Privacy Policy – UK & Europe (GDPR)

Effective Date: May 2026

Applies to: Individuals in the United Kingdom (UK), the European Union (EU), and the European Economic Area (EEA)

1. Introduction

Apreo Health, Inc. (“Apreo”, “we”, “us”, or “our”) is committed to protecting your personal data and handling it in a lawful, fair, and transparent manner. This Privacy Notice explains how we collect, use, share, transfer, and protect your personal data when you:

  • Visit our website or digital platforms
  • Participate in a clinical trial using Apreo technologies
  • Contact us for support or business purposes
  • Use or interact with our health technologies or services

This Notice also explains your privacy rights and how you can exercise them.

2. Who We Are

Apreo Health, Inc. is a US based medical technology company developing respiratory clinical devices. We work internationally with hospitals, clinical sites, regulators, research partners, and service providers.

For the purposes of the UK GDPR and EU GDPR, Apreo acts as:

  • Data Controller for its website, business operations, communications, and direct relationships with individuals
  • Controller or Joint Controller for clinical research and device investigations, depending on how responsibilities are allocated with study sites or partners

Where required, we put in place appropriate contractual and governance arrangements to reflect these roles.

Our details:
Apreo Health, Inc.
4040 Campbell Ave, Ste. 210
Menlo Park, CA 94025
United States
Email: dpo@apreohealth.com

Where required by law, we have appointed a Data Protection Officer and representatives in the EU and the UK.

3. Data Protection Legislation

We process personal data in accordance with:

  • The UK General Data Protection Regulation
  • The EU General Data Protection Regulation

We apply a consistent privacy approach based on the core principles of lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, security, and accountability.

4. Personal Data We Collect

The types of personal data we collect depend on your relationship with us and how you interact with Apreo.

4.1 Personal Data You Provide Directly

  • Contact details, such as name, email address, phone number, role, and organisation
  • Account or login details, where applicable
  • Communications and correspondence
  • Information provided when you participate in or support clinical research, in line with approved study protocols

4.2 Health and Clinical Data

For clinical trial participants or users of our medical device, we may process:

  • Health, respiratory, or physiological data
  • Medical history relevant to study eligibility
  • Safety, adverse event, and vigilance information
  • Study documentation required for regulatory compliance

This information is subject to enhanced legal, technical, and organisational safeguards.

4.3 Technical and Website Data

  • IP address and general location information
  • Cookie and analytics identifiers
  • Browser, device, and operating system information
  • Website usage and activity data

4.4 Professional and Business Related Data

  • Contact and professional details of investigators, site staff, vendors, and partners
  • Contractual, billing, and payment information
  • Due diligence, compliance, and credentialing records
  • Business communications and project management information

4.5 Information from Third Parties

  • Information provided by clinical sites, investigators, or research partners
  • Regulatory or safety documentation
  • Publicly available professional information where relevant

5. How We Collect Personal Data

We collect personal data:

  • Directly from you
  • From clinical sites, investigators, and research partners
  • From service providers supporting our operations
  • From publicly available sources
  • Automatically through cookies and similar technologies on our website

We do not use personal data for automated decision making that produces legal or similarly significant effects without human involvement, unless permitted by law and subject to appropriate safeguards.

6. How We Use Your Personal Data

We only process personal data where we have a lawful basis and for defined purposes, including:

6.1 Clinical Research and Trials

  • Managing clinical trial participation and study records
  • Monitoring safety and adverse events
  • Analysing clinical outcomes and device performance based on clinical assessments
  • Meeting ethical, scientific, and regulatory requirements

6.2 Product Evaluation and Development

  • Assessing safety, efficacy, and performance during clinical investigations
  • Supporting scientific analysis and regulatory submissions
  • Improving device design based on aggregated clinical findings

6.3 Website and Communications

  • Responding to enquiries and requests
  • Providing professional or business related information
  • Improving website functionality and security

6.4 Business, Legal, and Security Purposes

  • Managing contracts, partners, and vendors
  • Protecting systems, data, and networks
  • Complying with legal, regulatory, and reporting obligations
  • Establishing, exercising, or defending legal claims

7. Legal Bases for Processing

Under Article 6 of the UK GDPR and EU GDPR, we rely on the following legal bases, depending on the context:

7.1 UK GDPR and EU GDPR Article 6

Purpose of Processing | Legal Basis | Technical and Organisational Measures
Clinical trials, device safety, and public health functions | Public Interest, Article 6(1)(e) | Good Clinical Practice controls, standard operating procedures, audit trails, and restricted access
Regulatory submissions, safety reporting, and adverse events | Legal Obligation, Article 6(1)(c) | Regulatory audit trails, secure transfer, and retention controls
Providing services to investigators, sites, or partners | Contract, Article 6(1)(b) | Role based access, encryption, and confidentiality controls
Website operations, analytics, fraud prevention, and IT security | Legitimate Interests, Article 6(1)(f) | Minimisation, security monitoring, legitimate interest assessments, and data protection impact assessments where required
Optional marketing or non essential cookies | Consent, Article 6(1)(a) | Consent tools and withdrawal mechanisms
Emergency or safety situations | Vital Interests, Article 6(1)(d) | Incident procedures and limited access

