Privacy Policy

Organization Name: AIRS Medical Inc.
Document Name: Privacy Policy
Document Owner: Jonghyeng Park, CPO
Effective Date: May 14, 2026
Version: 2.0
Document Approver: Jangsoon Park, CEO

AIRS Medical Inc., including its affiliates and subsidiaries (collectively, "AIRS Medical" and also referred to as "we", "us", and "our") respects your privacy and is committed to protecting it through our compliance with this policy. This privacy policy describes how AIRS Medical collects, uses, and secures personal data and, where necessary, with whom we share it.

By using the websites, you accept the practices described in this privacy policy. This policy may change from time to time to reflect the changes to our privacy practices. We will notify you of any material changes by posting the new policy on this page and updating the "Effective Date" at the top. We encourage you to periodically review this page for the latest information on our privacy practices.

This privacy policy has been developed and is maintained in accordance with all applicable national and international privacy and data protection laws and regulations, specifically with the EU General Data Protection Regulation (GDPR).

INTRODUCTION

SCOPE OF PRIVACY POLICY AND DATA CONTROLLER

This policy applies to personal data we collect through your use of this AIRS Medical website (“Website”) or through offline collection in connection with promotional engagement, partner management via post, phone, or email and in-person business meetings. It does not apply to personal data collected by us offline or through any other means, including on any other website operated by AIRS Medical or any third party, including through any application or content that may link to or be accessible from or through the website. This policy applies to personal data we collect and process through: (a) the AIRS Medical website (airsmed.com) ("Website"); (b) our cloud-based medical imaging products and services, including SwiftMR and SwiftSight (collectively, "Products"); (c) offline interactions; and (d) personal data we process in our capacity as a data processor on behalf of healthcare providers through our Products. We encourage you to read their privacy policies for information on how they handle your personal data.

CONTROLLER

AIRS Medical is the controller responsible for your personal data under applicable data protection laws. For processing activities specific to a particular region, the relevant local entity may act as the data controller as specified in the applicable jurisdiction-specific notice. We have appointed a Chief Privacy Officer (CPO) who serves as our designated data protection contact under applicable regulations. The CPO is responsible for overseeing questions in relation to this privacy policy. For the European Economic Area, we have designated a separate Data Protection Officer (DPO) in accordance with GDPR Art. 37. Contact details for both are provided in the Contact Information section below. If you have any questions about this privacy policy, including any requests to exercise your legal rights, please contact our CPO using the information set out in the Contact Information section. For detailed contact information and jurisdiction-specific designations, please refer to the relevant specific section of this policy.

DATA MINIMIZATION

Unless otherwise instructed at the point of collection or where exceptions under applicable laws take precedence, AIRS Medical will make reasonable efforts to ensure that any use, disclosure, or request of personal data is limited to the minimum amount necessary to accomplish the intended purpose.

COLLECTION OF YOUR PERSONAL DATA

Personal data means any information relating to an individual that can be used to identify that person. We collect several types of personal data from the Website and from offline collections, as described in the ‘scope of privacy policy’ section, under the legal basis for the collection and temporary storage of data in compliance with applicable laws.

Providing personal information to us is entirely voluntary on your part. If you choose not to provide or allow data that is necessary for the service, we may not be able to deliver the services or certain aspects of it in their full capacity.

TYPES OF DATA

The personal data we collect depends on how you interact with us, the services you use, and the choices you make.

INFORMATION PROVIDED BY YOU

You may directly give us your personal data when you complete online forms on our website or by corresponding with us by post, phone, email, in-person business meetings, or otherwise. This includes personal data you provide when you apply for our products or services, subscribe to our publications, request marketing materials to be sent to you, complete a survey, give us feedback, or contact us for general inquiries. The personal data we collect may include the following:

  • IDENTITY DATA includes [first name, last name, any previously known names, job title, your company, your country, or similar identifiers]
  • CONTACT DATA includes [email address, and telephone numbers]
  • MARKETING AND COMMUNICATIONS DATA includes [your preferences in receiving marketing from us]

Where required by applicable laws, we will obtain your prior consent before utilising your personal data for marketing purposes.

In connection with the payment of service fees for services you provide to us, we may collect additional information, including government-issued ID numbers, Tax ID numbers, bank account details, and CVs, for payment processing purposes.

