Nevro Privacy Notice
If you have a request concerning your medical records or other data processed by Nevro, please visit our data subject request portal located here.
Version Effective date: March 1, 2024
Introduction
Your privacy is important to us at Nevro Corp. and our affiliates and subsidiaries (collectively, “Nevro”, “we” or “us”), and so is being transparent about our data protection practices. This Privacy Notice (“Notice”) applies to the information we collect through our websites (“Site” or “Sites”), when you communicate with us directly, and the information we collect in connection with the provision and development of our products and services (collectively, “Services”). By accessing the Sites and using our Services, you agree to our collection and use of personal information described herein and you agree to our Terms of Use.
This Notice describes the types of information we collect, the purposes for which it is used, how the information is shared, and the choices you have with respect how we use your data. We encourage you to read this Notice to understand our privacy practices before using our Services or interacting with our Sites.
For the purposes of European data protection laws, we may act as the controller with respect to your personal information. Please see Appendix 1 below to review the contact details for the relevant Nevro entity in your region.
If you are a resident of certain states that provide consumer privacy rights, please see our “Your Individual and State Rights” section below.
Nevro may offer products or services that have unique or additional terms, privacy notices, and/or consent forms that explain how Nevro collects and processes your information. For details on any product-specific features, notices, or terms, please review the terms for those products and services. This Notice does not apply to information we collect about our employees and job applicants. This Notice also does not apply to information collected from our HFX iQ™ patient application, please see our HFX iQ™ Patient Application Privacy Notice.
Click on one of the links below to jump to the listed section:
- About Nevro
- Personal Information We Collect
- How We Use Your Personal Information and the Legal Basis for Processing
- How We Share Information
- How We Store and Secure Information
- Your Choices and Rights
- International Data Transfers
- Other Important Privacy Information
- Contact Us
- Individual and State Rights Notice
About Nevro
Nevro is a global medical device company that offers products and services for the Senza®, Senza Omnia™, Nevro1™, and HFX iQ™ Systems.
Personal Information We Collect
We collect personal information about you when you provide it to us, when you use our Services, when you interact with our Sites, when you engage with us at Nevro-hosted education events and conferences, and when third parties provide it to us, as described below. This is personal information we have collected in the past 12 months. We may collect the following types of personal information:
- Personal identifiers: your name, phone number, email address, physical address, date of birth, and other contact information you may provide to us
- Commercial and financial information: records of and information related to payments, insurance information, information about Services purchased or billed for, and other financial information
- Characteristics of protected classifications under applicable law: age, language, ethnicity, and sex/gender
- Health information (including special categories of personal information): any medical conditions you may be experiencing, any medications you may be taking, information related to your pain, your Nevro medical device settings, healthcare provider information, procedure information, information to facilitate treatment and post-treatment care, information related to our HFX™ therapy, and other related health information that you may provide to us
- Testimonial information: name, location, email address, pain location, implant date, photographs, and videos
- Internet or other electronic network activity information, such as your operating system, IP address, device type, device version, and other information collected when you use our Sites and Services. This also includes browser information, such as browser type, usage details, how you accessed our Sites, the pages you visit on our Sites, the amount of time spent on our Sites
- Professional information: job title, information about your employer
- Education information: educational institutions attended, degree information, grades or grade information, classes or courses taken, certificates obtained, honors received
- Audio and visual information: recordings of patient service calls, security camera recordings, CCTV images
- Inferences drawn from personal information we collect
How We Use Your Personal Information and the Legal Basis for Processing
We use the Personal Information we collect about you to:
| Categories of Personal Information | Purpose of Processing | Legal Basis |
|---|---|---|
| Personal identifiers | Communicate with you: We may contact you to respond to your inquiries, requests, and/or send important notices. We may contact you to provide device or therapy support, schedule appointments, update you about new Services, or to send you invitations to Nevro-hosted events. See “Your Choices and Rights” section below to learn how to manage your communication preferences.
