mySugr GmbH
Privacy Notice

Version dated September 25, 2018

The applicable version of this privacy notice can be viewed and downloaded as a PDF from our website www.mysugr.com

1. INTRODUCTION

1.1 Responsible entity

1.1.1 mySugr GmbH, located in Vienna at the business address Trattnerhof 1/5 OG, 1010 Vienna and registered in the Company Register of Vienna Commercial Court under FN 376086 v (“mySugr”), is the stated responsible entity under the data protection regulations. In other words we are the company that decides on the purpose and means of processing the personal data of our users (“User Data”) and is therefore responsible for its security and compliance with the applicable laws.

1.1.2 As the responsible entity we are subject, for example, to information requirements that we wish to fulfill in connection with this privacy notice. We also provide additional information within our products, e.g. we may ask you for a new consent or explain the consequences of revocation. The information in our products does not contradict this privacy notice, but rather supplements it with brief and easily readable information so that you can make decisions more easily. This privacy notice and the additional information are easily accessible at any time from within our products.

1.2 Structure and consent concept

1.2.1 This privacy notice informs you about the purposes and scope of processing your User Data, as well as data transfers, and your extensive rights. As our offer is exclusively aimed at persons with diabetes, your use typically already provides information on your health condition. We therefore only process User Data as health data with your consent. We differentiate as follows:

1.2.1.1 “Necessary Processing” describes how we process the User Data required to fulfill the contract. Without this consent the use of our products is not possible from a legal and a factual point of view because our services depend on this processing.

1.2.1.2 “Processing for Product Improvement” explains how you can help us and other users, with your consent, by allowing us to use your data in particular to develop algorithms for therapy management, improve the product and so forth without us contacting you for advertising purposes etc. You can also use the products without giving us this consent - but your consent improves the database in the interest of all users so that we can improve our product more quickly.

1.2.1.3 “Processing for Marketing Purposes” describes how we contact you for marketing purposes, with your consent, e.g. by email, notifications etc. Here too you may use the products without consent but with your consent you will receive interesting information on our products or if, for example, your health insurance company covers new services.

1.2.1.4 In “General Information” we have assembled the information that applies to all of the above consents to avoid repetition.

The relevant categories are described in more detail below. You may provide the relevant consents upon registration or later via the account settings. You may revoke any consents at any time via the account settings or by sending an email to support@mysugr.com. In such an instance we will inform you about the consequences of the revocation. The lawfulness of the processing prior to revocation remains unaffected.

1.2.2 In some cases, the processing may take place independently of consent on the basis of statutory principles (e.g. medical device regulations). We will inform you accordingly in appropriate cases.

2. NECESSARY PROCESSING

If you grant your consent, we process the User Data listed below in order to be able to provide our services. If you do not consent to this necessary processing, you cannot use the services of mySugr. You may provide your consents during the registration process and manage them in the account settings.

2.1 Necessary and optional User Data

2.1.1 In order to protect your User Data, our services can only be used in connection with a user account. To create a user account we require and process the following User Data:

2.1.2 All other information is optional and self-explanatory in the input masks. Such optional entries include:

Personal Master Data: first name, last name, address, date of birth/age, gender, telephone number.

Medical Master Data: diabetes type, diagnosis year, insulin therapy (pen/pump), blood glucose target range, height, weight, meter/therapy device, medication, type of insulin, basal settings, correction factors, carbs / insulin ratio.

Commercial and Usage Data
App store download, purchase, invoices, payment status, payment method (credit card, bank account, etc.), insurance number, mySugr Pro status, vouchers redeemed, IP address, device ID, operating system, browser type and version, token, activity events for customization, support queries.

Medical Data
App entries such as date/time/time zone/place, type and duration of activities (breakfast, office work, sport etc.), food intake/meal/ingredients, pills taken/injections, blood glucose measurements, notes/text, blood pressure, weight, HbA1c, ketones, steps, images/photos, medication, tags, points, imported values; sensor data such as start date/time, end date/time, time zone, sensor value, type; temporary basal rate, date; app settings such as display options, activated integrations; or coaching (status, targets, other illnesses).

