Nevro Privacy Notice
If you have a request concerning your medical records or other data processed by Nevro, please visit our data subject request portal here.
Version Effective date: February 2023
This Notice describes the types of information we collect, the purposes for which it is used, and the choices you have with respect how we use your data. We encourage you to read this Notice to understand our privacy practices before using our Services.
For the purposes of European data protection laws, we are the controller with respect to your personal information. Please see below the relevant contact details for each Nevro entity in Appendix 1.
If you are a California resident and would like to exercise your California privacy rights, please see our California Privacy Notice (“California Notice”) below.
This Notice does not apply to information we collect about employees and job applicants. This Notice also does not apply to information collected from our HFX iQ™ patient application, please see our HFX iQ™ Patient Application Privacy Notice.
Click on one of the links below to jump to the listed section:
- About Nevro
- Information we collect
- How we use information
- How we share information
- International data transfers
- Your choices and rights
- How we store and secure information
- Other important privacy information
- Contact us
- California Notice
Nevro is a global medical device company that offers products and services for the Senza® and Senza Omnia™ HFX™ Systems.
Personal Information We Collect
We collect personal information about you when you provide it to us, when you use our Services, when you engage with us at Nevro-hosted education events and conferences, and when other sources provide it to us, as described below. For California residents, this is personal information we have collected in the past 12 months. The types of information listed in each category are examples and are not meant to be exhaustive. We collect the following types of personal information:
- Personal identifiers, such as your name, gender, date of birth, phone number, email address, physical address, and other contact information you may provide to us (for example, through the “Contact Us” page). When you refer a friend or a family member for one of our studies or clinical trials, we may collect personal identifiers about that person;
- Customer records, such as records of and information related to payments, insurance information, information about Services purchased or billed for, and other financial information;
- Characteristics of protected classifications under California and federal law, such as age and gender. When you complete and submit a patient assessment form on our NevroHFX.com or HFXforPDN.com websites in the U.S., EEA, UK, Switzerland, and Australia, we collect your age, gender, phone number, email address, and other health-related information;
- Health information, (including special categories of personal information), such as any medical conditions you may be experiencing, any medications you may be taking, information related to your pain, your Nevro medical device settings, healthcare provider information, procedure information, information to facilitate treatment and post-treatment care, information related to our HFX™ therapy, and other related health information that you may provide to us. When you refer a friend or a family member for one of our studies or clinical trials, we may collect health information about that person that you provide;
- Testimonial information, such as your name, location, email address, pain location, implant date, photographs, and videos when you have consented to us publishing a testimonial of your experience. With your consent, your testimonial may be featured on a variety of platforms, including on our Sites, social media, television, print, audio, marketing emails, and promotional materials;
- Geolocation data, such as geolocation data that may be derived from your IP address;
- Audio and visual information, such as recordings of customer service calls, security camera recordings, CCTV images;
- Other information you provide to us.
