The Diact product family (“Services”) is a software-based system for diabetes data analysis and management to assist patients and care-providers in making better decisions in glucose management. The Services are provided by Dianovator AB (”Dianovator” or ”we”,”us”). When you use our Services or browse our website, we collect data about you. This document describes how we manage that data and what measures we take to keep it secure and applies both when Dianovator acts as Data Controller (when we receive the data directly from a private person) and when we act as Data Processor for another entity.
Dianovator is committed to protecting your Personal Data. Personal Data means any information that could be used to identify a natural person and should be protected according to the General Data Protection Regulation (EU) 2016/679 (GDPR). The source of the information is either you or your healthcare provider.
Categories of Personal Data
- Service Data. Name, personal identity number (Sweden only), gender and health data (sensor and device data such as glucose measurements, insulin doses, insulin pump settings and warnings, etc, as well as other health-related information such as prescribed insulin, weight, length and diagnosis) uploaded from medical devices or data files or submitted by other means by you or your healthcare provider.
- Account Data. Account Data may include your name, email address and any other submitted information. The source of the Account Data is you, your employer or an industry partner of yours.
- Usage Data. We may process personally identifiable data about your use of our website and Services. The Usage Data may include your IP address, geographical location, browser type and version, device make and model, operating system, referral source, length of visit, page views and navigation paths, as well as information about the timing, frequency and pattern of your use of our Services.
- Notification Data. We may process information that you provide to us for the purpose of subscribing to our email notifications and/or newsletters.
- Correspondence Data. We may process information contained in, or relating to, any messages that we receive from you.
- Audit Log Data. We may process access information regarding who has accessed and processed your Service Data and any access or processing you have made to other people’s Service Data. The Audit Log Data may include identification of the data subject, who has accessed the Service Data, when it was accessed, how it was accessed, and changes to Service Data.
- Regulatory Data. We may process information about you for keeping records of incidents or complaints.
The Service Data may be processed for the purposes of providing our Services, analyzing the use of our Services for product development, informing you about product news, informing you about product issues, providing information we believe is of interest to you and communicating with you. The data processing is automated. If you are a private person using our Services, the legal basis is your consent. If you are a Data Controller representing data subjects, the legal basis for our processing is legitimate interest.
The Account Data may be processed for the purposes of operating our website, providing our Services, ensuring the security of our website and Services, maintaining back-ups of our databases and communicating with you. The legal basis for this processing is consent.
The Usage Data may be processed for the purposes of analyzing the use and troubleshooting of the website and Services. The legal basis for this processing is our legitimate interests, namely monitoring and improving our website and Services.
The Notification Data may be processed for the purposes of sending you the relevant notifications and/or newsletters. The legal basis for this processing is consent.
The Correspondence Data may include the communication content and metadata associated with the communication. Correspondence Data may be processed for the purposes of communicating with you and for record-keeping, e.g. for technical support or accounting purposes. Further, when you seek technical support from us, you understand and acknowledge that the individual(s) providing you with support may need to access your Service Data and Usage Data in order to diagnose the problem you are seeking support for; in this case, this information will only be used to help provide you with support. The legal basis for this processing is our legitimate interests.
The Audit Log Data may be processed for the purposes of allowing investigations to be performed regarding who has accessed your and other people’s Personal Data. The legal basis for this processing is legal requirements, which includes the Swedish Patient Data Law (2008:355).
The Regulatory Data may be processed for the purposes of establishing internal reports and records that may be made available to authorities upon their request. The legal basis for this processing is legal requirements, specifically the Medical Device Directive (93/42/EEC).
We may permanently anonymize the Personal Data and use it for statistical analysis, clinical research, demographic analysis and for improving our Services. Permanently anonymized data does not constitute personally identifiable information and is therefore not traceable back to you and is no longer considered Personal Data.
We will retain your Personal Data as follows:
- Service Data will be retained as long as we have your consent, and for a maximum period of 30 days following termination of your Service account.
- Account and Usage Data will be retained during the period for which you have a valid Service account with us, and for a maximum period of 30 days following termination of your Service account.
- Notification Data will be retained during the period for which you have a valid Service account with us and/or you have elected to allow such processing. Should you withdraw your consent and object to such processing, Notification Data will be retained for a maximum period of 30 days following the date of your request.
