Innodem Privacy Policy

Latest update: November 2023

At 10032506 Canada Inc. (“Innodem,” “we,” “us,” or “our”), we want you to understand what information we collect, and how we use and how we share it. That is why we encourage you to read our Privacy Policy and Notices before using our products.

1. What is the Privacy Policy and what does it cover?

This Privacy Policy applies to personal information gathered by us through Innodem Apps or when accessing our ETNA™-Cloud server, and not from any other source (including any interactions with Innodem staff or in the context of clinical studies).

If you are a resident of the United States, the services we are providing, namely ETNA™ Clinical Apps (defined below), may constitute “healthcare services” under the Health Insurance Portability and Accountability Act of 1996 and accompanying regulations (collectively, “HIPAA”). We confirm that we apply and follow HIPAA’s standards and implementation specifications. Our HIPAA Notice of Privacy Practices is available below.

If you are a resident of California, you may have additional rights regarding your information. Our California Privacy Rights Notice is available below.

“Innodem Apps” include:

Pigio™, Pigio™ ICU (collectively, “Pigio™ Apps”);
ETNA™-NDHC-MS, ETNA™-NDHC-O, ETNA™-CIS, ETNA™-CRCI, ETNA™-UPN-PD, ETNA™-UPN-MS, ETNA™-UPN-HC, ETNA™-UPN-AD, ETNA™-ProgMS, ETNA™-AD, ETNA™-UPN-Beta (collectively, “ETNA™ Clinical Apps”);
ETNA™-MS App; and
ETNA™-Cloud.

2. What information do we collect and why?

We collect your information for different purposes, particularly to help voiceless users communicate (Pigio™ Apps), to develop and validate differential diagnosis and disease progression evaluations (ETNA™ Clinical Apps), and to allow physician users to track the progression of disease (ETNA™-MS App). ETNA™-Cloud provides back-end support and clinician access to results for all ETNA™ Apps.

In detail, we collect the following data for the purposes shown:

Pigio™ Apps

Identification information (e.g., name).
Pigio™ Apps help voiceless patients communicate using only eye movements through our patented eye-tracking technology. The Pigio™ apps will customize words and sentences with a user’s name when interacting with others.

ETNA™ Clinical Apps

Identification information and biomarkers (e.g., unique identifier, audio and videos of your face, face position and rotation, distance to the user’s face with the TrueDepth API, coarse triangle mesh representing the face topology and facial features).
ETNA™ Clinical Apps use information to develop and validate an eye movement assessment tool to assist with differential diagnosis and disease progression evaluation.

ETNA™-MS App

Identification information, medical data, and biomarkers (e.g., unique identifier, date of birth, timed 25-foot walk test, and biomarkers (particularly face embeddings, eye gaze, blink, and optical flow)). The multiple sclerosis Expanded Disability Status Scale (EDSS) is computed using AI models and the information above and is stored in ETNA™-Cloud to assist healthcare professionals.
ETNA™-MS app leverages ARKit and TrueDepth API provided by Apple to locate the two eyes and measure the distance of the center of each eye to the device camera. Eye movement features are computed with AI models based on eye crops and adjusted through trigonometric calculations based on measured distance. ARKit and TrueDepth API’s data is processed on-device and is not persistently stored on the device. Data transmitted to Innodem's servers includes only non-sensitive information such as the user’s face position and rotation, average distance of the two eyes, a coarse triangle mesh representing the topology of the detected face, a dictionary of named coefficients representing the detected facial expression in terms of the movement of specific facial features, identifiers for specific facial features for use with coefficients describing the relative movements of those features, a transform matrix indicating the position and orientation of the face’s left and right eyes, and a position in face coordinate space estimating the direction of the face’s gaze. This application is classified as Software as a Medical Device (SaMD), and in compliance with regulatory bodies like Health Canada and the FDA, we store essential information on our servers to facilitate product recalls or address significant defects. This data storage enables us to perform analyses and report any discrepancies in EDSS score calculations to regulatory authorities. Please note that ARKit and TrueDepth APIs are subject to an opt-in feature that works only with your explicit permission to use the front-facing camera.

