
Privacy Policy for the App

Last updated March 2023

With this Veri App Privacy Notice we provide you information on why and how we process your personal data as a controller in connection with Veri App for the following purposes:

  1. Provision of Veri service including Veri App to customers
  2. Strategic analysis of customer data to develop services and fulfill customer needs

Please find our General Privacy Policy here: https://www.veri.co/terms?doc=privacy-website

1. WHAT DEFINITIONS ARE USED IN THIS PRIVACY NOTICE?

Controller means a party that is in charge of the personal data processing activities.

Data subject means an individual whose personal data is being processed.

GDPR means the EU General Data Protection Regulation (679/2016).

Legal basis for processing means the legal basis with which the controller processes personal data of a data subject. Article 6 of the GDPR contains provisions on legal basis for processing.

Personal data means any data concerning a data subject with which the data subject can be identified.

Privacy notice means a data protection document that has been drafted according to Articles 13 and 14 of the GDPR, and with which the controller may inform its data subjects of the ways their personal data is processed.

Processor means a party that processes personal data for and on behalf of the controller.

Profiling means the automatic processing of personal data, in which the personal characteristics of the data subject are assessed using personal data.

Purpose for processing means the reason why the controller processes personal data of a data subject. 

Special categories of personal data mean personal data revealing a person’s racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, data concerning health, sexual orientation or activity and genetic and biometric data for identifying the person.

2. WHO IS THE CONTROLLER OF YOUR PERSONAL DATA?

Human Engineering Health Oy (business ID: 3115245-3) is the controller of your personal data. The address of the controller is Kaikukatu 4 C, 00530 Helsinki, Finland.

3. DO WE HAVE A DATA PROTECTION OFFICER?

Yes, we have appointed a DPO. You can contact our DPO by email at dpo@veri.co.

4. WHY DO WE PROCESS YOUR PERSONAL DATA? WHAT PERSONAL DATA DO WE PROCESS? WHAT ARE THE LEGAL BASES FOR PROCESSING?

We process your personal data for the purposes mentioned below. Below you will also find information on what personal data we process and what the legal bases for our processing activities are.

a. Provision of Veri service to customers and strategic analysis of customer data to improve our services and to fulfill customer needs

Explanation: Personal data is processed so that we can provide Veri service to our customers and to develop our services and better fulfill customer needs.

Category of data subjects: Customers. 

Categories of default personal data: Name, email, date of birth. 

Categories of optional personal data: Height, weight, meal data, activity data, sleep data, sex and photos that you may record on the Veri App; height, weight, activity data, heart rate sleep data and sex synced from Apple Health or Google Fit; glucose data synced from LibreLink.

Legal basis for processing: Consent (GDPR, art. 6(1)(a)) and our contractual obligations towards our customer (GDPR, art. 6(1)(b)).

b. Strategic analysis of usage data to develop services and fulfill customer needs 

Explanation: Personal data is processed so that we can develop our services and better fulfill customer needs. 

Category of data subjects: Customers 

Categories of personal data: Usage analytics and data as well as crash reports of Veri App.

Legal basis for processing: Consent (GDPR, art. 6(1)(a)) and our contractual obligations towards our customer (GDPR, art. 6(1)(b)). 

5. FROM WHERE DO WE COLLECT YOUR PERSONAL DATA?

We collect personal data related to Veri service (including the Veri App):

  • from customers when they save data into Veri App, 
  • via Veri App when it is used by customers,
  • third party service providers (e.g. Apple Health, Google Fit, LibreLink) if a customer chooses to share his/her personal data with Veri App from a third party service provider, and
  • via Veri website and coaching dashboard.

6. DO WE TRANSFER YOUR PERSONAL DATA?

Transfers to third party service providers: We may transfer your personal data to third party service providers (known in data protection terms as ‘processors’), as it is a normal course of doing business in a digitalized world. Such processors are for example data storage service providers and communications services providers. When personal data is transferred to third parties, we ensure that we conclude adequate personal data processing agreements and safeguards in relation to the data transfers. 

