This policy describes how Ziwig processes and protects the personal data of users of the ZIWIG website (hereinafter “www.ziwig.com”), available at https://ziwig.com.

The processing of Personal Data is carried out in compliance with the General Data Protection Regulation (or “GDPR,” EU Regulation 2016/679) and the amended French Data Protection Act No. 78-17 (or “LIL”) (together hereinafter referred to as the “Applicable Legislation”).

The GDPR and the LIL do not apply to the processing of data that has been anonymized in such a way that the data subject is not or is no longer identifiable, including processing for statistical or research purposes.

This Policy may be modified, supplemented, or updated, in particular to comply with any legal, regulatory, jurisprudential, or technical developments.

This Policy forms an integral part of the Application’s Terms of Use.

**Definitions**

The following terms, when capitalized, shall have the meanings set forth below:

“Site” refers to the Ziwig website.

“Terms of Use” or “TOU” refers to the terms of use applicable to the Services.

“Personal Data” refers to any information relating to an identified or identifiable natural person as defined by the General Data Protection Regulation (GDPR).

“Equipment” refers to any type of computer hardware, software, and electronic communication means used by the User to access and use the Site.

“Parties” refers collectively to Ziwig and the User.

“Personal Data Protection Policy” or “Policy” refers to this document.

“User” means any natural person who uses the Site.

“Ziwig” means Ziwig, a simplified joint-stock company, registered with the Lyon Trade and Companies Register under number 848079075, with its registered office located at 19 rue Riboud, 69003 LYON.

1. Identity and contact information of the data controller

Legal Notice: The data controller, as defined by Applicable Law, is the person who determines the means and purposes of the processing. The data processor is a person who processes personal data on behalf of the data controller. The data processor acts under the authority of the data controller and in accordance with the data controller’s instructions.

The data controller for the processing of Personal Data described in this Policy is ZIWIG, a simplified joint-stock company, registered with the Lyon Trade and Companies Register under number 848 079 075, with its registered office located at 19 rue Riboud, 69003 LYON.

Ziwig takes appropriate measures to ensure the protection and confidentiality of the Personal Data it processes in accordance with the provisions of Applicable Law.

2. Processing of personal data

Purposes	Personal data processed	Legal basis for processing	Retention period
Management of user support and contact requests	Email address, last name, first name, subject of the request, message, date and time of the request	Ziwig’s legitimate interest	Data is retained until the message is successfully sent
Subscription to alerts (podcasts, news, and publications)	Email address	User consent	Data is retained only for the duration of the newsletter subscription
Management of requests for information about Ziwig Endotest®	Email address, phone number, last name, first name, country, message, date and time of the request	Ziwig’s legitimate interest	Data is retained until the message is successfully sent
Analysis of website traffic and prevention and detection of cyber fraud	Timestamp, device used for browsing, IP address	Ziwig’s legitimate interest	6 months
Complaints and requests to exercise rights	Last name, first name, email address, content of the request	Legal obligation	5 years from the date of the request

3. Cookies

The use of the Site requires technical cookies. These are cookies that are strictly necessary for the proper functioning of the Site and are essential for browsing the Site and using its features. If the User blocks these cookies by configuring their browser, Ziwig will no longer be able to ensure the optimal functioning of the Site.

The Site also uses audience measurement cookies (Google Analytics) that the User may choose to refuse at any time. These cookies collect only browsing data (timestamp, IP address, hardware used).

4. Social media

Any User of the Site may click on the icons for the social media platforms Twitter, Facebook, LinkedIn, YouTube, and Instagram displayed on the Site.

When the User clicks on these buttons, and if the User has an account on these social media platforms, Ziwig may have access to the personal information that the User has designated as public and accessible from their social media profiles. However, Ziwig does not collect or store any of this information in a database separate from the social media platforms.

5. Rights of Data Subjects

In accordance with Applicable Legislation, data subjects have the following rights:

– the right of access (Article 15 of the GDPR) and the right to rectification (Article 16 of the GDPR),
– the right to erasure of data (Article 17 of the GDPR), when such data is inaccurate, incomplete, ambiguous, outdated, or when its collection, use, disclosure, or retention is prohibited
– the right to withdraw consent at any time (Article 13(2)(c) of the GDPR)
– the right to restrict data processing (Article 18 of the GDPR)
– the right to object to data processing (Article 21 of the GDPR)
– the right to data portability, where such data is subject to automated processing based on consent or a contract (Article 20 of the GDPR)

The data subject has the right to determine what happens to their data after their death. In particular, the User may instruct Ziwig to disclose their data to a third party of their choosing. As soon as Ziwig becomes aware of a User’s death and in the absence of prior instructions from the User or actions taken by the heirs, Ziwig will destroy the User’s data, unless its retention is necessary for evidentiary purposes or to comply with a legal obligation.

If the data subject wishes to exercise their rights, they may contact Ziwig by email at dpo@ziwig.com. If applicable, they must specify the Personal Data they would like Ziwig to correct, update, or delete. In all cases, they must identify themselves precisely by providing any information necessary to verify their identity.

Data subjects may file a complaint with the supervisory authorities, including the CNIL (https://www.cnil.fr/fr/plaintes).

6. Processors and Recipients of Personal Data

Internal Use: The User’s Personal Data may be processed by Ziwig employees and its processors, within the scope of their respective responsibilities and solely for the purposes set forth in this Policy.

Recipients and Processors:

For the hosting of the Site, Ziwig uses dedicated servers provided by a hosting provider certified as a Health Data Host (HDS) within the European Union.

The IT maintenance of the Site has been entrusted to an IT service provider. As this provider is located in a country outside the European Union, it has committed to complying with the requirements described in the contractual clauses adopted by the European Commission to regulate the transfer of personal data to recipients located outside the European Union. A Data Transfer Impact Assessment (DTIA) was conducted to ensure that the service provider has implemented the necessary security measures to guarantee adequate data protection.

7. Security of Personal Data

Ziwig implements technical and organizational measures to ensure the security of Personal Data. These measures take into account specific restrictions and/or additional safeguards when the processing involves Personal Data relating to health (“sensitive data”). This includes protecting data against security breaches that accidentally or unlawfully result in the destruction, loss, alteration, disclosure, or unauthorized access to the data (personal data breach). To assess the appropriate level of security, Ziwig takes due account of the state of the art, the costs of implementation, the nature, scope, context, and purposes of the processing, as well as the risks to data subjects.

Ziwig grants access to Personal Data being processed to recipients and processors only to the extent strictly necessary to achieve the purposes of this Policy. Ziwig ensures that persons authorized to process the Personal Data received have committed to maintaining confidentiality or are subject to an appropriate legal obligation of confidentiality.