If you have a request concerning your medical records or other data processed by Nevro, please visit our data subject request portal here.
Version Effective date: February 2023
Introduction
Your privacy is important to us at Nevro Corp. and its affiliates (collectively, “Nevro”, “we” or “us”), and so is being transparent about our data protection practices. This Privacy Notice (“Notice”) applies to the information we collect through our Nevro.com, NevroHFX.com, and HFXforPDN.com websites (“Site” or “Sites”), when you communicate with us, and the information we collect in connection with the provision and development of our products and services (collectively “Services”). By accessing the Sites and using our Services, you agree to our collection and use of personal information described herein and you agree to our Terms of Use.
This Notice describes the types of information we collect, the purposes for which it is used, and the choices you have with respect to how we use your data. We encourage you to read this Notice to understand our privacy practices before using our Services.
For the purposes of European data protection laws, we are the controller with respect to your personal information. Please see below the relevant contact details for each Nevro entity in Appendix 1.
If you are a California resident and would like to exercise your California privacy rights, please see our California Privacy Notice (“California Notice”) below.
This Notice does not apply to information we collect about employees and job applicants. This Notice also does not apply to information collected from our HFX iQ™ patient application (please see our HFX iQ™ Patient Application Privacy Notice).
About Nevro
Nevro is a global medical device company that offers products and services for the Senza® and Senza Omnia™ HFX™ Systems.
Personal Information We Collect
We collect personal information about you when you provide it to us, when you use our Services, when you engage with us at Nevro-hosted education events and conferences, and when other sources provide it to us, as described below. For California residents, this is personal information we have collected in the past 12 months. The types of information listed in each category are examples and are not meant to be exhaustive. We collect the following types of personal information:
- Personal identifiers, such as your name, gender, date of birth, phone number, email address, physical address, and other contact information you may provide to us (for example, through the “Contact Us” page). When you refer a friend or a family member for one of our studies or clinical trials, we may collect personal identifiers about that person;
- Customer records, such as records of and information related to payments, insurance information, information about Services purchased or billed for, and other financial information;
- Characteristics of protected classifications under California and federal law, such as age and gender. When you complete and submit a patient assessment form on our NevroHFX.com or HFXforPDN.com websites in the U.S., EEA, UK, Switzerland, and Australia, we collect your age, gender, phone number, email address, and other health-related information;
- Health information (including special categories of personal information), such as any medical conditions you may be experiencing, any medications you may be taking, information related to your pain, your Nevro medical device settings, healthcare provider information, procedure information, information to facilitate treatment and post-treatment care, information related to our HFX™ therapy, and other related health information that you may provide to us. When you refer a friend or a family member for one of our studies or clinical trials, we may collect health information about that person that you provide;
- Testimonial information, such as your name, location, email address, pain location, implant date, photographs, and videos when you have consented to us publishing a testimonial of your experience. With your consent, your testimonial may be featured on a variety of platforms, including on our Sites, social media, television, print, audio, marketing emails, and promotional materials;
- Internet or other electronic network activity information, such as your operating system, IP address, device type, device version, and other information collected when you use our Sites and Services. This also includes browser information, such as browser type, usage details, how you accessed our Sites, the pages you visit on our Sites, the amount of time spent on our Sites. We also use cookies to analyze trends, administer our Services, and track activity on our Sites. For more information about how we use cookies on Nevro.com and to learn how to manage cookies, please see our Cookie Notice. These details are collected automatically when you visit our Sites;
- Geolocation data, such as geolocation data that may be derived from your IP address;
- Audio and visual information, such as recordings of customer service calls, security camera recordings, and CCTV images;
- Other information you provide to us.