Coordinate events and manage visitors: We use your contact information to coordinate travel arrangements if you attend a Nevro-hosted professional education event that requires you to travel outside of your city. |
This is necessary for the performance of our contract with you (Article 6(1)(b), GDPR)
We have a legitimate interest to ensure our records are kept updated and to communicate with you (Article 6(1)(f), GDPR) We have a legitimate interest to manage our business including to coordinate events and manage visitors (Article 6(1)(f), GDPR) |
| Commercial and financial information | Provide and improve our Services and Sites: We use information we collect to provide you with our Services (including billing services); develop new products and services; and improve functionality, efficiency, and quality of our Services. | We have a legitimate interest to ensure our business is run efficiently, including to develop new products and improve existing ones (Article 6(1)(f), GDPR) |
| Characteristics of protected classifications under applicable law | Perform data analytics to improve patient outcomes: We use information we collect to more accurately analyze how you use our Services so that we may improve functionality, efficiency, and quality of our Services. | We have a legitimate interest to develop and improve our business (Article 6(1)(f), GDPR) |
| Health information | Conduct scientific research and clinical studies: We conduct clinical studies and trials to test and improve our Services. We may use your information to contact you about studies or clinical trials for which you may be eligible or that might interest you. If you are a participant in a study or clinical trial, we will use your information to conduct the study or trial and any related follow-up activities. Participation in our studies and trials is voluntary. We use anonymized data for scientific research purposes in connection with our Services. | We have a legitimate interest to develop and improve our business (Article 6(1)(f), GDPR)
We may have a legal obligation to do so (Article 6(1)(c), GDPR) |
| Testimonial information | Market and advertise our products and Services: We only publish testimonials, send marketing emails and newsletters, or call you about our Services with your consent. We advertise our Services on social media platforms, but we will not directly contact you through these platforms. | If applicable law requires that we receive your consent before we send you certain types of marketing communications, we will only send those communications after receiving your consent (Article 6(1)(a), GDPR) |
| Internet or other electronic network activity information | Perform data analytics to improve patient outcomes: We use information we collect to more accurately analyze how you use our Services so that we may improve functionality, efficiency, and quality of our Services. | We have a legitimate interest to develop and improve our business (Article 6(1)(f), GDPR) |
| Professional information | Engage in business transactions with the entity you represent. We use information we collect to provide our Services; develop new products and services; and improve functionality, efficiency, and quality of our Services. | This is necessary for the performance of our contract with you (Article 6(1)(b), GDPR)
We have a legitimate interest to ensure our records are kept updated and to communicate with you (Article 6(1)(f), GDPR) |
| Education information | Process applicant information related to employment opportunities. | We have a legitimate interest to ensure our records are kept updated and to communicate with you (Article 6(1)(f), GDPR) |
| Audio and visual information | Provide and improve our Services and Sites: We use information we collect to provide you with our Services; develop new products and services; and improve functionality, efficiency, and quality of our Services. | We have a legitimate interest to develop and improve our business (Article 6(1)(f), GDPR)
We may have a legal obligation to do so (Article 6(1)(c), GDPR) |
| Special Categories of Personal Information | ||
| Health information | Provide and improve our Services and Sites. We use your health information to provide therapy optimization support, technical device support, and assess the effectiveness of particular programming settings.
Conduct scientific research and clinical studies. We may use your health information when you voluntary participate in a scientific research and/or clinical study. |
Where we have received your consent (Article 9(1)(a), GDPR).
Where the use of health information is for the provision of healthcare or pursuant to contract with a health professional (Article 9(2)(h), GDPR). |
Right to object: under certain data protection laws, please note that you may have a right to object to the processing of your personal information where that processing is carried out for our legitimate interests. Please note however that we may not be able to fulfil this request in all instances.
Please also note that if you do not provide certain personal information when requested we may be prevented from providing you with our Services or otherwise corresponding with you.
How We Share Your Personal Information for Business Purposes
The following chart describes the categories of personal information that we disclose to third parties for business purposes. This is personal information we have disclosed in the 12 months prior to the date of this Notice.
