regulation (“GDPR”), UK data protection laws and Swiss data protection laws, as well as others. Pursuant to such applicable data protection laws, we process your personal data generally on the legal bases set forth below:

Preventative or Occupational Medicine and Consent to Process Health Information:  For patient users, the primary legal basis of processing your Health Information is preventative or occupational medicine, i.e., to assist in your healthcare provider’s prevention, diagnosis, and care of your health.  In addition, we also collect your consent before you register to use SafetyNet; you must review this Privacy Notice and consent to, among other things, the Terms of Use and to this Privacy Notice. 

The legal bases for processing of personal data which is not Health Information are:

  • Contract Performance:  Necessary for us to perform a contract with you or take steps at your request prior to entering into a contract;
  • Legal Obligations:  Necessary for us to comply with an applicable legal obligation;
  • Legitimate Interest:  Necessary for us to realize a legitimate interest based on an assessment of that interest and your privacy and other fundamental interests;
  • Defend Our Rights:  Necessary for us to establish, exercise or defend against legal claims; and
  • Consent: In these cases, you can withdraw your consent at any time with future effect.

 

5. For what purposes do we use personal data?

The primary reason why we collect, use, and otherwise process the categories of personal data listed above is to:

  • Services:  Operate SafetyNet and provide you with related services, manage your relationship with the HCP, communicate with you about SafetyNet services, and for similar support purposes. (Legal Bases: preventative and occupational medicine, contract performance; legitimate interest; and in some cases, consent to general terms of use and this Privacy Notice)
  • Support:  Respond to or fulfill your requests, communicate with you about your use of the Services, provide troubleshooting and technical support regarding our product and services.  (Legal Bases: legitimate interest; contract performance; and in some cases, consent to terms of use and this Privacy Notice)
  • Analytics and improvement:  For research and analytical purposes, as input for algorithm development, and for statistical purposes.  This is in order to evaluate and improve user experience, services, business operations, usability and effectiveness, to better understand how users access and use SafetyNet, and our other products and offerings, and for and to develop new services and features for both the SafetyNet product and new products, and for internal quality control and training purposes.  All personal data processed for these purposes is anonymized or aggregated.  
  • Customization and personalization: To tailor content we may send or display on the services, including to offer location customization and personalized help and instructions, and to otherwise personalize your experiences. (Legal Bases: contract performance; legal obligation; legitimate interest; consent to terms of use and this Privacy Notice)
  • Security:  To protect the services and our business operations, ensure the security of our services, to prevent and detect fraud, unauthorized activities and access, and other misuse. (Legal Bases: contract performance; legitimate interest; legal obligations; defend our rights)
  • Protection of rights. To protect the services and our business operations, exercise our legal rights, including to defend against claims and advance our legal interests, where we believe necessary to investigate, prevent, protect against or take action regarding actual or suspected fraudulent, harmful and illegal activity, situations involving potential threats to the safety or legal rights of any person or third party, or violations of our Terms of Use.  (Legal Bases: contract performance;  legitimate interest; legal obligations; defend our rights)  
  • Compliance and legal process. To comply with applicable laws, to respond to legal process and related to legal proceedings. (Legal Basis: legal obligations)
  • General business and operational support. To administer our general business, auditing, compliance, recordkeeping, and legal functions. In addition, if we consider or take steps to enter into a reorganization, restructuring, merger, acquisition or transfer of assets, and other business transaction (“Business Transfer”), we may also use your personal data to consider or give effect to that Business Transfer.  (Legal Bases: legitimate interest; legal obligations; defend our rights)

 

6. To whom do we disclose personal data?

We may disclose the personal data that we collect for the purposes described above, to provide our Services to you, as otherwise directed or consented to by you, and as follows:

  • To healthcare professionals who you and your healthcare provider have authorized to access and download your personal data for the purposes of managing your health care and conditions. To the extent authorized by you, these healthcare professionals and healthcare providers will have the option to locally download and access your personal data without the use of SafetyNet; and
  • To third parties selected by you with whom you wish to share your personal data. If you designate a contact to receive your personal data, we may disclose your personal data to your designated contact(s) until you remove them as a contact in the mobile application or delete your SafetyNet account.
  • If you are a healthcare professional who use SafetyNet, your professional information may be disclosed to the hospital or other healthcare providers that supervise the patient user for the purposes of administering his or her health through SafetyNet.

