Privacy Notice for ICAN APP of Sinocare Meditech Inc.
The Sinocare Meditech Inc., („we“)operates the iCAN Continuous Glucose Monitor System APP (“CGM APP”).
Sinocare Meditech Inc. is the controller of your personal data within the meaning of Art. 4 No. 7 of the EU General Data Protection Regulation 2016/679 (“GDPR”) and as such your direct point of contact related to data protection. You can reach us at any time using the following contact options:Postal: Sinocare Meditech Inc.,
Via E-Mail: iCansupport@sinocare.com
Data Protection Officer: Dr. Jiangfeng Fei
EU Representative:
OBELIS S.A.
Bd. Général Wahis, 53
1030 Brussels, Belgium
Tel.: +32.2.732.59.54
The use of the iCAN APP is only possible after prior registration of a user account with us. The terms of use can be found at [iCAN APP Terms of Use]. When using the iCAN APP in connection with the blood glucose sensor and the transmitter, we enable you to transmit, retrieve and display certain information regarding your diabetes (“Product”). The glucose sensor, which you can insert into your skin yourself using the applicator, transmits your current glucose levels via a transmitter to the CGM APP, which can display and identify your current glucose levels, long-term glucose trends and developments based on your glucose levels. Furthermore, the iCAN APP can send you warning messages or alerts if you become hyperglycemic or hypoglycemic and thus reach a life-threatening state. In addition, with the CGM APP, we offer you the voluntary option to upload your data to a cloud server in Germany, which is operated by one of our partners on our behalf. Otherwise, the data collected will remain stored locally and in a secure environment on your device. You can also, in your own responsibility, decide to share with family members and friends access to your live glucose levels via the “Access” function of the CGM APP, provided that such family member or friend has installed and created an account in the separate Sinocare REACH APP. When using the CGM APP, we consequently collect and process your personal data, including special categories of personal data. Personal data means any information relating to an identified or identifiable natural person. Since the protection of your privacy as well as the protection of your personal data in connection with the use of the iCAN APP is very important to us, we would like to inform you in detail below which personal data we collect and process from you, for which purposes and on which legal basis we process this data and with whom we may share your data.
What personal Data do we collect about you?
1. When you download the iCAN APP from your App Store (e.g. Google Play or Apple App Store), certain required information is transmitted to the App Store you have selected. This information includes in particular your user name, your email address and your customer number of the App Store user account, the time of the download of the iCAN APP, provided that the App requires payment, your payment information (e.g. credit card data etc.) as well as the individual device identification number (Device ID) of the device on which you download and install the iCAN APP. We have no influence on these data processing operations. It is conducted exclusively by the respective provider of the App Store and we are not responsible for this processing in the meaning of the data protection laws. („App Store Data“).
2. After the iCAN APP has been downloaded and installed on your mobile device, it can be used without access to the Internet after you have set up a user account with us, which is described in more detail in section 4. In this case, all of the data described below will be stored exclusively locally on your mobile device. If you decide to upload this data to the cloud server operated by our service provider, which you can do by activating a corresponding button in the app, the categories of personal data described below will be processed by us on an ongoing basis.
3. When you use the iCAN APP and register a user account, we collect and process certain Technical Data that is mandatory for the use of the App. This Technical Data, which is necessary for the use of the iCAN APP and is collected automatically, includes your IP address, your device ID (IMEI number = International Mobile Equipment Identity number), your operating system and its current version, date and time of access, the unique number of the carrier (IMSI = International Mobile Subscriber Identity), mobile phone number (MSISDN), the MAC address for WLAN use and the name of your mobile device. („Technical Data“).
4. In order to use the iCAN APP, you must first register a user account with us and log in to the app via this user account. If you create a user account with us, we will collect and process, alongside the aforementioned Technical Data, for the creation of the user account, your email address, a user name chosen by you and an individual password to protect your user account („User Account Data“). When logging into the app in the future, you must provide this email address/user name and your password so that you can be granted access to your user account.
5. When you use the iCAN APP, special categories of personal data will be collected by the iCAN APP, namely Health Data. This includes, when creating your user account, information such as diabetes type, gender and age, which you can optionally and voluntarily provide to us if you wish. In addition, however, it is necessary for the functioning of our Product and the iCAN APP that your glucose levels are continuously processed in connection with the use of the iCAN APP and the glucose sensor by transmitting them to the iCAN APP („Health Data“). For the transmission of the glucose levels to the iCAN APP, it is necessary that the App accesses the Bluetooth interface of your mobile device in order to receive the glucose data transmitted by the transmitter.
For what purposes do we process your personal data?
1. We process the Technical Data solely for the purpose of providing you with the iCAN APP, to ensure the security and functionality of the iCAN APP, and to evaluate the utilization of the app (Art. 6 (1) lit. f GDPR).
