Heartstream Privacy Notice
Last updated: October 2025
This privacy notice tells you who we are, what personal data we collect about you, why we collect it, and what we do with it. Keep in mind that, for the purposes of this Privacy Notice, personal data means any information or set of information that directly or indirectly identifies you, such as your name, email or phone number. This privacy notice covers how Heartstream or a Heartstream-affiliated entity handles your personal data when you interact with us, in your capacity as consumer, business customer, supplier, business partner, candidate, visitor, research participant, shareholder, or other person with a business relationship with us. Please take a moment to familiarize yourself with this Privacy Notice.
Who we are
Unless otherwise stated in this Privacy Notice or in a product or service specific privacy notice, the controller of your personal data (as well as the controller’s representative in the European Union) is Heartstream US LLC
Postal address:
c/o Heartstream Legal Department
22100 Bothell-Everett Highway
Bothell, WA 98021
USA
How we use your personal data
This depends on the situation; scroll down to the applicable activity to find out.
1. Visiting our offices
In our Heartstream offices we meet visitors such as job applicants, suppliers and tradespeople, stakeholders, and any other individuals who may need to interact with Heartstream personnel.
If you visit our Heartstream premises, you should be aware that we may request your personal data to provide you with a personalized badge, which will give you access to our offices. We may also make use of CCTV systems (or other video devices) to record specific spaces of our premises. When we use such video devices, we place warning signs to ensure you are aware that we will record images or videos.
Why we process your personal data
We process your personal data for the following purposes:
- To maintain the safety and security of Heartstream employees, visitors, guests, and Heartstream property and assets;
- To safeguard Heartstream’s legitimate interests, such as investigating non-compliance with Heartstream policies and procedures, potential criminal activities (for example: suspected theft of company or personal property), and other incidents or accidents on our premises; and
- To initiate disciplinary and judicial processes and procedures, including preserving evidence and disclosing recordings for legal claims and proceedings.
What personal data we process
We process the following categories of personal data:
- When providing you with a personalized badge, so you can access our offices, we ask for your name and visit information.
- When using CCTV systems, we process video recordings of you (specifically: your image as captured on the CCTV system).
Lawful basis for processing
The lawful basis we rely on to process your personal data for the purposes described in this section is our legitimate interest, in particular to protect fundamental rights, such as the right to liberty and security, the right to property, and the right of defense.
Who is the controller of your data
The controller of your personal data is the Heartstream affiliate in the country where you visited our premises, identified in our Terms of Use (see the footer) as being the operator of this website.
2. Reporting your concerns as a whistleblower
We care about being a responsible partner in society, acting with integrity towards our employees, customers, business partners, shareholders, and the wider community. We always strive to pursue our business objectives in a responsible manner and to ensure we are doing the right thing. If you know of any ethical breaches regarding Heartstream business, you can report your concern through Heartstream Speak Up, a reporting website and toll-free telephone service. You can do so anonymously (if allowed under local law). If you reveal your identity, your complaint and your personal data will be formally registered in the Heartstream Complaints Database. Any reported concern will always trigger a thorough follow-up procedure.
Why we process your personal data
We process your personal data so we can:
- Investigate potential violations of our business principles or actions that might constitute a threat to Heartstream’s corporate integrity; and
- Take any action that might be necessary to ensure that we do business in a responsible manner and in compliance with local laws and regulations.
What personal data we process
If you report a concern via our Heartstream Speak Up, we process the following categories of personal data:
- If you reveal your identity: your name, phone number, e-mail address, the best time to contact you, and your relationship with Heartstream (former employee, vendor, customer, or other), but only if you choose to supply this information.
- The name and other personal data of any persons you name in your report, but only if you choose to supply this information.
- Details about the incident you are reporting (time, place, location, circumstances, a description of what happened, the possible effects on the Heartstream entity, and whether the management is aware of this issue).
Lawful basis for processing
The lawful basis we rely on to process your personal data for the purposes described in this section is our legitimate interest, in particular our necessity to conduct business in a responsible manner and in line with local laws and regulations and to protect fundamental rights, such as the right to liberty and security, the right to property, the right of defense, and the freedom to conduct a business.
With whom we share your personal data
Your personal data is registered in the Heartstream Complaints Database; from there it will be sent, on a strictly need-to-know basis, to the appropriate persons within Heartstream. This means the information may be shared with the assigned investigator(s), the compliance function, and in some situations members of Group Legal, or outside Heartstream (for example: forensic auditors or legal counsel) who require this information to ensure compliance with the reporting policy and with legal or regulatory obligations, or as input for subsequent judicial proceedings.
3. Making a privacy or security request
We work to high standards when it comes to processing your personal data. Therefore, as described in this Privacy Notice, if you want to exercise your privacy rights, ask us questions about our privacy or security practices, or submit a complaint regarding privacy or security, please do so (you’ll find the contact form in the relevant section of this Privacy Notice) and we’ll do our best to address your request. Your request and your personal data will be formally registered into an electronic file, and this will trigger an internal process aimed at satisfying, to the extent possible, your inquiry.
Why we process your personal data
We process your personal data to comply with the privacy and data protection laws and regulations we are subject to.
What personal data we process
If you submit a privacy or security request to us, we require certain information from you to respond to you and to adequately address your inquiry. We require the following:
- Your e-mail address;
- Your relationship with Heartstream (consumer, employee, job applicant, or other).
If you want, you can also disclose your full name, your country, your preferred language, your phone number, your organization, and any other information you include in your inquiry.
Lawful basis for processing
The lawful basis we rely on to process your personal data for the purposes described in this section is our need to comply with the privacy and data protection laws and regulations we are subject to.
