PRIVACY NOTICE

Last updated: March 27, 2025

This Privacy Notice describes how your personal data, including sensitive data, are collected and processed. The processing of your personal data comply, according to your country, with local law requirements, including the Swiss Federal Data Protection Act (“FDPA”), the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (“GDPR”), U.S. state data privacy laws such as the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), or the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) for personal data qualified as Protected Health Information.

This Privacy Notice may be updated from time to time. In this case, we will inform you that this Privacy Notice has been modified and the “last updated” date on top of this document will be modified. We recommend that you periodically review the latest version of this Privacy Notice.

Who we are

Aureliym GmbH and Sonova AG act as independent or joint controllers. A given professional or HCP or ENT specialist’ user may also act as Joint or Independent Controller for the processing described in the applicable privacy notice for recipients.

Personal data we collect from you and why.

Aureliym GmbH and Sonova AG processes your personal data for the following purposes:

• To uniquely identify professionals who work with our recipients, so we can provide you with the correct and appropriate data (including, but not limited to, patient data)

  • This activity is based on our legitimate interest to ensure the security and integrity of user accounts and the protection of personal data.

• To provide relevant contact information to Sonova AG’s staff in the country or region

  • This activity is based on consent

Insofar as Sonova AG and you as ENT or, where applicable, as HCP act as Joint Controllers, you may use the SilentCloud ENT or HCP dashboard to process additional personal data for the following purposes:

• To track recipients and their information (including, but not limited to, recipient’s personal and health data: contact data, diagnostic data such as medical history questionnaire, medication use, tinnitus related questionnaires, tinnitus assessment, hearing assessment, ENT prescription information, therapy data such as usage and status data, tinnitus assessment outcome), to provide ongoing clinical support and medical services (such as by activating the therapy, providing medical service and personalizing the therapy for patients).

This activity is based on the recipient’s consent provided when requested to activate the prescription code in the mobile app. If the ENT or, where applicable the HCP acts as an independent data controller and provides the recipient with the prescription or a code, the ENT or, where applicable, the HCP is responsible for obtaining valid consent to share the recipient's personal data, including sensitive data, with Sonova AG and Aureliym GmbH in order to enable us to track their therapy in the SilentCloud mobile app.

How we share your personal data

Your personal data will be processed according to the instructions we provide to our employees who have received the necessary training in data protection and are subject to an obligation of confidentiality.

Your personal data may also be disclosed to:

• Other companies in our group of companies, such as our subsidiaries, all of which are required to protect personal data in accordance with applicable privacy and data protection laws;
• Our business partners, contractors and third-party service providers. These third parties only process personal data that are strictly necessary for the services they provide to us, according to our instructions and in compliance with our privacy and security requirements.
• Other organizations and public bodies, supervisory and control authorities, including law enforcement agencies, as may be required by law.

By using the SilentCloud ENT or HCP dashboard, only personal data that are strictly necessary for the following purposes are shared:

• Microsoft Ireland Operations Limited (Ireland), Microsoft Azure (data are stored in EU or US depending on user’s location), which is the infrastructure hosting our services.

Before we disclose any personal data to other third parties than those listed above, we will explicitly ask you for your consent. However, if we are obliged to disclose personal data without your consent, we will only disclose personal data that are strictly necessary for that purpose to fulfil our legal obligations.

International personal data transfers

Please note that some of the above-mentioned third parties can be located outside your country. Therefore, your personal data may be transferred to countries that do not provide the same level of protection of personal data as your own country. In such cases, we undertake to:

• implement adequate procedures to comply with applicable law;
• adopt appropriate organizational, technical and legal safeguards in order to ensure an adequate level of protection of the personal data transferred;
• implement, if necessary, and according to applicable law, standard contractual clauses as adopted by the European Commission;
• depending on the country of the importing third party, take additional measures such as a transfer impact assessment.

How long we keep your personal data

We will retain your personal data for a minimal period proportional to the time required to fulfil the purposes outlined in Section 2. For example, relevant personal data will no longer be retained if you delete your account or if our contractual obligations are fulfilled. In the event applicable law or other regulations require a longer retention period, we will apply the longer retention period in order to fulfill our legal obligations.

Your legal rights

Within the framework of the collection and processing of your personal data, and as per applicable law, you may have the right to request access, rectification, erasure of your personal data, or restriction of processing. In addition, you may object to the processing, request data portability and withdraw your consent at any time. According to your country, you may have other rights such as providing instructions for how your personal data should be processed posthumously.

You may exercise your rights by using the contact details in the “How to contact us” Section below. Please note that the exercise of such rights is subject to the limitations provided by applicable law.

If you consider that the processing of your personal data infringes applicable law then you may also lodge a complaint with the local supervisory authority or the competent regulator.

How to contact us

You can always contact Aureliym’s or Sonova’s Data Protection Officer for any of the purposes mentioned above at privacy@AURELIYM.com or Privacy@Sonova.com.