How we use your personal information and the legal basis for processing
We use the information we collect about you to:
| Categories of Personal Information | Purpose of Processing | Legal Basis |
|---|---|---|
| Personal identifiers; customer records; audio and visual information | Communicate with you: We may contact you to respond to your inquiries, requests, and/or send important notices. For example, we may contact you to provide customer support, schedule appointments, update you about new Services, or to send you invitations to Nevro-hosted events. See “Your choices and rights” section below to learn how to manage your communication preferences. | This is necessary for the performance of our contract with you (Article 6(1)(b), GDPR). We have a legitimate interest to ensure our records are kept updated and to communicate with you (Article 6(1)(f), GDPR). |
| Personal identifiers; customer records; characteristics of protected classifications; health information; testimonial information; internet or other electronic network activity information; audio and visual information | Provide and improve our Services and Sites: We use information we collect to provide you with our Services (including billing services); develop new products and services; and improve functionality, efficiency, and quality of our Services. | We have a legitimate interest to ensure our business is run efficiently, including to develop new products and improve existing ones (Article 6(1)(f), GDPR). |
| Personal identifiers; customer records; characteristics of protected classifications; health information; testimonial information; internet or other electronic network activity information; audio and visual information | Perform data analytics to improve patient outcomes: We use information we collect to more accurately analyze how you use our Services so that we may improve functionality, efficiency, and quality of our Services. | We have a legitimate interest to develop and improve our business (Article 6(1)(f), GDPR). |
| Personal identifiers; customer records; characteristics of protected classifications; health information | Conduct scientific research and clinical studies: We conduct clinical studies and trials to test and improve our Services. We may use your information to contact you about studies or clinical trials for which you may be eligible or that might interest you. If you are a participant in a study or clinical trial, we will use your information to conduct the study or trial and any related follow-up activities. Participation in our studies and trials is voluntary. We use anonymized data for scientific research purposes in connection with our Services. | We have a legitimate interest to develop and improve our business (Article 6(1)(f), GDPR). We may have a legal obligation to do so (Article 6(1)(c), GDPR). |
| Personal identifiers; customer records; audio and visual information; testimonial information | Market and advertise our products and Services: We only publish testimonials, send marketing emails and newsletters, or call you about our Services with your consent. We advertise our Services on social media platforms, but we will not directly contact you through these platforms. In the U.S., we engage in behavioral advertising and partner with third parties, such as Google, to provide you with targeted advertisements on our Sites. | If applicable law requires that we receive your consent before we send you certain types of marketing communications, we will only send those communications after receiving your consent (Article 6(1)(a), GDPR). |
| Personal identifiers | Coordinate events and manage visitors: We use your contact information to coordinate travel arrangements if you attend a Nevro-hosted professional education event that requires you to travel outside of your city. | We have a legitimate interest to manage our business including to coordinate events and manage visitors (Article 6(1)(f), GDPR). |
| All categories of personal information | Protect our rights and other legal claims. To defend and enforce our rights, including against legal claims that involve us, and to manage regulatory matters, investigations, data breaches, and/or data subject requests; prevent fraud and monitor for activities that violate our Terms of Service or that are illegal; and protect our Sites, personnel, and others. | We have a legitimate interest to manage our business and to ensure that all investigations and proceedings are managed efficiently and effectively (Article 6(1)(f), GDPR). We may have a legal obligation to do so (Article 6(1)(c), GDPR). |
| Special Categories of Personal Information | | |
| Health information | Provide and improve our Services and Sites. We use your health information to provide therapy optimization support, technical device support, and assess the effectiveness of particular programming settings. Conduct scientific research and clinical studies. We may use your health information when you voluntarily participate in a scientific research and/or clinical study. | Where we have received your consent (Article 9(1)(a), GDPR). Where the use of health information is for the provision of healthcare or pursuant to contract with a health professional (Article 9(2)(h), GDPR). |
Right to object: under certain data protection laws, please note that you may have a right to object to the processing of your personal information where that processing is carried out for our legitimate interests. Please note however that we may not be able to fulfil this request in all instances.
Please also note that if you do not provide certain personal information when requested we may be prevented from providing you with our Services or otherwise corresponding with you.
