Privacy Policy

Website Data Privacy Policy

Last revised on: April 2025

Introduction
ExThera Medical is committed to protecting the privacy and security of personal data. This Data Privacy Policy explains how we collect, use, disclose, and safeguard the personal and medical data of patients, healthcare providers, and users of our medical devices. We adhere to applicable data protection laws, including the Health Insurance Portability and Accountability Act (HIPAA) and the European Union General Data Protection Regulation (GDPR).

Personal data we collect and how we use it
This section describes how ExThera Medical uses your personal data. Unless we need your personal data in order to comply with laws and regulations, you are not required to provide information to us, but if you choose not to do so we may not be able to offer you certain services and related features or to respond to requests that you may have. The following situations are discussed in more detail below:

Visiting our websites
When you visit our websites or apps, we may collect and/or process your personal data (from your interaction with our sites) to learn more about how you use our site/app and services.

What personal data we obtain

  • Electronic device information, including identifiers associated with your devices, operating system type and characteristics
  • Internet and network activity information, including internet protocol (IP) address, domain name, web browser characteristics, language preferences, navigation, and your interactions with our site or app (such as the pages you visit, links you click, features you use, dates and times of access to our site/app, browsing history, search history, the pages that led or referred you to our site), and other information about your use of our site or app
  • Geolocation data, including approximate location information from your use of our site/app
  • Certain information by automated means, including cookies and similar technologies, such as Flash cookies, local storage, web beacons and pixels, JavaScript, software development kits (SDKs) and device identifiers

How we use your data

  • Ensure our sites or apps operate correctly and secure logins work properly
  • Improve visitor experience and learn how they use our sites/apps and their features
  • Provide you with enhanced functionality such as video content and show you targeted ads on other sites or social media channels

Depending on your location, some cookies may require your consent. See our cookie policy to learn more about our use of cookies and how to manage your cookie settings and preferences.

Health vigilance/post-market surveillance/recalls/complaints
As a manufacturer of medical devices, we are subject to regulatory obligations when we place (or make available or put into service) our products on the market. Compliance with those obligations requires us to process personal data. The types of personal data we obtain or process as a manufacturer of medical devices, which may be obtained from your interactions with or submissions to our site, your account, your medical device’s registration or telemetry data, or from your healthcare provider(s), as well as from information you communicate to us or post on a public forum, include:

  • Data allowing the identification of the patient or person exposed to an adverse health event, such as age, year or date of birth, gender, weight, height, and identification number
  • Data relating to the identification of the product concerned, such as the type of product used, serial number, and implant date
  • Other information necessary for the assessment of an undesirable health event, such as professional life, health data, therapy data, consumption of tobacco, alcohol, or drugs, and life habit and behavior
  • Contact details of the person who made a complaint or notified us of an adverse health event, or of any health professional likely to provide details

How we use your data: Conduct health vigilance related activities, including managing adverse health events and handling product complaints. We’ll do so to ensure compliance with our legal obligations and with high standards of quality and safety of healthcare and medical devices.

Please note that if you choose to no longer receive promotional messages from us, we may still continue to send you relevant information for other lawful purposes, such as to administer any account or contract you may have with us, send you communications of an operational nature (e.g., planned outage or updates), respond to your requests and as required by law (e.g., in case of a product recall).

Our Use of Cookies and Other Tracking Mechanisms
We and our third-party service providers use cookies and other tracking mechanisms to track information about your use of our Site. We may combine this information with other personal information we collect from you (and our third-party service providers may do so on our behalf).

Cookies: Cookies are alphanumeric identifiers that we transfer to your computer’s hard drive through your web browser for record-keeping purposes. Some cookies allow us to make it easier for you to navigate our Site, while others are used to allow us to track your activities at our Site. There are two types of cookies: session and persistent cookies.

  • Session Cookies exist only during an online session. They disappear from your computer when you close your browser or turn off your computer. We use session cookies to allow our systems to uniquely identify you during a session. This allows us to process your online transactions and requests and verify your identity, after you have logged in, as you move through our Site.
  • Persistent Cookies remain on your computer after you have closed your browser or turned off your computer. We use persistent cookies to track aggregate and statistical information about user activity, and to display advertising on third-party sites.

