Patient information

Our commitments for the protection of patient data
Our research projects
Research data

Health data

Waiv is a health technology company on a mission to develop AI diagnostic tests for oncology patients, and thereby accelerate access to precision medicine and next-generation therapies.

To do this, Waiv and their partners carry out research projects that use certain patient data (such as health, genetic, and ethnicity-related data). These data were originally collected during patient care or earlier biomedical research by hospitals, research organizations, or companies that work with us (the "Waiv Network").

Although Waiv needs to process this data to fulfill our mission, Waiv is fully committed to respecting all data protection laws that apply to us and our partners. This includes the General Data Protection Regulation (GDPR) in Europe, its local implementations in the European Economic Area, the UK Data Protection Act 2018, the UK GDPR, and Switzerland's Data Protection Act.

The datasets used by Waiv are:

Preselected
Preselected

Preselected by each member of Waiv Network to meet the inclusion and exclusion criteria of the research projects described below.

Pseudonymized
Pseudonymized

Pseudonymized and/or de-identified (or fully anonymized when possible) by each Waiv Network member before being shared with Waiv and/or its partners.

Reused
Reused

Reused only for secondary research aimed at supporting public health, improving the quality and safety of healthcare, medicinal products, or medical devices, or for sharing scientific knowledge through publications.

Waiv and its partners are aware that patients’ health data, and more generally any personal data — even if pseudonymized or de-identified — must be treated as sensitive information. Patients also have the right to know the research purposes for which their data is used. That is why we have chosen to increase transparency about the use of patient data for research, in particular by creating this webpage to explain how Waiv and its partners use patients’ personal data for research purposes.

Our most commonly asked questions

What are the purposes for which Waiv and its partners could process patient data?

Waiv and its partners are using pseudonymized and/or de-identified data for their own research projects, especially involving AI technologies. Examples of their research projects include:

  • developing precision tests and diagnostics to improve how diseases are diagnosed or predicted.
  • identifying new biomarkers or new targets that could lead to new treatments.

When conducting its research project, Waiv and its partners only used patient data which is strictly necessary and always processed it securely as described on this page.

Read more
Arrow
What are the measures implemented by Waiv and its partners to ensure the security of the processing of patient data?

When conducting its research project, Waiv and its partners, both acting as independent controllers, commit to the following:

Non-direct identifying information

Waiv and its partners only use patient’s personal data that has been pseudonymized or de-identified before they access it. Except for specific cases, like quality control as allowed by applicable laws and regulations, Waiv and its partners never access information that could directly identify the patients. Each patient’s data is assigned a code, and only Waiv Network members who provide the data keep a record linking this code to the patient’s identity in their own healthcare databases. As a result, the data shared with Waiv and its partners does not contain any information that could directly reveal a patient’s identity.

Data privacy compliance

Waiv and its partners are committed to processing personal data — especially sensitive information like health data — in line with all applicable laws and regulations. Because Waiv is a French based company, it follows French data protection laws, which are among the strictest in the European Union when it comes to protecting individuals’ rights.

International transfer of data

Waiv uses cloud service providers with servers located in the same region as the region as its research partners providing access to the data is established. For example, data from European centers is stored in Europe by providers certified under the French health data hosting standard (HDS), while data from North Americans centers is mainly stored in North America.

Furthermore, when technically possible, Waiv encourages the processing of European citizens’ data by its employees, affiliates, partners and service providers, located in the European Economic Area. However, if for the needs of their research activities, Waiv and/or its partners has to transfer data of European patients (including British and/or Switzerland), to partners, service providers and/or Waiv’s affiliates established outside of Europe, Waiv will ensure that adequate and appropriate safeguards are implemented, as required by the GDPR, the UK Data Protection Act and the Swiss Data Protection Act when applicable. For example, this could be done by entering into standard contractual clauses approved by the European Commission, as well as the specific clauses approved by the UK Information Commissioner Office and/or the Swiss Federal Data Protection and Information Commissioner when applicable. For more detailed information on the safeguards, patients can contact Owkin’s data protection officer with the details provided below.

Ethical and scientific validation

Waiv and its partners ensure their research projects are aligned with the relevant ethical and scientific standards. When required by the applicable laws and regulations, the scientific protocols are evaluated by local ethical committees.

Privacy by design

As part of its research activities, Waiv adheres to the “Privacy by Design” principle from the earliest stages of its technologies development. Aware of the sensitive nature of personal data - particularly health data - Waiv adopts a proactive approach to ensure that privacy protection is embedded throughout the entire lifecycle of its technologies, from design to deployment. Data processing is limited to what is strictly necessary, secured through robust technical and organizational measures (such as encryption, pseudonymization, and access control), and supported by clear and transparent documentation. This approach ensures sustained compliance with the GDPR while reinforcing the trust of healthcare professionals and patients alike.

Read more
Arrow
What are the rights of patients when their data is processed by Waiv or its partners?