PATIENT-RELATED DATA PROCESSED VIA OUR PRODUCTS

For certain products and services, AIRS Medical may process patient-related data on behalf of healthcare providers (who act as the Data Controller). In this capacity, AIRS Medical acts as a Data Processor and processes such data strictly in accordance with the Controller’s documented instructions, applicable data processing agreements, and all relevant data protection laws.

The categories of patient-related data processed may include:

  • PATIENT IDENTIFIERS include [patient name, date of birth, medical record number, or other identifiers as contained in medical imaging metadata (e.g., DICOM tags)]
  • MEDICAL IMAGING DATA includes [diagnostic images (e.g., MRI scans), AI-generated analysis results, and associated diagnostic support reports]

Where technically feasible, we apply de-identification or pseudonymization techniques prior to transmission to our cloud-based processing environment. Where the nature of the service requires that certain patient identifiers (e.g., patient name) be transmitted to the cloud environment for clinical or diagnostic support purposes, such data is protected during transmission using robust encryption and advanced security measures designed to protect data integrity during transmission. Access is strictly limited to authorized personnel on a need-to-know basis, and all data is retained only for the period defined by the healthcare provider in accordance with applicable medical record retention laws.

AIRS Medical does not independently determine the purposes of processing patient-related data. All processing is performed under the direction and control of the healthcare provider (Data Controller), and we maintain data processing agreements that define the scope, duration, and nature of such processing in compliance with applicable data protection laws.

AIRS Medical's products are designed to assist healthcare professionals in their clinical decision-making and do not make autonomous diagnostic or treatment decisions. Our AI systems process medical imaging data (e.g., MRI scans) and associated metadata to generate enhanced images, reconstructed scans, or analytical outputs that are presented solely as supplementary information for the treating healthcare professional. All AI-generated outputs require review and validation by a qualified healthcare professional, who retains full authority to accept, modify, or disregard any AI output, before any clinical action is taken. AIRS Medical does not engage in solely automated decision-making as defined under Article 22 of the GDPR. For further information on how our AI systems process data and your related rights, please refer to the applicable jurisdiction-specific notices below.

INFORMATION COLLECTED AUTOMATICALLY

As you navigate through and interact with our website, we may automatically collect Technical Data, Geolocation Data, and Usage Data. This covers details of your visits to our website, including traffic data, location information, logs, and other communication data, as well as the resources that you access and use on the website. We collect this data by using cookies, server log files, and other similar technologies. Please see our Cookie Policy for further details. The data we collect includes:

  • TECHNICAL DATA includes [Internet protocol (IP) address, internet connection, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, device type and other technology on the devices you use to access this website]
  • GEOLOCATION DATA includes [geographical information based on your IP address, time zone, and, if enabled, device permissions that provide location data]
  • USAGE DATA includes [information about how you interact with and use our website, cookies and other tracking technologies]

INFORMATION COLLECTED FROM THIRD-PARTY SOURCES

We may receive your personal data from third-party service providers, including social media platforms, advertising networks, and analytics providers, if you access our website through an advertisement on their websites or applications. These providers may also provide us with aggregated data and analytics regarding your use of our website.

COOKIES AND SIMILAR TECHNOLOGIES

Cookies are small text files that are stored by the Internet browser on your device. A cookie contains a characteristic string of characters that enables the browser to be uniquely identified when the website is called up again. We use cookies to ensure that our website functions properly and we also use cookies to analyze your interaction with our Website. When you access our Website, we inform you about our use of cookies.

Some features of our website cannot be offered without the use of cookies (“Technical” or “Functional” cookies). These cookies are strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by you, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.

For cookies that are not technically necessary (“Statistics,” “Advertising,” and “Marketing” cookies), we require your consent to process the personal data associated with them. These cookies may be used in aggregate to help us understand how our website is being used or to help us customize our website for you. You may adjust or opt out of cookie preferences by clicking on ‘Manage Consent’ at the bottom left of the website. A link to our privacy policy is also provided there for additional context.

  • BROWSER COOKIES. You may refuse to accept browser cookies by activating the appropriate setting on your browser. However, if you select this setting, you may be unable to access certain parts of our website. Unless you have adjusted your browser setting so that it will refuse cookies, our system will issue cookies when you direct your browser to our website.
  • THIRD-PARTY COOKIES. We also use third-party cookies on our website. The legal basis for the use of cookies and the subsequent data processing is your consent in accordance with Article 6(1)(a) GDPR. The following cookie-based tools are used: Elementor, WordPress, WPForms, Google Analytics (and other various services), Wordfence, CloudFlare, Complianz, Hotjar, Meta Pixel, and LinkedIn Insight Tag. For further details, please see our Cookie Policy.
  • WEB BEACONS. Pages of our website may contain small electronic files known as web beacons (also referred to as tracking pixels, such as Meta Pixel or LinkedIn Insight Tag) that permit AIRS Medical to count users who have visited those pages for other related website statistics.

