Table of Contents
3. PERSONS CONCERNED
4. PURPOSES AND LEGAL BASIS FOR DATA COLLECTION AND PROCESSING
5. DATA RECIPIENTS
6. DATA RETENTION PERIOD
7. DATA PRIVACY AND SECURITY
8. SITES WEB TIERS
9. RIGHTS OF INDIVIDUALS
10. EXERCISE OF RIGHTS
11. INTERNATIONAL DATA TRANSFERS
12. AMENDMENTS TO THIS POLICY
myBrain Technologies offers the Q+Acquisier/Q+ Medical Services and products and the myBrain Technologies Platform (hereinafter « the Services »), based on the EEG analysis process to create virtual representations of human behaviour in real-life conditions. The Services are described and accessible at the URL https://mybraintech.com (hereinafter « the Website ») and on its mobile Application Acquisier Android and IOS (hereinafter « the Application »).
The Website is published by myBrain Technologies.
myBrain Technologies has duly appointed a DPO who can be contacted as detailed below:
157 Boulevard Macdonald
For the purposes of interpreting and executing this Policy, the terms used below are defined as follows:
« Client »: refers to the person benefiting or wishing to benefit from the Services offered by myBrain Technologies, the term Client including the potential Client;
« Personal Data » or « Data »: refers to any information that directly or indirectly identifies a natural person, such as surname, first name, e-mail, postal address, telephone number, etc.;
« Health Data »: refers to Personal Data concerning the physical or mental health, past, present or future, of a natural person which reveals information about the state of health of that person. This category of Data includes: Data which are Health Data by nature (e.g. medical history, illnesses, care provided, Services provided, results of examinations, treatments, disabilities, etc.); Data which, by virtue of their nature, are not Health Data; Data which, because of their combination with other Data, become Health Data in that they make it possible to draw a conclusion about a person’s state of health or health risk (e.g. ability to take part in a sporting activity); and finally, Data which become Health Data because of their destination (i.e. the use made of them for medical purposes).
This definition includes, for example, Data relating to the physiological or biomedical state of a person.
« Data Protection Officer » or « DPO »: refers to the person in charge of advising and controlling the Data Controller with regard to the protection of Personal Data. In this case, the DPO of myBrain Technologies can be reached at firstname.lastname@example.org;
« Experimenter »: refers to a person appointed by the Client in charge of collecting and Processing certain Data in the context of the Services;
« Project »: refers to a set of Services and Processing ordered by the Client from myBrain Technologies as part of the Services to which it has subscribed;
« Data Controller »: refers to the person, department or organisation that determines the purposes and means of the Processing of Personal Data;
« Services »: refers to all the Services, products and benefits accessible via the Website and/or the Application;
« Website »: refers to the site accessible at the following URL address https://mybraintech.com;
« Subcontractors »: refers to the natural or legal person who processes Personal Data on behalf of the Data Controller, on its instructions and under its authority;
« Subjects »: refers to the persons who volunteer to participate in a Project commissioned by the Client;
« Processing »: refers to any operation on Personal Data, including, but not limited to, recording, collecting, organizing, storing, adapting or altering, retrieving, consulting, using, disclosing by transmission, disseminating or otherwise making available, aligning or combining, blocking, erasing or destroying;
« User »: refers to any person using the Services.
3. Persons Concerned
myBrain Technologies, in its capacity as Data Controller, may process the Personal Data of the following categories of individuals:
- Internet Users browsing the Website;
- Clients and staff/collaborators of the Client;
4. Purposes and legal basis for data collection and processing
4.1. The Personal Data of Clients, Users and Experimenters are collected and processed by the Data Controller on the basis of the execution of the contract between myBrain Technologies and the Client, the purpose of which is to order Projects and provide Services.
This Data is processed for the purpose of fulfilling the contract, creating User/Experimenter accounts, managing and monitoring the contract.
The User and Experimenter may at any time withdraw their consent and exercise their rights with regard to their Data by contacting the Client or the DPO of myBrain in accordance with the conditions set out in this Policy.
In this contractual context, the Data requested from the Clients is necessary for the conclusion and execution of the contract between myBrain Technologies and the Clients, and the lack of communication of this Data may prevent the formation of the contract.