4. Applying for a job or interacting with us for job opportunities
Our recruitment process is designed to help us find people who share our passion for improving lives through meaningful innovation and to help you find out if Heartstream is the right place for you, which may include:
- Applying for a job on our career website, which may be hosted or managed by a third party; and
- Interacting with us (for example, with our recruiters) for job opportunities.
Why we process your personal data
We process your personal data for the following purposes:
- Providing the functionality of our career website to you, which may include a registered account and submitting applications via the career website;
- Assessing your skills, qualifications and suitability to work for Heartstream against the position you applied for and/or other career opportunities;
- Asking you if you would like us to retain your details in our talent pool. If you agree, we can proactively contact you if any suitable vacancies arise;
- Depending on the country of employment and what is allowed by applicable laws, to verify your information, including through reference checks and, where applicable, background checks;
- Communicating with you about the recruitment process;
- Preparing an offer, if your application is successful; and
- Complying with applicable laws and regulations that we are subject to and cooperating with regulators and law enforcement bodies.
What personal data we process
Depending on the specific recruitment activity, we process the following categories of personal data:
- Contact information (such as full name, email address, phone number, country of residence, and home address);
- Data about your skills and qualifications, contained in CVs, cover letters, or other documentation provided to us in your application (such as education history, work experience, and transcripts);
- Data required to conduct background or employment checks, when allowed by applicable laws (such as documents to prove your identity or qualifications);
- Information on the type of employment you are or may be looking for, current or desired salary, other terms relating to compensation and benefits packages, willingness to relocate, and other job preferences;
- Data required to make a conditional offer of employment (such as bank details (to process salary payments) and emergency contact details (to know who to contact in case you have an emergency at work));
- Details of how you heard about the position you are applying for;
- Data originating from assessments or questionnaires completed by you (such as your answer to written assessments);
- In certain cases, you may join optional video interviews and then we may process your image or other data captured by your camera;
- Information relating to any previous applications you may have made to Heartstream;
- Information that you make publicly available that we believe is relevant to your application or a potential future application (such as information in your LinkedIn profile);
- If you’re being referred, we process information that the person referring you provides about you; and
- If required or permitted by local laws, we may also process information of a sensitive nature, such as information about disabilities, but only to the extent relevant for the performance of your work.
Lawful basis for processing
The lawful bases we rely on to process your personal data for the purposes described in this section are:
- Our need to enter into a contract to which you are subject, to meet our contractual obligations, or, at your request, to take pre-contractual steps.
- Our legitimate interest, in particular our necessity to conduct business in a responsible manner and in line with local laws and regulations and to protect fundamental rights such as the right of defense, the right to property, and the freedom to conduct a business.
- Our need to comply with legal obligations we are subject to.
- Your consent, for sending you via email news and updates about Heartstream jobs and recruitment activities and for keeping your details in our talent pool and contacting you for career opportunities.
Who is the controller of your personal data
The controller of your personal data for the purposes described in this section is the Heartstream affiliated company of the country which intends to recruit you (identified in our Terms of Use – see the footer – as being the operator of this website) as well as Heartstream US LLC.
5. Contacting our customer service
If you require assistance or support from Heartstream, you can contact our support team through our website (via chat or web-form), phone (1 800 722-9377) or social media, and they will do their best to answer your questions and provide you with the required support.
Why we process your personal data
We process your personal data for the following purposes:
- To answer your questions and provide you with required support, including keeping you up to date on the progress of your case and work order (this may include scheduling, delivering remote/field service activities, including parts ordering (if you are a business customer));
- To verify your identity and support you accordingly;
- To deal with any subsequent issues that may arise from your inquiry, such as for establishing, exercising, or defending ourselves from legal claims;
- To check and improve the level of service we provide; for example, if you contact us by telephone or chat we may record the conversation to educate our team during internal training so that we can improve our customer service support.
- To improve, fix, and customize our products and services;
- To comply with compliance, regulatory, and quality standards and regulations.
- To ask you if you want to receive promotional emails from Heartstream and stay up to date about new and existing Heartstream products and services and about our events (if you want to know more, see the section “Joining our marketing initiatives”).
What personal data we process
If you have a question or request our support, we need you to give us some information, such as your name, e-mail address, telephone number, country, or other information necessary for dealing with your question or inquiry.
Lawful basis for processing
The lawful bases we rely on to process your personal data for the purposes described in this section are:
- Our need to enter into a contract to which you are subject, to meet our contractual obligations, or, at your request, to take pre-contractual steps.
- Our legitimate interest, in particular our necessity to conduct business in a responsible manner and in line with local laws and regulations and to protect fundamental rights such as the right of defense, the right to property, and the freedom to conduct a business.
- Our need to comply with legal obligations we are subject to.
6. Purchasing Heartstream products online
You can purchase Heartstream products and services in our online shops. As a consumer, you can either use your MyHeartstream account or check out as guest. As a professional (for example, if you are a healthcare professional or a distributor and you want to purchase our healthcare products from our Heartstream healthcare shop), you’ll need to create a company or professional account.
Why we process your personal data
We process your personal data for the following purposes:
- To handle your orders and process the payment. In this context, we may process your personal data to prevent and detect fraud and abuse to protect the security of our customers, Heartstream, and others. We may also use scoring methods to assess and manage credit risks;
- To deliver the purchased products and services to the delivery address you provide to us. To do so, we work together with our distribution partners (who help us to prepare and correctly process your package) and with our logistic partners (who deliver your package to the chosen address);
- To update you via email on the status of your order;
- To contact you via email for transactional and technical support;
- To enable you to consult your order history, save your favorite items or create wish lists, and manage your subscriptions, if any;
- To comply with laws and regulations we are subject to (for example, for tax purposes we are obliged to store the details of every purchase).
