Privacy policy for the mylife
Diabetescare therapy management solution
Valid from: 31
July 2024
The protection of
your personal data is very important to us. Please read this Privacy Policy
regarding the mylife Diabetescare therapy management solution carefully. It
explains when your personal data are collected while using the described
systems and how we store and process such data.
The mylife
Diabetescare therapy management solution consists of the mylife App, mylife Software
(PC) and mylife Cloud and can be connected to the mylife YpsoPump insulin pump,
various blood glucose meters as well as the mylife CamAPS FX App and/or therapy
management clouds from third-party providers. The purpose of the mylife
Diabetescare therapy management solution is to consolidate diabetes therapy
data.
The collection and
processing of personal data occurs on registration and use of the mylife App,
mylife Software (PC), mylife Cloud and mylife CamAPS FX App, as well as on
connecting with other devices and systems.
1.
Controller of personal data
When using the
mylife Diabetescare therapy management solution, the controller within the
meaning
of the EU General Data Protection Regulation
(GDPR) and other data protection regulations is:
Ypsomed AG
Brunnmattstra
ß
e 6
P.O. Box
3401 Burgdorf / Switzerland
Telephone +41 (0)34 424 41 11
Email:
info@ypsomed.com
You can contact our data protection officer at the following postal
or email address:
FIRST
PRIVACY GmbH
Konsul-Smidt-Straße
88
28217 Bremen / Germany
Email:privacy@ypsomed.com.
2.
Description and purposes of data processing
The mylife Diabetescare therapy management solution
is a medical device and therefore
always processes special category personal data.
In
order to use the mylife
Diabetescare therapy management solution
, you must give Ypsomed your express consent to the processing of
personal data relating to your health. You can revoke your consent at any time.
Please refer to the section on Revoking consent to data processing.
We
process your personal data for the following purposes on the basis of your
consent and for the purposes of exercising or defending legal claims:
-
Processing of
health-related data when creating a mylife
Diabetescare
therapy management account to help you or a person you are
caring for (including as a parent or guardian of a child) to treat their diabetes;
-
Processing of
health-related information when you contact our customer service team to
obtain information about the mylife product family, mylife
Diabetescare therapy management solution
or other services, provided
this is necessary to respond to your enquiry, e.g. resolving performance
issues or sharing your information with our third-party processors to resolve
a service issue;
-
Diagnosing and
resolving performance issues in cases where you have shared your
diagnostic/troubleshooting data (including health-related data) to the
extent necessary to process your service request;
-
Transferring
your personal data to your healthcare provider, including to your
healthcare provider's electronic patient record systems;
-
Transferring
your health-related information to third-party systems and tools;
-
Combining your
personal data with other information we hold about you, in order to
provide you with personalised services, better understand you and your
preferences and improve our interactions with you, including aggregating,
anonymising, pseudonymising and/or obscuring data to gain statistical
insights into the behaviour of our users;
-
Providing, maintaining,
improving and developing relevant functions and content for the mylife
Diabetescare therapy management solution;
-
Using cookies to
monitor log data such as IP address, date, time, device data and amount of
data transferred as well as the website from which you accessed the
requested page (referrer). T
hese log data are
anonymised (i.e. there is no assignment or reference to you as
an individual) and
used
for
statistical evaluations, e.g. on the basis of numerical graphics. Under no
circumstances are these data used to create user profiles of any kind;
-
Detecting
possible errors based on the log files, e.g. faulty links or program
errors;
-
Detecting and mitigating
against fraudulent, abusive and prohibited activities as well as protecting
and maintaining the security of the services. To this end, we reserve the
right to check the log files retrospectively based on the last known IP
address if, based on certain facts, there is a suspicion that users are
using the mylife
Diabetescare therapy management solution in violation of the law or the contract;
-
Anonymising,
pseudonymising and/or aggregating diagnostic/troubleshooting data that you
share with us, in order to perform more comprehensive analyses to identify
systemic issues;
·
Exercising and defending our legal rights and
claims.