Patients whose data is processed by Waiv and/or its partners are free to object to the processing of their data in any research projects conducted by Waiv and/or its partners. At any time and upon simple request, patient may (i) have access to their data processed by Waiv and/or its partners; (ii) obtain a copy of their data; (iii) obtain the correction of inaccurate or incomplete data concerning them; (iv) obtain the deletion of their data; (v) object to and/or request the restriction of the processing of their data.

Read more
Arrow
How can patients exercise their rights?

Each patient may, at any time, exercise its rights by contacting Waiv’s data protection officer at the following address (request must be accompanied by valid proof of identity and the name of the healthcare center where the patient has been treated):

  • By post: to the attention of the Waiv Data Protection Officer, 14-16 Boulevard Poissonnière, 75009, Paris France;
  • By email: dpo@owkin.com.

Some research projects entail the training or validation of artificial intelligence tools or the questioning of patient databases to provide scientific outputs (e.g. agentic AI, foundation models…). Patients should be informed that, once their data has been used for training and validation, their ability to exercise certain data protection rights may be limited due to technical grounds. In addition, certain data collected in advance may not be deleted if such deletion is likely to make it impossible or seriously compromise the achievement of the research projects’ objectives.

Patients can find further information in the general patient information notice that can be downloaded here.

Read more
Arrow

Research projects

RlapsRisk® BC Validation
Objectives of study

The objective of the study is to quantify the contribution of artificial intelligence models on the prediction of the risk of relapse in patients with HER2-/ER+ early breast cancer and to validate the performance of the diagnostic tool developed by Waiv and Gustave Roussy for the purpose of its CE marking.

Data controller

Owkin Dx

Partners providing access to patient data for the study
  • Unicancer (based in Paris - French Academic Partner
  • Institut Curie (based in Paris - French Academic Partner)
  • Cypath-RB (based in Villeurbanne - French Non-Academic Partner)
Type of data

Personal health data

Legal basis for processing
  • Under Article 6 (GDPR): legitimate interest of Waiv to perform its research projects to develop, improve or validate its AI tools for better patients medical care or treatments (a LIA has been performed to assess the balance between the benefits for Waiv and risk for the patients)
  • Under Article 9 (GDPR): the public interest in public health as the study will ensure high standards of quality and safety of health care and medical devices
  • Under French law: compliance with MR004
Waiv's DPO contact
dpo@owkin.com
Arrow
Clinical Validation of MSIntuit® CRC
Objectives of study

To validate the clinical performances of MSIntuit CRC on retrospective cohorts of patients with primary colorectal cancer from multiple centers.

Data controller

Owkin Dx

Partners providing access to patient data for the study
Type of data

Non-sensitive personal data and sensitive data (such as health data)

Legal basis for processing
  • Under Article 6 (GDPR): legitimate interest of Waiv to perform its research projects to develop, improve or validate its AI tools for better patients medical care or treatments (a LIA has been performed to assess the balance between the benefits for Waiv and risk for the patients)
  • Under Article 9 (GDPR): the public interest in public health as the study will ensure high standards of quality and safety of health care and medical devices
  • Under French law: compliance with MR004
Waiv's DPO contact
dpo@owkin.com
Arrow
MSI Pan-Tumor Dx
Objectives of study

The overall objective of this Project is for Waiv to develop digital pathology CE-IVD diagnostic devices to aid in pre-screening microsatellite instability status across several types of cancer.

Data controller

Owkin Dx

Partners providing access to patient data for the study
  • Het Ziekenhuisnetwerk Antwerpen vzw (Antwerp – Belgium - Academic Partner);
  • Gasthuiszusters Antwerpen vzw (Antwerp – Belgium - Academic Partner);
  • Assistance Publique - Hôpitaux de Paris (Paris – France - Academic Partner);
  • Gustave Roussy (Paris – France - Academic Partner).
  • Aigora GmbH (München – Germany - Industrial Partner);
  • Baylor Scott & White Health (Dallas, Texas – United States of America - Academic Partner);
  • Cooper Health (Camden, New Jersey – United States of America - Academic Partner);
  • Vall d'Hebron Research Institute (VHIR) (Barcelona – Spain - Academic Partner).
  • University Hospitals Birmingham NHS Foundation Trust (Birmingham – United Kingdom - Academic Partner);
  • CureCollect Ltd (London – United Kingdom - Academic Partner).
Type of data

Non-sensitive personal data and sensitive data (such as health data)

Legal basis for processing
  • Under article 6 (GDPR): legitimate interest of Waiv to perform its research projects to develop, improve or validate its AI tools for better patient’s medical care or treatments (a LIA has been performed to assess the balance between the benefits for Waiv and risk for the patients);
  • Under article 9 (GDPR): scientific research purpose.
  • Compliance with MR-004
Waiv's DPO contact
dpo@owkin.com
Arrow