How we share your personal information for business purposes
The following chart describes the categories of personal information that we disclose to third parties for business purposes. For California residents, this is personal information we have disclosed in the 12 months prior to the date of this Notice.
| Categories of Consumers’ Personal Information | Categories of Third Parties With Which We Shared Personal Information for a Business Purpose |
|---|---|
| Personal identifiers: Name, address, email address, telephone numbers, IP address or other unique identifier, and other similar information. | Service providers and contractors that provide customer relationship management (CRM) services; assist us in operating, analyzing, and displaying content on our website; provide analytics information; advertise or market our products; provide website hosting, webcast and teleconference services; provide document management services; provide legal and accounting services; provide payment processing services; provide customer support; and provide IT and email administration. |
| Customer records: records of and information related to payments; insurance information; information about Services purchased or billed for; and other financial information. | Service providers and contractors that provide customer relationship management (CRM) services; assist us in operating, analyzing, and displaying content on our website; provide analytics information; advertise or market our products; provide website hosting, webcast and teleconference services; provide document management services; provide legal and accounting services; provide payment processing services; provide customer support; and provide IT and email administration. |
| Health information: any medical conditions you may be experiencing, any medications you may be taking, information related to your pain, your Nevro medical device settings, healthcare provider information, procedure information, information to facilitate treatment and post-treatment care, and other related health information that you may provide to us. | Service providers and contractors that provide customer relationship management (CRM) services; assist us in operating, analyzing, and displaying content on our website; provide analytics information; advertise or market our products; provide website hosting, webcast and teleconference services; provide document management services; provide legal and accounting services; provide payment processing services; provide customer support; and provide IT and email administration. |
| Testimonial information, such as your name, location, email address, pain location, implant date, photographs, and videos when you have consented to us publishing a testimonial of your experience. | Service providers and contractors that advertise or market our products; prospective or current customers and patients. |
| Internet or other electronic network activity information: Device and browser type, browsing and search history on our Sites, and information regarding interaction with our Sites and our advertisements. | Service providers and contractors that provide customer relationship management (CRM) services; assist us in operating, analyzing, and displaying content on our website; provide analytics information; advertise or market our products; provide website hosting, webcast and teleconference services; provide document management services; provide legal and accounting services; provide payment processing services; provide customer support; and provide IT and email administration. |
| Geolocation data, such as geolocation data that may be derived from your IP address. | Service providers and contractors that advertise or market our products. |
| Audio or visual information: Customer call recordings or testimonials. | Service providers and contractors that provide customer relationship management (CRM) services; assist us in operating, analyzing, and displaying content on our website; provide analytics information; advertise or market our products; provide website hosting, webcast and teleconference services; provide document management services; provide legal and accounting services; provide payment processing services; provide customer support; and provide IT and email administration. With separate consent, your testimonial may be featured on a variety of platforms, including on our Sites, social media, television, print, audio, marketing emails, and promotional materials. |
How We Sell Your Information
The following chart describes the categories of personal information that we sold (as the term is defined in the CCPA) to third parties, including if it was shared for online behavioral advertising purposes, in the 12 months prior to the date of this Notice.
| Categories of Consumers’ Personal Information | Categories of Third Parties To Which We Sold Personal Information |
|---|---|
| Personal identifiers | Marketing, analytics, and online advertising platform providers. |
| Internet or other electronic network activity information | Marketing, analytics, and online advertising platform providers. |
Additional Information About How We May Share your Personal Information
We may disclose aggregate statistics regarding user behavior as a measure of interest in, and use of, our Sites or de-identified data, such as overall patterns or demographic reports.
We share personal information we have about you with our affiliated companies to operate and improve our Services. Nevro affiliated companies are owned or operated by us, and include the list of entities in Appendix 1. This Notice applies to the information we share with our affiliates.
We may disclose your information when we believe that disclosure is reasonably necessary to (1) comply with any applicable law, regulation, subpoena, legal process or enforceable governmental request; (2) enforce the provisions of this Notice; (3) protect against harm to the rights, property, or safety of Nevro, our customers, or the public as required or permitted by law; (4) help detect and protect against fraud and data security vulnerabilities; and (5) use as part of a sale, merger, reorganization of our entity or other restructuring.
International data transfers
We collect information globally, including from customers in the United States, EEA, United Kingdom, Switzerland, and Australia. We may transfer your information outside of the country in which you originally provided it to where our affiliated companies and service providers operate, including the United States. These countries may not have the same data protection laws as the country in which you provided your personal information. In particular, the European Commission, the Swiss Federal Data Protection and Information Commissioner and the UK Government (as applicable) have determined that the United States does not provide an adequate level of data protection.
