DREEM U.S. INC

Privacy Policy

Version: 1

Last Updated: 25/03/2022

This privacy notice (“Privacy Notice”) describes how Data (defined below) and/or medical information about you may be used and disclosed and how you can obtain access to this information. Please review it carefully.

Introduction

We at Dreem U.S. Inc. (“we”, “us”, “the Company”, or “Dreem”) value your privacy and are committed to keeping your personal data confidential. We use your data solely in the context of providing a telehealth platform (the “Platform”) and associated services and Products (defined below) (collectively, the Platform and the associated services and Products are the “Services”) through which you can access Dreem’s affiliated network of sleep medicine specialists. As part of the Services, we may collect and process personally identifiable information, including Protected Health Information (as this term is defined under the Health Insurance Portability and Accountability Act (“HIPAA”). This Privacy Notice describes what personal data we collect, how and why we collect it, how we protect it, and your rights as a data subject.

Definitions

In this Privacy Notice, terms and expressions beginning with a capital letter have the meaning given to them below or elsewhere in this Privacy Notice:

  1. Account: The account opened by a User for the purpose of using the Services.

  2. Connected Equipment: Any Product connected to the internet network, mobile application, website, or web application allowing to carry out Data Processing.

  3. Data: This term means data that Dreem collects from Users, including, but not limited to, any personally identifiable information and Protected Health Information, about a User that is collected by Dreem. Data may include first and last name, physical address, e-mail address, telephone number, Social Security Number, or any other identifier that permits the physical or online contacting of that User.

  4. Data Processing: Any operation or set of operations relating to Data, such as collection, storage, or use.

  5. Protected Health Information: This term has the meaning set forth in the Health Insurance Portability and Accountability Act and its implementing regulations.

  6. Partners: Dreem’s business contacts, customers, providers, and suppliers.

  7. Product(s): All medical equipment and devices, accessories, and software made available by Dreem.

  8. Site(s): Any website published and/or hosted by or on behalf of Dreem.

  9. User: Any person of legal age accessing the Site, Connected Equipment, and/or the Services.

Privacy Notice Applicability

This Privacy Notice applies to Data that Dreem collects from Users of the Dreem Services, Connected Equipment, and Sites.Please note that the term “Data”, as described above, includes any information that can be used on its own or with other information in combination to identify or contact one of our Users.Some of the Data we collect and transmit may be considered “health data” (i.e., data related to your physical or mental health), “Protected Health Information” or “PHI” (i.e., information that relates to your past, present, or future physical or mental health or condition(s); the provision of health care to you; or the past, present, or future payment for the provision of health care to you), and/or medical records as defined by state law.

We believe that privacy and transparency about the use of your Data are of utmost importance. Therefore, our privacy practices are intended to comply with the Health Insurance Portability and Accountability Act (“HIPAA”) and relevant state laws related to the use and disclosure of medical records, where applicable. Additionally, in this Privacy Notice, we provide you detailed information about our collection, use, maintenance, and disclosure of your Data. This Privacy Notice explains what kind of information we collect, when and how we might use your Data, how we protect your Data, and your rights regarding your Data.

For additional information related to how we use and disclose your Data, please contact our Privacy Officer at dsc-privacy@dreem.com.

Please note that this Privacy Notice does not address the use of cookies and other tracking files. These elements are described in the cookie management policy accessible on any Dreem Sites or on the Platform.

Note regarding third-party sites: Our Services and Sites may contain links to other sites that are not operated by Dreem. If you click a third-party link, you will be directed to that third party’s site. We strongly advise you to review the privacy policy(ies) of every site you visit. Dreem has no control over and assumes no responsibility for the content, privacy policies, or practices of any third-party sites or services.This Privacy Notice does not apply to your use of or access to any third-party sites or services.