USE OF YOUR PERSONAL DATA

We use your personal data for the purposes we have described below in this privacy policy.

MANAGE OUR RELATIONSHIP WITH OUR CUSTOMERS AND BUSINESS PARTNERS

We will use your personal data:

  • to provide our products and services to you;
  • to verify your identity (e.g., if you already have access rights to our Website or any agreement executed with us in place) and provide support accordingly;
  • to execute and perform agreements with our partners, clients, and suppliers;
  • to keep you informed about our products, services, events, and promotions. This includes sending newsletters, invitations to events (such as conferences and webinars), and other promotional updates to enhance your experience;
  • to respond to your inquiries and provide you with information when you request it or when we believe our products and services may be of interest to you or similar to those that you have already inquired about;
  • to conduct and facilitate surveys and feedback;
  • to personalize your experience when interacting with AIRS Medical;
  • to provide customer support through various channels and to analyze and improve our customer support.

IMPROVE OUR PROCESSES AND BUSINESS OPERATIONS

We will use your personal data:

  • to manage our network and information systems security;
  • to keep records related to our relationship with healthcare professionals;
  • to perform data analysis, auditing and research to help us deliver and improve our digital platforms, content and services (including developing new products, services, and channels);
  • to monitor and analyze trends, usage and activities in connection with our products and services to identify areas of interest and improve our products and services accordingly;
  • to evaluate the effectiveness of our business through essential functions such as accounting, auditing, billing and financial reconciliation.

AGGREGATE DATA

To the extent permitted by law, we may also utilize de-identified or aggregated data that no longer identifies an individual to improve our offerings. Personal data obtained through various channels may be aggregated to calculate the percentage of users accessing a specific website feature in order to analyze general trends in how users are interacting with our website to help improve the website and our service offering. This approach enables us to provide a better and more personalized service. By using this data, we can estimate audience size and usage patterns, store information about your preferences, customize our website according to your interests, speed up searches, and recognize you when you return to our website.

OTHER NECESSARY PURPOSES

We will use your personal data:

  • to comply with applicable laws and regulations;
  • to fulfill legal obligations (including to comply with tasks mandated by law, such as disclosure to government, supervisory, tax, and sector-specific authorities, to respond to requests from competent public authorities);
  • to comply with and enforce contractual obligations and our policies and terms (including informing you of the changes to our terms and conditions and policies);
  • to exercise or defend AIRS Medical against potential or threatened litigation;
  • to investigate and take action against illegal and harmful behaviour to protect the interests of AIRS Medical;
  • to adhere to applicable regulatory requirements and quality standards (including adverse event reporting to regulatory authorities; complaint and incident management by assessing and implementing corrective and preventive measures).

LEGAL BASIS OF PROCESSING YOUR PERSONAL DATA

The GDPR and other applicable privacy laws require us to have a legal basis for collecting and using your personal data. As such, we may rely on the following legal bases. AIRS Medical processes your personal data based on one or more of the following foundations to achieve the purposes described above.

