HeartFocus Privacy Policy

Effective Date: September 24th, 2024
Last Updated: September 24th, 2024

At DESKi the security of your personal data is our primary commitment. Before using HeartFocus, please read this Privacy Policy ("the Policy") which explains how we process your personal data and the personal data of the patients you will use the device associated with Heart Focus on (together "Data").

By Data, we mean "any information that identifies or relates to a particular person directly or indirectly, including information designated as personal data or personal information under applicable data protection laws, rules, or regulations".

The Policy details how DESKi processes your Data when you use HeartFocus through the mobile application (“the Services”).

By consenting to access and use the Services, you agree to the terms of collection, use, and sharing of your Data as described below.

Use of the Services is also subject to the General Terms of Use, of which this Policy is a part. 

This Policy does not apply to the use of your data by third-party companies that we do not control, or by individuals who are not under our management.

The conditions for processing your Data may vary depending on where you access the Services. 

The Policy will detail below the specific obligations applicable according to your location.

The Policy provides detailed information on the following elements:

  1. General conditions for processing your Data
    • Who processes your Data?
    • What Data is processed and why is it used?
    • How is your Data protected?
    • How long is your Data retained?
    • Is your Data reused?
  2. Your rights regarding the processing of your Data
    • What are your rights concerning the processing of your Data?
    • What recourse do you have regarding the processing of your Data?
  3. Conditions for sharing your Data
    • Who has access to your Data?
    • Transfer of your Data
  4. Regulations applicable to the use of your Data
  5. Conditions for modifying the Policy

1. General Conditions for Processing Your Data

Who processes your Data?

The company DESKi, a Simplified Joint Stock Company registered under number 818145211 and located at 2-8, 2 PLACE DE LA BOURSE, 33000 BORDEAUX– France, trading name as DESKi («DESKi "), is responsible for processing your Data when you use the Services.

For any information related to the processing of your Data by the Services, you can contact DESKi at any time at the following address:

dpo@deski.io

What data is processed and why is it used?

When using the Heart Focus, two categories of data are processed:

  • Data related to the application user – profile and contact details (“User”s Data”).
  • Data related to patients, for whom the application serves as a tool to input their demographics details and acquire anatomically standard diagnostic-quality 2D echocardiographic views (“Health Data”). The operator ( the “Operator”) handling the ultrasound scanner and Heart Focus is in charge of processing the incoming ultrasound image stream in real-time.

The table below outlines the data categories processed by DESKi, along with the purpose of use for each.

Categories of data Purposes of use
1. User's data
Profile and contact data
  • First name
  • Last name
  • User name
  • Email
  • Organization
 Creation of a user profile and an account for the use of the Services.
Technical and navigation data
  • Technical data
  • IP address (partly pseudonymized)
    For your privacy protection, we anonymize IP addresses by masking the last two segments, ensuring that they cannot be used to identify you personally. This means that only a partial IP address is stored, preventing precise tracking of your location or other personal data.
  • Information related to the device, operating system, and internet browser used to access the Services.
  • Crashes and unhandled exceptions
  • Collection of breadcrumbs, which are events or logs that occur before a crash. These can include user actions (e.g., button clicks, screen navigation) and system events (e.g., network calls, system alerts), providing context for errors.
 Analysis of navigation and technical use of the Services (navigation elements to operate and improve the Services).
2. Health data
  • First name
  • Last name (mandatory, this is the only one)
  • Sex
  • Date of Birth
  • Height
  • Weight
  • Patient ID: identifier within the healthcare organization
  • Number provided by the healthcare organization's imaging service
  • Indications linked the patient's exam
  • Notes linked to the patient's exam
  • A clip for each of the 10 echocardiographic views
 Creation and management of echocardiographic exams.

Your Data is collected via the detection tool provided by an external ultrasound scanner.

We never transmit, share or sell your Data for commercial or marketing purposes. Your Data is collected only for the purposes presented above.

How is your Data protected?

  • User’s responsibility
    The user is responsible for following the security guidelines outlined in the User Manual https://www.heartfocus.ai/user-manuals, including integrating the device into a Mobile Device Management system, protecting the unlock screen with a PIN code or password, and setting the auto-lock duration to 1 minute or less. Android 12 or newer includes built-in security measures, ensuring that no other applications can access HeartFocus data.

    When the Android device screen is locked, the storage access is encrypted.

    You can also contribute to the protection of your Data by choosing and appropriately protecting your password and/or any other connection mechanism, limiting access to your computer or device and your browser, and logging out when you have finished accessing your account.
  • DICOM Images
    All exam data is stored locally on the Android tablet, and the patient data is packaged as DICOM files, with a maximum of 10 files, each corresponding to one echocardiographic clip or view. Each DICOM file contains a complete copy of the patient's data. Once the files are uploaded to the DICOM server, which is configured by the User, they are deleted from the tablet.

How long is your Data retained?

