Hyperfine Privacy Notice

Last Revised: 13 June 2024

Introduction

At Hyperfine, Inc. and Affiliates (“Hyperfine,” “we,” “us” or “our”) your privacy is important to us. This Privacy Notice describes how we collect and use your Personal Information, and the reasons we collect your information. This Privacy Notice also describes your rights to your Personal Information and provides instructions about how you can contact us for more information or to exercise your rights.

We encourage you to take the time to review our Privacy Notice. You may use the Table of Contents to navigate to other sections of this Privacy Notice. It is important to us that you understand this Privacy Notice. By using our website, software, and/or other products and services, you agree to the terms of this Privacy Notice.

Scope:

This Privacy Notice defines your privacy rights regarding your Personal Information obtained by us when you:

Visit our website (referred to as the “Site”).
Register and attend our webinars, demonstrations, and/or other events, engage us on our social media (e.g., LinkedIn), and any other marketing activities hosted by Hyperfine.
Use our Medical Devices, and any associated services as an authorized end user, including the Swoop® Portable MR Imaging® System and our Hyperfine Cloud services (collectively, the “Services”).

What type of Personal Information do we collect?
How do we Collect your Personal Information?
Do we collect Special Categories of Personal Information?
Do we collect Personal Information from Children or Minors?
Do we use Cookies and other Tracking Technologies?
How do we use your Personal Information?
How will we share your Personal Information?
How do we store and retain your Personal Information?
How do we protect your Personal Information?
Is your Personal Information transferred internationally?
How can you Opt-out of our Marketing Communications?
What are the specific privacy rights for Residents of the European Economic Area, the United Kingdom, and Switzerland?
What are the specific privacy rights for California Residents?
What are the specific privacy rights for Canadian Residents?
Do we update our Privacy Policy?

01. What type of Personal Information do we collect?

The specific nature and type of Personal Information we collect depends on the context of your interaction with Hyperfine and use of our Site and Services. We may collect the following types of Personal Information when you use our Site, communicate to us an interest to learn about Hyperfine and our Services, when you use any of our Services, or when you contact us for any other purposes:

Full Name
Email Address
Office and Mobile Phone Number
Job Title, Occupation and Employer
Mailing Address
Billing Address
Country of Residence
State of Residence (for US residents)

02. How do we collect your Personal Information?

As mentioned in the previous section, there are two primary sources of how we obtain your Personal Information: our Site and our Services.

Personal Information you provide us when using our Site:

Our Site offers multiple ways to contact Hyperfine, including the “Contact Us”, “Request Support”, and/or “Customer Portal” service. The Personal Information received through our Site is provided by you voluntarily. For the Personal Information obtained via our Site, we act as a Data Controller, in that we manage the purpose, aims, and objectives for processing this information.

Information automatically collected:

When visiting our Site, certain aggregated information is automatically collected from you through use of common information-gathering technologies, such as web beacons and Cookies. Aggregate information does not include specific identifiers (name, email address), but does include information about the device used to visit our Site (IP address), internet browser, and usage data defining your interaction with our Site. This aggregated information is used to maintain the security and reliability of our Site. Further information about our use Cookies and tracking technologies on our Site, see our Cookie Notice: Cookie Notice

Personal Information you provide us when using our Services:

In general, use of our Services is intended only for Customer consumers, or “End Users” that use our Services. Customer End Users and distribution partners control what Personal Information we obtain through their use of our Services, and how we may process that information, in our role as a Data Processor or Sub-Processor. This includes any Personal Information of our Customer End Users and our End Users’ Patients, which may include patient Personal Information.

Customer End Users provide certain information during the initial purchase of our Services, including business contact and billing information. During use of our Services, we may also collect Personal Information for account management (unique email and username), and any Personal Information you provide us with troubleshooting and support requests for our Services (name, organization, phone number, email address).

03. Do we collect Special Categories of Personal Information?

Personal Health Information processed in support of customers:

In some circumstances, we may process the Personal Information of our Customer End Users’ Patients in performance of our Services to our End Users or distribution partners (as a Data Processor or Data Sub-Processor). This Personal Information may include information relating to a person’s health, including:

Patient name, sex, date of birth, medical record number (MRN)
Patient health information, study description and other custom metadata as defined by the End User (e.g., End User custom DICOM fields in MRI exam).