Keep in mind that certain Heartstream products and services available in our Heartstream online shop for consumers are sold to you by one of our partners, as indicated in the terms and conditions of sale that will be shown to you before finalizing your order. This means that if you place an order with one of our partners, we will share your personal data (such as your name and address) with that partner so that it can execute the agreement you have entered into and therefore fulfill your order and send you the invoice. The partner may also use your personal data to update you on the status of your order and to provide you with the required customer support. If you want to know more about how our partner will process your personal data, we invite you to read its privacy notice, which we will make available to you in our online shop.
What personal data we process
We process the following categories of personal data:
- Your Account data (if you purchase a product with your Heartstream account);
- Name and Email (if you purchase a product as a guest);
- Shipment and invoice address;
- Invoice/receipt information, which includes the purchased product and service;
- Payment information (such as your credit card number). Please note that we never store your payment information. When you submit a payment, your payment information will be directly sent to our trusted payment provider, which will connect to your bank to validate the transaction.
- If you purchase our products or services in your capacity as healthcare professional: your position/title in your company, your company name and type, your buying preferences, and your company’s shipping/billing address.
In certain cases, you may choose to also provide us with your phone number (optional) if you want our trusted shipment provider to contact you via phone in case of delivery issues or if you want our support team to contact you via phone in case of issues with your order.
Lawful basis for processing
The lawful bases we rely on to process your personal data for the purposes described in this section are:
- Our need to execute our Terms and Conditions of Sale with you, in particular our contractual obligation to manage your order;
- Our legitimate interest, in particular our necessity to conduct business in a responsible manner and in line with local laws and regulations and to protect fundamental rights such as the right of defense, the right to property, and the freedom to conduct a business. This applies when we conduct fraud checks;
- Our need to comply with legal obligations we are subject to. This applies, for example, when we process details of your purchase for tax purposes.
Who is the controller of your personal data
The controller of your personal data for the purposes identified in this section is the Heartstream affiliated company identified in our Terms and Conditions of Sale, made available to you on our website.
If you place an order in our Heartstream shop for consumers with one of our partners, the controller of your personal data is: (i) Heartstream International BV for collecting your order and processing the payment; and (ii) the relevant partner identified in its terms and conditions of sale or in its privacy notice, for fulfilling your order, sending you the invoice and providing the requested customer support.
7. Interacting on social media about Heartstream
If you actively communicate about us or our brands on social media and other public external sources (for example, if you share a comment about a Heartstream product or if you tag Heartstream in your post) we may process personal data about you that you make publicly available. For example, we may analyze and monitor publicly available opinions or statements that you make about Heartstream.
Why we process your personal data
We process your comments or posts (which may include your personal data) for the following purposes:
- To respond to your comments and questions or provide you with the required support.
- To gain a general understanding of what people are saying about us and our brands and improve our products and services accordingly.
What personal data we process
For the purposes described above, we may process any information about you that is contained in any comments or other content about Heartstream that you make publicly available on social media and other public external sources. This may include information such as your name (or nickname), profile picture, or country.
Lawful basis for processing
The lawful basis we rely on to process your personal data for the purposes described in this section is our legitimate interest, in particular our necessity to conduct business in a responsible manner and in line with local laws and regulations and to protect our fundamental right to conduct a business.
8. Providing your ratings and reviews for Heartstream products
If you want, you can rate and review our Heartstream products online. This helps us to create an open forum where our customers can find and exchange truthful and meaningful comments about our products.
Why we process your personal data
We process your personal data for the following purposes:
- To verify that your review is in line with our terms and that it does not contain misleading or inaccurate claims regarding the performance of the product (for example, off-label promotion or not in line with our instructions for use);
- To publish your rating and reviews online and give others the opportunity to learn from your experience with our products;
- To gain a general understanding of what people are saying about us and our brands and improve our products and services accordingly;
- To contact you to offer our assistance if your review indicates that you are not satisfied with our product or service.
- To contact you in case of health and safety or liability issues.
What personal data we process
We process the following categories of personal data: email, location, age, gender, number of people living in your household, period of usage of our Heartstream product.
If you provide your rating and write a review, we will not make your email visible to other visitors. We will make visible the other information that you provide to us, as this helps us to create an open forum where our customers can find and exchange truthful and meaningful information around our products.
In addition, to respect your privacy, we encourage you to provide a nickname and not your real name when leaving your review.
Lawful basis for processing
The lawful bases we rely on to process your personal data for the purposes described in this section are:
- Our need to execute our Terms and Conditions;
- Our legitimate interest, in particular our necessity to conduct business in a responsible manner and in line with local laws and regulations and to protect fundamental rights such as the right of defense, the right to property, and the freedom to conduct a business. This applies when we process your personal data to improve our products and services and when we contact you to provide assistance.
- Our need to comply with legal obligations we are subject to. This applies, for example, when we contact you for health and safety issues.
9. Attending Heartstream events
We organize physical and digital events, such as seminars, workshops or fairs, meetings, webinars, or live broadcast events. If you wish to attend one of our events, we will ask you to provide us with your personal data (such as your contact information).
We don’t publish lists of attendees for our events but, in rare cases, your contact information may be visible to other attendees.
Sometimes our events will be recorded. If we are recording and you are a presenter, your image and audio will be captured in the recording. If you are an attendee, you may decide to share your image and audio during the session, for example, if you choose to interact in a Q&A session. For some events, we may publish the recording on our website or social media channels.
