Speer Health, Inc. — GDPR Policy

1. Purpose and Scope

This GDPR Policy explains how Speer Health, Inc. ("Speer," "we," "us") complies with the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and the UK General Data Protection Regulation ("UK GDPR"). It supplements our Privacy Policy and applies to data subjects located in the European Economic Area ("EEA"), the United Kingdom, and Switzerland.

In the event of any conflict between this GDPR Policy and the Privacy Policy with respect to the rights of EEA, UK, or Swiss data subjects, this GDPR Policy controls.

2. Speer's Role: Controller and Processor

GDPR distinguishes between data controllers, who determine the purposes and means of processing personal data, and data processors, who process personal data on behalf of a controller. Speer acts in both capacities depending on context.

2.1 Speer as Controller

Speer is the controller of personal data we collect directly, including:

  • Information collected from visitors to our website
  • Information collected from prospective customers (demo requests, marketing inquiries, event registrations)
  • Information about authorized users administering our customer accounts (limited to account-management purposes)
  • Information about our employees, contractors, and job applicants

2.2 Speer as Processor

For the personal data that our customers upload to, generate within, or otherwise submit through the Services — including HCP profile data, engagement records, MSL observations, scientific insights, and similar content ("Customer Data") — our customers are the controllers. Speer acts as a processor and processes Customer Data only on the documented instructions of the customer, in accordance with our customer agreements and our Data Processing Addendum.

If you are a data subject whose data appears in the Services because a Speer customer entered it, you should direct rights requests to that customer. Speer will provide reasonable assistance to our customers in responding to such requests.

3. Legal Bases for Processing (Where Speer is Controller)

Where Speer acts as a controller, we process personal data on one or more of the following legal bases under Article 6 of the GDPR:

  • Performance of a contract (Article 6(1)(b)) — to provide services you have requested or take steps prior to entering into a contract
  • Legitimate interests (Article 6(1)(f)) — to operate, secure, and improve our Site and Services; conduct analytics; respond to inquiries; and pursue B2B marketing where appropriate, provided your interests and rights do not override those interests
  • Consent (Article 6(1)(a)) — for example, for certain marketing communications and non-essential cookies; you may withdraw consent at any time
  • Compliance with legal obligations (Article 6(1)(c)) — to comply with applicable law

Where processing is based on consent, you may withdraw consent at any time. Withdrawing consent does not affect the lawfulness of processing based on consent before withdrawal.

We do not knowingly process special categories of personal data (Article 9) as a controller. The Services are intended for engagement with healthcare professionals in their professional capacity and are not intended to process patient health data.

4. Your Rights as a Data Subject

Under Articles 15–22 of the GDPR and UK GDPR, you have the following rights with respect to your personal data:

4.1 Right of access (Article 15)

You have the right to obtain confirmation of whether we process personal data about you, and if so, to receive a copy of that data along with information about how it is processed.

4.2 Right to rectification (Article 16)

You have the right to have inaccurate personal data corrected and incomplete data completed.

4.3 Right to erasure ("right to be forgotten") (Article 17)

You have the right to have your personal data erased in certain circumstances, including where the data is no longer necessary for the purpose it was collected, where you withdraw consent (and no other legal basis applies), or where the data has been unlawfully processed.

4.4 Right to restriction of processing (Article 18)

You have the right to restrict our processing of your personal data in certain circumstances, such as while the accuracy of the data is contested.

4.5 Right to data portability (Article 20)

You have the right to receive personal data you have provided to us in a structured, commonly used, machine-readable format, and to transmit that data to another controller, where processing is based on consent or contract and is carried out by automated means.

4.6 Right to object (Article 21)

You have the right to object to processing of your personal data based on our legitimate interests, including for direct marketing purposes. If you object to direct marketing, we will stop processing your data for that purpose.

4.7 Rights related to automated decision-making (Article 22)

You have the right not to be subject to a decision based solely on automated processing — including profiling — that produces legal or similarly significant effects on you. Speer does not use Customer Data or controller data to make solely automated decisions producing legal or similarly significant effects on data subjects.

4.8 Right to withdraw consent

Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.

4.9 Right to lodge a complaint

You have the right to lodge a complaint with a supervisory authority in the EEA, UK, or Switzerland — typically the authority in the country where you reside, work, or where the alleged infringement occurred. We encourage you to contact us first so we have the opportunity to address your concerns.

5. How to Exercise Your Rights

To exercise any of the rights described above, contact us at: mshibly@speerhealth.ai

We may ask you to verify your identity before responding. We will respond to your request without undue delay and in any event within one month of receipt, in accordance with Article 12 of the GDPR. Where the request is complex or where we receive a high volume of requests, we may extend this period by up to two additional months and will notify you of any such extension within one month of receipt, together with the reasons for the delay.

If you are a data subject whose data appears in the Services because it was uploaded by one of our customers, please direct your request to that customer (the controller). We will assist our customers in responding to such requests.

6. International Data Transfers

Speer is established in the United States, where our infrastructure is also hosted. When we transfer personal data from the EEA, the United Kingdom, or Switzerland to the United States or other countries outside the EEA/UK/Switzerland, we rely on appropriate safeguards under Article 46 of the GDPR, including:

  • Standard Contractual Clauses (SCCs) — the modular SCCs adopted by the European Commission, including the UK International Data Transfer Addendum where applicable
  • Adequacy decisions — where the European Commission, the UK government, or the Swiss Federal Data Protection and Information Commissioner has determined that the recipient country provides an adequate level of protection

Where a transfer relies on SCCs, supplementary technical and organizational measures (such as encryption in transit and at rest, access controls, and audit logging) are applied to ensure an essentially equivalent level of protection.

7. Sub-processors

Speer engages sub-processors to support the Services. A current list of our sub-processors is maintained at our Trust Center: https://speer-health-343.trust.site/subprocessors

All sub-processors are bound by written agreements that impose data protection obligations no less protective than those in our agreements with our customers. Where a sub-processor is located outside the EEA/UK/Switzerland, we ensure that an appropriate transfer mechanism (typically SCCs) is in place.

When we add or replace a sub-processor, we provide our customers with reasonable notice in accordance with our Data Processing Addendum, giving customers the opportunity to object on reasonable grounds related to data protection.

8. Data Processing Addendum

Speer offers a Data Processing Addendum ("DPA") incorporating the EU Standard Contractual Clauses (and, where applicable, the UK Addendum and the Swiss SCC equivalence) to enable our customers to comply with GDPR requirements when Speer processes personal data on their behalf. To request our DPA, contact mshibly@speerhealth.ai.

9. Data Retention

Where Speer acts as a controller, we retain personal data only for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce our agreements. The specific retention period depends on the type of data and the purpose of processing.

Where Speer acts as a processor, retention of Customer Data is governed by the customer agreement and the instructions of the customer. Upon termination of the customer agreement, Customer Data is deleted or returned in accordance with the agreement.

10. Security

Speer maintains a security program with administrative, technical, and physical safeguards appropriate to the risks of processing, in accordance with Article 32 of the GDPR. Details of our current security controls and certification status are available at our Trust Center: https://speer-health-343.trust.site

11. Children

The Services are not directed at children, and we do not knowingly process personal data of individuals under the age of 18.

12. Changes to This GDPR Policy

We may update this GDPR Policy from time to time. When we make material changes, we will update the "Effective Date" at the top of this policy and, where required, notify you through the Services or by email.

13. Contact

For questions about this GDPR Policy, our processing of your personal data, or to exercise your rights, contact:

Speer Health, Inc.
Email: mshibly@speerhealth.ai