Currently we use the following services of processors in Veri App:

  • Amazon Web Services Inc.: Cloud infrastructure provider. Several infrastructure components are provisioned to ensure functionality of our services.
  • Chargebee, Inc.: Payment and subscription management platform. Used for storing subscription and billing information.
  • Firebase (Google LLC): A platform offering a set of cloud hosting services. We use it to deliver real-time push notifications.
  • Google LLC: Fitness (exercise, sleep, weight and similar) types of data are stored in the related cloud services for Android users.
  • Google Workspace (formerly G-Suite) (Google LLC): collection of cloud computing, productivity and collaboration tools, software and products including Gmail, calendar, meet, chat, drive, docs, sheets, slides, forms, sites and more.
  • Intercom R&D Unlimited Company: Chat support platform. We use Intercom to facilitate all of the support requests made from the Veri App.
  • Mailchimp, Mandrill (The Rocket Science Group LLC d/b/a Mailchimp): Email and marketing platform, used to deliver onboarding, informative, transactional (e.g. login codes) and other types of emails directly to users.
  • Mixpanel, Inc.: Business analytics platform, used to analyze user interactions with web and mobile environments. We utilize Mixpanel to track interactions in the Veri App.
  • Segment.io, Inc.: Customer data collection and unification platform. We send data about interactions within the Veri App via Segment.
  • Sentry (Functional Software, Inc. d/b/a Sentry): Application health visibility platform. We use Sentry to monitor the fundamental stability of the Veri App. Crashes, errors and various transactions are reported to Sentry, which we use to make sure the user experience is as smooth as possible.
  • Stitch (Talend, CA): Data warehouse used for data analysis and ingestion of marketing data. We use Stitch to enable user analytics that drive our business decisions.
  • Stripe Payments Europe, Ltd: Suite of payment APIs facilitating the payment and transaction data during purchases of our customers. We use Stripe as our main payment gateway.
  • Truepill Limited: Our sensor distribution and delivery partner in the UK.
  • PostMeds Inc. trading as Truepill: Our prescription processor, and sensor distribution & delivery partner in the US.
  • Zapier, Inc.: Web application integration and automation platform. We use Zapier to interconnect some of our services as well as to automate several reporting tasks.
  • Customer.io: Messaging platform used to communicate with our users.

Transfers outside the EU/EEA: For all other than US-based customers, Veri App’s servers are located in Paris, France. Where we process personal data for the purposes of a) Provision of Veri App to customers and strategic analysis to improve our services and fulfill customer needs, personal data is processed in the EU and in the US. Where we process personal data for the purpose of b) Strategic analysis of usage data to develop services and fulfill customer needs, we may transfer personal data to the USA. When processing personal data outside the EU/EEA, we ensure an adequate level of data protection, for example through standard contractual clauses and other similar arrangements.

Veri App’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

7. DO OUR PERSONAL DATA PROCESSING ACTIVITIES INCLUDE AUTOMATED DECISION MAKING?

Our personal data processing activities do not include automated decision making.

8. DO WE PROCESS SPECIAL CATEGORIES OF PERSONAL DATA IN VERI APP?

Yes. We process special categories of personal data in Veri App when we process customer’s glucose data, which can be identified as ‘health data’.

Special categories of personal data require special protection, as their processing could create significant risks to the fundamental rights and freedoms of the individual. We carry out all required measures to adequately protect special categories of personal data. 

9. DO WE COMPLY WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA)?

Yes. In regard to the health data of our US-based customers, we comply with all of the requirements as per the Health Insurance Portability and Accountability Act of 1996 (hereinafter “HIPAA”).

10. HOW LONG DO WE RETAIN YOUR PERSONAL DATA?

We shall retain personal data for as long as necessary to fulfill the purpose for which it is being processed as follows:

  • Personal data processed for the fulfillment of contractual obligations: personal data shall be processed for a maximum of five years from when you stop using Veri service.
  • Personal data processed on the basis of consent: personal data shall be processed for as long as you provide us your consent.

11. WHAT DATA PROTECTION RIGHTS DO YOU HAVE?

You may have the right to use the below listed data protection rights under the EU General Data Protection Regulation (679/2016):

  • Right to inspect (art. 15)
  • Right to rectify (art. 16)
  • Right to erasure (art. 17)
  • Right to restriction of processing (art. 18)
  • Right to data portability (art. 20)
  • Right to object (art. 21)
  • Automated individual decision-making, including profiling (art. 22)

If you would like to use your rights or inquire about data protection, please contact us in writing: dpo@veri.co

Your rights may only be exercised once your identity has been properly verified.

You may also have a right to lodge a complaint with the data protection authorities, if you think that the processing of your personal data infringes data protection laws.

12. CAN THIS PRIVACY NOTICE BE AMENDED?

We have a unilateral right to modify this privacy notice. We modify the privacy notice whenever necessary, for example in the case of changing legislation. The modifications take effect immediately when we post an up-to-date version of this privacy notice to our website.

If we make significant changes to the privacy notice, or if there is a significant change in the way it is used, we will notify the data subjects.