Why we process your personal data
We process your personal data for the following purposes:
- To organize and facilitate the event and provide you with an acceptable service. This may include activities such as contacting you about the event logistics, handling any dietary requirements or access provision you may need (if we do so, we don’t share this information in any identifiable way with the venue, and we delete it after the event), and providing you access to the content of the event (for example, a link to the recording after the event has concluded);
- To contact you after the event for commercial opportunities about Heartstream products or services.
What personal data we process
We process the following categories of personal data:
- Contact information, such as your name and email, and country;
- Professional information, such as your company name, job title, specialty, and function.
- Product/service interest
Lawful basis for processing
The lawful basis we rely on to process your personal data for the purposes described in this section is our legitimate interest, in particular our necessity to protect fundamental rights such as the right to property and the freedom to conduct a business.
Unless otherwise required by applicable law, when we collect any information about dietary requirements or other access requirements, we do so with your consent as this type of information is classified as special category of personal data.
Who is the controller of your personal data
The controller of your personal data is the Heartstream affiliated company of the country where you join the event or from where the event is organized, identified in our Terms of Use (see the footer) as being the operator of this website.
10. Joining our marketing initiatives
If you want, you can join our marketing initiatives and stay up to date about Heartstream products, services, and promotions. Below, we’ll give you an overview of our marketing initiatives and we’ll explain, for each of them, how we process your personal data.
Promotional Emails
Why we process your personal data and what personal data we process
You can choose to receive promotional emails from Heartstream and stay up to date about Heartstream products and services and about our events. This means that if you give us your consent, we will provide you with promotional emails – or, if you are a business customer, we will engage with you about commercial opportunities – that are relevant and interesting to you. For example:
- If you accepted the targeted advertising cookie category when browsing our website, we track your interaction with our websites and mobile apps to see what you are interested in. If you give us your consent to receive promotional communications, we will use the data about your interaction with our websites and mobile apps to send you promotional communications that are relevant and of interest to you. For example, if you viewed a certain product on our website, we may send you promotional emails about such product or similar products.
- If you give us your consent to receive promotional emails, we will send you such promotional emails. We track whether you open, read, or click on the content of the promotional email that you’ve received from us. For example, if you click on a certain product (within the promotional email that you have received), we may send you promotional emails about such product or similar products.
- If you give us your consent to receive promotional communications via our dedicated forms published on our websites or social media pages, we will use the data that you provide to us via these forms (such as your name and email, job title/company, and specialty or area of care (if you subscribe via the Customer forms directed at Professionals or Customer representatives)) and information about your country to send you promotional communications that are relevant and of interest to you. For example, if we notice that you are regularly viewing our AEDs from a specific country, we may send you promotional communications about AEDs or similar products in the language of that country.
- If you give us your consent to receive promotional communications while you are interacting with our support team, we will use certain data that you provide to us (such as your email and the type of product/service for which you requested assistance) to send you promotional communications that are relevant and of interest to you. For example, if you requested assistance with an AED, we may send you promotional communications about AEDs or similar products.
We may combine the data we collect about you from the Heartstream sources listed above and place them in one or more segments (groups having certain characteristics in common) to tailor our promotional emails to your interest.
Lawful basis for processing
The lawful bases we rely on to process your personal data for the purposes described in this section are:
- Your consent; as a general rule, we will send you promotional communications only if you have provided your prior consent. You can withdraw your consent to receive our tailored promotional emails at any time by clicking the unsubscribe button at the bottom of the promotional email that you receive from Heartstream, and you will be automatically unsubscribed.
- Our legitimate interest, in particular our necessity to protect fundamental rights, such as the freedom to conduct a business.
Who is the controller of your personal data
The controller of your personal data is the Heartstream affiliated company of the country where you signed up to receive promotional emails (identified in our Terms of Use – see the footer – as being the operator of the website).
Social media advertising
We use social media to keep you updated about new and existing Heartstream products and services and to build a commercial relationship with you.
Why we process your personal data and what personal data we process
We process your personal data to reach out to you – via social media – with promotional communications or ads about new and existing Heartstream products and services and about our events. For example, if you have accepted the targeted advertising cookies on our website, we may track your usage of our websites (such as the actions you have taken on our website) and show you relevant Heartstream ads on your social media.
If you give us your consent to receive promotional communications (e.g. via our dedicated forms published on our websites), we may provide your personal data (such as your email) to social media providers so as to show you relevant Heartstream ads on such social media.
If you are a representative of an existing or potential (prospective) Heartstream customer or business partner, we may use your personal data to engage with you – via social media (e.g. LinkedIn) – for commercial opportunities.
Lawful basis for processing
The lawful bases we rely on to process your personal data for the purposes described in this section are:
- Your consent; this applies before we collect data about your behavior on the website and place the relevant cookies and similar technologies on your device, and when we use your consent to receive marketing communications to target you on social media via our partners;
- Our legitimate interest, in particular our necessity to protect fundamental rights, such as the freedom to conduct a business. This applies when we process your personal data to build your (prospect) customer profile and engage with you via social media for commercial opportunities.
Who is the controller of your personal data
The controller of your personal data is the Heartstream affiliated company of the country where you signed up to receive promotional emails (identified in our Terms of Use – see the footer – as being the operator of the website).
11. Complying with our regulatory obligations
As a manufacturer of medical devices, we are subject to regulatory obligations concerning the placing on the market, making available on the market, or putting into service of medical devices for human use and accessories for such devices. Therefore, we continuously process personal data to ensure compliance with our regulatory obligations as a manufacturer of medical devices.