How we use your personal information and the legal basis for processing
We use the information we collect about you to:
|Categories of Personal Information||Purpose of Processing||Legal Basis|
|Personal identifiers; customer records; audio and visual information||Communicate with you: We may contact you to respond to your inquiries, requests, and/or send important notices. For example, we may contact you to provide customer support, schedule appointments, update you about new Services, or to send you invitations to Nevro-hosted events. See “Your choices and rights” section below to learn how to manage your communication preferences.||This is necessary for the performance of our contract with you (Article 6(1)(b), GDPR)
We have a legitimate interest to ensure our records are kept updated and to communicate with you (Article 6(1)(f), GDPR)
|Personal identifiers; customer records; characteristics of protected classifications; health information; testimonial information; internet or other electronic network activity information; audio and visual information||Provide and improve our Services and Sites: We use information we collect to provide you with our Services (including billing services); develop new products and services; and improve functionality, efficiency, and quality of our Services.||We have a legitimate interest to ensure our business is run efficiently, including to develop new products and improve existing ones (Article 6(1)(f), GDPR)|
|Personal identifiers; customer records; characteristics of protected classifications; health information; testimonial information; internet or other electronic network activity information; audio and visual information||Perform data analytics to improve patient outcomes: We use information we collect to more accurately analyze how you use our Services so that we may improve functionality, efficiency, and quality of our Services.||We have a legitimate interest to develop and improve our business (Article 6(1)(f), GDPR)|
|Personal identifiers; customer records; characteristics of protected classifications; health information||Conduct scientific research and clinical studies: We conduct clinical studies and trials to test and improve our Services. We may use your information to contact you about studies or clinical trials for which you may be eligible or that might interest you. If you are a participant in a study or clinical trial, we will use your information to conduct the study or trial and any related follow-up activities. Participation in our studies and trials is voluntarily. We use anonymized data for scientific research purposes in connection with our Services.||We have a legitimate interest to develop and improve our business (Article 6(1)(f), GDPR)
We may have a legal obligation to do so (Article 6(1)(c), GDPR)
|Personal identifiers; customer records; audio and visual information; testimonial information||Market and advertise our products and Services: We only publish testimonials, send marketing emails and newsletters, or call you about our Services with your consent. We advertise our Services on social media platforms, but we will not directly contact you through these platforms. In the U.S., we engage in behavioral advertising and partner with third parties, such as Google, to provide you with targeted advertisements on our Sites.||If applicable law requires that we receive your consent before we send you certain types of marketing communications, we will only send those communications after receiving your consent (Article 6(1)(a), GDPR)|
|Personal identifiers||Coordinate events and manage visitors: We use your contact information to coordinate travel arrangements if you attend a Nevro-hosted professional education event that requires you to travel outside of your city.||We have a legitimate interest to manage our business including to coordinate events and manage visitors (Article 6(1)(f), GDPR)|
|All categories of personal information||Protect our rights and other legal claims. To defend and enforce our rights including, against legal claims that involve us, and to manage regulatory matters, investigations, data breaches, and/or data subject requests; prevent fraud and monitor for activities that violate our Terms of Service or that are illegal; and protect our Sites, personnel, and others.||We have a legitimate interest to manage our business and to ensure that all investigations and proceedings are managed efficiently and effectively (Article 6(1)(f), GDPR)
We may have a legal obligation to do so (Article 6(1)(c), GDPR)
|Special Categories of Personal Information|
|Health information||Provide and improve our Services and Sites. We use your health information to provide therapy optimization support, technical device support, and assess the effectiveness of particular programming settings.
Conduct scientific research and clinical studies. We may use your health information when you voluntarily participate in a scientific research and/or clinical study.
|Where we have received your consent (Article 9(1)(a), GDPR).
Where the use of health information is for the provision of healthcare or pursuant to contract with a health professional (Article 9(2)(h), GDPR).
Right to object: under certain data protection laws, please note that you may have a right to object to the processing of your personal information where that processing is carried out for our legitimate interests. Please note however that we may not be able to fulfil this request in all instances.
Please also note that if you do not provide certain personal information when requested we may be prevented from providing you with our Services or otherwise corresponding with you.
How we share your personal information for business purposes
The following chart describes the categories of personal information that we disclose to third parties for business purposes. For California residents, this is personal information we have disclosed in the 12 months prior to the date of this Notice.
