Nevro Privacy Notice

If you have a request concerning your medical records or other data processed by Nevro, please visit our data subject request portal here.

Version Effective date: February 2023

Introduction

Your privacy is important to us at Nevro Corp. and its affiliates (collectively, “Nevro”, “we” or “us”), and so is being transparent about our data protection practices. This Privacy Notice (“Notice”) applies to the information we collect through our Nevro.com, NevroHFX.com, and HFXforPDN.com (“Site” or “Sites”), when you communicate with us, and the information we collect in connection with the provision and development of our products and services (collectively, “Services”). By accessing the Sites and using our Services, you agree to our collection and use of personal information described herein and you agree to our Terms of Use.

This Notice describes the types of information we collect, the purposes for which it is used, and the choices you have with respect how we use your data. We encourage you to read this Notice to understand our privacy practices before using our Services.

For the purposes of European data protection laws, we are the controller with respect to your personal information. Please see below the relevant contact details for each Nevro entity in Appendix 1.

If you are a California resident and would like to exercise your California privacy rights, please see our California Privacy Notice (“California Notice”) below.

This Notice does not apply to information we collect about employees and job applicants. This Notice also does not apply to information collected from our HFX iQ™ patient application, please see our HFX iQ™ Patient Application Privacy Notice.

Click on one of the links below to jump to the listed section:

• About Nevro
• Information we collect
• How we use information
• How we share information
• International data transfers
• Your choices and rights
• How we store and secure information
• Other important privacy information
• Contact us
• California Notice

About Nevro

Nevro is a global medical device company that offers products and services for the Senza® and Senza Omnia™ HFX™ Systems.

Personal Information We Collect

We collect personal information about you when you provide it to us, when you use our Services, when you engage with us at Nevro-hosted education events and conferences, and when other sources provide it to us, as described below. For California residents, this is personal information we have collected in the past 12 months. The types of information listed in each category are examples and are not meant to be exhaustive. We collect the following types of personal information:

• Personal identifiers, such as your name, gender, date of birth, phone number, email address, physical address, and other contact information you may provide to us (for example, through the “Contact Us” page). When you refer a friend or a family member for one of our studies or clinical trials, we may collect personal identifiers about that person;
• Customer records, such as records of and information related to payments, insurance information, information about Services purchased or billed for, and other financial information;
• Characteristics of protected classifications under California and federal law, such as age and gender.  When you complete and submit a patient assessment form on our NevroHFX.com or HFXforPDN.com websites in the U.S., EEA, UK, Switzerland, and Australia, we collect your age, gender, phone number, email address, and other health-related information;
• Health information, (including special categories of personal information), such as any medical conditions you may be experiencing, any medications you may be taking, information related to your pain, your Nevro medical device settings, healthcare provider information, procedure information, information to facilitate treatment and post-treatment care, information related to our HFX™ therapy, and other related health information that you may provide to us. When you refer a friend or a family member for one of our studies or clinical trials, we may collect health information about that person that you provide;
• Testimonial information, such as your name, location, email address, pain location, implant date, photographs, and videos when you have consented to us publishing a testimonial of your experience. With your consent, your testimonial may be featured on a variety of platforms, including on our Sites, social media, television, print, audio, marketing emails, and promotional materials;
• Internet or other electronic network activity information, such as your operating system, IP address, device type, device version, and other information collected when you use our Sites and Services.   This also includes browser information, such as browser type, usage details, how you accessed our Sites, the pages you visit on our Sites, the amount of time spent on our Sites. We also use cookies to analyze trends, administer our Services, and track activity on our Sites. For more information about how we use cookies on Nevro.com and to learn how to manage cookies, please see our Cookie Notice. These details are collected automatically when you visit our Sites;
• Geolocation data, such as geolocation data that may be derived from your IP address;
• Audio and visual information, such as recordings of customer service calls, security camera recordings, CCTV images;
• Other information you provide to us.

How we use your personal information and the legal basis for processing

We use the information we collect about you to:

Right to object: under certain data protection laws, please note that you may have a right to object to the processing of your personal information where that processing is carried out for our legitimate interests. Please note however that we may not be able to fulfil this request in all instances. 

Please also note that if you do not provide certain personal information when requested we may be prevented from providing you with our Services or otherwise corresponding with you.

How we share your personal information for business purposes

The following chart describes the categories of personal information that we disclose to third parties for business purposes.  For California residents, this is personal information we have disclosed in the 12 months prior to the date of this Notice.

