BreatheSmart’s Privacy Policy

ADH is the data controller of your personal data to the extent that it determines the purposes of the processing related to BreatheSmart’s services..

ADH also acts as the data controller of your personal data:

• when it operates personal data processing in order to comply with its legal and regulatory obligations, in particular regarding the materiovigilance obligations; and
• when it operates personal data processing in order to improve the App, the Site and/or its services.

This Policy describes how ADH collects, uses and shares information about you through BreatheSmart. Please read this Policy carefully to understand what we do. If you do not understand any aspects of our Privacy Policy, please feel free to contact us as described at the top of this Policy. This Privacy Policy applies only to information we collect through the App and the Site. BreatheSmart also contains links to third party sites that are not owned or controlled by ADH. We are not responsible for the privacy practices of such other sites. ADH does not share Personal Information (defined below) with those sites. We encourage you to be aware when you leave BreatheSmart and to read the privacy statements of each and every website that collects personal information.

ADH collects two types of information: (1) information received from you, and (2) information received from others (i.e: Apple Health or Google Health depending on your device and your authorization).

Find below the detailed list of all personal data provided by you via BreatheSmart, or collected from other application, or generated by BreatheSmart (also BreatheSmart automatically collects data via cookies⁽¹⁾ and other trackers):

⁽¹⁾ Cookies are small packets of data that a website stores on your computer’s or mobile device’s hard drive so that your computer will “remember” information about your visit.

⁽²⁾ These data are necessary for the proper functioning of BreatheSmart, as well as internal analytics purposes.

As data controller, ADH processes your personal data for the following purposes:

ADH may also process your personal data for legitimate interests as:

• improving the BreatheSmart’s services or,
• taking action against any identified breach or,
• managing any dispute or litigation.

ADH will not sell or rent your Personal Data. Your personal data may be transmitted to the following recipients when you use BreatheSmart and the services it provides:

If you have any questions or wish to exercise your rights, you may directly contact ADH by sending an email to informationgovernance@aptardigitalhealth.com.

• you can request the access to your personal data in order to obtain clear, transparent and understandable information on how ADH processes your personal data and on your rights (as provided in this policy), as well as a copy of your personal data (you can access certain information relating to your account (name, contact information and preferences) by signing into your account and going to the “PROFILE” section of our mobile or web application).
• you can request the rectification of your personal data in order to obtain the modification of your personal data if they are obsolete, inaccurate or incomplete.
• you can request the closure of your online account. If you close your account, we will no longer use your online Personal Information or share it with third parties. ADH may, however, retain a copy of the information for legal purposes and to avoid identity theft or fraud.
• you have a right to ask to get an Accounting of Disclosures of when and why your health information was shared.
• you may decide if you want to give your authorization before your health information may be used or shared for certain purposes, such as for marketing.
• you have the right to receive your information in a confidential manner.
• you have a right to restrict who receives your information.

Under certain circumstances, ADH may ask you for specific information in order to confirm your identity and ensure the exercise of your rights. This is another appropriate security measure to ensure that personal data is not disclosed to an individual who does not have the right to receive it.

If needed (fraud, scams, rip-off, bogus product, etc.), you may also report a complaint to your national data protection agency,the Federal Trade Commission ‘FTC’.

To do so you may:

• directly use the FTC complaint form available on their website : ftc.gov/complaint
• or call 1-877-FTC-HELP

ADH has implemented technical and organizational measures in order to protect your personal data, in particular against potential data breaches likely to cause, either by accident or unlawfully, the destruction, loss, modification, unauthorized access or divulgation of your personal data. These measures will guarantee a level of security adapted to the data and will take into account the state of the art and the cost of implementation in relation to the risks and nature of the data to be protected.

In particular, your health data are stored on servers operated by duly certified hosting providers (“HDS”). This is a French-specific certification standard mainly based on the ISO 27001 standard on the management of information security systems.

ADH also guarantees that all members of its personnel and any other person processing your personal data will respect the internal rules and procedures related to the processing of personal data, including the technical and organizational security measures put in place to protect your personal data. In this context, ADH reviews and updates its practices regularly to enhance your privacy and ensure that its internal policies are followed.

However, even with these safeguards, ADH cannot guarantee, ensure, or warrant the security of any information you transmit to us. There is no guarantee that information may not be accessed, disclosed, altered, or destroyed by breach of any of our physical, technical, or managerial safeguards. It is your responsibility to protect the security of your login information. Please note that e-mails and other communications you send to voluntis-privacy.glo@aptar.com are not encrypted, and we strongly advise you not to communicate any confidential information through these means.

If you have found a vulnerability or would like to report a security incident, you may send an email to informationgovernance@aptardigitalhealth.com or use the dedicated message service available through the App or contact your national data protection agency FTC (as described in section 7).

BreatheSmart mobile and Dashboards are hosted and managed on servers located within the United States. By using and accessing BreatheSmart, you agree and consent to the transfer to and processing of Personal Information on servers located in the United States, even when you travel outside the United States, and you recognize that the protection of such information may be different than required under the laws of any location that you visit.

As a general rule, your personal data will only be retained for ten (10) years following your last use of the services, or as necessary to fulfill legal or regulatory obligations.

In the absence of applicable exceptions, your traffic data will be kept for a period of thirteen (13) months from the connection date.

This Privacy Policy may be amended from time to time, in particular to reflect the changes in the services provided by BreatheSmart or the applicable regulations. Any revised version of the Privacy Policy will be posted on this page and at other places deemed appropriate.

If you have any questions, concerns, complaints or suggestions regarding our Privacy Policy or otherwise need to contact us, please email our Data Protection Officer at informationgovernance@aptardigitalhealth.com or use the dedicated message service available through the App.

In the event of any fraud or scams, you may report a complaint to your national data protection agency (the FTC) as described in section 7.