1. Data Controller
Corvia Medical, Inc.
One Highwood Drive
Tewksbury, MA 01876
(hereinafter also “we” or “us”).
2. Data Security
We take appropriate technical and organizational measures to ensure an adequate level of protection appropriate to the risk of the data processing to keep your data safe. These measures include ensuring the confidentiality, integrity and availability of your data through appropriate controls on physical and electronic access to the data as well as controls on input, disclosure, availability and segregation.
3. Accessing the Website
When you access our website, we automatically collect and process various data, such as:
- Information about the accessing end device and the software used
- Date and time of access
- IP address
The storage of the IP address is at least temporarily technically necessary to enable the website’s delivery to the user’s device. Our servers also store your IP address for up to 7 days for our own security purposes.
We use web hosting providers including technical security and maintenance services to provide our website. Through these hosts we collect data on access to our website (log files), including the date and time of access, the browser type and version, the operating system and the IP address. These log files may be used for security purposes (e.g., in the event of abusive attacks) and to ensure the server stability based on our legitimate interests.
4. Contacting Us
If you contact us by email, telephone, via social media or using our contact form, we store your contact data and the content of your enquiry for the purpose of processing your request and contacting you if necessary.
You may have the option to take part in surveys on our websites that help determine if you may be a candidate for one of our clinical trials. In this case, we will ask for certain data about your health. This data is only used to determine whether you are a suitable candidate for such studies and will not be permanently stored.
As a potential candidate you then have the option to provide us with your contact data and age so that our patient advisors can contact you to explore your participation in the trial. We process this data on the basis of your consent.
If your request relates to pre-contractual measures or an existing contract, for example a request for a quote, this forms the legal basis for the data processing. In all other cases, processing of your request is based on our legitimate interests. We will store your data until fulfilling the purpose (normally this is the completion of your request) or until you request us to delete it, provided that there is no legal retention period.
For providing the contact form and for technical processing of your request, we use the service provider HubSpot, Inc., 25 First Street, 2nd Floor, Cambridge, MA 02141, USA.
For dispatching our newsletters and for evaluating their use, we use Constant Contact, Inc., Waltham, Massachusetts (USA), 1601 Trapelo Road, Waltham, MA 02451 USA.
If you subscribe to the newsletter, you can withdraw your consent to the storage of your contact information at any time, for example using the “unsubscribe” link at the end of each newsletter. We will store your data until you unsubscribe and will then delete it from the distribution list and transfer your email address to a so-called blacklist to prevent future unintentional mailings to you, based on our legitimate interest.
6. Online Presence in Social Networks (social media)
We maintain online presences within social networks to communicate with users or to offer them information about us. In this context, user data is processed outside the European Union.
User data is regularly processed within social networks for market research and interest-based advertising purposes and to create user profiles based on the user preferences and the identified interests. For this purpose, cookies and, if you are logged into your social media account, further user data will be stored on your device and in your user profile. For a detailed description and opt-out options see the privacy policies of the respective network operators.
Note that requests for information and other data subject rights can be asserted most effectively with the providers themselves, as only they have access to their own user data and can respond appropriately. If you still need help with this, please feel free to contact us.
We are jointly responsible with Facebook Ireland Ltd. for the collection of, but not for the further processing of, data of visitors to our Facebook page (so-called “Fanpage”). This data includes, in particular, information about content viewed or interacted with, as well as information about the devices used by users, e.g. IP addresses, operating system, browser type, and language settings. See Facebook’s data policy: https://www.facebook.com/policy. As explained in the Facebook Data Policy under “How do we use this information?” Facebook also uses information to provide analytics services (“Page Insights”) to page operators to provide them with insights into how people interact with their pages and with content associated with them. We have entered into a specific agreement with Facebook (“Page Insights Information”, https://www.facebook.com/legal/terms/page_controller_addendum), which specifically sets out the security measures that Facebook must observe and in which Facebook agrees to comply with data subjects’ rights. For example, users can send information or deletion requests directly to Facebook. Further information can be found in Facebook’s “Information on Page Insights” (https://www.facebook.com/legal/terms/information_about_page_insights_data).
Facebook: Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland
Parent company: Facebook, 1 Hacker Way, Menlo Park, CA 94025, USA;
Option to object (Opt-Out): https://www.facebook.com/adpreferences/ad_settings (Facebook login is required).
LinkedIn: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland;
Option to object (Opt-Out): https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
Twitter: Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2 D02 AX07, Ireland;
Parent company: Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA;
YouTube: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland;
Parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA;
Possibility to object (Opt-Out): https://adssettings.google.com/authenticated.
7. Plugins and Embedded Content
To enable user-friendliness and provide adequate customer service on our website we use functional and content elements (videos or city maps; hereinafter: “content”) from different service providers (hereinafter: “third-party providers”) in our online services. These third-party providers regularly process the IP address, which is necessary for displaying the website content.
