Privacy Policy

Tensi+ application

Last updated: 18/05/2026

Effective date: 01/06/2026

1. Introduction

Stimuli Technology (“we”, “us”, “our”) places great importance on the protection of your personal data and health data.

This Privacy Policy describes how we collect, use, store, and protect your data when you use:

the Tensi+ patient mobile application;
the professional web application accessible at app.tensiplus.com;
our associated technical services (together, the “Services”).

It is established in accordance with Regulation (EU) 2016/679 of 27 April 2016 (GDPR) and applicable data protection laws.

We apply the principle of data minimisation, collecting only the information strictly necessary for the purposes described in this Policy.

By using the Services, you accept this Privacy Policy. If you do not accept it, you are invited not to use the Services.

2. Data Controller

Data Controller: Stimuli Technology

Address: 20bis rue Barthélémy Danjou, 92100 Boulogne Billancourt

Country: France

Privacy contact: privacy@stimuli-technology.com

Data Protection Officer (DPO): Akshaya Mariadassou

Within the Services:

For the Patient Application: Stimuli Technology acts as data controller.

For the Professional Platform:

- Stimuli Technology also acts as data controller for processing necessary for technical operation, security, maintenance, and improvement of the Platform;

- Stimuli Technology acts as a processor for data processing carried out on behalf of healthcare professionals, in the context of patient monitoring, where the healthcare professional acts as an independent data controller.

The qualification of roles depends on the purposes pursued and the actual responsibilities of each party.

3. Data We Collect

We collect only the data strictly necessary for the operation of the Services.

3.1 Patient Data

When creating and using a patient account, we collect:

account identifiers (email, encrypted password);
profile information (first name, last name, age, gender, declared location);
tracking data within the application.

3.2 Healthcare Professional Data

When registering on the professional web application, we collect:

account identifiers (email, encrypted password);
profile identifiers (first name, last name, specialty).

3.3 Health Data

In the course of using the Services, we process health data within the meaning of Article 9 GDPR, including:

bladder diary data;
treatment session data;
reports generated through the Services.

Health data is processed only to the extent necessary to provide monitoring functionality. It is accessible only to authorised users (the patient concerned and explicitly authorised healthcare professionals) strictly within the scope of the service.

It is not processed for commercial or advertising purposes.

3.4 Connection Data Between Patient and Healthcare Professional

When you connect with a healthcare professional, we process:

creation and management of the patient–professional relationship;
access and revocation of this relationship;
data made accessible within this relationship.

3.5 Technical Data

We also collect:

IP addresses;
device type and operating system;
connection and security logs;
application version.

3.6 Communications

When you contact support, we retain communications and the information provided.

4. Purposes and Legal Bases

Why do we use your data?

We use your data to:

operate the application (tracking, account management, access to features);
provide a monitoring service;
allow, if you choose, sharing your data with a healthcare professional;
ensure security and proper functioning of the system;
comply with legal obligations.

4.1 Service Provision

account creation and management;
access to application features;
storage and display of tracking data.

Legal basis: performance of a contract.

4.2 Health Data Processing

monitoring and display of health data;
generation of reports and indicators;
controlled sharing with a connected healthcare professional.

Legal basis: performance of a contract for necessary processing; explicit consent of the user for health data processing (Article 9 GDPR).

4.3 Communication and Notifications

push notifications (FCM) related to service usage;
reminders configured by the user.

Notifications do not contain health data.

Legal basis: contract performance / consent depending on configuration.

4.4 Statistics and Service Improvement

anonymised or aggregated usage analysis.

Legal basis: legitimate interest.

4.5 Security and Compliance

fraud prevention;
system security;
legal obligations.

Legal basis: legal obligation and legitimate interest.

5. Data Recipients

Your data may only be shared with the following recipients:

5.1 Healthcare Professionals

Patients may choose to connect their account with a healthcare professional. Access is granted only after explicit patient authorisation (unique code). This connection may be revoked at any time.

5.2 Technical Service Providers

We use strictly controlled service providers:

Amazon Web Services (AWS, Paris region – eu-west-3): hosting, databases, storage, processing;

Claranet: HDS-certified infrastructure management and hosting provider, including monitoring, security, and operations;

Google Firebase Cloud Messaging (FCM): push notifications.

These providers act as processors under Article 28 GDPR.

5.3 Authorities

We may disclose data to authorities where legally required.

We never sell your personal data.