4.2. The Personal Data of the Subjects is used by myBrain Technologies for specific, explicit and legitimate purposes and is collected either by myBrain Technologies or by the Experimenters, employees or collaborators of the Client, from the Subjects with the latter’s consent (legal basis of the Subjects’ Data Processing).
The purposes of the Subjects’ Data Processing are determined by the Client for each Project. The Experimenter communicates these purposes to the Subjects and all useful information on the methods of Processing and the exercise of the Subjects’ rights to their Data.
myBrain Technologies keeps and processes the Subjects’ EEG Data at the end of the contract with the Client for the exclusive purpose of training myBrain Technologies’ algorithms/artificial intelligence and in a format that does not allow the identification of the Subjects.
The Subjects’ Data collected by the Experimenter and processed by myBrain Technologies in the context of the Services are Pseudonymous Data and are not directly identifying.
Some Processing is carried out in the context of scientific research. These Processings are based on the consent of individuals and research protocols that comply with the regulations.
The Subject may at any time withdraw his or her consent and exercise his or her rights with respect to his or her Data by contacting the Client/Experimenter, in the case of Data held and processed by the Client.
In the case of Data processed by myBrain Technologies, the latter does not hold any identifying Data relating to the Subjects and therefore cannot respond to their requests to exercise their rights. It is therefore not obliged to process additional Data for the sole purpose of responding to requests to exercise the rights of the persons concerned.
Finally, myBrain Technologies processes certain Data for the purpose of complying with legal or regulatory obligations (in the area of accounting) or for the legitimate interests it pursues (as part of the improvement of its products and Services and for satisfaction surveys, product evaluation procedures, communication and commercial prospecting).
5. Data Recipients
The Personal Data collected by myBrain Technologies may be intended for the following persons, depending on the Processing operation:
- The Client and its authorized personnel;
- To the persons designated as Experimenters, if they are different from the Client’s staff;
- myBrain Technologies’ staff authorized to process Data;
- Subcontractors of myBrain Technologies and/or other possible Subcontractors of the Client;
- Any research partners and joint processors of myBrain Technologies;
- To the Client’s research partners and or providers and joint processors.
Certain Personal Data may be communicated to legally authorized authorities in order to comply with legal or regulatory obligations.
6. Data Retention Period
myBrain Technologies only retains Data for the period of time strictly necessary to achieve the purposes of the Processing, this retention period being based on circumstances specific to the Processing and the instructions of the Client.
With regard to Data relating to Users, Experimenters and the Client, when processed for the purpose of managing Client files and commercial prospecting: they may be kept for commercial prospecting purposes for a period of three (3) years from the end of the commercial relationship or the last contact with the Client.
Data relating to the Subjects may be kept for up to ten (10) years from the end of the contract with the Client for the exclusive purpose of training algorithms and in a format that does not allow the Subjects to be identified.
Data of a commercial and accounting nature may be kept for ten (10) years concerning information necessary for invoicing, by virtue of a legal obligation incumbent on myBrain Technologies.
7. Confidentiality and security of data
myBrain Technologies is committed to guaranteeing the security of the Processing of Personal Data.
To this end, myBrain Technologies takes technical and organizational measures to guarantee a level of security appropriate to the risks associated with the Processing.
The Data collected and processed by myBrain Technologies are hosted (LNE approval certificate for OVH: 35608-2).
8. Sites Web tiers
The Website may contain links, including hyperlinks, and/or offers from partners to third-party websites.
myBrain Technologies has no control over the content of third-party websites or over the practices of these third parties with regard to the protection of the Personal Data they may collect, and declines all responsibility for this content. It is your responsibility to inform yourself about the privacy policies of such third parties.
9. Rights of individuals
Subjects’ rights to their Data must be exercised directly with the relevant Client, as myBrain Technologies does not process any identifying Data about Subjects.
In accordance with Articles 11.2 and 12.2 of the General Data Protection Regulation (GDPR), the purposes for which myBrain Technologies processes Subjects’ Data do not require the identification of the persons concerned. The articles of the GDPR relating to the exercise of the rights of individuals therefore do not apply to myBrain Technologies.
