This Privacy Notice (“Notice”) is distributed to you by Establishment Labs® S.A., having its registered address at Coyol Free Zone, B15, Alajuela, Costa Rica, (“ESTA”, “we”, “us”), together with European Distribution Center Motiva BV, having its registered address at Nijverheidsstraat 96, 2160 Wommelgem, Belgium, VAT BE 0881.512.541 RPM/RPR Antwerp (“EDC”), which processes data with ESTA as data controller if you are located in the EU and acts as ESTA’s representative in the EU. This Notice covers the personal data that ESTA and EDC collect through miafemtech.com and other websites (establishmentlabs.com, miafemtech.com) (individually, “Website” or collectively “Websites”), applications, products, and services owned or controlled by ESTA, EDC, and our affiliates (collectively referred to as “Affiliates”) or Websites that post a link to this Notice. Personal data means information, either with other information or by itself, that allows you to be directly or indirectly identified (“Personal Data”).
This Notice is to inform you how we collect, use, disclose, and store Personal Data in our role as a controller of Personal Information when you:
- Interact with our websites, including when you download information.
- Provide your personal data to allow administration of our services and managing our relationship with you (“Services”), such as setting up a website or app account or collecting data to process an invoice for accounting purposes.
- Explicitly consent to provide health data for The Mia® Comprehensive Coverage registration or product support (“Products”), such as attending physician, Mia® Diamonds and Minimally Invasive System serial numbers, date of purchase, and procedure details.
- Register and/or attend one of our events, webinars, live events, or conferences (collectively “Events”).
What Personal Data does ESTA collect?
Data you provide to us
We may collect Personal Data that you choose to provide us when accessing or using our websites, such as when you register for an online account or contact us via our websites. If you do contact us, a record of our correspondence will be maintained.
We receive and store Personal Data you explicitly agree to provide to us for Products, such as when you register your Mia® Diamonds and Minimally Invasive System for The Mia® Comprehensive Coverage. This data may include name, address, procedure information, attending surgeon, implant serial numbers, photographs, documents, and other required procedure information.
When you use our Services or Events, we store the Personal Data you provide including name, email address, or other contact information. We retain records of our communication.
You may refuse to provide requested information anywhere on our Websites or Apps, but if you refuse, we may not be able to provide you the requested services relating to the creation of your account, the registration of your Mia® Diamonds and Minimally Invasive System, or your participation in any benefits.
Automatic Data Collection
Subject to your tracking preferences, ESTA may use a variety of technologies, like trackers and cookies, that collect and provide information about how our Websites or Apps are accessed and used. Such information may consist of your internet browser, operating system, service provider, the webpages you viewed, the time you viewed them and for how long, and demographic information.
Please refer to our Cookie Notice for more information on cookies and trackers used on our website.
When you use the Services, network data may also be collected. The data could include log information about users (including IP addresses), usage information (types of services users use, performance metrics, and computer configurations), and data collected by cookies or similar technology.
Information we collect from trusted third parties:
If your Personal Information has been collected as (i) you interacted or used our Website, (ii) you registered and/or attended our Events, and/or (iii) part of the Services, your Personal Information, as stored in our CRM service provider, may be enriched or updated to ensure it is accurate and up to date, and achieves the purpose for which it was originally collected. Please note that the information used to enrich and update your Personal Information, as obtained from the use of third parties’ data sets, does not constitute Personal Information, but merely amounts to data elements related to your organization’s name, structure, industry, and similar attributes.
Please note that we may also obtain non-personal information for the purpose of enriching or updating your Personal Information we already hold.
How and on which legal bases do we use your Personal Data?
Personal information we collect from you on our Websites, Products, or Events:
- To customize the website according to your interests.
- To set up a user account.
- To improve our websites to make sure they are presented most effectively for you and your device.
- To perform marketing, advertising, improve products and services, conduct surveys or trend analysis.
- To perform internal operations such as data analysis, testing, troubleshooting, survey, and statistical purposes.
- To help keep our websites secure.
- To contact you by email, phone, fax or mail for medical research purposes.
- To register your Mia® Diamonds and Minimally Invasive System via your account, including internal record keeping, customer services, and responding to your requests about your Products.
- To allow your participation in our Mia® Comprehensive Coverage to which you subscribe.
Our use of Personal Data may be based on our legitimate interests to ensure security, business performance improvement, and network operations. Our legitimate interests may also be relied upon to improve business and marketing practices or contact you to offer similar Services or products that you may have bought from us. Direct marketing purposes are based upon your consent.