Disabling Cookies. Most web browsers automatically accept cookies, but if you prefer, you can edit your browser options to block them in the future. The Help portion of the toolbar on most browsers will tell you how to prevent your computer from accepting new cookies, how to have the browser notify you when you receive a new cookie, or how to disable cookies altogether. Visitors to our Site who disable cookies will be able to browse certain areas of the Site, but some features may not function.

Local Storage Objects. We may use Local Storage Objects (“LSOs”) to store your Site preferences and to personalize your visit. LSOs are different from browser cookies because of the amount and type of data stored. LSOs are not controlled by your browser’s cookie settings: disabling cookies does not disable them, although clearing your browser’s stored site data will typically remove HTML5 local storage.

Clear GIFs, pixel tags and other technologies. Clear GIFs are tiny graphics with a unique identifier, similar in function to cookies. In contrast to cookies, which are stored on your computer’s hard drive, clear GIFs are embedded invisibly on web pages. We may use clear GIFs (a.k.a. web beacons, web bugs or pixel tags), in connection with our Site to, among other things, track the activities of Site visitors, help us manage content, and compile statistics about Site usage. We and our third-party service providers also use clear GIFs in HTML emails to our customers, to help us track email response rates, identify when our emails are viewed, and track whether our emails are forwarded.

Third-Party Analytics. We use automated devices and applications, such as Google Analytics, to evaluate usage of our Site. We also may use other analytic means to evaluate our Site. We use these tools to help us improve our Site, performance, and user experiences. These entities may use cookies and other tracking technologies to perform their services.

Do-Not-Track. Currently, our systems do not recognize browser “do-not-track” requests. You may, however, disable certain tracking as discussed in this section (e.g., by disabling cookies); you also may opt out of targeted advertising by following the instructions in the Third-Party Ad Networks section.

Third-Party Ad Networks
We use third parties such as network advertisers to serve advertisements on third-party websites or other media (e.g., social networking platforms). This enables us and these third parties to target advertisements to you for products and services in which you might be interested. Third-party ad network providers, advertisers, sponsors and/or traffic measurement services may use cookies, JavaScript, web beacons (including clear GIFs), Flash LSOs and other tracking technologies to measure the effectiveness of their ads and to personalize advertising content to you. These third-party cookies and other technologies are governed by each third party’s specific privacy policy, not this one.

Users in the United States may opt out of many third-party ad networks. For example, you may go to the Digital Advertising Alliance (“DAA”) Consumer Choice Page for information about opting out of interest-based advertising and your choices regarding having your information used by DAA companies. You may also go to the Network Advertising Initiative (“NAI”) Consumer Opt-Out Page for information about opting out of interest-based advertising and your choices regarding having your information used by NAI members.

Opting out from one or more companies listed on the DAA Consumer Choice Page or the NAI Consumer Opt-Out Page will opt you out from those companies’ delivery of interest-based content or ads to you, but it does not mean you will no longer receive any advertising through our Site or on other websites. You may continue to receive advertisements, for example, based on the particular website that you are viewing (i.e., contextually based ads). Also, if your browsers are configured to reject cookies when you opt out on the DAA or NAI websites, your opt out may not be effective. Additional information is available on the DAA’s website at www.aboutads.info or the NAI’s website at www.networkadvertising.org.

Third-Party Links
Our Site may contain links to third-party websites. Any access to and use of such linked websites is not governed by this Policy but instead is governed by the privacy policies of those third party websites. We are not responsible for the information practices of such third-party websites.

