Effective date: 5 January 2023

1. Introduction

Allurion Technologies, Inc ("us", "we", or "our") operates the Allurion Scale mobile application (hereinafter referred to as the "App").

The protection and security of your personal data is important to us. Personal data means data about a living individual (including 20 years following the individual’s death if the individual is based in Canada) who can be identified from that data (or from that data and other data either in our possession or likely to come into our possession) (“Personal Data”). This privacy policy (“Privacy Policy”) tells you how we collect, use, share, and protect your Personal Data that is collected through the App.

The App has been developed and is operated by Allurion Technologies, Inc based at 11 Huron Drive, Natick, MA 01760 USA. Allurion Technologies, Inc is the controller of your Personal Data collected via the App.

2. Personal Data Collection and Use

We will process your Personal Data when you submit it in the following ways:

  • App Account Registration and Profile Details: when you create an App account, the following information will be stored: your name, gender, date of birth, height, date and location of balloon placement, clinic, language preference, phone number, email address, password, authentication details, and other registration information including your password for the App account. The App allows you to monitor your weight, body fat percentage, body water percentage, bone mass, muscle mass, body mass index, basal metabolic rate and visceral fat by connecting with your Bluetooth Allurion Scale. By connecting it with your Bluetooth Allurion Scale, the App will collect and store this Personal Data. The App may also collect and store additional health and fitness data (such as sleep data, exercise data and heart rate data) that you share from your mobile device, from Fitbit and/or from the Allurion Health Tracker device. You may also choose to share further information with the App regarding your health and personal circumstances (including, but not limited to, information relating to physical and mental health conditions, hunger levels, and marital status).
  • Customer Services: if you contact us about the App or for any other reason relating to customer services, we will keep a record of that contact. You may provide us with Personal Data when sending us your request. We will hold your email address in order to consider your request and respond to you.
  • Usage Data: when you access the App with a mobile device, we may collect certain information automatically, including, but not limited to, the type of mobile device you use, your mobile device unique ID, the IP address of your mobile device, your mobile operating system, the type of mobile internet browser you use, videos and screenshots of your user sessions, unique device identifiers, and other diagnostic data (“Usage Data”).
  • Location Data: we use location data, such as your current location, to search for clinics near you and to assist with syncing the Bluetooth Allurion Scale and Allurion Health Tracker device with the App. If you have allowed us to collect it, the location data we use will be based on your device’s location.
  • Messages and Video Consults: if you choose to do so, the App will connect you with your selected clinic either via the Messages feature or a Video Consult. If you choose to connect to your selected clinic via the App’s Messages feature, Allurion will have access to the contents of your text messages, as well as any responses from your selected clinic. Please note, however, if you choose to connect to your clinic via the Video Consult feature, Allurion will not be able to access the online consultation.

3. The Reasons for Using Your Personal Data

To the extent we collect Personal Data from you, as described in this Privacy Policy, we use such information for the purposes listed below; and where we are not otherwise required under applicable law to seek your consent for such processing, we rely on the legal bases listed below (in respect of individuals located in the EEA and the United Kingdom). Note that, in certain circumstances detailed below, we will process Personal Data on more than one legal basis depending on the specific purpose for which we are using your Personal Data.

