Personal data protection policy

BORA CARE- PREAMBLE

Who does this policy apply to?

This data protection policy is intended for the Users of the BORA CARE® Solution, namely:

  • Patients,
  • Professionals involved in medical remote monitoring with the BORA CARE® Solution (healthcare institutions, healthcare professionals, home healthcare providers, nursing home…)

for the purpose of providing them with detailed information regarding the processing of their personal data by BIOSENCY.

The BORA CARE® Solution includes one or more of the following modules, which can be activated according to user needs:

  • the module enabling remote monitoring of physiological signs on the Bora connect® platform using the Bora band® device and its data transmission accessory,
  • the module enabling remote monitoring of non-invasive ventilation device data on Bora connect®,
  • the module enabling early detection of exacerbations using the BVS3 algorithm, displayed on the Bora connect® platform,

The Bora connect® platform allows patients to view data from the Bora band® device and non-invasive ventilation devices, and to complete questionnaires. Healthcare professionals can also view these data.

In the course of using our services, personal data will be collected and processed by BIOSENCY as data controller for the processing activities detailed below.

BIOSENCY guarantees that the processing operations it carries out comply with applicable data protection legislation, including the General Data Protection Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR), as well as amended French Law n°78-17 of 6 January 1978 on information technology, files and freedoms.

This data protection policy does not cover the processing of personal data carried out by Professionals (healthcare establishments, healthcare professionals, home healthcare providers, nursing home…), when using the BORA CARE® Solution in their capacity as data controllers.
Regarding the implementation of these data processing activities, you are invited to contact the relevant data controllers directly to obtain further information. In particular, Patients are encouraged to contact their healthcare professional regarding the implementation of medical remote monitoring.

Definitions :

For the purposes of this personal data protection policy, the definitions of «personal data» and «controller», as well as, more generally, all concepts relating to data protection are those provided in GDPR, article 4.

What is the purpose of this policy?

Biosency attaches great importance to the protection and confidentiality of your personal data.

This data privacy policy reflects our commitment to complying with applicable data protection laws and regulations, in particular the General Data Protection Regulation (GDPR) and aims to inform you about how and why we process your personal data related to your use of the BORA CARE® Solution.

1) Which processing activities are carried out? Why do we process your data?

Part for Patients

In the context of providing the BORA CARE® Solution, we necessarily process your personal data for the following purposes:

  • To comply with our obligations as a medical device manufacturer (material vigilance, post-market clinical follow-up) based on our legal obligations.

  • To ensure billing management for medical remote monitoring reimbursed by the French Health Insurance system, on the basis of our legitimate interest

  • We may re-use your health data for the purposes of studies and/or scientific research and/or health assessment serving a public interest in the health field, in compliance with applicable regulations governing such research, on the basis of our legitimate interest. For more information on the studies conducted using your data, please visit our website https://biosency.com, under the “Our Studies” section

  • We may process your personal data for anonymization purposes, meaning that it will subsequently be completely impossible to re-identify you, on the basis of our legitimate interest, for example, to conduct studies or improve our services.

Your data is collected directly from you and then uploaded to the Platform by healthcare professionals or home healthcare providers. We commit to processing your data only for the purposes described above.

Part intended for Professionals (healthcare establishments, healthcare professionals, home healthcare providers …)

In the context of providing the BORA CARE® Solution, we necessarily process your personal data for the following purposes:

  • To inform you about our latest news, on the basis of our legitimate interest.
  • To comply with our obligations as a medical device manufacturer (vigilance, post-market clinical follow-up) based on our legal obligations.
  • To ensure billing management for medical remote monitoring reimbursed by the French Health Insurance system, on the basis of our legitimate interest.
  • To manage the contractual relationship, on the basis of our agreement.

Your personal data is collected directly from you or added by an administrator, such as a healthcare professional, home healthcare providers. We commit to processing your data only for the purposes described above.

2) Which data do we process?
  • Personal and professional identification data
  • Security data (login ID, logs, IP address…)
  • Data necessary to fulfil our legal obligations as a medical device manufacturer (such as nature and effects of adverse health event)
  • Health data and specific identification data concerning Patients (social security number …)
3) How long do we retain your data?

Data required for remote monitoring through the BORA CARE® Solution will be stored until your account is deleted and then archived until all avenues of appeal have been exhausted.

Data necessary for the billing of reimbursed telemonitoring will be stored for the period required for billing and then archived for ten (10) years from the close of the relevant financial year.

Data relating to the management of the contractual relationship will be stored for the duration of the contractual relationship and archived until all avenues of appeal have been exhausted for five (5) years.

