LUVVICARE FAMILY MOBILE APPLICATION PRIVACY POLICY

PRIVACY AT A GLANCE

This summary provides a high-level overview of how Luvvi Sarl (“Luvvi,” “we,” “our”) handles your personal information when you use the LuvviCare Family Mobile Application (“App”). For full details, please read the complete Privacy Policy below.

Who operates the App? Luvvi Sarl, based in Geneva, Switzerland, is the technology provider. Your hospital or healthcare facility (“Hospital”) is the data controller (GDPR) or covered entity (HIPAA) responsible for your patient data. Luvvi acts as the data processor (GDPR) or business associate (HIPAA) on the Hospital’s behalf.

What data do we collect? Parent/guardian name, mobile phone number, child’s name and date of birth, messages and media from your Hospital’s clinical team, voice recordings you create via Audio Care, milestone and tracking entries you input, and anonymized usage analytics. We do not use IP addresses, device identifiers, or other technical data for analytics or user tracking purposes.

Why do we collect it? To deliver communications from your Hospital to you, to enable video calls and livestreams, to process Audio Care recordings, to authenticate your identity, and to help Hospitals understand how the App supports their care programs (through anonymized analytics only).

Do we sell your data? No. We never sell personal information or electronic Protected Health Information (ePHI) to anyone. We do not share ePHI with advertisers, sponsors, or marketing partners.

Where is your data stored? In regionally isolated AWS infrastructure: US data in Virginia, Canadian data in Montreal, UK data in London, EU data in Frankfurt, and Australian data in Sydney. Your data does not leave its designated region.

How is your data protected? All ePHI data is encrypted at rest and in transit. Two-factor authentication (SMS OTP) is required. The App does not operate on jailbroken or rooted devices.

What are your rights? Depending on your jurisdiction, you may have rights to access, correct, delete, or port your data, and to lodge complaints with a supervisory authority. Because the Hospital is the data controller, many rights related to patient data must be exercised through your Hospital. See Section 10 and the jurisdiction-specific addenda for details.

How to contact us: privacyofficer@luvvi.com 

1. INTRODUCTION AND SCOPE

This Privacy Policy (“Policy”) describes how Luvvi Sarl (“Luvvi,” “we,” “us,” or “our”) collects, uses, discloses, and protects personal information and electronic Protected Health Information (“ePHI”) when you use the LuvviCare Family Mobile Application (“App”).

The App is a secure communication platform provided to families of hospitalized children — including infants in Neonatal Intensive Care Units (NICUs), Pediatric Intensive Care Units (PICUs), and other pediatric care settings — by their hospital or healthcare facility (“Hospital”). The App enables families to receive messages, photos, videos, audio clips, and eCards from the Hospital’s clinical team, participate in video calls and livestreams, record voice messages via the Audio Care feature, and track milestones and other information about their child’s care journey.

Important: This Policy applies only to the LuvviCare Family Mobile App. It does not cover the LuvviCare Hospital/Clinician App, the LuvviCare Web Administration Portal, or any third-party websites or services linked from within the App. Those are governed by separate agreements and policies between Luvvi and the Hospital.

This Policy should be read together with the LuvviCare Family App Terms of Service, which governs your use of the App.

The App is not intended to function as a medical device or to provide clinical decision-making support. It does not provide medical advice, diagnosis, or treatment. All clinical content you receive through the App originates from your Hospital’s clinical team, not from Luvvi.

The App is not intended for use in medical emergencies. If you believe a medical emergency is occurring, contact your healthcare provider or emergency services immediately.

2. DATA CONTROLLER AND DATA PROCESSOR ROLES

The LuvviCare platform operates under a three-party model. Understanding who plays which role is important because it determines who is responsible for your data and who you should contact to exercise your rights.

