Last updated May 5, 2025
1. WHO WE ARE
This Privacy Notice explains how Niche Biomedical, Inc. d/b/a ANEUVO (“ANEUVO”, “we”, “us”, or “our”) collects, processes, and protects your personal data when you use the ExaStim® Programmer Application (“App”), the ANEUVO User Portal (“User Portal”), and/or the ANEUVO website (collectively, “Services”).
Data Controller (Art. 4(7) GDPR):
Niche Biomedical, Inc.
10940 Wilshire Blvd, Suite 2030
Los Angeles, CA 90024, USA
Email: dataprivacy@aneuvo.com
EU Representative:
In accordance with Article 27 of the GDPR, ANEUVO has appointed a representative within the European Union for matters related to the processing of personal data of individuals located in the EU.
Our appointed EU Representative serves as the point of contact for:
- Data subjects exercising their rights under GDPR,
- Communications with supervisory authorities concerning data protection matters.
You may contact our EU Representative at the following address:
heyData GmbH
Schützenstraße 5
10117 Berlin
Germany
Email: support@heydata.eu
Data Protection Officer
We have appointed a Data Protection Officer to oversee questions in relation to this Privacy Notice:
Name: heyData GmbH
E-mail: support@heydata.eu
Postal address: (as above, please mark “Attn: DPO”).
For all inquiries regarding the processing of your personal data, including exercising your rights under GDPR, you may either contact:
- Our EU Representative (contact details above), or
- ANEUVO directly at dataprivacy@aneuvo.com
Both ANEUVO and its EU Representative will cooperate with competent supervisory authorities, as required under GDPR.
2. SCOPE OF THIS PRIVACY POLICY
This Privacy Notice applies to:
- Users of the ExaStim® App.
- Users managing therapy via the ANEUVO User Portal hosted by Galen.
- Use of the ExaStim® Stimulation System, a CE-marked medical device under Regulation (EU) 2017/745 (“MDR”).
- Users of our website.
3. HOW WE COLLECT AND USE PERSONAL DATA
When you use our Services, we collect and process the following categories of personal data:
3.1 Account and Operational Data
- Full name or alias
- Institutional affiliation
- Provider number
- Date of birth
- Gender and other demographic data
- Email address
- Postal address
- Username and password (encrypted)
- Device ID, IMEI, and serial number
- Device model and operating system
- App version installed
- Registration date and time
- Language and region settings
- User Portal settings and preferences
We do not knowingly collect precise GPS location, payment card data, or national identifiers.
Purpose: To register your account, provide access to the App and Portal, and ensure system security.
3.2 Health and Treatment Data
- Diagnosis and treatment information
- Therapy settings (stimulation intensity, electrode configuration)
- Session logs (dates, durations, frequencies)
- Symptom tracking (pain levels, spasticity reports)
- Therapy progress notes
- Feedback on therapy effectiveness
- Device programming settings history
- Adverse event reports or device-related incidents
Purpose: To deliver therapy services, enable clinician management, monitor outcomes, and fulfill legal obligations under MDR.
3.3 Website, Device and Application Usage Data
- IP address during device registration
- Login timestamps
- App crash reports
- Firmware versions
- Connectivity and browsing information (Wi-Fi, mobile data usage, browsing history, search history, online behavior, interest data, and interactions with our and other websites, applications, systems, and advertisements)
- Technical and diagnostic logs
Purpose: To provide technical support, secure the Services, and improve functionality.
3.4 Support and Communication Data
- Inquiries and service requests
- Support case notes and troubleshooting information
- Communication history (calls, emails, support chat logs)
Purpose: To respond to requests, solve technical issues, and improve user experience.
3.5 Aggregated, Anonymized, and De-Identified Data
- Aggregated stimulation performance statistics
- De-identified usage patterns and app interactions
- Statistical data models
Purpose: For research and development, product improvement, scientific publications, and marketing insights.
3.6 Product Safety and Regulatory Compliance Data
- Adverse events or incidents related to the Device
- Device performance reports
- Data provided to regulatory authorities (if necessary)
Purpose: To comply with post-market surveillance obligations under MDR.
3.7 Voluntary Feedback and Surveys
- Survey responses
- User satisfaction ratings
- Social media profiles
- Photographs, images, videos
- Testimonials, comments, product reviews or other voluntary feedback
Purpose: To assess product and service quality and drive improvements.
