Privacy policy
1. THE COMPANY’S COMMITMENTS
The Company is committed to the protection of Personal Data.
Personal Data is used only for explicit, legitimate purposes, determined and defined in this Policy and within the framework of an Agreement.
Personal Data is not kept beyond the period necessary for the operations for which it was collected, taking into account the nature of the operations, or those provided for by the Regulations, recommendations and reference documents of the authorities and, for France, the National Commission for Information Technology and Civil Liberties.
Personal Data is not transferred. Only authorized Recipients within the strict framework of the purposes previously defined in this Policy are likely to have access to Personal Data.
The Company entrusts certain Processing to subcontractors chosen on the basis of appropriate technical and organizational guarantees, in order to guarantee the protection of the Personal Data entrusted to them under the Company’s instructions.
The Data Subjects are informed in advance and regularly, in a clear and transparent manner, in particular on (i) the purpose of use of their Personal Data, (ii) the optional or mandatory nature of their responses in the forms, (iii) the rights they have in terms of protection of Personal Data and the methods of effectively exercising these rights and (iv) the Recipients.
Whenever the Regulations require it, explicit, informed, active and unequivocal consent from the Data Subjects is collected for the Processing.
Appropriate security measures, on a logical, technical, organizational and legal level, have been defined on the basis of a risk analysis of the different Processings, and are implemented by the Company and its Subcontractors engaged by contract, to ensure the protection of Personal Data.
Whenever the risks presented by a Processing operation require it, the Company carries out an impact analysis on privacy and the protection of personal data, in order to adopt concrete measures adapted to these risks and to manage them.
The Company is committed to designing tools and systems that incorporate compliance with Regulations and the protection of the privacy of the persons concerned at the very heart of their functionalities, by integrating compliance with these rules at the very stage of design and development: the Company thus applies the concept of privacy by design which allows the development of responsible tools and systems.
Only Personal Data that is strictly useful is collected and processed: the Company thus applies the concept of “Privacy by default” which protects Users from any excessive collection of Personal Data.
The Company and its Subcontractors are committed to monitoring any possible and exceptional breach of Personal Data and to taking all protective and corrective measures following a breach by informing the competent authorities and, where appropriate, the persons concerned.
In the event of transfer of Personal Data to third countries within the meaning of the Regulations, the Company has implemented adequate measures and additional measures, and in particular has concluded, within the framework of the Agreement, contractual clauses for the transfer of Personal Data, which are accessible to the Data Subjects upon simple request addressed to the Company by email at privacy@srett.com.
All employees and stakeholders involved in the design and operation of the Services are made aware of the principles of Personal Data protection, through regular training adapted to their activity and their responsibilities.
Employees only have access to the information necessary for their activity, sensitive Personal Data is subject to specific authorizations and controls, and in particular Personal Data concerning health is entrusted to an approved or certified Health Data host within the meaning of Article L. 1111-8 of the French Public Health Code.
2. DEFINITIONS
Administrator account: allows you to manage User accounts within the framework of the Subscription taken out by the Client, who designates the holder of his account with SRETT in the Subscription Form. The administrator has the possibility to deactivate an account, promote a User account to an administrator role or vice versa, transform a User account into an administrator, view all accounts attached to his entity and share access rights. Requests from the holder must comply with SRETT’s access management policy.
User Account: means the account opened for the benefit of a User in compliance with the Contract and the Platform’s access control policy.
Applicable regulations: means all applicable provisions relating to the protection of personal data, in particular those of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, referred to as GDPR. Where terms defined in the Applicable Regulations appear in this Annex, such as the following list of terms, they shall be understood as in the Applicable Regulations. The provisions of this Privacy Policy shall be read and interpreted in light of the provisions of the Applicable Regulations. They shall not be interpreted in a manner contrary to the rights and obligations provided for by the Applicable Regulations or in a manner that infringes the fundamental rights or freedoms of the data subjects.
Recipient: means the natural or legal person, public authority, service or any other body which receives communication of Personal Data, whether or not a third party.
Data: means all data provided directly or indirectly to SRETT, including Personal Data.
Personal Data: means, within the meaning of Article 4§1 of the GDPR, any information relating to an identified or identifiable natural person; an “identifiable natural person” is deemed to be a natural person who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, a telephone number, an email address, an identification number, location data, an online identifier, or to one or more specific factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity.
Health data: means Personal Data relating to the physical or mental health of a natural person, including the provision of healthcare services, which reveals information about that person’s health status.
Patient: means the natural person who is the subject of Remote Monitoring or Remote Surveillance using the Solution.
Healthcare Professional: means any healthcare professional as defined in Part 4 of the CSP (French Public Health Code) collaborating or practicing within the Client, registered with their professional body or registration authority and, where applicable, the members of their team (employees or not) subject to professional secrecy and acting under the responsibility of the Healthcare Professional.