2.1 Your Hospital

Your Hospital is the healthcare facility where your child is receiving care and that has enrolled with the LuvviCare platform. You may be registered on the App through one of two paths:

(a) Self-registration: You scan a unique LuvviCare QR code provided to you by the care team at your Hospital (for example, on a poster in the unit waiting area or on an informational flyer). This QR code is unique to your Hospital and directs you to the LuvviCare website, where you provide the activation code shown on the poster or flyer, your name, and your mobile phone number. After verifying your identity via SMS OTP, you can download and install the App. At this point, your account is registered with your Hospital but is not yet activated — you can access educational content, track your child’s parameters, and access Audio Care content, but your Hospital must validate your registration before you can receive messages, video calls, or have your voice recordings played for your child by clinical staff.

(b) Hospital-initiated enrollment: Your Hospital’s care team directly enrolls you and your child on the LuvviCare platform. You receive an SMS message notifying you that you have been onboarded and asking you to install the LuvviCare Family App. To log in, you enter your child’s last name, date of birth, the registered parent mobile phone number, and the Hospital’s country, and then verify your identity via SMS OTP.

Access to patient communications is only enabled after validation and activation by the Hospital. Regardless of which registration path is used, you cannot receive clinical messages, video calls, or other patient-related communications until the Hospital has verified and activated your account.

Under applicable privacy laws:

• HIPAA (United States): Your Hospital is the Covered Entity. The Hospital determines what patient information is shared with families through the App, validates parent registrations or directly enrolls families, and is responsible for obtaining any required patient consents or authorizations.

• GDPR / UK GDPR (Europe and United Kingdom): Your Hospital is the Data Controller. The Hospital determines the purposes and means of processing your personal data and special category health data through the App, including the decision to activate your account for clinical communications or to enroll you directly.

• PIPEDA (Canada): Your Hospital is the organization accountable for personal health information. Luvvi processes data on the Hospital’s behalf under contractual safeguards.

• Australian Privacy Act: Your Hospital is the APP entity responsible for personal information. Luvvi processes data under contractual arrangements with the Hospital.

2.2 Luvvi

Luvvi is the technology provider that builds and operates the App. We act as:

• Business Associate under HIPAA, operating under a Business Associate Agreement (BAA) with each Hospital;

• Data Processor under GDPR / UK GDPR, operating under a Data Processing Agreement (DPA) with each Hospital; and

• an equivalent processing role under PIPEDA and the Australian Privacy Act, operating under contractual safeguards with each Hospital.

  
  

Luvvi does not independently determine the purposes or means of processing ePHI or patient data. We act solely on the documented instructions of the Hospital, except where required by applicable law.

2.3 You (The User)

You are a parent, legal guardian, or authorized family contact who has self-registered through your Hospital’s unique QR code or been directly enrolled by your Hospital’s care team to receive communications about a specific patient through the App. Under GDPR, you are a “data subject.” Under HIPAA, you are an authorized recipient of the patient’s ePHI as designated by the Hospital upon account activation.

3. PERSONAL INFORMATION WE COLLECT

The following describes the categories of personal information and ePHI processed through the App:

1. Parent/Guardian Identity
   
   

Data elements: First name, last name, mobile phone number.

Source: Provided by parent during registration (initiated by Hospital).

2. Secondary Contact Identity
   
   

Data elements: First name, last name, mobile phone number.

Source: Provided by parent or Hospital.

3. Patient (Child) Identity
   
   

Data elements: First name, last name, date of birth.

Source: Provided by Hospital during patient enrollment.

4. Authentication Data
   
   

Data elements: OTP codes (transient, not stored), session tokens.

Source: Generated by Luvvi systems.

5. Communications (ePHI)
   
   

Data elements: Messages, photos, videos, audio clips, eCards received from Hospital clinicians.

Source: Generated by Hospital clinicians via the Hospital App.

6. User-Generated Content
   
   

Data elements: Voice recordings (lullabies, stories) via Audio Care, milestone entries, growth data entries, feeding/pumping logs, skin-to-skin tracking, experience ratings.

Source: Created by parent in the Family App.

7. Device and Technical Data
   
   

Data elements: Device type, operating system version, app version, language setting, push notification tokens.

Source: Automatically collected by the App.

8. Usage Analytics
   
   

Data elements: App engagement metrics (e.g., session frequency, feature usage, screen views).

Source: Collected via Mixpanel analytics SDK (anonymized).