Innodem Apps - Technical data

IP address is used for consent management purposes.
Performance data (e.g., performance data includes the device level identifier, the device type and model, the device operating system version, the screen resolution, the app version including the build number, the language of the app and the crash log).
If enabled, performance data is information collected automatically by Apple when an app crash occurs. This can be disabled on the iOS device globally or per app. Performance data is sent directly to Apple servers. Innodem employees consult this online from the App Store Connect website. Performance data is only accessed by Innodem Technical staff. Performance data is not traceable to an individual and is not shared outside of Innodem. Apple’s privacy policies are available here: https://www.apple.com/legal/privacy/pdfs/apple-privacy-policy-en-ww.pdf

ETNA™-Cloud

Identification (e.g. email, password, first name, last name, phone number). Any other patient information acquired is always via a unique anonymized identifier.
ETNA™-Cloud allows authorized clinicians to manage their account information and access information derived from Innodem Apps. Innodem may use Identification information to contact patients directly in case of a critical product issue.

To use less information that is connected to you, in some cases we aggregate or de-identify information or anonymize it so that it no longer identifies you. We use this information in the same ways we use your information as described in this section.

Further, as described above, we may receive non-identifiable information from other sources (such as unique identifiers from clinics, or a subset of informed consent forms from healthcare professionals).

Please note that we may also collect and use your information for any other purpose permitted or required by law.

3. How do we share your information?

We share your information with third parties where necessary to fulfill the purposes identified above, including as set forth in the table below:

Service Providers

We may share your information to our authorized third-party services providers providing us services, such as for data storage (more specifically, AWS-hosted cloud application for ETNA™-Cloud, or Castor EDC cloud-based clinical data management system).

Law Enforcement and Other Authorities

We may receive requests by authorities to access your information. We will validate any such request to ensure that the request is legitimate before responding and will respond with the minimum necessary information to fulfill the request, logging the disclosure as required. When possible, we will advise you. We will only share what is strictly required.

Commercial Transactions

We may share your information with an acquirer, successor or assignee as part of any merger, acquisition, debt financing, sale of assets, or similar transaction, as well as in the event of an insolvency, bankruptcy, or receivership in which information is transferred to one or more third parties as one of our business assets.

Notification and Communication with your Family

We may disclose your information to notify or assist in notifying a family member, your emergency contact, or another person responsible for your care about your location, general condition, or in the event of your death. However, if you are able and available to agree or object, we will give you the opportunity to do so prior to making this notification.

We may also share aggregate or de-identified data that is not personally identifiable to third parties (particularly, when using ETNA™-ProgMS with pharmaceutical partners) for any purpose permitted under applicable law.

4. How do we transfer your information?

For Innodem Apps, information is collected through your iPad and stored on the ETNA™-Cloud in Canada with backup in the European Union and on Castor EDC cloud in Canada with backup in the United States.

As such, your information may be stored outside of your region and you consent to such cross-border data processing. While such information is outside of your region, it is subject to the laws of the jurisdiction in which it is held, and may be subject to disclosure to the governments, courts or law enforcement or regulatory agencies of such other jurisdictions pursuant to local laws.

Please note that our practices regarding your information will at all times continue to be governed by this Privacy Policy, and, if applicable, we comply with applicable legal requirements providing adequate protection for the transfer of information to third countries/regions.

If you would like more information about how we transfer your information, please contact us as set forth in the section below “How to contact us?”

5. How do we secure and keep your information?

We implement physical, administrative and technical safeguards designed to preserve the confidentiality, integrity and security of information under our control. Specifically, your information, excluding performance data sent to Apple servers, is stored on ETNA™-Cloud subject to leading security standards, including encryption in transit and at rest and taking into account ISO standards; such as ISO 13485 (certified, see certificate HERE (link)) and ISO/IEC 27001 (in progress) for Innodem, and ISO/IEC 27001 for AWS and Castor EDC.

We take steps to ensure that only those employees and authorized third parties who need access to your information to perform their duties have access to it (for example, medical data can only be seen by Innodem medical staff).

We retain your information only for as long as is necessary for us to fulfill the relevant purposes specified in this Privacy Policy, to comply with our legal obligations under applicable laws and regulations, and, when applicable, subject to consent or authorization forms obtained by healthcare professionals (for ETNA™ Clinical Apps).

6. What are your rights regarding your information?

Under certain circumstances and subject to applicable data protection laws, supported by a written request and proof of identification, you may consult the personal information that we have collected, used or shared, and/or ask that it be corrected or deleted in whole or in part, and/or withdraw your consent to our disclosure or use of personal information collected.