| Categories of Personal Information | Categories of Third Parties With Which We Shared Personal Information for a Business Purpose |
|---|---|
| Personal identifiers | Service providers and contractors that provide customer relationship management (CRM) services; assist us in operating, analyzing, and displaying content on our website; provide analytics information; advertise or market our products; provide website hosting, webcast and teleconference services; provide document management services; provide legal and accounting services; provide payment processing services; provide customer support; and provide IT and email administration. |
| Commercial and financial information | Service providers and contractors that provide customer relationship management (CRM) services; assist us in operating, analyzing, and displaying content on our website; provide analytics information; advertise or market our products; provide website hosting, webcast and teleconference services; provide document management services; provide legal and accounting services; provide payment processing services; provide customer support; and provide IT and email administration. |
| Characteristics of protected classifications under applicable law | Service providers and contractors that provide customer relationship management (CRM) services; assist us in operating, analyzing, and displaying content on our website; provide analytics information; advertise or market our products; provide website hosting, webcast and teleconference services; provide document management services; provide legal and accounting services; provide payment processing services; provide customer support; and provide IT and email administration. |
| Health information | Service providers and contractors that provide customer relationship management (CRM) services; assist us in operating, analyzing, and displaying content on our website; provide analytics information; advertise or market our products; provide website hosting, webcast and teleconference services; provide document management services; provide legal and accounting services; provide payment processing services; provide customer support; and provide IT and email administration. |
| Testimonial information | Service providers and contractors that advertise or market our products; prospective or current customers and patients. |
| Internet or other electronic network activity information | Service providers and contractors that provide customer relationship management (CRM) services; assist us in operating, analyzing, and displaying content on our website; provide analytics information; advertise or market our products; provide website hosting, webcast and teleconference services; provide document management services; provide legal and accounting services; provide payment processing services; provide customer support; and provide IT and email administration. |
| Professional information | Service providers and contractors that provide customer relationship management (CRM) services; assist us in operating, analyzing, and displaying content on our website; provide analytics information; advertise or market our products; provide website hosting, webcast and teleconference services; provide document management services; provide legal and accounting services; provide payment processing services; provide customer support; and provide IT and email administration. |
| Education information | Service providers related to employment-related activities. |
| Audio and visual information | Service providers and contractors that provide customer relationship management (CRM) services; assist us in operating, analyzing, and displaying content on our website; provide analytics information; advertise or market our products; provide website hosting, webcast and teleconference services; provide document management services; provide legal and accounting services; provide payment processing services; provide customer support; and provide IT and email administration.
With separate consent, your testimonial may be featured on a variety of platforms, including on our Sites, social media, television, print, audio, marketing emails, and promotional materials. |
How We Sell Your Information
When we engage in digital advertising, we may sell the following categories of personal information (according to the broad definition of “sell” under select state privacy laws), share them for purposes of cross-context behavioral advertising, or use them for targeted advertising: personal identifiers (including IP address, mobile advertising IDs) and internet or other electronic activity information.
The following chart describes the categories of personal information that we sold (as the term is defined under applicable state privacy laws) to third parties, including if it was shared for online behavioral advertising purposes, in the 12 months prior to the date of this Notice.
| Categories of Consumers’ Personal Information | Categories of Third Parties To Which We Sold Personal Information |
|---|---|
| Personal identifiers | Marketing, analytics, and online advertising platform providers. |
| Internet or other electronic network activity information | Marketing, analytics, and online advertising platform providers. |
We do not sell or share for cross-context behavioral advertising any of the other categories of personal information we collect.
Additional Information About How We May Share your Personal Information
We may disclose aggregate statistics regarding user behavior as a measure of interest in, and use of, our Sites or de-identified data, such as overall patterns or demographic reports.
We share personal information we have about you with our affiliated companies to operate and improve our Services. Nevro affiliated companies are owned or operated by us, and include the list of entities in Appendix 1. This Notice applies to the information we share with our affiliates.
We may disclose your information when we believe that disclosure is reasonably necessary to (1) comply with any applicable law, regulation, subpoena, legal process or enforceable governmental request; (2) enforce the provisions of this Notice; (3) protect against harm to the rights, property, or safety of Nevro, our customers, or the public as required or permitted by law; (4) help detect and protect against fraud and data security vulnerabilities; and (5) use as part of a sale, merger, reorganization of our entity or other restructuring.
International Data Transfers
We collect information globally, including from customers in the United States, European Economic Area (“EEA”), United Kingdom, Switzerland, and Australia. We may transfer your information outside of the country in which you originally provided it to where our affiliated companies and service providers operate, including the United States. These countries may not have the same data protection laws as the country in which you provided your personal information.
To ensure that your data is secure, we use European Commission approved standard contractual clauses (including the UK Addendum and Swiss Addendum where applicable) when we transfer information from the EEA, UK and Switzerland. We also make use of intra-group data transfer agreements to protect your information when we transfer it to our affiliated companies outside the EEA, UK and Switzerland. You can request further information in relation to international transfers (including a copy of any data transfer agreements) by using the contact details [email protected].
Your Choices and Rights
Your Choices
Where appropriate or legally required, we will describe how we use personal information we collect so you can make choices about how your data is used. You can notify us during the information collection process and change your preferences at any time.
- Marketing communications: With your consent (where required by applicable law), we may contact you by email or phone to provide additional information about our Services. If you would like to opt-out of further marketing communications, you can click the link in the bottom of any marketing email, or email us at [email protected].
- Patient care communications: Subject to applicable law, we may call, email, or send SMS texts after your procedure to schedule appointments and facilitate follow up treatment.
- Transactional communications: We send transactional emails if you submit a message through the “Contact Us” form on our websites, to notify you about changes to our Services, and to send other disclosures as required by law.