2.1.3 If you wish, you can operate the user account under an assumed name (pseudonym), i.e. you do not have to state your real name. You can also enter any email address that you set up especially for us – however it must work so that we can send you important warnings.

The scope of the data recorded by mySugr depends on your registration and use of our products. We only process the User Data that you actively and voluntarily provide to mySugr. The entry of requested User Data is however a requirement for the comprehensive use of our products. If you do not enter optional data the associated functionality of our products is limited accordingly. For example our Logbook or Bolus Calculator require detailed (voluntary) entry of your data in order to ensure optimal use.

2.1.4 In addition to the entries you provide voluntarily, there is also the option of independently activating or deactivating the recording of certain data in the settings of our apps and other software of your device (e.g. operating system, other apps, app stores etc.). If you have questions, please contact support@mysugr.com.

2.2 Necessary purposes

2.2.1 All the necessary purposes of our processing are associated with providing our services:

Order, delivery, support, and billing of our products (including goods from our cooperation partners) require the entry and processing of certain data in order to process your order.

Installation of our apps leads to technical and device-related data recordings such as the device ID.

Registration leads to the creation of your mySugr ID using the email address and password.

The provision of our services requires you to voluntarily and actively enter data depending on the function and each function describes the purpose for which the data is needed.

Communication from mySugr with you within our apps or via other electronic messaging services (e.g. email, messenger, telephone) where this is required to support or troubleshoot our products. This is how we process any comments and queries that you may have via various communication channels when using mySugr. The most important example is our support service, which you can access at support@mysugr.com. Please therefore think about which information and data you want to give in your active communication with us - this is solely your decision. For our part, communication with users may be necessary either by email, in-app card, or push notification. This is how we inform you about updates to our products and provide important security advice as well as assistance associated with your usage. This support communication - as an essential part of our products - is sent to users notwithstanding whether they have subscribed to our Newsletter or not.

Therapy devices (e.g. blood glucose meters) can be paired with your device which enables data to be transferred to our apps.

Health apps, such as those by Apple, and other connected services also enable data to be exchanged with our apps. But synchronization only takes place if you activate this in the settings of our apps, namely, if you use the function.

2.2.2 Use of our apps and extensions requires you to actively and voluntarily enter data. You will find additional selection options in the settings of our apps. To resolve an error in the app we require, for example, crash reports that we can use for troubleshooting purposes to determine the circumstances of the problem. In addition, the key data of your device and your usage behavior are recorded, because our contractual fulfillment means, above all, customizing our products, i.e. processing individual user information depending, for example, on your location (also relevant for the search function), diabetes type, or type of therapy (both are, for instance, relevant for configuring the user interface). An automated analysis of user behavior is performed exclusively for the purpose of customizing your use when fulfilling the contract and has no legal effect for you.

3. PROCESSING FOR PRODUCT IMPROVEMENT

If you consent, we also process your User Data beyond the necessary usage described in section 2 above to improve our products and services as described in more detail below.

3.1 Additional data

In general, we use the same User Data to improve our products as stated in section 2. In addition, mySugr may also record the following User Data:

Usage Data
Activity events that allow us to understand how you use our products. This enables us to see how our products are used and for example where menu designs can be optimized.

3.2 Purpose of product improvement
As a result of fast-moving technological progress, we have to continually analyze, develop, test, and improve our products and their interactions, in order to ensure that our content benefits users in the most effective way. To achieve this, we conduct usage and security tests and the knowledge gained is incorporated into improved new versions of our products such as the app. These improvements are also provided to you via regular updates.

4. PROCESSING FOR MARKETING PURPOSES

4.1 Newsletter

4.1.1 We would like to send you interesting information on products and services in addition to the contractual scope (including information from carefully selected partners) and invitations to participate in surveys or other sales promotions and marketing activities (“Newsletter”).

4.1.2 You can select whether you want to subscribe to our Newsletter (opt in). You can revoke your consent at any time via the link in the Newsletter or the account settings.