Important: NO ePHI, NO IP addresses, NO device identifiers, and NO patient or family identifiers are used for analytics or transmitted to Mixpanel for tracking purposes.

What we do NOT collect: We do not collect Social Security numbers, financial account information, biometric identifiers (other than voice recordings you voluntarily create), geolocation data, browsing history, or information from your device’s contacts, calendar, or other apps.

4. HOW WE USE YOUR INFORMATION

We process your personal information and ePHI only for the purposes described below. We do not use your data for marketing, advertising, profiling, or any purpose unrelated to the delivery and improvement of the App.

• Deliver messages and media from your Hospital to you. GDPR basis: Performance of contract with Hospital / Legitimate interest. HIPAA basis: Treatment, Payment, Healthcare Operations (TPO) under BAA.

• Enable two-way video calls and livestreams initiated by clinicians. GDPR basis: Performance of contract. HIPAA basis: TPO under BAA.

• Process and play back Audio Care voice recordings. GDPR basis: Performance of contract / Consent. HIPAA basis: TPO under BAA.

• Authenticate your identity via SMS OTP (two-factor authentication). GDPR basis: Performance of contract / Legal obligation. HIPAA basis: Security safeguard under BAA.

• Translate messages to your device’s language setting. GDPR basis: Performance of contract. HIPAA basis: TPO under BAA.

• Store messages and media locally on your device for offline access. GDPR basis: Performance of contract. HIPAA basis: TPO under BAA.

• Send push notifications (content does not include ePHI). GDPR basis: Legitimate interest / Consent. HIPAA basis: Operational necessity.

• Analyze anonymized usage metrics to help Hospitals assess App adoption. GDPR basis: Legitimate interest. HIPAA basis: De-identified data — not ePHI.

• Provide educational content and resources. GDPR basis: Performance of contract. HIPAA basis: N/A (no ePHI involved).

• Maintain security, prevent fraud, detect jailbroken/rooted devices. GDPR basis: Legitimate interest / Legal obligation. HIPAA basis: Security safeguard under BAA.
  
  

Legitimate Interest Assessment: Where we rely on legitimate interest as a legal basis under GDPR, we have conducted a balancing test to ensure that our interests do not override your fundamental rights and freedoms. You may contact us at privacyofficer@luvvi.com to request details of these assessments.

5. HOW WE SHARE YOUR INFORMATION

We share your information only in the following limited circumstances:

5.1 With Your Hospital

We share anonymized, aggregated usage and engagement data with the Hospital that enrolled you so they can assess how the App supports their care program. The Hospital’s authorized clinical team can access communications they have sent to you through the App. We do not share your personal messages, voice recordings, or private entries with anyone outside the Hospital’s authorized personnel.

5.2 With Mixpanel (Analytics Provider)

We share anonymized, aggregated usage metrics with Mixpanel to help Hospitals understand App adoption and engagement. We do NOT use ePHI, IP addresses, device identifiers, or any identifiers tied to patients or families for analytics or tracking purposes. Mixpanel acts as a data processor under a Data Processing Agreement with Luvvi.

5.3 With Amazon Web Services (Infrastructure Provider)

All ePHI is stored and processed on AWS infrastructure under a HIPAA Business Associate Agreement and a GDPR-compliant Data Processing Agreement. AWS acts as a sub-processor to Luvvi. Data is regionally isolated as described in Section 8 and encrypted as described in Section 6.

5.4 What We Do NOT Do

• We do NOT sell personal information or ePHI to any third party.

• We do NOT share ePHI with advertisers, sponsors, or marketing partners.

• We do NOT use your data for targeted advertising or behavioral profiling.

• We do NOT provide any personal data or ePHI to white-label Sponsors whose branding may appear in the App.

  
  

5.5 Law Enforcement and Legal Process

We may disclose personal information if required to do so by applicable law, regulation, or valid legal process (such as a subpoena, court order, or government request). Where legally permitted, we will notify you before making such a disclosure. We will also notify the relevant Hospital, as the data controller or covered entity, of any such request relating to patient data.

