eMurmur Privacy Policy

This Privacy Policy was last updated on January 17th, 2022.

Application of this Privacy Policy

This Privacy Policy describes the ways in which CSD Labs International Inc. and our global affiliates (“eMurmur”, “CSD Labs GmbH”, “we”, “us”, or “our”) collect, use, and disclose Personal Information through the eMurmur application (the “Application”), related websites (the “Sites”), and related services (the such related services, Application and Sites are, collectively, the “Services”). “Personal Information” includes any information that can be used on its own or with other information to identify a single person or to identify an individual in context.

This Privacy Policy applies to Personal Information that we collect from health care providers, and their authorized users, who access or use the Services and are a customer of eMurmur, whether on a free or paid subscription, and visitors to the Sites (each a “User”, “you” or “your”). Please note that we also have a cookie policy and, to the extent there is a conflict with this Privacy Policy and our cookie policy, the cookie policy will apply.

By using the Services or submitting your Personal Information through the Services, you acknowledge that you have read about how we process your information as set our in this Privacy Policy, now and as amended, by us. Please do use the Services and do not submit any information through them if you have not read this Privacy Policy.

Information We Collect

We also collect Auscultation Data (defined below), which on its own, is not Personal Information and, therefore, not subject to this Privacy Policy.

How We Use Information and Basis for Processing

We may use the Personal Information we collect for a number of purposes. Our basis for processing your Personal Information depends on your jurisdiction. Where you are in the European Economic Area (“EEA”), UK or Switzerland, we have set out our basis for processing below. From time to time, we may also request your consent, in which case we will process on the basis of your consent.

Purpose of Processing Type of Personal Information Basis of Processing (EEA, Swiss and UK Personal Information)
To deliver and manage customer support and respond to inquiries. Contact Information
Usage Information
User Content
Legitimate interest
To provide you with information about the Services, or required notices. Contact Information Legitimate interest
To deliver marketing communications, promotional materials, or advertisements that may be of interest to you, and administer participation in special events, programs, offers, surveys, and other market research. Contact Information Legitimate interest
To improve the Services and/or to develop new products or services; perform quality control activities, conduct data analyses, and develop references for other users and/or health care providers to better understand symptoms or conditions, including training our algorithms. Contact Information
Usage Information
User Content
Legitimate interest
To customize your experience when using the Services, such as by providing interactive or personalized elements and content on the Services. Contact Information
Usage Information
User Content
Performance of contract and legitimate interest
To aggregate and de-identify certain Personal Information and use and share the resulting data for business purposes. Contact Information
Usage Information
User Content
Performance of contract and legitimate interest
To detect, prevent, and respond to fraud, intellectual property infringement, violations of our terms of use or other legal agreements, violations of law, or other misuse of the Services. Contact Information
Usage Information
User Content
Performance of contract and legitimate interest

We also may combine or aggregate any of the Personal Information we collect through the Services for any of these purposes. We may send you emails, text messages, and push notifications to your mobile device, if you have them enabled, to verify your account and for informational and operational purposes, such as account management, providing instructions, alerts, reminders, customer service, system maintenance, and other Service-related purposes.

How We Share Information

We may disclose the Personal Information we collect from you through the Services:

Please note that we may also use third-party web analytics services on our Services, such as those of Google Analytics. The analytics providers that administer these services use technologies such as cookies, web server logs and web beacons collect usage information matched to an IP address to help us analyze how visitors use the Sites and improve the overall experience of the Sites. The analytics providers may also collect information about your use of other websites over time, if those websites also use the same analytics providers. To learn more about Google Analytics and how to opt out, please visit http://www.google.com/analytics/learn/privacy.html.

Third Party Links

The Services may contain third-party links. You acknowledge that we are not responsible for the collection and use of your Personal Information by such third parties that are not under our control. We encourage you to review the privacy policies of each website you visit.

Data Retention and Deletion

We store your Personal Information for as long as you maintain an account and for such additional time as we need to in order to meet the purposes for which the Personal Information was created or such longer time as is required by law. At the end of this period, we will remove your Personal Information from our databases. When we delete any Personal Information, it will be deleted from the active database, but may remain in our backup archives and deleted in the ordinary course (i.e., when no longer needed for the basis for which it is retained). In the specific case of your account for the Services, we retain your Personal Information for up to 90 days after your account is disabled or terminated, after which point it is deleted.

Data Transfers and Processing

eMurmur typically manages Personal Information transfers, storage, and processing from its premises in Austria, but we offer the Services in many different countries and we, and our affiliates and service providers, may maintain databases in different countries. We may transfer your data outside your country of domicile, for the purposes for which we process Personal Information (set out above) potentially including countries which may not provide the same level of protection for your Personal Information as your home country, and may be available to the local government or its agencies under a lawful order.

If you are located in the EEA, please note that we have implemented safeguards, which may include the EU/UK Standard Contractual Clauses, to ensure your Personal Information is protected when transferred, in accordance with applicable data transfer restrictions.

How We Protect Information

We strive to maintain reasonable administrative, technical, and physical safeguards designed to safeguard the Personal Information collected by the Services. However, no information system can be 100% secure, so we cannot guarantee the absolute security of your Personal Information. Moreover, we are not responsible for the security of Personal Information you transmit to the Services over networks that we do not control, including the Internet and wireless networks.

We will not send you an email requesting confidential information such as account numbers, usernames, passwords, or social security numbers, and you should NEVER respond to any email requesting such information. If you receive such an email claiming to be from eMurmur, you should not respond to such email or open any links or attachments to the email. You should notify eMurmur immediately if you receive such an email.

