Privacy policy

Prevailing Language. The English language version of this Agreement shall be controlling in all respects and shall prevail in case of any inconsistencies with translated versions if any.

We are dedicated to protecting the privacy of our users by taking all possible measures to protect their personal data. This Privacy and Cookies Policy outlines these measures and discloses the privacy practices of Crisalix and of your healthcare professional, which have been adapted to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (“GDPR or General Data Protection Regulation”).

This Privacy and Cookies Policy sets out how Crisalix and your healthcare professional use any personal data that you provide or that are collected when you use Crisalix’s services (referred to as “Services” in this policy) via websites, platforms, products, and any and all applications, internet- or mobile-based or not, provided by Crisalix, directly or indirectly.

Crisalix and your healthcare professional are committed to ensuring that your privacy is protected. Should we ask you to provide certain information by which you can be identified when using the Services, then you can be assured that it will only be used in accordance with this Privacy and Cookies Policy.

Crisalix will process your personal data both as controller for certain limited purposes (see 2.1.2 below) and as data processor when rendering services to your healthcare professional, who will always act as data controller.

This Privacy and Cookies Policy refers exclusively to personal data processing in the context of the Services rendered by Crisalix related to imaging solutions. For further details on any other processing of your personal data conducted by your healthcare professional, please refer to the privacy notice available in your healthcare professional’s website or consultation.

1. Controllers

1.1. Who are the controllers of my personal data? How can I contact the controllers?

1.1.1.The first and most prominent controller of your personal data is your healthcare professional, who will process your personal data for the purpose of rendering health care services as indicated below (2.1.1). Please refer to the privacy notice available on your healthcare professional’s website or consultation for further details.
1.1.2.In addition, the following Crisalix entities will act as independent controllers for the purposes indicated below (2.1.2):

Crisalix S.A.
Address: PSE-A, 1015 Lausanne, Switzerland
Telephone: +41 78 720 25 21
Email: privacy@crisalix.com

The above company will be referred as “Crisalix”, “we” or “us”.

1.2. Is there a Data Protection Officer (DPO) in Crisalix? How can I get in touch with the DPO?

Yes, we have designated a DPO for all companies within the Crisalix group. This designation has been notified to the Spanish Data Protection Agency. You can contact our DPO through the following email address: privacy@crisalix.com.

2. Purposes of the processing

2.1. For what purpose will the controllers process my data?

2.1.1. Firstly, your personal data will be processed by your healthcare professional as independent controller for the purpose of using the 3D simulation generated by Crisalix’s technology to assist you in the healthcare services provided by such healthcare professional to you.
2.1.2. Secondly, Crisalix will process your personal data as an independent controller for the following purposes:

To render the Services related to your 3D simulation
To perform internal auditing, data analysis, and research to improve Crisalix’s Services. This purpose includes research and development (“R&D”) activities through artificial intelligence systems, including machine learning, for the purposes of validating and improving our algorithms, which are fundamental to perform and improve our Services.
Only when you solicit so, to keep you informed, including by electronics means, about Crisalix’s latest developments, updates and news, and to provide you with third party commercial offers that we consider may be of your interest.

2.2. How long will Crisalix retain my personal data?

2.2.1. Please refer to the privacy notice available on your healthcare professional’s website or consultation for further details on his/her data retention policy.
2.2.2. Crisalix shall retain your personal data for as long as our contractual relationship with us is in force in order to manage it correctly, provided that this is adequate, relevant and limited to what is necessary for the purposes for which the data is processed. The above default rule will apply unless you request the erasure of your data.
Once the processing of your personal data is no longer adequate, relevant and limited to what is necessary for the purposes for which such data are processed, we will retain your personal data duly blocked and only for the purposes of discharging potential responsibilities as permitted by applicable regulations. Likewise, we may retain part of your data in a totally anonymous way so as to render your identification impossible, as a result of which such data will no longer be personal data.

Finally, we wish to inform you that we will take every reasonable step to ensure that inaccurate data is rectified or deleted.

2.3. Will Crisalix take decisions solely on the basis of automated processing, including profiling, with the personal data that I provide?

