PRIVACY POLICY FOR CUSTOMERS, PROSPECTS, WEBSITE USERS, HEALTHCARE PROFESSIONALS, AND TECHNICIANS
1. IDENTITY AND CONTACT INFORMATION OF THE DATA CONTROLLER FOR DATA PROCESSING
Your data is processed, as applicable, by Bioserenity Life or Bioserenity Group (hereinafter “Bioserenity”), whose contact information is as follows:
- 8 RUE JEAN ANTOINE DE BAIF, 75013 PARIS
- contact@bioserenity.com
2. DESCRIPTION OF DATA PROCESSING
| Data processing | Purpose | Legal basis | Retention periods |
|---|---|---|---|
| Customer relationship management | To monitor service delivery, billing, technical support, and contract management. | Performance of a contract | Duration of the contractual relationship, plus 5 years (civil and commercial statute of limitations) and 10 years for accounting records |
| Marketing | Developing business, sending professional newsletters, and offering new services. | Legitimate interest | 3 years from the last incoming contact from the prospect |
| Management of contact requests on the website | Responding to requests for information via the website’s contact form. | Legitimate interest | The time required for data processing of the request |
| Placement of cookies and other trackers | Analyzing website traffic and improving the user experience. | Consent / Legitimate interest | See cookie policy |
| Site security and maintenance | Ensure the proper functioning of the site and detect intrusions (Logs). | Legitimate interest | 6 months |
| Communication with contact points at the partner/supplier | Interacting with staff within the scope of the contractual relationship | Performance of a contract | Contract term, plus five years |
| Internal directory of healthcare professionals (care and teleinterpretation) | Contact healthcare professionals as needed | Performance of a contract | Contract duration, extended by five years |
| Internal directory of healthcare professionals (research on physiological signals) | Monitoring of professionals involved in care and research | Public interest related to research | 15 years after the end of the last research study in which they participated |
| Directory of technicians working with medical devices | Continuity of care services | Performance of a contract | Contract duration, plus five years |
3. CATEGORIES OF DATA RECIPIENTS
Your data is shared, depending on the data processing activities, with the following recipients:
- Internal recipients — our teams specifically authorized for data processing
- External recipients—our service providers and partners, including the technical service providers we engage.
4. CROSS BORDER DATA FLOWS
Bioserenity reserves the right, including through its data processors, to transfer data outside the European Union.
In the event of data transfers outside the European Union, we ensure that such transfers are governed by specific safeguards as required by the GDPR. You may request access to the documents authorizing such transfers from our data protection officer when they occur.
5. YOUR RIGHTS
5.1 Right of access
You may obtain confirmation that data concerning you is being processed and, if so, access such data as well as various information regarding data processing.
Please note that the Right of access, and the right to obtain a copy, does not apply to the files themselves but to the personal data being processed.
5.2 Right to request rectification
You may request the correction of inaccurate or incomplete data concerning you.
5.3 Right to erasure or “right to be forgotten”
You may request the erasure of your personal data. However, this right is not absolute: it applies only when one of the following cases applies:
– Your data is no longer necessary for the purposes for which it was collected or processed;
– You withdraw your consent to the data processing and there is no other legal basis for continuing the data processing;
– You object to the data processing and there are no overriding legitimate grounds for continuing it;
– Your data has been subject to unlawful data processing;
– Their erasure is necessary to comply with a legal obligation under European Union law or French law; or
– The data was collected from a minor in connection with the provision of information society services.
If your data has been made public, we will take reasonable steps to inform other data controllers that you have requested the erasure of any links, copies, or reproductions of such data.
This right does not apply where data processing remains necessary:
– to exercise the right to freedom of expression and information;
– to comply with a legal obligation or perform a Public interest mission;
– for reasons of public interest in the field of health;
– for archiving, research, or statistical purposes, where erasure would render these purposes impossible or seriously compromised; or
– for the establishment, exercise, or defense of legal claims.
5.4 Right to restriction of data processing
You may request the restriction of data processing of your personal data. This right applies only in the following cases:
– You contest the accuracy of the data: data processing is then suspended for the time necessary to verify it;
– The data processing is unlawful, but you do not wish for the data to be erased and instead request the restriction of its use;
– We no longer need your data for the purposes of data processing, but you still need it to establish, exercise, or defend a legal claim;
– You have objected to the data processing, and a review is underway to determine whether our legitimate grounds override yours.
When the restriction on data processing is lifted, you will be notified in advance.
5.5 Right to object
You have the right to object at any time, on grounds relating to your particular situation, to the data processing of your personal data when such data processing is based on our legitimate interest or on a Public interest mission.
In this case, we will no longer perform data processing on your data, unless we demonstrate that there are legitimate and compelling grounds that override your interests, rights, and freedoms, or if the data processing is necessary for the establishment, exercise, or defense of your rights in court.
You may also object at any time to the data processing for marketing purposes. In this case, no exceptions apply: your data will no longer be used for this purpose.
5.6 Post-Mortem Directives
In accordance with the French Data Protection Act, you have the right to establish guidelines regarding data retention, erasure, and disclosure of your personal data after your death.
These guidelines may be:
– General: they concern all of your personal data, regardless of the type of data processing. They may be registered with a trusted third party certified by the French data protection authority; or
– Specific: these apply to specific data processing operations and must be addressed directly to the relevant data controller. They require explicit consent and cannot be validly expressed by simply accepting the general terms of use.
You may modify or revoke your instructions at any time.
You may also designate a person responsible for implementing them. If you do not do so, or if that person has passed away, your heirs may access your instructions and request their implementation.
6. DATA PROTECTION OFFICER
For any questions regarding the data processing of your personal data by Bioserenity, our data protection officer can be reached by email at dpo@bioserenity.com or by mail at the address listed above.
7. RIGHT TO FILE A COMPLAINT WITH THE FRENCH DATA PROTECTION AUTHORITY
As permitted by law, you may file a complaint with the French data protection authority at the following address: French data protection authority Complaints Department, 3 Place de Fontenoy – TSA 80751, 75334 Paris Cedex 07, or by phone at 01.53.73.22.22
In accordance with Article 77 of the GDPR, you have the absolute right to lodge a complaint with the competent Supervisory Authority of the European Union Member State in which you have your habitual residence, your place of work or the place where any alleged data breach is said to have occurred. The list and contact details of all European data protection authorities are available on the website of the European Data Protection Board (EDPB).