Privacy Policy of HeartFocus
Effective Date: 2025/08/19
Version: 2.0
At DESKi, the security of your personal data is our primary commitment. Before using HeartFocus via the HeartFocus Portal or the HeartFocus App (together “HeartFocus”), please read this Privacy Policy ("the Policy"), which explains how we process your personal data collected via HeartFocus (hereinafter referred to as “Data”).
By Data, we mean "any information that identifies or relates to a particular person directly or indirectly, including information designated as personal data or personal information under applicable data protection laws, rules, or regulations".
The Policy details how DESKi processes your Data when you use HeartFocus (“the Services”).
By using the Services, you consent to the terms of collection, use, and sharing of your Data as described below.
In particular, this Policy does not cover the data processing practices of third-party devices connected to the Services, such as the heart imaging probe provided by an external manufacturer. The processing of data by such devices is subject to separate privacy policies issued by the respective entities responsible for their operation and management. This Policy does not apply to the use of your data by third-party companies that we do not control, or by individuals who are not under our management.
The conditions for processing your Data may vary depending on where you access the Services.
The Policy will detail below the specific obligations applicable according to your location.
The Policy provides detailed information on the following elements:
- General conditions for processing your Data
  - Who processes your Data?
  - What Data is processed and why is it used?
  - How is your Data protected?
  - How long is your Data retained?
  - Is your Data reused?
- Your rights regarding the processing of your Data
  - What are your rights concerning the processing of your Data?
  - What recourse do you have regarding the processing of your Data?
- Conditions for sharing your Data
  - Who has access to your Data?
  - Transfer of your Data
- Regulations applicable to the use of your Data
- Conditions for modifying the Policy
I. General Conditions for Processing Your Data
Who is responsible for your Data?
The company DESKi, a Simplified Joint Stock Company registered under number 818145211 and located at 2-8, 2 PLACE DE LA BOURSE, 33000 BORDEAUX – France, trading as DESKi (“DESKi”), is responsible for processing your Data when you use the Services.
For any information related to the processing of your Data by the Services, you can contact DESKi at any time at the following address: dpo@deski.ai
What data is processed and why is it used?
When using HeartFocus, the following categories of data are processed:
- Data related to the application user - profile and contact details ("User's Data")
- Technical and navigation data ("Technical and Navigation Data")
The table below outlines the data categories processed by DESKi, along with the purpose of use for each.
Payments (Stripe)
DESKi uses Stripe to process payments. When you make a purchase, certain information (billing details, transaction amount, device/IP for fraud prevention) is sent directly to Stripe. DESKi does not store full card numbers on its systems.
DESKi relies on Art. 6(1)(b) GDPR to process payments, Art. 6(1)(c) for legal/accounting obligations, and Art. 6(1)(f) for fraud prevention. Stripe may act as DESKi’s processor, but it may also act as an independent controller for anti-fraud and regulatory compliance activities.
Your data may be transferred outside the EEA; Stripe implements appropriate safeguards (e.g., Standard Contractual Clauses). See Stripe’s Privacy Policy for details.
DESKi retains payment-related data as required by law; Stripe retains data under its own legal obligations. You can exercise your GDPR rights by contacting us (and Stripe for its independent processing activities).
How is your Data protected?
User’s responsibility
The User is responsible for following the security guidelines outlined in the User Manual, including integrating the device into a Mobile Device Management system, protecting the unlock screen with a PIN code or password, and setting the auto-lock duration to 1 minute or less.
You can also contribute to the protection of your Data by choosing and appropriately protecting your password and/or any other connection mechanism, limiting access to your computer or device and your browser, and logging out when you have finished accessing your account.
User Device Security
The HeartFocus App is designed to operate securely when used as instructed. However, DESKi is not liable for any unauthorized access, loss, or disclosure of data resulting from the User’s failure to properly secure the device on which the App is installed (e.g., absence of screen lock/encryption, sharing credentials, jailbreak/rooting, disabled updates, or installation of untrusted software).
The User is responsible for: (i) maintaining the confidentiality of login credentials; (ii) keeping the operating system and the HeartFocus App up to date; (iii) enabling built-in security features (PIN, biometric lock, encryption); and (iv) using the heart-imaging probe and any third-party peripherals according to the manufacturer’s security instructions.
DESKi remains responsible for safeguarding the User’s login credentials and any personal data processed on its own systems or on third-party systems integrated and managed by DESKi. For this purpose, DESKi implements mainly the following security measures:
- Encryption everywhere: TLS 1.2 for data in transit and AES-256 for data at rest.
- Strict access control: Role-based, need-to-know permissions only.
- Continuous monitoring: Production environments are monitored, and security reviews are performed regularly.
- Tested backup & deletion processes: Documented procedures ensure secure retention and deletion of data at contract end. Backups can be reliably recovered in case of data loss or system failure.
- Vetted providers: Key service providers are contractually assessed for security and breach notification obligations.
How long is your Data retained?