No, Crisalix shall not take individual decisions solely on the basis of automated processing which may produce legal effects concerning you or similarly affect you significantly

2.4. Will Crisalix process anonymous/aggregate data for analysis purposes?

Yes, we also collect non-personal information – data in a form that does not permit direct or indirect association with any specific data subject. We may collect, use, transfer, and disclose non-personal information for any purpose. Note that aggregated and/or anonymous data is considered non-personal information for the purposes of this Privacy and Cookies Policy.

The following are some examples of non-personal information that we collect and how we may use it:

We may collect information such as, language, zip/postal code, area code, location, and the time zone where a Service is used or visited so that we can better understand user behavior and improve our Services and advertising.
We may also collect information regarding customer behavior on our website and from our other Services, such as but not limited to 3D usage statistics, surgery information, or success rate. This information is aggregated and used to help us provide more useful information to our customers and to understand which parts of our Services are of most interest.

In any event, if we do combine non-personal information with personal data the combined information will be processed as personal data for as long as it remains combined.

2.5. Apps using ARKit, TrueDepth API, Camera APIs, Photo APIs, or other software for depth of facial mapping information

TrueDepth API and Camera APIs data is only used to track user's facial mapping information, necessary for Face-based Augmented Reality experiences. We do not collect, store or share with third-parties data used by ARKit, TrueDepth API, Camera APIs, Photo APIs, or other software for depth of facial mapping information.

3. Legitimisation of the processing

3.1. On what legal basis is the processing of my personal data based?

Your personal data will be processed for the above-mentioned purposes and on the basis of the following legitimate reasons for the processing, which are applicable depending on each case:

3.1.1.Your healthcare professional will process your personal data based on your explicit consent pursuant to arts. 6.1.(a) and 9.2.(a) GDPR.
3.1.2.Crisalix will process your personal data for the above-mentioned purposes based on the necessity for the performance of contractual obligations with you to render the Services (Art. 6.1.(b) GDPR) and for legitimate interests pursued by us (Art. 6.1.(f) GDPR) for activities to improve our Services, including R&D activities.

3.2. Which data do I need to provide Crisalix with? What happens if I do not provide it?

It is necessary that you provide us with all of the personal data marked as mandatory in the registration form of the Services. Mandatory data fields are identified with a (*).

Please note that we do not consider your pictures and the 3D simulations we generate as health data since we do not process any data from medical records of healthcare professionals and our Services are not subject to regulations on medical devices.

Failure on your side to provide us with the personal data requested and identified as mandatory, may negatively affect the use of the Services and access to its contents, to the point that you may not be able to access the Services at all.

In addition to the personal data collected through the form, we may collect and process other personal data such as any other data which may be generated during the use of the Services.

3.3. Do I need to provide accurate and precise data?

Yes, considering how important your data is to us, when you provide us with your data you guarantee its veracity and/or accuracy.

Please, be aware that you will be responsible for any false or inaccurate representations made by you, as well as for the damage caused as a result of the same to Crisalix, Crisalix' Affiliates or other third parties.

Crisalix shall not be responsible for any incident deriving from the lack of accuracy and/or misrepresentation of the information provided by you.

4. Recipients

4.1. Will Crisalix disclose my personal data to third-parties?

4.1.1 Crisalix will disclose to your healthcare professional your 3D simulation and any other data that you provide us (e.g. name).
4.1.2Crisalix SA and Crisalix Labs SLU may share your personal data with each other and use it consistent with this Privacy and Cookies Policy.

Besides, we need to share personal data with third companies which provide services such as information processing, fulfilling customer orders, payment processing, managing and enhancing customer data, providing customer service, assessing your interest in our products and services, and conducting customer research or satisfaction surveys. These third parties will act as our processors, or sub-processors, and in accordance with the corresponding data processor agreement that Crisalix will execute with them, they will implement appropriate safeguards to protect your personal data.

Furthermore, Crisalix will disclose your personal data if these is required by law, legal process, litigation, and/or requests from public or governmental authorities within or outside your country of residence.

We may also disclose personal data about you if we determine that such disclosure is reasonably necessary to enforce our terms and conditions or protect our operations or users. Additionally, in the event of a reorganization, merger, or sale we may transfer any and all personal data we collect about you to the relevant third party.