  • CONSENT. We may process your personal data if you have given us explicit consent to use your personal data for a specific purpose, for example: placing “Statistics,” “Advertising,” and “Marketing” cookies on your device as described above; certain situations where you share sensitive data about yourself; electronic marketing communications; and any other situation where personal data processing relies on your consent, such as contacting us for a product free trial or responding to your inquiries about our products and services. Where processing is based on consent, you have the right to withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
  • PERFORMANCE OF A CONTRACT. We may process your personal data when we believe it is necessary to fulfill our contractual obligations to you, including providing our products and services; identifying and authenticating your access to our website, systems, and publications; responding to your inquiries; and personalizing your experience to meet your needs within the scope of the services we offer.
  • LEGITIMATE INTERESTS. Generally, the legitimate interest pursued by AIRS Medical in relation to the use of your personal data is the efficient performance or management of your use of our products and services, our business relationship with you, and the achievement of the specific purposes described herein. These purposes include, but are not limited to: selecting suitable business partners and verifying eligibility for products; managing and securing our IT systems, communications, and networks; preventing fraud and protecting the rights, privacy, safety, or property of AIRS Medical; planning, improving, and analyzing our business activities, including trend analysis for product development; ensuring quality control through training, feedback, and customer surveys; handling your queries, providing customer service, and digitizing corporate records; and sending marketing materials (subject to your right to opt out at any time). Before processing your personal data for our legitimate interests, we perform an assessment to balance our business needs against any potential impact on your rights and freedoms. We do not use your personal data for activities where our interests are overridden by the impact on you unless we have your consent or are otherwise required or permitted to by law.
  • LEGAL OBLIGATIONS. We may process your personal data when it is required to ensure compliance with our legal obligations. This includes, but is not limited to, cooperation with a law enforcement body or regulatory agency, exercising or defending our legal rights, disclosing your personal data as evidence in litigation in which we are involved, medical device safety reporting, tax and accounting regulations, and responding to requests from government authorities.
  • SPECIAL CATEGORIES OF PERSONAL DATA. Where we process health-related data or other special categories of personal data in connection with our services, we do so on the basis of applicable exceptions under data protection law, such as processing necessary for reasons of preventive or occupational medicine, medical diagnosis, or the provision of health care (e.g., GDPR Art. 9(2)(h)), or where required for reasons of public interest in public health. Where we act as a Data Processor, the healthcare provider (Data Controller) is responsible for establishing the applicable legal basis. For further details, please refer to the applicable jurisdiction-specific notice.

SHARING AND DISCLOSURE OF YOUR PERSONAL DATA

  • AFFILIATES. We may share or disclose your personal data to our affiliates and subsidiaries given the global nature of operations. We strictly adhere to a 'need-to-know' principle, ensuring that access is restricted to authorized personnel who require the information to perform their specific duties.
  • BUSINESS PARTNERS. We may share or disclose your personal data to business partners, vicarious agents, authorized distributors, or local representatives, particularly in markets where we do not have a direct presence or our market reach is deemed limited. In such cases, your personal data is shared only to the extent necessary to manage the business relationship with you and to achieve the purpose described in this Privacy Policy. We ensure that all such partners are selected based on their reputation and compliance standards. Furthermore, we maintain strict contractual safeguards (such as Data Processing Agreements) with these partners, obligating them to protect your personal data with the same level of integrity that we apply ourselves.
  • SERVICE PROVIDERS. We may share or disclose your personal data to authorized third-party service providers to perform functions on our behalf for effective business management or the fulfillment of the contract or at your request for the implementation of pre-contractual measures. The categories of the recipients include, but are not limited to, providers of content delivery and web hosting, analytics and marketing services (including social media platforms), payment processing and customer management systems. These providers operate on our behalf and follow our instructions under Article 28 GDPR. Data processing agreements are in place with these providers, contractually binding them to keep your personal data confidential and to use it solely for specified purposes.
  • SUCCESSORS. We may share or disclose your personal data to entities such as potential acquirers of our business or brand, or a buyer or successor in the event of a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of the company’s assets, whether as a going concern or as part of bankruptcy, liquidation, or a similar proceeding. In such cases, personal data held by AIRS Medical may be among the assets transferred, and the new owners may use your personal data in accordance with this privacy policy.
  • LEGAL PROCESS AND ENFORCEMENT. We may share or disclose your personal data if we are legally obligated or authorized to do so by law or legal process (such as a court order or subpoena). This includes sharing information with law enforcement or government bodies to comply with valid legal requests. We also reserve the right to disclose personal data when essential to protect the rights, property, or safety of AIRS Medical, our customers or the public. This includes enforcing our terms of use and exchanging information with other companies and organizations for the purposes of fraud protection and credit risk reduction.
  • PROFESSIONAL ADVISORS. We may share or disclose your personal data to professional advisors such as auditors, accountants, lawyers, or insurers, where necessary in the course of the professional services that they render to us.
  • WITH CONSENT. In all other instances where applicable law requires specific authorization for data disclosure, we may share or disclose your personal data to other parties only after obtaining your explicit consent. Such disclosures will be conducted strictly to the extent permitted by law and in accordance with the specific purposes for which your consent was granted.

INTERNATIONAL DATA TRANSFER TO THIRD COUNTRIES

As a global organization, we may transfer your personal data across international borders to countries where data protection standards may differ from those in your home jurisdiction. Such transfers are made only to fulfill contractual and business obligations or to maintain our business relationship with you.