Whether you are a patient or healthcare professional, your personal data may be disclosed to:

  • our affiliates or subsidiaries, Masimo employees and affiliated processors of Masimo that develop, operate and support SafetyNet and perform functions on Masimo’s behalf. These may include, for example, IT service providers, customer service or technical support, and help desk;
  • We may make certain information that includes personal information available to third party service providers such as, payment processors, cloud providers, analytics providers, consultants, advertising and marketing agent, auditors and legal counsel in support of our marketing, analytics, advertising and campaign management;
  • We may also disclose personal data to third parties to comply with our legal and compliance obligations and to respond to legal process. For example, we may disclose information in response to subpoenas, court orders, and other lawful requests by regulators and law enforcement, including responding to national security or law enforcement disclosure requirements.  This may include regulators, government entities, and law enforcement as required by law or legal process.  In addition, it may include certain disclosures that we are required to make under applicable laws; and
  • We may disclose personal data where we believe doing so is necessary to protect our services, rights and property, or the rights, property and safety of others.  For example, we may disclose personal data in order to (i) prevent, detect, investigate and respond to fraud, unauthorized activities and access, illegal activities, and misuse of the services, (ii) situations involving potential threats to the health, safety or legal rights of any person or third party, or (iii) enforce, and detect, investigate and take action in response to violations of, our Terms of Use . We may also disclose information, including personal data, related to litigation and other legal claims or proceedings in which we are involved, as well as for our internal accounting, auditing, compliance, recordkeeping, and legal functions.

In the event of a Business Transfer, whether as part of a bankruptcy or insolvency proceeding or otherwise, we or our affiliates may transfer the personal data we have collected from or about you to the acquiring or surviving entity in accordance with applicable law, and we may also share certain personal data as necessary prior to the completion of such a transfer, such as to lenders, auditors, and third-party advisors, including attorneys and consultants, as part of due diligence or as necessary to plan for the transfer.

 

7. How long do we retain personal data?

In general, we store your personal data for as long as is necessary to provide you with the functionality of SafetyNet and the services that you requested, or as required by applicable law.  Otherwise, if you are no longer using SafetyNet or have been inactive (e.g., not logged into SafetyNet App) for 12 consecutive months we will permanently delete your account and the personal data we hold about you.  Any previously anonymized or aggregated data that is not identifiable to you may be retained.  We will also contact your healthcare professional to notify them that you have been inactive for 12 consecutive months and that your personal data held by Masimo in SafetyNet will be deleted within 2 weeks, and ask that the healthcare provider take immediate action to delete the personal data they have about you unless the healthcare professional is required by law to retain your personal data, or you have instructed the healthcare professional to retain your personal data. 

You can also delete your personal data at any time by using the “Delete Account” function on the SafetyNet App.  When you use this function, all of your personal data that we hold will be permanently deleted immediately. It is your responsibility to delete any locally saved personal data and to ask those with whom you have shared your personal data to delete any personal data that they may have saved locally.

Please note, we may be legally required to retain some personal data about you.  Therefore, if we are legally obligated to retain any of your personal data we will retain those until we are no longer legally required to keep them in compliance with applicable law (e.g., for tax purposes, legal compliance, health records retention requirements, etc.). 

 

8. How do we protect personal data?

We have taken steps intended to protect the personal data we collect from loss, misuse, and unauthorized processing, including entering into data protection agreements with our service providers/processors and encrypting personal data in transit and at rest. In addition, SafetyNet is both HITRUST and ISO 27001 security certified, and HDS certified in France.  You can obtain copies of the security certification or if you are in France, you can obtain a copy of the CE mark or the HDS certification by contacting us per the information stated in Section 13 “Contact Us” below.

