Privacy policy

We place great importance on the protection of your personal data. This page explains how we collect, use, and protect your information in accordance with the General Data Protection Regulation (GDPR). By using our website, you agree to our privacy policy.

INTRODUCTION

This Privacy Policy applies to the https://explant.gepromed.com/ platform of the Gepromed Association. The whole is hereinafter referred to as "the device".

Surgeons and key industry contacts are defined as "users" of the platform. If a specificity is to be made by the status of the user, then he will be named "surgeon" or "industrialist".

The Gepromed Association, the association that publishes the system (see Legal Notice), makes every effort to respect and protect the privacy and confidentiality of its users' data.

The purpose of this Privacy Policy is to present to users of the device:

How their personal data is collected and processed. "Personal data" (PID) refers to any data related to the identification, direct or indirect, of a user and all information that may be associated with the same;
The rights that users have in relation to this data, and how they can exercise them;
Responsibilities with regard to the processing of personal data held by the Gepromed Association;
The recipients of this data;
The site's policy on cookies and other trackers.

This privacy policy supplements the legal notice that users can consult at https://explant.gepromed.com/en/legal-notice.

COLLECTION AND PROCESSING OF PERSONAL DATA

In accordance with the provisions of Article 5 of the European Regulation 2016/679 for data protection (GDPR), the collection and processing of the data of the users of the device comply with the following principles:

Lawfulness, fairness and transparency: data may only be collected and processed with the consent of the user who owns the data, or their manager or legal guardian if they are a person under guardianship. Whenever a new type of personal data is collected, the user will be informed that their data is being collected, and for what purposes their data is being collected.
Limited purposes: the collection and processing of data is carried out to meet one or more of the purposes determined in this privacy policy.
Minimization of data collection and processing: only the data necessary for the proper execution of the objectives pursued by the system are collected.
Data retention reduced over time: data is kept for a limited period of time, of which the user is informed.
Integrity and confidentiality of the data collected and processed: the data controller undertakes to guarantee the integrity and confidentiality of the data collected.

The lawfulness of the processing of personal data carried out in the context of the implementation of the system, in accordance with the requirements of Article 6 of European Regulation 2016/679, is based on the free and informed consent of the user (or their guardian) to the processing, which is described to them in this document – except when it is made necessary by the performance of a contract or by a legal obligation.

NATURE OF DATA

Data processed, purpose, retention period

The personal data collected by the system are as follows.

Registration data on the platform

o Identity (surname, first name);

o User contact information (email).

This data is collected by Gepromed in order to create the user account of surgeons and manufacturers on the platform. The account is created by Gepromed and an email is sent to the user so that he can create his password on the platform via the "forgotten password" link.

The collection and processing of the data described above is for the following purposes:

o allow registration on the Gepromed platform;

o allow the monitoring of the explant analysis;

o To provide access to the results of the explant analysis.

The data related to the user of the platform is kept for the duration of the explant analysis and up to 5 years after the last contact with the user.

Contact form data

This data is collected via the "contact us" button. This data is processed by Gepromed's teams.

o Identity of the user (surname, first name, professional status, professional establishment);

o User contact details (e-mail, mobile phone number, city, country).

The collection and processing of the data described above is for the following purposes:

o allow a request to create a user account to Gepromed;

o make it possible to request a sending kit from Gepromed;

o allow you to request the sending of a data collection sheet to Gepromed;

o To answer users' questions on the Explants platform.

The data related to the contact request is kept for the time it takes to process the user's request and for up to three years after the contact request.

Explant data via the "analyzed explants" button

This data is added by Gepromed's explant analysis platform team.

For surgeons: you have access to the following data on your explantations:

o Duration of implantation;

o Cause of implantation and explantation;

o Medical establishment;

o Explant Analysis Reference;

o N° lot de l’explant ;

o Part Number, Type, Brand, Model explant.

The processing of the data described above is for the following purposes:

o allow surgeons to be informed of the follow-up of the explant analysis;

o Enable surgeons to collect data from the explant analysis in a secure manner.

o To allow Gepromed to keep a database of explantations.

The data is kept on the platform by Gepromed for the duration of the explant analysis and up to 5 years after the start of the explant analysis. As the duration of the analysis can be long, this duration takes into account the entire analysis process until the disclosure of the results and a time to reconnect to the platform in order to access the data after the disclosure of the results.

This data does not allow the patient to be re-identified either by Gepromed or by a third party other than the surgeon. The surgeon is the only person authorized to identify one of his patients as part of his medical mission by cross-referencing the data of the Gepromed platform with his own confidential medical database. No personal data of patients is recorded on Gepromed's platform.

For manufacturers: you have access to the following data on your explantations:

o Duration of implantation;

o Cause of implantation and explantation;

o Medical establishment;

o Explant Analysis Reference;

o N°lot de l’explant ;

o Part Number, Type, Brand, Model explant.

The processing of the data described above is for the following purposes:

o allow manufacturers to be informed of the follow-up of the explant analysis;

o Enable manufacturers to collect data from Explant's analysis in a secure manner.

o To allow Gepromed to keep a database of explantations.

Email data

This data is collected via the messaging button. This data is processed by Gepromed's teams.

o Identity of the user (surname, first name);

o User contact details (e-mail);

o Data of the message transmitted to GEPROMED.

The collection and processing of the data described above is for the following purposes:

o Enable communication about explant analysis with Gepromed.

o To answer your questions on the Explants platform.

The data related to the messaging system is kept for the time it takes to process your request and delete it immediately afterwards.