4.2 Other types of marketing

4.2.1 Other consents, e.g. for surveys, notifications, or customized offers, are obtained as required when you are logged in. We always explain to you why we need certain data and also how you can revoke the consent.

4.2.2 Please be aware that we may show you offers within the app without processing your personal data. You will also see these non-customized advertisements if you have not provided your consent.

5. USAGE FOR STATUTORY PURPOSES

5.1 Scientific research and statistics

mySugr is committed to the science of all aspects of diabetes. Therefore, anonymous User Data may also be used for the purposes of research and statistics (always whilst complying with the recognized ethical scientific standards) and internal analyses. This is used mainly to determine and improve the effectiveness of techniques for controlling and treating diabetes. The legal basis for this is Article 9 (2) j) GDPR.

5.2 Enforcement of rights

The use of personal data may also be necessary to prevent abuse by users or to assert, exercise, or defend legal claims. We may be forced into disclosure due to binding laws, court or official decisions and instructions, criminal investigation, or in the public interest. In such cases, the storage and processing of your data are permitted by law without your consent. The legal basis for this is Article 9 (2) f) GDPR.

5.3 In accordance with medical device legislation

Finally, as the manufacturer or distributor of a medical device, we are subject to increased requirements for monitoring the functionality of our product. This vigilance system required for regulatory purposes may also involve the processing of personal data. The legal basis for this is Article 9 (2) i) GDPR.

6. GENERAL INFORMATION

6.1 Purpose limitation and security

6.1.1 mySugr uses your personal data exclusively for the purposes determined in this privacy notice and the relevant consents. We ensure that each processing is restricted to the extent necessary for its purpose.

6.1.2 Each processing always guarantees adequate security and confidentiality of your personal data. This covers protection from unauthorized and illegal processing, unintentional loss, unintentional destruction or damage using appropriate technical and organizational measures. We use strict internal processes, security features, and the latest encryption methods, always taking into account state-of-the-art technology and implementation costs.

6.2 Processors

6.2.1 Our products are subject to complex processes that, in light of our millions of users, we have to manage and keep up-to-date. For technical support we therefore use affiliated companies of the Roche Group – F. Hoffmann-La Roche Ltd. - and third-party suppliers (“Processors”) in order to offer you a comprehensive and optimal use of our products.

6.2.2 mySugr transfers User Data to Processors exclusively within the framework of this privacy notice and only to fulfill the purposes stated in it. Processors work according to our specifications and instructions; they are not permitted to use the personal data of our users for their own or other purposes.

6.2.3 We use Processors offering sufficient guarantees that suitable technical and organizational measures are undertaken in a way that the processing of personal data complies with the statutory requirements and our privacy notice. The protection of the rights of our users is ensured by concluding binding contracts that meet the strict requirements of GDPR.

6.2.4 The third-party suppliers appointed by mySugr may only use other processors (subcontractors) with our prior consent. If a subcontractor does not comply with the same data protection obligations and all of the appropriate security measures that we impose on our Processors, then we will prohibit the hiring of such a subcontractor.

6.3 Encryption, pseudonymization, and anonymization

6.3.1 Each data transfer, without exception and by default, is encrypted during transfer. Using HTTPS (hypertext transfer protocol secure) we ensure that your data is not intercepted by unauthorized third parties.

In addition, for the purposes of data security and minimization, we also use other processes for the encryption and pseudonymization of User Data. Of course this depends on the type, scope, and purpose of the relevant data processing and takes into account the latest technology. For example, we only disclose User Data that a Processor requires to carry out his tasks.

6.3.2 When a contractual relationship with a Processor is terminated, such Processor must, at mySugr’s discretion, either return all our User’s Data or delete it if there are no statutory storage obligations.

6.3.3 Data that requires no personal reference for processing (e.g. for research and analysis) is subject to anonymization. This prevents a connection to a specific user being made in all cases.

6.4 EU and other countries

6.4.1 We primarily select cooperation partners who are based in or whose servers are located in the European Union (EU) or European Economic Area (EEA). Data transmission within the EU and EEA is unobjectionable because the GDPR applies in all member states.

