Empatica S.r.l.
Privacy Notice
Last updated: [April 2, 2025]
This Privacy Notice (“Notice”) describes how Empatica S.r.l. (collectively, “Empatica,” “we,” “our,” or “us”) collects, uses, discloses, and otherwise processes information relating to identifiable individuals ("personal data") and the rights and choices individuals have regarding such personal data.
Processing of personal data will be carried out in compliance with Regulation (EU) 2016/679 (General Data Protection Regulation, or "GDPR") and domestic data protection laws (collectively, the "Data Protection Laws"). Empatica is the "data controller" for the processing set out in this Notice. This means that we are responsible for such processing, and you can contact us if you have any questions or want to exercise any rights under applicable data protection laws. Information on how to contact Empatica can be found at section 14 below.
This Notice should be read alongside the "Terms and Conditions" for use of the Services (defined below), which are available at https://emp.is/epimonitor-eula-eu-en
Table of Contents
1. Scope
2. Our Collection and Use of Personal Data
3. Sharing Your Personal Data with Others
4. Lawful Basis of Processing
5. Aggregate and De-Identified Information
6. Cookies and Tracking
7. Your Data Subject Rights
8. Retention
9. Processing of Children’s Personal Data
10. International Transfers of Personal Data
11. Security
12. Third-Party Links
13. Changes to this Privacy Notice
14. Contact Us
1. Scope
Except as otherwise described below, this Notice applies to the personal data Empatica collects and processes in relation to the EmbracePlus watch, the associated EpiMonitor mobile phone applications ("App"), and the associated EpiMonitor Account page (“Portal”) (collectively, the “Services”).
Where used in this Notice, "you" and "your" refer primarily to current or prospective users of the Services, and also include: minors and other individuals on whose behalf you are acting; and Caregivers (as defined below) and other individuals whose personal data we may receive in relation to the Services.
2. Our Collection and Use of Personal Data
As further described below, we collect personal data directly from you, from third parties, and automatically through your use of our Services.
How we collect personal data
In most cases, we will collect personal data directly from you or from your use of the Services.
We may also collect personal data other than from you in some circumstances, such as:
- if you are a registered caregiver in relation to the Services ("Caregiver") we will receive your contact information from a user of the Services in accordance with the Terms and Conditions;
- If you post information about us or engage with us on third-party platforms, such as through your social media account, we may collect personal data about you from that third-party platform or account (e.g., your social media username and/or handle). These third-party platforms and services control the information that they collect and share about you. For information about how they may use and disclose your information, including any information you make public, please consult their respective privacy policies.
How we process personal data
The table below summarises the purposes for which we process your personal data, along with the lawful basis we rely on for this processing in compliance with the Data Protection Laws. For more information on the application of lawful basis, please see section 4 below.
| Purpose of Processing | Categories of Personal Data | Lawful basis |
| --- | --- | --- |
| Providing the Services, including operating the EmbracePlus Watch and providing App functionality; sending alerts to Caregivers; providing support regarding your use of our Services; and sending servicing communications. | Personal details including name, date of birth, gender, age, other demographic data and any personal data otherwise submitted to us as part of your registration and use of the Services. Contact information, including name, address, phone number, email address, postal address, practice name. Health-related information, including physiological information, physical condition(s) and diagnoses, biometrical information (bodily functions, vital signs, symptoms, temperature, EDA data), computed biomarkers (e.g., sleep, movement); and medications and other treatments or interventions. Location Information: geolocation information via your device settings. | Performance of a contract with you, your explicit consent (for health-related information and geolocation data), and legitimate interest (sending alerts to Caregivers). |
| Account and relationship management; managing our relationship with you, including communicating with you and managing transactions, account and subscription management; responding to your queries, feedback and fulfilling requests; and tailoring content. | Personal details and Contact Information (as set out above). Transaction Information, relating to purchases and payments in connection with the Services, including a record of your purchases, card number, expiration date, billing address, shipping information and records about your past purchases. Our interactions with you, including communications and information about your use of the Services and preferences. | Performance of a contract with you. |
