Privacy Policy

« EkiYou »

 

 

The company DIAPPYMED (hereinafter “the Controller”) wishes, by this Privacy Policy, to inform users of the application (hereinafter “Users”) of the processing of personal data collected via the application EkiYou (hereinafter “the Application”).

The collection of personal data is carried out in compliance with the provisions of REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (GDPR).

The User is hereby informed that the personal data indicated as mandatory on the forms and collected as part of the service described herein are necessary for the use of the EkiYou application.

  1. Identity and contact details of the data controller

The processing of Users’ personal data is carried out under the responsibility of the following controller:

DIAPPYMED

Cap Alpha,
3 avenue de l’Europe,
34830, Clapiers
represented by Mr. Omar DIOURI.

 

  2. Data Protection Officer (DPO)

Our Data Protection Officer has been registered with the data protection authorities in an EU member state. If you have any questions or requests regarding this privacy statement or for the data protection officer, you can contact the DPO via the following email address: dpo@diappymed.com

 

  3. Data processing and purposes

Management of the User’s account and authentication on the application

Sub-purposes:

  1. Creation and modification of the account on the Application by the User;
  2. Authentication of the User on the Application

Personal data of the User that are collected:

  • Identification and contact data of the User (name, first name, birth date, e-mail, phone number, username, identification number for the User in the Controller’s systems, sex, country, optional postcode);
  • Data related to the User’s identifiers (such as login, password, IP address)

 

Data Controller: Diappymed

Legal Basis: Art. 6§1.b. – Necessary for the performance of a contract or precontract

Retention period: Erasure 30 days from the deletion of the account

Recipient: The data controller and any authority legally authorized to access the data

Data Transfer: The EkiYou application and the databases are hosted by our subcontractor Google in data centers in Frankfurt (Germany). The data processed for authentication purposes is hosted in data centers in the USA. Google has subscribed to the European Commission’s standard contractual clauses.

 

Management of the access and payments

Sub-purposes:

  1. The subscription by the User, or the generation of a code giving right to a subscription requested by the User or by a healthcare provider, or the automatic activation by the Controller after they received a prescription from a healthcare provider or from the User;
  2. The collection, recording and use of information regarding accesses;
  3. The follow-up of the history of payments and subscriptions;
  4. The management of disputes;
  5. The recording of the healthcare provider that contacts the Controller in order to generate a code giving right to a subscription for their patients using EkiYou

Personal data of the User that are collected:

  • Identification and contact data of the User (name, first name, birth date, e-mail, phone number, username, identification number for the User in the Controller’s systems, sex, country, optional postcode);
  • Data related to the User’s identifiers (such as login, password, IP address);
  • Health data (from the prescription);
  • Social security number;
  • Payment and subscription history data

Personal data of the healthcare provider that are collected (only for the 5th purpose):

  • Identification and contact data of the healthcare provider (name, first name, e-mail, phone number);
  • RPPS / FINESS number

Data Controller: Diappymed

Legal Basis: Art. 6§1.b. – Necessary for the performance of a contract or precontract

Retention period: 10 years starting from the end of the financial year

Recipient: The data controller and any authority legally authorized to access the data

Data Transfer: The EkiYou application and the databases are hosted by our subcontractor Google in data centers in Frankfurt (Germany). The data processed for authentication purposes is hosted in data centers in the USA. Google has subscribed to the European Commission’s standard contractual clauses.

 

Management of the requests via the dedicated form on the Application

Sub-purposes:

  1. The answer to requests from the User regarding the services offered by the Controller via the dedicated form on the Application;
  2. The management of disputes

Personal data of the User that are collected:

  • Identification and contact data of the User (name, first name, birth date, e-mail, phone number, username, identification number for the User in the Controller’s systems, sex, country, optional postcode);
  • Data related to the User’s identifiers (such as login, password, IP address)

 

Data Controller: Diappymed

Legal Basis: Art. 6§1.c. – Necessary for compliance with a legal obligation

Retention period: 3 years starting from the request

Recipient: The data controller and any authority legally authorized to access the data

Data Transfer: The EkiYou application and the databases are hosted by our subcontractor Google in data centers in Frankfurt (Germany). The data processed for authentication purposes is hosted in data centers in the USA. Google has subscribed to the European Commission’s standard contractual clauses.