Based
on legal requirements:
·
Ensuring traceability of medical devices from the manufacturer to
the end user for any product information, safety instructions or recalls;
·
Delivering technical training in the handling of our medical
devices;
·
Transferring data to statutory health insurance providers;
·
Ensuring high quality and safety standards are maintained for
medical devices post-market release, including monitoring and improving the
quality, safety and effectiveness of medical devices and systems, repairing or
improving the mylife
Diabetescare
therapy management solution and upholding related regulatory
requirements in connection with the post-market surveillance of medical
devices.
3
Use of the mylife Diabetescare therapy management solution
3.1
Manufacturer of the mylife Diabetescare therapy management solution
The mylife
Diabetescare therapy management solution was developed on behalf of Ypsomed AG
by SINOVO health solutions GmbH (SINOVO). The use of the mylife App, mylife
Software and mylife Cloud is subject to SINOVO's General Terms and Conditions
of Business and Use.
SINOVO processes
the personal data collected in the mylife Diabetescare therapy management solution
on behalf of Ypsomed and exclusively as contractually agreed or instructed by
Ypsomed. Responsibility for the fulfilment of legal, regulatory or official
obligations lies with SINOVO.
3.2 The mylife App
When you download
the mylife App to your smart device, you have the option of connecting your
mylife YpsoPump to the mylife App. In addition, you can also link blood glucose
meters and/or selected CGMs (continuous glucose monitors) from third-party
providers to the mylife App.
·
When linking blood glucose meters, no data
are shared with third parties.
·
If the Dexcom CGM is
connected to the mylife App, the data generated by the CGM are shared with
Dexcom. Linking the Dexcom CGM with the mylife App explicitly requires a Dexcom
Clarity account and Dexcom's data protection provisions apply.
In the mylife App,
you can choose whether and how you wish to synchronise your data with the
mylife Software and/or mylife Cloud. If you do not activate synchronisation
with the mylife Software and/or mylife Cloud, the data collected will only be
stored on your smart device. No data will be transferred to Ypsomed, SINOVO or
third parties. You also do not need to register to use the mylife App.
The following data
can be recorded in the mylife App and saved on your smart device:
·
Blood glucose levels and/or sensor glucose
values
·
Boluses
·
Basal rates
·
Insulin on Board (IOB)
·
Other data useful for therapy (e.g.
carbohydrates)
If you wish to synchronise
your data with the mylife Software and/or mylife Cloud, the data protection
provisions for the mylife Cloud (Section 3.4) or mylife Software (Section 3.3)
apply in addition.
3.3 The mylife Software (PC)
You can either
transfer the data from your mylife YpsoPump insulin pump or your blood glucose
meter directly to the mylife Software or you can connect your devices to the
mylife App and synchronise them with the mylife Software via the mylife Cloud.
The mylife
Software is available with two different options. You can decide whether you
wish to install the mylife Software as a PC-only version directly on your
computer or use the mylife Software together with the mylife Cloud. This second
option requires data to be uploaded from the software to the cloud using the
mylife Uploader. The conditions for using the mylife Cloud can be found in the
following sections.
If you have agreed
in the mylife App to synchronise your data with the local mylife Software on
your computer, the following data, for example, will be transferred from your
mylife App via the mylife Cloud to the local mylife Software on your computer:
·
Glucose values
·
Boluses
·
Basal rates
·
Insulin on Board (IOB)
·
Other data useful for therapy (e.g.
carbohydrates)
If you connect
your mylife YpsoPump insulin pump or blood glucose meter directly to the mylife
Software without the mylife Cloud, the corresponding insulin and blood glucose
data will be transferred from the devices to the mylife Software. In this case,
the data in the local mylife Software are stored exclusively on your device. No
data are transferred to Ypsomed, SINOVO or another third party.
3.4 The mylife Cloud
To use the mylife
Cloud, you must first register for the mylife Cloud via your mylife App or internet
browser. The mylife Cloud is an online service and is not installed locally on
your device. The data are stored on Microsoft servers (Azure) in specific
countries. Unless otherwise stated in Section 8 or Section 10, these servers
are located in the EU.
Before you can
register for the mylife Cloud, you must agree to SINOVO's General Terms and
Conditions of Business and Use and to the processing of your personal data in
accordance with this Privacy Policy.