Data subject: means a person whose personal data is subject to Processing.
Data controller: means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of Processing.
Subcontractor: means the natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.
Processing: means any operation or set of operations applied to Personal Data.
3. ORIGIN OF PERSONAL DATA
The Personal Data of Professional Users is collected when their Account is created and when using the Services as part of the signing of the Subscription Form and the General Subscription Conditions by the User’s parent structure.
Personal Data concerning Patients is collected from: (i) communications between the Platform and the connected equipment used by Patients as part of their medical care, (ii) the use of the Services by Professional Users directly through the Application or indirectly via third-party software connected to the Platform, (iii) the use by Patients of dedicated applications connected to the Platform, (iv) digital algorithms applied to the Data by the Platform.
4. DESCRIPTION OF PROCESSING OPERATIONS
4.1 Processing necessary for the provision of Services for which the Company acts as Data Controller
The Company acts as Data Controller for certain Processing operations that are necessary for the provision of the Services.
| Purpose | Data category | Legal basis | Retention period |
|---|---|---|---|
| Creation and management of Professional Administrator Accounts for access to the Services | Professional User identification data | Performance of the contract (Article 6.1 b) of the GDPR) | Duration of the contractual relationship with the Client, resulting in the deletion of the account, or 5 years from the last activity, resulting in the deletion of the account. Intermediate archiving: 5 years |
| Application of the Data access control policy | Professional User identification data; Patient identification data; Patient care management data | Performance of the contract (Article 6.1 b) of the GDPR); Health data processed with the consent provided for in the Contract (Article 9.2 a) of the GDPR) | Duration of the contractual relationship with the Client, resulting in the deletion of the account; until the deletion of the Account or 5 years from the last activity, resulting in the deletion of the account. Intermediate archiving: 5 years |
| Maintaining the Platform in operational condition | Audit trail of user-generated data queries | Legitimate interest (Article 6.1 f) of the GDPR) | 5 years from the registration of the supervised or maintained activity |
| Management of complaints and requests to exercise the rights of Data Subjects | Data relating to the claim/dispute (date, time, content, identification of the author, etc.); any data necessary for processing the claim/dispute; identification data of Professional Users and Patients; audit trail of user-generated data queries; data relating to patient care management; Health Data from medical devices | Legal obligation (Article 6.1 c) of the GDPR) or legitimate interest (Article 6.1 f) of the GDPR); Health data processed with the consent provided for in the Contract (Article 9.2 a) of the GDPR) | For the duration of the processing of the claim or dispute and until the limitation period for any possible recourse in connection with said claim or dispute |
4.2. Processing of data by the Company in its capacity as Data Controller for the purposes of information and communication with Professional Users
| Purpose | Data category | Legal basis | Retention period |
|---|---|---|---|
| Communication of personalized offers by electronic communication | Name; first name; email address | Consent | Until withdrawal of consent or 3 years from the person’s last contact with the organization |
4.3 Processing of data by the Company in its capacity as Data Controller for the purposes of research studies not involving human beings
The Company may apply data reuse processing for the purposes of research not involving human beings, studies and evaluations in the field of health for reasons of public interest. These processing operations are carried out in accordance with the regulatory framework and the Agreement.
In France, the applicable reference methodology is that issued by the National Commission for Information Technology and Civil Liberties (CNIL), reference methodology MR-004.
The participation of the persons concerned by the research is optional and at the time of acceptance of the Privacy Policy, the person concerned or their legal representative may express their opposition to this clause.
The person who wishes to object to the processing of personal data concerning them for research purposes in the health field may express, at any time and without having to justify their decision, their objection by any means to either the research manager, the participating center or the professional holding this data, in accordance with the “Data Protection” law.
4.4 Data processing in connection with the use of the Services for which the Company acts as a subcontractor
The nature of the Data Processing in connection with the use of the Services, and for which the Company acts as a subcontractor, is specified by the Agreements which bind each Professional User to the Company.
The Agreement may specify the data controller associated with the Services.