To ensure that your data is secure, we use European Commission approved standard contractual clauses (including the UK Addendum where applicable) when we transfer information from the EEA, UK and Switzerland. We also make use of intra-group data transfer agreements to protect your information when we transfer it to our affiliated companies outside the EEA, UK and Switzerland. You can request further information in relation to international transfers (including a copy of any data transfer agreements) by contacting us at privacy@nevro.com.
Your choices and rights
Your choices
Where appropriate or legally required, we will describe how we use personal information we collect so you can make choices about how your data is used. You can notify us during the information collection process and change your preferences at any time.
- Marketing communications: With your consent (where required by applicable law), we may contact you by email or phone to provide additional information about our Services. If you would like to opt out of further marketing communications, you can click the link at the bottom of any marketing email, or email us at opt-out@nevro.com.
- Patient care communications: Subject to applicable law, we may call, email, or send SMS texts after your procedure to schedule appointments and facilitate follow up treatment.
- Transactional communications: We send transactional emails if you submit a message through the “Contact Us” form on our websites, to notify you about changes to our Services, and to send other disclosures as required by law.
Your rights
For California consumers, please see our California Notice for information about your rights and how to exercise them.
For other individuals, depending on your country or state and as required by law, you have the right to:
- Access and receive a copy of your data;
- Update, amend, delete or correct incomplete or inaccurate data; and
- For EEA/UK individuals, additionally:
  - Request to delete or restrict the processing of your personal information;
  - Request the transfer of certain personal information to a third party, in a machine readable format;
  - Withdraw your consent to our use of your data where we rely on consent as the legal basis. Please note that withdrawing your consent does not affect the lawfulness of our processing of your personal information based on such consent before the withdrawal;
  - Object to the processing of your data where we rely on our legitimate interest as the legal basis; and
  - Lodge a complaint with a Data Protection Authority/EU Supervisory Authority.
We can correct or delete incorrect data, or provide a copy of your information upon request, but we reserve the right to use your information to request additional information to verify your identity before we process your request and to maintain a copy of all requests for our legal records. If you wish to exercise these rights, please submit your request here and we will respond to verifiable requests within 30-45 days, depending on the applicable state or country regulations (if any). Applicable privacy laws may give you the right to file a complaint with a government regulator if you are not satisfied with our response.
Other important privacy information
Children’s privacy
Our Sites and Services are intended for a general audience and are not directed to children. We do not knowingly collect personal information online from minors under the age of 16. If you believe that a minor under the age of 16 may have provided us with personal information, please contact us at privacy@nevro.com and we will promptly delete that information from our records.
Third party services, applications, and websites
Certain third party services or websites you use, or navigate to or from our Services (such as social media sites) may have separate user terms and privacy policies that are independent of this Notice. We are not responsible for the privacy practices of these third party services or applications. We recommend carefully reviewing the user terms and privacy statement of each third party service, website, and/or application prior to use.
Do Not Track Requests
Some browsers have a “do not track” feature that lets you tell websites that you do not want to have your online activities tracked. At this time, we do not respond to browsers’ do not track signals.
Cookies
For more information about how we use cookies and to learn how to manage cookies, please see our Cookie Notice.
We use Google Analytics to evaluate the use of our website. Google Analytics uses cookies and other identifiers to collect information, such as how often users visit a website, what pages they visit when they do so, and what other websites they visited prior to visiting a website. To learn more about how Google Analytics collects personal information, review Google’s Privacy Policy.
Global Privacy Control
We also recognize opt-out signals communicated through the browser-based extension offered through the Global Privacy Control, a non-profit that is in the process of developing a technological tool that can be used universally to signal a user’s privacy preferences. However, please note that, due to the technical limitations of the Global Privacy Control’s extension, requests made through their extension apply only to the device on which the request is made (e.g., a specific computer) and will only work with the browser used to activate the opt-out setting (e.g., Duck Duck Go).
Third Party Websites
Our Sites and Services may contain links to websites and services that are owned or operated by third parties (each, a “Third-Party Service”) which may include features that collect your IP address, which page you are visiting on our Sites and Services and may set up a cookie to enable the links to function properly. Any information that you provide on such sites is provided directly to the Third-Party Service and we are not responsible for their respective content, privacy or security practices and policies. To protect your information, we recommend that you carefully review the privacy policies of all Third-Party Services that you access. Our Sites and Services may include access to publicly accessible blogs, forums, or social media pages. Personal information you voluntarily transmit or publish online in such publicly accessible blog, forum, or social media page may be viewed and used by others without any restrictions. Your interactions with these platforms are governed by the privacy policy of the company providing them.