Why we process your personal data
We process personal data for the following purposes:
- To report any serious incident to health authorities after they have established the causal relationship between that incident and the device, or that such a causal relationship is reasonably possible;
- To analyze and report on statistically significant increases (either frequency or severity) of non-serious incidents or side-effects that may affect the device’s risk-benefit analysis;
- To analyze, investigate, and take field corrective actions as appropriate in relation to serious incidents.
What personal data we process
We process the following categories of personal data:
- Contact information relating to reporters of incidents;
- Information about patients/other individuals contained in the incident/complaint/feedback; and
- Log files or medical images, which may contain patients’ details such as age, sex, weight.
We have no access to directly identifiable information about patients; it is kept confidential by the relevant healthcare provider and is not required for the processing operations we undertake.
Lawful basis for processing
We process your personal data to comply with a legal or regulatory obligation to which Heartstream is subject when we manage complaints and when we report (a) adverse events to competent authorities and (b) trends of statistically significant increases (in frequency/severity) of non-serious incidents;
We process your personal data to perform an activity carried out in the public interest when we investigate incidents to identify root cause and needed preventive, corrective, and field safety corrective action;
We process your personal data to detect trends of statistically significant increases (in frequency/severity) of non-serious incidents.
How long we keep your personal data
As a manufacturer, Heartstream is required to keep its devices’ technical documentation up to date and available for the competent authorities for a period of at least 10 years after the last device covered by the same declaration of conformity has been placed on the market (i.e. sold).
Who is the controller of your personal data
The controller of your personal data is the Heartstream affiliated company who is the manufacturer of the medical device as indicated in the regulatory label of the relevant device.
12. Conducting clinical investigations
We perform clinical investigations to assess the safety or performance of our medical devices. In this context, we process the personal data of human subjects.
Why we process your personal data
We process personal data for the following purposes:
- To perform clinical evaluation to confirm the safety and performance of our medical devices prior to placing them on the market;
- To conduct clinical investigations to: (i) establish the suitability of the design, manufacture, and packaging of our medical devices for their intended purpose under normal conditions of use; (ii) establish and verify the clinical benefits of the medical device for patients and to establish and verify the clinical safety of the device; and (iii) determine undesirable side-effects and to assess whether those risks are acceptable risks when weighed against the health benefits of the medical device.
- To perform and update the clinical evaluation of medical devices and to perform post-market surveillance.
What personal data we process
We process the following categories of (retrospective) data:
- General information about patients (such as age, category, and sex);
- Data concerning health, depending on the type of medical device that was the subject of the clinical investigation.
We have no access to directly identifiable information about patients; it is kept confidential by the relevant healthcare provider and is not required for the processing operations we undertake.
Lawful basis for processing
Unless differently required by applicable law:
- When we conduct clinical investigations to comply with medical device manufacturer’s obligations (for example, when assessing the safety, performance, or quality of our medical devices), we do so to carry out an activity in the public interest.
- When we conduct clinical investigations to make better products or to improve healthcare, we do so to carry out an activity in the public interest.
- When we report serious adverse events that take place during a clinical investigation, we do so to comply with a legal or regulatory obligation to which Heartstream is subject.
Who is the controller of your personal data
The controller of your personal data is the Heartstream affiliated company who is the manufacturer of the medical device or the sponsor of the clinical investigation, indicated in the study documentation or in other relevant documentation provided by the healthcare provider.
In some cases, clinical investigations are jointly performed by the Heartstream affiliated company who is the manufacturer of the medical device (indicated in the study documentation or in other relevant documentation provided by the healthcare provider) together with other Heartstream affiliated companies.
13. Conducting clinical studies
We perform clinical studies to fulfil various purposes, such as complying with our medical device manufacturer’s obligations or to develop and improve the (safety or) performance of the medical device, enhancing healthcare. In this context, we process personal data of human subjects.
Why we process your personal data
We process personal data for the following purposes:
- To perform clinical studies about the medical device based on legal obligations to which Heartstream is subject;
- To perform and update the clinical evaluation of the medical device and to perform post-market surveillance.
- To evaluate, assess, test, develop, or improve the (safety or) performance of our medical device, with the aim to make better products and thereby improve healthcare.
What personal data we process
We process the following categories of (retrospective) data:
- General information about patients (such as age, category, and sex);
- Data concerning health, depending on the type of medical device that was the subject of the clinical investigation.
We have no access to directly identifiable information about patients; it is kept confidential by the relevant healthcare provider and is not required for the processing operations we undertake.
Lawful basis for processing
Unless differently required by applicable law:
- When we conduct clinical studies to comply with medical device manufacturer’s obligations (for example, when assessing the safety, performance, and quality of our medical devices) we do so to carry out an activity in the public interest.
- When we report serious adverse events that take place during a clinical study, we do so to comply with a legal or regulatory obligation to which Heartstream is subject.
- When we conduct clinical studies to evaluate, assess, test, develop, or improve the (safety or) performance of medical devices, with the aim to make better products and thereby improve healthcare, we do so based on the scientific research exemption or, where required, based on consent.
Who is the controller of your personal data
The controller of your personal data is the Heartstream affiliated company who is the manufacturer of the medical device or the sponsor of the clinical study, indicated in the study documentation or in other relevant documentation provided by the healthcare provider.
In some cases, clinical investigations are jointly performed by the Heartstream affiliated company who is the manufacturer of the medical device (indicated in the study documentation or in other relevant documentation provided by the healthcare provider) together with other Heartstream affiliated companies.
14. Managing your commercial relationship with us
If you have a commercial relationship with Heartstream – as a (prospective) supplier, business customer, or partner – we want to ensure that our relationship with you is founded upon transparency, clear accountability, and trust. To manage this relationship with you and to ensure compliance with applicable laws, we may process personal data.