Agreement to Privacy Notice Terms

BY ACCESSING AND/OR USING THE SERVICES AND SITES,YOU ARE ACKNOWLEDGING THAT YOU HAVE READ AND AGREE TO THE TERMS OF THIS PRIVACY NOTICE.IF YOU DO NOT AGREE, YOU MUST IMMEDIATELY CEASE USING THE SERVICES AND SITES.

Rejection by you of the current Privacy Notice or any new version of the Privacy Notice will preclude you from using the Connected Equipment, Services, and/or Sites, and will result in the deletion of your Data, except where it is prohibited by law or regulation.

Your withdrawal of consent or your objection to the processing of your Data that is necessary for the performance of our Services, will result in the termination of Data, and subsequently, will result in the termination of your ability to use our Services. The termination of our Services will result in the return of our Products and/or the cessation of the use of the Connected Equipment, including the cessation of use of our mobile applications and Sites.

Pursuant to applicable law, any Processing of Data carried out prior to your objection or withdrawal of consent to such Data Processing, remains lawful. Data that has been collected and processed prior to your objection or withdrawal of consent will be retained for a specific and specified period of time. In addition to the right to object or withdraw consent, you may exercise your rights with respect to the Data processed prior to such objection or withdrawal of consent, as described above.

Legal Basis for Data Processing

Dreem processes your Data based on legitimate business interests, the fulfillment of our Services to you, compliance with our legal obligations, and/or your consent. We only use or disclose your Data when it is legally mandated or where it is necessary to fulfill those purposes described in this Privacy Notice. Where required by law, we will ask for your prior consent before disclosing your Data to a third party. Our legal bases for processing your Data depend on the particular processing purposes, and include, but are not limited to, the following:

  • Contract: When Dreem processes Data for the purpose of providing you with access to our Services, Connected Equipment, or Sites, we process data on the basis of a contract between you and Dreem, which is formed at the time of Account creation and acceptance of the Terms of Use.

  • Consent: Where required by law, we will ask for your prior consent before processing or disclosing your Personal Health Information.

  • Legitimate Interest: Dreem may process Data on the basis of its legitimate business interests for the purposes of marketing Services and Connected Equipment, providing customer service, and/or improving Services and Connected Equipment.

  • Legal Obligation: Dreem must process certain Data to comply with legal obligations, which may vary in each country.

Purposes of Data Processing

If we provide you with Connected Equipment or a Product, we will, with your consent, carry out the following Data Processing functions:

  • The collection and remote processing by electronic transmission of your Data relating to the use of the Connected Equipment or Product, and

  • Electronic transmission of usage data to your healthcare provider, if requested and if the Connected Equipment or Product allows for such transmission.

In addition, we may process your Data for the following legitimate business purposes in compliance with applicable law:

  • To provide Services and/or Connected Equipment;

  • To fulfill our obligations to you under the Terms of Use;

  • To communicate with you about and manage your Account;

  • To properly store and track your data within our system;

  • To respond to lawful requests from public and government authorities, and to comply with applicable state/federal law, including cooperation with judicial proceedings and court orders;

  • To protect our rights, privacy, safety, or property, and/or that of you or others by providing proper notices, pursuing available legal remedies, and acting to limit our damages;

  • To handle technical support and other requests from you;

  • To enforce and ensure your compliance with our Terms of Use or the terms of any other applicable services agreement we have with you;

  • To manage and improve our operations and the Platform and Sites, including the development of additional functionality;

  • To manage payment processing;

  • To evaluate the quality of service you receive, identify usage trends, and improve your user experience;

  • To keep our Platform and Sites safe and secure;

  • To send you information about changes to our terms, conditions, and policies;

  • To allow us to pursue available remedies or limit the damages that we may sustain;

  • To enable you to connect with or share Data with your healthcare provider, which enables that healthcare provider to monitor your progress and overall condition as he/she deems appropriate;

  • To conduct surveys relating to Dreem’s activities and the Services provided; and

  • To carry out research, study, or evaluation programs that respect your privacy, after all the conditions required by the applicable regulations have been met. This may include: (i) research, study, or evaluation programs of our activities, practices, or materials provided as part of the Services; and (ii) the development, coordination, and/or improvement of our activities, including the materials and tools used in the course of our activities, such as computer tools and/or algorithms.