When you interact on social media with or about ExThera Medical
You may send us a private or direct message via social media, or you may communicate about us or ExThera Medical products on social media (e.g., if you participate in our online communities, share a comment about an ExThera Medical product, or tag ExThera Medical in your post). If you interact on social media with or about us, the types of personal data we obtain or process about you from that interaction include:

  • Social media information, such as your social media username, profile picture, country
  • Information about you that is contained in your comments, posts, or other content about ExThera Medical that you share on social media services

How we use your data

  • To review or respond to your message or comments, and where applicable, to provide you with the required support and take any necessary follow-up actions
  • To understand your feedback and improve our products and services if you communicate about us or our products

Visiting ExThera Medical locations
You may visit our locations in order to interact with our personnel, to provide services or perform certain tasks. If you visit ExThera Medical locations, the types of personal data we obtain or process about you include:

  • Your contact information and visit details, such as your name, signature and arrival/departure time and date, to enable you to access our premises and provide you with a badge as applicable
  • Video recordings of you if we operate closed-circuit television (CCTV) systems in the location you visit

How we use your data: We will use this information for security and safety reasons, including ensuring the security of ExThera Medical personnel, property and assets, and complying with our internal security policies.

Participating in events or interviews
You may wish to participate in one of our physical or virtual events (such as workshops, meetings, webinars, or live broadcast events), or we may ask you to share your story, provide a testimonial or take part in an interview about your treatment with an ExThera Medical product. In this case, we’ll need to process some personal data about you, as described below. If you participate in one of our events, testimonials or interviews, the types of personal data we obtain or process about you from your participation include:

  • Identification/contact information, such as your name (or a fictitious name to protect your privacy), email address, nationality, country
  • Personal details, such as dietary requirements, where applicable
  • Professional information, such as your job type and title
  • Product(s)/service(s) of interest to you, where applicable
  • Health data, such as the medical condition treated by the ExThera Medical product (if you are providing information as a patient)
  • Images, video, and/or audio recordings of you, if our event/interview is filmed or recorded

How we use your data: We will use your data to organize and facilitate the event/interview, and conduct our educational, promotional, and advertising activities.

Participating in surveys
From time to time, we may invite you to participate in an ExThera Medical survey to gather your feedback to help us determine customer satisfaction levels, identify areas of potential improvement or to conduct market research. To the extent possible, we will gather your feedback in an anonymous manner. In some cases, however, the survey may gather identifiable respondent information. In such instances, the types of the personal data we obtain or process about you includes:

  • Identification/contact information, such as your name, email address, phone number
  • Professional details (if you are a business customer), such as your employer’s details, specialty, professional experience, professional qualifications
  • Opinions, views, or information you choose to provide us as part of your survey responses. If you are a patient, this may include your age and information about your health, such as your medical condition, type of ExThera Medical product/services you are treated with, details of the medical procedure you underwent as a patient.
  • Where applicable, information collected by automated means (including cookies), such as your IP address, and survey metadata (e.g., the language you take the survey in, duration of your survey response, last date the survey was started)

How we use your data: We will use your personal data to conduct the survey, including to send it to you, allow you to submit your survey responses, prevent survey fraud, analyze the survey results, and improve or develop our products and services, accordingly.

Participating in clinical studies and other research activities
We perform clinical activities, including clinical studies, clinical investigations, clinical surveys and other studies or research activities. In this context, we process personal data of participants to these activities, as well as personal data of healthcare personnel involved in such activities. The types of personal data we obtain or process this way will vary depending on the research activity, but this will generally include:

  • Information indirectly identifying participants in those research activities (such as age or date of birth, place of birth, gender, country and department of residence, serial number or alphanumeric code excluding first and last name)
  • Where applicable, administrative data identifying participants that may be obtained by our service providers (such as first and last name, contact details, bank details) for very limited purposes, including to reimburse transport costs and/or to pay compensation
  • Data concerning participants’ health, including vital status, and any other sensitive data, as relevant to the subject of the research activity (such as participants’ ethnic origin or data concerning sexual life)
  • Dates relating to the conduct of the research activity, including the date of inclusion
  • Details of participants’ personal and professional life, such as family situation, current profession, business trips, consumption of tobacco, alcohol, drugs, lifestyle habits and behaviors, and any other relevant information
  • Insurance information, including health insurer or payer information
  • Participation in other research activities
  • Reimbursement of costs incurred by the participant
  • Annual amount of compensation received

