Helius Medical Technologies (“HELIUS”, “WE” or “US”) is committed to protecting and respecting your privacy and ensuring that your personal information is processed fairly and lawfully in line with all relevant privacy legislation. The purpose of this Privacy Statement is to set out the principles governing our use of personal information that we may obtain about you through this website (the “Site”) and in connection with our business (the “Business”). By using this Site, you agree to our use of the personal information that we obtain about you.

“Personal information” is information, or a combination of pieces of information, that could reasonably allow you to be identified.

Please note that our collection or use of your personal information may be governed by a separate privacy notice. If you receive a different notice at the time we collect your personal information, that privacy notice will govern how we use that personal information.

Please read this Privacy Statement carefully. We may change our Privacy Statement from time to time. We therefore ask you to check it occasionally to ensure that you are aware of the most recent version that will apply each time you access this Site. If a revision meaningfully reduces your rights, we will notify you. BY USING THIS SITE, YOU AGREE TO THIS PRIVACY STATEMENT. IF YOU DO NOT AGREE TO THIS PRIVACY STATEMENT, DO NOT USE THIS SITE.

For your convenience, this Site may contain links to a number of other websites. The privacy policies and procedures described here do not apply to those sites; we suggest contacting those sites directly for information on their data collection and distribution policies. Any reference to a linked site or any specific third-party product or service by name does not constitute or imply its endorsement by us, and you assume all risk with respect to its use.

YOUR PERSONAL INFORMATION

We may collect, use, store and transfer the following personal information to provide, improve and protect our Site and in connection with our Business.

The persona information we collect and process. You may give us personal information by visiting or interacting with the Site, filling in forms or submitting information on the Site, interacting with our Business, by corresponding with us by phone, e-mail, SMS or otherwise, or through your employment by HELIUS. This personal information includes the following data which are referred to in this Privacy Statement as ‘your data’, ‘your personal data’ or ‘your personal information’:

• identifiers you provide when you interact with the Site. The personal information you give us may include your name, title, company, mailing address, email address, phone number, password, resume information, feedback and any other information you choose to provide to us;
• professional details, such as job title, and organization;
• technical data such as your internet protocol (IP) address, your login data, the web page you visited before visiting our Site, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our Site;
• usage data which tells us how you use our Site;
• marketing and communication data which tells us your preference in receiving marketing from us and our third parties and your communication preferences; and
• sensitive personal data such as your physical or mental health condition

We or our service providers may collect technical information automatically from your computer or mobile device over time and across different Sites through the use of cookies or similar tracking technologies. A cookie is a small text file that can be placed on your computer’s hard drive with your permission. Cookies help analyze web traffic and let us know when and how you visit a particular site. Cookies allow web applications to respond to and tailor your experience with our Sites according to your individual preferences, and to remember those preference for the next time you visit the Sites. A cookie does not give us access to your computer or provide any information other than the data you choose to share. The personal information we may obtain through cookies includes:

• Unique identifiers, such as IP address, browser type, operating system, the pages you view on the Sites, the pages you view immediately before and after you access the Sites, and the search terms you enter on the Sites, Internet or other electronic network activity information;
• General location data; and
• Inferences drawn from the above categories.

We also may obtain your personal information from third parties and sources, such as web hosting providers, analytics providers, and advertisers. In some cases, these third parties collect information on our behalf as our processors or service providers. In other cases, we collect information from third parties based on the account or privacy settings that you have established with those third parties. The information we collect from other sources may include any of the types of personal information listed above.

PURPOSES FOR WHICH WE WILL USE YOUR DATA

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

• Identification and authentication: We use your identification information to verify your identity when you access and use our Services, or otherwise engage with us, and to ensure the security of your personal information. This is necessary to provide the requested service.
• Communications: We may respond to and communicate with individuals and healthcare providers about requests, questions, comments, products, and services.
• Business operations: We process your personal information to provide the Services that you request and relationships with our actual and potential suppliers and customers. We use personal information to operate, evaluate, and improve our business, including developing new products and services; determining the effectiveness of the company’s sales, marketing and advertising; and performing accounting, auditing, billing, reconciliation, and collection activities.
• Service improvements:We analyze usage information, including site analytics, to continually improve the user experience.
• Customizing your experience: We may use your personal information to improve your experience of the Services, such as by providing interactive or personalized elements on the Services. We will also use your data to manage our relationship with you.
• Marketing: We may use your personal information in accordance with your preferences to build a profile about you, to understand your preferences, and to help determine which marketing materials would be of interest to you.
• Exercising or protecting rights: We may use your personal information to exercise or protect our legal rights, or the rights of you or a third party, where it is necessary to do so, for example to detect, prevent, and respond to intellectual property infringement claims or violations of law.
• Cookies and other technologies: We use technologies like cookies to provide, improve, protect, and promote our Site and our Products. HELIUS currently does not respond to Do Not Track requests.