Why we process your personal data
We process your personal data for the following purposes:
- To communicate with you, for example by answering your requests or sending transactional communications;
- To initiate, plan, and maintain our (contractual) relationship with the customer, supplier, or business partner you represent, for example by contracting, processing payments, accounting/billing/invoicing, managing credits, managing shipping and deliveries, and handling repairs;
- If you are a business customer, to provide you with the requested products and services, such as providing technical support;
- If you are a business customer, to give you access to our Customer Service portal.
- To provide you (or your representatives) with trainings or demos;
- If you are a business customer, to extend credit to you, if you request it.
- To ensure compliance with our General Business Principles and other applicable laws and regulations that we are subject to, such as conducting screenings to assess what compliance and (commercial/credit) risks are associated with potential business relationships or collecting/responding to quality complaints regarding our medical devices.
What personal data we process
To manage our business relationship with you and ensure compliance with applicable laws, we process the following categories of personal data:
- Contact information, such as full name, job title/role, business email, business address, and business phone number;
- Payment information, such as data necessary to process payments;
- Publicly available data, such as information relating to owners, majority shareholders, top-level management, or executives of our suppliers and business partners, collected from trusted publicly available sources;
- Data you provide to us, for example if you interact with a Heartstream representative;
- Information about individuals that report adverse events or make quality complaints, including healthcare professionals, such as name, email, and postal address.
- Device data, such as log-files.
Lawful basis for processing
The lawful bases we rely on to process your personal data for the purposes described in this section are:
- Our need to enter into a contract to which you are subject, to meet our contractual obligations, or, at your request, to take pre-contractual steps.
- Our legitimate interest, in particular our necessity to conduct business in a responsible manner and in line with local laws and regulations and to protect fundamental rights such as the right of defense, the right to property, and the freedom to conduct a business.
- Our need to comply with legal obligations we are subject to.
15. Accomplishing other legal and business purposes
As necessary, we may have to fulfill other legal and business purposes. In this context, we may process personal data.
Why we process your personal data
We process personal data for the following purposes.
- Business process execution and internal management. This purpose includes activities such as conducting (internal) audits and investigations, management of alliances, ventures, mergers, acquisitions and divestitures, re-organizations or disposals, and integrations with purchasers.
- Develop and improve applications, products, systems, and services.
- Security and protection of interests and assets of Heartstream, its customers and business partners, including the safeguarding of the security and integrity of their business sector. In particular, it includes activities such as detecting, preventing, investigating, and combating (attempted) criminal or objectionable conduct directed against Heartstream, its employees, or other individuals, and activities such as those involving health and safety, authentication of customer, supplier or business partner status, and access rights and activities, such as deploying and maintaining technical and organizational security measures.
- Protection of Heartstream’s intellectual property rights. This purpose includes activities such as filing and managing intellectual property rights of Heartstream, and it may require the processing of personal data of inventors and other individuals.
- Creation and disclosure of promotional material. This purpose includes activities such as using photos and videos (which may contain data relating to individuals) in promotional material, which may be disclosed to customers or made available online.
- Compliance with legal obligations. This purpose includes processing personal data in connection with the performance of a task carried out to comply with a legal obligation to which Heartstream is subject, including the disclosure of personal data to government institutions or supervisory authorities, including tax authorities and other competent authorities for the sector in which Heartstream operates.
- Defense of legal claims. This purpose includes activities such as preventing, preparing for or engaging in dispute resolution.
What personal data we process
Depending on the specific purpose, we process various categories of personal data (such as contact information data and any other information required to fulfill the above purposes).
Lawful basis for processing
The lawful bases we rely on to process your personal data for the purposes described in this section are:
- Our need to enter into a contract to which you are subject, to meet our contractual obligations, or, at your request, to take pre-contractual steps.
- Our legitimate interest, in particular our necessity to conduct business in a responsible manner and in line with local laws and regulations and to protect fundamental rights, such as the right of defense, the right to property, and the freedom to conduct a business.
- Our need to comply with legal obligations we are subject to.
- The consent of the relevant individuals;
- Any other legal ground permitted by applicable laws.
Unless we need your personal data to comply with laws and regulations, you are not obligated to provide us with your personal data. If you choose not to provide us with your personal data, in many cases we will not be able to provide you with the products or services you requested or respond to your requests.
Visiting our websites
When you visit our websites, we place cookies and other similar technologies on your browser or device that help us to enable the technical and functional management of our websites (including ensuring information security), to improve the design and performance of our websites, and to better understand the visitor’s behavior on our pages. These cookies and other similar technologies may collect data such as your IP address, your operating system, your browser type, and your device type (for example PC or smartphone).
Some cookies are always on when you visit our websites, and you can’t turn them off unless you change your browser settings. We call these “strictly necessary cookies”. Without these cookies, the services that you ask for cannot function as intended. We use these cookies to make sure our websites work correctly and are meeting audience needs and interests. For example, we use these cookies to verify when a website is down or to ensure the security of our websites. The lawful basis we rely on to process your personal data in this context is our legitimate interest, in particular our necessity to protect fundamental rights such as the right of defense, the right to property, and the freedom to conduct a business.
We use performance cookies (such as analytics) to gather aggregated statistical information on how our websites are performing and to improve their performance accordingly. You can switch these on or off at any time. We’ll use them only if you’ve agreed. For example, we use these cookies to obtain a general view of how visitors use our websites (for example: which web pages you visit most often and the number of visitors to the various parts of a website) or to conduct user surveys on our website in general or on specific elements of our website.