6.4.2 In exceptional circumstances we appoint third-party suppliers who are located in or who have servers outside the EU, e.g. innovative companies in Silicon Valley, USA. However, even in these cases your personal data is subject to a high protection level in line with the GDPR – either through an EU adequacy decision, which considers data protection in certain third-party countries to be appropriate (e.g. Switzerland, Israel, and New Zealand), or through certain standard contractual clauses approved by the EU, which the contractual relationships with our contracted data processors are based on, or through comparable legal instruments permitted under the GDPR. In any case, all Processors are subject to the obligations in this privacy notice.

6.4.3 In addition, we ensure that our partners have additional security standards in place, such as individual security measures and data protection provisions or certifications under the GDPR. So, for example, if third-party suppliers are located in the USA they should be subject to the Privacy Shield Framework approved by the EU or comparable internationally recognized security standards.

6.5. Categories of recipients

6.5.1 Our cooperation partners are bound by the agreements signed with mySugr as well as by the GDPR and only process data according to our instructions. We provide our users’ Data only to fulfill the contract:

Manufacturers and suppliers require personal data to handle orders for goods. A typical example is the delivery of a blood glucose meter and test strips as part of the mySugr Bundle.

Insurance companies may exchange data with us if you buy our products as part of your health insurance (statutory or private). If applicable, this enables billing based on the tariff of your insurance company.

Bookkeeping and payment service providers support us in the ongoing billing of our chargeable products.

Customer support services and their tools help our customer support to quickly and efficiently handle our users’ inquiries. Here, for example, queries are recorded from various communication channels and grouped according to topics using ticket systems.

Analysis service providers and their tools help us to understand how users use our products in order for us to provide customized communication and product improvements in the future. This way we can avoid, for example, a pump user with type 1 diabetes receiving messages about type 2 diabetes or pens.

Marketing service providers support us in creating, sorting, customizing, and sending newsletters, emails, and other messages about our products to our users.

Hosting and cloud services and their tools are used to store data and to produce anonymized analyses (see section 2.4 above).

Reminder: the transfer of data to our Processors and service providers is protected by guarantees such as adequacy decisions, certifications (Privacy Shield) or standard contractual clauses. A copy of such guarantees or information on these can be requested from privacy@mysugr.com.

6.5.2 Finally please note that you have the option to directly share certain data with a third party from within our products. This relates, for example, to reports generated in our apps and communication with your healthcare professional or mySugr Coach for therapy advice. You are solely responsible for such data transfers.

6.6 Cookies

mySugr stores so-called “cookies” to offer you a comprehensive range of functions and make the use of our website more convenient. Cookies are small text files that are stored on your device by your browser. Except for the cookies for usage data mentioned in section 6.7, our cookies are used to operate the website. If you do not want to use cookies you can prevent them from being stored using the relevant settings in the browser. Most of our cookies are either deleted at the end of your visit or when the browser is closed (session cookies). If this is not the case, you can check the deletion period in your browser or delete the cookies manually. Please note that this may restrict the functionality or scope of our offer.

6.7 Usage data

We only use Google Universal Analytics in the publicly accessible part of our website (no login required), a web analysis service by Google Inc. (“Google”). Google is certified under the EU-US Privacy Shield; we also have a processing contract in place with Google.


Google Universal Analytics uses cookies (see above) to enable analysis of your website use and these may be stored for up to 2 years if you do not delete them before that time. The information generated by the cookie on your use of our website is generally transferred to and stored on a Google server in the USA. We have extended Google Analytics on our website to include the “gat.anonymizeIp();” code in order for IP addresses to be recorded anonymously. At our request, Google only records your IP address in abbreviated form thus ensuring anonymization that does not permit any conclusions to be made about your identity or device. Google abbreviates IP addresses within the EU or other member states which are parties to the Agreement on the European Economic Area. Only in exceptional circumstances is the full IP address transferred to a Google server in the USA and reduced there. At our request Google will use this information to analyze your use of the website in order to provide us with aggregated reports and provide other services associated with Internet usage. The IP address provided by your browser as part of Google Analytics is not merged with other Google data.