2. Your User Account Data will only be used to perform the contract concluded with you for the use of the iCAN APP (Art. 6 (1) lit. b GDPR).
3. The Health Data you provide, in particular the data about your glucose levels, will be processed for the purpose of enabling you the use of the iCAN APP, in particular to provide you with your current glucose levels, to provide you with a retrospective analysis of your glucose levels and, consequently, to improve your understanding and control of your diabetes. In addition, your Health Data will also be processed to provide you with warning messages and alerts if your glucose level reaches a life-threatening range and to enable you to take appropriate remedial measures. Legal basis for this processing is your explicit consent to be provided when installing the iCAN APP (Art. 9 (2) lit. a GDPR). Please note that without your consent, you cannot use the iCAN APP to monitor your glucose levels.
4. Instead of storing your User Account Data and Health Data on your device, you have the opportunity to upload your Health Data and User Account Data to our cloud servers using the function provided in the iCAN APP and store it there. This has the advantage that you will have access to your data even if you change mobile devices and download and install the iCAN APP on a new mobile device. By uploading the data, you can easily transfer it to the iCAN APP on a new mobile device. This function is disabled in the default setting of the App. Legal basis for this processing activity is also your explicit consent (Art. 9 (2) lit. a GDPR). This is optional and by no means mandatory to use the iCAN APP.
5. Should you choose to upload and store your Health Data and User Account Data to the cloud servers operated by us using the function provided in the iCAN APP, we intend to share this data in an aggregated, i.e. anonymized, form with research and development centers in the United States of America and Peoples’ Republic of China for statistical and analytical research purposes and to improve data related to diabetes research. Processing for research purposes includes, but is not limited to, creating, accessing, storing, using, analyzing, and sharing the data with affiliates, external researchers, healthcare companies and professionals, and health authorities. We will also use aggregated or anonymized data to evaluate and improve the performance of the iCAN APP and to update and improve existing features, develop new features to meet the individual needs of our users, and to improve statistical and scientific research capabilities. We will only share this anonymized and aggregated data upon your explicit consent.
6. Upon your request, we process your data for the performance of the contract concluded with us in order to provide you with adequate and helpful customer service or customer support, should you ever experience problems with the iCAN APP or require assistance. In this context, our customer service personnel may need to access the data stored in your user account or terminal device and may be located in a country outside the European Economic Area (“EEA”) and different from the country from which you are making the customer request or the country in which you are resident or habitually resident. In such case we also require your consent to access your data (Art. 6 (1) lit. a) and Art. 9 (2) lit. a GDPR).
7. We process your personal data exclusively for the aforementioned purposes. To the extent that we intend to process your personal data for purposes other than these purposes, we will only do so to the extent required/permitted by law or if you have given us your consent to process the data for the different purposes. Prior to any further processing for the different purposes, we will inform you accordingly and provide you with all necessary information.
8. We will not use automatic decision-making (including profiling) to process your personal data.
9. For withdrawing your consent, please refer to the “Which rights do I have” section below.
With whom do we share your personal data?
In addition to the cases explicitly mentioned in this privacy notice, your personal data will only be shared with your express prior consent or if this is permitted and required by law.
1. If you decide to upload your user account to the cloud, your Technical Data, User Account Data and Health Data will be shared with our technical service providers for the purpose of offering the optional cloud storage service to you. In this case, any transfer of personal data will take place for the fulfillment of the contract concluded with you (Art. 6 (2) lit. b GDPR) and, in case of your Health Data, on the basis of your prior express consent (Art. 9 (2) lit. a GDPR).
2. If you decide to share your Health Data with third parties via the “Access” function of the iCAN APP, you need to give us your prior express consent to transfer to and share this personal data with these persons (Art. 6 (1) lit. a, Art. 9 (2) lit. a GDPR. You are yourself responsible for selecting any such persons and to ensure that these do not misuse your Health Data. You can at any time disable the access of any of these persons to your Health Data in the “Access” function of the iCAN APP.
3. We may also disclose your User Account Data and Health Data to our third party service providers, for the purpose of customer services and support. In this case, any transfer of personal data will only take place if you have given us your prior express consent to transfer to and share this personal data with our third party service providers (Art. 6 (1) lit. a, Art. 9 (2) lit. a GDPR.
4. Any transfer of personal data to the above mentioned recipients in Section 1, 2 and 3 is justified by the fact that you have previously given us your express consent to transfer this personal data within the meaning of Art. 6 (1) lit. a, Art. 9 (2) lit. a GDPR. If we use such external service providers, we have carefully selected them beforehand as processors and verify their reliability in accordance with Art. 28 (1) GDPR and contractually obligate them within the scope of Art. 28 (3) GDPR to process all personal data provided by us exclusively in accordance with our instructions.