4. PURPOSES AND LEGAL BASES FOR PROCESSING
We process your data for the following purposes and rely on the following legal bases:
| Purpose | Legal Basis |
|---|---|
| Account registration, authentication, and access | Art. 6(1)(b) GDPR (Contract performance) |
| Provision of therapy and healthcare support | Art. 9(2)(a) GDPR (Explicit consent) |
| Post-market surveillance and regulatory compliance | Art. 9(2)(i) GDPR |
| Service optimization and troubleshooting | Art. 6(1)(f) GDPR (Legitimate interest) |
| Scientific research, algorithm training (anonymized data) | Art. 6(1)(f) GDPR |
| Direct marketing communications (if consented) | Art. 6(1)(a) GDPR |
| Protect vital interests (e.g., safety issues) | Art. 6(1)(d) GDPR and Art. 9(2)(c) GDPR |
Where we rely on legitimate interests, we have carried out a balancing test which you can request at any time.
5. DATA SHARING, RECIPIENTS, AND CATEGORIES OF RECIPIENTS
We may disclose your personal data to carefully selected recipients for the purposes for which you disclosed the data or as defined in this Privacy Notice.
Data recipients may include:
| Recipient Category | Purpose |
|---|---|
| Hosting and Cloud Providers (e.g., Galen) | Hosting the User Portal, maintaining secure databases |
| Technical Service Providers | Application support, device management, troubleshooting services |
| Customer Support Providers | Processing service inquiries and user support |
| Legal Advisors and Auditors | Compliance with legal obligations, audits, defending claims, corporate transactions |
| Regulatory Authorities (e.g., FDA, European Competent Authorities) | Fulfilling obligations for post-market surveillance and safety reporting |
| Data Analytics Providers (only anonymized, aggregated data) | Product improvement, scientific research |
| Emergency Services | Protecting vital interests in urgent safety matters |
Important: These recipients act as processors (Art. 28 GDPR) and are contractually bound to:
- Only process data under our instructions,
- Implement adequate technical and organizational security measures,
- Ensure confidentiality and integrity of personal data,
- Not subcontract without prior authorization.
6. DATA TRANSFERS AND INTERNATIONAL DATA DISCLOSURE
In some cases, we may transfer your personal data to recipients located outside the European Economic Area (EEA) or Switzerland (i.e., “third countries”). Whenever your data is transferred internationally, we ensure an equivalent level of protection by:
- Transferring only to countries with an adequacy decision by the European Commission under Art. 45 GDPR, or
- Implementing Standard Contractual Clauses (SCCs) adopted by the European Commission under Art. 46 GDPR, or
- Ensuring other appropriate safeguards such as binding corporate rules (BCRs), approved codes of conduct, or certification mechanisms (Art. 46(2) GDPR).
Countries where our service providers may process data:
- United States
- United Kingdom
- Ireland
Safeguards applied for international transfers:
- End-to-end encryption of all personal data transmissions
- Pseudonymization where feasible
- Access restriction (only to authorized personnel)
- Continuous security monitoring of cloud infrastructure
Transfers to Authorities:
We may disclose personal data to law enforcement, regulatory agencies, or public authorities if:
- Required by applicable law, regulation, legal process, or governmental request,
- Necessary to protect vital interests of individuals.
7. DATA AGGREGATION AND ANONYMIZATION
We anonymize or aggregate your data:
- To improve device effectiveness.
- To support research and development.
- To generate scientific publications.
- For market analysis without identifying individuals.
8. HOW WE PROTECT YOUR DATA
We have implemented appropriate and reasonable technical and organizational measures designed to protect the security of any personal data we process.
Our security measures include:
- Encryption of personal data both in transit and at rest,
- Access controls and authentication mechanisms,
- Regular security audits and vulnerability assessments,
- Secure software development practices,
- Ongoing employee training in data protection and security,
- Business continuity and disaster recovery procedures.
However, despite our safeguards and efforts to secure your data, no electronic transmission over the Internet or information storage technology can be guaranteed to be 100% secure, so we cannot promise or guarantee that hackers, cybercriminals, or other unauthorized third parties will not be able to defeat our security and improperly collect, access, steal, or modify your data. Although we will do our best to protect your personal data, transmission of personal data to and from our Services is at your own risk. You should only access the Services and Product within a secure environment.