You can prevent the storage of cookies using the appropriate setting in your browser, as described in section 6.6 above. In addition, you can prevent the processing of the data generated by the cookie relating to your use of the website (incl. the IP address) by Google by installing the browser plugin available under the following link: http://tools.google.com/dlpage/gaoptout?hl=de.

 

6.8. Storage and deletion

6.8.1 Your User Data is stored on your device. This data is also stored on our servers. We only use systems that meet GDPR requirements.

6.8.2 During registration you can select whether your data should be stored on servers in the European Union (EU) or the USA. By default, storage is set to the region of your current location during registration. Regardless of the storage location we ensure that the high protection level pursuant to the GDPR is guaranteed; naturally this also applies to data that is stored temporarily at another location or is transferred for processing.

6.8.3 As a rule, mySugr only stores your personal data for the duration of the contract. In exceptional cases, longer storage may be required in order to fulfill post-contractual obligations or to comply with statutory storage obligations or disclosure duties, or to assert, exercise, or defend legal claims (limitation periods).

6.9. Minors

Minors below the age of sixteen are only permitted to use our products with the consent of a parent/guardian (see section 3.2.3 of our General Terms and Conditions - T&Cs). This also applies to processing their personal data, which is only legal if and to the extent to which the consent has been obtained by and through the parent/guardian. Otherwise use of our products is prohibited.

6.10. Data protection officer

6.10.1 Our data protection officer is available to answer all data protection questions at privacy@mysugr.com. The data protection officer monitors ‒ independently and not bound by instructions ‒ compliance with all data protection regulations and is subject to strict statutory secrecy and confidentiality obligations.

6.10.2 The data protection officer is widely involved in all questions associated with protecting the personal data of our users. As a trained expert, he monitors our processing on an ongoing basis, informs and regularly advises the entire mySugr team in order to ensure the best possible protection of your User Data.

6.11. Changes

6.11.1 As technology and processes in the Internet as well as data protection legislation are constantly being developed, we have to undertake changes from time to time. We will inform you of changes by appropriate means whilst granting an appropriate advance notice period and if necessary obtaining new consents.

6.11.2 Unless otherwise provided by this privacy notice, the same definitions apply in our General Terms and Conditions - T&Cs.

7. YOUR RIGHTS

7.1. Revocation of consents

If we process your User Data based on your consent, you may revoke the consent at any time. However, this will not affect the lawfulness of the processing before the revocation. We will continue to provide our services if they do not depend on the consent that has been revoked.

7.2. Information, correction, and restriction

7.2.1 Each user has the right to request information on the processing of their personal data. To do so, please contact us at any time at privacy@mysugr.com.

7.2.2 Your right to information covers information on the processing purposes, data and recipient categories, storage time, origin of your data, and your rights under the data protection regulations. You can find all of this information in this privacy notice and we are happy to provide it to you in an electronic form.

7.2.3 Should some of your personal data be incorrect, you can request that your data is corrected or completed at any time. You can correct most data yourself in our apps. You have the right to restrict data processing for the duration of any investigation review that you have requested.

7.3 Deletion (“right to be forgotten”)

Each user has the right to request the deletion of their personal data. To do so, please contact us at any time at support@mysugr.com.

7.4 Ability to transfer data

Finally each user has the right to request that we provide an overview of their personal data to another responsible party, if this is technically feasible.

7.5 Complaints

7.5.1 If you feel we are not protecting your data protection rights adequately, please contact us at any time at support@mysugr.com or contact our data protection officer directly at privacy@mysugr.com. We will handle your request immediately.

7.5.2 Any user has the right to submit a complaint with the Austrian Data Protection Authority responsible for mySugr at Wickenburggasse 8-10, 1080 Vienna if they believe that the processing of their personal data is not in compliance with data protection regulations. In addition, the user has a right to complain to a supervisory authority in the EU member state in which they are resident, in which their workplace is located, or which is the location of a suspected infringement.

THANK YOU FOR YOUR CONFIDENCE IN US!