If you have a request concerning your medical records, please visit our data subject request portal here.
Version Effective date: 1 May 2020
Your privacy is important to us at Nevro, and so is being transparent about our data protection practices.
This Privacy Notice (“Notice”) applies to you if you are an individual who:
- visits Nevro.com, HF10.com, and other websites on which we post a direct link to this Notice (“Site” or “Sites”)
- is employed or otherwise engaged by our customers (i.e., hospitals)
- is employed or otherwise engaged by our service providers or professional advisors
- is a patient to whom we provide our products and/or services
- visits our offices, attends our events or engages with us at trade shows and conferences
If you are an organization (for example, a hospital, business associate, service provider, or professional advisor), we would ask that you provide this Notice to your directors, officers, employees, partners and other staff who have or have had dealings with us on your behalf.
This Notice should be read along with any additional notice that we provide when we collect or otherwise process your personal data.
This Notice describes the types of information we collect, the purposes for which it is used, and the choices you have with respect to how we use your data. We encourage you to read this Notice to understand our privacy practices before using our Services.
If you are a California resident and would like to exercise your California privacy rights, please see our California Consumer Privacy Act Notice below.
Nevro is a global medical device company that offers products and services for the Senza® and Senza Omnia™ HF10™ Systems (“Services”).
Who is your Nevro controller
“Nevro”, “we”, “us” or “our” refers to the relevant Nevro entity with which you deal as set out in the table below. This entity is the primary controller of your personal data and is responsible for providing you with this Notice.
|Country of your dealings||Primary controller||Address||Contact e-mail address|
|Australia||Nevro Medical Pty Limited||Level 14/440 Collins Street; ABN 53 150 636 945|
|Austria||Nevro Medical Limited (acting through Nevro Germany GmbH)||Prielmayerstraße 3|
|Belgium||Nevro Medical Limited (acting through its Belgian branch office)||Carrick House, Lypiatt Road|
|Germany||Nevro Medical Limited (acting through Nevro Germany GmbH)||Prielmayerstraße 3|
|Luxembourg||Nevro Medical Limited||Carrick House, Lypiatt Road|
|Netherlands||Nevro Medical Limited (acting through its Netherlands branch office)||Carrick House, Lypiatt Road|
|Norway||Nevro Medical Limited||Carrick House, Lypiatt Road|
|Sweden||Nevro Medical Limited||Carrick House, Lypiatt Road|
|Switzerland||Nevro Medical Limited (acting through Nevro Medical SAGL)||Christoph Merian-Ring 11|
|United Kingdom||Nevro Medical Limited||Carrick House, Lypiatt Road|
|United States||Nevro Corp.||1800 Bridge Pkwy, Redwood City, CA|
Information we collect
We collect information about you when you provide it to us, when you use our Services, and when other sources provide it to us, as described below. We collect the following types of information:
- Information you provide through our Sites: When you complete and submit an online form on any of our Sites, such as through the “Contact Us” page, we may collect your name, phone number, and email address. When you complete and submit a patient assessment form on our HF10.com website in the U.S., we collect your age, gender, phone number, email address, and other health-related information. We do not directly collect this contact information outside of the U.S. When you submit a form to see if you qualify for or express interest in one of our studies or clinical trials, we may collect your name, age, date of birth, gender, phone number, email address, zip code, and other health-related information, such as medical conditions you may be experiencing or any medications you might be taking. Where we provide the option for you to refer a friend or family member for one of our studies or clinical trials, we may collect that person’s name, email address, and other contact information.
- Information you provide for Nevro HF10 Therapy: We may collect information about you when you receive HF10 Therapy to facilitate treatment and post-treatment care. This will vary depending on where you are located but may include your name, gender, date of birth, mailing address, email, phone number, information relating to your pain (pain scores, procedure type, pain location), your Nevro medical device settings, and your experience with our Services. We may also collect your name and appointment information from healthcare providers, such as hospitals and clinics, where your procedure is performed. If you are located in Europe you will be provided with a separate notice which details the information collected when you receive HF10 Therapy.