Please note, however, that while we have endeavored to create a secure and reliable experience for users, the confidentiality or accuracy of any communication or material transmitted to or from us over the Internet cannot be guaranteed. It is your responsibility to safeguard the username and password that you use to access SafetyNet, and to notify us immediately at the contact information provided in Section 13 “Contact Us”  below if you ever suspect that your username or password has been compromised.

 

9. Children

Our Services are not specifically designed for children. We only collect personal data about children with the consent of their parent or legal guardian. You must be at least 18 years of age to use SafetyNet. Children under the age of 18 may only use Masimo’s hardware products on instructions, under the supervision, and with the consent, of their healthcare providers and parent or legal guardian.

 

10. Your Rights

You may have rights under applicable privacy laws, which may include access to, review of, modify or delete the personal data we hold about you. Residents of certain jurisdictions may also have additional rights, which are set forth in Section 14 “Additional Information for Certain Jurisdictions.” If you are a California resident, please review our California Consumer Privacy Act Privacy Policy for specific information about your California privacy rights and how to exercise them.

 

11. Transfers

There may be times where Masimo and its service providers may transfer your personal information to, or access it in, jurisdictions (including the United States and other jurisdictions where we, our affiliates, subsidiaries, and service providers have operations) that do not have equivalent levels of data protection as your home jurisdiction. We will take steps to ensure that your personal data receives the required adequate level of protection in the jurisdictions in which we process it, including through appropriate written data processing terms, data transfer agreements and/or other legally acceptable mechanisms including your consent to the transfer, in accordance with applicable local laws.

If you are in the European Economic Area (“EEA”), the United Kingdom (“UK”), or Switzerland and we process your personal information in a jurisdiction that the European Commission has deemed to not provide an adequate level of data protection (a “third country”), we will implement measures to adequately protect your personal information, such as by putting in place standard contractual clauses as approved by the European Commission (the form for the standard contractual clauses can be found at https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en

To obtain additional details of the mechanism under which your personal information is transferred, you may request such details by contacting us at the contact details listed in Section 13. “Contact Us” below.

 

12. Effect of this Privacy Notice; Changes

This Privacy Notice is current as of the Last Effective date set forth above and applies in conjunction with any other notices, contractual clauses and consent clauses that apply in relation to the collection, use and disclosure of your personal data by us. We may revise this Privacy Notice from time to time and will make the revised document available here and through the SafetyNet application and update the “Last Effective” date above.  If we make material changes to how we collect, use and disclose the personal data we have previously collected about you, we will endeavor to provide you with prior notice, such as by emailing you or posting prominent notice on our website or within the SafetyNet application. Where required by applicable law, we will also obtain your consent before processing your personal data for any purpose incompatible with the purposes for which it was collected as disclosed to you at the time of collection.

 

13. Contact Us

If you have any questions about this Privacy Notice, please contact our privacy department at privacy@masimo.com.  To exercise any rights you may have under this Privacy Notice, please submit a request using our online form available here.

 

14. ADDITIONAL INFORMATION FOR CERTAIN JURISDICTIONS

A. IF YOU RESIDE IN CALIFORNIA

If you are a California resident, please see our California Consumer Privacy Act Privacy Policy.

B. IF YOU ARE IN THE EUROPEAN ECONOMIC AREA (EEA), THE UNITED KINGDOM (UK), SWITZERLAND AND TURKEY

Data controller. For purposes of this Privacy Notice, Masimo Österreich GmbH, Mariahilfer Straße 136, 1150 Wien, Austria is the controller of your personal data.

DPO Information.

In addition to emailing us or using our webform as described under Section 13 “Contact Us”, individuals in the EEA, UK, and Switzerland can also contact our data protection officer Dr. Sebastian Kraska at skraska@iitr.de.   Masimo’s UK representative is Masimo Europe Limited, Matrix House, Basing View, Basingstoke - Hampshire RG21 4DZ.