|Categories of Consumers’ Personal Information||Categories of Third Parties With Which We Shared Personal Information for a Business Purpose|
|Personal identifiers: Name, address, email address, telephone numbers, IP address or other unique identifier, and other similar information.||Service providers and contractors that provide customer relationship management (CRM) services; assist us in operating, analyzing, and displaying content on our website; provide analytics information; advertise or market our products; provide website hosting, webcast and teleconference services; provide document management services; provide legal and accounting services; provide payment processing services; provide customer support; and provide IT and email administration.|
|Customer records: records of and information related to payments; insurance information; information about Services purchased or billed for; and other financial information.||Service providers and contractors that provide customer relationship management (CRM) services; assist us in operating, analyzing, and displaying content on our website; provide analytics information; advertise or market our products; provide website hosting, webcast and teleconference services; provide document management services; provide legal and accounting services; provide payment processing services; provide customer support; and provide IT and email administration.|
|Health information: any medical conditions you may be experiencing, any medications you may be taking, information related to your pain, your Nevro medical device settings, healthcare provider information, procedure information, information to facilitate treatment and post-treatment care, and other related health information that you may provide to us.||Service providers and contractors that provide customer relationship management (CRM) services; assist us in operating, analyzing, and displaying content on our website; provide analytics information; advertise or market our products; provide website hosting, webcast and teleconference services; provide document management services; provide legal and accounting services; provide payment processing services; provide customer support; and provide IT and email administration.|
|Testimonial information, such as your name, location, email address, pain location, implant date, photographs, and videos when you have consented to us publishing a testimonial of your experience.||Service providers and contractors that advertise or market our products; prospective or current customers and patients.|
|Internet or other electronic network activity information: Device and browser type, browsing and search history on our Sites, and information regarding interaction with our Sites and our advertisements.||Service providers and contractors that provide customer relationship management (CRM) services; assist us in operating, analyzing, and displaying content on our website; provide analytics information; advertise or market our products; provide website hosting, webcast and teleconference services; provide document management services; provide legal and accounting services; provide payment processing services; provide customer support; and provide IT and email administration.|
|Geolocation data, such as geolocation data that may be derived from your IP address.||Service providers and contractors that advertise or market our products.|
|Audio or visual information: Customer call recordings or testimonials.||Service providers and contractors that provide customer relationship management (CRM) services; assist us in operating, analyzing, and displaying content on our website; provide analytics information; advertise or market our products; provide website hosting, webcast and teleconference services; provide document management services; provide legal and accounting services; provide payment processing services; provide customer support; and provide IT and email administration.
With separate consent, your testimonial may be featured on a variety of platforms, including on our Sites, social media, television, print, audio, marketing emails, and promotional materials.
How We Sell Your Information
The following chart describes the categories of personal information that we sold (as the term is defined in the CCPA) to third parties, including if it was shared for online behavioral advertising purposes, in the 12 months prior to the date of this Notice.
|Categories of Consumers’ Personal Information||Categories of Third Parties To Which We Sold Personal Information|
|Personal identifiers||Marketing, analytics, and online advertising platform providers.|
|Internet or other electronic network activity information||Marketing, analytics, and online advertising platform providers.|
Additional Information About How We May Share your Personal Information
We may disclose aggregate statistics regarding user behavior as a measure of interest in, and use of, our Sites or de-identified data, such as overall patterns or demographic reports.
We share personal information we have about you with our affiliated companies to operate and improve our Services. Nevro affiliated companies are owned or operated by us, and include the list of entities in Appendix 1. This Notice applies to the information we share with our affiliates.
We may disclose your information when we believe that disclosure is reasonably necessary to (1) comply with any applicable law, regulation, subpoena, legal process or enforceable governmental request; (2) enforce the provisions of this Notice; (3) protect against harm to the rights, property, or safety of Nevro, our customers, or the public as required or permitted by law; (4) help detect and protect against fraud and data security vulnerabilities; and (5) use as part of a sale, merger, reorganization of our entity or other restructuring.
International data transfers
We collect information globally, including from customers in the United States, EEA, United Kingdom, Switzerland, and Australia. We may transfer your information outside of the country in which you originally provided it to where our affiliated companies and service providers operate, including the United States. These countries may not have the same data protection laws as the country in which you provided your personal information. In particular, the European Commission, the Swiss Federal Data Protection and Information Commissioner and the UK Government (as applicable) have determined that the United States does not provide an adequate level of data protection.
To ensure that your data is secure, we use European Commission approved standard contractual clauses (including the UK Addendum where applicable) when we transfer information from the EEA, UK and Switzerland. We also make use of intra-group data transfer agreements to protect your information when we transfer it to our affiliated companies outside the EEA, UK and Switzerland. You can request further information in relation to international transfers (including a copy of any data transfer agreements) by using the contact details [email protected].