| Purpose | Legal Basis |
| --- | --- |
| To provide and maintain the service that is provided through the App. | Performance of a contract |
| To notify you about changes to the App. | Performance of a contract or our legitimate interests |
| To allow you to participate in interactive features of the App, including sharing your App data with your family, friends, your selected Allurion clinic, and healthcare providers when you have chosen to do so. | Performance of a contract; our legitimate interests; public interest in the area of public health; or your consent |
| To coordinate the care provided to you by your selected Allurion clinic and healthcare providers when you have chosen to do so. | Performance of a contract; our legitimate interests; or your consent |
| To provide customer support when you request it. | Performance of a contract or our legitimate interests |
| To gather analyses and/or valuable information (also by analysing and assessing your usage of the App and/or by asking you to participate in market research and surveys) so that we can continue to develop, test and improve our products and the App to offer new and/or enhanced functionality and features. | Our legitimate interests or public interest in the area of public health |
| To better understand how you interact with the App, including its functionality and features, as well as ensuring the content is presented in the most effective manner. | Our legitimate interests |
| If you qualify for discounts on further purchases of our products, we will process your Personal Data to issue you with vouchers and/or discount codes. | Performance of a contract or our legitimate interests |
| To help search for Allurion clinics near to your location. | Our legitimate interests |
| To support the synchronization of the Bluetooth Allurion Scale and Allurion Health Tracker device with the App. | Performance of a contract or our legitimate interests |
| To help us fix any issue with the App, including where we respond to your questions or respond to your request for support, maintenance, troubleshooting, or other performance issues. | Performance of a contract or our legitimate interests |
| To conduct data analyses, testing and research, including for statistical purposes, so that we can better understand the type of people who use our App and products so that we can develop and expand our consumer market. | Our legitimate interests or public interest in the area of public health |
| To conduct scientific research relating to the App. | Our legitimate interests or public interest in the area of public health |
| To develop and implement security tools and mechanisms as part of our efforts to keep the App safe and secure. | Our legitimate interests |
| To measure the effectiveness and distribution of our advertising campaigns. | Our legitimate interests |
| To detect, prevent and address technical issues. | Performance of a contract or our legitimate interests |
| To improve the quality of healthcare offered by us and our affiliates. | Our legitimate interests; public interest in the area of public health; or your consent. |
| To improve and personalize the App experience and enable us and our affiliates to make better decisions based on the information you provide to us. | Our legitimate interests; public interest in the area of public health; or your consent. |

4. Retention of Personal Data

We keep your account information, like your name, email address, and password, for as long as your account is in existence because we need it to operate your account. We may also be required to maintain your information to meet legal requirements. In some cases, when you give us Personal Data for a feature of the App, we delete the Personal Data after it is no longer needed for the feature and no longer required to be kept by law. If you choose to connect to your selected clinic via the App’s Messages feature, we will store your text messages between you and your clinic for two years.

We keep other information, like the Personal Data we obtain when you connect with your Bluetooth Allurion Scale, until you use your account settings or tools to delete the data or your account is no longer used, unless otherwise required or authorized by law. This is because we use this data to provide you with your personal statistics and other features of the App. We also keep information about you and your use of the App for as long as necessary for our legitimate business interests, for legal reasons, and to prevent harm, including as described in the “Reasons for Using Your Personal Data” and “How we Share your Personal Data” sections. To determine the appropriate retention period for your Personal Data, we consider the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorized use or disclosure of your Personal Data, the purposes for which we process your Personal Data and whether we can achieve those purposes through other means, and the applicable legal requirements.

5. Storage of your Personal Data

Your information, including Personal Data, may be transferred to — and maintained on — computers and servers located in the United States or the EEA. Your information may also be accessed by Allurion entities or service providers in other jurisdictions. Where the storage or access location is outside of your state, province, country or other governmental jurisdiction, the data protection laws may differ from those in your jurisdiction.

Allurion Technologies, Inc will take all the steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Policy and your Personal Data will not be transferred to an organization or a country unless there are adequate controls in place for the security of your data and other personal information.

For individuals based in the United Kingdom or the EEA: If you are based in the United Kingdom or the EEA, please be aware that when you use the App, your Personal Data will be stored by our Service Providers (as defined below) in the EEA; however, your Personal Data may also be accessed by Allurion Technologies, Inc in the United States and other Allurion entities or service providers located outside your jurisdiction. For further details, please contact us using the details in the “Contact Us” section below.

6. How we Share your Personal Data

Business Transaction

If Allurion Technologies, Inc is involved in a merger, acquisition or asset sale, financing due diligence, reorganization, bankruptcy, receivership, sale of company assets, or transition of service to another provider, your Personal Data may be transferred including as part of any due diligence process. We will provide notice before your Personal Data is transferred and becomes subject to a different privacy policy.