In order to comply with the principle of data minimisation according to the GDPR and more specifically the exclusion of health data as described in recital 35 of the GDPR, the transmission of patient health data on the messaging service is prohibited and will lead to the immediate deletion of the message if health data is included in the message.

All data are stored in optimal security conditions with regard to their sensitivity (see 3. Data hosting).

Third-party data recipients

The personal data collected by the website may be transmitted to third parties, the list of which is as follows:

· our IT development subcontractors (data accessible to this third party: Codein – 6 Rue de Maguelone 34000 Montpellier, France – contact@codein.fr – +33 (0)9.72.42.26.03);

· the Office suite for email processing and internal organization;

· Brevo for hosting the platform's email;

To date, no data is outsourced outside the European Union, either for hosting or for any other processing, or for subcontracting.

Data hosting

The personal data processed in the context of the use of the device are stored on Codein's servers – 6 Rue de Maguelone 34000 Montpellier, France – contact@codein.fr – +33 (0)9.72.42.26.03).

The personal data processed in the context of the use of the device's messaging system passes through Brevo's SMTP relay and is stored on their servers.

DATA CONTROLLER AND DPO

Data controller

The person responsible for the processing of personal data is the Gepromed Association, in the person (legal controller) of Mr. Nabil CHAKFÉ, President. He can be contacted by phone at +33(0) 3.68.85.40.94.

Obligations of the data controller

The person responsible for the processing of personal data determines the purpose of the processing and the means implemented to achieve it.

It undertakes to protect the personal data collected, not to transmit it to third parties without the user having been informed and to respect the purposes for which this data was collected.

The User undertakes to notify the User in the event of rectification or deletion of the data, unless this would entail disproportionate formalities, costs and procedures for the User.

In the event that the integrity, confidentiality or security of the user's personal data is compromised, resulting in a risk for the user, the Data Controller undertakes to inform the user by any means.

The Data Protection Officer (DPO)

In order to ensure that it complies as closely as possible with the national and European legal and regulatory provisions in force, and to optimally protect the data and privacy of its users, the Gepromed Association has appointed a Data Protection Officer (DPO) to the Commission Nationale Informatique et Libertés (CNIL), in the person of Mrs. SCHMUCK Laetitia.

The DPO can be contacted by email: dpo@gepromed.com.

USER RIGHTS

In accordance with the provisions of Articles 15 to 22 of European Regulation 2016/679, the user has the rights listed below.

User rights with regard to the processing of personal data

Right of access, rectification and right to erasure

The user can access, update, modify or request the deletion of data concerning him or her – regardless of whether he or she has created his or her account himself or whether it has been created by a third party.

The user has the right to request the deletion of his personal space if he has one.

Right to data portability

The user may request the portability of his personal data, held by the Gepromed Association, to another site, by requesting the provision of an archive in a format that meets market standards.

Right to restriction and objection to data processing

The user has the right to request the restriction or to oppose the processing of their data by the data controller, without the latter being able to refuse, unless it can be demonstrated that there are legitimate and compelling reasons that may override the interests and rights and freedoms of the user.

Right not to be subject to a decision based solely on an automated process

The user has the right not to be subject to a decision based exclusively on an automated process if the decision produces legal effects concerning him, or similarly significantly affects him.

Right to determine the fate of data after death

The user (or their legal guardian if applicable) is reminded that they can organise the fate of their data collected and processed if they die, in accordance with Law No. 2016-1321 of 7 October 2016. If he wishes, he must send the Gepromed Association a notification of his advance directive by email address to dpo@gepromed.com.

Right to refer the matter to the competent supervisory authority

In the event that the data controller decides not to respond to the user's request, and the user wishes to contest this decision, or if he believes that one of the rights listed above has been infringed, he or she is entitled to refer the matter to the CNIL (Commission Nationale de l'Informatique et des Libertés, https://www.cnil.fr/fr/complaints) or any competent judge.

Conditions for the exercise of rights by the user

Each of these rights can be exercised by e-mail to the DPO of the Gepromed Association (dpo@gepromed.com), or by post to the following address:

Gepromed / Confidentiality Association – 4 rue Kirschleger 67085 Strasbourg – France

In order to ensure that these rights cannot be exercised to the detriment of a third party and in order to prohibit any identity theft, the user is required to communicate to the Gepromed Association his first and last name as well as his e-mail address, his account or personal or subscriber space number, AND a copy of an identity document.

The Data Controller is obliged to respond to the User within a maximum of 30 (thirty) days.

USE OF TRACKERS

No cookies or trackers are used on the device.

In addition, the device integrates social network buttons, allowing the user to share his activity. Cookies from these social networks may therefore be stored on the user's terminal when using these features.

The user's attention is drawn to the fact that these social networks have their own privacy policies and general terms and conditions of use that are different from the website. The publisher of the site invites users to consult the privacy policies and general terms and conditions of use of these sites.

TERMS OF MODIFICATION OF THE PRIVACY POLICY

This privacy policy can be consulted at any time at the https://explant.gepromed.com/en/confidentialite, as well as in access to the legal notice provided by the application.

The publisher of the device reserves the right to modify it in order to guarantee its compliance with the law in force. Therefore, the user is invited to come and consult this privacy policy regularly in order to stay informed of the latest changes that will be made to it.

However, in the event of a major change, the latter will be brought to the attention of the users by e-mail at the address mentioned by the user.

The user is informed that this privacy policy was last updated on August 18, 2025.