As required or permitted by law, you may be entitled to additional rights, including: (i) the right to control the dissemination of your personal information; (ii) the right to receive computerized personal information collected from you in a structured, commonly used and technological format and to have this information transferred directly to another organization; (iii) the right to be informed of and submit observations regarding automated decision-making; and (iv) the right to request information about data processing. In regard to any of your information that is “protected health information,” as described in the HIPAA Notice of Privacy Practices below, that Notice and the rights it enumerates will be controlling.

If you are a California resident please see our California Privacy Rights Notice below which contains mandated disclosures about our treatment of California residents’ information, whether online, offline or via our applications.

Finally, you also have a right to lodge a complaint with a competent data protection authority, in particular in the country/region where you normally reside, where we are based or where an alleged infringement of data protection law has taken place.

To exercise any of these rights, please contact us as set forth in the section below “How to contact us?”

7. How will you know this Privacy Policy has changed?

From time to time, we may update this Privacy Policy. Any changes will be effective when we post the revised Privacy Policy. This Privacy Policy was last updated as of the effective date listed at the top. We will notify you of any changes to this Privacy Policy by posting it on our website. Your continued use of our apps and online resources after any update to this Privacy Policy will constitute your acceptance of the changes.

8. How to contact us?

If you have any questions, requests or complaints regarding your information or this Privacy Policy, please contact our Data Protection Officer at dpo@innodemneurosciences.com.

Please note that we do not knowingly collect information from children under the age of 18. If you are the parent or legal guardian of a child under 18 who has provided us with information, please contact us to ask us to stop using or to delete that information.

Innodem HIPAA Notice of Privacy Practices

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

When we are acting as a “covered entity” by providing “healthcare services” to a resident of the United States, including through ETNA™ Clinical Apps, we are required by law to protect the privacy of your health information under HIPAA. We are also required to provide you with this notice about our privacy practices. We are required to comply with all the terms described in this Notice of Privacy Practices.

1. How we may use and disclose your health information.

We collect health information from you and we store it in computers. The collected information may be used by us or our business associates for the following purposes:

For treatment.
To obtain payment for treatment.
For regular health care operations.
When required by federal, state or local law, judicial or administrative proceedings, or law enforcement.
For public health activities.
For health oversight activities.
For research purposes.
To avoid a serious threat to health or safety.
For specific government functions.
For workers’ compensation purposes.
For scheduling appointments and services.

2. Disclosures that require your authorization.

No disclosures made for purposes other than those listed above will be made without your prior authorization, except as required or allowed by law. If you authorize us to use or disclose your information, you can revoke your authorization by notifying us in writing as described below.

3. You have the opportunity to object to these disclosures.

We may provide your information to a family member, friend, or other person that you indicate is involved in your care, treatment or the payment for your healthcare. You may object to or restrict any of these disclosures by notifying us in writing as described below.

4. Your health information rights.

The Right to Request Limits on How We Use and Disclose Your Health Information.

You have the right to ask that we limit how we use and give out your information. We will carefully consider your request, but we are not required to accept it. If we accept your request, we will put it in writing and abide by it except in emergency situations. To request limits, contact us in writing as described below.

The Right to Choose How We Send Your Information to You.

You have the right to ask that we send information to you to an alternate address. For example, you may ask us to send information to your work address rather than your home address. You can also ask that it be sent by alternate means. For example, you can ask that we send information by email instead of regular mail. We will agree to your request if we can easily provide it in the format you request.

The Right to See and Get Copies of Your Health Information.

Most of the time, you have the right to look at or get copies / summary of your health information that we have.

You or your legally authorized representative may request to inspect or obtain a copy of your health information. If we keep your health information in an Electronic Health Record, it will be given to you (or your designee) electronically upon your request. We will provide a copy / summary within the time frames established by law and we may charge a reasonable cost-based fee. In certain situations, we may deny your request. If we do, we will tell you, in writing, our reasons why and explain how you can have the denial reviewed.

The Right to Get a List of Who We Have Given Your Information To.

You have the right to get a list of certain instances in which we have given out your health information after April 14, 2003. To get this list, you must complete the appropriate form and submit it to the facility where you received your care.

The Right to Correct or Update Your Health Information.

If you believe that there is a mistake in your information or that a piece of important information is missing, you have the right to request that we correct the existing information or add the missing information. Your request and your reason for the request must be submitted in writing as described below. Each request will be carefully considered. If we approve your request, we will make the change to your information, tell you that we have done it, and tell others that need to know about the change. We may say no to your request, but we will tell you why in writing within 60 days.

The Right to Get This Notice.