 

Management of the exercise of data subjects’ rights

Sub-purposes:

  1. The management of the exercise of data subjects’ rights and the answer to data subjects via e-mail or by post;
  2. The management of disputes

Personal data of the User that are collected:

  • Identification and contact data of the User (name, first name, birth date, e-mail, phone number, username, identification number for the User in the Controller’s systems, sex, country, optional postcode);
  • Data related to the User’s identifiers (such as login, password, IP address)

 

Data Controller: Diappymed

Legal Basis: Art. 6§1.c. – Necessary for compliance with a legal obligation

Retention period: 5 years starting from the exercise of the data subject’s right

Recipient: The data controller and any authority legally authorized to access the data

Data Transfer: The EkiYou application and the databases are hosted by our subcontractor Google in data centers in Frankfurt (Germany). The data processed for authentication purposes is hosted in data centers in the USA. Google has subscribed to the European Commission’s standard contractual clauses.

 

Management of opinion polls, studies and customer satisfaction surveys

Sub-purposes:

  1. The improvement of the Application by inviting Users to participate in opinion polls, studies and customer satisfaction surveys;
  2. The justification of the interest the Application represents for the medical follow-up of Users’ diabetes when asked by the appropriate authorities

Personal data of the User that are collected:

  • Identification and contact data of the User (name, first name, birth date, e-mail, phone number, username, identification number for the User in the Controller’s systems, sex, country, optional postcode);
  • Data related to the User’s identifiers (such as login, password, IP address)

 

Data Controller: Diappymed

Legal Basis: Art. 6§1.f – Legitimate interest of the Controller

Retention period: 5 years starting from the opinion poll, study or customer satisfaction study

Recipient: The data controller and any authority legally authorized to access the data

Data Transfer: The EkiYou application and the databases are hosted by our subcontractor Google in data centers in Frankfurt (Germany). The data processed for authentication purposes is hosted in data centers in the USA. Google has subscribed to the European Commission’s standard contractual clauses.

 

Management of the follow-up of diabetes

Sub-purposes:

  1. The personalization by the User of their EkiYou account by filling in their personal data regarding their personal characteristics and health;
  2. The possibility for the User to find in their Logbook all data recorded regarding them;
  3. The possibility for the User to ask the Application to remind them of the time for the basal insulin dose and register their injection or check their blood sugar level;
  4. The possibility for the User to access reliable and high-quality information on subjects regarding diabetes (in particular regarding food, sport, mental health, travels or other testimonies);
  5. The possibility for the User to share the data they have recorded on their EkiYou account with their healthcare provider;
  6. The possibility for the User to search for food data;
  7. The functioning of algorithms with the User’s consent;
  8. The supply by third parties of technical functions on behalf of the Controller

 

Personal data of the User that are collected:

  • Identification and contact data of the User (name, first name, birth date, e-mail, username, identification number for the User in the Controller’s systems);
  • Data related to the User’s identifiers (such as login, password, IP address)
  • Personal characteristics (sex, gender, height and weight of the User, physical activity, eating habits);
  • Health data (such as diabetes type, injection system, bolus and rapid insulin pen, basal and lente insulin pen, pump and rapid insulin, carbohydrate ratio and correction factors, total basal daily dose, total bolus daily dose, time of lente insulin injection, injection data, blood glucose data);
  • Social security number

 

Data Controller: Diappymed

Legal Basis: Art. 6§1.a – Consent of the data subject

Retention period: Erasure 30 days from the withdrawal of consent or the deletion of the account

Recipient: The data controller and any authority legally authorized to access the data

Data Transfer: The EkiYou application and the databases are hosted by our subcontractor Google in data centers in Frankfurt (Germany). The data processed for authentication purposes is hosted in data centers in the USA. Google has subscribed to the European Commission’s standard contractual clauses.