Changes to Privacy Notice
We may update this Notice to reflect changes in our personal information practices or relevant laws. We will notify you if we make any material changes by revising the "effective date" at the top of this Notice. We encourage you to review this Notice for updates each time you use our Services.
Additional Information for California Residents – California Privacy Notice
Introduction
This California Privacy Notice (“California Notice”) supplements the information provided in the Nevro Privacy Notice. As required by California law (including the California Consumer Privacy Act (“CCPA”)), this California Notice describes the rights and choices that California consumers have with respect to their personal information and Nevro’s responsibilities in relation to California consumers’ personal information. Capitalized terms used but not defined herein are defined in the Privacy Notice.
If you have questions or concerns about any of the information provided in this California Notice, please contact us using the information provided in the “Contact Us” section of the Privacy Notice.
Definition of Personal Information
For purposes of this California Notice, “personal information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular California consumer or household.
Personal information does not include:
- Publicly available information that is lawfully made available from federal, state, or local government records;
- De-identified or aggregated Consumer information; and
- Information excluded from the scope of the CCPA such as:
  - Health or medical information covered under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the California Confidentiality of Medical Information Act (“CMIA”) or clinical trial data;
  - Financial information covered under the Fair Credit Reporting Act (“FCRA”) or the California Financial Information Privacy Act (“FIPA”).
Scope
For purposes of the CCPA, Nevro acts as a business in relation to personal information collected through our Services, our HFX Access reimbursement support provided pursuant to patient authorization, providing customer support, and our marketing activities. This California Notice does not cover personal information processed for clinical trial purposes or those other activities excluded from the scope of the CCPA. (See the “How we use information” section above.)
Your California Privacy Rights
If you are a resident of California, you have specific rights regarding your personal information. This section describes your rights under the CCPA and how to exercise them. However, these California privacy rights are not absolute, and we may be able to decline your request in accordance with the CCPA. You may exercise your California privacy rights following the methods described under the subsection titled “Exercising Your California Privacy Rights” below.
- Right to Access and Know About Personal Information Collected or Disclosed. You have the right to request that Nevro disclose certain information to you about our collection and use of your personal information over the past twelve (12) months, including:
  - Specific pieces of personal information we have collected about you;
  - Categories of personal information we have collected about you;
  - Categories of sources from which such personal information was collected;
  - Categories of personal information that the business disclosed for a business purpose about the consumer;
  - Categories of third parties to whom the personal information was disclosed for a business purpose; and
  - The business or commercial purpose for collecting your personal information.
- Right to Portability. You have the right to receive certain personal information that you provided to us in a machine-readable form, and/or to have us transmit it to a third party with your express authorization.
- Right to Correct Personal Information. You have the right to request that Nevro correct any inaccurate personal information or complete any incomplete personal information.
- Right to Delete Personal Information. You have the right to request that Nevro delete personal information we may hold about you. Please be aware there are occasions when we are not able to delete your personal information. If we deny your request to delete personal information, we will inform you of the reasons for denial in our response to you. We will keep a copy of your deletion request in order to document that the action was taken, and any new information you submit to Nevro will not be subject to the pre-dated deletion request.
- Right to Limit the Use and Disclosure of Sensitive Personal Information. You have the right to request that Nevro limit the use and disclosure of your sensitive personal information to only that which is necessary to perform the Services.
- Right to Opt Out of Sharing or Sale of Personal Information. We sell (as the term is defined under the CCPA) personal information when you interact with a Site. You have the right to opt-out of the sale of your personal information with third parties. We do not knowingly sell the personal information of any individuals under 16 years of age.
If you opt-out of the sale of your personal information, we will wait at least 12 months before asking you if we may sell your personal information.
Exercising Your California Privacy Rights
To exercise your right to opt out of the sale of your personal information, click here. The link will take you to a webform where you can indicate that you are exercising your right to instruct us not to sell your personal information.
You may exercise each right once every twelve (12) months. To exercise your rights under the CCPA, you must submit a verifiable consumer request. To submit a verifiable request, please submit a consumer request through our webform. Alternatively, you can submit your request by phone at 1.888.956.3876.