How We Sell Your Information

The following chart describes the categories of personal information that we sold (as the term is defined in the CCPA) to third parties, including if it was shared for online behavioral advertising purposes, in the 12 months prior to the date of this Notice.

Additional Information About How We May Share your Personal Information

We may disclose aggregate statistics regarding user behavior as a measure of interest in, and use of, our Sites or de-identified data, such as overall patterns or demographic reports.

We share personal information we have about you with our affiliated companies to operate and improve our Services. Nevro affiliated companies are owned or operated by us, and include the list of entities in Appendix 1. This Notice applies to the information we share with our affiliates.

We may disclose your information when we believe that disclosure is reasonably necessary to (1) comply with any applicable law, regulation, subpoena, legal process or enforceable governmental request; (2) enforce the provisions of this Notice; (3) protect against harm to the rights, property, or safety of Nevro, our customers, or the public as required or permitted by law; (4) help detect and protect against fraud and data security vulnerabilities; and (5) use as part of a sale, merger, reorganization of our entity or other restructuring.

International data transfers

We collect information globally, including from customers in the United States, EEA, United Kingdom, Switzerland, and Australia. We may transfer your information outside of the country in which you originally provided it to where our affiliated companies and service providers operate, including the United States. These countries may not have the same data protection laws as the country in which you provided your personal information. In particular, the European Commission, the Swiss Federal Data Protection and Information Commissioner and the UK Government (as applicable) have determined that the United States does not provide an adequate level of data protection.

To ensure that your data is secure, we use European Commission approved standard contractual clauses (including the UK Addendum where applicable) when we transfer information from the EEA, UK and Switzerland. We also make use of intra-group data transfer agreements to protect your information when we transfer it to our affiliated companies outside the EEA, UK and Switzerland. You can request further information in relation to international transfers (including a copy of any data transfer agreements) by using the contact details [email protected].

Your choices and rights

Your choices

Where appropriate or legally required, we will describe how we use personal information we collect so you can make choices about how your data is used. You can notify us during the information collection process and change your preferences at any time.

• Marketing communications: With your consent (where required by applicable law), we may contact you by email or phone to provide additional information about our Services. If you would like to opt-out of further marketing communications, you can click the link in the bottom of any marketing email, or email us at [email protected].
• Patient care communications: Subject to applicable law, we may call, email, or send SMS texts after your procedure to schedule appointments and facilitate follow up treatment.
• Transactional communications: We send transactional emails if you submit a message through the “Contact Us” form on our websites, to notify you about changes to our Services, and to send other disclosures as required by law.

Your rights

For California consumers, please see our California Notice for information about your rights and how to exercise them.

For other individuals, depending on your country or state and as required by law, you have the right to:

• Access and receive a copy of your data; and
• Update, amend, delete or correct incomplete or inaccurate data;
• For EEA/UK individuals, additionally:
  • Request to delete or restrict the processing of your personal information;
  • Request the transfer of certain personal information to a third party, in a machine readable format;
  • Withdraw your consent of our ability to use your data where we rely on consent as the legal basis. Please note that withdrawing your consent does not affect the lawfulness of our processing of your personal information based on such consent before the withdrawal;
  • Object to the processing of your data where we rely on our legitimate interest as the legal basis; and
  • Lodge a complaint with a Data Protection Authority/EU Supervisory Authority.

We can correct or delete incorrect data, or provide a copy of your information upon request, but we reserve the right to use your information to request additional information to verify your identity before we process your request and to maintain a copy of all requests for our legal records. If you wish to exercise these rights, please submit your request here and we will respond to verifiable requests within 30-45 days, depending on the applicable state or country regulations (if any). Applicable privacy laws may give you the right to file a complaint with a government regulator if you are not satisfied with our response.

How we store and secure information

Data security

We maintain appropriate administrative, technical, and physical safeguards designed to protect your personal information from unauthorized access and disclosure. These safeguards used to protect your data include, for example, a Corporate IT Security Policy, use-tested access and security controls, and controls for our third party service providers acting on our behalf or with whom we share your information.

Although we implement safeguards designed to protect your information, it is impossible to guarantee absolute security in all situations. If you have any questions about security of our Services, please contact us at [email protected].

Data retention

We retain personal information for as long as necessary to fulfill the purposes for which it was collected, including for as long as needed to support our business operations and develop our Services, comply with our legal obligations (such as maintaining medical records and reporting to regulatory authorities), resolve disputes, and enforce our rights.