Security data will be stored for one (1) year. In the event of a cybersecurity incident, data will be archived for the period necessary for investigations, analysis and preservation of evidence, until all avenues of appeal have been exhausted.

Data relating to the management of medical devices vigilance will be retained for ten (10) years after the discontinuation of the Solution’s marketing, in accordance with applicable legal and regulatory obligations.

We may re-use your health data for studies and/or scientific research and/or health assessment purposes with a public interest in the health sector, in compliance with applicable regulations to such research, on the basis of our legitimate interest. For more information on the studies conducted on your data, please visit our website https://biosency.com, under the “Our Studies” section.

Personal data which, due to their use in various processing activities, are subject to multiple retention periods, shall be retained for the longest applicable period.

Upon expiration of the retention periods, deletion of your personal data is irreversible, and we will no longer be able to provide it to you. Only anonymized data may be retained for statistical purposes.

In the event of litigation, we are required to retain all your data for the entire duration of the case, even after the expiration of the above retention periods.

4) Who may have access to your data?

WE WILL NEVER TRANSFER OR SELL YOUR DATA TO THIRD PARTIES OR COMMERCIAL PARTNERS. ALL OF YOUR PERSONAL DATA IS SAFEGUARDED AND USED EXCLUSIVELY BY OUR TEAMS OR OUR PARTNERS.

We only share your data with individuals duly authorized to process it in order to provide our services , such as security and maintenance teams, support team, the accounting department, statutory health insurance bodies (e.g., the French Health Insurance system) and complementary health insurance organizations as part of billing for remote monitoring, as well as healthcare professionals duly authorized to access the Platform, and service providers engaged to deliver our services.

Data may be shared with contractually bound service providers, who perform necessary tasks, such as our hosting provider. These third parties, service providers or subcontractors, provide services in accordance with Biosency instructions. They only have access to the personal data necessary for performing their tasks and may not use it for any other purpose.

We specify that we vet all our IT service providers before recruiting them to ensure that they strictly comply with the applicable European data protection regulations and French legislations.

5) Which rights do you have to control the use of your data?

Applicable data protection regulations and French legislations grant you specific rights that you can exercise at any time and free of charge, to control the use we make of your data:

  • Right of access to, and to obtain a copy of your personal data, provided it does not conflict with trade secrets, confidentiality, or the secrecy of correspondence.
  • Right to rectification of inaccurate, outdated or incomplete data.
  • Right to erasure (« right to be forgotten ») of your personal data which is not essential for the proper provision of our services.
  • Right to restriction of processing, allowing you to request that the processing of your personal data be restricted in certain circumstances.
  • Right to object to processing of your personal data when such processing is based on our legitimate interests. However, we can continue such processing if we demonstrate compelling and legitimate grounds that prevail over your interests, rights and freedoms.
  • Right to data portability, allowing you to receive part or all of your data, either for personal use or to transmit it to another data controller. This right applies only when processing is based on your consent or on a contract, and is carried out using automated means.
  • Right to issue post-mortem instructions regarding your data in the event of your death, either directly or through a trusted third party or legal heir.
6) Who may you contact to exercise your rights?

To exercise any of your rights mentioned above, or for any question relating to the processing of your personal data, you may contact free of charge:

  • BIOSENCY DPO (Data Protection Officer):
  1. by email: dpo@biosency.com.
  2. by post at the following address: Data Protection Officer, BIOSENCY, 8 rue bis du Pressoir Godier – 35760 Saint-Grégoire – France

Requests must be submitted by you personally, unless acting through an authorized representative. Therefore, we may request proof of identity if there is any doubt as to the identity of the requester, as well as documentation establishing the status or authority of your representative.

We will respond to your request as soon as possible, within one (1) month of receipt of your request, unless the request is complex or repeated. In such cases, this period may be extended to a maximum of three (3) months.

In the event that, after contacting us, you consider that your rights have not been respected, you may lodge a complaint with the french data protection authority (CNIL):

  • Online, via the téléservice de plainte en ligne ;
  • By post, by writing to the following address: CNIL – Service des Plaintes – 3 Place de Fontenoy – TSA 80715 – 75334 PARIS CEDEX 07.
May the policy be changed?

We may amend this data protection policy from time to time to adapt it to new legal requirements as well as new processing activities that we may implement in the future.

BIOSENCY – SAS au Capital de 602 460 Euros – SIREN 830861860 RCS Rennes –
APE 7490B Siège Social : 8 Rue du Pressoir Godier 35760 Saint Grégoire

January 2026 version