5.4 Push Notifications (Firebase Cloud Messaging)

We use Google Firebase Cloud Messaging (FCM) to send push notifications. These notifications serve a purely technical purpose and are used to inform users of events related to the use of the Services. They do not contain any health data. The notifications are designed so as not to contain any sensitive or personally identifiable information.

Only the technical data necessary (e.g., notification identifiers) is used to ensure their proper functioning.

6. Transfers of Data Outside the European Union

Data is primarily hosted within the European Union on Amazon Web Services infrastructure located in France (eu-west-3 – Paris).

AWS acts as a data processor within the meaning of the GDPR. Data processing is governed by AWS’s standard contractual terms, including the Data Processing Addendum (DPA), which is incorporated into AWS’s terms of service and automatically applies when using AWS services.

This DPA includes contractual safeguards compliant with the General Data Protection Regulation (GDPR), notably the standard contractual clauses adopted by the European Commission.

In certain exceptional cases, technical or support operations may involve remote access from countries outside the European Union. Such access is strictly governed by appropriate safeguards in accordance with the GDPR.

AWS also provides data protection mechanisms recognized by the European Commission, such as the EU–U.S. Data Privacy Framework (DPF) where applicable.

These measures ensure a level of data protection that complies with GDPR requirements.

7. Data Retention

We retain your data only for as long as necessary for the operation of the service.

- Active account

While your account is active, your data is stored within our systems (account data, health data, technical data, and authentication information).

- Account deletion

When you delete your account, you are immediately removed from our authentication system. Your account and health data are then anonymized in our database, meaning they can no longer be linked to your identity.

This anonymized data is retained for 7 years and 8 days, after which it is automatically deleted.

- Technical logs

Technical logs are stored in our systems for security and service operation purposes. Data is retained for a year, after which it is automatically deleted. 

8. Security and Hosting

We implement appropriate technical and organisational measures to protect your data, including:

secure AWS hosting within the EU;
HDS-certified hosting environment via an HDS-certified managed service provider;
strict access control to health data;
logging and traceability of access;
security monitoring and incident detection;
regular backups and disaster recovery plans;
authentication and access management mechanisms adapted to data sensitivity.

Access to health data is strictly limited to authorised persons.

No method of transmission or storage is completely secure, but we apply high standards appropriate to the data processed.

Security measures may be reassessed in order to maintain a level of protection appropriate to the sensitivity of the health data being processed.

9. Your Choices

You may at any time:

stop using the application;
remove access to a connected healthcare professional;
request deletion of your account and data;
disable notifications.

For more information on data deletion, please refer to Section 11.

10. Your Rights

You have the following rights:

right of access;
right to rectification;
right to erasure;
right to restriction of processing;
right to object;
right to data portability.

You may exercise your rights by contacting: privacy@stimuli-technology.com.

Your request will be processed within a maximum period of 30 days (extendable by 2 months in cases of complexity).

We may ask you to provide proof of identity.

You also have the right to lodge a complaint with the competent supervisory authority, in particular the CNIL in France.

11. Account Deletion

Users may request account deletion at any time via their account by clicking on “Delete account” or by contacting privacy@stimuli-technology.com.

In order to protect personal data and prevent any fraudulent deletion, we may request additional information or proof of identity when there is reasonable doubt regarding the identity of the requester.

A logical deletion of the account may be applied immediately, followed by the deletion or gradual anonymization of the data, subject to applicable legal retention obligations.

12. Cookies and Trackers

We use cookies in the following ways:

- Connection and sessions

We use a technical cookie that is essential for the proper functioning of the application to keep you logged in. This cookie allows you to remain connected without having to log in each time you use the application. It remains active until you choose to log out.

- Security of login information

Login information is never stored permanently on your device (neither in browser storage nor elsewhere). Authentication data is only temporarily stored in memory and is automatically deleted when you close the application or tab.

- Language preferences

We use local storage on your device solely to remember your language preference in order to improve your experience. No identifying data or health data is stored for this purpose.

13. Data of Minors

The Services are not intended for individuals under the age of 16.

Any use of the Services by a minor must be carried out under the supervision and responsibility of their legal guardian.

14. Changes

We may modify this Privacy Policy at any time. In case of significant changes, users will be informed by appropriate means.

The update date at the top of the document will be systematically updated.

15. Contact

Stimuli Technology

20bis rue Barthélémy Danjou, 92100 Boulogne Billancourt, FRANCE

Email: privacy@stimuli-technology.com