Your choices and rights
Where appropriate or legally required, we will describe how we use personal information we collect so you can make choices about how your data is used. You can notify us during the information collection process and change your preferences at any time.
- Marketing communications: With your consent (where required by applicable law), we may contact you by email or phone to provide additional information about our Services. If you would like to opt-out of further marketing communications, you can click the link in the bottom of any marketing email, or email us at [email protected].
- Patient care communications: Subject to applicable law, we may call, email, or send SMS texts after your procedure to schedule appointments and facilitate follow up treatment.
- Transactional communications: We send transactional emails if you submit a message through the “Contact Us” form on our websites, to notify you about changes to our Services, and to send other disclosures as required by law.
For California consumers, please see our California Notice for information about your rights and how to exercise them.
For other individuals, depending on your country or state and as required by law, you have the right to:
- Access and receive a copy of your data; and
- Update, amend, delete or correct incomplete or inaccurate data;
- For EEA/UK individuals, additionally:
- Request to delete or restrict the processing of your personal information;
- Request the transfer of certain personal information to a third party, in a machine readable format;
- Withdraw your consent of our ability to use your data where we rely on consent as the legal basis. Please note that withdrawing your consent does not affect the lawfulness of our processing of your personal information based on such consent before the withdrawal;
- Object to the processing of your data where we rely on our legitimate interest as the legal basis; and
- Lodge a complaint with a Data Protection Authority/EU Supervisory Authority.
We can correct or delete incorrect data, or provide a copy of your information upon request, but we reserve the right to use your information to request additional information to verify your identity before we process your request and to maintain a copy of all requests for our legal records. If you wish to exercise these rights, please submit your request here and we will respond to verifiable requests within 30-45 days, depending on the applicable state or country regulations (if any). Applicable privacy laws may give you the right to file a complaint with a government regulator if you are not satisfied with our response.
How we store and secure information
We maintain appropriate administrative, technical, and physical safeguards designed to protect your personal information from unauthorized access and disclosure. These safeguards used to protect your data include, for example, a Corporate IT Security Policy, use-tested access and security controls, and controls for our third party service providers acting on our behalf or with whom we share your information.
Although we implement safeguards designed to protect your information, it is impossible to guarantee absolute security in all situations. If you have any questions about security of our Services, please contact us at [email protected].
We retain personal information for as long as necessary to fulfill the purposes for which it was collected, including for as long as needed to support our business operations and develop our Services, comply with our legal obligations (such as maintaining medical records and reporting to regulatory authorities), resolve disputes, and enforce our rights.
Other important privacy information
Our Sites and Services are intended for a general audience and are not directed to children. We do not knowingly collect personal information online from minors under the age of 16. If you believe that a minor under the age of 16 may have provided us with personal information, please contact us at [email protected] and we will promptly delete that information from our records.
Third party services, applications, and websites
Certain third party services or websites you use, or navigate to or from our Services (such as social media sites) may have separate user terms and privacy policies that are independent of this Notice. We are not responsible for the privacy practices of these third party services or applications. We recommend carefully reviewing the user terms and privacy statement of each third party service, website, and/or application prior to use.
Do Not Track Requests
Some browsers have a “do not track” feature that lets you tell websites that you do not want to have your online activities tracked. At this time, we do not respond to browsers’ do not track signals.
Global Privacy Control
We also recognize opt-out signals communicated through the browser-based extension offered through the Global Privacy Control, a non-profit that is in the process of developing a technological tool that can be used universally to signal a user’s privacy preferences. However, please note that, due to the technical limitations of the Global Privacy Control’s extension, requests made through their extension apply only to the device on which the request is made (e.g., a specific computer) and will only work with the browser used to activate the opt-out setting (e.g., Duck Duck Go).