For such activities, we typically have no access to directly identifiable information about patients, as that information is kept confidential by the relevant healthcare professional unless it is required for the purposes of the study. If you are a healthcare professional involved in our (clinical) research activities, the types of personal data we obtain or process about you include:

  • Identification data, such as name, gender, professional contact details, bank details
  • Training and qualifications
  • Other relevant details of professional life (e.g., professional curriculum)
  • If applicable, identification number in the directory of health professionals
  • Amount of compensation and remuneration received
  • Collaboration in research activities
  • History of access, and connection to the medical data of participants in the research activities, where relevant

How we use your data: To carry out research activities in the public interest, including to generate evidence to submit to health regulatory authorities in order to comply with our obligations as a medical device manufacturer, to assess the safety, performance and quality of our medical devices, and to develop and improve the safety and performance of these medical devices with the aim of enhancing and improving healthcare.

We will do so based on your consent or as required by applicable law in conducting research activities, for scientific research, or to ensure high standards of quality and safety of our products and services.

The ExThera Medical entity responsible for the processing of your personal data is the sponsor or ExThera Medical entity that determines the purposes of the clinical study or research project, as indicated in the clinical study or research documentation or in other relevant documentation provided by the healthcare professional in connection with the clinical or research activities you participate in.

General business purposes
In some circumstances, we process personal data to comply with applicable legal requirements and our policies, to perform auditing and other internal functions, or for litigation and dispute resolution purposes. When this is the case, the types of personal data we obtain or process about you include:

  • Your identification and contact information
  • Other information as is necessary and relevant to the particular case; e.g., in the event of an (internal) audit, information contained in documents and materials audited, or in the event of litigation, information gathered in the evidence necessary for the litigation

How we use your data: We will use your information — in an anonymized, de-identified or redacted form, where appropriate — in order to:

  • Fulfill our contract with you when it is our legal duty
  • Support and manage our therapies or related services by our service providers and/or business partners
  • Manage our relationship with you and keep our records up to date
  • Manage websites for healthcare professionals, account access support, verify your personal identity as needed for us to provide our therapies or related services, online support, and related services safely and lawfully
  • Properly administer our business, therapies, or related services
  • Enforce, establish, exercise, or defend our legal rights, including this privacy notice and other rules about use of our product or services
  • Protect and secure websites, networks, systems, data, and services ExThera Medical provides to our customers
  • Manage compliance with our policies, including conducting (internal) audits, investigations, or due diligence checks for the above reasons
  • Understand how to improve our therapies or related services
  • Comply with applicable legal requirements, regulations, court orders, or other legal processes

Secondary use of data
With the authorization of your medical institution, the data obtained as part of the services provided to your medical institution may be further used to support and improve those services, including to improve and develop ExThera Medical products and services, to conduct benchmarking, business analytics or market research, to train and educate ExThera Medical personnel or healthcare professionals, or to support regulatory filings and the reimbursement of ExThera Medical products and services.

Sensitive data use
Some of the data we collect and use is considered sensitive under applicable laws, which may include, for example, health- and financial-related data and genetic/biometric data. Our collection and use of sensitive personal data is limited to that which is necessary to provide you with your requested services, including treating your condition, and for additional purposes for which you have provided your consent. You can choose to withdraw or withhold your consent. However, where your sensitive data is necessary to provide you with services, you will not be able to use those services without it.

Data you provide to us
We may ask that you, your caregiver, your account administrator, or any individual authorized by you not send or disclose personal data other than the data that we ask you to provide.

Telephonic contact
If you provide phone number(s) to ExThera Medical, we may contact you at those number(s), including via text, SMS, or voice call, for the transactional purposes defined in this privacy notice, as well as to respond to requests you make of ExThera Medical. If you provide additional consent for marketing communications, ExThera Medical may then contact you by telephone for marketing, advertising, or offers of sale of ExThera Medical therapies or related services as well.