The Personal Information defined above is only processed at the direction of, and after authorization expressed from, our Customer End Users or distribution partners, in performance of Services. However, where the scope of Services does not require specific identification of patients, we minimize the collection of Personal Information through de-identification (or pseudonymization of information). The list of Services that follows defines some of the Services provided to Customer End Users and distribution partners (at their direction and expressly authorized by them), and the type of Information collected and processed for that Service:

Hyperfine Image Viewer Services: For supporting clinical care. Collection of identifiable patient information (patient name, medical record number, date of birth, physician name, physician notes) is required to ensure Customer End Users can correctly associate patients to their medical images (for provisioning of healthcare and treatment).
Quality Assurance and Customer Support Services: For providing quality assurance and customer support. Collection of de-identified data (data that does not include identifiable patient information) is required by us for providing timely diagnostics, troubleshooting, and other technical support in order to maintain optimal performance and quality of our Services (for ensuring high standards of quality and safety of health care and medical devices).
Email Notification Services: For communicating exam updates and notifications to other End Users. Collection of de-identified data (data that does not include identifiable patient information) is required by us to process the notification requests between Customer End Users.

Note: If you are a Patient of one of our Customer End Users or distribution partner’s customers with questions or requests related to your Privacy rights, you should contact the relevant End User and/or review that organization’s Privacy Policies. If Hyperfine receives a privacy inquiry from an End User Patient, we will respectfully direct this inquiry to the appropriate Customer End User for response.

Personal Health Information processed in Clinical Research and Trial Studies:

In some circumstances, our Services may be used in clinical research and investigational studies managed by Hyperfine or in collaboration with our Research Partners. These studies involve the collection and processing of Personal Information from study participants under the parameters governing the conduct of the research. While each research study is unique, the Personal Information collected by these research studies informs us generally about the use of our Services and what potential future enhancements to our Services in clinical care and treatment (for legitimate activities and scientific research purposes). Where Personal Information and/or de-identified information is collected in these research and trial studies, Hyperfine will ensure collection and processing of data is performed in compliance with applicable privacy and data protection laws, and any applicable patient consent forms.

04. Do we collect Personal Information from Children or Minors?

Use of our Site is intended for adult representatives of our customers and prospective Customers of our Services, which does not include children or minors. We do not solicit, or knowingly collect Personal Information from children or minors. Where any of our Services require the collection and processing of Personal Information of children or minors, we comply with the Children's Online Privacy Protection Act (“COPPA”), which first requires the written consent of a parent or legal guardian for the collection of personally identifiable information of children under 13 years of age. We do not knowingly collect personally identifiable information about children under 13 years of age. In the event that we learn that we have collected such information without the necessary consent, we will take steps to promptly delete such information. If you have any concerns in this regard, you may contact us at privacy@hyperfine.io.

05. Do we use Cookies and other Tracking Technologies?

Our Sites and Web Services use both session and persistent cookies. You can delete cookies from your hard drive at any time or configure your Internet browser to reject or notify you when a cookie is being placed on your hard drive. However, please note that blocking cookies may prevent you from using certain features on our Sites, and you may be required to re-enter information more frequently to access certain services on the Sites. For more information about cookies, including how to control and delete them, refer to our Cookie Notice: Cookie Notice

06. How do we use your Personal Information?

We use Personal Information collected on our Site and Services for the following purposes and legal bases:

To contact you with Marketing information about our Medical Device and other Services in response to any information requested sent by you. These communications are provided to you based on your consent, which you may opt-out of at any time (see: How Can I Opt-out of Marketing Communications?).
To contact you to provide product support and technical assistance at your request.
To provide the Services that we have committed to provide our customers.
To analyze the utilization and trends of our Services in furtherance of our product improvement and enhancing the Customer experience with our Services.
To improve the quality, performance, safety, and medical application or our Services that and to further enhance the Customer experience with our Services.
In furtherance of scientific and medical research.