6. DATA STORAGE, ENCRYPTION, AND SECURITY

We implement comprehensive administrative, technical, and physical safeguards to protect your personal information and ePHI. These measures are designed to comply with HIPAA Security Rule requirements, GDPR Article 32 security obligations, and equivalent standards under PIPEDA and the Australian Privacy Act.

6.1 Encryption

• At rest: All ePHI stored on our servers is encrypted using AWS Key Management Service (KMS) with custom encryption keys managed by Luvvi. Encryption keys are subject to automatic rotation.

• In transit: All data transmitted between the App and our servers is encrypted using industry-standard TLS protocols.

• On device: Messages and media stored locally on your device for offline access are encrypted using the device’s native encryption capabilities.

  
  

6.2 Authentication and Access Controls

• Two-factor authentication (SMS OTP) is required for all Family App users.

• The App does not operate on jailbroken (iOS) or rooted (Android) devices.

• Access to ePHI within Luvvi’s systems follows zero-trust and least-privilege principles.

• Role-based access controls restrict internal access to authorized personnel only.
  
  

6.3 Additional Security Measures

• Regular external penetration testing of the App and infrastructure.

• Continuous monitoring and logging of access to ePHI.

• Video livestream sessions are never recorded by Luvvi.

• Incident response and breach notification procedures are in place (see Section 14).

• Luvvi is pursuing ISO 27001 and HITRUST certifications.

  
  

7. LOCAL DEVICE STORAGE

The App stores messages and media received from the Hospital in encrypted form on your device to enable offline access. This allows you to view content even when you do not have an internet connection.

This locally stored data remains on your device until:

(a)   You delete the App from your device;

(b)   The Hospital deactivates your account; or

(c)   You manually clear the App’s data through your device’s settings.

Your responsibility: Once data resides on your device, Luvvi cannot remotely access, control, or retrieve it. You are responsible for maintaining the security of your device, including using a device passcode or biometric lock, keeping your operating system up to date, and not sharing your device with unauthorized persons.

If ePHI leaves the App’s encrypted environment (for example, via a screenshot), it may no longer be protected under HIPAA or other privacy regulations.

8. INTERNATIONAL DATA TRANSFERS AND REGIONAL ISOLATION

Luvvi operates regionally isolated infrastructure to ensure that your data stays within the geographic region where your Hospital is located. This architecture is a core element of our privacy and compliance strategy.

• United States: Data is stored in AWS US-East (Virginia). Primary legal framework: HIPAA. Transfer safeguards: BAA with AWS; domestic processing.

• United Kingdom: Data is stored in AWS UK (London). Primary legal framework: UK GDPR / Data Protection Act 2018. Transfer safeguards: UK International Data Transfer Addendum; DPA with AWS.

• European Economic Area: Data is stored in AWS EU (Frankfurt, Germany). Primary legal framework: EU GDPR. Transfer safeguards: Standard Contractual Clauses (SCCs) with AWS.

• Canada: Data is stored in AWS Canada (Montreal). Primary legal framework: PIPEDA and provincial privacy laws. Transfer safeguards: DPA with AWS; domestic processing.

• Australia: Data is stored in AWS Australia (Sydney). Primary legal framework: Australian Privacy Act / APPs. Transfer safeguards: Contractual safeguards with AWS; domestic processing.

  
  

Your data does not leave the region in which it is stored. No ePHI crosses regional boundaries. In the limited circumstances where cross-border transfers may be necessary (for example, for technical support), such transfers are governed by Standard Contractual Clauses (EU), UK International Data Transfer Addendum (UK), or equivalent contractual safeguards.

Luvvi’s corporate headquarters are in Geneva, Switzerland. Switzerland has received an adequacy decision from the European Commission under GDPR, meaning transfers of personal data from the EEA to Switzerland are permitted without additional safeguards.

9. DATA RETENTION

We retain your personal information and ePHI only for as long as necessary to fulfill the purposes described in this Policy, or as required by applicable law.

• ePHI (messages, media, communications): Retained for the duration of the patient’s hospitalization and for a defined period after discharge, as determined by the Hospital’s retention policy and applicable law. The Hospital, as the data controller or covered entity, determines the retention period for patient data.

• Account data (parent name, phone number): Retained until the Hospital deactivates your account or you request deletion. Following deactivation, account data is deleted within 30 days, except where retention is required by law.

