Privacy and Personal Data Processing Policy

Effective Date: 06/01/2026

1 • Introduction

Orqual Group and its subsidiaries Kitview, Aero and Ceph (hereinafter referred to as the “Publisher”, “we”, “us” or “our”) are committed to protecting Personal Data and respecting the privacy of individuals.

The purpose of this Privacy Policy is to inform users, customers, prospects, patients and other Data Subjects about the processing of Personal Data carried out in connection with the use of:

  • our websites;
  • mobile applications;
  • the Platform;
  • support, training, maintenance, backup and hosting services;
  • features involving Artificial Intelligence processing.

This Privacy Policy is intended to comply with the requirements of the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and applicable data protection laws.

2 • Our Role in Data Processing

Depending on the nature of the services used and the categories of Personal Data involved, the Publisher may act either as a Data Controller or as a Data Processor.

2.1 • When We Act as Data Controller

We determine the purposes and means of processing Personal Data relating in particular to:

  • user account creation and management;
  • authentication and access control;
  • security monitoring and incident prevention;
  • customer support services;
  • commercial relationship management;
  • billing and payment administration;
  • demonstration requests;
  • technical analytics and service monitoring;
  • cookies and tracking technologies operated by us;
  • service improvement and product development;
  • compliance with legal and regulatory obligations.

2.2 • When We Act as Data Processor

We process certain Personal Data on behalf of our Customers and only in accordance with their documented instructions.

In such circumstances:

  • the Customer acts as the Data Controller;
  • the Publisher acts as the Data Processor within the meaning of the GDPR.

This notably applies to:

  • patient records;
  • medical documents;
  • photographs;
  • radiographic images;
  • 3D models;
  • data generated by medical devices or clinical assessment devices connected to the Platform;
  • communications between healthcare professionals and their patients;
  • processing activities carried out through the Platform on behalf of the Customer.

3 • Products and Services Covered

This Privacy Policy applies, among others, to:

  • Kitview Connect;
  • Kitview Proxy;
  • Ceph Connect;
  • Aero Connect;
  • Accounts;
  • Coaching;
  • Artificial Intelligence services provided by the Publisher;
  • related mobile applications;
  • Aéro games (Aéro Plane, Aéro Obstacle Course, Aéro Minigolf, Aéro Space Shooter);
  • associated websites.

4 • Categories of Personal Data Processed

4.1 • User Data

We may process:

  • first name and last name;
  • email address;
  • telephone number;
  • profile photograph;
  • professional information;
  • login history;
  • activity logs;
  • user preferences;
  • support-related information;
  • information relating to connected third-party services.

4.2 • Patient Data

Depending on the services used by our Customers, the following categories of Personal Data may be processed:

  • first name and last name;
  • date of birth;
  • contact details;
  • identification numbers where legally permitted;
  • medical reports;
  • photographs;
  • radiographic images;
  • 3D models;
  • medical questionnaires;
  • correspondence;
  • administrative and medical documents.

Depending on the equipment and functionalities used by the Customer, processed data may also include measurements, analyses and recordings generated by medical devices or clinical assessment devices connected to the Platform.

Such data may include:

  • measurements and analyses of nasal and oral respiratory volumes obtained using an Aerophonoscope;
  • associated physiological data;
  • examination results;
  • indicators and metrics;
  • graphical representations;
  • reports and documents generated from such examinations.

Some of this information constitutes Health Data within the meaning of Article 9 of the GDPR.

4.3 • Technical Data

We may also process:

  • IP addresses;
  • technical identifiers;
  • browser-related information;
  • device-related information;
  • navigation data;
  • security logs;
  • diagnostic and performance information.

5 • Purposes of Processing

Personal Data may be processed for the following purposes:

  • providing Platform services;
  • managing user accounts;
  • authentication and access control;
  • ensuring platform security;
  • hosting and backup services;
  • providing support and training;
  • managing customer relationships;
  • improving services and functionalities;
  • producing technical usage statistics;
  • preventing security incidents and fraud;
  • enabling integrations with third-party software;
  • collecting, visualising, analysing, storing and comparing data generated by connected medical or clinical assessment devices;
  • assisting healthcare professionals in the interpretation and use of physiological data collected during patient monitoring;
  • providing Artificial Intelligence assisted functionalities;
  • complying with legal and regulatory obligations.

6 • Legal Bases for Processing

Depending on the processing activity concerned, Personal Data may be processed on the basis of:

  • performance of a contract;
  • pre-contractual measures requested by the Data Subject;
  • legitimate interests pursued by the Publisher;
  • compliance with legal obligations;
  • consent, where required by applicable law.

Where Health Data is processed, such processing is carried out exclusively on the legal grounds authorised under Article 9 of the GDPR and applicable healthcare regulations.

7 • Data Sharing and Recipients

Personal Data may be accessed by:

  • authorised employees of the Publisher;
  • subsidiaries of the Orqual Group;
  • authorised Distributors acting within the scope of their responsibilities;
  • technical service providers required for the operation of the services;
  • authorised sub-processors;
  • public authorities or regulatory bodies where disclosure is required by law.

Personal Data may also be transferred to third-party services when a Customer or user voluntarily activates an integration or sharing functionality.

