BONESUPPORT’s Privacy policy

1. Introduction

1.1 Below, it is described how BONE SUPPORT AB, company reg. no. 556800-9939, with the address Scheelevägen 19A, 223 63 Lund, and its affiliates, (“BONESUPPORT”, “us” or “we”), process personal data in relation to you.

1.2 Privacy matters are important to us and your integrity is our priority. Therefore, it is important for us to protect your personal data and ensure that our processing of the data is conducted in a correct and lawful manner.

1.3 In this privacy policy, we explain which types of personal data we may process about you and for what purpose we process them. We also detail our processing of personal data as well as what choices and rights you have in relation to such processing. We kindly ask you to carefully review our privacy policy and acquaint yourself with its content.

1.4 Please note that this privacy policy relates to processing of personal data for which BONESUPPORT is the controller. This means that we are responsible for the processing of your personal data. It also means that you should turn to us with questions or remarks, or if you wish to enforce any of your rights in relation to our processing of your personal data. For any questions regarding our processing of your personal data, integrity or privacy, please contact our data protection officer at privacy(at)bonesupport.com, or using the contact information provided in 8 below.

1.5 Generally, the BONESUPPORT entity that you enter into an agreement with, visit or have other form of contact with is the responsible data controller of your personal data. However, personal data might be shared within the BONESUPPORT group and, thus, other BONESUPPORT group entities may also act as data controller with regards to your personal data. Personal data may be shared by a BONESUPPORT group entity to another, and processed by the receiving BONESUPPORT group entity, in accordance with this privacy policy. In case of such transfer, the receiving BONESUPPORT group entity is the responsible data controller of your personal data for the purpose of which the data was received.

1.6 Sharing of personal data within the BONESUPPORT group is carried out for the purposes of streamlining BONESUPPORT’s business operations and internal administration. The sharing of personal data is carried out on the basis of BONESUPPORT group’s legitimate interest to maintain an effective business structure.

1.7 Appendix A, any local deviations from what is stated in BONESUPPORT’s Privacy Policy due to local legislation or local processing routines are stated under the entity where the local deviation is applicable. Such deviations shall prevail over what is otherwise stated in BONESUPPORT’s privacy policy.

2. The personal data that is processed

2.1 Personal data refers to data that can be attributed to you personally. We may process the following personal data attributable to you as a corporate partner (e.g. suppliers, distributors and research collaborators):

a) name;
b) e-mail address;
c) title/role;
d) organization;
e) business address;
f) phone number; and
g) social security number (for sole traders (Sw. enskilda näringsidkare)).

2.2 We may process the following personal data attributable to you as a healthcare professional:

a) name;
b) title;
c) hospital/company;
d) e-mail address;
e) country;
f) telephone number;
g) remuneration or recovery of costs;
h) participation in educational efforts by BONESUPPORT (including evaluation results); and
i) participation in market research activities.

2.3 We may process the following personal data attributable to site staff and other personnel involved in clinical studies:

a) name;
b) title;
c) organization;
d) e-mail address; and
e) telephone number.

2.4 We may process the following personal data attributable to you as a subscriber to our newsletters:

a) name;
b) e-mail address;
c) company/hospital;
d) country; and
e) area of interest.

2.5 We may process the following personal data attributable to you as a visitor at BONESUPPORT’s premises:

a) name;
b) company; and
c) IP-number.

2.6 We may process the following personal data attributable to you as a website visitor:

a) name;
b) e-mail address;
c) country;
d) specialty/area of interest;
e) title;
f) employer;
g) temporary tracking cookies
h) permanent tracking cookies; and
i) IP-number.

2.7 We may process the following personal data attributable to you as an investor:

a) name;
b) telephone number;
c) company;
d) company address;
e) e-mail address; and
f) time and place for meeting.

2.8 We may process the following personal data attributable to you as a user of box.com:

a) name;
b) e-mail address;
c) access status;
d) user activity; and
e) security logs.