Applicable law may require HELIUS to identify a legal basis in order to process your personal information. Such bases include:

• Consent: We will rely on your consent, where required by law, to use (i) technical information (including general location data) derived from cookies and similar tracking technologies; and (ii) your personal information for marketing purposes.
• Performance of a contract: We will process any of your personal information identified in this Policy as necessary to perform our contractual obligations with customers or suppliers.
• Complying with legal obligations: We may process your personal information to carry out fraud prevention checks or comply with other legal or regulatory requirements, such as those related to information security or consumer transaction law, when required by law.
• Legitimate interests: Any personal information not processed under the other bases identified in this section will be processed in furtherance of our legitimate interests. We have legitimate interests in providing and maintaining our Services, responding to your communications, improving and customizing our Services, exercising or protecting the rights of HELIUS or you or a third party, and operating our business effectively. Where we rely on legitimate interests to process your personal information, we will balance our need to process that information with any risks such processing poses to your rights and freedoms.

SHARING YOUR DATA

We may share information as discussed below, but we won’t sell it to advertisers or third parties.

• To inform third-party entities that provide services to us: We may share your personal information with third parties that perform marketing services and other business operations. For example, we may partner with companies to process secure payments, fulfill orders, optimize services, send newsletters and marketing messages, support email and messaging services, and analyze information. These service providers may include advertising agencies, technical support, or website analytics providers, which will use your personal information only in the ways described in this Policy.
• Where required by law: We may share your personal information with law enforcement agencies, courts, other government authorities or other third parties where we believe necessary to comply with a legal or regulatory obligation, or otherwise to protect our rights or the rights of any third party.
• In the context of a transaction: We may share your personal information with potential transaction partners, service providers, advisors, and other third parties in connection with the consideration, negotiation, or completion of a corporate transaction in which we are acquired by or merged with another company or we sell or transfer all or a portion of our assets or business. Should such a sale or transfer occur, we will use reasonable efforts to obligate the entity to which we transfer your personal information to use it in a manner consistent with this Policy.
• Anonymize: We may also anonymize or deidentify your personal information in such a way that you may not reasonably be re-identified by us or any other company and may use this anonymized information for any other purpose.

PROTECTING YOUR DATA

We only process personal data where we have a legal basis for doing so. We review the personal data we hold periodically to ensure it is being lawfully processed.

Before transferring personal data to any third party (e.g. suppliers, partners and back office support), we seek to establish that there is a legal reason for making the transfer, which may include your consent.

We have implemented measures and procedures that protect the privacy of individuals and help ensure that data protection is integral to all processing activities. This includes implementing measures which may include, for example:

• Pseudonymization;
• Anonymization;
• Cyber/data security controls; and
• A data retention policy.

PRIVACY RIGHTS FOR EU RESIDENTS

If you are an individual in the European Union, you have certain rights with respect to the access, correction, restriction, and erasure of your personal information stored on our platform at any time. You can exercise these rights by contacting us using the contact information below. Your rights include the following:

• Accessing your data. Upon request, we shall provide any information relating to your data and our processing of your data in a concise, transparent, intelligible and easily accessible form using clear and plain language. The information shall be provided in writing or by other means, including, where appropriate, by electronic means within 30 days of a written request.
• Correcting your data. You have the right to ask us to rectify any inaccurate or incomplete personal data on our platform. If we have given your personal data to any third parties, we will notify those third parties that HELIUS has received a request to rectify your personal data, unless doing so proves impossible or involves disproportionate effort. Those third parties should also rectify the personal data they hold – however, we are not in a position to audit those third parties to ensure that the rectification has occurred.
• Erasing your data. You can ask us to erase your personal data stored on our platform. If we receive a request to erase your data, we will ask you if you want your personal data to be removed entirely or if you want to be kept on a list of individuals who do not want to be contacted in the future (for a specified period or otherwise). We cannot keep a record of individuals whose data we have erased so you may be contacted again by us, should we come into possession of your personal data at a later date. If we have given your personal data to any third parties, we will tell those third parties that HELIUS has received a request to erase your personal data, unless this proves impossible or involves a disproportionate effort. Those third parties should also rectify the personal data they hold – however, HELIUS will not be in a position to audit those third parties to ensure that the rectification has occurred.
• Restricting the use of your data. We only process your personal data where we have the legal basis for doing so.

You have the right to ask us to suspend or otherwise restrict the processing of your personal data where:

• You challenge the accuracy of the personal data;
• The processing is unlawful but you do not want us to erase it;
• We no longer need the personal data for the purposes of the processing, but you want us to hold it as you need it to establish, exercise, or defend legal claims; or
• You have objected to our use of your data, but we need to verify whether we have legitimate grounds to use it.

If we have given the personal data to any third parties, we will tell those third parties that we have received a request to restrict the use of your personal data, unless this proves impossible or involves a disproportionate effort. Those third parties should also rectify the personal data they hold – however, we will not be in a position to audit those third parties to ensure that the rectification has occurred.

Withdrawing your consent. Where we are relying on consent to process your personal data (for example consent to receive marketing) you have the right to withdraw your consent at any time. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you.

