Privacy Policy – Q-SPIROx by COSMED
Last Updated: 26/11/2025
COSMED S.r.l. (“COSMED”, “we”, “our”, or “us”) is committed to ensuring high standards of privacy and data protection. This Privacy Policy explains how the Q-SPIROx by COSMED mobile application (the “App”) handles personal and clinical data.
A fundamental principle of this App is simple:
All data generated or entered in the App remains stored locally on the user’s device. Data is never transmitted to COSMED or to any COSMED-controlled external server.
1. Scope and Roles under GDPR
This Privacy Policy describes the processing of personal and clinical data performed through the App.
For the purposes of patient data processed locally on the device using the App:
- The Data Controller is the healthcare professional or healthcare organization using the App in the context of its medical practice.
- COSMED S.r.l. does not act as Data Controller nor as Data Processor for patient data stored locally in the App, as such data are never transmitted to COSMED and COSMED has no access to them.
COSMED S.r.l. may act as an independent Data Controller only for:
- anonymised technical information relating to the App (e.g. if crash logs are shared with Apple or Google in accordance with their own settings and privacy policies); and
- any personal data processed through its corporate website, support channels or other services, which are covered by separate privacy notices.
2. Definitions
For the purpose of this Privacy Policy:
- “Data Controller” means the natural or legal person who determines the purposes and means of the processing of personal data. For patient data processed through the App, this is the healthcare professional or healthcare organization using the App.
- “Data Subject” means the identified or identifiable natural person to whom the personal data relate (e.g. the patient).
- “Personal Data” means any information relating to an identified or identifiable natural person.
- “Processing” means any operation performed on personal data (such as collection, storage, consultation, alteration, deletion), as defined in Article 4 GDPR.
“Personal Data” and “Processing” shall have the meanings given in the General Data Protection Regulation (EU) 2016/679 (“GDPR”).
3. Contact Details of COSMED
COSMED S.r.l.
Via dei Piani di Monte Savello 37
00041 Albano Laziale (RM), Italy
Email:
Website: www.cosmed.com
Please note that COSMED cannot access patient data stored locally in the App and therefore cannot respond to patient data subject requests relating to such data.
4. Information We Collect and Store Locally
All patient and test data described below are stored exclusively on the user’s device, inside an encrypted local database. The App does not transmit patient data to COSMED.
4.1 Patient Information (entered manually by the healthcare professional)
The App allows the creation and management of a local patient archive, which may include:
- Name, initials, or patient code
- Date of birth / age
- Sex at Birth
- Anthropometric data
- Notes or optional identifiers
This information is saved exclusively on the mobile device in an encrypted local database. Nothing is uploaded, transmitted, or synchronized outside the device by the App.
4.2 Spirometry and Oximetry Test Data
When the App connects via Bluetooth Low Energy (BLE) to the COSMED Q spirometer/oximeter, the following test data may be acquired and stored locally:
Spirometry:
- FVC (L)
- FEV1 (L)
- FEV6 (L)
- FEV1/FVC (%)
- PEF (L/s)
- PIF (L/s)
- FEF25–75 (L/s)
- FET 100% (s)
- FIVC (L/s)
- FIV1 (L/s)
- FEV0.5 (L/s)
- Test Acceptability (ATS 2019)
- Quality Control Grade (ATS 2019)
- Automatic Interpretation (ATS 2019)
- VC (L)
- EVC (L)
- IVC (L)
- ERV (L)
- IC (L)
- Vt (L)
- VE (L/min)
- Rf
- Ti (s)
- Flow–volume and volume–time curves displayed during the test
Oximetry:
- SpO2 (%)
- HR (bpm)
- O2 flow
- O2 (%)
- PI (%)
All these measurements are stored only in the encrypted local database on the device.
4.3 Device and Technical Information
The App may collect anonymised technical data such as:
- App version
- Device model and operating system
- Crash logs (only if the user enables the operating system’s opt-in diagnostics sharing, e.g. Apple’s “Share diagnostics”)
This information never contains patient data. Such technical data may be processed by the operating system provider (e.g. Apple, Google) according to its own privacy settings and privacy policies. COSMED may receive only aggregated and/or anonymised information, where available.
5. Local-Only Data Architecture and Device Backups
The App has been designed with a local-only data model, meaning:
- No cloud storage managed by COSMED
- No COSMED remote servers
- No external synchronization initiated by the App
- No automatic sharing with COSMED or third parties by the App
All personal and clinical data remain inside an encrypted database stored on the device. Users (healthcare professionals) maintain full control over what is saved, exported, or deleted.