To support the delivery of our services, we utilize cloud infrastructure provided by Amazon Web Services (AWS), where data is generally processed and stored in the region where the service is delivered. In cases where data may be processed in a different jurisdiction, appropriate safeguards under applicable law are applied prior to any such transfer.

When we transfer personal data outside of the European Economic Area (EEA), we rely on one or more of the following lawful mechanisms:

  • Adequacy Decision: The third country has been confirmed by the EU Commission to have an adequate level of data protection. The full list of these countries is available here.
  • Standard Contractual Clauses (SCCs): We enter into EU standard contractual clauses or binding corporate rules with the data recipient to ensure an adequate level of protection.

For transfers originating from other jurisdictions (e.g., South Korea, Japan), we comply with the applicable cross-border data transfer requirements of those jurisdictions, as further described in the relevant country-specific sections of this policy.

DATA RETENTION

To the extent permitted by applicable law, we retain the personal information we obtain about you as long as:

(1) it is needed for the purposes for which it was originally collected, in accordance with the provisions of this Privacy Policy; or

(2) we have another lawful basis for retention—such as complying with legal obligations (including retention mandates under tax, commercial, or other applicable laws)—beyond the period necessary to serve the original purpose.

Unless otherwise indicated at the time of collection (e.g., within a specific form completed by you) or unless we have obtained your explicit consent for a different duration, we will process and retain your personal data in accordance with the standards stated above.

To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process personal data, and whether we can achieve those purposes through other means.

We retain cookie data in accordance with retention periods stated in the Cookie Policy.

You have the right to request deletion of your personal data at any time, subject to certain exceptions where we are required to maintain the data to comply with our legal obligations or to establish, exercise, or defend legal claims (see Your Legal Rights below).

DATA SECURITY AND SAFETY

We implement a comprehensive range of organizational, technical, and physical security measures designed to protect your personal data against unauthorized access, loss, alteration, or disclosure. We are committed to maintaining the integrity and confidentiality of your information through robust management practices, including:

  • Technical security measures: All information you provide to us is stored on encrypted storage and secure servers with up-to-date security standards.
  • All communications related to the provision of services are protected using encryption technology that complies with TLS 1.2 or higher.
  • Employee Awareness and Supervision: Access to personal data is strictly limited to authorized personnel who have undergone regular GDPR-related and HIPAA training.
  • Physical security measures: Our premises, which house PCs, hard drives, and USBs used to access your personal data, are protected by a 24-hour security monitoring system and enhanced physical security measures.
  • Authentication and Access Management: We use strong passwords generated in accordance with our internal policies and enforce two-factor authentication (2FA), which requires two pieces of information to access personal data. In addition, we ensure that passwords are updated regularly and that the same password is not used across different applications to further enhance security.
  • Need-to-Know Principle: Access to your personal data is restricted to authorized employees, agents, and contractors who have a demonstrated business need-to-know. All such personnel are bound by strict contractual duties of confidentiality.
  • Verified Service Providers: We exercise extreme care in selecting third-party service providers. We verify that they have robust security measures and advanced technologies in place to protect your data. Under mandatory Data Processing Agreements (DPAs), they are contractually obligated to process data only on our explicit instructions.
  • Incident Response and Notification: We have established comprehensive procedures to detect, address, and mitigate any suspected personal data breaches. In the event of a breach, we will notify you and the applicable regulatory authorities whenever we are legally required to do so.
  • Independent Verification: Our security practices are validated through independent third-party audits and industry-recognized certifications.

YOUR LEGAL RIGHTS

To the extent provided by the laws of your jurisdiction, you are entitled to certain rights regarding your personal data. Please note that these rights are not absolute and may vary depending on where you reside; as such, they may be subject to specific exceptions under applicable law.