We also use functional cookies to personalize our websites to your needs by remembering choices you make. You can switch these on or off at any time. We’ll use them only if you’ve agreed. For example, we use these cookies to remind you of your settings on our website (such as your username, language, or the region you are in) and provide more enhanced, personal features. They don’t gather any information about you that could be used for advertising purposes. The lawful basis we rely on to process your personal data in this context is your consent.
Lastly, we use advertising and social media cookies to track your surfing behavior on our website and show you personalized advertisements relevant to you and to your interests. Further, if you gave us your consent to receive promotional communications, we will use the information gathered from these cookies to send you communications tailored to your preferences. These cookies may be placed by third parties and will be linked to site functionality provided by such third parties. Therefore, these cookies will affect the content and messages you see on other websites you visit. You can switch these on or off at any time. We’ll use them only if you’ve agreed. For example, if you are reading an article about a Heartstream product, then we might show you ads on this product in our or a third-party’s website. The lawful basis we rely on to process your personal data in this context is your consent.
For more information on the specific cookies we use, please read our cookie consent tool. You can adjust your cookie settings at any time from our cookie consent tool.
Our Tracker Details can be found here: Privacy Notice – Tracker Details
How we protect your personal data
We use organizational, technical, and physical measures to protect your personal data, taking into account the nature of the personal data and the processing as well as the potential threats posed. We are constantly working to improve these measures to help keep your personal data secure.
How we transfer your personal data between countries
Due to our global nature, your personal data may be transferred to or accessed by Heartstream-affiliated companies or Heartstream’s trusted third parties around the world. Of course, when we do so, we ensure that such transfer or access will comply with applicable laws on the transfer of personal data between countries.
When we transfer personal data from the European Economic Area, the United Kingdom, and Switzerland to:
- Heartstream-affiliated companies processing such personal data in other countries, such transfers are governed by the Heartstream Privacy Rules (so called Binding Corporate Rules);
- Heartstream trusted third parties processing such personal data in other countries not recognized by the European Commission as providing an adequate level of data protection, such transfers are governed by the Standard Contractual Clauses.
Your privacy rights
Depending on our reason for processing your personal data and applicable laws, you have certain rights on your personal data. Here are some of these rights.
- You have the right to access your personal data. This means that you can ask us for copies of, or information about, the personal data that we process about you.
- You have the right to rectify your personal data. This means that, if you think that the personal data we process about you is inaccurate, you can ask us to rectify or correct it. If you want us to rectify your personal data, please tell us what you believe is inaccurate and explain to us how we should correct it.
- You have the right to delete your personal data. This means that you can ask us to erase the personal data that we process about you. There might be cases (for example, when we are legally obliged to keep your personal data) where we may not be able to erase your personal data.
- You have the right to data portability. This means that you can ask us to transfer the information about you (that you have given to us directly) to another organization or give it to you. This right applies only in certain circumstances (for example, if we are processing your personal data with automated means and based on your consent).
- You have the right to restrict our processing of your personal data. This means that, in certain circumstances, you can ask us to limit the way we use your personal data.
- You have the right to object to our processing of your personal data. This means that, in certain circumstances, you can object to our processing of your personal data.
There may be situations where we are entitled to deny or restrict your privacy rights, for example, if it is necessary to establish, exercise, or defend Heartstream from legal claims or if your request is manifestly unfounded or excessive, in particular because of its repetitive character.
At Heartstream, we aim to give you control over your personal data. Therefore, depending on the activity, you can control your personal data and exercise your privacy rights and choices by yourself, for example by logging in to your Heartstream account and updating, modifying or deleting your personal data or by unsubscribing from our promotional communications by means of the unsubscribe button (link) included at the bottom of our promotional communications.
In all other cases, to exercise your privacy rights, to submit a privacy complaint, or to contact us, you can use our contact form, call us at 1 800 722-9377, or send us an email at .
We will do our best to address your request in a timely manner and free of charge. In certain cases, we may ask you to verify your identity before acting on your request. If you are not happy with how we have handled your request, you can make a complaint to the supervisory authority competent for your country or region.
With whom we share your personal data
Unless otherwise stated in this notice, these are the categories of third parties with whom we may share your personal data:
- Our Heartstream-affiliated companies. Due to our global nature, your personal data may be disclosed to other Heartstream-affiliated companies. We will make sure that access to your personal data is granted only on a need-to-know basis. In addition, our Heartstream-affiliated companies must handle your personal data in accordance with our Heartstream Privacy Rules. This ensures that your personal data will be processed by Heartstream following the same data protection standards.
- Our service providers. We may engage with third party service providers (like IT providers or customer service providers) and ask them to perform certain processing operations on our behalf, such as storing personal data. When we do so, these service providers are contractually obliged not to use your personal data for purposes other than those requested by us or required by law.
- Our business partners: Sometimes, we may partner with our business partners to provide you with services, and, in this context, we may share your personal data with them. For example, if you purchase a product from our e-shop, we share your information with payment service providers to process the payments.
- Third parties in connection with corporate transactions: At times, we may be involved in a merger, acquisition, bankruptcy, joint venture, reorganization, sale of assets, or other disposition of all or any portion of our business, assets, or stock. In these cases, we may share your personal data with the third party involved in that corporate transaction.
- Others: For legal reasons, we may also share your personal data with others (such as public and governmental authorities and professional advisors) if we determine that access, use, preservation, or disclosure of your personal data is necessary to: 1) comply with applicable laws and regulations or enforceable governmental requests; 2) investigate, prevent, or take actions regarding suspected or actual illegal activities or to assist government enforcement agencies; 3) enforce our terms and conditions with you; 4) investigate and defend ourselves against any claims or allegations; 5) protect the security or integrity of our services; or 6) exercise or protect the rights and safety of Heartstream, our Heartstream customers, personnel, or others.