- Correspondence Data will be retained for a maximum period of 24 months following the resolution of the most recent inquiry from you, or following the end of our relationship (e.g. service contract), whichever is latest.
- Audit Log Data will be retained for a maximum period of 10 years following the creation of such data.
- Regulatory Data will be retained for 10 years after the last production date of the product in question, and for a maximum period of 12 months following the end of said 10-year period.
Notwithstanding the other provisions of this Section, we may retain your Personal Data for a longer period where such retention is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person.
Disclosure of Data
If you are a private person using our Services, you complied to letting your healthcare provider take part of your Service Data when you signed up for an account.
We do not share your Personal Data with any other third party, with the exception for our entrusted suppliers or subcontractors insofar as reasonably necessary in order to provide the Services. Contact us (privacy(at)dianovator.se) to request a current list of suppliers and subcontractors that process your Personal Data.
Personal Data of children
Processing of Personal Data of children below the age of 16 requires the consent of a parent or legal guardian.
The data is stored in secure servers within the European Union. Should Personal Data be provided to us in physical form, it will be stored in secure manual record-keeping systems.
All Personal Data stored electronically is encrypted.
Transactions that are sent to and from your client, e.g. computer or mobile app, are protected by encryption technology.
You should ensure that your password(s) of our Services is not susceptible to being guessed and should be stored in a safe manner and not shared with others. We will not ask you for your password (except when you log in to our Services).
Third party websites
Our website and Services can include hyperlinks to, and details of, third party websites. We have no control over, and are not responsible for, the privacy policies and practices of third parties.
You have the following rights according to the GDPR:
- Right of access. You have the right to confirmation from us as to whether we process your Personal Data and details of the purposes of the processing, the categories of Personal Data concerned and the recipients of the Personal Data. You have the right to receive a copy of your Personal Data.
- Right to rectification. You have the right to request that inaccurate information be rectified. This also means that you have the right to add such Personal Data that is missing and that is relevant considering the purpose of the Personal Data processing.
- Withdrawal of consent. You may withdraw your consent of data processing at any time.
- Right to erasure. In some circumstances you have the right to request the erasure of your Personal Data without undue delay. Those circumstances include: the Personal Data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; you withdraw consent to consent-based processing; you object to the processing under certain rules of applicable data protection law; the processing is for direct marketing purposes; and the Personal Data have been unlawfully processed. However, there are exclusions of the right to erasure. The general exclusions include where processing is necessary: for exercising the right of freedom of expression and information; for compliance with a legal or regulatory obligation; or for the establishment, exercise or defence of legal claims.
- Right to limitation of processing. In some circumstances you have the right to request the restriction of the processing of your Personal Data. Those circumstances are: you contest the accuracy of the Personal Data; processing is unlawful but you oppose erasure; we no longer need the Personal Data for the purposes of our processing, but you require Personal Data for the establishment, exercise or defence of legal claims; and you have objected to processing, pending the verification of that objection. Where processing has been restricted on this basis, we may continue to store your Personal Data. However, we will only otherwise process it: with your consent; for the establishment, exercise or defence of legal claims; for the protection of the rights of another natural or legal person; or for reasons of important public interest.
- Objection to processing. You have the right to object to our processing of your Personal Data on grounds relating to your particular situation, but only to the extent that the legal basis for the processing is that the processing is necessary for any of the following: the performance of a task carried out in the public interest or in the exercise of any official authority vested in us; or the purposes of the legitimate interests pursued by us or by a third party. If you make such an objection, we will cease to process the personal information unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is for the establishment, exercise or defence of legal claims.
- Direct marketing. You have the right to object to our processing of your Personal Data for direct marketing purposes (including profiling for direct marketing purposes).
- Data portability. You have the right to receive your Personal Data from us in a structured, commonly used and machine-readable format.
- Complaints. If you consider that our processing of your personal information infringes data protection laws, you have a legal right to lodge a complaint with a supervisory authority responsible for data protection.
You may exercise any of your rights in relation to your Personal Data by contacting us (privacy(at)dianovator.se).
We may update this policy from time to time. Track this page for updates.
Contact and Data Protection Officer
Generally – the application is very exciting!
Beta test (Skåne University Hospital)