Privacy Notice for iCan Review of Sinocare Meditech Inc.
What Personal Data Do We Collect About You?
1. When you use iCan Review and register a user account, we collect and process certain Technical Data that is mandatory for the use of iCan Review. This Technical Data is collected automatically when using iCan Review and includes your IP address, your operating system and its current version, date and time of access, the MAC Address for WLAN use, time zone difference to Greenwich Mean Time (GMT), content of the request (visited website), access status/HTTP status code, amount of the data transferred, previously visited website, browser type and name and the language and the version of your internet browser (“Technical Data”).
2. In order to use the iCan Review, you must first register a user account with us. If you create a user account with us, we will collect and process, alongside the aforementioned Technical Data, for the creation of the user account, your first and last name, work address and a detailed address, phone number, email address, a user name chosen by you and an individual password to protect your user account (“User Account Data”). When logging into the platform in the future, you must provide this email address/user name and your password so that you can be granted access to your user account.
3. When you use iCan Review and the Health Care Team Management Tool, we collect and process the names (first and last name) and the email addresses of the members of your health care team, their last login, whether they have joined your team and whether they have administrator rights, the names (first and last name) and email addresses of Health Care Professionals who you invite to support you with the treatment of patients and whether you want to grant them administrator rights, and the names (first and last name) of the members who have left your team, whether they have had administrator rights and the point of time when they have left your team (“Team Data”).
4. When you use the Patients Management Tool in iCan Review and the patients share their glucose data with you with their consent, we process and have access to the names of your patients (first and last name), their email address, date of birth, gender and type of diabetes (“Basic Patient Information”). In this context, the patients’ glucose data contain the patients’ latest glucose values, the monitoring time, the remaining time of their CGM device, their latest glucose curve as well as recorded events such as diets, exercises and insulin dose, and their glucose report in the form of your continuous glucose evaluation report (“HCP Glucose Data”).
For What Purposes Do We Process Your Personal Data?
1. We process the Technical Data solely for the purpose of providing you with iCan Review, to ensure the security and functionality of iCan Review, and to evaluate the utilization of the service (Art. 6 (1) lit. f GDPR).
2. Your User Account Data and Team Data will only be used and processed to perform the contract concluded with you for the use of iCan Review, notably to grant you access to the features and functionalities of iCan Review (Art. 6 (1) lit. b GDPR).
3. We process the Basic Patient Information only to perform the contract concluded with you for the use of iCan Review (Art. 6 (1) lit. b GDPR) and with the patients’ consent if they decide to share their Basic Patient Information with you (Art. 6 (1) lit. a, 9 (2) lit. a GDPR). When providing you with access to iCan Review and during the performance of the agreement with you regarding the use of iCan Review, we will not process the Basic Patient Information for our own purposes.
4. The HCP Glucose Data, which will be shared with you when the patients consent to the transmission of this information to you as their treating Health Care Professional, will only be used and processed to perform the contract with you for the use of iCan Review and with the patients’ prior consent pursuant to Art. 9 (2) lit. a GDPR. When providing you with access to iCan Review and during the performance of the agreement regarding the use of iCan Review, we will not process the HCP Glucose Data for our own purposes.
5. We process your personal data exclusively for the aforementioned purposes. To the extent that we intend to process your personal data for purposes other than these purposes, we will only do so to the extent required/permitted by law or if you have given us your consent to process the data for the different purposes. Prior to any further processing for the different purposes, we will inform you accordingly and provide you with all necessary information.
6. We will not use automatic decision-making (including profiling) to process your personal data.
With Whom Do We Share Your Personal Data?
1. In addition to the cases explicitly mentioned in this privacy notice, your personal data will only be shared with your express prior consent or if this is permitted and required by law.
2. We may use third party service providers for processing your Technical Data and Account Data for the above purposes. If we use such external service providers, we have carefully selected them beforehand as processors and verify their reliability in accordance with Art. 28 (1) GDPR and contractually obligate them within the scope of Art. 28 (3) GDPR to process all personal data provided by us exclusively in accordance with our instructions.
3. We may share the Technical Data and User Account Data within the Sinocare Group for internal administrative purposes and in particular for joint customer services as well as customer support with Changsha Sinocare Inc. (265 Guyuan Road, Hi-Tech Zone, Changsha, 410205, Hunan, P.R. China), if this is necessary for the above purposes. The legal basis for any disclosure of this personal data (if not anonymized prior to the disclosure) to our affiliated companies is our legitimate interest pursuant to Art. 6 (1) lit. f GDPR.
4. Your personal data and your patients’ personal data will be hosted by Amazon Web Services (AWS) as our data processor. The current privacy notice of Amazon Web Services (AWS) can be found here: https://aws.amazon.com/privacy/?nc1=h_ls.
5. We may share your Technical Data, User Account Data and Team Data with persons engaged in the conduct of our business or in connection with the sale of company or assets of our company to the extent necessary (auditors, financial institutions, insurance companies, legal advisors, regulators, parties involved in acquisitions or the establishment of joint ventures) based on our legitimate business interest (Art. 6 (1) lit. f GDPR).