Additional Rights.

In the EEA, UK, Switzerland, and Turkey you have the following additional rights, subject to the conditions and limitations under the GDPR or other applicable local data privacy and protection laws:

  • To receive confirmation as to whether your personal data is being processed, and if so, to request access to details about how we process your personal information and copies of the personal information.
  • To rectify any inaccurate or incomplete personal information concerning you.
  • To ask us to erase your personal information to the extent no exception applies.
  • To request restriction of processing of your personal information.
  • To object, on grounds relating to your particular situation, to the processing of your personal information by us where our processing is based on our legitimate interests (other than marketing purposes).
  • To object to marketing and ask us to stop processing your personal information to the extent we do so based on our legitimate interests for marketing purposes. If you do so, we will stop such processing for our marketing purposes.
  • To receive your personal information which you have provided to us in a structured, commonly used and machine-readable format and you have the right to transmit the personal information to another entity.
  • To request to not be subject to a decision when it is based on automatic processing if it produces a legal effect or similarly significantly affects you unless it is necessary for entering into or performing a contract between us.
  • To withdraw your consent, in the event your personal information is processed based on your consent. Please note that your withdrawal will not affect the lawfulness of processing based on consent prior to your withdrawal.
  • To lodge a complaint with a supervisory authority, where available.
  • In certain jurisdictions such as France and Portugal, you also have the right to provide Masimo with guidelines as to the processing of your personal information after your death.

Individuals in Turkey, also have the following additional rights, subject to the conditions under applicable data protection law:

  • To request notifying third persons to whom the personal information is transferred, about deletion and correction.
  • To request indemnification if you suffered damage because of illegal processing of your personal information.

You may view a list of supervisory authorities in the EEA, UK and Switzerland and their respective contact information here:

 

You can exercise your rights by submitting a webform available here .  Alternatively, you can also contact the Data Protection Officer Dr. Sebastian Kraska by email at skraska@iitr.de or Masimo’s Data Privacy Office by email at privacy@masimo.com.  You can also contact us by mail at Masimo Österreich GmbH, Attn: Data Privacy Office, Mariahilfer Straße 136, 1150 Vienna, Austria.

C.   IF YOU ARE IN SINGAPORE

If you reside in Singapore, the Personal Data Protection Act of Singapore (the “PDPA”) applies. If we use a term that the PDPA defines in this section for users in Singapore, the term has the same meaning as under the PDPA. 

Your Rights

In Singapore, you have the following additional rights, subject to the conditions and limitations set forth under the PDPA:

(1)  To withdraw consent and request that we stop collecting, using and/or disclosing your personal data for any or all the purposes listed in this or any other Privacy Notice we provide to you. The consent that you provide for the collection, use and disclosure of your personal data will remain valid until such time that it is withdrawn by you in writing.

  • Upon receipt of your written request to withdraw your consent, we may require a reasonable amount of time (depending on the complexity of the request and its impact on our relationship with you) to process your request and for us to notify you of the consequences of us acceding to the same, including any legal consequences which may affect your rights and liabilities to us. In general, we shall seek to process your request within 30 days of receiving it.
  • We respect your decision to withdraw your consent.  However, please note that depending on the nature and scope of your request, we may not be able to continue providing SafetyNet services to you. and we shall, in such circumstances, notify you before completing the processing of your request. Should you decide to cancel your withdrawal of consent, please inform us in writing.  See Section 13 “Contact Us” above .
  • Please note that withdrawing consent does not affect our right to continue to use and disclose personal data where such collection, use and disclose without consent is permitted or required under applicable laws.

(2)  To request access to a copy of the personal data which we hold about you or information about the ways in which we use or disclose your personal data.

