PRIVACY POLICY

At MITRAL, respecting your privacy and protecting your personal data are our priority.

This Privacy Policy (the “Privacy Policy”) aims to inform you about the methods of processing your personal data and your rights when using the application Apneal Lite (the “Application”) in accordance with Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the “GDPR”) and Law No. 78-17 of January 6, 1978 relating to information technology, files and freedoms in its latest version in force (together the “Applicable Regulations”).

The Privacy Policy does not describe the methods of collecting and processing your data via cookies and other tracers (the “Cookies”) on the Application. For more information, please see our Cookie Policy.

  1. Who is the data controller?

The data controller is the company MITRAL, a simplified joint-stock company registered with the Créteil Trade and Companies Register under number 893 531 509, whose registered office is located at 5 avenue Jean Jaurès, 94220, Charenton-le-Pont (“We”, “Us”, “Our”).

  2. How is your personal data collected?

We may collect your personal data in two ways:

  3. Details on the processing of your personal data

When using the Application, we may also collect health data about you as indicated in the table below. This data is only collected with your express consent via the button available when you register on our Application. You can withdraw your consent at any time by writing to us using the contact details provided in article 6.

Mandatory data is indicated as such, by any means, when you provide us with your data.

| Purposes | Personal data concerned | Legal basis | Retention periods |
| --- | --- | --- | --- |
| Allow you to create an account on our Application | Email address, first name, last name, date of birth, telephone number | Execution of the contract you have entered into with Us (in particular the acceptance of our General Conditions of Use) | Your data is kept for the duration of your account. Your connection logs are kept for 1 year. If your account is inactive for 2 years, your personal data will be deleted or anonymized if you do not respond to our reactivation email. In addition, your data is archived for 10 years to meet materiovigilance obligations and to allow you, if you wish, to resume longitudinal monitoring. |
| Provide you with the services available on our Application through your account | Data relating to the quality of your sleep, including health data: quality of sleep, fatigue, possible depression, age, sounds and chest movements during sleep, medical history, social security number, information on your treatment pathway and your treatments. | Execution of the contract you have entered into with Us (in particular the acceptance of our General Conditions of Use). For health data: your consent | Your data is kept for the duration of your account. If your account is inactive for 2 years, your personal data will be deleted if you do not respond to our reactivation email. |
| Respond to requests to exercise rights by data subjects | Required: name, first name, email address. Optional: copy of an identity document in case of doubt. | Comply with our legal and regulatory obligations (derived from the GDPR) | If we ask for proof of identity: we only keep it for as long as necessary to verify your identity. Once verified, the proof of identity is deleted. |
| Monitor requests to exercise rights by data subjects | Name, first name, email address. | Our legitimate interest in following up on your requests to exercise your rights | The information allowing the management of your requests to exercise rights under the GDPR will be kept for 3 years from the request. |

  4. Who are the recipients of your data?

The following will have access to your personal data:

  1. The staff of our company;
  2. Our subcontracted hosting service providers: Amazon Web Services, Google Cloud Platform, Omnidoc, Ordoclic;
  3. If you decide to give access to your data to your caregivers or prescribers (e.g., general practitioner, pharmacist, specialist, etc.), they will be able to access your data. They will then act as independent data controllers. We disclaim all liability for the processing of personal data carried out by them and we invite you to contact them if you wish to know more about the processing of your personal data;
  4. To any authority legally authorized to know, in particular the judicial, police or administrative authorities if they so request.

  5. Is your data likely to be transferred outside the European Union?

Your data is kept and stored for the entire duration of processing on the servers of Amazon Web Services, Google Cloud Platform, Omnidoc and Ordoclic, HDS certified, located in the European Union.

As part of the tools we use (see article on recipients regarding our subcontractors), your data may be transferred outside the European Union. The transfer of your data in this context is secured using the following tools:

You can obtain a copy of the tools enabling transfers of your data outside the European Union by contacting us using the contact details provided in article 6.

  6. What are your rights over your data?

6.1. You have the following rights with respect to your personal data:

You can exercise these rights by writing to us at the following address: dpo@dmh-aphp.fr.

We may ask you on this occasion to provide us with additional information in the event of reasonable doubt or any document likely to prove your identity if the doubt persists.

6.2. For any questions or requests that remain unsuccessful, you have the right to lodge a complaint with the competent supervisory authority, in France, the National Commission for Information Technology and Civil Liberties (“CNIL”), located at 3 Place de Fontenoy - TSA 80715 - 75334 PARIS CEDEX 07.

  7. What security measures do we implement?

We are committed to implementing technical and organizational measures to ensure the security, integrity, authenticity, and confidentiality of your personal data.

We ensure that our subcontractors also maintain a similar level of protection to ours when processing your personal data.

  8. Modifications

We may modify this Privacy Policy at any time, in particular to comply with any regulatory, jurisprudential, editorial or technical developments. These modifications will apply from the date the modified version comes into force. You are therefore invited to regularly consult the latest version of this policy. However, we will keep you informed of any significant changes to this privacy policy.

Entry into force: 21/05/2025

version 1.0 - 21/05/2025