How long we keep your personal data
We delete personal data when it is no longer necessary for the purposes described in this Privacy notice.
In any case, unless indicated otherwise in this Privacy notice, the criteria we use to decide our retention periods include: (i) whether we need your personal data to safeguard our legitimate interest, to perform a contract to which you are subject, to respond to your questions, or to provide you the required service or support; (ii) whether there is a legal obligation to which we are subject; or (iii) whether retention is advisable in light of our legal position (such as in regard to applicable statutes of limitations, litigation, or regulatory investigations).
Local-specific privacy information
To ensure compliance with local laws, we would like you to be aware of certain additional privacy information.
For California residents
California Civil Code Section 1798.83 permits our customers who are California residents to request and obtain from us once a year, free of charge, information about the personal information (if any) we disclosed to third parties for direct marketing purposes in the preceding calendar year. If applicable, this information would include a list of the categories of personal information that was shared and the names and addresses of all third parties with which we shared information in the immediately preceding calendar year. If you are a California resident and would like to make such a request, please contact us at 1 800 722-9377 or .
California Consumer Privacy Act. Pursuant to the California Consumer Privacy Act of 2018 (“CCPA”), we are providing the following details regarding the categories of Personal Information that we collect, use and disclose about California residents. Under the CCPA, “Personal Information” is information that identifies, relates to, or could reasonably be linked with a particular California resident or household.
Sources of Personal Information
We collect Personal Information from:
- Our interactions with you, such as through our websites, surveys, emails, social media, and any other online or offline interactions, such as when you contact us via phone, attend one of our events, or visit our offices; and
- Our Philips affiliated companies, service providers and/or business partners;
- Publicly available (online) sources;
- Other individuals.
Collection and Disclosure of Personal Information
The following chart details which categories of Personal Information about California residents we plan to collect, as well as which categories of Personal Information we have collected and disclosed for our operational business purposes in the preceding 12 months.
| Categories of Personal Information | Disclosed to Which Categories of Third Parties for Operational Business Purposes |
| Identifiers, such as name, contact information, account name, social security number, driver’s license number, passport number, IP address and other similar identifiers | |
| Personal information, as defined in the California customer records law, such as name, contact information and payment card number | |
| Characteristics of protected classifications under California or federal law, such as age, race, religion, sex, primary language, and health | |
| Medical Information, including information in possession or derived from a healthcare provider, healthcare service plan, or contractor regarding an individual’s medical history, mental or physical condition, or treatment. | |
| Health Insurance Information, including individual’s health insurance policy or subscriber number, or other unique identifier used by a health insurer to identify the individual, or any information in the eligibility file or claims history. | |
| Commercial information, such as transaction information and purchase history | |
| Internet or network activity information, such as browsing history and interactions with our website | |
| Geolocation data, such as device location | |
| Audio, electronic, visual and similar information, such as call and video recordings | |
| Inferences drawn from any of the Personal Information listed above to create a profile about, for example, an individual’s preferences, behavior, and characteristics | |
Use of Personal Information
We use these categories of Personal Information to operate, manage, and maintain our business, provide our products and services, and accomplish our business purposes and objectives, as described above under “How we Use Your Data.”
We do not sell and have not sold Personal Information in the preceding 12 months, as “sale” is defined in the CCPA. We do not sell the Personal Information of minors under 16 years of age.
In instances in which we collect Protected Health Information as defined by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), we may de-identify such information using the HIPAA Safe Harbor method or HIPAA Expert Determination method. Once such information is de-identified, it is no longer considered personal information, and we may use it in the same manner as other non-personal information. Any entities to whom we sell or disclose de-identified Protected Health Information are prohibited from attempting to re-identify it.
Individual Rights and Requests
If you are a California resident, you may request that we:
- Disclose to you the following information covering the 12 months preceding your request:
  - The categories of Personal Information we collected about you and the categories of sources from which we collected such Personal Information;
  - The specific pieces of Personal Information we collected about you;
  - The business or commercial purpose for collecting (if applicable) Personal Information about you; and
  - The categories of Personal Information about you that we otherwise shared or disclosed, and the categories of third parties with whom we shared or to whom we disclosed such Personal Information (if applicable).
- Delete Personal Information we collected from you.
To make a request for the disclosures or deletion described above, please contact us at: contact form, , or 1 800 722-9377. We will verify and respond to your request as described above in “Your privacy rights” and consistent with applicable law, taking into account the type and sensitivity of the Personal Information subject to the request. If you make a request, we may need to request additional Personal Information from you, such as your name, surname, username, or email address to verify your identity and protect against fraudulent requests.
You have the right to be free from unlawful discrimination for exercising your rights under the CCPA.
Authorized Agents
If you want to make a request as an authorized agent on behalf of a California resident, you may use the submission methods noted above. As part of our verification process, we may request that you provide, as applicable:
- Proof of your registration with the California Secretary of State to conduct business in California;
- A power of attorney from the California resident, pursuant to Probate Code sections 4000-4465;
- Written permission that the California resident has authorized you to make a request on the resident’s behalf. This permission must be signed (via physical or e-signature) by the California resident.
If you are making a request on behalf of a California resident and have not provided us with a power of attorney from the resident, we may also require the resident to:
- Provide you with a written permission signed by the resident to make the request on the resident’s behalf;
- Verify the resident’s identity directly with us; or
- Directly confirm with us that the resident provided you permission to submit the request.