| Safeguarding: monitoring and assessing the performance and safety of the EmbracePlus Watch and related Services, including diagnostics and remediation, and assessing and responding to adverse event reports. | Health-related information and device information (as set out above). Other personal data contained in adverse event reports. Device information, including IP address, EmbracePlus identifier, the dates and times of access to the App, the phone/device type, as well as the software version, operating system, Bluetooth® and WiFi settings (On/Off). | Compliance with our legal and regulatory obligations as a medical device provider and/or our legitimate interest (for normal personal data). |
| Undertaking research and analytics regarding the Services, including through anonymization of personal data, to evaluate and improve our services and business operations. | Personal details, device information, activities and usage, transaction information. Health-related information. | Our legitimate interest and, regarding health-related information, your prior consent. |
| Marketing, advertising, and public relations, including offering promotions and planning and managing events and undertaking market research and surveys. | Personal details and Contact Information (as set out above). Survey responses: any information you may provide such as demographics, preferences, and your opinion about our products and Services. | Your explicit consent to send direct marketing. |
| Business operations including: accounting, auditing, compliance, recordkeeping, and legal purposes; to prevent and detect fraud and security incidents; to defend and enforce our legal and contractual rights; credit recovery including assignment to authorized companies; and transactions such as the sale or reorganization of our business. | Any of the above categories of personal data where applicable to our business operations. | Our legitimate interests, and where necessary for compliance with laws or to defend or assert legal claims. |
3. Sharing Your Personal Data with Others
Other than where directed by you, we only disclose the personal data that we collect in order to provide our Services, respond to and fulfill your transactions or requests, and as follows:
- Global affiliates, subsidiaries, branches, or associated offices. We may disclose the personal data we collect to our global affiliates, subsidiaries, branches, or associated offices who will use and disclose this personal data in accordance with the principles of this Notice. In particular, we may transfer your personal data to our parent company Empatica Inc., a company incorporated under the Laws of Delaware, with registered office at 1 Broadway, 14th Floor, Cambridge, MA 02142, United States, for the purpose of improving our services, enhancing operational efficiency, ensuring compliance with international laws and standards, and supporting collaborative research and development efforts. For more information regarding the transfer of personal data outside of the European Economic Area, please see section 10.
- Vendors and service providers. We may disclose the personal data that we collect to our service providers and others who perform functions on our behalf or provide us services only for the purposes of providing you with the Services, as data processors or data controllers. These may include, for example, service providers that host or operate the Services, payment processors, analytics providers, information technology service providers, communication service providers, customer service vendors, consultants, auditors, and legal counsels. We only appoint service providers that provide adequate guarantees that they will safeguard your personal data and only process data as permitted by our contracts with them. In particular, we may disclose the personal data mentioned above to the third parties listed below:
https://emp.is/epimonitor-third-parties
In any case, upon your request, we will provide you with an updated list of the vendors and service providers to whom we communicate your personal data.
- General business operations. If we, our affiliates, or our subsidiaries are acquired by, merged with, financed by, or invested in by another company, or if any of our assets are or may be transferred to another company, whether as part of a bankruptcy or insolvency proceeding or otherwise, we may transfer the information we have collected about you to the other company. We may also share certain personal data as necessary prior to the completion of such a transaction or corporate transactions such as financings or restructurings, to lenders, auditors, and other advisors, including attorneys and consultants, as part of due diligence or as necessary to plan for a transaction.
- Others as permitted or required by applicable law. We may disclose personal data to other parties to the extent permitted or required by applicable law. This may include regulators, government entities, and law enforcement. It may also include certain disclosures that we are required to make.
- Security and protection of rights. We may disclose your personal data when we believe it is appropriate to do so to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the safety of any person, violations of our Terms of Use or this Notice, or as evidence in litigation in which we are involved.
- With permission. We may disclose personal data in ways not described above. If we do so, we will notify you, and if necessary, obtain your consent. For example, where you have a designated Caregiver, we may share information with that Caregiver.
- Where the personal data relates to children: we may share a child's personal data with parents, guardians and/or Caregivers as set out in section 9 below.
4. Lawful Basis of Processing
The lawful basis on which we process your personal data for each specific purpose is set out in the table in section 2 above and is supplemented by the additional information in this section.