- Information you provide at events: When you attend Nevro-hosted professional or patient education events, or submit requests for more information about our Services, we collect your name, email address, and phone number during the registration process. We also collect contact information to coordinate travel for attendees of Nevro-hosted professional education events and trainings. When you engage with us at trade shows and conferences, we collect contact information you provide to us, such as your name, email address, and phone number.
- Information you provide when you visit our offices: When you visit one of our offices we collect your name, organizational affiliation and contact information. In some offices we may also collect video images from CCTV when you enter and exit our offices.
- Information you provide to publish your testimonial: With your consent, we collect information such as your name, city, state, email address, health information (pain location), implant date, photographs and videos of you to publish your testimonial. Your testimonial may be featured on a variety of platforms, including on our Sites, social media, television, print, audio, marketing emails, and promotional materials.
- Service providers: If you are a service provider or professional advisor engaged by us, or if you are employed or otherwise engaged by a service provider or professional advisor to us, we may collect (either from you or from the organization with which you are affiliated) your name, organizational affiliation, national provider identifier, contact information and bank account details.
- Device information: When you visit our Sites, we automatically collect your operating system, IP address, device type, and device version.
- Browsing information: When you visit our Sites, we automatically collect your browser type and usage details, such as time, frequency, and use pattern. We may collect the domain name from which you access our Sites, the pages of our Sites that you visit, the amount of time spent on our Sites, and the number of times you return to our Sites.
- “Do Not Track” technologies: We currently do not respond to web browser “Do Not Track” signals.
How we use information and in reliance on what lawful basis
We use the information we collect about you to:
- Communicate with you: We may contact you to respond to your inquiries, requests, and/or send important service messages. For example, we may contact you to provide customer support, or schedule appointments. It is in our legitimate interest to organize calls and meetings between you and our staff, manage our relationship with you and for us to conduct our business.
- Provide and improve our Services and Sites: We use information we collect to provide and analyze how you use our Services / Sites, develop new products and services, and improve functionality, efficiency, and quality of our Services / Sites. We have a legitimate interest to properly manage and administer our relationship with you and to ensure that we are as effective and efficient as we can be.
- Nevro HF10 Therapy: We collect personal data in order to provide you with the necessary devices to support the trial and/or implant of the devices and to optimize the HF10 Services. In detail, Nevro collects and processes your personal data to understand your specific needs for implant and treatment, to invoice and bill your medical provider for the device, to contact your physician if necessary to plan and to perform the HF10 therapy, to provide the Services in connection with the patient agreement you have entered into with your treating doctor or hospital and to perform Nevro’s related therapy support obligations towards the treating doctor or hospital. These activities are carried out where in our legitimate interests and to comply with our legal obligations. If you are located in Europe you will be provided with a separate notice which details the information collected when you receive HF10 Therapy.
- Perform data analytics for patient outcomes: The information we collect is anonymized and aggregated to perform data analytics. This data helps us improve the quality of our Services, optimize our algorithms for HF10 Therapy, and present patient outcomes to current and prospective customers. We have a legitimate interest to manage our business and improve our Services / Sites.
- Billing: Depending on your location, we may collect your name, date of birth, insurance number, and other health information, as necessary, to use for billing purposes. It is in our legitimate interest to bill you for services provided to us. It may also be necessary to perform, or to enter into, contracts with you (for example, to process payment details). In some cases, it may also be necessary for us to comply with our legal obligations to perform anti-money laundering/know your customer checks.
- Marketing and advertising: We only publish testimonials, send marketing emails and newsletters, or call you about our Services, with your consent. We advertise our Services on social media platforms, such as Facebook, but we will not directly contact you or collect your information through these platforms. In the U.S., we engage in behavioral advertising and partner with third parties, such as Google, to provide you targeted advertisements on our Sites. See “Your choices and rights” section below to learn how to manage your communication preferences.