Affiliates

Affiliates of Allurion Technologies, Inc, including in the US and EEA, may receive your Personal Data.

Disclosure for Law Enforcement

Under certain circumstances, Allurion Technologies, Inc may be required to disclose your Personal Data if required or authorized to do so by law or in response to valid requests by public authorities (e.g. a court or a government agency).

Allurion Clinics

We will share your Personal Data with the Allurion clinic that you selected so that they may provide their services to you and analyse your progress through the use of our products.

Disclosure for Service Providers

We may employ third party companies and individuals to facilitate the App (“Service Providers”), provide the services through the App on our behalf, perform App-related services, and/or assist us in analysing how the App is used.

These Service Providers only have access to your Personal Data to perform these tasks on our behalf and are obligated to keep such Personal Data confidential and not to disclose or use it for any other purpose.

Legal Requirements

Allurion Technologies, Inc may disclose your Personal Data in the good faith belief that such action is necessary:

  • To comply with a legal obligation;
  • To protect and defend the rights or property of Allurion Technologies, Inc;
  • To prevent or investigate possible wrongdoing in connection with the Service;
  • To protect the personal safety of users of the Service or the public; or
  • To protect against legal liability.

7. Security of Personal Data

We have implemented reasonable and appropriate administrative, technical and physical safeguards to protect the confidentiality, integrity, and availability of your Personal Data. We will use strict procedures and security features and take all steps reasonably necessary to ensure your Personal Data is processed securely and in accordance with this Privacy Policy.

You are responsible for protecting against unauthorised access to the App. You should use strong password security, by using a mix of letters, numbers and symbols and a different password than you use for any other accounts that you may have. You must keep your account password confidential and not share it with anyone.

We are not responsible for any lost, stolen or compromised passwords or for any access to your account from unauthorized users where such access is caused by your actions or inaction. If you think your account has been compromised, please contact us as soon as possible, using the contact details in the “Contact Us” section below.

8. Exercising Your Rights

If you need to update your Personal Data you can do this through the App. If you are unable to access that information for any reason, you can notify us of any changes to (or errors in) your Personal Data by contacting us at help@allurion.com.

Depending on where you are located, you may have the right to: (a) access the Personal Data we hold about you; (b) request we rectify any inaccurate Personal Data we hold about you; (c) request we delete any Personal Data we hold about you; (d) restrict the processing of Personal Data we hold about you; (e) object to the processing of Personal Data we hold about you; and/or (f) receive any Personal Data we hold about you in a structured and commonly used machine-readable format or have such Personal Data transmitted to another company.

Please note that we may ask you to verify your identity before responding to such requests.

Where you have been asked to consent to the processing of your Personal Data, you can withdraw consent by contacting us using our contact details below. Any withdrawal of consent will not affect the lawfulness of the processing based on your consent before the withdrawal. Please also note that where you withdraw consent, we will only stop processing your Personal Data that relates to the withdrawal of consent.

To exercise any of your rights in connection with your Personal Data, please contact us using the contact information in the “Contact Us” section below. Additionally, you may have the right to complain to a Data Protection Authority in your country about our collection and use of your Personal Data.

9. Links to Other Sites

The App may contain links to other sites that are not operated by us. If you click a third party link, you will be directed to that third party’s site. We strongly advise you to review the privacy policy of every site you visit.

We have no control over and assume no responsibility for the content, privacy policies or practices of any third party sites or services.

10. Children's Privacy

Our Service does not target or address anyone under the age of 16 (“Children”).

We do not knowingly collect Personal Data from Children. If you are a parent or guardian and you are aware that your Child has provided us with Personal Data, please contact us using the details provided in the “Contact Us” section below. If we become aware that we have collected Personal Data from Children without verification of parental consent, we take steps to remove that information from our servers.

11. Changes to This Privacy Policy

We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page.

We will let you know via email and/or a prominent notice on our Service prior to the change becoming effective and update the “effective date” at the top of this Privacy Policy. You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page. Where required by law, we will provide you the opportunity to read the revised policy so that you may decide whether you wish to continue to use the App. Your continued use of the App after the changes to this Privacy Policy will be deemed to be your acceptance of those changes.

