GDPR Compliance
Our commitment to data protection and privacy
Our Commitment to GDPR
CardioMood SA is fully committed to complying with the General Data Protection Regulation (GDPR). As a Swiss company serving customers in the European Economic Area (EEA), we have implemented comprehensive measures to protect your personal data and uphold your privacy rights.
Data Controller Information
CardioMood SA acts as the Data Controller for personal data collected through our services. Our contact details are:
CardioMood SA
Chemin du Pré-Fleuri 5
1228 Plan-les-Ouates
Geneva, Switzerland
Email: privacy@cardiomood.com
Data Protection Officer
We have appointed a Data Protection Officer (DPO) to oversee our data protection strategy and ensure compliance with GDPR. You can contact our DPO at dpo@cardiomood.com.
Your Rights Under GDPR
Under GDPR, you have the following rights regarding your personal data:
Right to Access (Article 15)
You can request confirmation of whether we process personal data about you and, if so, a copy of that data together with information about the processing (purposes, categories of data, recipients, retention period and source). We provide the first copy free of charge, without undue delay and in any event within one month of your request; we may charge a reasonable fee for further copies.
Right to Rectification (Article 16)
You can request that we correct any inaccurate personal data or complete any incomplete data we hold about you.
Right to Erasure (Article 17)
Also known as the "right to be forgotten," you can request that we delete your personal data, for example when it is no longer necessary for the purpose for which it was collected, when you withdraw the consent on which the processing is based, or when you object to the processing and no overriding legitimate ground exists. Data that we are legally required to keep may be retained for the required period.
Right to Restrict Processing (Article 18)
You can request that we limit the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data.
Right to Data Portability (Article 20)
Where processing is based on your consent or on a contract and is carried out by automated means, you can request to receive the personal data you provided to us in a structured, commonly used, machine-readable format and transmit it to another controller, or ask us to transmit it directly to that controller where technically feasible.
Right to Object (Article 21)
You can object at any time to the processing of your personal data for direct marketing purposes, in which case we will stop that processing. You can also object to processing based on our legitimate interests; we will then stop unless we can demonstrate compelling legitimate grounds that override your interests, rights and freedoms.
Rights Related to Automated Decision-Making (Article 22)
You have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects concerning you or similarly significantly affects you, except where such a decision is necessary for a contract with you, authorised by law, or based on your explicit consent.
Legal Basis for Processing
We process personal data only when we have a valid legal basis:
- Consent: For health data processing, we obtain explicit consent before collection.
- Contract Performance: Processing necessary to fulfill our contractual obligations to you.
- Legitimate Interests: For business purposes, where those interests are not overridden by your interests or fundamental rights and freedoms.
- Legal Obligation: When processing is required by law.
Special Category Data
Health data collected through our wearable devices and platform is considered special category data under GDPR Article 9. We only process this data with your explicit consent and implement enhanced security measures to protect it.
International Data Transfers
When transferring personal data outside the EEA, we ensure adequate protection through:
- Standard Contractual Clauses (SCCs) adopted by the European Commission
- Adequacy decisions of the European Commission for countries it has found to offer an essentially equivalent level of protection (Switzerland is covered by such a decision, so transfers from the EEA to our Swiss operations rely on it)
- Supplementary technical and organizational measures where an assessment of the destination country's law shows they are required
Data Retention
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by law. Health data is retained according to the retention period specified in your consent, and you can request deletion at any time.
Security Measures
We implement appropriate technical and organizational measures to ensure data security:
- AES-256 encryption for data at rest, and encrypted (TLS) connections for data in transit
- Access controls and authentication mechanisms
- Regular security assessments and audits
- Employee training on data protection
- Incident response and breach notification procedures
Data Breach Notification
If a personal data breach is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach (Article 33). If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay (Article 34).
Exercising Your Rights
To exercise any of your GDPR rights, you can:
- Use the privacy controls in your CardioMood account settings
- Email our privacy team at privacy@cardiomood.com
- Contact our Data Protection Officer at dpo@cardiomood.com
- Submit a written request to our registered address
We will respond to your request without undue delay and in any event within one month of receiving it. In complex cases, or where we receive a large number of requests, we may extend this period by up to two further months; we will inform you of any extension and the reasons for it within one month of receiving your request. Before acting on a request we may need to verify your identity.
Supervisory Authority
If you believe we have not adequately addressed your concerns, you have the right to lodge a complaint with a supervisory authority (Article 77). EEA residents can complain to the data protection authority of the member state in which they live, work, or in which the alleged infringement took place. Swiss residents may contact the Federal Data Protection and Information Commissioner (FDPIC), which supervises data protection under the Swiss Federal Act on Data Protection rather than under GDPR.
Updates to This Statement
We may update this GDPR compliance statement from time to time to reflect changes in our practices or legal requirements. We will notify you of significant changes through our website or by email.
Last updated: January 1, 2024