The use of Personal Data for The Mia® Comprehensive Coverage may be based on our performance of a contract with you and your explicit consent to use this data in performance of the contract. Provision of personal data in these instances is necessary to enable our proper execution of The Mia® Comprehensive Coverage, and to register your Mia® Diamonds and Minimally Invasive System. Without your permission it may be excessively difficult, or impossible, to accurately obtain data to verify dates of implantation of your Mia® Diamonds.
Personal information we collect from you through administration of our Services:
- Send customers technical alerts, updates, security notifications, and administrative communications.
- Process and complete transactions, and send related information, including transaction confirmations and invoices.
- Investigate and prevent fraudulent activities, unauthorized access to the Services, and other illegal activities.
- Manage our customers’ use of the Services, respond to inquiries and comments, and provide customer service and support.
- For any other purposes about which we notify customers and users.
We may rely on our legitimate interests for use of your Personal Data in these contexts, generally, either for security purposes or for business improvement, such as investigating and preventing fraudulent activities.
Provision of Personal Data in these instances may be needed to enable access to some of the Services. If you choose to not provide Personal Data, you may experience the unavailability of some Services.
Enterprise Data Analysis:
If your Personal Data has been collected (i) directly from you through our Websites, Products, or Events, and/or (ii) part of the administration of our Services, your Personal Data may be used for the purposes of enterprise data analysis, depending on the scope and purpose of the analysis.
How we may share Personal Data with third parties
When required to achieve the purposes outlined previously, ESTA and/or EDC may share Personal Data in the following limited circumstances:
Between our affiliates:
We may share your Personal Data within our family of companies, including ESTA, EDC, and other affiliates of our organization for purposes consistent with this Notice and based on our legitimate interests.
Protection of ESTA, EDC, and others:
We reserve the right to access, read, preserve, and disclose any Personal Data as necessary to i) comply with a law or a court order, ii) enforce or apply our Agreements with you and other agreements, or iii) protect the rights, property, or safety of ESTA, EDC, our affiliates, our employees, our users, or others.
Disclosures for national security or law enforcement:
Under certain circumstances, we may be required to disclose your Personal Data in response to valid requests by public authorities, including to meet national security or law enforcement requirements, based on our legitimate interests or legal obligations.
We may choose to buy or sell assets and may share and/or transfer customer information, including Personal Data, in connection with the evaluation of and entry into such transactions and based on our legitimate interests. Also, if we or our assets are acquired, or if we go out of business, enter bankruptcy, or go through some other change of control, Personal Data may be one of the assets transferred to or acquired by a third party.
Vendors, consultants, and other service providers:
We may share your Personal Data with third-party consultants, service providers, and other vendors whom we utilize to perform tasks on our behalf. For example, these companies may include service providers that provide web, data storage, advertising, or analytics services to us so that we can administer web servers and store information on a secure database or on back-up disks.
If we transfer your Personal Data to a service provider or third party for processing, ESTA remains responsible for ensuring that such third-party agent or service provider processes your Personal Data to the standard required by the applicable privacy laws, including the GDPR. These transfers are generally based on our legitimate interests.
Please see the International Data Transfers section below for more information.
How long we may keep personal data
Your personal data will be kept for different time periods based on the purposes identified herein. Some Personal Data may be deleted automatically based on specific schedules, such as marketing information. Other information, such as account information, may be retained for longer as required to comply with contracts with you. Finally, we may further retain data based on our legitimate interests or legal purposes, such as record-keeping, applicable law(s), or enforcing legal rights.
We are committed to ensuring that your personal data is secure. In order to prevent accidental or unlawful destruction or accidental loss, misuse, unauthorized access, disclosure, alteration, or destruction, we employ a variety of security measures.
However, please note that no company can guarantee complete security. Therefore, despite the security measures that we have put in place to protect personal data about you, we cannot guarantee that loss, misuse, or alteration of data will not occur.
What are your Privacy Rights?
What choices do I have?
You have a number of privacy rights and you may always opt to not disclose Personal Data to us. Please note that some data may be needed to register with us or take advantage of some features of our Products or Services.
Right to withdraw consent:
If you withdraw your consent to the use of your health data for the purpose of the performance of an agreement between you and ESTA and/or EDC relating to your subscription to The Mia® Comprehensive Coverage, such withdrawal will also be understood as a waiver of any right or claim that exists or may exist on The Mia® Comprehensive Coverage which may have been granted under the condition of providing the required information.