4.5 Processing of personal data relating to professional users
| Personal data concerned | Nature of operations performed on the data | Purpose of processing | Data retention period | Legal basis subject to analysis by the data controller (Client and/or Professional User) |
|---|---|---|---|---|
| Name; first name; email address; phone number; RPPS number | Collection / storage / provision / deletion | Creation and management of user accounts, settings | Duration of the user account, closed by the user or automatically 12 months after the last use of the account | Performance of the contract (Article 6.1 b) of the GDPR) |
4.6 Processing of personal health data relating to patients
| Personal data concerned | Nature of operations performed on the data | Purpose of processing | Data retention period | Legal basis subject to analysis by the data controller (Client and/or Professional User) |
|---|---|---|---|---|
| Patient identification details and means of contacting them: sex; name; first name; mailing address; e-mail address; phone number; NIR; INS | Collection / storage / provision / deletion | Medical care | For the entire duration of care, corresponding to the period during which the patient file is activated by the Client on the Platform, plus 12 months after the end of care for the exercise of rights; maximum legal retention period determined by the data controller | Legal obligation (Article 6.1 c) of the GDPR) or legitimate interest (Article 6.1 f) of the GDPR); Health data processed with the patient’s consent provided for in the Subscription Contract (Article 9.2 a) of the GDPR) |
| List of users involved in a patient’s care pathway and their role in that care pathway | Collection / storage / provision / deletion; evaluation of access rights according to the access control policy | Medical care | For the entire duration of care, corresponding to the period during which the patient file is activated by the Client on the Platform, plus 12 months after the end of care for the exercise of rights; maximum legal retention period determined by the data controller | Legal obligation (Article 6.1 c) of the GDPR) or legitimate interest (Article 6.1 f) of the GDPR); Health data processed with the patient’s consent provided for in the Subscription Contract (Article 9.2 a) of the GDPR) |
| Information entered by users during medical care, including consultations and remote monitoring procedures; this includes prescriptions, reports, requests for advice, PREMs and PROMs | Collection / storage / provision / deletion | Medical care | For the entire duration of care, corresponding to the period during which the patient file is activated by the Client on the Platform, plus 12 months after the end of care for the exercise of rights; maximum legal retention period determined by the data controller | Legal obligation (Article 6.1 c) of the GDPR) or legitimate interest (Article 6.1 f) of the GDPR); Health data processed with the patient’s consent provided for in the Subscription Contract (Article 9.2 a) of the GDPR) |
| Data automatically transmitted by patients’ connected devices relating to patient compliance and treatment effectiveness | Collection / storage / provision / deletion; calculation of statistical values and alerts for each patient | Medical care | For the entire duration of care, corresponding to the period during which the patient file is activated by the Client on the Platform, plus 12 months after the end of care for the exercise of rights; maximum legal retention period determined by the data controller | Legal obligation (Article 6.1 c) of the GDPR) or legitimate interest (Article 6.1 f) of the GDPR); Health data processed with the patient’s consent provided for in the Subscription Contract (Article 9.2 a) of the GDPR) |
| Values calculated by Vestalis to enable remote monitoring and tracking from data automatically transmitted by connected devices; this data is presented to users in the Vestalis interface in the form of dashboards, alerts, indicators, graphs and reports | Calculation / storage / provision / deletion | Medical care | For the entire duration of care, corresponding to the period during which the patient file is activated by the Client on the Platform, plus 12 months after the end of care for the exercise of rights; maximum legal retention period determined by the data controller | Legal obligation (Article 6.1 c) of the GDPR) or legitimate interest (Article 6.1 f) of the GDPR); Health data processed with the patient’s consent provided for in the Subscription Contract (Article 9.2 a) of the GDPR) |
| Information entered by users when providing home services, including visit and telephone call reports, as well as requests for opinions | Calculation / storage / provision / deletion | Medical care | For the entire duration of care, corresponding to the period during which the patient file is activated by the Client on the Platform, plus 12 months after the end of care for the exercise of rights; maximum legal retention period determined by the data controller | Legal obligation (Article 6.1 c) of the GDPR) or legitimate interest (Article 6.1 f) of the GDPR); Health data processed with the patient’s consent provided for in the Subscription Contract (Article 9.2 a) of the GDPR) |
| Information entered by users when distributing medical equipment to the patient, including the references of the equipment provided to patients and their settings | Calculation / storage / provision / deletion | Medical care | For the entire duration of care, corresponding to the period during which the patient file is activated by the Client on the Platform, plus 12 months after the end of care for the exercise of rights; maximum legal retention period determined by the data controller | Legal obligation (Article 6.1 c) of the GDPR) or legitimate interest (Article 6.1 f) of the GDPR); Health data processed with the patient’s consent provided for in the Subscription Contract (Article 9.2 a) of the GDPR) |
4.7 Processing relating to traces (Professional Users and Patient Users)
| Personal data concerned | Nature of operations performed on the data | Purpose of processing | Data retention period | Legal basis subject to analysis by the data controller (Client and/or Professional User) |
|---|---|---|---|---|
| Trace of functional access to health data, including for each request: date and time, User ID, the operation carried out, the nature of the data accessed | Collection / storage / provision / deletion | Data security; exercise of rights | 36 months | Legal obligation (Article 6.1 c) of the GDPR) or legitimate interest (Article 6.1 f) of the GDPR); Health data processed with the patient’s consent provided for in the Subscription Contract (Article 9.2 a) of the GDPR) |
| Trace of technical access to health data, including for each request: date and time, IP address of the requester, nature of the request, status of the request | Collection / storage / provision / deletion | Data security; exercise of rights | 12 months | Legal obligation (Article 6.1 c) of the GDPR) or legitimate interest (Article 6.1 f) of the GDPR); Health data processed with the patient’s consent provided for in the Subscription Contract (Article 9.2 a) of the GDPR) |
5. RECIPIENTS OF THE DATA
The Data relating to the processing for which the Company acts as Data Controller is intended solely for the following persons:
- the Company’s staff members, specifically authorized and within the limits of their duties;
- the specifically authorized personnel of the certified health data host, within the limits of their responsibilities;
- the staff members of Subcontractors and technical service providers, specifically authorized, within the limits of their duties;
- persons authorized as third parties by law.