The following
categories of personal data may be collected and transmitted during
registration:
·
Contact data (surname, first name, email
address, telephone number)
·
Login data (email, password)
·
Account use (patient administration or self-administration)
·
General settings (e.g. language, country, time
zone)
For insulin
therapy:
·
Therapy details (type of diabetes, type of
therapy, insulin, name of healthcare professional)
·
Personal data (weight, height, gender, date of
birth)
·
Blood glucose ranges (target range,
hyperglycaemia, hypoglycaemia, time of day, after meals)
·
Device data (blood glucose levels, insulin
release values, alarms and notifications from connected devices, status
information from the devices)
·
Therapy data (blood glucose levels, insulin
doses, carbohydrate intake, exercise)
As soon as you log
in to your mylife Cloud account, a cookie is placed on your device which can be
used to identify you for the duration of your visit. The cookie expires
automatically at the end of the session. You can save this cookie permanently
using the "Log in automatically on this computer" function to enable an
automatic login. The cookie then contains parts of your login data in encrypted
form. An automatic login on two (2) different computers is not possible.
3.5 The mylife CamAPS FX App
The mylife CamAPS
FX App is an independent smartphone application from
CamDiab
Limited with registered offices in Cambridge, UK – business address: Level 4,
Institute of Metabolic Science, Box 289, Addenbrooke's Hospital, Hills Rd,
Cambridge, CB2 0QQ, United Kingdom
(CamDiab).
To use the app,
you must register separately. The CamDiab Terms of Use and Privacy Policy
apply.
The mylife CamAPS
FX App includes functionality to display the data from the app in the mylife
Cloud. By logging into the mylife Cloud from the mylife CamAPS FX App, you
consent to the transfer of data from CamDiab to Ypsomed and thereby activate
this function. The following categories of personal data are then transmitted
from the mylife CamAPS FX App to the mylife Cloud:
·
Account data, e.g.:
o
Email address
·
Device data and settings, e.g.:
o
Type of terminal and operating system
o
App version
o
CGM brand and serial number
o
Pump brand and serial number
o
Pump error messages
·
Therapy settings, e.g.:
o
Unit of glucose calculation (mg/dL or mmol/l))
o
Insulin-to-carbohydrate ratio
o
BG target value
o
Auto-mode target value
·
Health data, e.g.:
o
CGM values
o
BG values
o
Basal insulin
o
Boluses
o
Meals
o
Alarms
o
Auto-mode status
4
Sharing data from the mylife Diabetescare therapy management solution
with others
The mylife
Diabetescare therapy management solution offers various options for patients to
share their data with their medical professionals or others.
4.1
Transferring data from the insulin pump or blood glucose meter to
the mylife Software
Medical
professionals can install the patient management version of the mylife
Software. During a consultation, they can connect their patient’s mylife
YpsoPump insulin pump or blood glucose meter directly to the mylife Software
installed on their computer and import the data.
If the medical
professional only uses the local mylife Software, the data remain stored on the
medical professional's computer. In this case, no data are transferred between
the medical professional and the patient or vice versa and neither Ypsomed nor
SINOVO can access these data.
Note: The medical
professional is responsible for the processing of these data. Ask your medical
professional how they process and protect your personal data and how you can
exercise your rights listed below vis-à-vis your medical professional.
Clarify in advance
with your medical professional whether they will synchronise the data from the
mylife Software with the mylife Cloud and inform them if you do not agree to your
data being synchronised in this way.
4.2 Sharing reports from the mylife Diabetescare therapy management solution
In the mylife App
or mylife Cloud menu, you can find a "Report" function which allows
you to create a PDF report or CSV export of the data for a time frame of your
choice. The report can include the following data among others:
-
Glucose and insulin data
-
Pump and bolus suggestion calculator settings
-
Therapy data in various display formats
-
mylife App or Cloud diary (CSV export)
You can forward
the report to your medical professional or your clinic via any channels that
permit the sending of PDF and CSV files. Bear in mind that the PDF and CSV
reports contain health data. You should therefore choose a secure channel for
sending and enquire about the relevant data protection policy. You bear the
responsibility for sending the report.
4.3
mylife Cloud – data synchronisation between patients and medical
professionals
The mylife Cloud
simplifies data synchronisation between medical professionals and their
patients. Medical professionals can invite their patients to synchronise their
data directly between the two mylife Cloud accounts.