How We Store and Secure Information
Data Security
We maintain appropriate administrative, technical, and physical safeguards designed to protect your personal information from unauthorized access and disclosure. These safeguards used to protect your data include, for example, a Corporate IT Security Policy, use-tested access and security controls, and controls for our third party service providers acting on our behalf or with whom we share your information.
Although we implement safeguards designed to protect your information, it is impossible to guarantee absolute security in all situations. If you have any questions about security of our Services, please contact us at [email protected].
Data Retention
We retain personal information for as long as necessary to fulfil the purposes for which it was collected, including for as long as needed to support our business operations and develop our Services, comply with our legal obligations (such as maintaining medical records and reporting to regulatory authorities), resolve disputes, and enforce our rights.
Other Important Privacy Information
Children’s Privacy
Our Sites and Services are intended for a general audience and are not directed to children. We do not knowingly collect personal information online from minors under the age of 13. If you believe that a minor under the age of 13 may have provided us with personal information, please contact us at [email protected] and we will promptly delete that information from our records.
Third Party Services, Applications, and Websites
Certain third party services or websites you use, or navigate to or from our Services (such as social media sites) may have separate user terms and privacy policies that are independent of this Notice. We are not responsible for the privacy practices of these third party services or applications. We recommend carefully reviewing the user terms and privacy statement of each third party service, website, and/or application prior to use.
Do Not Track Requests
Some browsers have a “do not track” feature that lets you tell websites that you do not want to have your online activities tracked. At this time, we do not respond to browsers’ do not track signals.
Cookies
For more information about how we use cookies and to learn how to manage cookies, please see our Cookie Notice.
We use Google Analytics to evaluate the use of our website. Google Analytics uses cookies and other identifiers to collect information, such as how often users visit a website, what pages they visit when they do so, and what other websites they visited prior to visiting a website. To learn more about how Google Analytics collects personal information, review Google’s Privacy Policy.
Global Privacy Control
We also recognize opt-out signals communicated through the browser-based extension offered through the Global Privacy Control, a non-profit that is in the process of developing a technological tool that can be used universally to signal a user’s privacy preferences. However, please note that, due to the technical limitations of the Global Privacy Control’s extension, requests made through their extension apply only to the device on which the request is made (e.g., a specific computer) and will only work with the browser used to activate the opt-out setting (e.g., Duck Duck Go).
Third Party Websites
Our Sites and Services may contain links to websites and services that are owned or operated by third parties (each, a “Third-Party Service”) which may include features that collect your IP address, which page you are visiting on our Sites and Services and may set up a cookie to enable the links to function properly. Any information that you provide on such sites is provided directly to the Third-Party Service and we are not responsible for their respective content, privacy or security practices and policies. To protect your information, we recommend that you carefully review the privacy policies of all Third-Party Services that you access. Our Sites and Services may include access to publicly accessible blogs, forums, or social media pages. Personal information you voluntarily transmit or publish online in such publicly accessible blog, forum, or social media page may be viewed and used by others without any restrictions. Your interactions with these platforms are governed by the privacy policy of the company providing them.
California Shine the Light
California Civil Code Section 1798.83, also known as the “Shine the Light” law, permits California residents that have an established business relationship with a business to annually request, free of charge, information about certain categories of personal information a business has disclosed to third parties for those parties’ direct marketing purposes in the preceding calendar year.
Your Individual and State Rights
Depending on your country or state and as required by law, you may have the following rights with respect to your personal information. The rights provided under these laws are similar in many respects, with some differences depending on your country or state. We list below the rights that may be applicable to our business under these laws:
- Right to Know – to confirm whether or not we are processing a resident’s personal information and to access such data. Laws in some states provide the right to know more detailed information.
- For example, California’s privacy law gives residents the right to request the following additional information collected: Categories of personal information we have collected about them; categories of sources from which such personal information was collected; categories of personal information that the business sold or disclosed for a business purpose about the consumer; categories of third parties to whom the personal information was sold or disclosed for a business purpose; and the business or commercial purpose for collecting or selling your personal information.
- Right of access/copy – to obtain information or request a copy regarding the processing of your personal information, including the right to obtain a copy of the processed personal information;
- Right of rectification/correct – to request amendments to any inaccurate or incomplete personal information;
- Right of erasure/delete – to request for the deletion of your personal information that we hold. However, we may not always be able to delete your personal information for legal and regulatory reasons;
- Right to restriction of processing/limit the use of sensitive personal information – to request that we restrict or suppress the processing of your sensitive personal information or opt-out of processing for profiling/targeted advertising purposes (including “sale”);
- Right of portability – to receive and/or request transmission to a third party certain personal information that you have provided to us, in a machine-readable format;
- Right to object – to object to the processing of your personal information where we rely on our legitimate interest as the lawful basis;
- Withdraw consent where we rely on consent as a lawful basis for processing your personal information. Please note that withdrawing your consent does not affect the lawfulness of our processing of your personal information based on such consent prior to the withdrawal;
- Lodge a complaint with a Data Protection Authority/EU Supervisory Authority.