2.9 We may process the following personal data attributable to you as a job applicant:

a) Name;
b) e-mail address;
c) telephone number;
d) CV; and
e) cover letter.

2.10 We may process the following personal data attributable to you as a webinar participant

a) name;
b) e-mail address;
c) country;
d) employer/organization;
e) evaluation results; and
f) IP-number.

3.0 The purpose and legal grounds of the processing

Corporate partners

3.1 Regarding you as a corporate partner (e.g. supplier, distributor or research collaborator), your personal data listed in 1a)-f) is processed for the purpose of, and BONESUPPORT’s legitimate interest in, project management, administering agreements with project participators, administering agreements with partners and following up on support cases. Furthermore, the data is also processed for the purpose of and the legitimate interest in invoicing company partners. If you are a partner to us through a sole trader, our legal basis for the purposes provided above is the performance of our contract with you.

3.2 Personal data listed in 1g) is processed for the purpose of invoicing, and on the legal basis of, performing our contract with the individual behind a sole trader.

Healthcare professionals

3.3 Regarding you as a healthcare professional, your personal data listed in 2a)-i) is processed for the purpose of, and BONESUPPORT’s legitimate interest in, maintaining customer relations, giving feedback, providing support follow-up, establishing new sales channels, administering and facilitating product training, marketing our products and services, invoicing, and fulfilling contracts with county councils and the Royal College of Surgeons of England (for example regarding educational efforts).

3.4 Personal data listed in 2g) is in addition processed for the performance of a contract with the healthcare professional.

3.5 Personal data listed in 2h) is also processed based on BONESUPPORT’s legitimate interest in maintaining records of educational efforts to disclose to the contracting council and the Royal College of Surgeons of England.

Site staff and other personnel involved in clinical studies

3.6 We process personal data attributable to site staff and other personnel involved in clinical studies for the purpose of, and BONESUPPORT´s legitimate interest in, conducting clinical studies.

Subscribers to our newsletters

3.7 We process personal data attributable to you as subscriber to our newsletters for the purpose of providing marketing. The processing of data is based on your consent.

Visitor at BONESUPPORT’s premises

3.8 We process the personal data stated above in 5a)-c) attributable to you as a visitor at the BONESUPPORT’s office for the purpose of, and based on our legitimate interest in, maintaining security, facilitating the delivery of goods, office maintenance, for staff management and for our compliance with legal obligations.

Website visitors

3.9 Regarding you as a website visitor, your personal data listed above in 6a)-f) is processed for the purpose of, and based on our legitimate interest in, providing you with financial information on BONESUPPORT and marketing our products and services.

3.10 Personal data listed above in 6g)-i) is processed for the purpose of, and based on our legitimate interest in, website monitoring and analysis of website activity. Our use of non-necessary cookies is based on your consent.

3.11 For more information on how we process cookies, please see our cookie policy.

Investors

3.12 We process personal data attributable to you as an investor for the purpose of, and based on our legitimate interest in, logging investor meetings to facilitate future contacts and to keep track of such interactions.

Users of box.com

3.13 Box.com is an online storage facility for documents to be shared with distributors, colleagues, employees and sales teams. Where you sign up with box.com, you have a direct relationship with box.com and will be subject to box.com’s terms and conditions and privacy policy.

3.14 Regarding you as user of box.com, we process your personal data listed in above 8a)-b) for the purpose of, and based on our legitimate interest in, facilitate access to the website and to control access to the content of the website.

3.15 Personal data listed in to 8c)-e) is processed for the purpose of, and BONESUPPORT’s legitimate interest in, maintain security.

Job applicants

3.16 We process your personal data attributable to you as a job applicant for the purpose of, and based on our legitimate interest in, facilitating and following up on job applications. In case you wish not to apply for a specific position or wish to enable us to keep your application for future job openings, such processing is based on your consent.

Webinar participants

3.17 Regarding you as a webinar participant, your personal data listed in 10a)-f) is processed for the purpose of, and BONESUPPORT’s legitimate interest in, delivering access to the webinar, logging webinar meetings to facilitate future contacts and to keep track of such interactions.

