Privacy Policy
Last updated: 29 March 2026 · Effective immediately
This Privacy Policy describes how SymbioWave Technologies SUARL ("SymbioWave", "we", "us") collects, processes, and protects personal data in connection with FieldOrchestrator — our enterprise pharmaceutical SFE platform. It applies to all SaaS deployments. On-Premises deployments are covered in Section 12.
1. Who We Are & Scope
SymbioWave Technologies SUARL is a technology company that develops and operates FieldOrchestrator, a platform designed for pharmaceutical companies to manage their field sales forces. This policy applies to: (a) Customer administrators who create and manage workspaces; (b) Users (field representatives, managers) who access the Platform; (c) Healthcare Professionals (HCPs) whose professional data is managed within the Platform by Customers.
2. Data Controller & Processor
SaaS Deployment (Cloud by SymbioWave)
SymbioWave acts as Data Processor on behalf of the Customer (Data Controller) for HCP and operational data. SymbioWave acts as independent Data Controller for User account data required to operate the Platform and for data processed for billing, security, and legal compliance purposes.
On-Premises Deployment (Sovereign)
The Customer is the sole Data Controller and primary Data Processor for all data stored on their infrastructure. SymbioWave acts as a limited Sub-processor only for AI and routing function calls processed through the Engine API, receiving only minimal function-call context. No Customer database content is transmitted to SymbioWave.
3. Personal Data We Collect
User Account Data
- Full name and professional email address
- Hashed password (Argon2id)
- Role and territory assignment
- Home/base geographic coordinates (field representatives)
- Last-seen timestamp and session data
- Phone number (where provided)
HCP Professional Data
- Full name, title, specialty, and medical institution
- Professional address and geographic coordinates
- Contact details (professional phone and email)
- Engagement metrics: visit frequency, receptivity score, adoption stage
- Commercial data: prescribing potential, Rx volume index, tier classification
- Visit history and engagement notes (managed by Customer)
Visit & Activity Data
- GPS check-in/check-out coordinates and timestamps
- Visit duration, notes, objections, and follow-up actions
- Visit photos uploaded to secure cloud storage
- Product reactions and prescription intentions recorded by representatives
- Offline visit queue data (encrypted in IndexedDB on device)
Technical & Usage Data
- IP address (captured for audit logging and rate limiting)
- Browser and device type (for compatibility)
- Error events and stack traces (via Sentry, production only)
- API usage logs (action type, timestamp, entity affected)
4. How We Use Your Data
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Platform service delivery (territory planning, routing, visit management) | All Customer Data | Contractual necessity / Legitimate interest |
| User authentication and session management | Email, password hash, session tokens | Contractual necessity |
| AI-powered pre-call briefs and analytics | Minimal HCP context (name, specialty, score) | Legitimate interest |
| Audit logging and compliance evidence | User actions, IP, timestamps | Legal obligation / Legitimate interest |
| GDPR erasure and legal hold processing | HCP PII on request | Legal obligation |
| Platform security, fraud prevention, rate limiting | IP address, device data | Legitimate interest |
| Service communications (alerts, notifications) | Admin email addresses | Contractual necessity |
| Service improvement (aggregated, anonymised) | Usage metrics (no PII) | Legitimate interest |
5. Artificial Intelligence Processing
FieldOrchestrator uses Anthropic Claude (claude-haiku-4-5 by default) to generate pre-call visit briefs and to process natural language analytics queries. We apply a strict minimal-data principle:
- Only the HCP's last name, professional specialty, and engagement score are sent to Anthropic;
- Full HCP PII (address, phone, email, full name) is never transmitted to Anthropic;
- AI responses are cached for a maximum of 4 hours and then purged;
- Customer Data is never used to train Anthropic or SymbioWave AI models;
- Output tokens are strictly limited (128–1,536 tokens per call) to prevent data leakage in responses.
For On-Premises deployments, all AI calls are proxied through SymbioWave's Engine API. No data from the Customer's local database is transmitted directly to Anthropic.
6. Data Sharing & Sub-processors
SymbioWave does not sell Customer Data. We share data only with the following sub-processors, each bound by data protection obligations consistent with GDPR Article 28:
| Sub-processor | Role | Location | Data Shared |
|---|---|---|---|
| Supabase | PostgreSQL database hosting (multi-tenant, SaaS only) | EU (Germany, eu-central-1) | All Customer Data at rest |
| Vercel | Application runtime & serverless functions (SaaS only) | EU (Frankfurt, fra1) | Request processing, logs (no persistent PII storage) |
| Anthropic | AI inference (Claude API) | USA (California) | Minimal HCP context: last name, specialty, engagement score only |
| Google Cloud Platform | Route optimisation (OSRM/VROOM), file storage (GCS), secrets management | USA / EU (multi-region) | Geographic coordinates for routing; report files and visit photos |
| Resend | Transactional email | EU (Estonia) | User email addresses, notification content |
| Sentry | Error monitoring (production only) | USA | Stack traces, request context (no intentional PII) |
7. Cookies & Local Storage
fo-session (NextAuth)
Essential — HttpOnly, Secure, SameSite=Lax
Authentication session management. Expires: 8 hours (30 days with 'Remember me')
fo_locale
Functional — SameSite=Lax
Stores user language preference (en/fr). Max-age: 1 year.
