This Policy explains how we collect, use, disclose, and safeguard personal data when you use
our websites, apps, products, services, and communications (together, the “Services”). It
applies to individuals worldwide, subject to regional disclosures in this Policy. If we
process protected health information (PHI) in the United States, the HIPAA section also
applies.
3. Data We Collect
We may collect the following categories of data (as permitted by law and your settings):
Identifiers and contact details: name, email, phone, postal address, account IDs.
Commercial information: orders, subscriptions, transaction history.
Professional data (if B2B): company, role, department.
Sensitive data (only if necessary and lawful): [describe or state “not collected”].
PHI (US, HIPAA contexts): see HIPAA section.
Sources: directly from you; your organization (if using enterprise Services); our Service providers; cookies/SDKs; public or commercially available sources; and, where permitted, partners/affiliates.
4. How We Use Data & Legal Bases
We use data for:
Service delivery and account management: set up accounts, provide features, customer support. Legal bases: contract necessity; legitimate interests; and/or consent as required.
Transactions and billing: process payments, prevent fraud. Legal bases: contract necessity; legal obligation; legitimate interests.
Personalization and analytics: tailor content, measure performance. Legal bases: consent where required (e.g., cookies/SDKs); otherwise legitimate interests.
Marketing and communications: send updates, offers, event notices. Legal bases: consent where required; legitimate interests. You can opt out at any time.
Where we rely on consent, you may withdraw it at any time. Where we rely on
legitimate interests, we balance our interests against your rights.
Applicable frameworks include GDPR/UK GDPR, LGPD (Brazil), PIPEDA (Canada), POPIA (South
Africa), PDPA (e.g., Singapore/Malaysia), and other local laws as relevant.
5. HIPAA (US Health Information)
When we act as a Covered Entity or Business Associate under HIPAA, we may process Protected Health Information (PHI). In such cases:
We use and disclose PHI only as permitted by HIPAA and our Business Associate Agreements (BAAs) or as required by law.
We maintain administrative, physical, and technical safeguards to protect PHI and provide breach notifications as required.
Your HIPAA rights (e.g., access, amendment, accounting of disclosures) are honored in accordance with applicable rules.
If applicable, your organization’s Notice of Privacy Practices or our HIPAA Notice will
describe PHI uses in more detail. If HIPAA does not apply to a particular Service, this
section may not apply.
6. Cookies & Similar Technologies
We use cookies, SDKs, and similar technologies to operate the Services, remember preferences,
analyze usage, and (where applicable) personalize content or ads. Where required, we seek
your consent before setting non-essential cookies.
Choices: use our cookie banner or preferences to manage consent; set your browser/device controls; you may opt out of certain analytics/ads where offered.
Signals: we honor applicable browser or platform opt-out signals where legally required (e.g., Global Privacy Control).
7. Sharing & Recipients
We may share data with:
Service providers/processors: hosting, analytics, support, communications, payment processing, security.
Business partners (where you engage such features): integrations or services you connect.
Corporate transactions: in a merger, acquisition, or asset sale, subject to appropriate safeguards.
Legal and compliance: to comply with laws, enforce terms, protect rights, safety, and security.
Affiliates: within our corporate group for the purposes described in this Policy.
We do not sell or share personal data for cross-context behavioral advertising where
prohibited. Where required by law (e.g., certain US states), we provide an opt-out mechanism
for “sale” or “sharing.”
8. International Transfers
Your data may be transferred to and processed in countries outside your own. Where required,
we implement appropriate safeguards such as European Commission Standard Contractual Clauses
(SCCs), the UK International Data Transfer Addendum (IDTA), adequacy decisions, or equivalent
instruments under local laws.
9. Retention
We retain personal data only as long as needed for the purposes described above, including to
comply with legal, accounting, or reporting requirements, and then securely delete or
anonymize it.
Default periods: [insert business-justified retention periods per category, e.g., “Account data: X years after last activity; Transaction data: Y years for tax/compliance; Support tickets: Z months”].
10. Security
We maintain administrative, technical, and physical safeguards designed to protect personal
data, including access controls, encryption in transit and at rest (where applicable), secure
development practices, and vendor due diligence. No system is 100% secure; we assess
incidents and notify regulators and individuals as required by law.
11. Your Rights (Global)
Your rights depend on your location and the applicable law. Subject to conditions and
exceptions, you may have the right to:
Access your data and obtain a copy.
Correct inaccurate or incomplete data.
Delete your data.
Restrict or object to processing (including for direct marketing).
Portability of certain data in a usable format.
Withdraw consent where processing is based on consent.
Limit use/disclosure of sensitive data (where applicable).
Opt out of sale/sharing for cross-context behavioral advertising (where applicable).
Appeal a decision on your request (in some jurisdictions).
How to exercise: Contact us using the details in the Contact section and indicate your region. We will verify your identity and respond within applicable timelines. Authorized agents may submit requests where permitted.
Regional examples: GDPR/UK GDPR (EU/UK); CCPA/CPRA and similar US state laws; LGPD (Brazil);
PIPEDA (Canada); POPIA (South Africa); PDPA (e.g., Singapore/Malaysia). You may also have the
right to lodge a complaint with your local supervisory authority.
12. Children’s Privacy
Our Services are not directed to children under the age of [13/16 – choose per jurisdiction].
We do not knowingly collect personal data from children without appropriate consent. If you
believe a child provided data to us, contact us to request deletion.
13. Automated Decision-Making
We do not engage in automated decision-making that produces legal or similarly significant
effects without human involvement. If we introduce such processing, we will provide required
notices and choices.
14. Changes to This Policy
We may update this Policy from time to time. The “Last updated” date indicates the latest
revision. Material changes will be communicated through the Services or by direct notice
where required.
15. Contact
To ask questions or exercise your rights, contact: info@pilatumedical.com. If applicable in your
region, you may also contact our EU/UK representative or lodge a complaint with your local
authority.
16. Key Definitions
Personal data: information that identifies or can reasonably be linked to an individual.
Processing: any operation performed on personal data (collection, use, disclosure, storage, etc.).
Controller / Processor: the controller is the party that determines the purposes and means of processing; the processor is the party that processes personal data on behalf of a controller.
Sale/Share (US state laws): as defined by applicable law for cross-context behavioral advertising or disclosures for value.
PHI: protected health information regulated by HIPAA.