• Audio Care recordings: Retained per the Hospital’s policy and available for playback during the care period. Parents may request deletion of their own recordings at any time.

• Usage analytics (Mixpanel): Anonymized and aggregated. Because no individual-level identifiers are transmitted to Mixpanel, this data cannot be linked back to you.

• Local device data: Retained on your device until you delete the App or clear its data.

• Authentication data (OTP codes): Transient. OTP codes expire within minutes and are not stored after use.

  
  

10. YOUR RIGHTS

Your rights regarding your personal information depend on your jurisdiction and on the type of data involved. Key rights may include: accessing your data, correcting inaccurate data, deleting your data, restricting or objecting to processing, data portability, withdrawing consent, and lodging complaints with a supervisory authority.

For detailed rights specific to your jurisdiction, please see the applicable addendum at the end of this Policy:

• California residents: Addendum A (CCPA/CPRA rights)

• EEA and UK residents: Addendum C (GDPR rights, including access, rectification, erasure, restriction, portability, objection, and consent withdrawal)

• Canadian residents: Addendum D (PIPEDA rights)

• Australian residents: Addendum E (Australian Privacy Principles)

• U.S. residents (HIPAA): Rights regarding your patient data and ePHI must be exercised through your Hospital, which is the covered entity under HIPAA. Key HIPAA rights include access to your records (45 CFR §164.524), amendment of inaccurate records (45 CFR §164.526), and an accounting of disclosures.

• 
  

Important: Because the Hospital is the data controller (GDPR) or covered entity (HIPAA), many data subject rights relating to patient data and ePHI must be exercised through your Hospital. Luvvi will assist the Hospital in responding to such requests in accordance with applicable law.

For rights exercised directly with Luvvi (for example, regarding your account data or analytics preferences), please contact us at privacyofficer@luvvi.com. We will respond to verified requests within the timeframes required by applicable law (generally 30 days under GDPR, 45 days under HIPAA, and 45 days under CCPA/CPRA).

We will not discriminate against you for exercising any of your privacy rights.

11. CHILDREN’S PRIVACY

The LuvviCare Family App is intended for use by adults (parents, legal guardians, and authorized family contacts) only. You must be 18 years of age or older, or the age of majority in your jurisdiction, to create an account and use the App.

We do not knowingly collect personal information directly from children under 13 (as defined by the U.S. Children’s Online Privacy Protection Act, “COPPA”), under 16 (as defined by GDPR), or under the applicable age of digital consent in other jurisdictions.

Patient (child) information processed through the App is provided by the Hospital — not by the child — and is processed under the Hospital’s authority as the data controller or covered entity, in accordance with applicable health privacy laws.

If we learn that we have inadvertently collected personal information directly from a child without appropriate authorization, we will take steps to delete that information promptly. If you believe a child has provided personal information to us directly, please contact us at privacyofficer@luvvi.com.

12. COOKIES AND TRACKING TECHNOLOGIES

The LuvviCare Family App is a native mobile application. It does not use cookies.

We use the Mixpanel analytics SDK to collect anonymized usage metrics, as described in Sections 3 and 4. No ePHI, IP addresses, device identifiers, or patient or family identifiers are used for analytics or tracking purposes. The data collected by Mixpanel is designed not to identify you or your child.

Push notification tokens are used solely for delivering notifications to your device and are not shared with any third party other than the platform notification service (Apple Push Notification Service for iOS, Firebase Cloud Messaging for Android).

We do not use any tracking technologies for advertising, retargeting, or cross-app tracking purposes.

13. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time to reflect changes in our practices, the App’s features, legal requirements, or regulatory guidance. When we make material changes, we will:

(a)   Notify you through the App or via the email or phone number associated with your account;

(b)   Update the “Effective Date” and “Last Updated” dates at the top of this Policy; and

(c)   Where required by applicable law, seek your renewed consent before applying material changes to your data processing.

We encourage you to review this Policy periodically. Your continued use of the App after the updated Policy becomes effective constitutes your acknowledgment of the changes. If you do not agree with the updated Policy, you should discontinue use of the App and contact your Hospital about deactivating your account.

