Privacy Policy
ecential-robotics.com

1. PREAMBLE

The present privacy policy (the "Policy") describes the activities of ECENTIAL ROBOTICS which require the use of Personal Data (as defined below) with the aim of informing the user(s) (the "User(s)") of the website www.ecential-robotics.com (the "Website") of the company ECENTIAL ROBOTICS of the personal data collected.

The use of the Website by Users implies the processing of their Personal Data by ECENTIAL ROBOTICS, acting in its capacity as data controller.

The purpose of this Policy is to inform Users of the conditions under which their Personal Data is processed in the context of their use of the Website, and to describe the conditions for compliance with the rules governing the protection of their personal data.

This Policy has been drawn up to ensure that ECENTIAL ROBOTICS carries out its activities in accordance with national, European and international legislation relating to the protection of Personal Data and, in particular, Regulation (EU) No. 2016/679 of April 27, 2016 on the protection of individuals with regard to the processing of personal data and its free circulation, and repealing Directive 95/46/EC (known as the "General Data Protection Regulation" or "GDPR") and French Law No. 78-17 of January 6, 1978, as amended, relating to data processing, files and freedoms (the "Loi Informatique et Libertés") (together the "Applicable Regulations").

1.1 User information

The Policy is permanently accessible on the Website, at the following address: eCential Robotics | Politique de confidentialité (ecential-robotics.com).
In addition, all Users are invited to read the terms of the present Policy.

1.2 Control

ECENTIAL ROBOTICS has appointed a Data Protection Officer (hereinafter the "DPO") in order to implement its compliance with the Applicable Regulations. One of the functions of the DPO is to monitor ECENTIAL ROBOTICS' compliance with the principles of Personal Data protection, including, in particular, employee’s compliance with the Policy.

The ECENTIAL ROBOTICS DPO can be contacted by e-mail at the following address: dpo@ecential-robotics.com.

1.3 Definition of terms

In the Policy, words or expressions beginning with a capital letter, whether used in the singular or plural, have the following definition:

• Account: designates the User's personal account on ECENTIAL ACADEMY. This account is optional, and allows Healthcare professional Users, who have given their consent, access to various resources in digital format.
• Recipient: means, within the meaning of the GDPR, the natural or legal person, public authority, service or any other body that receives communication of personal data, whether or not it is a third party. However, public authorities that are likely to receive communication of personal data as part of a particular investigative mission in accordance with Union or Member State law are not considered recipients; the processing of such data by the public authorities in question complies with the applicable data protection rules according to the purposes of the processing.
• Personal Data: means within the meaning of the GDPR any information relating to an identified or identifiable person, directly or indirectly, in particular by reference to an identifier an identification number, location data, an online identifier or to one or more specific elements that are unique to that person.
• Data Controller: means, within the meaning of the GDPR, the natural or legal person who decides on the purpose and means of a Processing of Personal Data.
• Sub-Contractor: means, within the meaning of the GDPR, the natural or legal person who processes Personal Data on behalf of the Data Controller.
• Processing of Personal Data or Processing: means within the meaning of the GDPR any operation or set of operations which may or may not be performed using automated processes and applied to data or sets of Personal Data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, communication by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  

2. PRINCIPLES OF PERSONAL DATA PROTECTION

The Policy is based on compliance with the principles described below, as laid down by Applicable Regulations.
When acting as a Data Controller, ECENTIAL ROBOTICS is responsible for compliance with these principles and must be able to demonstrate its compliance with these principles at all times.

2.1 Lawfulness, fairness and transparency

Personal Data collected in connection with the use of the Website must be processed lawfully, fairly and transparently.

2.2 Purpose limitation

Personal Data must be collected for specified, explicit and legitimate purposes, and must not be further processed in a manner incompatible with these purposes.

2.3 Data minimization

Personal Data must be adequate, relevant and limited to what is necessary for the purposes for which it is processed.

2.4 Accuracy

Personal Data must be accurate and, where necessary, kept up to date; all reasonable steps must be taken to ensure that Personal Data which is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay.

2.5 Storage limitation

Personal Data must be kept in a form that permits identification of the persons concerned for no longer than is necessary for the purposes for which it is processed.

2.6 Integrity and confidentiality

Personal Data must be processed in such a way as to guarantee appropriate security, including protection against unauthorized or unlawful Processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.

3. DATA PROCESSED BY ECENTIAL ROBOTICS

3.1 Data processed as part of ECENTIAL ROBOTICS activities

ECENTIAL ROBOTICS may process the following Personal Data as part of its various activities:

• Cookie management: A cookie is "a small amount of data generated by a website and saved by your browser. Its purpose is to store information about you, similar to preference files created by a software application." When consulting the Website, cookies may be deposited on the User's browser.
• Contact form: surname, first name, professional or personal e-mail address, User's location, company;
• Newsletter: User's professional or personal e-mail address;
• Logging system: IP address, operating system used or browser type, date and time of connection/disconnection, and actions taken by the User;
• ECENTIAL ACADEMY User Account: surname, first name, job title, professional or personal e-mail address, telephone number, professional address;
• Exercise of rights: surname, first name, position, professional or personal e-mail address, telephone number, location of User.