To help protect your privacy and maintain security, we take steps to verify your identity before granting you access to your information. To verify your identity to make the request and confirm the personal information relates to you, we will ask you to accurately provide at least four (4) unique identifiers or submit a completed, notarized medical record request form. You may download a medical records request form as part of the records request process.
Our Commitment to Allowing You to Exercise Your Rights – Non-Discrimination
If you exercise any of the rights explained in this Policy, we will continue to treat you fairly. If you exercise your rights under this Policy, you will not be denied or charged different prices or rates for goods or services, or provided a different level or quality of goods or services than others.
Household Information
Some types of personal information can be associated with a household (a group of people living together in a single dwelling). Requests for access or deletion of household personal information must be made by each member of the household. To the extent we collect household information and requests are made pertaining specifically to such information, before responding to a request, we will verify the identity of each member of the household using the verification criteria explained above and will also verify that each household member is currently a member of the household.
Designated Authorized Agent
You may designate an individual, who is registered with the California Secretary of State to act on your behalf, to submit a verifiable consumer request relating to your personal information. Authorized agents must additionally provide documentation of their designation, such as a notarized medical records request form (available for download here) or power of attorney.
We cannot respond to your request if we cannot verify your identity and/or authority to make the request on behalf of another and confirm the personal information relates to you. Making a verifiable consumer request does not require you to create an account with us. We will only use personal information provided in a verifiable consumer request to verify the requestor's identity or authority to make the request.
Response Timing and Format
We will confirm receipt of your consumer request within ten (10) business days. We will respond to your verifiable consumer request within forty-five (45) days from the date we receive it. In some cases, we may require additional time to complete your request and will inform you if additional time is needed. Where additional time is needed, we may take up to a maximum of ninety (90) additional days to complete your request.
Financial Incentives
Nevro does not offer financial incentives or price or service differences in exchange for the retention or sale of personal information.
California Shine the Light
California Civil Code Section 1798.83, also known as the “Shine the Light” law, permits California residents that have an established business relationship with a business to annually request, free of charge, information about certain categories of personal information a business has disclosed to third parties for those parties’ direct marketing purposes in the preceding calendar year.
Questions
If you have questions about this California Notice, please contact us.
Data Protection Representatives
For the purpose of EU GDPR, our EU Data Protection Representative is: Nevro Germany GmbH (Nevro@iitr.de)
For the purpose of UK GDPR, our UK Data Protection Representative is: Nevro Medical Ltd. (Privacy@Nevro.com)
Appendix 1 – Contact Details
| Location | Nevro Entity | Contact details |
|---|---|---|
| Australia | Nevro Medical Pty Limited | Email: privacy@nevro.com; Address: Level 14/440 Collins Street, Melbourne, VIC 3000, Australia |
| Austria | Nevro Medical Limited (acting through Nevro Germany GmbH) | Email: nevro@iitr.de; Address: Prielmayerstraße 3, 80335 München |
| Belgium | Nevro Medical Limited (acting through its Belgian branch office) | Email: privacy@nevro.com; Address: Carrick House, Lypiatt Road, Cheltenham, Gloucestershire, GL50 2QJ |
| Costa Rica | Nevro Medical S.R.L. | Email: privacy@nevro.com; Address: Building 28C, Coyol Free Trade Zone, Alajuela, 20113, Costa Rica |
| Czech Republic, Ireland, Italy, Liechtenstein, Luxembourg, Netherlands, Norway, Slovakia, Spain, Sweden, and United Kingdom | Nevro Medical Limited | Email: privacy@nevro.com; Address: Carrick House, Lypiatt Road, Cheltenham, Gloucestershire, GL50 2QJ |
| Germany | Nevro Germany GmbH | Email: nevro@iitr.de; Address: Prielmayerstraße 3, 80335 München |
| Switzerland | Nevro Medical Limited (acting through Nevro Medical SAGL) | Email: privacy@nevro.com; Address: Christoph Merian-Ring 11, 4153 Reinach |
| United States | Nevro Corp. | Email: privacy@nevro.com; Address: 1800 Bridge Pkwy, Redwood City, CA 94065 |