Privacy Notice

Last updated: 04.17.2024

This Privacy Notice describes how your personal data, including sensitive data, are collected and processed, related to the use of your Hearing Devices (“HD”). In this context, this Privacy Notice covers the processing of your personal data carried out via the “myPhonak” Application (“Mobile App”) with all related technology to access or otherwise use the Mobile App as described below. The processing of your personal data complies, according to your country, with local law requirements, including the Swiss Federal Data Protection Act (“FDPA”), the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (“GDPR”), or the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) for your personal data qualified as Protected Health Information.

This Privacy Notice may be updated from time to time. In this case, we will inform you that this Privacy Notice has been modified and the “last updated” date on top of this document will be modified. We recommend that you periodically review the latest version of this Privacy Notice.

1. Who we are

Sonova AG, Laubisrütistrasse 28, 8712 Stäfa, Switzerland (www.sonova.com), (“Sonova AG”) acts as a Controller for the processing listed in the following section.

Your Hearing Care Professional (“HCP”) may also act as Controller for the processing described at the end of the section below.

2. Personal data we collect from you and why

Sonova AG processes your personal data for the following purposes:

Based on your consent (these processing activities are not mandatory and will occur only if you agree and consent to them):

  • Manage your customer account information: your account information (first name (optional), last name (optional), email, password, country, phone number), medical device UID, medical device type and settings. Please note that, once your account is created, if you later decide to change your country selection, this will not impact the data storage, which means that data residency will still be the one defined initially. Also note that if you choose to delete your account, medical device information cannot be deleted.
  • Allow you to access and see your health data in the Mobile App* – this processing requires you to create an account and login: health data (counted steps, activity levels, wearing time, time in different acoustic environments, time of streaming, heart rate, distance, goals for steps and wearing time, charging periods, calories), HD information (e.g., serial number and hearing side), your account information (first name, last name, email, password, country, phone number).
  • Collect and combine personal data and information on usage and identification of hearing devices, as well as previously obtained data under the purpose of our legal obligation as a manufacturer, for further product improvement, research and claims* – this processing requires you to create an account and login: health data (age, weight, height, gender, counted steps, activity level, wearing time, charging periods, time in different acoustic environments, time of streaming, heart rate, distance, goals for steps and wearing time, calories), HD information (e.g., serial number and hearing side).
  • Understand your demographics and preferences in using the Mobile App: Your location such as City/Region/Country (Sonova will not store your location information and will not be able to track them in any way), phone information (e.g., brand, model, operating system information, platform and language), basic interaction with the Mobile App (e.g., first open of the Mobile App, screen transitions and engagement with the Mobile App e.g., buttons, sliders and features), Mobile App version.
  • Submit a satisfaction survey to you on the Mobile App via SurveyMonkey: Age range, country and HD type. The IP address is collected by SurveyMonkey. The results of the survey may contain other personal data that some users may enter in the free text field, although this is neither our intention nor the purpose of this processing.
  • Enable user to locate lost HD: user’s location (Sonova will not have access to this data).

*For these processing activities, categories of personal data collected may differ according to your HD. For more information about your HD functionalities, you can contact your HCP or Sonova at the email address provided at the end of this document.

Based on the performance of your contract (these processing activities are mandatory as they are necessary to improve your hearing experience and to ensure the proper functioning of your HD and the Mobile App):

  • Ensuring your HD and Mobile App are functioning as intended and allow you to make adjustments to your HD: data stored in your HD by your HCP (date of birth, age, gender, audiogram), HD product identification (product name, HD type, HD version, main brand, private label, price level, battery type, device type, device options, firmware version, hardware version), personal adjustment settings (including custom fitting adjustments and custom settings, if any).

Based on our legal obligation (under the Medical Device Regulation, we, as a manufacturer, must set up a monitoring system that enables the collection and analysis of data about the quality, performance and safety of our medical devices):

  • Monitor the performance of the HD and ensure correct operation and security (post-market surveillance): connection with HD (e.g., connection status, medical device UID, medical device type and settings, discovery information, pairing information, detailed connection information), charging periods, usage periods, interval logging, data about Mobile App crashes, HD event and exceptions error logs, technical log of Mobile App events (such as events for detection and diagnosis of performance, security and other issues, may require IP address).

Your HCP processes your personal data for the following purpose, based on the performance of your contract:

  • Fit your HD remotely through (RID) Based Remote Support service: data stored in your HD (date of birth, age, gender, audiogram), HD product identification (product name, HD type, HD version, main brand, private label, price level, battery type, device type, device options, firmware version, hardware version), Bluetooth device name, serial number, HD pairing key, HD Usage Logging (boot counter, adjustments, operation time since first/latest fitting, usage time per acoustic situation, operation time, corrections, number of re-charging cycles), HD fitting configuration, and other operational data (your service registration ID or service registration status, IP address, RID number stored on the HD).