 

Post-market surveillance

Sub-purposes:

  1. Ensuring the safety and performance of the medical device, with the surveillance of the performance of the Application, the detection and correction of technical anomalies and the upgrades for compliance with the applicable law;
  2. Providing application support for Users, with technical support and the resolution of problems linked to the Application, answers to requests from Users and the improvement of the User’s experience;
  3. Measuring the usage of the Controller’s products, with an analysis of uses and a follow-up of habits in order to optimize the functionalities and identify the User’s needs;
  4. The improvement of the Controller’s medical device products, with the collection of feedback from Users, the integration of new medical and technological requirements and the continuous optimization of functionalities and reliability;
  5. The management of complaints and vigilance issues;
  6. The supply by third parties of technical functions on behalf of the Controller

 

Personal data of the User that are collected:

  • Identification and contact data of the User (name, first name, birth date, e-mail, username, identification number for the User in the Controller’s systems);
  • Data related to the User’s identifiers (such as login, password, IP address)
  • Personal characteristics (sex, gender, height and weight of the User, physical activity, eating habits);
  • Health data (such as diabetes type, injection system, bolus and rapid insulin pen, basal and lente insulin pen, pump and rapid insulin, carbohydrate ratio and correction factors, total basal daily dose, total bolus daily dose, time of lente insulin injection, injection data, blood glucose data);

 

Data Controller: Diappymed

Legal Basis: Art. 6§1.f – Legitimate interest of the Controller

Retention period: 10 years starting from the end of the commercialization of the Application (MDR 2017-745)

Recipient: The data controller and any authority legally authorized to access the data

Data Transfer: The EkiYou application and the databases are hosted by our subcontractor Google in data centers in Frankfurt (Germany). The data processed for authentication purposes is hosted in data centers in the USA. Google has subscribed to the European Commission’s standard contractual clauses.

 

 

Management of partnerships with other diabetes monitoring applications

Sub-purposes:

  1. The improvement of the User’s diabetes monitoring by allowing them to connect their EkiYou account to their account on another diabetes monitoring application (including insulin pen device), if a partnership has been concluded for that matter regarding said diabetes monitoring application;
  2. The recording by the other diabetes monitoring applications of the health data of the User processed by the Controller in the context of the Application EkiYou;
  3. The recording by the Application EkiYou of the injection data linked to the insulin pen device connected to the EkiYou account

 

Personal data of the User that are collected:

  • Identification and contact data of the User (name, first name, birth date, e-mail, username, identification number for the User in the Controller’s systems);
  • Data related to the User’s identifiers (such as login, password, IP address)
  • Personal characteristics (sex, gender, height and weight of the User, physical activity, eating habits);
  • Health data (such as diabetes type, injection system, bolus and rapid insulin pen, basal and lente insulin pen, pump and rapid insulin, carbohydrate ratio and correction factors, total basal daily dose, total bolus daily dose, time of lente insulin injection, injection data, blood glucose data);
  • Social security number

 

Data Controller: Diappymed

Legal Basis: Art. 6§1.a – Consent of the data subject

Retention period: 10 years starting from the end of the commercialization of the Application (MDR 2017-745)

Recipient: The data controller and any authority legally authorized to access the data

Data Transfer: The EkiYou application and the databases are hosted by our subcontractor Google in data centers in Frankfurt (Germany). The data processed for authentication purposes is hosted in data centers in the USA. Google has subscribed to the European Commission’s standard contractual clauses.

 

 

The mandatory or optional nature of the data to be provided is indicated to the User at the time of collection by an asterisk (*).

The requirement to provide mandatory data is of a regulatory or contractual nature or it conditions access to the functionalities of the Controller’s Application.

Access to the functionalities of the Controller’s Application cannot be granted if this information is not provided.

By voluntarily providing optional data, the User expressly accepts that they will be processed under the conditions and for all the above purposes.

 

  4. Social Networks

The Processor is present on various social networks, including Facebook, Instagram, LinkedIn, Youtube. As such, the Data Processor is likely to process the public data of the profiles of social network users who share, subscribe, follow or contact the Data Processor on these platforms.

The Data Processor shall not be responsible for the User’s public data accessible on these networks and platforms. The User is therefore advised to read the privacy policies applicable to each of these platforms in order to configure his or her privacy settings.