You have the right to request a paper copy of this notice. You also have a right to get a copy of this notice by email.

The Right to Privacy Notification.

You have the right to be notified after a breach of your protected health information.

5. Changes to our notice of privacy practices.

If our privacy practices should change at any time in the future, we will promptly change and post the new notice. We reserve the right to apply any changes to our privacy practices or this Notice to all of the personal health information that we maintain, including information collected before the date of the change.

6. Complaints and contact information

If you have any questions about this notice, any requests, or any complaints about our privacy practices, please contact our Data Protection Officer at dpo@innodemneurosciences.com.

If you think that we may have violated your privacy rights, or you disagree with a decision we made about your health information, you may file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights by sending a letter to 200 Independence Avenue, S.W., Washington, D.C. 20201; or electronically at www.hhs.gov/ocr/privacy/hipaa/complaints.

We will not retaliate against you for filing a complaint.

7. Persons under the age of 18.

8. How will you know this Privacy Policy has changed?

9. How to contact us?

Please make any requests in writing. If you have any questions, requests or complaints regarding your information or this Privacy Policy, please contact our Data Protection Officer at dpo@innodemneurosciences.com.

10. Your rights

Any request you may have of us must be submitted in writing, including complaints.

You have the right to:

Request restrictions on certain uses and disclosures of your health information. We are not required to agree to the restriction that you requested. Except as provided in the next paragraph, we will honor the restriction until you revoke it or we notify you. To request restrictions, you must make your request in writing. In your request, you must tell us (1) what information you want to limit; (2) whether you want to limit our use, disclosure, or both; and (3) to whom you want the limits to apply – for example, disclosures to your spouse.
Request us to communicate with you in a certain way or at a certain location. For example, you may ask to be contacted only while at work or by email.
Right to be notified if we (or a Business Associate) discover a breach of unsecured protected health information.
Inspect and receive a copy of certain protected health information that may be used to make decisions about you. If the information you request is maintained electronically, and you request an electronic copy, we will provide a copy in the electronic form and format you request, if the information can be readily produced in that form and format; if the information cannot be readily produced in that form and format, we will work with you to come to an agreement on form and format. If we cannot agree on an electronic form and format, we will provide you with a paper copy.
Change or add information to your designated records; however, we may not change the “original” documents.
An accounting of disclosures of your protected health information we may make. However, we do not have to account for disclosures related to treatment, payment, health care operations, information provided to you, specialized government functions, and disclosures you authorize.
Right to receive a paper copy of this Privacy Policy even if you receive this electronically.
As required or permitted by law, you may be entitled to additional rights, including: (i) the right to control the dissemination of your personal information; (ii) the right to receive computerized personal information collected from you in a structured, commonly used and technological format and to have this information transferred directly to another organization; (iii) the right to be informed of and submit observations regarding automated decision-making; and (iv) the right to request information about data processing.
Complaints. You also have a right to lodge a complaint with us and/or with a competent data protection authority, in particular in the country/region where you normally reside, where we are based or where an alleged infringement of data protection law has taken place. If you file a complaint, we will not take any action against you or change your treatment in any way. If a resident of the United States, you may submit a formal complaint to:

Dept. of Health and Human Services Office of Civil Rights

200 Independence Avenue, S.W. Room 509F HHH Building

Washington, DC 20201

To exercise any of these rights, please contact us as set forth in the section below “How to contact us?”

Innodem California Privacy Rights Notice

This notice to California residents is provided under California law, including the California Consumer Privacy Act or “CCPA” (Cal.Civ.Code 1798.100 et seq.). If you are a California resident and our Privacy Policy which includes but is not limited to our HIPAA Notice of Privacy Practices (“HIPAA Notice”), is inapplicable, this further California notice contains mandated disclosures about our treatment of California residents’ information, whether online, offline or via our applications.

“Personal information” means all personal information as defined in the CCPA, which includes information relating to a particular household as well as a natural person. This notice applies to most of the personal information Innodem collects from California residents in the course of conducting its general business operations and is supplemental to its general privacy policy found above, but is inapplicable if and to the extent our HIPAA Notice applies.

This notice does not apply to protected health information collected in the course of treatment, payment, or healthcare operations otherwise covered by our HIPAA Notice.

We collect these categories of personal information when you interact with us: identifiers/contact information, biometric and demographic information (including for example, gender and age information), internet or other electronic network activity information, geolocation data, audio, electronic, visual or similar information and inferences drawn from the above.