Data relating to the use of the Services is intended exclusively for:
- Professional Users who are staff members of a Home Health Care Provider;
- Professional Users, doctors and other healthcare professionals, who participate in the medical care of Patients;
- the specifically authorized personnel of the certified health data host, within the limits of their responsibilities;
- the staff members of Subcontractors and technical service providers, specifically authorized, within the limits of their duties;
- persons authorized as third parties by law.
6. WHAT ARE YOUR RIGHTS AS A USER?
In accordance with the Regulations, as a User you have the following rights:
- Right of access: you have the right to access the Personal Data which is subject to Processing and, where applicable, to obtain a copy.
- Right of rectification: you have the right to obtain from the Data Controller the rectification of Personal Data concerning you which is inaccurate and/or that it be completed if it is incomplete.
- Right to erasure: you may request the erasure of your Personal Data as soon as possible, except where the Processing is based on a legal obligation to which the Data Controller is subject.
- Right to restriction of processing: you can request that the Processing of your Personal Data be restricted, so that the Data Controller may retain this data, but may not use or process it.
- Right to portability: you have the right to request from the Data Controller to receive the Personal Data concerning you in a structured, commonly used and machine-readable format (and/or the right to transmit this data to another Data Controller) when the Processing is based on the performance of a contract.
- Right to object: when the Processing of your Personal Data is based on a legitimate interest of the Data Controller, you may at any time object to the continuation of the Processing and for reasons relating to your particular situation.
- Right to define the fate of Personal Data after death: you have the right to define your general guidelines regarding the retention, deletion and communication of your Personal Data after your death. These guidelines may be registered with a digital trustee certified by the National Commission for Information Technology and Civil Liberties.
When processing has been carried out on the legal basis of consent in accordance with the Regulations, the User has the right to withdraw his consent at any time, without this withdrawal calling into question the lawfulness of the data processing carried out before this withdrawal.
7. TERMS AND CONDITIONS FOR EXERCISING YOUR USER RIGHTS
When the Company acts as Data Controller, these rights may be exercised by sending a request to privacy@srett.com.
When the Company acts as a Subcontractor, these rights may be exercised directly: (i) by a Patient, with the Healthcare Professional involved in their medical care; (ii) by a Professional User, with the data controller.
If, after contacting us, you believe that your rights have not been respected, you can file a complaint with the authorities.
In France, the competent authority is the National Commission for Information Technology and Civil Liberties, accessible:
- Online, via the CNIL’s online complaint service;
- By post by writing to the following address: CNIL – Complaints Department – 3 Place de Fontenoy – TSA 80715 – 75334 PARIS CEDEX 07 – FRANCE.
8. SECURITY MEASURES
The Company undertakes to take all measures to ensure the security and confidentiality of Personal Data.
In particular, the Company implements technical and organizational measures in order to prevent them from being destroyed, altered or disclosed to unauthorized third parties.
In particular, and in accordance with the provisions of Article L. 1111-8 of the French Public Health Code, personal health data is hosted in France by a certified health data host: Cloud Santé, Euris, 116 rue de Silly, 92100 Boulogne-Billancourt, France.
As part of the use of the Services, this hosting is necessary to (i) ensure the conservation, archiving and security of Personal Data, and (ii) ensure compliance with the confidentiality, security and durability requirements applicable to your Personal Data.
9. CHANGES TO THE PRIVACY POLICY
The Company may modify, supplement or update the Privacy Policy in order to take into account any legal, regulatory and/or technical developments.
In the event of a substantial modification to this Policy, the Company undertakes to inform Users by any appropriate means before its effective date.
10. CONTACT THE COMPANY
For any additional questions relating to the use of your Personal Data, you can contact our Data Protection Officer either by email at the following address: privacy@srett.com, or by mail to the address SRETT, 11 rue Heinrich, 92100 Boulogne-Billancourt, France.
Confidential | All rights reserved | Reproduction prohibited without permission
1003694.AA 2025-07