12. Contact Us

We have appointed Allurion S.a.s., with its address at 6 Boulevard Montmartre 75009 Paris, France as our EU data protection representative who you may contact if you are based in the EEA.

If you have any questions about this Privacy Policy, please contact us:

  • By email: help@allurion.com

13. If you are accessing the App from Mexico

a) Your ARCO rights.

To exercise any of your ARCO rights in connection with your Personal Data, please contact us at: help@allurion.com. When you choose to access, rectify, update, oppose, limit the use or portability, or cancel your personal data, your request must include, at least, the following:

  • Your name, address and e-mail address or any other means by which you wish us to send our reply to your request;
  • Documents proving your identity or that of your legal representative, as applicable;
  • A clear and precise description of the Personal Data in relation to which you are exercising your rights. In the event of a request for rectification, you shall state the required changes and provide supporting documentation; and
  • Any other supporting information that facilitates us in locating your Personal Data.

Unless you expressly indicate that you want to receive a reply by different means, we will respond to your request via the email address provided on your application within a maximum of twenty (20) business days from the date the request was received. If we are required to do so, we will action your request within fifteen (15) business days from the date we responded to your request. In the case of requests for access to Personal Data, we will provide you with a copy of your Personal Data, providing we have prior proof of your identity or that of your legal representative, as applicable.

These deadlines may be extended once (for an equal period), if justified by the circumstances. Provided that the withdrawal of your consent does not result in us being unable to comply with any obligations regarding our relationship with you, the consent granted by you for the processing of your Personal Data may be revoked by delivering a written notice or an email to us using the contact details listed below. The withdrawal of consent will be effective from the date on which we receive your request.

b) Consent for processing and transferring personal data.

If you are based in Mexico, your consent to the processing of your Personal Data according to the terms provided herein will be deemed expressly granted when you acknowledge this Privacy Policy. By your acceptance, you also consent to any transfer of Personal Data that may be carried out by us pursuant to the terms of this Privacy Policy. For the processing of your health data within the App, we require your separate authorization when you sign up to use the App.

14. If you are accessing the App from Brazil

a) Sensitive Data

You expressly agree that for the provision of the services, once you create your App account we may access, process and transfer your data in accordance with this policy and Brazilian law 13.709/2018 (“LGPD”).

b) Your LGPD rights

To exercise any of your LGPD rights in connection with your personal data, please contact us at: help@allurion.com. When you choose to access, rectify, update, oppose, limit the use or divulgence of, or request the deletion of your personal data, your request must include, at least, the following:

  • Your name, address and e-mail address or any other means by which you wish us to send our reply to your request;
  • Documents proving your identity or that of your legal representative, as applicable;
  • A clear and precise description of the Personal Data in relation to which you are exercising your rights. In the event of a request for rectification, you shall state the required changes and provide supporting documentation; and
  • Any other supporting information that facilitates us in locating your Personal Data.

Unless you expressly indicate that you want to receive a reply by different means, we will respond to your request via the email address provided on your application within a maximum period of fifteen (15) days from your request. In the case of requests for access to personal data, we will provide you with a copy of your personal data, providing we have prior proof of your identity or that of your legal representative, as applicable.

These deadlines may be extended once (for an equal period), if justified by the circumstances and legally approved. Provided that the withdrawal of your consent does not result in us being unable to comply with any obligations with regard to our relationship with you, the consent granted by you for the processing of your personal data may be revoked by delivering a written notice or an email to us, using the contact details listed below. The withdrawal of consent will be effective from the date on which we receive your request.

c) Consent for processing and transferring personal data

If you are based in Brazil, your consent for the processing of your personal data according to the terms provided herein will be deemed expressly granted when you acknowledge this Privacy Notice, including the processing of your sensitive personal data. By your acceptance, you also consent to any transfer of Personal Data that may be carried out by us pursuant to the terms of this Privacy Notice.