In addition, for the purpose of continuous improvement of the quality and content of our services, we analyze aggregated statistics in such a way as to guarantee the anonymity and respect of the privacy of our Users.

Collected and Processed Data

To enable the use of the Services, Connected Equipment, and/or Sites, the collection and processing of Data by Dreem is necessary.

We collect five types of information from our Users: (i) demographic data; (ii) medical data; (iii) support data; (iv) technology data; and (v) economic data. Each category of data is explained in depth below.

Demographic DataDreem collects demographic data from Users, which may include, but not be limited to, your name, birth year, gender, height, weight, phone number, and e-mail address. The collection of this demographic data is primarily used to create your Account, which you can use to securely receive the Services.

Medical DataIn addition to demographic information, we may collect information regarding your health conditions, including, but not limited to, images, age, gender, weight, height, medical history, symptoms, and communications between you and your healthcare provider who is providing services to you via the Platform. We collect this information to provide you with the Services and to provide your health care provider with the information required to provide medical treatment through the Platform. As part of our Services, we may also collect sleep and other data that you provide through Connected Equipment or Products.

Support DataIf you contact us for support or to lodge a complaint, we may collect technical or other information from you through log files and other technologies, some of which may qualify as Data (e.g., IP address). Such information will be used for the purposes of troubleshooting, customer support, software updates, and improvement of the Platform and related Services in accordance with this Privacy Notice. Calls with Dreem may be recorded or monitored for training, quality assurance, customer service, and reference purposes.

Technology DataWe use common information-gathering tools, such as log files, cookies, web beacons, and similar technologies to automatically collect information, which may contain Data from your computer or mobile device as you navigate our Platform or interact with emails or other communications we have sent you. The information we collect may include your IP address (or proxy server), device and application identification numbers, location, browser type, Internet service provider and/or mobile carrier, the pages and files you viewed, your searches, your operating system and system configuration information, and date/time stamps associated with your usage. This information is used to analyze overall trends, help us provide and improve our Services, and ensure the proper functioning and security of the Platform and Services.

Economic DataWe may collect economic and financial data, including payment data and purchase data, if you elect to purchase a Service or Connected Device through Dreem.

Dreem may collect this Data directly from you, indirectly on Dreem’s Sites, or by Dreem’s Partners. Further, this Data may be transmitted via telephone calls, telecommunication services (e.g., via the Internet), or through the automatic remote electronic transmission capabilities of the Products and Connected Equipment.

In certain instance, Dreem may require you to provide specific Data before access a Service or Site. When this occurs, the required Data will be indicated by an asterisk. You will then need to provide this required Data to continue the use of the Services. If you do not wish to provide the required Data, you can stop using the Services.

Data Accuracy

The proper use of the Products or Connected Equipment that Dreem provides to you (if applicable) is essential to ensure that the Data collected is accurate. The integrity of the Data and its accuracy is ensured only in the absence of intervention by someone other than our staff or our authorized Partner’s staff.

We maintain reasonable technical controls to ensure the confidentiality, accuracy, durability, and integrity of the Data placed under our responsibility.

Data Storage and transfers

Your Data may be transferred to and stored in other locations within the European Economic Area. These locations may be maintained by us, or our service providers, or our Partners. The purpose of the transfer and storage of data in other locations includes, among other things, the provision of support services. By submitting your Data, you consent to such transfer and storage.

Your Rights in Regard to the Data Dreem Collects

Depending on the legal basis of collection, the location of the collection, and the purpose of the collection, you may have different rights with respect to your Data. These rights may include:

  • Right of access and correctionYou may request access to your Data and, if you believe such data is inaccurate, you may request correction of that Data.