When making contact by telephone, we may use automated technologies (including recordings and auto-dialing), and telephone, airtime, message, and data rates may apply. By providing your phone number(s) and/or consent(s), you certify that (a) you are age 13 or older, (b) the contact information you provide is yours, and (c) you authorize and consent to ExThera Medical using the information provided to contact you. Consent is not a condition for purchase or services. You may opt out of telephonic contact from ExThera Medical using automated technologies at any time by replying “STOP” to a text message; you may opt out of marketing messages by signing into your ExThera Medical profile and updating your communication preferences.

Data sharing
In the ordinary course of business in conducting the purposes described in this notice, we may share your personal data with certain categories of third parties, including:

  • Affiliates: We may disclose the information we collect from you to our affiliates or subsidiaries; however, if we do so, their use and disclosure of your personal information will be subject to this Policy
  • Service providers: We may share personal data with relevant third-party service providers, who act on our behalf to fulfill the activities noted in this privacy notice, including IT providers, providers of communication tools and customer relationship management systems, survey tool providers or platforms, event organization management tool providers, outsourced operations such as accounts payable providers, email automation tool providers, cloud hosting service providers, and contract management platform providers
  • Healthcare providers and regulators: As described above, we may disclose personal data to your physician to coordinate or manage your healthcare and related services. This may also include other healthcare provider(s) who, at your request, become involved with the management of your care, online account, or related services. ExThera Medical may also disclose your personal data to health oversight agencies such as government regulators to support with audits, investigations, and inspections.
  • Business partners and other specialists: We may share personal data with external organizations with which we have partnered (such as research partners and as part of co-branding initiatives), and with external specialists or professional advisors within a particular field (such as lawyers, consultants, tax advisors, auditors, specialist delivery providers, banks, payment service providers, and benchmarking agencies)
  • Parties to a corporate transaction: We may share your personal data as necessary with parties to a potential, pending, or in process corporate transaction, such as if we sell or transfer all or a portion of our business or assets, or if we undergo a merger, acquisition, joint venture, reorganization, divestiture, dissolution, or liquidation
  • For legal and other related interests: We may share personal data where:
    • Required by law
    • Required to disclose and/or share your personal data with regulatory, public, or governmental authorities to comply with any law, regulation, court order, legal, or government request
    • Allowed or required by law for public health purposes, including reporting complaints and quality issues to medical device regulators
    • Needed to protect our own or others’ vital interests, including the safety of life and property, or to investigate illegal or malicious activities, where allowed by law
    • Needed to exercise or defend legal claims
    • Needed by our corporate affiliates, who are subject to the same privacy requirements
  • Others, per your request: With your consent, we may share your personal data with other parties you choose, such as your caregivers.

International transfers
In some cases, ExThera Medical may transmit personal data to, or store it with, affiliates, vendors, or sites in other countries. We will only transfer personal data as allowed by applicable law to further the purposes set out in this document. Where personal data is transferred to another country, we take administrative and technical measures to ensure that safeguards equivalent to those required by applicable data protection laws are in place. For more information on the safeguards implemented by ExThera Medical, please contact us via email.

Data retention
We retain personal and medical data for as long as necessary to fulfill the purposes outlined in this policy, comply with legal obligations, resolve disputes, and enforce our agreements. The retention period may vary depending on the type of data and applicable regulations. Once the data is no longer needed, we securely delete or anonymize it.

Your privacy rights
You may have some of the rights below relating to your personal data, depending on applicable laws. Additional information may be found in the specific jurisdictions section.

  • Access your personal data and confirm how your personal data is being processed
  • Transfer or obtain a copy in a structured, machine-readable, or portable format
  • Correct or amend if it is incomplete, inaccurate, or outdated
  • Request deletion of your personal data, which in some cases may be fulfilled by restricting, obfuscating, de-linking, or deidentifying that data
  • Restrict or limit excessive or unlawful processing, or processing where the accuracy of the data is contested
  • Object to or opt-out of processing in circumstances where ExThera Medical claims a legitimate interest in its processing and where your rights outweigh those of ExThera Medical, such as where that data is used for direct marketing (including email or telephonic marketing)
  • Withdraw (or manage) consent where it is the basis for processing, which may include cases where the data is sensitive or about children. Where consent is revoked, we will not further process that data unless required or otherwise permitted by applicable law.