5. We may share the Technical Data and User Account Data within the Sinocare Group for internal administrative purposes and in particular for joint customer services as well as customer support with Changsha Sinocare Inc (265 Guyuan Road, Hi-Tech Zone, Changsha, 410205, Hunan, P.R. China) and Sinocare Meditech Inc. (3230 W Prospect Road, Lauderdale, FL 33309. USA), if this is necessary for the above purposes. The legal basis for any disclosure of this personal data (if not anonymized prior to the disclosure) to our affiliated companies is our legitimate interest pursuant to Art. 6 (1) lit. f GDPR. Insofar as non-anonymized Health Data is also included in the transfer, the transfer will only take place with your consent pursuant to Art. 9 (2) lit. a GDPR.
6. We may share Technical Data and User Account Data with persons engaged in the conduct of our business to the extent necessary (auditors, financial institutions, insurance companies, legal advisors, regulators, parties involved in acquisitions or the establishment of joint ventures) based on our legitimate business interest (Art. 6 (1) lit. f GDPR).
7. With your explicit consent, we will share your User Account Data and Health Data uploaded to the cloud in aggregated and anonymized form with research and development centers in the U.S. and China, affiliated companies, external researchers, healthcare companies and professionals, and health authorities for statistical and analytical research purposes. The legal basis for this disclosure is your explicit consent pursuant to Art. 6 (1) lit. a and Art. 9 (2) lit. a GDPR.
8. To the extent necessary to investigate unlawful or abusive use of the iCAN APP or for legal defense or enforcement and to investigate criminal offenses, we may disclose your Technical Data and Account Data to law enforcement or other authorities and, if necessary, to harmed third parties and legal counsel. However, we will only forward your data if there are indications of illegal or abusive behavior and upon binding request. We may also share it, particularly with our legal counsel, if necessary to enforce our iCAN APP terms of use or other legal claims. In addition, we may be required by law to provide information about personal data at the request of certain public authorities. This typically includes requests from law enforcement authorities, authorities that prosecute administrative offenses subject to fines, and tax authorities. We may also disclose your data to authorized third parties if we are permitted to do so by law (e.g., in the case of (third-party) information claims for intellectual property rights infringement) or if we are required to provide information by an administrative or court order. The legal basis for the disclosure of your personal data is either our respective legal obligation to comply (Art. 6 (1) lit. c GDPR) our legitimate interest pursuant to Art. 6 (1) lit. f GDPR, or if there are indications of unlawful or abusive behavior, we have a legitimate interest in disclosing the data to enforce our terms of use, our own legal claims or those of third parties, and our interests outweigh your interest in protecting your personal data.
Do we transfer your personal data to third countries?
The above mentioned recipients of your personal data may process your personal data outside the European Union:
• Changsha Sinocare Inc. in China (support services)
• Sinocare Meditech Inc. in the USA (support services)
• AWS with physical server location in Germany (as hosting provider)
• research and development centers in the U.S. and China, affiliated companies, external researchers, healthcare companies and professionals, and health authorities (aggregated and anonymized data only)
We take appropriate measures to provide guarantees that the recipients comply with the principles of GDPR. Unless there are other appropriate safeguards or transfer mechanisms (such as adequacy decisions of the EU Commission) in place, we use the standard contractual clauses approved by the EU Commission pursuant to Art. 46 (2) lit. c GDPR when drafting the contracts concluded with our service providers. The standard contractual clauses currently approved by the EU Commission are available on this website. Furthermore, you can request further information on these measures taken at any time using the contact details above.
Please note that as far as there is no adequacy decision of the European Commission for these countries, despite careful selection and commitment of our service providers, these may be subject to compulsory laws in their respective country of establishment requiring them to grant access to data on request of governmental authorities which may not provide for legal boundaries comparable to the European Union.
If you decide to upload your data to the cloud servers operated by our service providers or if you agree to share your Health Data in anonymized form with third parties, your consent also covers the transfer of Health Data to recipients outside the European Union. In countries outside the EU your data may not be as strictly protected as you are used to, in particular governmental authorities may have broad access rights to your data and you may not be informed about such access or have any rights of redress in this regard.
When do we delete your personal data?
We delete or anonymize your personal data as soon as it is no longer necessary for the purposes we have collected and processed it for. In general, we store your personal data for the duration of the contractual relationship regarding the iCAN APP. If you have uploaded your personal data to our cloud server, we will store your User Account Data and Health Data for a period of twelve months from the last use of your User Account and delete or aggregate them thereafter. Should you withdraw your consent in accordance with the “What rights do you have?” section below (e.g. for hosting your Health Data in the cloud), the respective data will be deleted by us.