Please know that we collect this information so that we can best serve you, including to fulfill your requests. We may process your personal information to:

Contact you
Respond to your comments and questions
Perform our ordinary business operations
Comply with our legal and regulatory obligations.

We may process the following categories of your personal information, as appropriate for the relevant processing activity:

Name
Contact details, including mailing or email addresses
Biometrics
Information about you we may need to authenticate or verify your credentials
Age
Gender.

We may obtain personal information about you directly from you or via our service providers.

We may share personal information about you with:

Our service providers, researchers, or others working with us under appropriate contractual restrictions
Companies or individuals who advise us in the course of running our business
Third parties in connection with or during negotiation of any merger, financing, acquisition or dissolution; other transaction; litigation; to prevent or assist in preventing any violation or potential violation of law; or disclosure required by a court or other judicial body or law enforcement or regulatory body.

Although California residents have the right to “opt out” of the “sale” of their ”personal information” to “third parties” as those phrases and terms are defined in the CCPA and described below, Innodem does not “sell” your personal information and does not “share” it with “third parties” except in the limited circumstances noted below.

We also make the following disclosures for purposes of compliance with the CCPA:

We collected the following categories of personal information in the last 12 months: identifiers/contact information, demographic information (such as gender and age), biometric information, internet or other electronic network activity information, geolocation data, audio, electronic, visual or similar information, and inferences drawn from the above.
The sources of personal information from whom we collected are: directly from individuals, analytics tools.
The business or commercial purposes of collecting personal information are as summarized in our “notice at collection” section, and as described in more detail in our Privacy Policy.
We disclosed the following categories of personal information for a business purpose in the last 12 months: identifiers/contact information, demographic information (such as gender and age), internet or other electronic network activity information, geolocation data, audio, electronic, visual or similar information, and inferences drawn from the above.
We disclosed each category to third-party business partners and service providers, third-party sites or platforms only as required by or permitted by applicable law.
As the term is defined by the CCPA, we “sold” the following categories of personal information in the last 12 months: none.
We do not collect, process or “sell” personal information of persons under 18 years of age.

1. Rights of California Residents under the CCPA

Right to Know

If you are a California resident, you are entitled to request in writing the following information:

Categories and specific pieces of personal information we have collected about you
Categories of sources from which your personal information was collected
Our business purpose for collecting any of your personal information
The categories of third parties with whom we have shared your personal information

Right to Access

If you are a California resident, you have the right to request, up to two times each year, access to categories and specific pieces of personal information about you that we collect, use, disclose, and sell.

Right to Delete

If you are a California resident, you have the right to request that we delete personal information that we collect from you, subject to applicable legal exceptions.

Right to Opt Out of Sale of Personal Information

If you are a California resident, you have the right to “opt out” of the “sale” of your “personal information” to “third parties” (as those terms are defined in the CCPA); however as noted above, we do not sell any personal information.

2. Process to Make a CCPA Request

Making Access and Deletion Requests

To make an access or deletion request, please If you have any questions, requests or complaints regarding your information or this Privacy Policy, please contact our Data Protection Officer at dpo@innodemneurosciences.com. Before completing your request, we may need to verify your identity. We will send you a link to verify your email address and may request additional documentation or information solely for the purpose of verifying your identity.

You have the right not to receive discriminatory treatment for the exercise of your privacy rights conferred by the CCPA.

Instructions for Authorized Agents Making Access and Deletion Requests

You may also use an authorized agent to submit an access or deletion request on your behalf. Authorized agents may submit access and deletion requests at ccpa.disney.com/agents. An authorized agent must have your signed permission to submit a request on your behalf or provide proof that they have power of attorney in accordance with California probate law. Authorized agents that are business entities must be registered with the California Secretary of State to conduct business in California. Before completing requests from authorized agents, we may contact you directly to confirm you’ve given your permission and/or to verify your identity.

Shine the Light Act

If you are a California resident, California Civil Code Section 1798.83 permits you to request information regarding the disclosure of your personal information by Innodem Neurosciences to third parties for the third parties’ direct marketing purposes. Pursuant to California Civil Code Section 1798.83(c)(2), Innodem Neurosciences does not share individuals’ personal information with other companies or others outside Innodem Neurosciences for third parties’ direct marketing use unless an individual instructs us to do so.

To make such a request, please contact our Data Privacy Officer at dpo@innodemneurosciences.com.

Language

ETNA™-MS

Pigio™