Privacy Policy

Introduction

This privacy policy describes how we process your personal data on our website and within our other online presences such as our social media profiles.

1. Data Controller

Corvia Medical, Inc.
One Highwood Drive
Suite 300
Tewksbury, MA 01876
USA

E-Mail: privacy@corviamedical.com

(hereinafter also “we” or “us”).

2. Data Security

We take appropriate technical and organizational measures to ensure an adequate level of protection appropriate to the risk of the data processing to keep your data safe. These measures include ensuring the confidentiality, integrity and availability of your data through appropriate controls on physical and electronic access to the data as well as controls on input, disclosure, availability and segregation. 

3. Accessing the Website

When you access our website, we automatically collect and process various data, such as:

  • Information about the accessing end device and the software used
  • Date and time of access
  • Cookies (see our Cookie Policy for further information)
  • IP address


The storage of the IP address is at least temporarily technically necessary to enable the website’s delivery to the user’s device. Our servers also store your IP address for up to 7 days for our own security purposes.

We use web hosting providers including technical security and maintenance services to provide our website. Through these hosts we collect data on access to our website (log files), including the date and time of access, the browser type and version, the operating system and the IP address. These log files may be used for security purposes (e.g., in the event of abusive attacks) and to ensure the server stability based on our legitimate interests.

For the provision and hosting of our website, we use WPEngine, Inc. (Flywheel), 504 Lavaca Street, Suite 1000, Austin, TX 78701; Website: https://getflywheel.com/; Privacy Policy: https://wpengine.com/legal/privacy/.

4. Contacting Us

If you contact us by email, telephone, via social media or using our contact form, we store your contact data and the content of your enquiry for the purpose of processing your request and contacting you if necessary.

You may have the option to take part in surveys on our websites, that help determine if you may be a candidate for one of our clinical trials. In this case, we will ask for certain data about your health. This data is only used to determine whether you are a suitable candidate for such studies and will not be permanently stored.

As a potential candidate you then have the option to provide us with your contact data and age so that our patient advisors can contact you to explore your participation in the trial. We process this data on the basis of your consent.

If your request relates to pre-contractual measures or an existing contract, for example a request for a quote, this forms the legal basis for the data processing. In all other cases, processing of your request is based on our legitimate interests. We will store your data until fulfilling the purpose (normally this is the completion of your request) or until you request us to delete it, provided that there is no legal retention period.  

For providing the contact form and for technical processing of your request, we use the service provider HubSpot, Inc., 25 First Street, 2nd Floor, Cambridge, MA 02141, USA; 

Privacy policy: https://legal.hubspot.com/de/privacy-policy

Opt-Out: https://privacyportal.onetrust.com/webform/9fd092df-0b2a-4194-89f1-820b83267af4/13da1ce4-8542-4d34-a84c-379495aa666c

5. Newsletters

For dispatching our newsletters and for evaluating their use we use: Constant Contact, Inc., Waltham, Massachusetts (USA), 1601 Trapelo Road, Waltham, MA 02451 USA; 

Privacy policy: https://www.constantcontact.com/legal/privacy-notice

Opt-Out: https://endurance.clarip.com/dsr/create

If you subscribe to the newsletter, you can withdraw your consent to the storage of your contact information at any time, for example using the “unsubscribe” link at the end of each newsletter.  We will store your data until you unsubscribe and will then delete it from the distribution list and transfer your email address to a so-called blacklist to prevent future unintentional mailings to you, based on our legitimate interest.

6. Online Presence in Social Networks (social media)

We maintain online presences within social networks to communicate with users or to offer them information about us. In this context, user data is processed outside the European Union.

User data is regularly processed within social networks for market research and interest-based advertising purposes and to create user profiles based on the user preferences and the identified interests.  For this purpose, cookies and, if you are logged into your social media account, further user data will be stored on your device and in your user profile. For a detailed description and opt-out options see the privacy policies of the respective network operators.

Note, that requests for information and other data subject rights can be asserted most effectively with the providers themselves, as only they have access to their own user data and can respond appropriately. If you still need help with this, please feel free to contact us.

Facebook
We are jointly responsible with Facebook Ireland Ltd. for the collection of, but not for the further processing of data of visitors to our Facebook page (so-called “Fanpage”). This data includes, in particular, information about content viewed or interacted with, as well as information about the devices used by users, e.g. IP addresses, operating system, browser type, and language settings.  See Facebook`s data policy: https://www.facebook.com/policy. As explained in the Facebook Data Policy under “How do we use this information?” Facebook also uses information to provide analytics services (“Page Insights”) to page operators to provide them with insights into how people interact with their pages and with content associated with them. We have entered into a specific agreement with Facebook (“Page Insights Information”, https://www.facebook.com/legal/terms/page_controller_addendum), which specifically sets out the security measures that Facebook must observe and in which Facebook agrees to comply with data subjects’ rights.  For example, users can send information or deletion requests directly to Facebook. Further information can be found in Facebook’s “Information on Page Insights” (https://www.facebook.com/legal/terms/information_about_page_insights_data).

Service providers:

Facebook: Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland
Parent company: Facebook, 1 Hacker Way, Menlo Park, CA 94025, USA; 
Website: https://www.facebook.com
Privacy policy: https://www.facebook.com/about/privacy
Option to object (Opt-Out): https://www.facebook.com/adpreferences/ad_settings (Facebook login is required).

LinkedIn: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland; 
Website: https://www.linkedin.com
Privacy policy: https://www.linkedin.com/legal/privacy-policy
Option to object (Opt-Out): https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.

Twitter: Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2 D02 AX07, Ireland; 
Parent company: Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA; 
Privacy policy: https://twitter.com/de/privacy
(Settings) https://twitter.com/personalization.