Processing on the basis of performing the contract with you
Where we indicate that we process your personal data on the basis of performing the contract with you, this means that such processing is necessary for the fulfillment of our contractual obligations to you. In these cases, your consent is not required for us to process your personal data, as the processing is essential to provide you with the services or products you have requested.
Processing on the basis of our legitimate interests
Where we indicate that we process personal data on the basis of our legitimate interests, we have determined and documented that (a) the processing is necessary for a legitimate business purpose and (b) our interest in doing so is not outweighed by a risk to the rights and freedoms of data subjects arising from such processing. You have a qualified right to object to us processing on this basis – please see section 7 below.
Processing of health-related information
Processing your health-related information is an integral aspect of providing the Services. This type of personal data is subject to additional protections under the Data Protection Laws. We will process your health-related information only as necessary:
- To provide the Services on the basis of your consent. We will obtain this consent from you when you use the Services for the purposes set out in this Notice and the Terms and Conditions. See below for more information regarding consent.
- To comply with our obligations as a provider of a medical device to monitor the operational and technical performance and safety of the EmbracePlus Watch and related services, including via adverse incident reports.
- If you give your prior consent, to undertake research and analytics regarding the Services, including through anonymization of personal data, to evaluate and improve our services and business operations.
- To defend or enforce our legal rights and comply with other legal requirements.
Processing based on your consent
Where we require your consent for the processing of your personal data as part of the Services, you can revoke your consent at any time by contacting us (see contact details at section 14 below) or via the App (in relation to location data). However, if you withdraw your consent, you will no longer be able to use the features of the EmbracePlus watch and related Services, including notifications to Caregivers, as these require the processing of health data and location data. If you withdraw your consent to undertake research and analytics regarding the Services, including through anonymization of personal data, we will not be able to carry out data processing activities for this purpose any longer.
Processing for marketing purposes
We may process your personal data as part of our marketing activities. We will only send you direct marketing with your prior consent. You may unsubscribe from such communications at any time via the link provided in each message. If you opt out of receiving promotional emails from us, we may still send you communications that you have requested to receive from us.
5. Aggregate and De-Identified Information
We may use and disclose anonymized data related to our business and the Services for quality control, analytics, research, development, and other purposes. This processing is based on our legitimate interests, except where it involves health data, in which case we rely on your prior consent (please see above).
6. Cookies and Tracking
We use cookies in some areas of our website. We ask you to read the Cookie Notice available [here], to be consulted together with this Notice.
7. Your Data Subject Rights and Data Protection Officer
At any time, you can exercise the rights that the Data Protection Laws grant you regarding your personal data by writing to privacy@empatica.com and/or at the contacts set out in section 14. In particular, you can exercise the following rights:
- To access your personal data
- To rectify / erase your personal data
- To restrict the processing of your personal data
- To transfer your personal data to another controller (‘data portability’)
- To object to the processing of your personal data
- To obtain information regarding and/or a copy of personal data safeguards used for transfers outside the EU/EEA to non-adequate countries
- To lodge a complaint with your local supervisory authority
We may ask you for additional information to confirm your identity and for security purposes, before disclosing the personal data requested to you. We reserve the right to charge a fee where permitted by law, for instance if your request is manifestly unfounded or excessive.
You can exercise your rights by contacting us. Subject to legal and other permissible considerations, we will make every reasonable effort to honour your request promptly and, in any event, within the timeframe set out by the Data Protection Laws. If we require further information to fulfill your request, we will inform you accordingly.
We may not always be able to fully address your request, for example if it would impact the duty of confidentiality we owe to others, or if we are legally entitled to deal with the request in a different way. We have appointed a Personal Data Protection Officer, who is responsible for monitoring compliance with personal data protection regulations and acting as a point of contact for requests from the subjects to whom the personal data refers. The Data Protection Officer appointed by Empatica pursuant to Section 37 of the GDPR can also be contacted at the following email address: [privacy@empatica.com].
8. Retention
We retain your personal data for as long as necessary to fulfill the purposes for which it was collected or as otherwise necessary to comply with our legal obligations, resolve disputes, maintain appropriate business records, and enforce our agreements.