- Coordinate events and manage visitors: We use your name and contact information to coordinate events that you are attending, including travel arrangements if you attend a Nevro-hosted professional education event that requires you to travel outside of your city. Where we process visitor personal data it is in our legitimate interest to keep our offices secure and manage our business.
- Sale of information (CCPA): We do not sell patient or physician information as defined by the CCPA. See more information here.
Where we require your personal data to comply with legal requirements, failure to provide this information means we may not be able to accept you as a customer / patient and/or you may be unable to receive Services from us. We will tell you when we ask for your information whether it is a statutory or contractual requirement to give us the information and the consequences of not providing the information.
Individuals located in EEA/UK: Please note that you have a right to object to processing of your personal data where that processing is carried out for our legitimate interest or for direct marketing purposes.
How we share information
We share information about you with third parties as follows:
- Service providers: We provide your information to third party service providers to help us perform our Services and operate the Sites. These service providers are authorized to use your information only as necessary to provide services on our behalf and under our direction. We use service providers for business activities such as relationship management, content management, data center hosting services, customer support, document management, marketing, and email administration. We also provide your personal data to professional advisors (for example, accountants, lawyers or other consultants), independent public accountants and auditors, and authorized representatives of internal control functions.
- Nevro Corp. and Nevro affiliated companies: As necessary, we share information we have about you with our affiliated companies to operate and improve our Services. Nevro affiliated companies are owned or operated by Nevro Corp. This Notice applies to the information we share with our affiliates.
- Legal purposes: We disclose your information when we believe that disclosure is (1) reasonably necessary to comply with any applicable law, regulation, subpoena, legal process or enforceable governmental request; (2) necessary to enforce the provisions of this Notice; or (3) necessary to protect against harm to the rights, property, or safety of Nevro, our customers, or the public as required or permitted by law.
- Transactions: We may also disclose your personal data to any third party that acquires, or is interested in acquiring, all or part of our assets or shares, or that succeeds us in carrying on all or part of our business.
International data transfers
Given the global nature of our business, we may transfer your personal data outside of the country in which you originally provided it to us. These countries may not have the same level of data protection as the country in which you provided your personal data to us. In particular, if you are located in EEA/UK your personal data will be transferred to the United States, which the European Commission has determined does not provide an adequate level of data protection. Where we transfer your personal data from the EEA/UK we rely on our intra-group EU-style data transfer agreement (known as standard contractual clauses). Where we transfer your personal data from the EEA/UK to other recipients outside of the EEA/UK, we will enter into a similar data transfer agreement with the recipient or seek assurances from the recipient that they are EU/Swiss-U.S. Privacy Shield certified or have Binding Corporate Rules in place.
Your choices and rights
Where appropriate or legally required, we will describe how we use personal data we collect so you can make choices about how your data is used. You can notify us during the information collection process and change your preferences at any time.
- Marketing communications: With your consent, we may contact you by email or phone to provide additional information about our Services. If you would like to opt-out of further marketing communications, you can click the link in the bottom of any marketing email, or email us at [email protected].
- Patient care communications: Subject to applicable law, we may call, email, or send SMS texts after your procedure to schedule appointments and facilitate follow up treatment.
- Transactional communications: We send transactional emails if you submit a message through the “Contact Us” form on our websites, to notify you about changes to our Services, and to send other disclosures as required by law.
For California consumers, please see our California Consumer Privacy Act Notice for information about your rights and how to exercise them.
For other individuals, depending on your country or state and as required by law, you have the right to:
- Access and receive a copy of your personal data;
- Update, amend, delete or correct incomplete or inaccurate data;
- For CA consumers, additionally:
  - Request to delete information;
- For EEA/AUS individuals, additionally:
  - Request that we stop processing your personal data;
  - Withdraw your consent to the processing of your personal data;
  - Object to the processing of your data;
  - The portability of personal data – i.e., ask for a copy of your personal data to be provided to you, or a third party, in a digital format; and
  - Lodge a complaint with a Data Protection Authority/EU Supervisory Authority.