9. HOW LONG WE STORE YOUR DATA
We store your personal data only for as long as it is necessary to fulfill the purposes for which it was collected, or as required by applicable laws and regulations.
In particular, the following retention obligations apply:
- Commercial and tax laws (e.g., German Commercial Code, US Internal Revenue Code) may require us to retain certain operational and contractual records for up to 10 years.
- MDR requires that documentation relating to the safety and performance of a medical device, including device usage records, incident reports, and regulatory data, must be stored for at least 10 years after the last device has been placed on the market.
- Where necessary, we may retain personal data for longer periods if required to establish, exercise, or defend legal claims.
If personal data is no longer required for the purposes for which it was collected and no legal or regulatory obligations require its continued retention, the data will be securely deleted or anonymized.
Additionally, if you have provided consent for the processing of personal data for specific extended purposes (e.g., research, analytics), we may store such data until consent is withdrawn or until it is no longer needed for those purposes.
10. YOUR RIGHTS AND CHOICES AS A DATA SUBJECT
As a data subject, you have the following rights:
- Right of Access (Art. 15 GDPR): You have the right to obtain confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to your personal data and additional information about the processing.
- Right to Rectification (Art. 16 GDPR): You have the right to request the correction of inaccurate personal data or the completion of incomplete personal data we hold about you.
- Right to Erasure / Right to be Forgotten (Art. 17 GDPR): You have the right to request the deletion of your personal data without undue delay, provided that the processing is no longer necessary or there are no overriding legitimate grounds for retention. In such cases, we will also instruct you to uninstall the ExaStim® App from your device to complete the deletion process.
- Right to Restriction of Processing (Art. 18 GDPR): You have the right to request that we restrict the processing of your personal data, for example while we verify its accuracy or assess an objection you have raised.
- Right to Data Portability (Art. 20 GDPR): You have the right to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format, and the right to transmit that data to another controller where technically feasible.
- Right to Object to Processing (Art. 21 GDPR): You have the right to object at any time to the processing of your personal data based on legitimate interests or direct marketing purposes.
You may also withdraw your consent at any time, where the processing is based on your consent. Withdrawal does not affect the lawfulness of processing based on consent before its withdrawal. Please note that if you withdraw your consent, you may no longer be able to use the ExaStim® App, the User Portal, or the related services, to the extent that they rely on the processing of your personal data.
11. EXERCISING YOUR RIGHTS AND TELLING US YOUR CHOICES
To exercise any of your rights or to tell us of your choices, please contact us by email at: dataprivacy@aneuvo.com
We may require you to provide appropriate proof of identity to ensure that your data is only disclosed to you or your authorized representative.
You also have the right to lodge a complaint with the supervisory authority for your member state, such as:
Belgian Data Protection Authority
Rue de la Presse 35 – Drukpersstraat 35, 1000 Bruxelles – Brussel
Belgium
Phone: +32 2 274 48 00
Email: contact@apd-gba.be
Website: https://www.autoriteprotectiondonnees.be
12. AGE RESTRICTIONS
The ExaStim® Programmer Application and User Portal are intended for users aged 18 years and older.
We do not knowingly collect, solicit data from, or market to users under 18 years of age, nor do we knowingly sell such personal data. By using the Services and Product, you represent that you are at least 18 or that you are the parent or guardian of a minor user and consent to that minor dependent’s use of the Services. If we learn that personal information from users under 18 years of age has been collected, we will deactivate the account and take reasonable measures to promptly delete such data from our records. If you become aware of any data we may have collected from children under age 18, please contact us at dataprivacy@aneuvo.com.
13. AUTOMATED DECISION-MAKING
The App may suggest therapy parameter adjustments based on aggregated efficacy data. These suggestions are not fully automated; a qualified clinician must validate them. Therefore, Art. 22 GDPR does not apply. Should fully automated decisions be introduced, we will update this notice and provide the right to obtain human review.
14. CHANGES TO THIS PRIVACY NOTICE
We may update this Privacy Notice as necessary to reflect changes in law, technology, or business practices. Significant changes will be communicated in an appropriate manner before they become effective, including by posting a notice within the App. The version date at the top of this Privacy Notice indicates when it was last updated.