Your User’s Data is retained for the duration of the contractual relationship. To guard against any disputes, DESKi can keep certain information for up to 5 years from the end of the contractual relationship.
Your Technical and Navigation data are retained for a maximum period of 25 months from your last connection.
II. Your Rights Regarding the Processing of Your Data
What are your rights?
You may exercise your rights by contacting us at dpo@deski.ai. You may exercise the following rights independently or with our assistance.
Right of Access
You have the right to know what personal information DESKi processes about you. You can contact DESKi to request access to the personal information collected about you. DESKi will confirm whether it processes your data and provide you with details of the personal information collected and processed.
Please note that you can easily access the personal data related to your account and services directly through your account.
Right to Erasure
You have the right to request the deletion of your personal information in certain circumstances. DESKi will comply with such requests unless there is a valid legal basis or obligation to retain the data.
Right to Rectification
You have the right to request correction of any inaccurate or incomplete personal information DESKi holds about you.
Please note that you can update some of your basic account details directly in your account.
Right to Data Portability
You have the right to request a copy of the personal information you have provided to DESKi in a structured, commonly used, and machine-readable format. This right applies only when DESKi processes your personal information based on your consent or a contract.
Right to Object to Processing
You have the right to object to the processing of your personal information in certain circumstances. If DESKi has no legitimate grounds to continue processing your personal information, DESKi will stop doing so once your objection is received and verified.
Under certain regulations, you may have the right to object to any sale or sharing of your personal information, profiling, or targeted advertising as defined by applicable law. DESKi does not sell or share your personal information for such purposes, and you always have the right to opt out of direct marketing at any time.
Right to Restrict Processing
You have the right to ask DESKi to restrict the processing of certain personal information in specific circumstances, for example, if you contest the accuracy of your data and want processing suspended while verification takes place.
Right to Withdraw Consent
If DESKi processes your personal information based on your consent, you have the right to withdraw your consent at any time, as permitted by applicable law. Please note that withdrawing your consent may limit your ability to use certain DESKi services.
To exercise any of these rights, please contact DESKi’s Data Protection Officer at: dpo@deski.ai
What recourse do you have regarding the processing of your Data?
Subject to applicable laws, you may have the right to file a complaint with your local competent data protection authority regarding any of our activities. If you have any questions about our privacy practices, write to the Data Protection Officer at dpo@deski.ai.
You can find a list of competent data protection authorities here: https://www.edpb.europa.eu/about-edpb/about-edpb/members_en
Children’s privacy
The Services are not intended for children and we do not knowingly collect personal information provided by children under 18 years of age through the Services. If you become aware that a person under 18 is using the Services, please email us at dpo@deski.ai. We will take the necessary steps to delete this information and/or terminate the child's account.
III. Conditions for Sharing Your Data
Who has access to your Data?
Your profile and contact Data are only accessible for the purposes presented above.
Your technical and navigation data may be transmitted to DESKi's partners (Sentry.io, Matomo Cloud and Google Analytics), which are in charge of the purposes presented below.
Sentry.io – Application Monitoring Software
Collection:
- Crashes and unhandled exceptions
- Collection of breadcrumbs, which are events or logs that occur before a crash. These can include user actions (e.g., button clicks, screen navigation) and system events (e.g., network calls, system alerts), providing context for errors.
If you want more information on how Sentry processes Data, please read Sentry's Privacy Policy.
Matomo – Analytics:
- App sessions: Tracks when a user starts or exits the application.
- Page views: Monitors the screens or pages the user navigates to within the app.
- Events: Captures custom interactions, such as button presses, form completions, or other defined actions taken by the user.
- Device information: Collects details such as device model, operating system version, app version, screen resolution, and other relevant data.
If you want more information on how Matomo processes Data, please read Matomo's Privacy Policy.
We respect your privacy rights under the California Consumer Privacy Act (CCPA) and any other state with similar requirements. While we currently do not sell or share personal information, we provide this “Do Not Sell or Share My Information” option to honor your preferences now and in the future should our practices change. You may submit a request at any time to ensure your choice is recorded and respected.
Send an email to dpo@deski.ai to request: Do Not Sell or Share My Personal Information
Transfer of your Data
If you are located in the EEA, your personal data may be transferred to countries outside the EEA where data protection standards may not be equivalent to those required under applicable regulations. These transfers may involve service providers processing data for the purposes outlined above. To ensure an adequate level of protection, DESKi has implemented appropriate safeguards in accordance with Chapter V of the GDPR.
For any information related to the transfer of your Data, you can contact DESKi at the following address: dpo@deski.ai
IV. Regulations Applicable to the Use of Your Data
This Policy applies uniformly to all users of the HeartFocus Services, regardless of where you live. DESKi takes into consideration the personal data protection regulations applicable to the markets in which it offers its Services.
GDPR Compliance
DESKi is committed to complying with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation – GDPR), which applies to our European users.
HIPAA Notice
HeartFocus operates in compliance with the Health Insurance Portability and Accountability Act (HIPAA), as DESKi does not access Protected Health Information (PHI) as defined under 45 CFR § 160.103 in the course of delivering HeartFocus Services.