Other important privacy information

Children’s privacy

Our Sites and Services are intended for a general audience and are not directed to children. We do not knowingly collect personal information online from minors under the age of 16. If you believe that a minor under the age of 16 may have provided us with personal information, please contact us at [email protected] and we will promptly delete that information from our records.

Third party services, applications, and websites

Certain third party services or websites you use, or navigate to or from our Services (such as social media sites) may have separate user terms and privacy policies that are independent of this Notice. We are not responsible for the privacy practices of these third party services or applications. We recommend carefully reviewing the user terms and privacy statement of each third party service, website, and/or application prior to use.

Do Not Track Requests

Some browsers have a “do not track” feature that lets you tell websites that you do not want to have your online activities tracked. At this time, we do not respond to browsers’ do not track signals.

Cookies

For more information about how we use cookies and to learn how to manage cookies, please see our Cookie Notice.

We use Google Analytics to evaluate the use of our website. Google Analytics uses cookies and other identifiers to collect information, such as how often users visit a website, what pages they visit when they do so, and what other websites they visited prior to visiting a website. To learn more about how Google Analytics collects personal information, review Google’s Privacy Policy.

Global Privacy Control 

We also recognize opt-out signals communicated through the browser-based extension offered through the Global Privacy Control, a non-profit that is in the process of developing a technological tool that can be used universally to signal a user’s privacy preferences.  However, please note that, due to the technical limitations of the Global Privacy Control’s extension, requests made through their extension apply only to the device on which the request is made (e.g., a specific computer) and will only work with the browser used to activate the opt-out setting (e.g., Duck Duck Go).

Third Party Websites

Our Sites and Services may contain links to websites and services that are owned or operated by third parties (each, a “Third-Party Service”) which may include features that collect your IP address, which page you are visiting on our Sites and Services and may set up a cookie to enable the links to function properly. Any information that you provide on such sites is provided directly to the Third-Party Service and we are not responsible for their respective content, privacy or security practices and policies. To protect your information, we recommend that you carefully review the privacy policies of all Third-Party Services that you access. Our Sites and Services may include access to publicly accessible blogs, forums, or social media pages. Personal information you voluntarily transmit or publish online in such publicly accessible blog, forum, or social media page may be viewed and used by others without any restrictions. Your interactions with these platforms are governed by the privacy policy of the company providing them.

Changes to Privacy Notice

We may update this Notice to reflect changes in our personal information practices or relevant laws. We will notify you if we make any material changes by revising the “effective date” at the top of this Notice. We encourage you to review this Notice for updates each time you use our Services.

Contact us

If you have any questions about our privacy practices, or if you would like to exercise your rights, please contact us at [email protected] or write to us at:

Nevro Corp.
Attn: Privacy
1800 Bridge Pkwy
Redwood City, CA 94065
USA

Additional Information for California Residents – California Notice

Introduction

This California Notice supplements the information provided in the Nevro Privacy Notice. As required by California law (including the California Consumer Privacy Act (“CCPA”)), this California Notice describes the rights and choices that California consumers have with respect to their personal information and Nevro’s responsibilities in relation to California consumers’ personal information. Capitalized terms used but not defined herein are defined in the Privacy Notice.

If you have questions or concerns about any of the information provided in this California Notice, please contact us using the information provided in the “Contact Us” section of the Privacy Notice.

Definition of Personal Information

For purpose of this California Notice, “personal information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular California consumer or household.

Personal information does not include:

• Publicly available information that is lawfully made available from federal, state, or local government records;
• De-identified or aggregated Consumer information; and
• Information excluded from the scope of the CCPA such as:
  • Health or medical information covered under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the California Confidentiality of Medical Information Act (“CMIA”) or clinical trial data;
  • Financial information covered under the Fair Credit Reporting Act (“FCRA”) or the California Financial Information Privacy Act (“FIPA”).

Scope

For purposes of the CCPA, Nevro acts as a business in relation to personal information collected through our Services, our HFX Access™ reimbursement support provided pursuant to patient authorization, providing customer support, and our marketing activities. This California Notice does not cover personal information processed for clinical trial purposes or those other activities excluded from the scope of the CCPA. (See the “How we use information” section above.)

Your California Privacy Rights

If you are a resident of California, you have specific rights regarding your personal information. This section describes your rights under the CCPA and how to exercise them. However, these California privacy rights are not absolute, and we may be able to decline your request in accordance with the CCPA. You may exercise your California privacy rights following the methods described under the subsection titled “Exercising Your California Privacy Rights” below.