7.2 Special Category Sensitive Health Data

Purpose of Processing | Legal Basis | Technical and Organisational Measures
Clinical investigation data and device performance data | Public health interest, Article 9(2)(i) | Ethics approval, protocol compliance, audit trails, and secure systems
Scientific and technical research related to device development and evaluation | Scientific research, Article 9(2)(j) | Pseudonymisation, minimisation, and restricted access
Device safety monitoring and post market surveillance | Public health, Article 9(2)(i) | Controlled access and documented vigilance procedures
Where required by law or study design | Explicit consent, Article 9(2)(a) | Study specific consent documentation
Legal claims, complaints, investigations, or regulatory defence | Legal claims, Article 9(2)(f) | Legal holds and secure storage

These bases reflect compliance with the EU Medical Device Regulation, UK Medical Devices Regulations, and applicable clinical investigation requirements, where applicable to device investigations.

8. Cookies, Analytics and Tracking Technologies

Our website uses cookies and similar technologies to operate effectively and to understand how it is used. Cookies may include:

Necessary and Essential Cookies

These Cookies are essential to provide services and enable core Website features, including user authentication and fraud prevention, and without them, the requested services cannot be delivered.

Cookies Policy and Notice Acceptance Cookies

These Cookies identify if users have accepted the use of cookies on the Website.

Functionality Cookies

These Cookies remember your preferences, such as login details or language settings, to provide a more personalised experience and avoid you having to reenter them each time you use the Website.

Tracking and Performance Cookies

These Cookies are used to analyse website traffic, understand how users interact with the Website, and test new pages or features, and may involve information linked to a pseudonymous identifier associated with your device.

Where required, we seek your consent before placing non essential cookies. You can manage your cookie preferences through your browser settings. Further information is available in our Cookie Notice.

Our website may contain links to third party websites. We are not responsible for their content or privacy practices. Any personal data you provide to third party websites will be handled in accordance with their own privacy notices.

9. Who We Might Share Your Information With

We may share personal data with:

  • Clinical trial sites, investigators, and research partners
  • Service providers supporting our operations
  • Professional advisers, such as legal or audit advisers
  • Regulators or authorities, where required by law
  • Third parties, where necessary, to protect legal rights or prevent harm
  • A buyer or successor organisation in the event of a business transfer

Where appropriate, contractual and security safeguards are in place for data sharing.

10. How Long We Keep Your Information For

We retain personal data only for as long as necessary for the purposes described, in accordance with legal, regulatory, and contractual requirements. Clinical research and safety records may be retained for extended periods where required by medical device or research regulations.

11. How We Keep You Updated on Our Products and Services

We may contact you where necessary to manage our relationship with you, deliver our services, or meet legal or regulatory obligations. These communications are service related and are not marketing.

Where we send marketing or promotional communications, we do so only where permitted by law and, where required, with your consent. You may opt out of marketing communications at any time by using the unsubscribe link in our emails or by contacting us using the details in the Contact Us section.

You also have the right to object to direct marketing at any time.

12. Your Rights Over Your Information

Depending on your circumstances, you may have the right to:

  • Be informed about how your data is used
  • Access your personal data
  • Request correction of inaccurate or incomplete data
  • Request deletion in limited circumstances
  • Restrict processing
  • Object to certain processing, including direct marketing
  • Withdraw consent at any time
  • Lodge a complaint with a data protection authority

Some rights may be limited where processing is required for clinical research, public health, or legal obligations.

If you are in the UK, you can contact the Information Commissioner’s Office at www.ico.org.uk.
If you are in the EU or EEA, you can find your supervisory authority on the European Data Protection Board members page.

To exercise any of these rights, please contact us using the details in the Contact Us section below.

13. Security

We implement appropriate technical and organisational measures to protect personal data, including access controls, encryption where appropriate, monitoring, incident response procedures, and staff training.

14. International Transfers

Personal data may be transferred outside the UK, the EU, or the EEA. Where this occurs, we use appropriate safeguards, such as:

  • Adequacy decisions
  • Standard Contractual Clauses
  • Transfer risk assessments
  • Technical and organisational security measures

15. What Happens If Our Business Changes Hands?

We may, from time to time, expand or reduce our business, which may involve the sale and transfer of control of all or part of our business. Any personal data that you have provided will, where it is relevant to any part of our business that is being transferred, be transferred along with that part, and the new owner or newly controlling party will, under the terms of this Privacy Notice, be permitted to use that data only for the purposes for which it was originally collected by us.

16. Contact Us

If you would like to exercise your privacy rights, ask a question, or raise a concern about how we handle your Personal Data, please contact our Data Protection Officer using the details below. Individuals in the EU, EEA, and the UK may use these contact details for any privacy related enquiries or requests.

Data Protection Officer
Primary contact for all enquiries
Email: dpo@apreohealth.com

European Union Representative:
eurep@apreohealth.com

United Kingdom Representative:
ukrep@apreohealth.com

17. Changes to Our Privacy Notice

Thank you for taking the time to read our Privacy Notice. We may update this Privacy Notice from time to time. The most current version will always be available on our website.

This Notice was last updated in May 2026.