07. How will we share your Personal Information?

We may share or transfer Personal Information to third parties as required to support fulfillment of our Services to our Customers, or under special circumstances described below:

Third Party Service Providers: Where it is necessary, Hyperfine may share your information to third parties to provide certain processing functions on our behalf. The types of third party service providers we share information with include cloud hosting providers, zero-footprint PACS providers, data analytics service providers, CRM providers, and email communications providers.
Compliance with Legal Requirements: Where required, Hyperfine may share your information to comply with applicable regulatory, governmental, judicial and/or other legal processes.
Vital interests and legal rights: When necessary, Hyperfine may share information as part of investigatory actions related to illegal activities, including suspected fraud, threats to the safety of individuals, or as evidence in judicial proceedings and/or litigation.
Business Transfers: In the event of a merger, acquisition, and/or sale of Hyperfine’s company with another company, we may share or transfer your Personal Information to that second company. Where a business transfer occurs, Hyperfine will notify the second company about whether and to what extent it may use your Personal Information, as defined in this Notice, and inform that company of their obligation to only use your information in a manner consistent with this Policy Notice.

08. How do we store and retain your Personal Information?

Your Personal Information is stored within secured data centers located in the United States. Hyperfine retains this information for various reasons, which include:

Fulfilling service commitments and processing activities on behalf of Customers, as defined in this Privacy Notice.
Fulfilling our own legitimate business interests and regulatory requirements.
For sensitive health information, the retention period is considered to be appropriate by Hyperfine in order to meet any contractual requirements, while limiting the potential risk of harm through misuse and/or unauthorized access.

At the end of the retention period described above, Hyperfine will delete or fully anonymize that Personal Information.

09. How do we protect your Personal Information?

We have implemented commercially reasonable administrative, technical, and organizational security measures designed to protect the security of any Personal Information we process. However, despite our safeguards and efforts to secure your information, no electronic transmission over the internet or information storage technology can be guaranteed to be 100% secure, so we cannot promise or guarantee that hackers, cybercriminals, or other unauthorized third parties will not be able to defeat our security measures, and improperly collect, access, steal, or modify your information. Although we will do our reasonable best to protect your Personal Information, transmission of Personal Information to and from our Services is at your own risk. You should only access the Services within a secure environment.

10. Is your Personal Information transferred internationally?

For Users of our Site

Hyperfine’s Website is hosted in the United States. If you are an international visitor to our Website from the European Union (EU), United Kingdom (UK), Canada, or other regions with laws governing data collection and use that may differ from U.S. law, please note that you are transferring your personal data to the United States which does not have the same data protection laws as the EU. By accessing our website, you consent to:

The use of your personal data for the purposes identified above in accordance with this Privacy Notice; and
The transfer of your personal data to the United States as indicated above.

For Users of our Services

In performance of our Services, we will process Personal Information for the purposes described in this Privacy Notice to the United States. If you are an End User located in the EEA, UK, or Switzerland, you acknowledge that your Personal Information may be transferred to third countries, or countries outside the EEA, UK, or Switzerland, such as the United States. Hyperfine will implement a lawful transfer mechanism approved by the European Commission to protect your Personal Information when it is transferred outside the EEA, UK, or Switzerland, which includes:

Implementing data protection agreements and standard contractual clauses that define appropriate organizational and technical measures to protect your Personal Information during transfer.
Participating in the EU-US Data Privacy Framework (DPF), and UK and Swiss Extension to the EU-US. DPF, to perform international data transfer under an adequate level of protection comparable to the protection of personal data in the EU, as determined by the EU Commission.

11. How can you Opt-Out of our Marketing Communications?

If you previously agreed to receive marketing communications from us, you may opt out at a later date. Please note that opting out of our marketing communications means we will no longer send you information about our Services. To opt-out of receiving marketing communications from us, please contact us via email at info@hyperfine.io.

Note: It may take us up to 10 business days to process your opt-out request, during which time you may continue to receive emails from us.

12. What are the specific privacy rights for Residents of the European Economic Area, the United Kingdom, and Switzerland?