Nevertheless, Subjects may send their requests to exercise their rights to myBrain Technologies: DPO Service, Le Cargo, 157 Boulevard Macdonald, 75019 Paris or email@example.com. myBrain Technologies will forward them to the Client concerned as soon as possible.
In accordance with the regulations in force, Clients, Users and Experimenters have the following rights to their Data, which they may exercise under the conditions set out below:
- Right of access
Clients, Users and Experimenters have a right of access to obtain information on the existence of a Processing operation and its methods.
They also have the right to obtain a copy of their Data.
- Right to object
Clients, Users and Experimenters have the right to object at any time, for reasons related to their particular situation, to the Processing of their Personal Data. This right applies unless myBrain Technologies or the Client has a legitimate and compelling reason to continue the Processing.
Clients, Users and Experimenters have the right not to be subject to a decision based exclusively on automated Processing, including profiling, producing legal effects concerning them or significantly affecting them in a similar way.
- Right to erase Data (or « right to be forgotten »)
Subject to applicable regulations, including exceptions (e.g. for retention necessary to comply with a legal obligation), Clients, Users and Experimenters may request the deletion of their Personal Data.
- When Personal Data is not or is no longer necessary for the purposes for which it was collected or otherwise processed;
- When the Client, User or Experimenter withdraws the consent on which the Processing is based and no other legal basis for the Processing exists;
- When the Client, User or Experimenter considers that the Processing of his/her Personal Data constitutes unlawful Processing;
- Where the Personal Data must be erased by virtue of a legal obligation under EU law or the law of the Member State to which myBrain Technologies is subject, namely France;
- Where the Client, User or Experimenter has objected to the Processing of Data and myBrain Technologies has no legitimate or compelling reason to refuse the request.
- Right to limit Processing
Client, Users and Experimenters may obtain from myBrain Technologies the limitation of Processing where any of the following apply.
- Where the accuracy of the Personal Data is disputed, and for a period of time that allows myBrain Technologies to verify the accuracy of the Data;
- Where the Processing is unlawful and the Client, User or Experimenter objects to the deletion of his or her Data and instead requires the Processing to be restricted;
- When the Data is no longer necessary for the purposes for which it was collected, but the Client, User or Experimenter needs it for the establishment, exercise or defense of legal claims;
- When the Client, User or Experimenter objects to the Processing being based on the legitimate interest of myBrain Technologies, during the verification as to whether the legitimate motives pursued by myBrain Technologies prevail over those of the Data subject.
- Right to lodge a complaint with a supervisory authority.
If Clients, Users and Experimenters believe that their rights have not been respected, they have the right to lodge a complaint with the Commission Nationale Informatique et Libertés (CNIL) in France.
- Right to decide what to do with the Data after Death
Clients, Users and Experimenters have the right to organize the fate of their Data after death by adopting general or specific directives.
10. Exercise of rights
For requests to exercise their rights, Clients, Users and Experimenters are invited to contact directly the relevant department of the Client directly or, failing that, the DPO of myBrain Technologies who will forward the requests to the Client:
DPO Service, Le Cargo, 157 Boulevard Macdonald, 75019 Paris
myBrain Technologies undertakes to forward requests as soon as possible.
11. International Data Transfers
The Personal Data collected and processed are kept in France.
However, it is possible that, in the context of some of its missions, myBrain Technologies’ Data may be transferred to Subcontractors located outside the European Union. In order to protect the privacy and Personal Data of Users and Clients, myBrain Technologies makes every effort to select partners who offer guarantees of security and confidentiality and to establish contractual relationships that meet the standards required by law, particularly at the European level.
12. Amendments and modifications to this policy
myBrain Technologies reserves the right to change this Policy. In the event of a change to the Policy, myBrain Technologies will send an email to the Clients informing them of the change.
myBrain Technologies can be contacted according to the contact details indicated in the Legal Notice of the Website (https://mybraintech.com/terms-conditions/).
The DPO can be reached at the following postal address: DPO Service, Le Cargo, 157 Boulevard Macdonald, 75019 Paris; and at the following e-mail address: firstname.lastname@example.org.
Document updated on May 23, 2023.