You may opt out of receiving marketing or promotional communications from us at any time by going to the following link: miafemtech.com/contact. Please note that if you have an account with us and you opt out of marketing communications, we may continue to send you non-promotional communications (such as service-related communications).
You can change your cookie preferences and other trackers at any time by clicking on the cookie icon at the bottom of the screen on all our Websites or Apps.
How do I exercise my Privacy Rights?
If you wish to access personal data about yourself or exercise any of the rights listed below, please submit a request to ESTA by using the contact details identified in the “How to contact us” section below. Alternatively, if you are located in the EU, you may also contact EDC at the address mentioned in the Introduction of this Notice, which will then transfer your request to ESTA.
We will review your request and respond as quickly as possible, but please note that we may still use any aggregated and de-identified Personal Data that does not identify a data subject and use your Personal Data, as needed, to comply with our legal obligations, resolve disputes, and enforce our agreements.
Right of access:
You have the right to obtain confirmation as to whether your personal data is processed, and, if so, to request access to such personal data as well as other information about such processing that is also contained in this policy. Before we may provide access, we will first require verification of your identity to help ensure security of the data.
Right to rectification:
You have the right to have inaccurate personal data about yourself rectified or completed if it is incomplete.
Right to erasure (‘right to be forgotten’):
You have the right to request that we erase your personal data.
Right to restriction of processing:
You have the right to request from us that we limit the way we use your personal data.
Right to data portability:
You have the right to receive the personal data you provided, in a structured, commonly used, and machine-readable form and to transmit that data to another controller or to have it transmitted directly from us to another controller.
Right to object:
You have the right to object, on grounds relating to your particular situation, at any time, to the processing of your personal data and we may have to stop processing your data unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or for the establishment, exercise, or defense of legal claims. You have the right to object, at any time, to the processing of your personal data for direct marketing purposes.
Read more about Data Subjects Rights Policy.
International data transfers
ESTA is a company that operates globally. Because of this fact, Personal Data from individuals who visit our Websites, use our Products, and/or use our Services or otherwise interact with us may be transferred and accessed from around the world, such as from countries where ESTA, its Affiliates, or our service providers operate.
We will always protect your Personal Data in accordance with this Notice wherever it is processed. ESTA does not voluntarily or actively transfer or disclose our customers’ Personal Data to the government or law enforcement authorities (the “Authorities”) and/or otherwise grant any Authorities access to your Personal Data. In the event of a request from the Authorities, we have procedures and controls in place to make sure that any such request is assessed according to our internal policy on data protection.
Information for users in the European Economic Area (“EEA”) or in the United Kingdom (“UK”):
Operating globally, ESTA may transfer Personal Data from the EEA or the UK to the United States, Costa Rica and other countries, including Personal Data we receive from individuals residing in the EEA or the UK who visit our Websites and/or use our Services or otherwise interact with us.
In cases where ESTA may transfer your Personal Data outside the EEA or UK, it relies on:
- Adequacy Decisions:
- European Commission, based on Article 45 of Regulation (EU) 2016/679 (GDPR)
- UK Secretary of State, based on Article 45 of the UK GDPR and Section 17A of the Data Protection Act 2018; or
- Standard Contractual Clauses:
- European Commission
- Information Commissioner’s Office (ICO)
The European Commission and the ICO have determined that the above Standard Contractual Clauses may provide sufficient safeguards to protect personal data transferred outside the EEA and the UK. For more information, please visit https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en and https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/.
ESTA performs transfer impact assessments and monitors such transfers to help ensure they maintain a level of protection that is essentially equivalent to the one provided by the European and UK data protection laws.
Links to other websites
This website may contain links to other websites of interest. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information that you provide while visiting such sites and such sites are not governed by this privacy statement. You should exercise caution and refer to the privacy statement applicable to the website in question.
How to contact us
Controller’s Contact Information:
Establishment Labs® S.A. Coyol Free Zone, B15 Alajuela, Costa Rica +506 2434-2400
European Distribution Center Motiva BV, Nijverheidsstraat 96 2160 Wommelgem, Belgium +32 3 432 41 70
Data Protection Officer:
This Agreement was last revised on February 28, 2023
- The information provided is for informational and educational purposes only, the content herein is not intended as a substitute for consultation with a physician. Mia® are not yet commercially available in the US.
- The statements and opinions presented here are applicable to each individual. Results will vary and may not be representative of the experience of others. All statements are voluntarily provided and are not paid, nor were they provided with free products, services, or any benefits in exchange for said statements. The statements are representative of patient experience; the exact results and experience will be unique and individual to each patient.