Third-party providers may also store pseudonymous so-called pixel tags on the users’ device (invisible graphics, also known as “web beacons”) to collect information such as page visits and device specifications for statistical or marketing purposes.
9. Storage Period
We process personal data only as long as it is necessary for the underlying processing purpose (until you revoke your consent or other authorizations cease to apply). The data is then deleted, or where legally permitted or required, access to the data is restricted.
11. Data Privacy – EU Residents – with Reference to the EU General Data Protection Regulation (GDPR)
If asked by you, we will provide you with information as to whether personal data relating to you is being processed. If this is the case, you have a right to information about, and a copy of, this personal data and the information listed in detail in Art. 15 GDPR. In addition, you have the right to rectification (Art. 16 GDPR), the right to restriction of processing (Art. 18 GDPR), the right to erasure (Art. 17 GDPR) and the right to data portability (Art. 20 GDPR), all rights subject to the respective legal requirements.
Right to object: You have the right at any time to object to the processing of your personal data, which is carried out on the basis of our legitimate interest, on grounds relating to your particular situation. This also applies to profiling based on these provisions.
If your personal data is processed for direct marketing, you have the right to object to this form of processing at any time. This also applies to profiling insofar as it is connected with direct advertising.
Right of withdrawal: You have the right to withdraw your consent at any time with effect for the future.
Requests may be submitted to email@example.com. Please note that the law may require we verify your identity before responding to the request.
Complaint to a supervisory authority: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement, if you consider that the processing of personal data concerning you infringes the requirements of the GDPR.
Corvia has contracted with DataRep as its Data Protection Representative in the European Union. When contacting DataRep, please address your request to DataRep directly and not to Corvia Medical. Communications addressed to Corvia Medical but sent to a DataRep location will likely not be received.
|Country|DataRep address|
|---|---|
|Austria|DataRep, City Tower, Brückenkopfgasse 1/6. Stock, Graz, 8020, Austria|
|Belgium|DataRep, Place de L’Université 16, Louvain-La-Neuve, Waals Brabant, 1348, Belgium|
|Croatia|DataRep, Ground & 9th Floor, Hoto Tower, Savska cesta 32, Zagreb, 10000, Croatia|
|Czech Republic|DataRep, IQ Ostrava Ground floor, 28. rijna 3346/91, Ostrava-mesto, Moravska, Ostrava, Czech Republic|
|Denmark|DataRep, Lautruphøj 1-3, Ballerup, 2750, Denmark|
|France|DataRep, 72 rue de Lessard, Rouen, 76100, France|
|Germany|DataRep, 3rd and 4th floor, Altmarkt 10 B/D, Dresden, 01067, Germany|
|Italy|DataRep, Viale Giorgio Ribotta 11, Piano 1, Rome, Lazio, 00144, Italy|
|Netherlands|DataRep, Cuserstraat 93, Floor 2 and 3, Amsterdam, 1081 CN, Netherlands|
|Poland|DataRep, Budynek Fronton ul Kamienna 21, Krakow, 31-403, Poland|
|Spain|DataRep, Calle de Manzanares 4, Madrid, 28005, Spain|
|United Kingdom|DataRep, 107-111 Fleet Street, London, EC4A 2AB, United Kingdom|
As a U.S. company, we also process your data in countries outside the European Union and the European Economic Area (“EEA”), primarily in the United States. Further, we will only process your data or have your data processed in countries outside the EEA, if an adequate level of data protection in accordance with the requirements of Articles 44 to 49 GDPR is ensured. This can be achieved, for example, by concluding so-called standard contractual clauses (e.g. with our service providers such as HubSpot or Google).
We will only transfer your personal data to third parties in accordance with the legal requirements and if the transfer is necessary in order to fulfill our contractual obligations to you, we are otherwise entitled or obligated to transfer the data, or you have given us your consent to do so.
12. Data Privacy Rights – California Residents
Residents of California may have specific rights under the California Consumer Privacy Act, including:
- The right to know what specific personal information we hold about you, the categories of sources of that information, the purpose(s) for collecting the information, disclosures that have been made for business purposes, and the categories of third parties to whom it was disclosed.
- The right to copies of the personal information we hold about you.
- The right to have your personal information deleted, although the law identifies several instances in which you will not be entitled to deletion.
- The right to know what data has been sold, and to opt out of sales of your personal data.
- If we are relying on your consent to process your personal information, you have the right to withdraw your consent at any time. Please note, however, that this will not affect the lawfulness of the processing before its withdrawal.
Please note that Corvia Medical does not sell Personal Data.
Requests may be submitted to firstname.lastname@example.org. Please note that the law requires we verify your identity before responding to the request.
We will not discriminate against you for exercising any of your privacy rights.
Last updated: 2022 April 12