Exercising your rights
How to exercise your rights. You or your authorized agent may exercise these rights at any time or contact us with any inquiries through the methods provided in the “How to contact us” section below.

Process. We will first confirm that we have received your request. For rights requests, we are required to verify your identity, your right to access the information requested, and, as applicable, your authorized agent’s authority to act on your behalf. We may need to ask you for additional information that will help us do so, including government-issued IDs containing your name and address, utility bills containing that same information, and/or unique identifiers like usernames. We will only use that additional information in the verification process, and not for any other purpose.

After the validation of identity and authority (including if we do not receive that information), we will process your request and then contact you with our response to your request, including any data and reasons for rejection as applicable, within the time required by applicable law. If we need more time, we will notify you in accordance with applicable law.

Fees. We may charge a reasonable fee in some geographies to process or respond to your request only if allowed by applicable law, for instance if it is excessive, repetitive, or manifestly unfounded. If a fee is warranted, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

Additional options. Depending on your jurisdiction, you may have additional options if you are dissatisfied with our response:

You may internally appeal or contact our data protection officer if you disagree with a decision we made about your rights. Please include a copy of or reference to the decision.

You may also complain to a data protection or regulatory authority if you have further concerns about our data practices or our response to a request. If you need information about which authority may apply to you depending on your location and circumstances, please contact us.

You will not be discriminated against for your exercise of your rights. This does not necessarily include, depending on applicable law in your jurisdiction, cases where a difference in price or services offered is reasonably related to the value provided by your data, or where you consent to participate in a voluntary loyalty or similar incentive program.

Children and personal data online
We do not intentionally collect personal data from children (as defined by applicable law) unless we have received verifiable consent (from the parent or the child, depending on the requirements of applicable law) or a legal requirement or vital interest applies. If you believe we have collected personal data from a child, contact us using the information found in the How to contact us section.

Special provisions for specific jurisdictions:
United States of America

  • Past practices. The statements in this notice are our data processing activities for the described scope of the notice both as current and within the past 12 months
  • Protected health information under HIPAA. This notice does not apply to our data processing activities and practices for Protected Health Information (PHI), which is regulated under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). In those cases, you may have received a Notice of Privacy Practices from ExThera Medical or your health care provider which will govern that data use. Data governed under HIPAA may be deidentified through either or both the Safe Harbor and Expert Determination methods. While that data is then deidentified, ExThera Medical does not, and will not permit others to, reidentify deidentified PHI except as required by applicable law or as directly consented to by the subject of that PHI.
  • Sales/sharing of personal data: ExThera Medical does not sell your personal data for money or other consideration, nor share it for direct or behavioral marketing purposes, with unrelated third parties, except as described in the “Our Use of Cookies and Other Tracking Mechanisms” section
  • Right to opt-out or object. As noted above, you may have the right to opt-out of some processing, such as sharing data with third parties for their own or for cross-contextual marketing, sales of personal data, making certain decisions or profiles about you by automated or artificial means, or certain kinds of automated/prerecorded telephonic messages
  • Right to restrict or limit. In some jurisdictions you may have the right to restrict some processing if the data is sensitive and used for purposes additional to delivering requested goods/services
  • Exercising your privacy rights. United States residents can file a privacy rights request by contacting us by email or phone. You do not have to create an account with us to submit a request

Updates to this privacy notice
This Policy is current as of the last revision date set forth above. We may change this Policy from time to time, so please be sure to check back periodically. We will post any changes to this Policy on our Site. If we make any changes to this Policy that materially affect our practices with regard to the personal information we have previously collected from you, we will endeavor to provide you with notice in advance of such change by highlighting the change on our Site.

How to contact us
If you would like to exercise your privacy rights or if you have any questions about this privacy notice you may contact us as follows:

General inquiries (all geographies): By email [email protected]

U.S. inquiries: By email via the general inquiries email address or phone (925) 839-2060. You may also send mail to our general-purpose corporate mailing address:

ExThera Medical, Inc.
757 Arnold Dr. Suite B
Martinez CA, 94553
USA

MM00064 Rev D