3.18 Furthermore, the personal data listed in 10a)-f) is also processed for the purpose of analyzing and developing our business, and for marketing communication. The processing of data for this purpose is based on our legitimate interest in improving and marketing our business.

3.19 Personal data listed in 10a)-e) is also processed based on BONESUPPORT’s legitimate interest in maintaining records of educational efforts to disclose to the Royal College of Surgeons of England.

4.0 Storage of personal data

4.1 We store your personal data as long as necessary for us to fulfil the purpose of the processing. We will always process your personal data to the extent and during the period of time that we are required to by law.

4.2 Personal data on corporate contacts which is processed for the purpose of project management, administering agreements with project participators and administering agreements with partners, will be kept as long as is necessary for the performance of the project or the agreement.

4.3 Personal data for the purpose of following up on support cases will be kept until the support case is closed.

4.4 Personal data for the purpose of invoicing will be kept for as long as required by relevant bookkeeping legislation.

4.5 Personal data on healthcare professionals will be kept for as long as there is cooperation with the healthcare professional. For healthcare professionals involved in clinical studies, see section 6 below.

4.6 Personal data on medical staff or another individual involved in clinical studies will be stored for ten years if it is necessary for the initiation of the clinical study, and personal data necessary for the application for marketing authorization will be stored for as long as the time agreed between us and the investigator of the clinical study.

4.7 Personal data related to subscribers to our newsletter and webinar participants that consent to processing of personal data for marketing purposes will be kept until the consent is withdrawn.

4.8 Regarding visitors and BONESUPPORT’s premises, personal data in the form of IP-number will be stored for eight days. After this period the data is automatically deleted. Data in the form of name and company will be kept for three months after the visit, or during the longer period of time required by law.

4.9 Personal data on website visitor will be stored for as long as we provide you with financial information and marketing. Temporary tracking cookies are saved until the browser is closed and the permanent cookies are saved for six months.

4.10 Personal data on investors will be kept for one year.

4.11 Personal data on users of box.com will be kept during for as long as you are a user of the service.

4.12 Personal data on job applicants is only kept for the term of the recruitment period or, if you have provided your consent to it, until the consent is withdrawn, but for a maximum of two years.

4.13 Personal data on webinar participants processed for the purpose set forth in section 17 will be kept for one year.

4.14 Personal data on webinar participants processed for the purpose set forth in section 19 will be kept for two years from the date of the webinar.

4.15 If your personal data is no longer necessary for us in order to fulfil the purpose of the processing, or if the processing for any other reason is no longer allowed, the data will be anonymized or deleted.

5.0 Recipients

5.1 We may disclose your personal data with our group companies.

5.2 We may share your personal data with appropriate third parties including:

  • Companies providing hosting services or IT- and cloud services, our business partners, clinical study partners, customers, suppliers and sub-contractors for the performance of any contract we enter into or other dealings we have in the normal course of business with you or the person that you work for;
  • our auditors, legal advisors and other professional advisors or service providers;
  • credit reference agencies for the purpose of assessing your credit score where this is in the context of us entering into a contract with you or the person that you work for.

5.3 We may share personal information obtained via our website to third parties analytics and search engine providers that assist us in the improvement and optimisation of our site and subject to the cookie policy.

5.4 We will also disclose your personal information to third parties:

  • In the event that we sell or buy any business or assets, in which case we will disclose your personal data to the prospective seller or buyer of such business or assets subject to the terms of this privacy policy.
  • If BONESUPPORT or substantially all of its assets are acquired by a third party, in which case personal data held by it about its customers will be one of the transferred assets.
  • If we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce or apply our terms of supply terms and other agreements with you or the company you work for; or to protect the rights, property, or safety of our customers or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction and to prevent cybercrime.

5.5 In such cases, data processing agreements will be entered into when necessary to make sure that your personal data is processed only in accordance with this privacy policy.