  • Please note that a reasonable fee may be charged for such an access request. If so, we will inform you of the fee before processing your request.
  • We will respond to your request as soon as reasonably possible. Should we not be able to respond to your request within 30 days after receiving your request, we will inform you in writing within 30 days of the time by which we will be able to respond to your request. If we are unable to provide you with any personal data or to make a correction requested by you, we shall generally inform you of the reasons why we are unable to do so (except where we are not required to do so under the PDPA).

(3)  To correct or update any of your personal data which we hold about you.

  • We will respond to your request as soon as reasonably possible. Should we not be able to respond to your request within 30 days after receiving your request, we will inform you in writing within 30 days of the time by which we will be able to respond to your request. If we are unable to provide you with any personal data or to make a correction requested by you, we shall generally inform you of the reasons why we are unable to do so (except where we are not required to do so under the PDPA).
  • We generally rely on personal data provided by you (or your authorized representative). In order to ensure that your personal data is current, complete and accurate, please update us if there are changes to your personal data.

You can exercise your rights by submitting your request in writing or via email to our Data Protection Officer at privacy@masimo.com.

D.  IF YOU ARE IN AUSTRALIA

If you reside in Australia, the Australian Privacy Principles (“APPs”) as stated in the Privacy Act 1988 (the “Australian Privacy Act”) may apply to you.  The following additional information supplements the disclosures provided in this General Privacy Notice above. 

Your Rights

In addition to your rights stated above, in any requests to exercise your rights, please note to include:

1.     in the case of requesting access, specify how you would like access to the personal information (such as receiving a copy by email or post, or if you just want to look at the information); and

2.     where applicable, specify if you have authorized another person (e.g., legal guardian or authorized agent) to access or correct your personal information on your behalf.

Furthermore, you have the right to file a complaint to the Office of the Australian Information Commissioner by contacting 1300 363 992 or by visiting the website www.oaic.gov.au. Further information about the Australian Privacy Act and the APPs is also available from the Office of the Australian Information Commissioner.

E.  IF YOU ARE IN CANADA

If your personal information (as this term is defined under applicable Canadian federal and provincial law) was collected in Canada, it will be handled in accordance with the main body of this General Privacy Notice and applicable Canadian federal and substantially similar provincial privacy legislation. Please note the following additional aspects about how we handle your personal information:

Data Transfers Outside Canada/Quebec

In order to provide you with SafetyNet services, your personal information may be transferred to our affiliates, subsidiaries, or third-party service providers outside of Canada, including to the United States, unless you reside in Quebec, in which case your personal information is stored in our AWS server located in Quebec. While located in those jurisdictions outside Canada/Quebec, your information will be subject to local law, including potential access by local law enforcement, which may be less protective of your personal information than under Canadian or European data protection law.  As stated above, Masimo will ensure your personal information is transferred in accordance with applicable law and protected as described in this General Privacy Notice.  Please see Section 11 “Transfers”  above for additional information.

Consent

We will collect, use, or disclose your personal information when we have your consent, which may be express or implied depending on the circumstances, or as otherwise required or permitted by applicable law. You have the right to withdraw your consent, subject to legal and contractual restrictions. Should you withdraw your consent, we may not be able to provide all available SafetyNet services to you.

Your Rights

For rights including those relating to access, correction, and erasure, please see Section 10 above of the main body of this Privacy Notice. You may contact our Data Privacy Office should you have any questions or concerns about the handling of your personal information by using the methods set forth in Section 13 “Contact Us” above.   We strive to address all such requests in a timely manner.

If you are located in the province of Quebec, we must reply to your request for access or rectification promptly and no later than 30 days after your request is received.  If you are not satisfied with our response or if you wish to file a formal complaint, you may always contact the Office of the Privacy Commissioner of Canada at 1-800-282-1376 (toll-free) or via regular mail: Office of the Privacy Commissioner of Canada, 30 Victoria Street, Gatineau, QC K1A 1H3.  You may also contact the Office of the Privacy Commissioner in the provinces of British Columbia and Alberta or the Commission d’accàs à l’information in the province of Quebec, as applicable.

 

PLCO-006725/PLMM-12193B-0523