We can correct or delete incorrect data, or provide a copy of your personal data upon request, but we reserve the right to request, where necessary, additional information to verify your identity before we process your request and to maintain a copy of all requests for our legal records. If you wish to exercise these rights, please submit your request here and we will respond to verifiable requests within 30-45 days, depending on the applicable state or country regulations (if any). Applicable privacy laws may give you the right to file a complaint with a government regulator if you are not satisfied with our response.
How we store and secure information
We maintain appropriate administrative, technical, and physical safeguards designed to protect your personal data from loss, misuse, unauthorized access, disclosure, alteration, and destruction. We maintain a Corporate IT Security Policy and use-tested access and security controls to ensure that your data is secure. We also require that third party service providers acting on our behalf or with whom we share your information provide such security measures in accordance with industry standards.
We use data hosting service providers in the U.S. and EEA to host the information we collect in connection with our HF10 Therapy. The servers which store the information we collect are kept in a controlled environment. Where data is transferred over the Internet as part of our website, the data is encrypted using industry standard SSL (HTTPS), and multi-factor authentication is required for remote access to most systems containing sensitive information.
Although we implement safeguards designed to protect your information, it is impossible to guarantee absolute security in all situations. If you have any questions about security of our Services, please contact us at [email protected].
We retain your information for as long as needed to comply with our legal obligations (such as maintaining medical records and reporting to regulatory authorities), resolve disputes, and enforce our rights. We also may retain your information to support our business operations and develop our Services. The criteria used to determine the retention periods include:
- how long the personal data is needed to provide the Services and operate the business;
- the type of personal data collected; and
- whether we are subject to a legal, contractual or similar obligation to retain the data (e.g., mandatory data retention laws, government orders to preserve data relevant to an investigation, or data that must be retained for the purposes of litigation or disputes).
Other important privacy information
Our Services are intended for a general audience and are not directed to children. We do not knowingly collect personal information online from minors under the age of 16. If you believe that a minor under the age of 16 may have provided us with personal information, please contact us at [email protected] and we will promptly delete that information from our records.
Third party services, applications, and websites
Certain third party services or websites you use, or navigate to or from our Services (such as social media sites) may have separate user terms and privacy policies that are independent of this Notice. We are not responsible for the privacy practices of these third party services or applications. We recommend carefully reviewing the user terms and privacy statement of each third party service, website, and/or application prior to use.
Changes to Privacy Notice
We may update this Notice to reflect changes in our personal data practices or relevant laws. We will notify you if we make any material changes by revising the “effective date” at the top of this Notice. We encourage you to review this Notice for updates each time you use our Services.
If you have any questions about our privacy practices, or if you would like to exercise your rights, please contact our Data Protection Officer at [email protected] or write to us at:
Attn: Data Protection Officer
1800 Bridge Pkwy
Redwood City, CA 94065
EU Data Protection Representative: Nevro Germany GmbH ([email protected])
UK Data Protection Representative: Nevro Medical Ltd. ([email protected])
California Consumer Privacy Act Privacy Notice (“CCPA Notice”)
This California Consumer Privacy Act Notice (“CCPA Notice”) supplements the information provided in the Nevro Privacy Notice. This CCPA Notice describes the rights and choices that California consumers have with respect to their personal information and Nevro’s responsibilities in relation to California consumers’ personal information. Capitalized terms used but not defined herein are defined in the Privacy Notice.
If you have questions or concerns about any of the information provided in this CCPA Notice, please contact us using the information provided in the “Contact Us” section of the Privacy Notice.
Definition of Personal Information
For purposes of this CCPA Notice, “personal information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular California consumer or household.
Personal information does not include:
- Publicly available information that is lawfully made available from federal, state, or local government records;
- De-identified or aggregated Consumer information; and
- Information excluded from the scope of the CCPA such as:
  - Health or medical information covered under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the California Confidentiality of Medical Information Act (“CMIA”) or clinical trial data;
  - Financial information covered under the Fair Credit Reporting Act (“FCRA”), the Gramm-Leach Bliley Act (“GLBA”) or the California Financial Information Privacy Act (“FIPA”).