3. How we share your personal data

Your personal data will be processed according to the instructions we provide to our employees who have received the necessary training in data protection and are subject to an obligation of confidentiality.

Your personal data may also be disclosed to:

  • Other companies in our group of companies, such as our subsidiaries, all of which are required to protect personal data in accordance with applicable privacy and data protection laws;
  • Our business partners, contractors and third-party service providers. These third parties only process personal data that are strictly necessary for the services they provide to us, according to our instructions and in compliance with our privacy and security requirements.
  • Other organizations and public bodies, supervisory and control authorities, including law enforcement agencies, as may be required by law.

By using the Mobile App, only personal data that are strictly necessary for the following purposes are shared (the location of your personal data which are shared may vary depending on your country):

  • Microsoft Ireland Operations Limited - Microsoft Azure (The Netherlands): 
    • provide cloud infrastructure hosting our services;
    • for Android mobile phone and “enable user to locate lost HD” processing, data is sent to Microsoft Azure to convert a location to a street address.
  • Apple Inc. (United States): for iOS mobile phone and “enable user to locate lost HD” processing, data is sent to Apple to convert a location to a street address.
  • Salesforce, Inc. (United States, European Union): provision of customer accounts and administration of the account database.
  • Twilio Inc., Xirsys (data are not stored persistently and are processed as a relay server based on the location of the call participants and the IP address ranges identified – for more information please see: https://www.twilio.com/docs/stun-turn/regions or https://docs.xirsys.com/?pg=api-intro): manage and maintain the WebRTC service and provide technical support.
  • Google Ireland Limited - Google Analytics (Ireland): analytics.
  • Google Ireland Limited - Google Firebase (Ireland): crash analytics, remote configuration and push notifications.
  • SurveyMonkey Inc. (United States, Ireland): used to collect user satisfaction surveys.
  • Elasticsearch B.V. (the Netherlands): log ingestion for monitoring, security and observability purposes.
  • Cloudflare Inc. (United States, European Union): used to verify whether user is a bot or human in order to prevent malicious bot activity.

Before we disclose any personal data to other third parties than those listed above, we will explicitly ask you for your consent. However, if we are obliged to disclose personal data without your consent, we will only disclose personal data that are strictly necessary for that purpose to fulfil our legal obligations.

4. International personal data transfers

Please note that some of the above-mentioned third parties can be located outside your country. Therefore, your personal data may be transferred to countries that do not provide the same level of protection of personal data as your own country. In such cases, we undertake to:

  • implement adequate procedures to comply with applicable law;
  • adopt appropriate organizational, technical and legal safeguards in order to ensure an adequate level of protection of the personal data transferred;
  • implement, if necessary, and according to applicable law, standard contractual clauses as adopted by the European Commission;
  • depending on the country of the importing third party, take additional measures such as a transfer impact assessment.

5. How long we keep your personal data

Sonova AG will retain your personal data for a minimal period proportional to the time required to fulfil the purposes outlined in Section 2. For example, relevant personal data will no longer be retained if you delete your account or if our contractual obligations are fulfilled. In the event applicable law or other regulations require a longer retention period, we will apply the longer retention period in order to fulfill our legal obligations.

Your personal data processed by HCPs will be retained in accordance with applicable laws. For more information on their specific retention periods, please contact your HCP.

6. Your legal rights

Within the framework of the collection and processing of your personal data, and as per applicable law, you may have the right to request access, rectification, erasure of your personal data, or restriction of processing. In addition, you may object to the processing, request data portability and withdraw your consent at any time. According to your country, you may have other rights such as providing instructions for how your personal data should be processed posthumously. Under HIPAA you may also have the right to request an accounting of disclosures of your personal data, and the right to receive a paper copy of this notice upon written request.

You may exercise your rights by using the contact details in the “How to contact us” Section below, or you should contact your HCP if your rights concern personal data processed for the purpose of Remote Support Service.

Please note that the exercise of such rights is subject to the limitations provided by applicable law.

If you consider that the processing of your personal data infringes applicable law then you may also lodge a complaint with the local supervisory authority or the competent regulator. 

7. Third party links on Mobile App

The Mobile App may contain links to other websites or content belonging to or originating from third parties or links to websites and features in banners or other advertising. Such external links are not investigated, monitored, or checked for accuracy, adequacy, validity, reliability, availability or completeness by Sonova. Therefore, please note that the Mobile App does not disclose any personal data to those third parties and their websites and that we are not responsible in any way for personal data processed by them.

For example, this is the case with the Health Resources tab which gives you access to a list of 3rd party health-oriented applications that are therefore not under Sonova’s responsibility.

8. How to contact us

In the event of questions about this Privacy Notice, or the processing of your Personal Data, please contact our Data Privacy Team at privacy@sonova.com.