As a patient, you can
consent to your data being shared with your medical professional in the
"Data release" section of your patient account. Once the data release
has been activated, the medical professional can access and analyse your data
in their patient management account.
You can revoke
your consent for data release at any time in your mylife Cloud account. Once
consent is revoked, your medical professional will no longer have access to
your data. However, a copy of any data shared up to that point will remain in
the medical professional's account. The medical professional is the controller
for these data and therefore the party to address when asserting your rights.
4.4 Connecting the mylife Cloud with clouds from other providers
You can link your
mylife Cloud with therapy clouds from other providers (third-party providers)
and have certain predefined data transferred to the cloud of the third-party
provider with your consent. In this case, the data are transferred unilaterally
from the mylife Cloud to the cloud of the third-party provider.
To do this, select
the login for the mylife Cloud (if available) in the third-party provider’s
system. You will be redirected to the login for the mylife Cloud, where you
must log in correctly using your mylife Cloud security credentials. By logging
in, you agree to the transfer of data to the third-party provider. You can
transfer your data to multiple clouds from third-party providers, provided that
they all permit a connection to the mylife Cloud.
The third-party
provider's data protection provisions apply to the processing of any personal
data on the third-party provider's cloud. Ypsomed has no influence over the
processing of these data.
You can stop the
transfer of data at any time by cancelling the connection in your mylife
account. Data transferred to the third-party provider’s cloud up to that point
will remain stored there. If you wish to object to data processing by the
third-party provider, you should contact the third-party provider directly.
Please refer to the data protection provisions of the third-party provider.
5
Protection and storage of personal data
We use the cloud
services of Microsoft Ireland Operations Limited, Dublin, Ireland (Microsoft)
to process your personal data in the mylife Cloud. The data in the mylife Cloud
are encrypted and only SINOVO system administrators have access to the server's
cloud database.
Ypsomed takes all
necessary and reasonable technical and organisational actions to ensure the
security, integrity and availability of your data.
We only store your
data for as long as is necessary for the purposes set out in this Privacy
Policy. Fundamentally, this is as long as your account is active in the mylife
Cloud. You can cancel your mylife Cloud account at any time. Nonetheless, Ypsomed
and SINOVO are subject to various statutory retention and documentation
obligations. Your personal data will therefore be deleted following the
cancellation of your mylife Cloud account as soon as these deadlines and
obligations no longer apply.
If you do not use
your mylife Cloud account for two years and we have had no relevant contact
with you, we will delete your personal data from our systems unless we believe
in good faith that we are required by law or other regulation to retain these
data (for example, because it is required in connection with a prospective
legal dispute).
6
Forwarding of personal data to third parties
Ypsomed only
passes on data to third parties if this is required by law or necessary for the
execution of its contractual services; if it is necessary for market
surveillance or the processing of complaints by SINOVO or CamDiab as the
manufacturer; or if you have consented to the transfer.
Ypsomed remains responsible for the control and correct processing of the data,
even if the data are forwarded to companies within the Ypsomed Group or external
service providers as part of its business processes. We ensure that the
companies of the Ypsomed Group comply with data protection regulations, and we also
require our distribution partners and any service providers commissioned by us
to respect data protection and data security and to only process the data as is
necessary to fulfil their mandate.
Recipients may
receive personal data under the following conditions:
-
If you contact
Ypsomed: In this case, those employees within Ypsomed who need your
personal data to fulfil the purposes stated in this Privacy Policy will
have access to these data. Examples include customer service employees who
process your enquiries and requests.
-
If Ypsomed
engages service providers and processors, such as SINOVO or Microsoft:
These external partners are contractually obliged to comply with data
protection standards.
-
If required by
law or contractual agreements
in connection with
the monitoring of medical devices.
-
If required by
law or an authority: In this case, it is possible that Ypsomed may process
and disclose your personal data without prior notice or consent. This may
be due to a court order or other regulatory obligation.
The mylife
Diabetescare therapy management solution may contain links to the websites or
applications of third parties. Any access to or use of these linked websites is
not covered by this Privacy Policy, but rather the privacy policies of the
websites of these third parties. We accept no responsibility for the
information practices of third-party websites.
7
Transfer of personal data to other countries
Ypsomed only processes
personal data within Switzerland or the European Economic Area (EEA).
