Voice Privacy Policy
Applicable to Users and Data Subjects
Last updated: May 5, 2026
Preamble
The purpose of this Privacy Policy (hereinafter the “Policy”) is to inform Data Subjects of the conditions under which Gleamer collects, uses, and protects their Personal Data in connection with the publishing and operation of Voice and its related commercial and operational activities.
This Policy supplements the General Terms of Use of Voice (the “GTU”), the Agreement entered into between Gleamer and the Institution, as well as, where applicable, the applicable Data Processing Agreement (“DPA”). In the event of a conflict regarding Gleamer’s role as Processor, the provisions of the DPA shall prevail.
For the purposes of this Policy, capitalised terms shall have the meaning ascribed to them in the GTU or as defined below:
- “Data Controller”: means the natural or legal person that determines the purposes and means of the Processing.
- “Processor”: means the natural or legal person that processes Personal Data on behalf of the Data Controller.
- “Processing”: means any operation applied to Personal Data.
- “Data Subject”: means the natural person whose Personal Data is subject to Processing.
- “DPO”: means the Data Protection Officer appointed by Gleamer in accordance with Article 37 of the GDPR.
- “PIA”: means the Privacy Impact Assessment of Voice, made available to Users and client Institutions.
Article 1 — Roles and Responsibilities
Article 2 — Identity of the Data Controller and DPO Contact Details
2.1. The Data Controller, for the Processing activities described in this Policy for which Gleamer acts as Data Controller, is Gleamer, a simplified joint-stock company (société par actions simplifiée) with a share capital of EUR 375,795, registered with the Créteil Trade and Companies Register under number 834 105 470, with its registered office at 14 avenue du Général de Gaulle, 94160 Saint-Mandé, duly represented by DH AI INTERNATIONAL HOLDINGS, B.V., President, publisher of Voice.
2.2. In accordance with Article 37 of the GDPR, Gleamer has appointed a Data Protection Officer (DPO), Mr. Antoine Tournier, who can be reached at the email address dpo@gleamer.ai and at the postal address: Gleamer SAS — DPO, 14 avenue du Général de Gaulle, 94160 Saint-Mandé.
Article 3 — Categories of Data Processed and Purposes
3.1. In the context of Processing activities for which Gleamer acts as Data Controller, the categories of Data Subjects and the corresponding purposes are as follows:
- Authorised Users of Voice (radiologists, administrators) — account creation and management, authentication and access control, logging and security, technical support, dictation, automatic transcription, and formatting of radiology reports. Data processed: professional identity, professional email address, affiliated institution and department, login credentials, session data and technical logs, voice recordings and associated transcriptions, as well as, where applicable, technical metadata strictly necessary for the operation and security of the service.
- Client Institution Contacts — contract management and billing, client relationship monitoring, response to assistance requests. Data processed: professional identity and contact details, contractual and support exchanges.
- Prospects — B2B commercial prospecting, product demonstrations, sending of requested information. Data processed: professional identity and contact details, position, company affiliation, exchange history.
- Website and Interface Visitors — operation and security of websites and interfaces, audience measurement, improvement of user experience. Data processed: browsing data, IP address, technical identifiers, cookie data subject to consent.
3.2. Gleamer applies the principle of data minimisation and only collects Data strictly necessary for the purposes pursued.
3.3. The User is informed that voice recordings made in the course of using Voice are processed as Personal Data within the meaning of the GDPR. These voice recordings are not processed for the purposes of biometric identification and therefore do not constitute biometric data within the meaning of Article 4(14) of the GDPR, nor special categories of personal data referred to in Article 9 of the GDPR.
3.4. The User’s Personal Data, including voice recordings and associated transcriptions, are processed for the following specified, explicit, and legitimate purposes: (a) to enable dictation, automatic transcription, and formatting of radiology reports; (b) to ensure the operation, maintenance, security, and improvement of the service, including through incident and malfunction management.
3.5. The User is strictly prohibited from introducing, in their voice dictations or in any other information provided to the System, patients’ Personal Data, and in particular directly identifying health data, such as: surname, first name, NIR (social security number), full date of birth, address, telephone number, email address, or any other element enabling the direct or indirect identification of a Data Subject. In the event of a breach of this prohibition, the User shall bear sole liability.
Article 4 — Legal Bases for Processing
4.1. The Processing activities for which Gleamer acts as Data Controller are based on the following legal bases within the meaning of Article 6 of the GDPR:
- Performance of a contract or pre-contractual measures (Article 6(1)(b) GDPR): for the management of user accounts, the provision of Voice to the Institution, contract management, and technical support. This basis constitutes the principal ground for Processing related to the provision of Voice.
- Legitimate interest (Article 6(1)(f) GDPR): for information systems security, incident prevention, B2B commercial prospecting (limited and non-intrusive), and the continuous improvement of Voice. The interest pursued has been assessed in light of the interests and freedoms of the Data Subjects.
- Compliance with a legal obligation (Article 6(1)(c) GDPR): to respond to any request from a competent authority and for the retention of accounting and tax records.
- Consent (Article 6(1)(a) GDPR): for non-strictly necessary cookies and the possible sending of marketing communications to natural persons outside of a prior commercial relationship.
4.2. Regarding Data processed in Voice on behalf of Institutions (in particular any health data contained in dictations and reports), the choice of legal basis is the responsibility of the Institution in its capacity as Data Controller, in accordance with Articles 6 and 9 of the GDPR.