For purposes of the CCPA, Nevro acts as a business in relation to personal information collected through our Services, our NevroCare reimbursement support provided pursuant to patient authorization, providing customer support, and our marketing activities. This CCPA Notice does not cover personal information processed for clinical trial purposes or those other activities excluded from the scope of the CCPA. (See the “How we use information” section above.)
Collection and Use of Personal Information
We collect personal information in order to provide our Services and operate our business. This section describes our collection, use, and disclosure of personal information.
Sources, Purposes, and Disclosures of Personal Information
The table below describes the sources for each category of personal information we have collected in the last twelve (12) months, the business and/or commercial purposes for which we use each category of personal information, and the categories of third parties with whom we share each category of personal information we collect.
Nevro does not sell personal information for business or commercial purposes.
|Category||Sources||Business or Commercial Purposes||Disclosures – Third Parties Shared With|
||We may use the personal information we collect for one or more of the following business purposes:
|Customer Records Information (personal information categories listed in the customer records statute in California Civil Code Section 1798.80(e))|
|Characteristics of protected classifications under California or federal law|
|Internet or other similar network activity information||
|Geolocation data||Indirectly from consumers||
|Sensory data||Directly from consumers|
|Professional or employment-related information|
|Inferences||Indirectly from consumers||
Your California Privacy Rights
If you are a resident of California, you have specific rights regarding your personal information. This section describes your rights under the CCPA and how to exercise them. However, these California privacy rights are not absolute, and we may be able to decline your request in accordance with the CCPA. You may exercise your California privacy rights following the methods described under the subsection titled “Exercising Your California Privacy Rights” below.
- Right to Know About Personal Information Collected, Disclosed, or Sold. You have the right to request that Nevro disclose certain information to you about our collection and use of your personal information over the past twelve (12) months.
- Right to Delete Personal Information. You have the right to request that Nevro delete personal information we may hold about you. Please be aware there are occasions when we are not able to delete your personal information. If we deny your request to delete personal information, we will inform you of the reasons for denial in our response to you. We will keep a copy of your deletion request in order to document that the action was taken, and any new information you submit to Nevro will not be subject to the pre-dated deletion request.
- Right to Opt-Out of Sale of Personal Information. You have the right to opt out of the sale of your personal information. Because we do not sell personal information, this right does not apply to Nevro.
- Right to Non-Discrimination. You have the right to not receive discriminatory treatment from Nevro for exercising any of your rights described under this “Your California Privacy Rights” section. This means we will not treat you differently for exercising any of the rights described above.
Exercising Your California Privacy Rights
You may exercise each right once every twelve (12) months. To exercise your rights under the CCPA, you must submit a verifiable consumer request. To submit a verifiable request, please submit a consumer request through our webform. Alternatively, you can submit your request by phone at 1.888.956.3876.
To help protect your privacy and maintain security, we take steps to verify your identity before granting you access to your information. To verify your identity to make the request and confirm the personal information relates to you, we will ask you to accurately provide at least four (4) unique identifiers or submit a completed, notarized medical record request form. You may download a medical records request form as part of the records request process.
Designated Authorized Agent
You may designate an individual, who is registered with the California Secretary of State to act on your behalf, to submit a verifiable consumer request relating to your personal information. Authorized agents must additionally provide documentation of their designation, such as a notarized medical records request form (available for download here) or power of attorney.
We cannot respond to your request if we cannot verify your identity and/or authority to make the request on behalf of another and confirm the personal information relates to you. Making a verifiable consumer request does not require you to create an account with us. We will only use personal information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request.
Response Timing and Format
We will respond to your verifiable consumer request within forty-five (45) days from the date we receive it. In some cases, we may require additional time to complete your request and will inform you if additional time is needed. Where additional time is needed, we may take up to a maximum of ninety (90) additional days to complete your request.
Nevro does not offer financial incentives or price or service differences in exchange for the retention or sale of personal information.