U.S. States with Enhanced Privacy Requirements
For U.S. residents in states with specific privacy legislation, including the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), and similar laws in Virginia, Colorado, Connecticut, and Utah, DESKi provides additional rights and disclosures. These include the right to know, delete, correct, and opt out of the sale or sharing of personal information, as well as protections against certain types of profiling and targeted advertising.
This notice supplements the information contained in DESKi’s Privacy Policy and applies solely to all visitors, users, and others who reside in U.S. states with enhanced privacy notice requirements (“customers” or “you”), and who access DESKi’s applications or services.
Collection, Use, and Sharing of Information
When a customer interacts with DESKi’s services, DESKi collects information that identifies, relates to, describes, references, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer, device, or household (“personal information” or “personal data”).
Details about the categories of personal information we collect, the purposes for which your personal information is processed, and any sharing of your personal information are described in relevant sections of our Privacy Policy:
- User's Data: Categories of collected personal information and processing purposes
- Technical and navigation data: Categories of collected personal information and processing purposes
- Data Sharing: When and how we may share your data with service providers or partners
In the past twelve (12) months, DESKi has not sold personal information to third parties, including data aggregators. We have collected and disclosed only the categories of personal information described in our Privacy Policy and disclosed to service providers as required to operate our services.
Consumer Rights
If you are a resident of a state that grants enhanced privacy rights regarding personal information, you may exercise the following rights:
1. Right to Know
You may request that we disclose the personal information we have collected about you over the past 12 months. After we verify your identity, we will provide:
- The categories of personal information collected
- The categories of personal information disclosed (if any)
- The sources of the personal information
- The purpose of the collection or disclosure
- The categories of third parties we shared data with
- The specific pieces of personal information collected
2. Right to Correction
You have the right to request correction of any inaccurate personal information we maintain about you. Once your identity is verified, we will correct your data unless a legal or operational exception applies.
3. Right to Deletion
You may request the deletion of your personal information, subject to certain exceptions (e.g., when we are legally required to retain data). Upon verification, we will delete your data and instruct service providers to do the same unless retention is required.
4. How to Submit a Request
You may submit a verified consumer request via email: dpo@deski.ai
Please include your full name, company (if applicable), email address, and phone number. We may request additional information to verify your identity, which is required by law in some jurisdictions.
Only you—or someone legally authorized to act on your behalf—may submit a request. Requests on behalf of minors must be submitted by a parent or legal guardian.
We will respond within 45 days of receiving your verified request. If more time is needed, we will inform you during that period.
5. Right to Appeal
If we do not take action on your request, you may submit an appeal by sending an email to dpo@deski.ai and marking your subject as “Appeal”. We will review and respond within the timeframes established by applicable law. If your appeal is denied, you may contact your state Attorney General or relevant regulator to file a complaint.
6. Non-Discrimination
DESKi does not discriminate against users for exercising their privacy rights. This means we will not:
- Deny you services
- Charge different prices or rates
- Provide a different level or quality of service
- Suggest different pricing or service levels based on your privacy choices
For any questions regarding the regulations applicable to your Data, you can contact us at the following address: dpo@deski.ai
Cookies
Like many online services, we use the following technologies to facilitate some of our automatic data collection:
- Cookies, which are text files that websites store on a visitor’s device to uniquely identify the visitor’s browser or to store information or settings in the browser for the purpose of helping you navigate between pages efficiently, remembering your preferences, and enabling functions.
We use cookies to help you navigate efficiently and perform certain functions. The cookies that are categorized as "Necessary" are stored on your browser as they are essential for enabling the basic functionalities of the site. Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data. Please see below the list of “Necessary Cookies” collected:
We also use third-party cookies that help us analyze how you use this website, store your preferences, and provide the content and advertisements that are relevant to you. These cookies will only be stored in your browser with your prior consent.
You can choose to enable or disable some or all these cookies but disabling some of them may affect your browsing experience.
Website Analytics
DESKi uses Google Analytics, a web analysis service of Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States (“Google”).
Google will analyze your use of the DESKi site on our behalf. The information collected by Google in connection with your use of the DESKi site (including your IP address) will be transmitted to a server of Google in the US, where it will be stored and analyzed. The respective results will then be made available to us in anonymized form.
V. Conditions for Modifying the Policy
DESKi is constantly improving the Services and, as a result, may need to modify the Policy. You will be notified of these changes during your next connection to the Services following the modification. Where applicable, your consent will be required and collected via the application.
By consenting to the access and use of your Data in connection with the Services, you agree to the terms governing the collection, use, and sharing of your Data as outlined in this Policy.
VI. Contact Information
If you have any questions or comments about this Policy, the ways in which we collect and use your Data or your choices and rights regarding such collection and use, please do not hesitate to contact us at:
- DESKi, a Simplified Joint Stock Company registered under number 818145211 and located at 2-8, 2 PLACE DE LA BOURSE, 33000 BORDEAUX – France
- dpo@deski.ai