Third Party Websites
Changes to Privacy Notice
We may update this Notice to reflect changes in our personal information practices or relevant laws. We will notify you if we make any material changes by revising the “effective date” at the top of this Notice. We encourage you to review this Notice for updates each time you use our Services.
If you have any questions about our privacy practices, or if you would like to exercise your rights, please contact us at [email protected] or write to us at:
1800 Bridge Pkwy
Redwood City, CA 94065
Additional Information for California Residents – California Notice
This California Notice supplements the information provided in the Nevro Privacy Notice. As required by California law (including the California Consumer Privacy Act (“CCPA”)), this California Notice describes the rights and choices that California consumers have with respect to their personal information and Nevro’s responsibilities in relation to California consumers’ personal information. Capitalized terms used but not defined herein are defined in the Privacy Notice.
If you have questions or concerns about any of the information provided in this California Notice, please contact us using the information provided in the “Contact Us” section of the Privacy Notice.
Definition of Personal Information
For purpose of this California Notice, “personal information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular California consumer or household.
Personal information does not include:
- Publicly available information that is lawfully made available from federal, state, or local government records;
- De-identified or aggregated Consumer information; and
- Information excluded from the scope of the CCPA such as:
- Health or medical information covered under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the California Confidentiality of Medical Information Act (“CMIA”) or clinical trial data;
- Financial information covered under the Fair Credit Reporting Act (“FCRA”) or the California Financial Information Privacy Act (“FIPA”).
For purposes of the CCPA, Nevro acts as a business in relation to personal information collected through our Services, our HFX Access™ reimbursement support provided pursuant to patient authorization, providing customer support, and our marketing activities. This California Notice does not cover personal information processed for clinical trial purposes or those other activities excluded from the scope of the CCPA. (See the “How we use information” section above.)
Your California Privacy Rights
If you are a resident of California, you have specific rights regarding your personal information. This section describes your rights under the CCPA and how to exercise them. However, these California privacy rights are not absolute, and we may be able to decline your request in accordance with the CCPA. You may exercise your California privacy rights following the methods described under the subsection titled “Exercising Your California Privacy Rights” below.
- Right to Access and Know About Personal Information Collected, or Disclosed. You have the right to request that Nevro disclose certain information to you about our collection and use of your personal information over the past twelve (12) months, including:
- Specific pieces of personal information we have collected about you;
- Categories of personal information we have collected about you;
- Categories of sources from which such personal information was collected;
- Categories of personal information that the business disclosed for a business purpose about the consumer;
- Categories of third parties to whom the personal information disclosed for a business purpose; and
- The business or commercial purpose for collecting your personal information.
- Right to Portability. You have the right to receive certain personal information that you provided to us, in a machine-readable form and/or that we transmit it to a third party with your express authorization.
- Right to Correct Personal Information. You have the right to request that Nevro correct any inaccurate personal information or complete any incomplete personal information.
- Right to Delete Personal Information. You have the right to request that Nevro delete personal information we may hold about you. Please be aware there are occasions when we are not able to delete your personal information. If we deny your request to delete personal information, we will inform you of the reasons for denial in our response to you. We will keep a copy of your deletion request in order to document that the action was taken, and any new information you submit to Nevro will not be subject to the pre-dated deletion request.
- Right to Limit the Use and Disclosure of Sensitive Personal Information. You have the right to request that Nevro limit the use and disclosure of your sensitive personal information to only that which is necessary to perform the Services.
- Right to Opt Out of Sharing or Sale of Personal Information. We sell (as the term is defined under the CCPA) personal information when you interact with a Site. You have the right to opt-out of the sale of your personal information with third parties. We do not knowingly sell the personal information of any individuals under 16 years of age.
If you opt-out of the sale of your personal information, we will wait at least 12 months before asking you if we may sell your personal information.
Exercising Your California Privacy Rights
To exercise your right to opt out of the sale of your personal information, click here.
You may exercise your rights to access, know, or delete once every twelve (12) months. To exercise these rights under the CCPA, you must submit a verifiable consumer request. To submit a verifiable request, please submit a consumer request through our webform. Alternatively, you can submit your request by phone at 1.888.956.3876.