4.2. Could Crisalix disclose my personal data to third parties through the Services?

Yes, please note that, when using our online community (MyCrisalix), you will make public your personal data. Therefore, when you use the Services or post on a Crisalix forum, blog, or social networking service, the personal data you share are visible to other users and can be read, collected, or used by them. You can access the terms of use of MyCrisalix here: https://my.crisalix.com/pages/community_terms.

Furthermore, you may choose to contact a healthcare professional from the directory that we provide in the Services, and, in such a case, you will allow us to share your personal data with the chosen healthcare professional.

You are responsible for the personal data you choose to submit in these instances.

5. International transfers

5.1. Will my personal data be transferred to third countries or international organisations?

Yes, note that Crisalix SA is a Swiss company and therefore such entity will be processing your personal data also in Switzerland. In certain occasions we may also hire third-party vendors that for the purposes of rendering us certain services (i.e., hosting and other IT services) can process your personal data outside the EU territory. However, we have adapted our privacy policy and data processing operations to the General Data Protection Regulation and we will execute the corresponding standard contractual clauses with such vendors where they need to process your personal data outside the EU territory.

Crisalix Labs SLU is an affiliate of Crisalix SA located in Spain and is also subject to the General Data Protection Regulation.

6. Your rights

6.1. What rights do I enjoy regarding the processing of my personal data?

As provided for by the General Data Protection Regulation, we wish to inform you about your right to:

Access your data. You have the right to access your data in order to find out what personal data we process that concerns you. You may exercise your right of access at the following email privacy@crisalix.com.
Request to have your data rectified or deleted. In certain circumstances, you will have the right to rectify inaccurate personal data relating to you that is processed by us, or even to request its erasure. You may exercise your rights of rectification and erasure by contacting us at the following email privacy@crisalix.com.
Request the restriction of the processing of your data. In certain circumstances, you will have the right to request the restriction of the processing of your data by us, in which case, we wish to inform you that we will only retain the data for the exercise or defence of legal claims, as provided by the General Data Protection Regulation. You may exercise your right of restriction by contacting us at the following email privacy@crisalix.com.
Your data portability. In certain circumstances, you will have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format, and the right to transmit this data to another controller. You may exercise your right to data portability by contacting us at the following email privacy@crisalix.com.
Object to the processing of your data. In certain circumstances and on grounds relating to your particular situation, you will have the right to object to the processing of your data, in which case we will no longer process it unless compelling legitimate grounds exist or for the exercise or defence of possible legal claims. You may exercise your right to object by contacting us at the following email privacy@crisalix.com.

6.2. Do I have the right to withdraw my consent?

Yes, you may, at any moment, withdraw your consent regarding the processing of your data for one, several or all of the purposes referred to above. Be aware that, should that happen, our rendering of the Services could be altered or even discontinued totally.

6.3. Do you have the right to appeal?

Yes, you can appeal to the competent supervisory authority in your place of residence. You may obtain information on how to contact the different supervisory authorities by contacting us at the following email privacy@crisalix.com.

In any event, before starting any appeal, please contact us by email (privacy@crisalix.com) so that we can try to settle any discrepancies or disputes in an amicable way.

6.4. When will Crisalix reply to you?

We will reply to your requests as soon as possible and, in any event, within one month. Should we not meet this deadline, please, excuse us and contact us again so that we can deal with and rectify any possible technical error, which may have caused our late reply.

7. Origin of the data

7.1. Where has Crisalix obtained my personal data from

We have obtained your data directly from you. For further information about what data we process, please refer to section 3.2.

7.2. What categories of personal data does Crisalix process? Will Crisalix process sensitive data?

For additional information about the data we process, please, refer to section 3.2. For further information, please visit the Security statement and the HIPAA compliant.

We do not process special categories of personal data to provide the Services since we do not process any other data from healthcare professionals apart from the 3D simulations we generate.

8. Best practices, safeguards and additional measures

We are aware of the importance of privacy and data protection regulations. Accordingly, the protection of the security, integrity and confidentiality of our clients and users’ information is very important for us. Therefore, it is our firm intention to act in a responsible way in this regard.