IndexedDB: fo-offline-queue
Functional — encrypted (AES-GCM)
Stores encrypted visit data for offline sync. Cleared after successful server sync.
We do not use advertising, tracking, or analytics cookies. No third-party cookies are set by FieldOrchestrator.
8. Data Retention
| Data Type | Retention Period | Method |
|---|---|---|
| Visit logs (check-in/out, notes, GPS) | 2 years | Automated monthly deletion job |
| AI pre-call brief cache | 4 hours | Automatic cache expiry |
| HCP records (active) | Duration of subscription | Soft-delete on Customer request; GDPR erasure on verified request |
| User accounts | Duration of subscription + 30 days | Deleted after account closure |
| Audit logs & compliance evidence | Indefinite (legal obligation) | Append-only, hash-chained; never auto-deleted |
| Session tokens | 8 hours (30 days with Remember Me) | Automatic expiry |
| Visit photos (GCS) | 2 years or until GDPR erasure | Deleted with associated visit log |
| Post-termination Customer Data | 30 days available for export | Securely deleted after 30 days |
9. Your Rights (GDPR & Applicable Law)
Where GDPR or applicable data protection law applies, data subjects have the following rights. Requests should be submitted to dpo@symbiowave.com or, for HCP data, through the Customer's designated administrator:
Right of Access (Art. 15)
Request a copy of your personal data held in the Platform.
Right to Rectification (Art. 16)
Request correction of inaccurate personal data.
Right to Erasure (Art. 17)
Request deletion of HCP PII through the Platform's dual-control GDPR erasure workflow. Legal hold overrides erasure.
Right to Restriction (Art. 18)
Request restriction of processing pending correction or objection.
Right to Data Portability (Art. 20)
Request export of your personal data in machine-readable format.
Right to Object (Art. 21)
Object to processing based on legitimate interest.
Right not to be subject to automated decisions
AI outputs in FieldOrchestrator are advisory only; no automated decisions with legal effect are made solely by AI.
Right to lodge a complaint
Lodge a complaint with your national supervisory authority (e.g., CNIL in France, ICO in the UK).
10. International Transfers
Customer Data is primarily stored and processed within the EU (Supabase EU Central 1, Vercel Frankfurt). However, certain sub-processors are located outside the EU/EEA:
- Anthropic (USA): Only minimal, sanitised HCP context is transferred. Standard Contractual Clauses (SCCs) apply.
- Google Cloud Platform (USA/multi-region): Geographic coordinates for routing and report file storage. SCCs apply via Google Cloud DPA.
- Sentry (USA): Error traces in production. SCCs apply. No PII is intentionally included in error payloads.
11. Security Measures
- Passwords hashed with Argon2id (or Bcrypt for legacy accounts);
- TLS 1.2+ for all data in transit;
- Session cookies: HttpOnly, Secure, SameSite=Lax, RS256-signed JWT;
- Offline visit data: AES-GCM encrypted with a session-derived key;
- Role-based access control (RBAC) with four access levels;
- Login rate limiting: 5 attempts per 15 minutes per email;
- Immutable audit log with SHA-256 hash chaining;
- GDPR erasure: dual-control, multi-step approval process;
- Production secrets: stored in GCP Secret Manager, never in source code;
- On-Premises: Cloudflare Access with MFA for edge authentication.
12. On-Premises Deployment
In an On-Premises deployment, the Customer's database (PostgreSQL), application server, and cache (Redis) run exclusively within Customer's own infrastructure. SymbioWave has no direct access to Customer Data stored on these systems.
The only outbound data from an On-Premises installation to SymbioWave infrastructure is: (a) minimal AI context sent via the Engine API proxy for pre-call brief generation; (b) road network coordinate data sent for route optimisation. In both cases, no full HCP PII is transmitted. SymbioWave's Engine API credentials (x-fo-engine-key) are unique per deployment and issued during bootstrap. Customers retain full data sovereignty.
13. Pharma-Specific Considerations
FieldOrchestrator is designed for commercial HCP engagement data only. It is not intended for, and must not be used to store, Patient Health Information (PHI), clinical trial data, or any information that would qualify as health data under HIPAA, the French loi Jardé, or equivalent regulations.
Customers operating in regulated jurisdictions (France, EU, GCC) are responsible for ensuring their use of FieldOrchestrator complies with local pharmaceutical promotion regulations (ANSM, LEEM, EFPIA codes), Sunshine Act equivalent transparency reporting requirements, and any applicable HCP data consent obligations. SymbioWave's dual-control GDPR erasure workflow supports compliance with Art. 17 GDPR right-to-erasure obligations for HCP data. Legal hold functionality preserves records during litigation.
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered workspace administrators by email at least 30 days before material changes take effect. The 'Last updated' date at the top of this page indicates when the policy was last revised. Continued use of the Platform after the effective date constitutes acceptance of the updated policy.
15. Contact & DPO
For privacy inquiries, Data Processing Agreements, GDPR erasure requests, or to exercise your data subject rights:
SymbioWave Technologies SUARL
© 2026 SymbioWave Technologies. All rights reserved.