3.2 Data processing purposes

ECENTIAL ROBOTICS acts as Data Controller for Users' Personal Data within the framework of the use of the Website.

ECENTIAL ROBOTICS collects and processes Users' Personal Data as defined above for the following purposes:

Cookies	To facilitate the User's navigation. For more information, see the "Cookies" notice at the bottom of the page
Contact form	To allow the User to contact ECENTIAL ROBOTICS.
Newsletter	To allow the User to be informed of ECENTIAL ROBOTICS’ news.
ECENTIAL ACADEMY User Account	To allow the User, with his/her prior consent, to benefit from diverse documentation related to ECENTIAL ROBOTICS, in digital format.
Exercise of rights	To respond to any User's request concerning the availability of Personal Data and its processing.

Users' Personal Data are strictly confidential and are processed by ECENTIAL ROBOTICS solely for the purposes described above.

ECENTIAL ROBOTICS expressly undertakes not to further process Personal Data for purposes incompatible with the aforementioned purposes.

Furthermore, ECENTIAL ROBOTICS undertakes not to disclose, assign, rent or transmit Users' Personal Data to third parties other than its Subcontractors.

3.3 Legal basis(s) for Data Processing

ECENTIAL ROBOTICS acts as a Data Controller within the meaning of the Applicable Regulations when it processes Users' Personal Data.

The legal bases for the processing of Personal Data are as follow:

• Cookie management: consent
• Contact form: consent
• Newsletter: consent
• ECENTIAL ACADEMY User Account: consent
• Exercise of the User's rights: legal obligation provided for in Articles 15 to 21 of the GDPR.

3.4 Recipients of Personal Data

ECENTIAL ROBOTICS expressly declares that the User's Personal Data is exclusively intended for ECENTIAL ROBOTICS, which shall refrain from conceding, renting, transferring or otherwise communicating to a third party, all or part of the Data, except for the purposes of hosting under the conditions prescribed by Applicable Regulations.

Furthermore, ECENTIAL ROBOTICS undertakes to ensure that only employees whose knowledge of Personal Data is strictly necessary for the performance of their tasks are authorized to process Personal Data.

ECENTIAL ROBOTICS also guarantees that its employees who are required to know, use and/or otherwise process Personal Data undertake to maintain its strict confidentiality.

4. RETENTION OF PERSONAL DATA

Users' Personal Data processed by ECENTIAL ROBOTICS for the purposes specified above will be kept for the time necessary to carry out the processing, namely:

• Cookies’ Management : Personal Data from cookies are kept for 13 months;
• Contact form: Personal Data is kept while the demand is being processed plus 2 years, before being deleted;
• Newsletter: Personal Data is kept until the User unsubscribes;
• ECENTIAL ACADEMY User account: Personal Data is kept for as long as the account is active. Following deactivation of the account at the User’s will, Personal Data is kept for 3 years before being deleted.
• Exercise of rights: Personal Data is kept for the duration of the processing of the request, then for 1 year before being deleted.

By derogation, ECENTIAL ROBOTICS may keep the User's Personal Data for a longer period, in accordance with the applicable legislation.

At the end of this period, the Personal Data will be deleted.


5. USERS' RIGHTS TO THEIR PERSONAL DATA

5.1 Exercise of rights by the User

In accordance with Applicable Regulations, all Users have the right to access their Personal Data processed by ECENTIAL ROBOTICS.

Users may exercise their rights or ask any question relating to the protection of their Personal Data to ECENTIAL ROBOTICS, at the following address: dpo@ecential-robotics.com.

Users are invited to indicate precisely the purpose of their request and the Personal Data concerned.

The rights are as follows:

• Right to access to data concerning him/her and to information relating to processing (purposes, category of data concerned, Recipients, retention period, etc.). ECENTIAL ROBOTICS undertakes to communicate the User's Personal Data in a readable and intelligible format.
• Right to rectify Personal Data in the event of erroneous or incomplete information;
• right to erase (the right to be forgotten) Personal Data which is no longer necessary for the purposes for which it was collected, or (ii) for which the User has exercised his/her right to object to processing;
• right to limit the Processing of Personal Data, when (i) the User contests its accuracy, or (ii) when the data retention period has expired but the User needs to retain the data in order to establish, exercise or defend a legal claim, or (iii) when the User objects to one of the Processing of his or her Personal Data;
• Right to the portability of Personal Data, i.e. the right to receive personal data that is the subject of Processing in a usable format and/or to request that it be transmitted to another Data Controller;
• Right to object to the Processing of Personal Data. This includes the possibility for the User to withdraw his consent at any time.

