Last updated March 2023
With this Veri App Privacy Notice we provide you information on why and how we process your personal data as a controller in connection with Veri App for the following purposes:
1. WHAT DEFINITIONS ARE USED IN THIS PRIVACY NOTICE?
Controller means a party that is in charge of the personal data processing activities.
Data subject means an individual whose personal data is being processed.
GDPR means the EU General Data Protection Regulation (679/2016).
Legal basis for processing means the legal basis with which the controller processes personal data of a data subject. Article 6 of the GDPR contains provisions on legal basis for processing.
Personal data means any data concerning a data subject with which the data subject can be identified.
Privacy notice means a data protection document that has been drafted according to Articles 13 and 14 of the GDPR, and with which the controller may inform its data subjects of the ways their personal data is processed.
Processor means a party that processes personal data for and on behalf of the controller.
Profiling means the automatic processing of personal data, in which the personal characteristics of the data subject are assessed using personal data.
Purpose for processing means the reason why the controller processes personal data of a data subject.
Special categories of personal data mean personal data revealing a person’s racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, data concerning health, sexual orientation or activity and genetic and biometric data for identifying the person.
2. WHO IS THE CONTROLLER OF YOUR PERSONAL DATA?
Human Engineering Health Oy (business ID: 3115245-3) is the controller of your personal data. The address of the controller is Kaikukatu 4 C, 00530 Helsinki, Finland.
3. DO WE HAVE A DATA PROTECTION OFFICER?
Yes, we have appointed a DPO. You can contact our DPO by email at email@example.com.
4. WHY DO WE PROCESS YOUR PERSONAL DATA? WHAT PERSONAL DATA DO WE PROCESS? WHAT ARE THE LEGAL BASES FOR PROCESSING?
We process your personal data for the purposes mentioned below. Below you will also find information on what personal data we process and what the legal bases for our processing activities are.
a. Provision of Veri service to customers and strategic analysis of customer data to improve our services and to fulfill customer needs
Explanation: Personal data is processed so that we can provide Veri service to our customers and to develop our services and better fulfill customer needs.
Category of data subjects: Customers.
Categories of default personal data: Name, email, date of birth.
Categories of optional personal data: Height, weight, meal data, activity data, sleep data, sex and photos that you may record on the Veri App; height, weight, activity data, heart rate, sleep data and sex synced from Apple Health or Google Fit; glucose data synced from LibreLink.
Legal basis for processing: Consent (GDPR, art. 6(1)(a)) and our contractual obligations towards our customer (GDPR, art. 6(1)(b)).
b. Strategic analysis of usage data to develop services and fulfill customer needs
Explanation: Personal data is processed so that we can develop our services and better fulfill customer needs.
Category of data subjects: Customers
Categories of personal data: Usage analytics and data as well as crash reports of Veri App.
Legal basis for processing: Consent (GDPR, art. 6(1)(a)) and our contractual obligations towards our customer (GDPR, art. 6(1)(b)).
5. FROM WHERE DO WE COLLECT YOUR PERSONAL DATA?
We collect personal data related to Veri service (including the Veri App):
6. DO WE TRANSFER YOUR PERSONAL DATA?
Transfers to third party service providers: We may transfer your personal data to third party service providers (known in data protection terms as ‘processors’), as it is a normal course of doing business in a digitalized world. Such processors are for example data storage service providers and communications services providers. When personal data is transferred to third parties, we ensure that we conclude adequate personal data processing agreements and safeguards in relation to the data transfers.
Currently we use the following services of processors in Veri App:
Transfers outside the EU/EEA: For all customers other than US-based customers, Veri App’s servers are located in Paris, France. Where we process personal data for the purpose of a) Provision of Veri App to customers and strategic analysis to improve our services and fulfill customer needs, personal data is processed in the EU and in the US. Where we process personal data for the purpose of b) Strategic analysis of usage data to develop services and fulfill customer needs, we may transfer personal data to the USA. When processing personal data outside the EU/EEA, we ensure an adequate level of data protection, for example through standard contractual clauses and other similar arrangements.
Veri App’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
7. DO OUR PERSONAL DATA PROCESSING ACTIVITIES INCLUDE AUTOMATED DECISION MAKING?
Our personal data processing activities do not include automated decision making.
8. DO WE PROCESS SPECIAL CATEGORIES OF PERSONAL DATA IN VERI APP?
Yes. We process special categories of personal data in Veri App when we process customers’ glucose data, which can be identified as ‘health data’.
Special categories of personal data require special protection, as their processing could create significant risks to the fundamental rights and freedoms of the individual. We carry out all required measures to adequately protect special categories of personal data.
9. DO WE COMPLY WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA)?
Yes. In regard to the health data of our US-based customers, we comply with all of the requirements as per the Health Insurance Portability and Accountability Act of 1996 (hereinafter “HIPAA”).
10. HOW LONG DO WE RETAIN YOUR PERSONAL DATA?
We shall retain personal data for as long as necessary to fulfill the purpose for which it is being processed as follows:
11. WHAT DATA PROTECTION RIGHTS DO YOU HAVE?
You may have the right to use the below listed data protection rights under the EU General Data Protection Regulation (679/2016):
If you would like to use your rights or inquire about data protection, please get in touch with us in written form: firstname.lastname@example.org
Your rights may only be exercised once your identity has been properly verified.
You may also have a right to lodge a complaint with the data protection authorities, if you think that the processing of your personal data infringes data protection laws.
12. CAN THIS PRIVACY NOTICE BE AMENDED?
We have a unilateral right to modify this privacy notice. We modify the privacy notice whenever necessary, for example in the case of changing legislation. The modifications take effect immediately when we post an up-to-date version of this privacy notice to our website.
If we make significant changes to the privacy notice, or if there is a significant change in the way it is used, we will notify the data subjects.