If data must nevertheless be transferred to other countries, we
verify that
these countries offer an adequate level of
data protection, as confirmed by the Swiss Federal Data Protection and
Information Commissioner (EDÖB) or the European Commission, or
we ensure the security of your data with appropriate guarantees
(e.g. standard contractual clauses approved by the EDÖB or the European
Commission) as well as increased technical security measures.
8
Country representatives
For enquiries,
please contact our customer service team. All country representatives and
customer service contacts can be found under the following URL:
https://www.mylife-diabetescare.com/en/services/customer-care-contact.html
. If Ypsomed does not have a direct representative in your country,
please get in touch with the contact from mylife Therapy Management
("About") or write to us at
info@ypsomed.com
.
9
Country-specific notes
Ypsomed endeavours
to provide a complete and correct translation in the relevant national
language. In the event of a discrepancy between the language versions, the
original German version shall apply.
9.1 Germany
Use as a
computer-only version
People with
diabetes can obtain the mylife Software free of charge using the order form.
Medical professionals can order the mylife Software or a licence key for the
mylife Cloud directly from Ypsomed.
To order the
mylife Software, you must provide Ypsomed with some personal data: surname,
first name, house number, street name, town, postcode and email address
(optional), as well as details of the devices you wish to connect and their
serial numbers.
The personal data provided
on the order form are processed exclusively for the purpose of establishing and
processing the order and fulfilling the contract.
9.2 France
We record the
country of origin based on the country selected in the registration process. If
you live in France, it is therefore important that you also select France as
your country of residence. This determines where your data are stored. The data
of a French citizen may only be stored and processed in France itself. If you
inadvertently select the wrong country, please terminate the registration
process. You can no longer change the country once the registration process has
been completed.
In some cases, we
request information about your profession so that we can share specific content
with you. If required by law, we will check your information before we send you
the access data.
10
Your rights
Rights of data subjects
You can request information at any time as to whether and which of
your personal data Ypsomed processes for what purpose, as well as receive a
copy of your data. You can also request the correction and completion of
incorrect or incomplete data at any time. We will delete data at your request,
unless Ypsomed is required to retain this data to fulfil a legal obligation,
for reasons of public interest or for the assertion, exercise or defence of
legal claims.
Furthermore, you have the right to request that the processing of
your personal data be restricted, provided that any legal requirements are met.
You may also request a copy of any personal data that you have
provided to us in a structured, commonly used and machine readable format or
have them transferred to another responsible person.
Children
The mylife Cloud solution is aimed exclusively at persons of legal
age. Individuals under 18 years of age are expressly advised that they must
obtain the consent of their parents or legal guardian to transfer their
personal data.
If data are transmitted to us by individuals under 18 years of age
without the consent of their parents or legal guardians, you may view the
information provided by the underage person and/or request correction or
deletion of this data at any time. The provisions of this Privacy Policy apply
until the request for correction or deletion of personal data is made.
Revoking consent to data processing
You can revoke all declarations of consent submitted to Ypsomed for
the processing of personal data at any time, without giving a reason and either
individually or collectively. The processing of the data remains lawful until such
time that consent is revoked. You can exercise this right by phoning Ypsomed or
by sending us your revocation request in writing, e.g. by email. If you only
wish to revoke consent to the processing of data in the mylife Cloud, you can
simply cancel your account.
Right to object
You have the right to object at any time to our processing of your
personal data based on our legitimate interests. To object, you must provide
reasons that arise from your particular situation and make the processing of
your data – unlike for other data subjects – unreasonable.
Right to lodge a complaint with a supervisory authority
If you have any doubts as to whether your data are being processed
in accordance with the law, you can lodge a complaint with the supervisory
authority responsible for data protection at your place of residence or employment
or at our registered office.
Right to data portability
You have the right to receive
your personal data in a structured, commonly used and machine-readable IT
format and, where technically feasible and reasonable, to transmit these data
to another controller without hindrance. This right to data portability extends
only to the personal data that we process based on a contract with you or your
consent.
11
Changes to this Privacy Policy
The content of
this Privacy Policy must be adapted from time to time. We reserve the right to
change this Privacy Policy at any time. Please consult the Privacy Policy
regularly if you use the mylife Diabetescare therapy management solution.