5.6 Your personal data may be transferred to such third parties, data processors and BONESUPPORT Group entities outside of the EU/EEA as listed above. In these cases adequate safety measures will be implemented to ensure that your personal data is protected. For information on the safety measures applied, please contact us at privacy(at)bonesupport.com.

6.0 Your rights

6.1 You have the right to receive confirmation on whether or not we process personal data concerning you, and in such cases get access to such personal data and also information regarding the personal data and how we process it.

6.2 You have the right to have inaccurate personal data concerning you rectified without undue delay. Taking into account the purposes of the processing, you also have the right to have incomplete personal data about you completed.

6.3 You have, under certain circumstances, the right to have personal data concerning you erased, for example if the personal data are no longer necessary in relation to the purposes for which they were collected or if the personal data have been unlawfully processed.

6.4 In some circumstances you have the right to obtain restriction of the processing of your personal data. For example if you contest the accuracy of the personal data, you can also require that we restrict the processing of your personal data for such a period that enables us to verify the accuracy of the personal data.

6.5 You have the right to object to processing of your personal data that is based on our legitimate interests. If this is done, we must provide compelling legitimate grounds for the processing which overrides your interests, rights and freedoms, in order to proceed with the processing of your personal data.

6.6 You have the right to object to the processing of your personal data for direct marketing purposes. In case of such an objection, we will no longer process your personal data for that purpose.

6.7 You have the right to withdraw a consent provided by you at any time by contacting us. If your consent is withdrawn, we will no longer process your personal data for the purpose that you had given your consent to. However, personal data attributable to you as a subject in clinical studies can be processed even though the consent is withdrawn if the processing is necessary due to scientific research purposes.

6.8 You have the right to receive the personal data relating to you and that you have provided to us, in a commonly used electronic format. You have the right to transmit that data to another controller (data portability).

6.9 You have the right to complain on the processing of your personal data by lodging a complaint to the applicable Data Protection Authority.

7.0 Additions and amendments

We may make additions or amendments to this privacy policy. If we do so, we will publish the amended policy to our website. In such case, we kindly ask you to carefully review the updated privacy policy.

8.0 Contact us

To update, rectify or erase data we have about you or to enforce your rights as described above, you are welcome to contact our data protection officer at privacy(at)bonesupport.com, or at the address BONESUPPORT, Att: Data Protection Officer, Scheelevägen 19 SE-223 70 Lund, Sweden, or by calling +46 46 286 53 70.
__________________________

This privacy policy enters into force on 2 June 2021

Appendix A – Local deviations

Below, any local deviations from what is stated in BONESUPPORT’s privacy policy due to local legislation or local processing routines are stated under the entity where the local deviation is applicable. Such deviations shall prevail over what is stated in BONESUPPORT’s privacy policy. For contact details to these subsidiaries, please e-mail privacy(at)bonesupport.com.

1.0 BONESUPPORT INC, the US

1.1 In addition to the personal data stated in a) – g) above in the privacy policy, the following data can be processed regarding contact persons with corporate partners:

h) vendor name;
i) remittance address;
j) vendor address;
k) SSN or EIN;
l) NPI for Physicians;
m) W9 Form;
n) bank account; and
o) bank routing number.

1.2 The personal data stated in g)-n) above are processed for the purpose of complying with legal obligations relating to taxation, regulation regarding transparency in financial relationships with healthcare professionals. The personal data is also processed for the purpose of, and the legitimate interest in, transferring money to collaboration partners.

2.0 BONESUPPORT GmbH, Germany
2.1 Not applicable.

3.0 BONESUPPORT GmbH, Switzerland
3.1 Not applicable.

4.0 BONESUPPORT UK, Ltd, United Kingdom
4.1 Not applicable.

5.0 BONE SUPPORT B.V., Netherlands
5.1 Not applicable.

6.0 BONE SUPPORT B.V., Netherlands
6.1 Not applicable.

7.0 Bonesupport ApS, Denmark
7.1 Not applicable.

8.0 BONESUPPORT S.L, Spain
8.1 Not applicable.