14. DATA BREACH NOTIFICATION

In the event of a data breach involving your personal information or ePHI, Luvvi will:

(a)   Notify the affected Hospital(s) without undue delay and, where feasible, within 24 hours of becoming aware of the breach;

(b)   Cooperate with the Hospital in notifying affected individuals and supervisory authorities, as required by applicable law;

(c)   Comply with the following notification timelines:

• GDPR / UK GDPR: Notification to the supervisory authority within 72 hours (Article 33). Notification to affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms (Article 34).

• HIPAA: Notification to affected individuals within 60 days, and to HHS and media outlets as required by the Breach Notification Rule (45 CFR §§ 164.400–414).

• Australian Privacy Act: Notification to the OAIC and affected individuals under the Notifiable Data Breaches (NDB) scheme where the breach is likely to result in serious harm.

• PIPEDA (Canada): Notification to the OPC and affected individuals where the breach creates a real risk of significant harm.

• U.S. State Laws: Notification in accordance with applicable state breach notification statutes.

(d)   Document the breach, its effects, and the remedial actions taken, and retain such documentation for a minimum of five years.

15. HOW TO CONTACT US

If you have questions about this Privacy Policy, wish to exercise any of your privacy rights, or have concerns about how your data is handled, please contact us:

General Privacy Inquiries:

Luvvi Sarl
 Attn: Privacy Team
 Rue Adrien Lachenal 26
 1207 Geneva, Switzerland
 Email: privacyofficer@luvvi.com

For HIPAA-related inquiries (U.S. users):

Please contact your Hospital’s Privacy Officer for matters relating to your patient data. For matters relating to Luvvi’s role as Business Associate, contact us at privacyofficer@luvvi.com.

For GDPR / UK GDPR inquiries:

Please contact our Privacy Officer at privacyofficer@luvvi.com. If Luvvi appoints an EU Representative under Article 27 GDPR or a UK Representative under the UK GDPR, their contact details will be published on our website.

To exercise data subject rights: Email privacyofficer@luvvi.com with the subject line “Data Subject Request — [Your Jurisdiction].”

16. SUPERVISORY AUTHORITIES

If you are not satisfied with our response to your privacy concerns, you have the right to lodge a complaint with the relevant supervisory authority in your jurisdiction:

• United Kingdom: Information Commissioner’s Office (ICO) — ico.org.uk

• European Union: Your national Data Protection Authority (e.g., BfDI in Germany, CNIL in France, DPA in Ireland)

• Switzerland: Federal Data Protection and Information Commissioner (FDPIC) — edoeb.admin.ch

• United States: U.S. Department of Health and Human Services, Office for Civil Rights (HHS OCR) for HIPAA matters; Federal Trade Commission (FTC) and state Attorneys General for consumer privacy matters

• Canada: Office of the Privacy Commissioner of Canada (OPC) — priv.gc.ca

• Australia: Office of the Australian Information Commissioner (OAIC) — oaic.gov.au

ADDENDUM A: ADDITIONAL INFORMATION FOR CALIFORNIA RESIDENTS

This addendum applies to residents of California and supplements the information in the main Privacy Policy above with disclosures required under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA/CPRA”).

A.1 Categories of Personal Information Collected

In the preceding 12 months, we have collected the following categories of personal information as defined by the CCPA/CPRA:

• Identifiers: Parent/guardian name, mobile phone number, child’s name and date of birth.

• Protected Health Information: Messages, photos, videos, audio clips, and other clinical communications received from your Hospital. Note: To the extent this information constitutes protected health information governed by HIPAA, it is exempt from the CCPA/CPRA under California Civil Code § 1798.145(c)(1)(A).

• Audio Information: Voice recordings created by you via the Audio Care feature.

• Internet or Electronic Network Activity: Anonymized app usage metrics only (IP addresses and device identifiers are not used for analytics or tracking; no browsing history).

  
  

A.2 Sale and Sharing of Personal Information

We do not sell your personal information. We do not “share” your personal information for cross-context behavioral advertising as defined by the CCPA/CPRA.