 

  5. Data Recipients

The Data Controller may share some of your data with its service providers (see section 3.).

This transmission of data by the Data Controller is carried out within the strict limits necessary for the accomplishment of the tasks conferred on these service providers.

These recipients may be required to contact the User directly using the contact details that they have provided.

The Data Controller requires these recipients to use the User’s personal data only to manage the services for which they are responsible and in accordance with the applicable laws and regulations on the protection of personal data.

Where applicable, the User’s personal data may be communicated to third parties authorized by law (in particular in the context of an express and motivated request from the judicial authorities).

Similarly, if the Data Controller is involved in a merger, acquisition, transfer of assets or receivership procedure, it may be required to transfer or share all or part of its assets, including the User’s personal data. In this case, the User will be informed and will be able to give his informed consent, before any transfer of his personal data to a third party.

 

  6. Storage and transfer of data outside the European Union

The User’s personal data processed through the Application are stored in the data centers of our subcontractor Google, located in Frankfurt (Germany).

The authentication service only processes the data necessary to connect to the application (email, password…) and is hosted in the United States. As such, our subcontractor Google has taken all the necessary measures to comply with the GDPR and has subscribed to the standard contractual clauses of the European Commission.

 

  7. Security of personal data

The Data Controller implements organizational, technical, software and physical measures for digital security to protect the User’s personal data from alteration, destruction and unauthorized access. However, it should be noted that the Internet is not a completely secure environment and that the Data Controller cannot guarantee the security of the transmission or storage of the User’s data on the Internet.

 

  8. Use of data for statistical purposes

As part of its commitment to the continuous improvement of its service, the Data Controller may use anonymized data for statistical purposes.

This data allows the Data Controller to perform analyses and find correlations between different variables, which helps it to better understand the needs of Users and to improve the quality of its services.

 

  9. Your rights

In accordance with the provisions of Regulation No. 2016/679 of April 27, 2016 and Law No. 78-17 of January 6, 1978 as amended, the User is fully informed of his rights.

The User has:

– a right of access to his data: the User has the right to obtain confirmation as to whether or not his data is being processed, as well as the communication of a copy of his data and information relating to the characteristics of the processing carried out by the Data Controller on such data;

– a right to rectification of inaccurate information and incomplete data;

– a right to the deletion of data that are no longer necessary for the processing, a right to withdraw consent to the processing, a right to object to the processing of his data when there are no legitimate and compelling reasons justifying the processing, a right to object to commercial prospecting;

– a right to limit the processing in case of inaccuracy of the data during the time of their verification, or when they are no longer necessary for the exercise of a legal right;

– a right to data portability, in order to request the transmission to another person in charge of the data provided with his consent or on the occasion of the conclusion of the contract;

– a right not to be subject to a decision based exclusively on automated processing that produces significant legal effects concerning him;

– a right to define directives concerning the fate of his data after his death.

 

The User may exercise his rights at any time:

– By mail to the address:

DIAPPYMED

Cap Alpha,

3 avenue de l’Europe,

34830, Clapiers

– By email to the address: dpo@diappymed.com // ekiyou@diappymed.com

The User must specify in their request their full name and the e-mail address or postal address to which they wish the reply from the Data Controller they have contacted to be sent.

For security reasons and to avoid fraudulent requests, DiappyMed reserves the right to request proof of identity if there is reasonable doubt as to the applicant’s identity. Once the request has been processed, this proof will be destroyed.

In accordance with the law, this request will be answered within one month of its receipt.

Finally, the User has the right to lodge a complaint with the French Supervisory Authority, i.e., the “Commission Nationale de l’Informatique et des Libertés” (hereinafter: “CNIL”) or any other competent supervisory authority in his State of residence.

The User may make this complaint to the French CNIL:

– By mail to the following address:

3 Place de Fontenoy

TSA 80715

75334 PARIS CEDEX 07

– By phone at 01 53 73 22 22 (Monday to Thursday from 9am to 6:30pm / Friday from 9am to 6pm);

– By fax at 01 53 73 22 00;

– Via the CNIL website at the following address: https://www.cnil.fr/fr/plaintes