4.3. The processing of the User’s voice recordings is based on the performance of the Agreement entered into between Gleamer and the Institution, in accordance with Article 6(1)(b) of the GDPR, for processing strictly necessary for the provision of the System. The User may exercise their rights relating to the processing of their voice recordings by sending a request to Gleamer’s Data Protection Officer at the following email address: dpo@gleamer.ai.
Article 5 — Recipients and Sub-processors
5.1. Personal Data is disclosed to the following recipients, within the limits of their duties and authorisations:
- to authorised Gleamer personnel (commercial, support, engineering, security, and compliance teams);
- to client Institutions in connection with the performance of the Agreement;
- to authorised Sub-processors, acting as cloud host, speech-to-text and language model providers, identity and access management providers, as well as for the sending of transactional emails and the technical supervision of the Solution;
- where applicable, to competent authorities upon legal requisition.
5.2. The detailed and up-to-date list of authorised Sub-processors, their purposes, hosting locations, and the assessment of their contractual and technical safeguards are set out in the PIA, made available to Users and client Institutions on the website contract.gleamer.ai. Any change of Sub-processor shall be subject to prior information or notification in accordance with Article 28(2) of the GDPR and the DPA.
Article 6 — Data Transfers Outside the European Union
6.1. In the context of the operation of Voice, all Personal Data is hosted exclusively in data centres located within the European Union.
6.2. Certain Sub-processors are companies affiliated with groups established outside the European Union. The analysis of the residual exposure to any foreign jurisdiction and the technical, organisational, and contractual safeguards implemented by Gleamer (in particular pseudonymisation at source, end-to-end encryption, enhanced access control, and the conclusion of Standard Contractual Clauses adopted by the European Commission) are described in the PIA, made available to Users and client Institutions on the website contract.gleamer.ai. A copy of the safeguards may be obtained upon request from the DPO.
Article 7 — Retention Periods
7.1. Personal Data is retained for the period necessary to fulfil the purposes for which it was collected, extended where applicable by statutory archiving periods.
7.2. For Data processed in Voice as Processor on behalf of Institutions (in particular dictated audio recordings, transcriptions, medical reports, contextual examination data, application and technical logs), the retention periods and deletion procedures are defined in the DPA entered into with the Institution and detailed in the PIA.
7.3. By default, transcribed content (and the elements necessary for its technical traceability) is retained for a period of thirty (30) days from its generation, for the purposes of incident resolution, quality audit, and improvement of transcription reliability. Upon expiry of this period, it is deleted or anonymised, unless a longer statutory retention obligation applies to Gleamer or a documented request from the Institution is made under the Agreement.
Article 8 — Security Measures
8.1. Gleamer implements appropriate technical and organisational measures, in accordance with Article 32 of the GDPR, to ensure a level of security appropriate to the risk, including:
- encryption of data in transit (TLS) and at rest (AES-256);
- pseudonymisation at source of patient identifiers when integration with hospital information systems is configured (Gateway hosted within the Institution’s environment);
- strict need-to-know access control, multi-factor authentication, and periodic access reviews;
- logging and traceability of access and sensitive operations;
- documented incident management and Data breach notification procedures;
- confidentiality commitments from all employees and regular training in security and data protection;
- use of qualified and certified Sub-processors in accordance with applicable standards (in particular ISO 27001);
- periodic conduct of privacy impact assessments (PIA).
Article 9 — Rights of Data Subjects
9.1. In accordance with Articles 15 to 22 of the GDPR and French Law No. 78-17 of January 6, 1978, as amended, you have the following rights over your Personal Data: right of access; right to rectification; right to erasure; right to restriction of Processing; right to object, in particular to commercial prospecting; right to data portability; right to define post-mortem directives; right to withdraw your consent at any time, without affecting the lawfulness of prior Processing.
9.2. You may exercise these rights by contacting Gleamer’s DPO at the email address dpo@gleamer.ai. Proof of identity may be requested in the event of reasonable doubt. Gleamer undertakes to respond within one (1) month of receipt of the request, which period may be extended by two (2) months in the case of complex requests.
9.3. If your Data is processed in Voice on behalf of an Institution (in particular dictated data, transcriptions, and reports), you are invited to exercise your rights directly with the relevant Institution, which is the Data Controller. Any request addressed to Gleamer in this regard will be forwarded without delay to the relevant Institution.
9.4. You also have the right to lodge a complaint with the Commission Nationale de l’Informatique et des Libertés (CNIL — 3 place de Fontenoy, TSA 80715, 75334 Paris Cedex 07 — www.cnil.fr) or any other competent supervisory authority.
Article 10 — Cookies and Trackers
10.1. The websites and certain interfaces of Voice may use cookies and other trackers. Cookies strictly necessary for the operation of the Service (authentication, security, load balancing) are placed without prior collection of consent.
10.2. Other cookies (in particular non-exempt audience measurement cookies and, where applicable, marketing cookies) are only placed after collection of the User’s consent, which may be withdrawn at any time via the cookie management banner. For more information, the User may consult the dedicated cookie policy.
Article 11 — Amendments to the Policy
Article 12 — Contact
For any questions regarding this Policy or the protection of your Personal Data, you may contact Mr. Antoine Tournier, DPO of Gleamer, at the email address dpo@gleamer.ai or by post at: Gleamer SAS — DPO, 14 avenue du Général de Gaulle, 94160 Saint-Mandé, France.