Other than User data that are retained by DESki for twenty four (24) months all Patient data is stored on the device hosting the HearFocus application. Therefore, DESKi or the application do not manage data retention. It is the User's responsibility to determine an appropriate retention period for the data stored on the device or subsequently transmitted to designated servers used by the User.

2. Your Rights Regarding the Processing of Your Data

What are your rights?

Your Data is subject to compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC ("GDPR"). Consequently, you have the following rights relating to the data concerning you, under the conditions of application provided by the current regulations:

  • Right of access to data concerning you,
  • Right to rectification of your inaccurate or incomplete data,
  • Right to erasure of your data,
  • Right to restriction of processing of your data,
  • Right to data portability,
  • Right to withdraw your consent at any time.

To exercise your rights, please contact DESKi’s Data Protection Officer by email at the following address:

dpo@deski.ai

What recourse do you have regarding the processing of your Data?

Subject to applicable laws, you may have the right to file a complaint with your local competent data protection authority regarding any of our activities. If you have any questions about our privacy practices, write to the Data Protection Officer at dpo@deski.ai.

Children’s privacy 

The Services are not intended for children and we do not knowingly collect personal information provided by children under 13 years of age through the Services. If you become aware that a person under 13 is using the Services, please email us at contact@deski.ai We will take the necessary steps to delete this information and/or terminate the child's account.

Age Limit for Residents of the European Economic Area (EEA) and the United Kingdom (UK): Due to legal requirements, we prohibit the use of the Services to residents of the EEA or UK who are under 16 years of age. If you become aware that a person under 16 is using the Services, please email us at contact@deski.ai. We will take the necessary steps to delete this information and/or terminate the child's account.​​​​​​​​​​​​​​​​

3. Conditions for Sharing Your Data

Who has access to your Data?

Your User data will be accessible to DESKi for the purposes outlined above. Health data will be accessible only by the Operator of Heart Focus for the purposes specified above.

Your technical and navigation data may be transmitted to DESKi's partner - sentry in charge of the purposes presented below.

Sentry – Application Monitoring Software 

Collection:

  • crashes and unhandled exceptions
  • collection of breadcrumbs, which are events or logs that occur before a crash. These can include user actions (e.g., button clicks, screen navigation) and system events (e.g., network calls, system alerts), providing context for errors.

If you want more information on how Sentry’s processes Data, please read Sentry' Privacy Policy.

Transfer of your Data

Your technical and navigation data may be transferred to countries where data protection conditions are not considered equivalent to those of the Regulations applicable to the Use of your data. These data may be transmitted to service providers in charge of the purposes presented above. To ensure the same level of data protection, DESKi has implemented appropriate measures provided by Chapter V of the GDPR.

For any information related to the transfer of your Data, you can contact DESKi at the following address: dpo@deski.ai

4. Regulations Applicable to the Use of Your Data

Different local laws may apply to your Data depending on the different conditions of applicability of the laws and your localization. Below are the main applicable regulations (non-exhaustive list):

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC ("GDPR").
  • The Health Insurance Portability and Accountability Act of 1996 ("HIPAA")

    DESKi is classified as a Business Associate under HIPAA and may receive personal data, including protected health information (PHI), from Covered Entities in connection with the Services. Where applicable, we implement technical, administrative, and physical safeguards to protect the confidentiality, integrity, and security of any PHI you provide. These measures are specifically designed to prevent unauthorized access, use, or disclosure of your PHI.

    The collection, processing, use and disclosure of PHI are governed by our HIPAA Privacy Notice.
  • California 
    Knowledge/Access Request: In addition to the other rights mentioned in this Policy, you have the right to request to know (i) the personal and sensitive information we have collected about you and the purposes of use; and (ii) the categories, sources, and third parties involved in the personal information we have collected about you or "sold" or disclosed during the last 12 months. You can exercise your right to request knowledge twice a year, free of charge.

    "Shine the Light" Law: California residents can also request information from us once per calendar year regarding personal information shared with third parties for their own direct marketing purposes. We do not share information with third parties for their own promotional purposes. However, if you have any questions, please email us at contact@deski.ai. You will need to specify "California Privacy Rights Request" in the subject line of the email and include your name, address, city, state, and zip code.

The designation of "Data" in this policy refers to "personal and sensitive information" as defined by California laws.​​​​​​​​​​​​​​​​

For any questions regarding the regulations applicable to your Data, you can contact us at the following address: dpo@deski.ai

5. Conditions for Modifying the Policy

DESKi is constantly improving the Services and, as a result, may need to modify the Policy. You will be notified of these changes during your next connection to the Services following the modification. Where applicable, your consent will be required and collected via the application.

By consenting to access and use of your Data in connection with the Services, you accept the terms of the current Policy when you consent.

6. Contact Information

If you have any questions or comments about this Policy, the ways in which we collect and use your Data or your choices and rights regarding such collection and use, please do not hesitate to contact us at:

  • DESKi, a Simplified Joint Stock Company registered under number 818145211 and located at 2-8, 2 PLACE DE LA BOURSE, 33000 BORDEAUX– France
  • dpo@deski.ai