If you are located in the European Economic Area, the United Kingdom or Switzerland, you have the following rights with regard to your Personal Information processed by us:

Your Right of Access	You have the right to request access to and receive information about the Personal Data we maintain about you for our own purposes.
Your Right to Correction or Rectification	You have the right to ask us to update and correct inaccuracies in your Personal Data.
Your Right to be Forgotten	You have the right to ask us to have your Personal Data anonymized or deleted, as appropriate subject to exceptions in applicable laws.
Your Right to the Restriction of Processing	You have the right to ask us to restrict our processing of your Personal Data.
Your Right to Data Portability	You have the right to obtain an electronic copy of the Personal Data we have collected pertaining to you and to exercise your right to data portability to easily transfer your Personal Information to another company.
Your Right to Object	You have the right to object to our processing of your Personal Data. Where it is appropriate that we comply with your request, we will stop processing your Personal Data in the means which you’ve objective against.
Your Right to Lodge a Complaint	You have the right to lodge a complaint with a supervisory authority regarding our collection and use of your Personal Data. For more information, you may contact your local supervisory authority within your country of residence, place of work, or where the processing took place.
Your Right to Withdraw Consent	Where you previously provided your consent to Hyperfine to process your Personal Data, you have the right to withdraw your consent at any time and free of charge. We will apply your preferences going forward, but this will not affect the lawfulness of the processing before your withdrawal of consent.

These rights may be limited in some circumstances by local, regional, federal or state legal or regulatory requirements or derogations (exceptions) in local law, or the General Data Protection Regulation (GDPR).

Our EU, UK, and Switzerland Data Representative

Hyperfine has appointed a local data representative that you can contact directly regarding the processing of your Personal Data if you are a resident in the European Economic Area, the United Kingdom, or Switzerland. You can contact them directly regarding the processing of your information by emailing: privacy@hyperfine.io

13. What are the specific privacy rights for California Residents?

If you are a resident of California, you have the following rights to your Personal Information as defined by the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

Right to Delete Personal Information	You have the right to request us to delete any Personal Information we have collected about you.
Right to Correct Inaccurate Personal Information	You have the right to request changes and alterations to any Personal Information we have collected about you.
Right to Know What Personal Information is Being Collected (“Shine the Light” Requests)	You have the right to explicitly know what Personal Information we have collected about you, and for the exact purpose it has been collected. Residents of California have the right to request a disclosure describing the categories of Personal Information we have shared with third parties for their direct marketing purposes, and with whom we have shared it, during the preceding calendar year.
Right of Access to Personal Information	You have the right to request access to the specific Personal Information we have collected about you, including sources from where it was collected.
Right to Limit Use and Disclosure of Personal Information	You have the right to restrict the ways in which we use and disclose your Personal Information.
Right to Opt-Out of Sale or Sharing of Personal Information	You have the right to opt out of receipt of communications from us.
Right to No Retaliation for Opt-Out or Exercise of Other Rights	You have the right to exercise any of the above consumer subject rights without having to endure any form of retaliation from us.

You may exercise any of these rights by contacting us at privacy@hyperfine.io, or calling us at 1-866-796-6767. We may require specific information from you to help us verify your identity and process your request. If we are unable to verify your identity, we may deny your requests to know or delete. Additionally, you can designate an authorized agent to submit requests on your behalf. However, we will require written proof of the agent’s permission to do so and verify your identity before processing your request.

14. What are the specific privacy rights for Canadian Residents?

If you are a resident of Canada, you are guaranteed the following privacy rights to your Personal Information as defined in the Personal Information Protection and Electronic Documents Act (“PIPEDA”).

The right to be informed	We must provide you with the clear purposes and objectives for processing your Personal Information.
The right to access	You have the right to request access information about what Personal Information we have collected from you, and how it is used and disclosed by us. We must respond to your access request within a reasonable timeframe, no later than 30 business days from receipt of your request, and at minimal or no cost to you.
The right to correction	You have the right to request that we make corrections to inaccurate records of your Personal Information. We must apply these corrections to your Personal Information processed by us and any downstream third parties.
The right to withdraw consent	You have the right to withdraw consent at any time to us processing your Personal Information. We have the right to respectfully refuse or postpone your withdrawal request if we still require your Personal Information to fulfill the purpose for which it was collected.
The right to erasure	You have the right to request your Personal Information be deleted (“right to be forgotten”).
The right to lodge a complaint	If you believe we are in violation of PIPEDA, you have the right to file a complaint with the Office of the Privacy Commissioner (OPC) of Canada.

15. Do we update our Privacy Notice?

Our business changes frequently, and this Notice is subject to change from time to time. When we make changes to this Notice, we will (1) post the updated version on our website, (2) update the effective date of the Notice, and (3) provide notice of material changes to the extent required by applicable law. But, unless stated otherwise, our current Notice applies to all information that we have collected about you.