YouTube: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; 
Parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; 
Privacy policy: https://policies.google.com/privacy
Possibility to object (Opt-Out): https://adssettings.google.com/authenticated.

7. Plugins and Embedded Content 

To enable user-friendliness and provide adequate customer service on our website we use functional and content elements (videos or city maps; hereinafter: “content”) from different service providers (hereinafter: “third-party providers”) in our online services. These third-party providers regularly process the IP address, which is necessary for displaying the website content.

Third-party providers may also store pseudonymous so-called pixel tags on the users’ device (invisible graphics, also known as “web beacons”) to collect information such as page visits and device specifications for statistical or marketing purposes.

If we ask for your consent to the use of the third-party providers, the legal basis for the processing of data is your consent, or where legally permitted, our legitimate interests in offering economic and recipient-friendly services. For additional information, we refer to our Cookie Policy.

8. Cookies

We use cookies on our website. Cookies are small files that are stored on the device. Among other things, they can be used to determine whether you have visited a website before. We use session or other cookies on our website. Our Cookie Policy informs you about the exact scope of our cookies.

9. Storage Period

We process personal data only as long as it is necessary for the underlying processing purpose (until you revoke your consent or other authorizations cease to apply). The data is then deleted, or where legally permitted or required, access to the data is restricted.

10. Updates to the Privacy Policy

We update our privacy policy from time to time and as soon as changes in our data processing make it necessary. We therefore ask you to inform yourself within regular intervals. 

11. Data Privacy – EU Residents – with Reference to the EU General Data Protection Regulation (GDPR)

Your Rights 
If asked by you, we will provide you with information as to whether personal data relating to you is being processed. If this is the case, you have a right to information about, and a copy of this personal data, and the information listed in detail in Art. 15 GDPR. In addition, you have the right to rectification (Art. 16 GDPR), the right to restriction of processing (Art. 18 GDPR), the right to erasure (Art. 17 GDPR) and the right to data portability (Art. 20 GDPR), all rights subject to the respective legal requirements.

Right to object: You have the right at any time to object to the processing of your personal data, which is carried out on the basis of our legitimate interest, on grounds relating to your particular situation. This also applies to profiling based on these provisions.

If your personal data is processed for direct marketing, you have the right to object to this form of processing at any time. This also applies to profiling insofar as it is connected with direct advertising.

Right of withdraw: You have the right to withdraw your consent at any time with effect for the future.

Requests may be submitted to privacy@corviamedical.com.  Please note that the law may require we verify your identity before responding to the request.

Complaint to a supervisory authority: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement, if you consider that the processing of personal data concerning you infringes the requirements of the GDPR.

Corvia has contracted with DataRep as its Data Protection Representative in the European Union. When contacting DataRep, please address your request to DataRep directly and not to Corvia Medical. Communications addressed to Corvia Medical but sent to a DataRep location will likely not be received.

CountryAddress
AustriaDataRep, City Tower, Brückenkopfgasse 1/6. Stock, Graz, 8020, Austria
BelgiumDataRep, Place de L’Université 16, Louvain-La-Neuve, Waals Brabant, 1348, Belgium
CroatiaDataRep, Ground & 9th Floor, Hoto Tower, Savska cesta 32, Zagreb, 10000, Croatia
Czech RepublicDataRep, IQ Ostrava Ground floor, 28. rijna 3346/91, Ostrava-mesto, Moravska, Ostrava, Czech Republic
DenmarkDataRep, Lautruphøj 1-3, Ballerup, 2750, Denmark
FranceDataRep, 72 rue de Lessard, Rouen, 76100, France
GermanyDataRep, 3rd and 4th floor, Altmarkt 10 B/D, Dresden, 01067, Germany
ItalyDataRep, Viale Giorgio Ribotta 11, Piano 1, Rome, Lazio, 00144, Italy
NetherlandsDataRep, Cuserstraat 93, Floor 2 and 3, Amsterdam, 1081 CN, Netherlands
PolandDataRep, Budynek Fronton ul Kamienna 21, Krakow, 31-403, Poland
SpainDataRep, Calle de Manzanares 4, Madrid, 28005, Spain
United KingdomDataRep, 107-111 Fleet Street, London, EC4A 2AB, United Kingdom

Data transfers

As a U.S. company, we also process your data in countries outside the European Union and the European Economic Area (“EEA”), primarily in the United States. Further, we will only process your data or have your data processed in countries outside the EEA, if an adequate level of data protection in accordance with the requirements of Articles 44 to 49 GDPR is ensured. This can be achieved, for example, by concluding so-called standard contractual clauses (e.g. with our service providers such as HubSpot or Google).

We will only transfer your personal data to third parties in accordance with the legal requirements and if the transfer is necessary in order to fulfill our contractual obligations to you, we are otherwise entitled or obligated to transfer the data, or you have given us your consent to do so. 

12. Data Privacy Rights – California Residents

Residents of California may have specific rights under the California Consumer Privacy Act, including:

  • The right to know what specific personal information we hold about you, the categories of sources of that information, the purpose(s) for collecting the information, disclosures that have been made for business purposes, and the categories of third parties to whom it was disclosed.
  • The right to copies of the personal information we hold about you.
  • The right to have your personal information deleted, although the law identifies several instances in which you will not be entitled to deletion.
  • The right to know what data has been sold, and to opt out of sales of your personal data. 
  • If we are relying on your consent to process your personal information, you have the right to withdraw your consent at any time. Please note, however, that this will not affect the lawfulness of the processing before its withdrawal.

Please note that Corvia Medical does not sell Personal Data.

Requests may be submitted to privacy@corviamedical.com.  Please note that the law requires we verify your identity before responding to the request.

We will not discriminate against you for exercising any of your privacy rights.

Last updated: 2022 October 3