In this context, we have adopted sufficient technical and organisational measures to ensure the security of your personal data and to avoid its alteration, loss and unauthorised processing or access, all in conformity with the applicable data protection regulations and the highest market standards.

Besides, to make sure your personal information is secure, we communicate our privacy and security guidelines to our employees and strictly enforce privacy safeguards within Crisalix and Crisalix' Affiliates.

For further information, please visit the Security statement and the HIPAA compliant.

9. Cookies policy

We use our own and third-party cookies so as to allow for more functional and useful browsing on the Services. In this regard and with the aim of ensuring that you receive all of the necessary information for correct browsing, we provide you with the following informative text about what cookies are, the type of cookies used on our Services and how you can disable them.

9.1. What is a cookie?

A cookie is a small text file that websites install in the computer or mobile device of the users who visit them.

Cookies make it possible for a website or a digital platform to remember the actions and preferences of the user (login identifier, font size and other display preferences) so that users do not need to reconfigure them whenever they come back.

Cookies can be divided between own and third-party cookies, and session (stored only during the browsing) and permanent cookies (stored during a longer period).

Note that we process information collected by cookies and other technologies as non-personal information. However, to the extent that Internet Protocol (IP) addresses or similar identifiers are considered personal information by local law, we also process these identifiers as personal information. Similarly, to the extent that non-personal information is combined with personal data, we process the combined information as personal data for the purposes of this Privacy and Cookies Policy.

9.2. What types of cookies does Crisalix use?

In the Services, we use the following cookies:

“Strictly necessary” cookies. These cookies are considered essential for browsing on the Services as they enable the use of its features or tools.
Functionality cookies. These cookies allow the Services to remember the decisions you make, for instance, the selected language. Our goal in these cases is to make your experience with Crisalix more convenient and personal. Knowing your country and language helps us provide a customized and more relevant online experience.
Analytic cookies. These cookies, which are processed either by Crisalix or by third parties, help to quantify the number of users and, therefore, they carry out measurements and statistical analysis of the use made by users of the offered service. Thus, your browsing on our Services is analysed with the aim of improving the provision of the products or services we offer. We may use this information to understand and analyse trends, to administer the site, to learn about user behaviour on the site, and to gather demographic information about our user base as a whole. Crisalix may use this information in our marketing and advertising services, and for statistical purposes. Besides, in some of our email messages, we may use a “click-through URL” linked to content on the Crisalix website or elsewhere. When users click one of these URLs, they may pass through a separate web server before arriving at the destination page. We track this click-through data to help us determine the effectiveness of our customer communications. If you prefer not to be tracked in this way, you should not click text or graphic links in the email messages. Pixel tags enable us to send email messages in a format customers can read, and they tell us whether mail has been opened. We may use this information to reduce or eliminate messages sent to customers.

9.3. How can I revoke my consent or eliminate the cookies?

You may accept, block or delete the cookies installed in your device by managing your cookie preferences through the consent management platform (“CMP”) installed in our website or also by configuring the settings of the browser installed in your mobile device.

These procedures are subject to updates or changes made by developers of the browsers, so we cannot guarantee the complete conformity of these procedures with the latest available version of each browser.

If your browser does not allow for the installation of cookies, you may not be able to access any of the services and sections of the Services.

In addition, you can set preferences for how Google advertises to you using the Google Ad Preferences page and if you want you can opt out of a third-party vendor’s use of cookies by visiting the Network Advertising Initiative opt-out page or permanently using this browser plugin.

In case you have any questions about this cookies section, contact us at privacy@crisalix.com.

9.4. What are the consequences if I revoke my consent to cookies

You may withdraw your previously granted consent regarding cookie installation at any time by managing your cookie preferences through the CMP or by deleting the cookies installed in your device or configuring the settings on your browser (see previous question).

However, this may have an impact on the operation of the Services, making the user experience less satisfactory or, even, preventing the use of the Services.

10. Amendment of this Privacy and Cookies Policy

Crisalix reserves the right to update and modify the Privacy and Cookies Policy from time to time.

Date of the last update: April 14, 2023.

11. Contact

Should you wish to send us any suggestion or comment regarding our Privacy and Cookies Policy, please, contact with us. You may find our details in section 1.1.