You are responsible for taking reasonable precautions to protect your username, password, and other account information from disclosure to third parties, and you are not permitted to circumvent the use of required encryption technologies. You should immediately notify eMurmur if you know of or suspect any unauthorized use or disclosure of your username, password, and/or other User account information, or any other security concern.

Your Choices

If you no longer wish to receive marketing communications from us, or if you wish to inquire about or make corrections to of the Personal Information we have collected about you, please submit a request to office@emurmur.com.

You may also opt out of receiving marketing emails by using the unsubscribe information available in our promotional emails. Please note that you may not opt-out of receiving non-promotional messages regarding your account, such as technical notices, purchase confirmations, or Services-related emails.

If you are an EU data subject, the GDPR may apply to the Personal Information we collect from you. If so, you have the following rights under certain circumstances:

Your rights to your Personal Information may be limited in some circumstances by local legal requirements. Note however that if you exercise your rights, in some cases, we may not be able to provide to you some of the features and functionalities of the Service.

Minor’s Information

The Services are not directed to, nor do we knowingly collect Personal Information from, any one under the age of majority without parental/guardian consent. If you have reason to believe that we may have collected a minor’s Personal Information without parental/guardian consent, please contact us at the contact information listed below.

Changes to this Privacy Policy

If we update this Privacy Policy, we will notify you by posting a new Privacy Policy on this page. If we make any revisions that materially change the ways in which we use or share the Personal Information previously collected from you through the Services, we will give you the opportunity to consent to such changes before applying them to that Personal Information to the extent required by law.

Processing as Processor

This section of the Privacy Policy discusses Personal Information we process in our capacity as a processor for informational purposes only. This Privacy Policy does not apply to any patients of one or more of our participating Users (“Patient”) and their Patient Information (defined below) is sent to the Application and the Services, such as where the Patient’s primary care provider is a User. When we collect Patient Information, we only do so in our capacity as a processor acting on behalf of the relevant User. Patients should direct all questions, concerns and requests to the User that is the controller of their Personal Information (i.e., their care provider).

“Patient Information” means health-related Personal Information about an individual Patient that eMurmur collects in its capacity as a processor acting for a controller User. Patient Information includes anything collected by a User or that Patients upload to the Application or otherwise submit to or make available to eMurmur. This includes Personal Information about health conditions, personal traits, medications, activity levels, ethnicity, and/or family history. This information will evolve as we further develop the Services and Application and may include, without limitation, Patient name, Patient date of birth, patient ID and Patient’s medical history. We also collect “Auscultation Data”, which includes recorded heart sounds, lung sounds, bowel sounds, other bodily sounds, all other data related to auscultation, location on the body where the sounds were recorded, position of the Patient while a recording was made, interpretation of the recorded sounds, description of the recorded sounds, provider commentaries, suspected and/or diagnosed condition, heart rate, breathing rate, device accelerometer data, and other recorded data, including information relating to data acquisition. As mentioned above, Auscultation Data is not Personal Information alone as it cannot be used to identify an individual (i.e., it is not like a fingerprint—it alone does not identify an individual).

The controllers of the Patient Information of which we are the processors may use your Personal Information for a number of purposes and you should contact them or view their privacy notice to understand that processing. The purposes of such processing may include to:

We also anonymize Patient Information by removing identifiers (i.e., separating out the Auscultation Data). Anonymized data cannot be used to identify an individual and is unable to be re-identified and is no longer considered Personal Information. We may process anonymized information for any purpose and such processing is not subject to this Privacy Policy.

eMurmur may share the research and analyses in anonymized format with its affiliates, agents, Users, Users’ affiliates, and other healthcare research and services entities. The research and analysis disclosed to such third parties cannot be used to identify an individual personally and cannot be re-identified. Any anonymized information that we collect or create is not Personal Information and therefore not subject to this Privacy Policy.

Contact Us

eMurmur has a data protection officer and privacy officer who is responsible for matters relating to privacy and data protection and who can be contacted at the information below.

If you have any questions about this Privacy Policy or our use of your Personal Information collected through the Services, please contact us at office@emurmur.com, or at the following address:

Global, excluding Europe:
CSD Labs International Inc.
Attn: Privacy Officer
78 George St, Suite 204
Ottawa, Ontario, K1N 5W1

CSD Labs GmbH
Attn: Privacy Officer
Nikolaiplatz 4
8020 Graz


eMurmur processes Personal Information both as a processor and as a controller, as defined under the GDPR. With respect to the Personal Information that eMurmur processes on your behalf, you represent and warrant that you have established an appropriate legal basis or bases to allow eMurmur to process such Personal Information. The following terms supplement this Privacy Policy with respect to our processing of European Economic Area (i.e., European Union Member States, Iceland, Lichtenstein and Norway), Swiss and the UK Personal Information. To the extent applicable, in the event of any conflict or inconsistency between the other parts of this Privacy Policy and the terms of this Section, this Section will govern and prevail with regards to the processing of EEA, Swiss and UK Personal Information. We also process Patients’ Personal Information, including health information, in accordance with Articles 6 and 9 of the GDPR. We process this information on behalf of their healthcare provider to assist them or their affiliates (i.e., our Users). We may also process health data to provide, develop, or improve the Services. Under Article 6, processing is necessary for the purposes of our legitimate interests, which include providing these Services to our customers and to the Controllers of the Personal Information and developing and improving our Services. Under Article 9, such processing is necessary in the interest of public health (including ensuring high standards of quality of health care, of our devices, and of our Services) and/or necessary for scientific research purposes.