• Right to Access and Know About Personal Information Collected, or Disclosed. You have the right to request that Nevro disclose certain information to you about our collection and use of your personal information over the past twelve (12) months, including:
  • Specific pieces of personal information we have collected about you;
  • Categories of personal information we have collected about you;
  • Categories of sources from which such personal information was collected;
  • Categories of personal information that the business disclosed for a business purpose about the consumer;
  • Categories of third parties to whom the personal information disclosed for a business purpose; and
  • The business or commercial purpose for collecting your personal information.
• Right to Portability. You have the right to receive certain personal information that you provided to us, in a machine-readable form and/or that we transmit it to a third party with your express authorization.
• Right to Correct Personal Information. You have the right to request that Nevro correct any inaccurate personal information or complete any incomplete personal information.
• Right to Delete Personal Information. You have the right to request that Nevro delete personal information we may hold about you. Please be aware there are occasions when we are not able to delete your personal information. If we deny your request to delete personal information, we will inform you of the reasons for denial in our response to you. We will keep a copy of your deletion request in order to document that the action was taken, and any new information you submit to Nevro will not be subject to the pre-dated deletion request.
• Right to Limit the Use and Disclosure of Sensitive Personal Information. You have the right to request that Nevro limit the use and disclosure of your sensitive personal information to only that which is necessary to perform the Services.
• Right to Opt Out of Sharing or Sale of Personal Information. We sell (as the term is defined under the CCPA) personal information when you interact with a Site. You have the right to opt-out of the sale of your personal information with third parties. We do not knowingly sell the personal information of any individuals under 16 years of age.

If you opt-out of the sale of your personal information, we will wait at least 12 months before asking you if we may sell your personal information.

Exercising Your California Privacy Rights

To exercise your right to opt out of the sale of your personal information, click here.

You may exercise your rights to access, know, or delete once every twelve (12) months. To exercise these rights under the CCPA, you must submit a verifiable consumer request. To submit a verifiable request, please submit a consumer request through our webform. Alternatively, you can submit your request by phone at 1.888.956.3876.

To help protect your privacy and maintain security, we take steps to verify your identity before granting you access to your information. To verify your identity to make the request and confirm the personal information relates to you, we will ask you to accurately provide for at least four (4) unique identifiers or submit a completed a notarized medical record request form. You may download a medical records request form as part of the records request process.

Our Commitment to Allowing You to Exercise Your Rights – Non-Discrimination

If you exercise any of the rights explained in this Policy, we will continue to treat you fairly.  If you exercise your rights under this Policy, you will not be denied or charged different prices or rates for goods or services, or provided a different level or quality of goods or services than others.

Household Information

Some types of personal information can be associated with a household (a group of people living together in a single dwelling). Requests for access or deletion of household personal information must be made by each member of the household. To the extent we collect household information and requests are made pertaining specifically to such information, before responding to a request, we will verify the identity of each member of the household using the verification criteria explained above and will also verify that each household member is currently a member of the household.

Designated Authorized Agent

You may designate an individual, who is registered with the California Secretary of State to act on your behalf, to submit a verifiable consumer request relating to your personal information. Authorized agents must additionally provide documentation of their designation, such as a notarized medical records request form (available for download here) or power of attorney.

We cannot respond to your request if we cannot verify your identity and/or authority to make the request on behalf of another and confirm the personal information relates to you. Making a verifiable consumer request does not require you to create an account with us. We will only use personal information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request.

Response Timing and Format

We will confirm receipt of your consumer request within ten (10) business days. We will respond to your verifiable consumer request within forty-five (45) days from the date we receive it. In some cases, we may require additional time to complete your request and will inform you if additional time is needed. Where additional time is needed, we may take up to a maximum of ninety (90) additional days to complete your request.

Financial Incentives

Nevro does not offer financial incentives or price or service differences in exchange for the retention or sale of personal information.

California Shine the Light

California Civil Code Section 1798.83, also known as the “Shine the Light” law, permits California residents that have an established business relationship with a business to annually request, free of charge, information about certain categories of personal information a business has disclosed to third parties for those parties’ direct marketing purposes in the preceding calendar year.

Questions

If you have questions about this California Notice, please contact us.

Data Protection Representatives

For the purpose of EU GDPR, our EU Data Protection Representative is: Nevro Germany GmbH ([email protected])

For the purpose of UK GDPR, our UK Data Protection Representative is: Nevro Medical Ltd. ([email protected])

Appendix 1 – Contact Details