6. If you decide to invite a patient to share their Basic Patient Information and their HCP Glucose Data with you, we share your name, business address and telephone number with the patient who you invited to share their data with you. The legal basis for this processing activity is the performance of the contract (Art. 6 (1) lit. b GDPR).
7. To the extent necessary to investigate unlawful or abusive use of iCan Review or for legal defense or enforcement and to investigate criminal offenses, we may disclose your Technical Data, User Account Data and Team Data to law enforcement or other authorities and, if necessary, to harmed third parties and legal counsel. However, we will only forward your data if there are indications of illegal or abusive behavior and upon binding request. We may also share it, particularly with our legal counsel, if necessary to enforce our iCan Review terms of use or other legal claims. In addition, we may be required by law to provide information about personal data at the request of certain public authorities. This typically includes requests from law enforcement authorities, authorities that prosecute administrative offenses subject to fines, and tax authorities. We may also disclose your data to authorized third parties if we are permitted to do so by law (e.g., in the case of (third-party) information claims for intellectual property rights infringement) or if we are required to provide information by an administrative or court order. The legal basis for the disclosure of your personal data is either our respective legal obligation to comply (Art. 6 (1) lit. c GDPR), our legitimate interest pursuant to Art. 6 (1) lit. f GDPR, or if there are indications of unlawful or abusive behavior, we have a legitimate interest in disclosing the data to enforce our terms of use, our own legal claims or those of third parties, and our interests outweigh your interest in protecting your personal data.
Do We Transfer Your Personal Data to Third Countries?
The below mentioned recipients of your personal data may process your personal data outside the European Union:
- Changsha Sinocare Inc. in China (support services);
- Amazon Web Services (AWS) with physical server location in Germany (as hosting provider) (the current privacy notice can be found here: https://aws.amazon.com/privacy/?nc1=h_ls);
- Health Care Professionals who you invite to enter your team;
- Your family members and friends you decide to share your data with through iCan Reach.
We take appropriate measures to provide guarantees that the recipients comply with the principles of GDPR. Unless there are other appropriate safeguards or transfer mechanisms (such as adequacy decisions of the EU Commission) in place, we use the standard contractual clauses approved by the EU Commission pursuant to Art. 46 (2) lit. c GDPR when drafting the contracts concluded with our service providers. The standard contractual clauses currently approved by the EU Commission are available on this website. Furthermore, you can request further information on these measures taken at any time using the contact details above.
Please note that as far as there is no adequacy decision of the European Commission for these countries, despite careful selection and commitment of our service providers, these may be subject to compulsory laws in their respective country of establishment requiring them to grant access to data on request of governmental authorities which may not provide for legal boundaries comparable to the European Union.
When Do We Delete Your Personal Data?
We delete your personal data as soon as it is no longer necessary for the purposes we have collected and processed it for. In general, we store your personal data for the duration of the contractual relationship regarding iCan Review.
Your personal data collected and processed when you contact our customer service will be stored where this is necessary to ensure product safety and to comply with applicable regulatory provisions. We will anonymize your data to the extent permitted to comply with said regulatory provisions.
Legal requirements for the retention and deletion of personal data, in particular tax and commercial law requirements for retention, remain unaffected.
Which Encryption Methods and Encryption Standards Do We Use for the Security of Your Personal Data?
For data loss prevention and protection against unauthorized access to your personal data, we use various encryption methods, encryption standards and security means.
Account Data on our cloud server is transmitted to the cloud server using HTTPS encryption. The data stored on our cloud server is encrypted using Advanced Encryption Standard (AES).
For the prevention of data loss of data stored on our cloud server, we perform daily incremental backups and monthly full backups for the sole purpose of providing you with backups of your data in the event of accidental data loss.
Which Rights Do You Have?
You have the right to request information about the data we have stored about you in accordance with Art. 15 GDPR, to request the rectification of inaccurate data in accordance with Art. 16 GDPR and to request the erasure of data in accordance with Art. 17 GDPR or the restriction of data processing in accordance with Art. 18 GDPR. Under the conditions of Art. 20 GDPR, you may also request the transmission of personal data to you or a third party.
In accordance with Art. 21 GDPR, you have the right to object to the processing of your data, provided that the reason for the objection arises from your particular situation and it concerns data that we process to protect one of our interests worthy of protection or if it concerns the use of your data for direct marketing.
You also have a right to lodge a complaint with a competent supervisory authority pursuant to Article 77 GDPR if you consider that we are not processing your personal data in accordance with applicable law. This can be, for instance, the supervisory authority at the place of your residence.
If you have given us consent to process your personal data, you can withdraw this consent at any time without providing reasons and with effect for the future at the email address provided above under the contact details. Please note that this will not affect the processing of your data up to the receipt of the withdrawal notice by us.
Amendment of this Privacy Notice
We always keep this Privacy Notice updated. We will always link to the current version of the Privacy Notice in iCan Review. If we change this Privacy Notice, we will inform you about this via pop-ups in iCan Review.
Date of the Privacy Notice: Nov. 2024