Please note, California’s law is the only law that applies to all state residents, irrespective of the context in which they interact with us (e.g., a customer, a business contact, a vendor). Laws in other states apply only to people when acting in an individual or household context.
Consumer Rights Under U.S. State Consumer Health Data Privacy Laws
We have a separate Consumer Health Data Privacy Notice that relates to rights provided under consumer health data privacy laws in Nevada and Washington state to residents of those states acting in an individual or household context with respect to their consumer health data. You can access our Consumer Health Data Privacy Notices here.
Exercising Your Rights
We will respond to requests from residents of states with data privacy laws that apply to us and will do so with respect to the rights that are provided under the requestor’s state law as of the effective date of that law.
We can correct or delete incorrect data, or provide a copy of your information upon request, but we reserve the right to use your information to request additional information to verify your identity before we process your request and to maintain a copy of all requests for our legal records.
If you wish to exercise these rights, please submit your request here and we will respond to verifiable requests within 30-45 days, depending on the applicable state or country regulations (if any). If we require additional information or time to process your requests, we will contact you. Applicable privacy laws may give you the right to file a complaint with a government regulator if you are not satisfied with our response.
Our Commitment to Allowing You to Exercise Your Rights – Non-Discrimination
If you exercise any of the rights explained in this Policy, we will continue to treat you fairly. If you exercise your rights under this Policy, you will not be denied or charged different prices or rates for goods or services, or provided a different level or quality of goods or services than others.
Designated Authorized Agent
You may designate an individual, consistent with requirements under applicable laws, to submit a verifiable consumer request relating to your personal information. Authorized agents must additionally provide documentation of their designation, such as a notarized medical records request form (available for download here) or power of attorney.
We cannot respond to your request if we cannot verify your identity and/or authority to make the request on behalf of another and confirm the personal information relates to you. Making a verifiable consumer request does not require you to create an account with us. We will only use personal information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request.
Financial Incentives
Nevro does not offer financial incentives or price or service differences in exchange for the retention or sale of personal information.
Changes to Privacy Notice
We may update this Notice to reflect changes in our personal information practices or relevant laws. We will notify you if we make any material changes by revising the “effective date” at the top of this Notice. We encourage you to review this Notice for updates each time you use our Services.
Contact Us
If you have any questions about our privacy practices, or if you would like to exercise your rights, please contact us at [email protected] or write to us at:
Nevro Corp.
Attn: Privacy
1800 Bridge Pkwy
Redwood City, CA 94065
USA
Data Protection Representatives
For the purpose of EU GDPR, our EU Data Protection Representative is: Nevro Germany GmbH ([email protected])
For the purpose of UK GDPR, our UK Data Protection Representative is: Nevro Medical Ltd. ([email protected])
Appendix 1 – Contact Details
| Location | Nevro Entity | Contact details |
|---|---|---|
| Australia | Nevro Medical Pty Limited | Email: [email protected] Address: Level 14/440 Collins Street, Melbourne, VIC 3000, Australia |
| Austria | Nevro Medical Limited (acting through Nevro Germany GmbH) | Email: [email protected] Address: Prielmayerstraße 3, 80335 München |
| Belgium | Nevro Medical Limited (acting through its Belgian branch office) | Email: [email protected] Address: Carrick House, Lypiatt Road, Cheltenham, Gloucestershire, GL50 2QJ |
| Costa Rica | Nevro Medical S.R.L. | Email: [email protected] Address: Building 28C, Coyol Free Trade Zone, Alajuela, 20113, Costa Rica |
| Czech Republic, Ireland, Italy, Liechtenstein, Luxembourg, Netherlands, Norway, Slovakia, Spain, Sweden, and United Kingdom | Nevro Medical Limited | Email: [email protected] Address: Carrick House, Lypiatt Road, Cheltenham, Gloucestershire, GL50 2QJ |
| Germany | Nevro Germany GmbH | Email: [email protected] Address: Prielmayerstraße 3, 80335 München |
| Switzerland | Nevro Medical Limited (acting through Nevro Medical SAGL) | Email: [email protected] Address: Christoph Merian-Ring 11, 4153 Reinach |
| United States | Nevro Corp. | Email: [email protected] Address: 1800 Bridge Pkwy Redwood City, CA 94065 |