  • Right to Be Informed. Be informed about the collection and use of your personal data.
  • Right of Access. Have access to personal data about you. This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
  • Right to Erasure (Right to Be Forgotten). Have data about you deleted. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing. Note, however, that we may not always be able to comply with your request for erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request. Especially where we act as a Data Processor for healthcare providers, any erasure request must be directed to the relevant Data Controller (e.g., your hospital or physician), as we are contractually and legally bound to retain data according to their instructions and applicable medical record retention laws. We will notify you of such reasons, if applicable, at the time of your request.
  • Right to Rectification. Have information about you corrected. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
  • Right to Object or Restrict Processing. Object or restrict the processing of data (Article 18 GDPR) about you where we are relying on a legitimate interest as the legal basis for that particular use of your data. To ensure your request is handled correctly, please note the following:
    • In cases where we act as a Data Processor, we will facilitate your request through the relevant Data Controller (e.g., your hospital or physician). Please note that, if processing is restricted, it may render the provision of certain services or diagnostic functions impossible.
    • In cases where we act as a Data Controller, we will cease the processing of your data unless we can demonstrate compelling legitimate grounds for further processing which override the data subject’s interest in objecting. If the data processing is based on consent in accordance with applicable laws, you can revoke your consent at any time with effect for the future without affecting the legality of the previous processing.
  • Right to Data Portability. Data portability to allow you to obtain and reuse your personal data for your own purposes, across different services. This allows you to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability. We will provide you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
  • Right to Withdraw Consent. Where we rely on your consent to process personal data, you have the right to withdraw that consent at any time. To ensure clarity regarding the impact of withdrawal, please note:
    • In cases where we act as a Data Processor: If you wish to withdraw consent for data processed through our services provided to a healthcare provider, you must contact the Data Controller (e.g., your hospital or physician) directly. As a processor, we act upon the Controller’s instructions and will execute the erasure or cessation of processing once we receive a formal request from them.
    • When we act as a Data Controller: Upon receiving your withdrawal of consent, we will erase the relevant personal data, provided that its continued processing is no longer necessary and there is no other overriding legitimate interest or legal obligation for us to maintain it.
    • Legal and Service Impact: The withdrawal of consent does not affect the lawfulness of any processing carried out before the withdrawal. Please be aware that if you withdraw your consent, we may no longer be able to provide certain services to you. In such cases, we will inform you of the specific impact at the time of your withdrawal.

For your protection, and to protect the privacy of others, we may need to verify your identity before completing what you have asked us to do.

EXCEPTIONS TO THE RIGHT TO ERASURE

Please be aware that there may be specific situations where AIRS Medical is legally entitled or required to deny or restrict your privacy rights. In particular, we may decline a request to erase your personal data or limit other rights if the processing is necessary for one of the following reasons:

  • to comply with legal obligations under applicable laws (including those of EU Member States, where applicable)
  • to establish, exercise or defend legal claims
  • to perform a public interest task or exercise official authority
  • for public health reasons
  • for archival, research or statistical purposes
  • to exercise our right to freedom of expression or information

DATA SUBJECTS ACCESS REQUESTS

Once we have verified your identity, we respond to and resolve all Subject Access Requests we receive from you regarding your personal data within one month of receipt of the request as outlined under the GDPR and other applicable laws. Occasionally, it could take us longer than a month if your request is particularly complex or you have made a number of requests. In such cases, we will notify you within the first month and provide an estimated timeline for completion.

We will send you the information you need to resolve your Subject Access Request in the format that you made the request in. For example, if you emailed us to make your Subject Access Request we will email the required information to you. We always justify why we cannot comply with your Subject Access Request. For example, if the requested data has been erased in accordance with our data retention policy or due to legal obligations, we will inform you of this.

In principle, you will not have to pay a fee to access your personal data or to exercise any of the other rights. However, as permitted by applicable law, we may charge a reasonable fee or refuse to act on your request if it is manifestly unfounded, repetitive, or excessive (see below). If you want to exercise your Subject Access Request rights, please visit here to submit an online request form. Please note that where AIRS Medical acts as a Data Processor on behalf of a healthcare provider (the Data Controller), we may be contractually required to redirect your request to the relevant provider. We will cooperate with and support the healthcare provider to ensure your request is addressed in accordance with applicable law.

EXCESSIVE OR UNFOUNDED REQUESTS

We may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances. If Subject Access Requests made by you are deemed to be excessive or unfounded we reserve the right granted to us under the GDPR and other applicable laws to:

  • Refuse to provide you with the information, always justifying in writing the reasons behind our refusal
  • Charge a reasonable administration fee and again, always justifying in writing the reason for any fees
  • If your Subject Access Request is particularly complex, for example, we have to go through a large volume of data to access the information necessary to resolve your Subject Access Request, we will write to you within one month of receipt of the request and inform you why it will take us longer to comply with your request. Under the GDPR, if we follow these steps, we will have a further 2 months to comply with your Subject Access Request.