To help protect your privacy and maintain security, we take steps to verify your identity before granting you access to your information. To verify your identity to make the request and confirm the personal information relates to you, we will ask you to accurately provide for at least four (4) unique identifiers or submit a completed a notarized medical record request form. You may download a medical records request form as part of the records request process.
Our Commitment to Allowing You to Exercise Your Rights – Non-Discrimination
If you exercise any of the rights explained in this Policy, we will continue to treat you fairly. If you exercise your rights under this Policy, you will not be denied or charged different prices or rates for goods or services, or provided a different level or quality of goods or services than others.
Some types of personal information can be associated with a household (a group of people living together in a single dwelling). Requests for access or deletion of household personal information must be made by each member of the household. To the extent we collect household information and requests are made pertaining specifically to such information, before responding to a request, we will verify the identity of each member of the household using the verification criteria explained above and will also verify that each household member is currently a member of the household.
Designated Authorized Agent
You may designate an individual, who is registered with the California Secretary of State to act on your behalf, to submit a verifiable consumer request relating to your personal information. Authorized agents must additionally provide documentation of their designation, such as a notarized medical records request form (available for download here) or power of attorney.
We cannot respond to your request if we cannot verify your identity and/or authority to make the request on behalf of another and confirm the personal information relates to you. Making a verifiable consumer request does not require you to create an account with us. We will only use personal information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request.
Response Timing and Format
We will confirm receipt of your consumer request within ten (10) business days. We will respond to your verifiable consumer request within forty-five (45) days from the date we receive it. In some cases, we may require additional time to complete your request and will inform you if additional time is needed. Where additional time is needed, we may take up to a maximum of ninety (90) additional days to complete your request.
Nevro does not offer financial incentives or price or service differences in exchange for the retention or sale of personal information.
California Shine the Light
California Civil Code Section 1798.83, also known as the “Shine the Light” law, permits California residents that have an established business relationship with a business to annually request, free of charge, information about certain categories of personal information a business has disclosed to third parties for those parties’ direct marketing purposes in the preceding calendar year.
If you have questions about this California Notice, please contact us.
Data Protection Representatives
For the purpose of EU GDPR, our EU Data Protection Representative is: Nevro Germany GmbH ([email protected])
For the purpose of UK GDPR, our UK Data Protection Representative is: Nevro Medical Ltd. ([email protected])
Appendix 1 – Contact Details
|Location||Nevro Entity||Contact details|
|Australia||Nevro Medical Pty Limited||Email: [email protected]
Address: Level 14/440 Collins Street, Melbourne, VIC 3000, Australia
|Austria||Nevro Medical Limited (acting through Nevro Germany GmbH)||Email: [email protected]
Address: Prielmayerstraße 3, 80335 München
|Belgium||Nevro Medical Limited (acting through its Belgian branch office)||Email: [email protected]
Address: Carrick House, Lypiatt Road, Cheltenham, Gloucestershire, GL50 2QJ
|Costa Rica||Nevro Medical S.R.L.||Email: [email protected]
Address: Building 28C, Coyol Free Trade Zone, Alajuela, 20113, Costa Rica
|Czech Republic, Ireland, Italy, Liechtenstein, Luxembourg, Netherlands, Norway, Slovakia, Spain, Sweden, and United Kingdom||Nevro Medical Limited||Email: [email protected]
Address: Carrick House, Lypiatt Road, Cheltenham, Gloucestershire, GL50 2QJ
|Germany||Nevro Germany GmbH||Email: [email protected]
Address: Prielmayerstraße 3, 80335 München
|Switzerland||Nevro Medical Limited (acting through Nevro Medical SAGL)||Email: [email protected]
Address: Christoph Merian-Ring 11, 4153 Reinach
|United States||Nevro Corp.||Email: [email protected]
Address: 1800 Bridge Pkwy
Redwood City, CA