  • Right to withdraw consentYou may at any time withdraw your consent to the processing of Data concerning you. Any withdrawal of consent will only be valid for the future and will not apply to previously collected or used Data.

  • Right to objectYou may object to the processing of your Data, provided that you give a legitimate reason. A legitimate reason is not necessary if you object to the processing of your Data for a commercial purpose.

  • Right to be forgottenYou have the right to have your Data erased after a certain period of time.

  • Right to limitation of processingYou may request that your Data be subject to limited processing in certain circumstances.

  • Right to portabilityYou may request (i) a copy of the Data you have provided to Dreem, or (ii) that Dreem transfer your Data to another entity.

  • Right not to be subject to an automated individual decision: If you are subject to an automated individual decision you may request to see the logic behind the decision and discuss it with a natural person. An automated individual decision refers to decisions taken about you by technological means and without any human involvement (e.g., algorithmic decisions based on your Data).

Data security

Transmission of Data over the Internet is never 100% secure or error-free. However, we take reasonable and appropriate measures to protect your Data from loss, misuse, and unauthorized access, disclosure, alteration, and destruction. The measures include, but are not limited to, implementation of technical, organizational, and physical controls to safeguard Data.

However, it is your responsibility to safeguard your Account credentials (passwords and User IDs) and to notify us if you ever suspect that your credentials for our Services have been compromised. You are solely responsible for any unauthorized use of our Services conducted via your credentials. Dreem shall not be liable for unauthorized access if it's the User’s fault.

Dreem agrees to notify you within the legally required timeframe upon becoming aware of any unauthorized access to your Data that is maintained by Dreem or one of its Partners, for fulfillment of the Services provided by Dreem. Notification of any such Data breach is a legal obligation and shall not be construed as an admission of any liability on the part of Dreem for its occurrence or operation.

You acknowledge and agree that Dreem's security obligations are limited to the scope of the Services.

Disclosure of Data

Dreem does not share, sell, or otherwise disclose your Data for purposes other than those outlined in this Privacy Notice. We may use or disclose aggregated or pseudo-anonymized information about Users, and information that does not identify any individual, without restriction.

Dreem may disclose Data that is collected from, or provided by, you as described in this Privacy Notice. In particular, we may share your Data with the following categories of individuals/entities:

Business Partners and VendorsWe share Data with a limited number of Partners, service providers, and other persons/entities who help run our business (collectively, “Business Partners”). Specifically, we may employ third-party companies and individuals to facilitate our Services, provide Services on our behalf, perform Service-related functions, or assist us in analyzing how our Services are used. Our Business Partners are contractually bound to protect your Data and to use it only for the limited purpose(s) for which it is shared. Business Partners’ use of Data may include, but is not limited to, the provision of services such as data hosting, IT services, customer services, and payment processing. Additionally, we share Data with our contractors, service providers, and other third parties that help support our Products.

Our AdvisorsWe may share your Data with third parties that provide advisory services to Dreem, including, but not limited to, our lawyers, auditors, accountants, and banks (collectively, “Advisors”). Data will only be shared with Advisors if Dreem has a legitimate business interest in the sharing of such data.

Provider UsersTo use the Services, Users will be affiliated with one or more healthcare providers. As part of the Services, we will share your Data with your assigned healthcare provider. If at any point you want to deny access to one or more healthcare providers, you can do so by emailing dsc-privacy@dreem.com.

Third Parties Upon Your Direction or ConsentYou may direct Dreem to share your Data with third parties. Upon your request and consent, we may share such Data with those third parties that you identify.

Third Parties Pursuant to Business TransfersIn the event of a reorganization, merger, sale, joint venture, assignment, transfer, or other disposition of all or any portion of Dreem’s corporate entity, assets, or stock (including in connection with any bankruptcy or similar proceedings), we may share your Data with a third party.