DATA BREACHES

AIRS Medical endeavors to protect your personal data by maintaining administrative, technical, and physical security measures. However, in the unfortunate and rare event of a data breach that poses a risk to you, we will notify the relevant parties in accordance with applicable data protection laws and our contractual obligations. Where we act as a data processor, we will notify the data controller without undue delay upon becoming aware of a breach.

This will give you an opportunity to take steps to protect your position, for example, by changing passwords and informing your banks that you may be at risk of identity fraud.

Furthermore, where permitted by the laws of your jurisdiction, if notifying each affected individual involves a disproportionate effort, we may instead utilize public communication or similar measures to ensure you remain informed. However, we will always comply with the specific breach notification requirements and timelines prescribed by the laws of your country (e.g., South Korea, Japan, etc.).

CHILDREN’S PERSONAL DATA

The website of AIRS Medical is not directed toward, nor intended for use by, children. We do not knowingly collect or process personal data from individuals under the minimum age required for consent in their respective jurisdictions (e.g., 13 years of age in the U.S., 14 years of age in South Korea, 13 in the UK, or between 13 and 16 in the EEA).

If you are under the applicable minimum age in your jurisdiction, please do not use this website, register, or participate in any of the interactive features of this website, or provide any personal data to us, including your name, postal address, telephone number, or email address.

If you believe we might have inadvertently collected any personal data from a child under the applicable legal age for consent without verified parental consent, please contact us using the contact information below. Upon discovery or notification, we will take steps to delete such data from our systems.

AMENDMENTS TO OUR PRIVACY POLICY

We keep our privacy policy under regular review to make sure it is up to date and accurate. The date of the last update can be found at the beginning of this privacy policy. In the event of material changes, we will notify you by email or through a prominent notice on our website at least 30 days prior to the changes taking effect. We recommend that you visit this page regularly to check for any updates that may have been made.

CONTACT INFORMATION

If you have any questions about this privacy policy, or if you would like us to update information we have about you or your preferences, please fill out the Contact Us form or directly reach out to us at:

  • Attn: Chief Privacy Officer
  • Email Address: [email protected]
  • Postal Address: AIRS Medical Inc., 13-14 Floor, Keungil Tower, 223, Teheran-ro, Gangnam-gu, Seoul, 06142, Republic of Korea

DATA PROTECTION OFFICER (DPO) FOR THE EEA

In accordance with Article 37 of the EU General Data Protection Regulation (GDPR), we have designated a Data Protection Officer (DPO) for the European Economic Area. The DPO is responsible for overseeing compliance with applicable data protection laws within the EEA, advising on data protection obligations, and serving as a contact point for data subjects and supervisory authorities on all matters related to the processing of personal data.

If you are located in the European Economic Area and have questions or concerns regarding the processing of your personal data, or wish to exercise your rights under the GDPR, you may contact our DPO directly.

  • Attn: Data Protection Officer
  • Email Address: [email protected]
  • Postal Address: AIRS Medical Europe GmbH, Oskar-von-Miller-Ring 20, 80333 Munich, Germany

COMPLAINTS TO SUPERVISORY AUTHORITIES

If you are unhappy about how we have handled your personal data, you can make a complaint to our CPO, who will investigate the matter and report back to you. We would appreciate the chance to deal with your concerns before you approach the competent authorities, so please contact us in the first instance.

If you are still not satisfied after our response or believe we are not using your personal data in line with the law, you have the right to make complaints to the supervisory authorities or file an action directly in court against a company.

[UK] You can complain to the Information Commissioner’s Office (ICO), the UK regulator for data protection issues (www.ico.org.uk).

[EU] You can complain to a Data Protection Authority (DPA) against a company. DPAs are the national or regional public authorities who supervise the application of data protection laws and have the power to issue fines or other penalties against companies.

[Other Jurisdictions] For users in other regions, you may contact the relevant national data protection authority in your jurisdiction (e.g., the Personal Information Protection Commission (PIPC) in South Korea).

ADDITIONAL INFORMATION AND JURISDICTION-SPECIFIC NOTICES

Change Log

Date | Version | Description of Change(s) | Reason for Change(s) | Change(s) Made by
May 14, 2026 | 2.0 | Reflection of new requirements under multiple data protection laws, AI Acts | Comprehensive update | Hyejun Yoon
November 13, 2024 | 1.0 | Initial Release | Enactment | Gyuyeon Jeong