Except in cases where the request appears excessive or requires disproportionate efforts, ECENTIAL ROBOTICS, as Data Controller, is obliged to respond to Users' requests to exercise their rights as soon as possible and no later than one month after receipt of the request.

5.2 Data breach management

Personal data breach is defined as "a breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed" (Article 4 12° of the GDPR).

ECENTIAL ROBOTICS, as the Data Controller, is obliged to notify the existence of a Personal Data breach to the supervisory authority as soon as possible after its discovery and at the latest within seventy-two (72) hours, and to the User concerned whenever the breach is likely to give rise to a significant risk to his or her rights and freedoms.

5.3 Complaints to the CNIL

If the User believes, after contacting ECENTIAL ROBOTICS, that his/her rights have not been respected or that the access control system does not comply with the data protection rules set out in the Applicable Regulations, he/she is free to lodge a complaint with the Commission Nationale de l'Informatique et des Libertés (CNIL) at any time. 


6. CONTACT

For all information and questions relating to ECENTIAL ROBOTICS' Personal Data Protection Policy or practices, please send an e-mail to the DPO at the following address: dpo@ecential-robotics.com or contact him by post at : ECENTIAL ROBOTICS Zone Mayencin II - Parc Equation - Bâtiment 1 - 2 Avenue de Vignate - 38 610 GIERES - France.

Product Security & Disclosure Policy
ecential-robotics.com

<December 2024>

Introduction

We are committed to ensuring the safety, effectiveness and security of our products. This policy is intended to give security researchers clear guidelines for conducting vulnerability discovery activities and to convey our preferences in how to submit discovered vulnerabilities to us.

This policy describes what systems and types of research are covered under this policy, how to send us vulnerability reports, and how long we ask security researchers to wait before publicly disclosing vulnerabilities.

We encourage you to contact us to report on potential vulnerabilities in our systems.

Authorization

If you make a good faith effort to comply with this policy during your security research, we will consider your research to be authorized, we will work with you to understand and resolve the issue quickly, and ECENTIAL ROBOTICS® will not recommend or pursue legal action related to your research. Should legal action be initiated by a third party against you for activities that were conducted in accordance with this policy, we will make this authorization known.

Guidelines

Under this policy, “research” means activities in which you:

• Notify us as soon as possible after you discover a real or potential security issue.
• Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
• Comply with the applicable laws in connection with security research activities or other participation in this vulnerability disclosure program.
• Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or use the exploit to pivot to other systems.
• Provide us with a reasonable amount of time to resolve the issue before you disclose it publicly.
• Do not submit a high volume of low-quality reports.

Once you’ve established that vulnerability exists or encounter any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else.

Test methods

The following test methods are not authorized:

• Network denial of service (DoS or DDoS) tests or other tests that impair access to or damage a device and/or its surrounding infrastructure, including customer and ECENTIAL ROBOTICS® system and data.
• Physical testing (e.g. office access, open doors, tailgating), social engineering (e.g. phishing, vishing), or any other non-technical vulnerability testing

Scope

This policy applies to the medical devices manufactured and commercialized by ECENTIAL ROBOTICS®

Any device or service not expressly listed above is excluded from scope and is not authorized for testing. If you aren’t sure whether the system is in scope or not, contact us here eCential Robotics | Contact before starting your research.

Though we may develop and maintain other medical devices or internet-accessible systems or services, we ask that active research and testing only be conducted on the systems and services covered by the scope of this document. If there is a particular device or system not in scope that you think merits testing, please contact us to discuss it first. We will increase the scope of this policy over time.

Reporting vulnerability

Information submitted under this policy will be used for defensive purposes only – to mitigate or remediate vulnerabilities. We will not share your name or contact information without express permission.

We accept vulnerability reports here eCential Robotics | Contact. Reports may be submitted anonymously. If you share contact information, we will acknowledge receipt of your report within 5 business days.

By submitting vulnerability, you acknowledge that you have no expectation of payment and that you expressly waive any future pay claims against ECENTIAL ROBOTICS® related to your submission.

What we would like to see from you

In order to help us triage and prioritize submissions, we recommend that your reports:

• Describe the location the vulnerability was discovered and the potential impact of exploitation.
• Offer a detailed description of the steps needed to reproduce the vulnerability (proof of concept scripts or screenshots are helpful).
• Be in English.

What you can expect from us

When you choose to share your contact information with us, we commit to coordinating with you as openly and as quickly as possible.

• Within 5 business days, we will acknowledge that your report has been received.
• To the best of our ability, we will confirm the existence of vulnerability to you and be as transparent as possible about what steps we are taking during the remediation process, including issues or challenges that may delay resolution.
• We will consult with you to determine the public disclosure timing and details, giving you credit after the vulnerability has been validated and resolved, if desired.
• We will maintain an open dialogue to discuss issues.

Questions

Questions regarding this policy may be sent via this webform eCential Robotics | Contact. We also invite you to contact us with suggestions for improving this policy.