Allurion Insights Privacy Notice

Effective date: 5 January 2023

Allurion Technologies, Inc. ("Allurion", "our", "we", "us") sets out in this privacy notice ("Privacy Notice") how it collects, uses, holds, or discloses the personal data of healthcare professionals or clinical representatives (“you”, “your”) in connection with your registration and use of the Allurion Insights platform ("Allurion Insights") and in accordance with the General Data Protection Regulation 2016/679 ("GDPR"), the GDPR in such form as incorporated into the law of the United Kingdom by virtue of the European Union (Withdrawal) Act 2018 and the UK Data Protection Act 2018, Australia’s Privacy Act 1988 (Cth), the Brazilian law 13.709/2018 (“LGPD”), and other applicable national, state, or provincial data protection laws, as amended or replaced from time to time.

Allurion Technologies Inc., with its registered office at 11 Huron Drive, Natick, Massachusetts, 01760, USA, email: help@allurion.com, will be the controller of your personal data. Allurion has appointed Allurion S.a.s., with its address at 6 Boulevard Montmartre 75009 Paris, France as its data protection representative whom you may contact if you are based in the European Economic Area (“EEA”). If you are based in Mexico, Allurion Technologies, Inc. can also be contacted at: Av. Prolongación Paseo de la Reforma, No. 51, Piso 12 Oficina 1204, Colonia Paseo de las Lomas, Alcaldía Álvaro Obregón, Ciudad de México, C.P. 01330. Generally, if you have any questions about this Privacy Notice, please contact us by email at: help@allurion.com.

1. Personal data we collect from you and why we use it

When you choose to create an account with Allurion Insights, using an online form, we will collect personal data from you such as: username, password, first name, last name, email address and the clinic where you are based.

When you connect with your patients through Allurion Insights we will have access to the contents of those communications. Also, if you choose to store your notes, in connection with consultations you conduct with your patients, within Allurion Insights, we will have access to this information.

We are required to specify the legal basis under which we are allowed to process certain personal data. We will process your personal data for our legitimate interests. Your personal data will be processed by Allurion for the following purposes:

We may also process your personal data where we have a legal obligation to do so.

Note, in accordance with the Health Insurance Portability and Accountability Act of 1996, Allurion’s use and disclosure of protected health information is subject to the terms of its Business Associate Agreement with healthcare provider customers.

2. Disclosure and storage of your personal data

Allurion may disclose your personal data to the following categories of individuals/businesses and/or for the following reasons:

Allurion is based in the United States, and therefore your personal data will be transferred from your jurisdiction to the United States. The United States may not provide the same level of protection as the data protection laws in your jurisdiction. For transfers to Allurion, these will be governed by the European Commission-approved Standard Contractual Clauses. For transfers to third parties we will ensure reasonable and appropriate safeguards are in place to safeguard such transfers, according to applicable data protection laws. For any further information please contact Allurion at: help@allurion.com.

We keep your personal data for as long as your Allurion Insights account is in existence because we need it to operate your account. Personal data will be deleted when your account has expired, unless we are required to retain such personal data under applicable laws.

3. Your rights

Depending on where you are located, you may have the right to: (a) access the personal data we hold about you; (b) request we correct any inaccurate personal data we hold about you; (c) request we delete any personal data we hold about you; (d) restrict the processing of personal data we hold about you; (e) object to the processing of personal data we hold about you; and/or (f) receive any personal data we hold about you in a structured and commonly used machine readable format or have such personal data transmitted to another company.

To exercise any of your rights in connection with your personal data, please contact us at: help@allurion.com. Please note that we may ask you to verify your identity before responding to such requests. You have the right to complain to your local data protection authority in your country about our collection and use of your personal data.

4. Changes to this Privacy Notice

We may update our Privacy Notice from time to time. We will notify you of any changes by posting the new Privacy Notice on this page. Where required by law, we will provide you the opportunity to read the revised notice so that you may decide whether you wish to continue to use Allurion Insights. Your continued use of Allurion Insights after the changes to this Privacy Notice will be deemed to be your acceptance of those changes.

5. If you are accessing Allurion Insights from Mexico

a) Your ARCO rights

To exercise any of your ARCO rights in connection with your personal data, please contact us at: help@allurion.com. When you choose to access, rectify, update, oppose, limit the use or divulgence of, or request the deletion of your personal data, your request must include, at least, the following:

Unless you expressly indicate that you want to receive a reply by different means, we will respond to your request via the email address provided on your application within a maximum period of twenty (20) business days, from the date the request was received. If we are required to do so, we will action your request within fifteen (15) business days from the date we responded to your request. In the case of requests for access to personal data, we will provide you with a copy of your personal data, providing we have prior proof of your identity or that of your legal representative, as applicable.

These deadlines may be extended once (for an equal period), if justified by the circumstances.

Provided that the withdrawal of your consent does not result in us being unable to comply with any obligations with regard to our relationship with you, the consent granted by you for the processing of your personal data may be revoked by delivering a written notice or an email to us, using the contact details listed below. The withdrawal of consent will be effective from the date on which we receive your request.

b) Consent for processing and transferring personal data

If you are based in Mexico, your consent for the processing of your personal data according to the terms provided herein will be deemed expressly granted when you acknowledge this Privacy Notice. By your acceptance, you also consent to any transfer of Personal Data that may be carried out by us pursuant to the terms of this Privacy Notice.

6. If you are accessing Allurion Insights from Brazil

a) Sensitive Data

You expressly agree that for the provision of the services once you create your Allurion Insights account we may access, process and transfer your data in accordance with this policy and Brazilian law 13.709/2018 (“LGPD”).

b) Your LGPD rights

To exercise any of your LGPD rights in connection with your personal data, please contact us at: help@allurion.com. When you choose to access, rectify, update, oppose, limit the use or divulgence of, or request the deletion of your personal data, your request must include, at least, the following:

Unless you expressly indicate that you want to receive a reply by different means, we will respond to your request via the email address provided on your application within a maximum period of fifteen (15) days from your request. In the case of requests for access to personal data, we will provide you with a copy of your personal data, providing we have prior proof of your identity or that of your legal representative, as applicable.

These deadlines may be extended once (for an equal period), if justified by the circumstances and legally approved. Provided that the withdrawal of your consent does not result in us being unable to comply with any obligations with regard to our relationship with you, the consent granted by you for the processing of your personal data may be revoked by delivering a written notice or an email to us, using the contact details listed below. The withdrawal of consent will be effective from the date on which we receive your request.

c) Consent for processing and transferring personal data

If you are based in Brazil, your consent for the processing of your personal data according to the terms provided herein will be deemed expressly granted when you acknowledge this Privacy Notice, including the processing of your sensitive personal data. By your acceptance, you also consent to any transfer of Personal Data that may be carried out by us pursuant to the terms of this Privacy Notice.