Government and Law Enforcement AuthoritiesIf reasonable and necessary, we may share your Data to (i) comply with legal processes or enforceable governmental requests, or as otherwise required by law; (ii) cooperate with third parties in investigating acts or omissions that violate this Privacy Notice or the Terms of Use; or (iii) bring legal action against someone who may be violating the Terms of Use or who may be causing intentional or unintentional injury or interference to the rights or property of Dreem or any third party, including other users of our Services.

Retention Period

Dreem will not retain Data beyond a reasonable period of time and will only retain it for as long as we have a legal basis to do so. When we no longer have a legitimate ongoing business need or contractual/legal obligation to retain your Data, we will delete or anonymize it or, if this is not possible (for example, because your Data has been stored in a backup archive), then we will store your Data and secure it using the same, or materially similar safeguards, and isolate it from further processing until deletion is possible.

The exact data retention period varies according to the nature of the Data and the processing involved.

What Happens to Personal Data Submitted by Minors?

Dreem does not knowingly collect Data from individuals under the age of 18. Additionally, our Services are not directed to individuals under the age of 18. We request that these individuals not provide Data to us. If we learn that Data from users under the age of 18 has been collected, we will deactivate the Account associated with that data and take reasonable measures to promptly delete such data from our records. If you are aware of a user under the age of 18 accessing the Services or Platform, please contact us at dsc-privacy@dreem.com.

If you are a resident of California under the age of 18 and have registered for an Account with us, you may ask us to remove content or information that you have posted to our Platform.

Update, Correct, or Delete Data

You have the right to request restrictions on uses and disclosures of your Data. While we are not required to agree to all restriction requests, we will attempt to accommodate reasonable requests when appropriate.

You may change your email address and other contact information by accessing your Account. If you need to make changes or corrections to other information, you may contact us at  dsc-privacy@dreem.com. In order to comply with certain requests to limit use of your Data, we may need to terminate your ability to access and/or use some or all of the Services. BY REQUESTING TO LIMIT USE OF YOUR PERSONAL DATA OR DELETE PERSONAL DATA, YOU ACKNOWLEDGE AND AGREE THAT DREEM WILL NOT BE LIABLE TO YOU FOR ANY CORRESPONDING LIMITATION IN THE SCOPE OF SERVICES OR TERMINATION OF SERVICES AS NECESSARY TO COMPLY WITH YOUR REQUEST.

You have the right to request deletion of any Data from your Account or the Dreem Platform. To request deletion of your Data, please email us at dsc-privacy@dreem.com and include a description of the Data you would like removed. We will respond to all requests for data deletion as soon as reasonably possible.

Should you decide to delete your User Account entirely, you may do so by emailing dsc-privacy@dreem.com. By terminating your Account, you agree that you will not be able to access any information previously contained in your Account. You further understand that it may not be technologically possible to remove all of your Data from our systems. While we will use reasonable efforts to remove your Data, the need to back up our systems to protect information from inadvertent loss means a copy of your Data may exist in a non-erasable form that will be difficult or impossible for us to locate or remove.

Changes to this Privacy Notice

Please note that we occasionally update this Privacy Notice, and it is your responsibility to stay up to date with any amended versions. Any revisions to this Privacy Notice will be posted on the applicable Dreem Site and the applicable Platform. Any changes to this Privacy Notice will be effective immediately upon publication and will apply to all Data that we maintain, use, and disclose. If you continue to use the Services and Sites following such notice, you are agreeing to those changes

Account Deletion

If at any point you no longer agree to the use and disclosure of Data, as described in this Privacy Notice, you can delete your user account by sending a deletion request to  dsc-privacy@dreem.com with the following information:

  • Your login email address; and

  • A statement that you are requesting account deletion.

Questions or Concerns

If you have any questions or concerns after reading this Privacy Notice, please do not hesitate to contact us at dsc-privacy@dreem.com. We appreciate your feedback.