In particular, the following retention periods will apply:
- Providing the Services/Account and relationship management: a period equal to the duration of the contract entered into with us, as well as for 10 (ten) years thereafter (the period in which the statute of limitations for Empatica’s contractual liability, if any, accrues), except where retention for a later period is required for any litigation, requests by the competent authorities or pursuant to applicable law.
- Safeguarding: the period prescribed by applicable law. This includes, among other purposes, post-market surveillance, diagnostics and remediation, and assessing and responding to adverse event reports, as well as other regulatory obligations.
- Research and analytics: a retention period of 1 (one) year applies to personal data, with no specific retention period for anonymized data.
- Marketing, advertising, and public relations: until you withdraw your consent to the processing for such purposes and, in any event, no longer than 24 (twenty-four) months.
- Business operations: for accounting, auditing, compliance, recordkeeping, and legal purposes, for the period prescribed by applicable law; to prevent and detect fraud and cybersecurity incidents for a period of 7 (seven) days from the time of collection, unless further retention is necessary to ascertain liability in case of cybercrimes against Empatica, to comply with requests by the authorities, and/or to ensure compliance with applicable quality and security standards; to defend and enforce our legal and contractual rights as well as credit recovery, including assignment to authorized companies, for the period indicated under paragraph "Providing the Services/Account and relationship management" above or the further period required to enforce such rights and interests; and for transactions such as the sale or reorganization of our business, for the applicable retention period regarding the relevant data processing activities.
9. Processing of Children’s Personal Data
We are committed to protecting the privacy of children who use our Services. This section includes supplemental information regarding our processing of personal data relating to children.
Age groups:
- Children over the age of 6 but under the age of 18: can be given the EmbracePlus but may not register as users of the Services unless their parents or legal guardians do so on their behalf.
- With regard to children under the age of 6, you are aware – as indicated in the EpiMonitor Instructions for Use – that EpiMonitor is a prescription-only medical device system composed of a wearable device “EmbracePlus” or “EmbracePlus” and paired mobile software application “EpiMonitor” intended as an adjunct to seizure monitoring in adults and children aged 6 and up in a home environment or healthcare facilities.
Processing and Sharing of Children's data
We will process personal data relating to children as set out in this Notice. Where you are a parent or guardian holding parental responsibility acting as the User on behalf of a child under 18, you may also access your child’s personal data collected by us and may choose to receive notices of certain activity through the App; you may also designate additional Caregivers to receive such notices.
Parental Changes and Controls. When children under the age of 18 create an account or otherwise engage with the Services, we will obtain verifiable parental consent prior to the collection of their personal data. Parents may also review their child’s personal data maintained by us, and exercise on their child's behalf any of their data subject rights set out at section 7 above.
10. International Transfers of Personal Data
Empatica is headquartered in the United States, and has operations, entities, and service providers in the United States, European Union, and throughout the world. Empatica and our service providers may transfer your personal data to, or access it in, jurisdictions outside the European territory. In this case, the transfer will take place in compliance with the provisions of the Data Protection Laws (in particular, the data will be transferred only after signing the Standard Contractual Clauses approved by the EU Commission with decision no. 2021/914/EU or to countries able to guarantee an adequate level of personal data protection and therefore recipients of an Adequacy Decision adopted by the EU Commission and the EU-US Data Privacy Framework with regards to data transfers to the United States). For further information concerning data transfers outside the EEA/EU, you can contact us (see contact details at section 14 below).
11. Security
We have implemented appropriate technical and organizational safeguards that are intended to protect the personal data we collect from loss, misuse, unauthorized access, disclosure, alteration, and destruction.
12. Third-Party Links
Our Services may contain links to third-party websites. Any access to and use of such linked websites is not governed by this Notice but instead is governed by the privacy notices of those third-party websites. We are not responsible for the information practices of such third-party websites.
13. Changes to this Privacy Notice
We may make changes to this Notice from time to time, so please be sure to check back periodically. We will post updates to the Notice on our website. If we make any material changes to this Notice, we will endeavor to provide you prior notice, such as by emailing you or posting a prominent notice on our website.
14. Contact Us
Empatica welcomes your questions and comments about your privacy or this Notice. Please contact us by emailing privacy@empatica.com.