INTERNATIONAL DATA PROCESSING & TRANSFER

We process information collected from or about you in any country in which HELIUS operates, as permitted by applicable law. In some cases, your information may be transferred to, stored, and processed in a country that is not regarded as ensuring an adequate level of protection for information under applicable laws(such as from the European Economic Area (“EEA”) to outside the EEA). When we conduct such transfers, we put in place appropriate safeguards (such as standard contractual clauses) in accordance with applicable legal requirements. Information located outside of your home country may be subject to access by that country’s government or its agencies under a lawful order. For more information on the appropriate safeguards in place or to obtain a copy of the standard contractual clauses, please contact us.

PRIVACY RIGHTS FOR CALIFORNIA RESIDENTS

The following applies only to California residents:

California residents have the following rights regarding our collection and use of your personal information. To exercise those rights, please contact us using the contact information below. We may ask you to provide additional information to verify your request. We may not discriminate against you if you exercise your rights as described in this notice. For example, we may not deny goods or services to you, or charge you different prices or rates, or provide a different level of quality of products or services.

Right to Information

You have the right to request the following information regarding the personal information we have collected about you:

• Categories of personal information collected about you, and sources from which collected;
• Our purpose for collecting personal information;
• Categories of third parties with which the personal information was shared; and
• Specific pieces of personal information collected about consumers.

You have the right to request the following information regarding the personal information we have sold or disclosed about you:

• Categories of your personal information sold in the preceding 12 months;
• Categories of third parties to whom your personal information has been disclosed;
• Categories of personal information that we disclosed about consumers for a business purpose.

Right to Opt Out of Sharing, Disclosure, or Sale of Personal Information

• You have the right to direct us to not share, disclose, or sell your personal information. To exercise this right, you or your authorized representative may submit a request to privacy@heliusmedical.com

Right to Request Deletion

• You have the right to request that we delete the personal information we have about you. However, we are not required to delete information if it is necessary to retain your information to:
• Complete the transaction for which the personal information was collected, provide a good or service requested by you, or a transaction reasonably anticipated within the context of our or one of our affiliate’s ongoing business relationship with you, or to otherwise perform a contract we have with you.
• Detect security incidents, protect against malicious, deceptive, fraudulent or illegal activity or prosecute those responsible for that activity.
• Debug to identify and repair errors that impair existing intended functionality.
• Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law.
• Comply with the California Electronic Communications Privacy Act pursuant to Chapter 3.6 (commencing with Section 1546) of Title 12 of Part 2 of the Penal Code.
• Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when deletion of the information is likely to render impossible or seriously impact the achievement of such research, if you have provided informed consent.
• Facilitate solely internal uses that are reasonably aligned with your expectations based on your relationship with us or one of our affiliates.
• Comply with a legal obligation.
• Otherwise use the personal information, internally, in a lawful manner that is compatible with the context in which it was provided.

WHERE WE STORE AND TRANSFER YOUR DATA

The Site is controlled by HELIUS from its offices in the United States. HELIUS may store and use information in the United States and other jurisdictions; any personal data provided to HELIUS will be transmitted to or within those jurisdictions.  HELIUS also may transfer information and personal data to other jurisdictions to facilitate HELIUS’s third party processors’ access to and/or processing of information and/or personal data.

HELIUS makes no representation that materials on this Site are appropriate or available for use in other locations, and access to them from territories where their contents are illegal is prohibited.  Those who choose to access this Site from other locations do so on their own initiative and are responsible for compliance with applicable local laws.

DATA RETENTION

We retain your personal information for as long as necessary to carry out the purposes set out in this Policy, unless a longer retention period is required by applicable law.

To determine the appropriate retention time for your personal information, we consider the amount, nature, and sensitivity of personal information, the potential risk of harm from unauthorized use or disclosure of your personal information, the purposes for which we process your personal information, and whether we can achieve these purposes through other means, as well as applicable legal requirements. In some circumstances we may anonymize personal information so that it may no longer be associated with an individual, and in such cases we may use that anonymized information without further notice to you and outside of this Policy (because, once anonymized, it ceases to constitute “personal information”).

INFORMATION SECURITY

We implement technical and organizational measures to maintain a level of security appropriate to any risks presented to the personal information we process. These measures seek to ensure the ongoing integrity and confidentiality of personal information. Please note that no security measures can be 100% secure; however, we evaluate and test our chosen measures on regular basis in order to protect your personal information in accordance with this Policy and applicable law.

DO NOT TRACK

We do not currently respond to web browser “do not track” signals or other mechanisms that provide a method to opt out of the collection of information across the networks of websites and online services in which we participate. For more information, visit www.allaboutdnt.org.

THIRD-PARTY WEBSITES

This Policy applies solely to the information collected by HELIUS. Our Sites may contain links to websites not owned or controlled by HELIUS. HELIUS does not have any control over these third-party websites. We encourage you to be aware of these other third-party websites and their privacy statements, as we cannot control and are not responsible for privacy policies or practices of third-party websites.

CONTACT US

For any questions regarding this Policy or to exercise your applicable data privacy rights, contact us at privacy@heliusmedical.com or 215-944-6100.

Effective Date:  Aug 13th, 2021