Available integrations may include, among others:

  • Dental Monitoring;
  • iOrtho (Angel Aligners);
  • iStoma (Idava Solutions);
  • iTero;
  • LinkedIn;
  • Instagram;
  • Google Post.

Users remain responsible for verifying the information they choose to transmit and for ensuring compliance with any applicable legal requirements, including obtaining consent where required.

8 • Sub-processors

To provide its services, the Publisher may engage specialised sub-processors.

As of the publication date of this Privacy Policy, the following sub-processors may be used:

  • Hosting Services: AWS;
  • Backup Services: AWS;
  • Distribution Services in New Caledonia: Xpertis.

All sub-processors are subject to appropriate confidentiality, security and data protection obligations.

Significant changes relating to sub-processors may be communicated through appropriate channels.

9 • Hosting and Security

The services are primarily hosted on AWS infrastructure using services certified as French Health Data Hosting (HDS) services.

The Publisher implements appropriate technical and organisational measures designed to ensure:

  • confidentiality;
  • integrity;
  • availability;
  • resilience of systems and services;
  • protection against unauthorised access;
  • protection against accidental loss, alteration or disclosure of Personal Data.

Such measures may include access controls, authentication mechanisms, activity logging, encryption technologies, network protection measures and security monitoring processes.

10 • Artificial Intelligence

Certain Platform functionalities rely on Artificial Intelligence technologies.

These functionalities are executed exclusively within infrastructure controlled by the Publisher.

Unless expressly authorised by the Customer:

  • Processed Data is not used to train shared or public AI models intended for third parties or other customers;
  • no Health Data is transmitted to public Artificial Intelligence services not authorised by the Customer.

Artificial Intelligence functionalities are intended solely as assistance tools.

They do not produce automated medical decisions within the meaning of Article 22 of the GDPR and shall never replace the analysis, judgement, supervision or validation of qualified healthcare professionals.

The Publisher implements appropriate safeguards to ensure the confidentiality, integrity and security of data processed through AI-powered functionalities.

11 • Cookies and Tracking Technologies

Our websites, applications and services may use cookies, tracking technologies and similar tools necessary for:

  • authentication;
  • security;
  • session management;
  • storing user preferences;
  • audience measurement;
  • service performance improvement;
  • technical diagnostics.

Strictly necessary cookies do not require prior consent under applicable laws.

Where cookies or tracking technologies require prior consent, such consent is collected through the mechanisms made available on the relevant services.

Users may modify their cookie preferences at any time through the settings or consent management tools provided.

Additional information regarding cookies and tracking technologies may be provided through dedicated cookie notices where applicable.

12 • Data Retention

Personal Data is retained only for as long as necessary to fulfil the purposes for which it was collected and to comply with applicable legal, contractual and regulatory obligations.

Retention periods may vary depending on:

  • the nature of the services used;
  • legal requirements;
  • contractual commitments;
  • security requirements;
  • healthcare-related obligations.

Deleted data may remain temporarily stored within backup systems for a maximum period of thirty (30) days before permanent deletion.

Where legally required, certain information may be retained for longer periods for compliance, audit or dispute-resolution purposes.

13 • Data Subject Rights

In accordance with applicable data protection laws, Data Subjects may exercise the following rights:

  • right of access;
  • right to rectification;
  • right to erasure;
  • right to object;
  • right to restriction of processing;
  • right to data portability;
  • right to withdraw consent at any time where processing is based on consent;
  • right not to be subject to unlawful automated decision-making;
  • right to establish instructions regarding the handling of their Personal Data after death where recognised by applicable law.

Where Personal Data relates to a patient record processed on behalf of a healthcare professional, requests should primarily be directed to the relevant healthcare professional acting as Data Controller.

The Publisher may provide reasonable assistance where appropriate and within the limits of its role as Data Processor.

14 • International Data Transfers

The Publisher prioritises the hosting and processing of Personal Data within the European Union.

Where certain processing activities exceptionally require transfers of Personal Data outside the European Economic Area (EEA), such transfers shall be carried out in accordance with applicable data protection laws and subject to appropriate safeguards, including where applicable:

  • adequacy decisions issued by the European Commission;
  • Standard Contractual Clauses (SCCs);
  • other lawful transfer mechanisms recognised under the GDPR.

15 • Changes to this Privacy Policy

This Privacy Policy may be updated from time to time to reflect:

  • changes in applicable laws or regulations;
  • technological developments;
  • organisational changes;
  • modifications to the services provided.

Where material changes are made, users may be informed through appropriate communication channels, including notifications within the Platform, websites or applications.

The date of the latest update will always be indicated at the beginning of this Privacy Policy.

16 • Contact Information

For any questions regarding this Privacy Policy or the protection of Personal Data, you may contact:

Orqual Group
1 Route de Fénétrange
67260 DIEDENDORF
France

For any request relating to the exercise of your rights under the GDPR, you may contact us at:

Email: privacy@kitview.com

We will make every reasonable effort to respond to your request within the time limits required by applicable data protection laws.

If, after contacting us, you believe that your data protection rights have not been respected, you may lodge a complaint with the French Data Protection Authority (Commission Nationale de l’Informatique et des Libertés – CNIL) or with the competent supervisory authority in your country of residence.