5.1 Device-Level Backups
Although the App itself does not transmit personal or clinical data to COSMED or to servers controlled by COSMED, data stored locally in the App may be included in device-level backups (e.g. iCloud, Google Drive) if such services are enabled by the device owner.
In that case:
- The relevant cloud service provider (e.g. Apple, Google) acts as an independent Data Controller for the backup copy, according to its own terms and privacy policy;
- COSMED has no access to such backups and does not control how they are managed.
Healthcare professionals should configure device and backup settings in accordance with their own data protection obligations and internal policies.
6. Data Sharing
The App includes no mechanism for sharing patient data with COSMED or any external party automatically.
The only form of data output is:
- A report generated on the device, which the user may export manually using standard iOS/Android sharing functions (email, printing, file storage, etc.).
Exporting a report is entirely voluntary and under the responsibility of the user (healthcare professional / healthcare organization).
The App does not send any information automatically.
7. Purposes and Legal Basis of Processing
7.1 Purposes of Processing within the App
Data collected and stored locally in the App are used solely to:
- Manage the local patient archive
- Perform and display spirometry and oximetry tests
- Show real-time curves
- Store results for future review
- Generate clinical reports when requested by the user
The App does not use patient data for:
- analytics or profiling,
- advertising,
- remote processing,
- any other secondary purpose.
7.2 Legal Basis (for Healthcare Professionals using the App)
The processing of patient data within the App is carried out under the responsibility of the healthcare professional or healthcare organization acting as Data Controller. The legal basis for such processing typically includes, depending on the context and applicable law:
- compliance with legal obligations in the field of healthcare; and/or
- performance of tasks carried out in the public interest; and/or
- provision of medical diagnosis, care or treatment, as provided by applicable national law and Article 9(2)(h) GDPR (processing of special categories of data for healthcare purposes).
COSMED does not determine these purposes and means and therefore does not act as Data Controller for patient data processed locally in the App.
8. Data Security
To protect stored information, the App uses several security measures, including:
- An encrypted local database containing all patient records and test data
- No external data transmission by the App to COSMED
- Operating-system–level security (e.g. device passcode, biometric lock, sandboxing)
- User-driven deletion controls
Users (healthcare professionals) may delete individual records or all data at any time, or remove the App to erase all stored information from the device (without prejudice to any device-level backups controlled by Apple/Google or other providers).
Healthcare professionals remain responsible for:
- securing the physical device;
- choosing strong authentication methods;
- complying with applicable professional and legal obligations regarding medical data.
9. Data Retention
For patient data stored locally in the App:
- Data are kept on the device for as long as the healthcare professional or healthcare organization decides to retain them for clinical, legal and/or administrative purposes, in accordance with applicable law.
- The user may delete individual patient records or test results at any time via the App’s functions.
- Deleting/uninstalling the App from the device will erase the local database from the device (without prejudice to any automatic device or cloud backups managed by the operating system provider or other third parties).
COSMED does not set any retention period for patient data processed locally in the App, as it does not have access to such data.
10. Data Subjects’ Rights
For patient data stored locally in the App:
- The relevant Data Controller is the healthcare professional or healthcare organization using the App.
- Patients (data subjects) may exercise their rights under the GDPR – including the rights of access, rectification, erasure, restriction of processing, data portability and objection – directly with that healthcare professional or organization, in accordance with applicable law.
The App provides functions that allow the user (healthcare professional) to:
- view stored data,
- modify or delete patient records,
- delete all data by uninstalling the App.
Since COSMED never receives or accesses patient data processed in the App, COSMED cannot respond to data subject requests relating to such patient data.
11. Bluetooth Connectivity
Bluetooth Low Energy (BLE) is used exclusively to:
- Connect with the COSMED Q device
- Receive real-time measurements from the device into the App
- Receive the results at the end of the test
No patient information is transmitted from the App to the device or to any third party via BLE, other than what is necessary for real-time measurement and display as designed by the system.
12. Children’s Privacy
The App is intended for professional medical use only.
Any patient data related to minors must be entered and managed solely by authorized healthcare professionals and in accordance with applicable laws and professional obligations regarding minors’ data and consent.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time, for example to reflect:
- changes in the App’s features,
- legal or regulatory developments, or
- internal compliance requirements.
When updates are made, the “Last Updated” date at the top of this page will be revised. Where legally required, users may be informed of material changes through appropriate in-app notices or other communication channels.
14. Contact Us
If you have questions regarding this Privacy Policy or about how COSMED processes data under its control, please contact:
COSMED S.r.l. Email:
For any questions, requests or concerns relating to patient data stored in the App, data subjects should contact the relevant healthcare professional or healthcare organization acting as Data Controller.