A.3 Your California Privacy Rights

As a California resident, you have the following rights under the CCPA/CPRA:

(a)   Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share it.

(b)   Right to Delete: You may request that we delete personal information we have collected from you, subject to certain exceptions.

(c)   Right to Correct: You may request that we correct inaccurate personal information we maintain about you.

(d)   Right to Opt Out of Sale/Sharing: Because we do not sell or share personal information, there is no need to opt out. However, we honor “Do Not Sell or Share My Personal Information” requests as a matter of policy.

(e)   Right to Limit Use of Sensitive Personal Information: We use sensitive personal information (health data) only for the purposes of providing the App’s services, which is a permitted use under the CCPA/CPRA.

(f)    Right to Non-Discrimination: We will not discriminate against you for exercising any of these rights.

A.4 How to Submit a Request

To exercise your California privacy rights, email us at privacyofficer@luvvi.com with the subject line “California Privacy Request.” We will verify your identity before processing your request. We will respond within 45 days, which may be extended by an additional 45 days where reasonably necessary.

A.5 HIPAA Exemption

To the extent that your personal information constitutes protected health information governed by HIPAA and the HITECH Act, it is exempt from the CCPA/CPRA. Rights relating to such information should be exercised through your Hospital under HIPAA.

ADDENDUM B: ADDITIONAL INFORMATION FOR NEVADA RESIDENTS

Under Nevada Revised Statutes Chapter 603A, Nevada residents may submit a request directing a website operator not to sell certain information the operator has collected about the consumer.

Luvvi does not sell your personal information as defined under Nevada law. If you are a Nevada resident and wish to submit a verified request, please email privacyofficer@luvvi.com with the subject line “Nevada Privacy Request.”

ADDENDUM C: ADDITIONAL INFORMATION FOR USERS IN THE EEA AND UNITED KINGDOM

This addendum applies to users located in the European Economic Area (“EEA”) and the United Kingdom (“UK”) and supplements the information in the main Privacy Policy with disclosures required under the EU General Data Protection Regulation (“GDPR”) and the UK General Data Protection Regulation / Data Protection Act 2018 (“UK GDPR”).

C.1 Data Controller

Your Hospital is the data controller for patient data and ePHI processed through the App. Luvvi acts as the data processor, processing data on the Hospital’s behalf under a Data Processing Agreement that includes the European Commission’s Standard Contractual Clauses (SCCs) for international transfers.

For personal data that Luvvi processes independently of the Hospital’s instructions (for example, anonymized usage analytics), Luvvi acts as an independent data controller.

C.2 Legal Bases for Processing

The legal bases for our processing of your personal data are set out in the table in Section 4 of the main Privacy Policy. In summary:

(a)   Performance of a contract: Processing necessary to deliver the App’s services to you as described in the Terms of Service.

(b)   Legitimate interests: Processing necessary for our legitimate interests (or those of a third party), such as maintaining security, improving the App, and providing anonymized analytics to Hospitals, where those interests are not overridden by your rights.

(c)   Legal obligation: Processing necessary to comply with applicable laws and regulations.

(d)   Consent: Where required, particularly for the processing of special category health data under Article 9(2)(a) GDPR.

C.3 Special Category Data

Health data processed through the App constitutes special category data under Article 9 GDPR. This data is processed on the legal basis of:

• Article 9(2)(h): Processing necessary for the provision of health care, under the Hospital’s responsibility as the data controller; and

• Article 9(2)(a): Explicit consent, where applicable.

• 
  

C.4 Your GDPR Rights

In addition to the rights summarized in Section 10 of the main Privacy Policy, you have the right to:

• Request a copy of the Standard Contractual Clauses or other safeguards governing international data transfers;

• Object to processing based on legitimate interests, in which case we will cease processing unless we demonstrate compelling legitimate grounds; and

• Withdraw consent at any time for processing based on consent, without affecting the lawfulness of processing before withdrawal.

  
  

C.5 Data Protection Impact Assessment

Luvvi has conducted a Data Protection Impact Assessment (DPIA) under Article 35 GDPR in connection with the processing of health data through the App. A summary of the DPIA is available upon request to your Hospital or by contacting privacyofficer@luvvi.com.

C.6 EU/UK Representative

If Luvvi does not have an establishment in the EEA or UK, it will appoint a representative under Article 27 GDPR and the equivalent UK provision. If Luvvi appoints an EU Representative under Article 27 GDPR or a UK Representative under the UK GDPR, their contact details will be published on our website at luvvi.com/legal/privacy.

C.7 Supervisory Authority

You have the right to lodge a complaint with your national Data Protection Authority. See Section 16 of the main Privacy Policy for contact details.

ADDENDUM D: ADDITIONAL INFORMATION FOR CANADIAN USERS

This addendum applies to users located in Canada and supplements the information in the main Privacy Policy with disclosures required under the Personal Information Protection and Electronic Documents Act (“PIPEDA”) and applicable provincial privacy legislation.

D.1 Accountability

Your Hospital is the organization primarily accountable for the personal health information processed through the App. Luvvi processes this information on the Hospital’s behalf under contractual safeguards that require Luvvi to implement appropriate security measures and to process personal information only as directed by the Hospital.

D.2 Consent

By creating an account and using the App, you consent to the collection, use, and disclosure of your personal information as described in this Privacy Policy. You may withdraw your consent at any time by contacting your Hospital or by emailing privacyofficer@luvvi.com. Please note that withdrawing consent may affect your ability to use the App.

D.3 Your Rights Under PIPEDA

Under PIPEDA, you have the right to:

(a)   Access your personal information held by Luvvi and request a copy;

(b)   Challenge the accuracy and completeness of your personal information and have it amended;

(c)   Withdraw consent for the collection, use, or disclosure of your personal information, subject to legal or contractual restrictions; and

(d)   Complain to the Office of the Privacy Commissioner of Canada (OPC) if you believe your privacy rights have been violated.

D.4 Data Storage

Personal information and ePHI of Canadian users is stored on AWS servers located in Canada (Montreal). Your data does not leave Canada except in limited circumstances described in Section 8 of the main Privacy Policy, and any such transfer is subject to contractual safeguards.

D.5 Breach Notification

In the event of a breach of security safeguards involving your personal information that creates a real risk of significant harm, Luvvi will notify the affected Hospital, which will notify you and the OPC in accordance with PIPEDA’s breach notification requirements.

ADDENDUM E: ADDITIONAL INFORMATION FOR AUSTRALIAN USERS

This addendum applies to users located in Australia and supplements the information in the main Privacy Policy with disclosures required under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (“APPs”).

E.1 APP Entity

Your Hospital is the APP entity primarily responsible for the handling of your personal information and health information under the Privacy Act. Luvvi processes this information on the Hospital’s behalf under contractual arrangements that require Luvvi to comply with obligations equivalent to the APPs.

E.2 Collection and Use

We collect only the personal information reasonably necessary to provide the App’s services, as described in Section 3 of the main Privacy Policy. We do not collect personal information by unlawful or unfair means.

E.3 Disclosure Overseas

Personal information of Australian users is stored on AWS servers located in Australia (Sydney). Your data does not leave Australia except in limited circumstances described in Section 8 of the main Privacy Policy. Before any overseas disclosure, Luvvi takes reasonable steps to ensure the overseas recipient does not breach the APPs, or the disclosure is covered by an exception under APP 8.2.

E.4 Your Rights Under the APPs

Under the Australian Privacy Principles, you have the right to:

(a)   Request access to the personal information Luvvi holds about you (APP 12);

(b)   Request correction of personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading (APP 13);

(c)   Complain about a breach of the APPs (APP 1). Luvvi will respond to complaints within 30 days.

E.5 Notifiable Data Breaches

In the event of an eligible data breach (as defined by Part IIIC of the Privacy Act) that is likely to result in serious harm, Luvvi will notify the affected Hospital, which will notify you and the Office of the Australian Information Commissioner (OAIC) in accordance with the Notifiable Data Breaches scheme.

E.6 Contact for Australian Privacy Concerns

Australian users may contact us at privacyofficer@luvvi.com or lodge a complaint with the OAIC at oaic.gov.au.