Dec 1, 2022
Thank you for visiting the Happy Bob website, https://happybob.app, which is hosted and operated by Harald AI Oy.
We collect and process all your data in compliance with applicable privacy legislation including the GDPR, HIPAA,CCPA and PIPEDA.
1.1 Responsible entity
1.1.1 Harald AI Oy, address Tekniikantie 12, 02150 Espoo, Finland, Business ID 2913702-7 (“Harald AI”), is the stated responsible entity under the data protection regulations.
In other words, we are the data controller that decides on the purpose and means of processing the personal data of our users (“User Data”) and are therefore responsible for ensuring that personal data is processed in compliance with the applicable laws.
1.2 Structure and consent concept
220.127.116.11 “Necessary Processing” describes how we process the User Data required to fulfill the contract. Without this processing the use of our products is not possible from a legal and a factual point of view because our services depend on this processing. When User Data includes medical data, we additionally ask for your explicit consent to process this data.
18.104.22.168 “Processing for Product Improvement” explains how you can help us and other users, with your consent, by allowing us to use your data to develop algorithms for blood sugar prediction, improve the product and so forth without us contacting you for advertising purposes etc.
22.214.171.124 “Processing for Marketing Purposes” describes how we contact you for marketing purposes, with your consent, e.g., by email, notifications etc.
126.96.36.199 In “General Information” we have assembled the information that applies to all the above consents to avoid repetition.
The relevant categories are described in more detail below. You may provide the relevant consents upon registration or later via the account settings. You may revoke any consents at any time via the account settings or by sending an email to firstname.lastname@example.org. In such an instance we will inform you about the consequences of the revocation. The lawfulness of the processing prior to revocation remains unaffected.
1.2.2 In some cases, the processing may take place independently of consent on the basis of statutory principles (e.g., medical device regulations). We will inform you accordingly in appropriate cases.
2. NECESSARY PROCESSING
When you register to use Happy Bob App, we process the User Data listed below to be able to provide our services, i.e., to fulfill a contract. User Data that includes your medical data is processed when you grant your explicit consent for processing it.
If you do not consent to this necessary processing, we are unable to provide you the services of Harald AI. You may provide your consents during the registration process and manage them in the account settings.
2.1 Necessary User Data
2.1.1 In order to protect your User Data, our services can only be used in connection with a user account.
To create a user account and to use Happy Bob App we require and process the following User Data:
● First name
● Last name
● Email address
● Registration date
● Continuous Glucose Monitor you use
● Status of consents
● Device ID, manufacturer
● Device type, operating system version
● Language, country, time zone
We also collect
Commercial and Usage Data
App store download, device ID, operating system, browser type and version, token, activity events for customization, support queries.
Blood glucose reading and sensor data such as sensor value, time and time zone. We may receive medical data manually directly from you or with your authorization directly through a third-party API from a continuous glucose monitor.
2.1.2 If you wish, you can operate the user account under an assumed name (pseudonym), i.e. you do not have to state your real name. You can also enter any email address that you set up especially for us – however it must work so that we can send you important warnings.
The scope of the data recorded by Harald AI depends on your registration and use of our products. We only process the User Data that you actively and voluntarily provide to Harald AI. The entry of requested User Data is however a requirement for the comprehensive use of our products.
2.2 Necessary purposes
2.2.1 All the necessary purposes of our processing are associated with providing our services:
Use of our Happy Bob App leads to technical and device-related data recordings such as the device ID, location and use behavior data.
The legal basis for processing this data is our legitimate interest to improve your user experience (e.g. by enabling the Happy Hob App to remember choices you have made while using the App) and to prevent any misuse of our Products (e.g. to ensure that certain functions are available only in specific areas).
Registration leads to the creation of your user account using the email address and password. The legal basis for this is the performance of a contract so that we may provide you with our Products you have requested from us.
The provision of our services requires you to voluntarily provide us CGM data. When you provide us manually with your CGM data, the legal basis is your explicit consent and the performance of a contract between us as our Happy Bob App would not work without your CGM data.
Communication from Harald AI with you within our Happy Bob App or via other electronic messaging services (e.g. email) where this is required to support or troubleshoot our products. This is how we process any comments and queries that you may have via various communication channels when using Happy Bob App. Please therefore think about which information and data you want to give in your active communication with us – this is solely your decision.
When you provide us your contact details and other information in connection of communicating with our customer service, the legal basis for processing that personal data is our legitimate interest to serve you and/or our legal obligations e.g. in relation to fulfilling your rights as a data subject.
We may conduct clinical studies or research alone or with our partners as we are committed to the science of all aspects of diabetes and determining and improving effectiveness of techniques for controlling and treating diabetes. For this we or our relevant partner will always acquire your explicit consent.
3. PROCESSING FOR PRODUCT IMPROVEMENT
We also process your User Data to improve our products and services as described in more detail below. In these instances, the processing is based on our legitimate interest to develop and improve the Happy Bob App and to ensure that it is safe to use.
3.1 Usage Data
Activity events that allow us to understand how you use our products. This enables us to see how our products are used and for example where menu designs can be optimized.
3.2 Other Data
We also ask users information about their country, diabetes type, gender and age. This data is used to analyze which user groups benefit from the Happy Bob use.
3.2 Purpose of product improvement
As a result of fast-moving technological progress, we have to continually analyze, develop, test, and improve our products and their interactions, in order to ensure that our content benefits users in the most effective way. To achieve this, we conduct usage and security tests and the knowledge gained is incorporated into improved new versions of our products such as the app. These improvements are also provided to you via regular updates.
4. PROCESSING FOR MARKETING PURPOSES
4.1.1 We would like to send you interesting information on products and services in addition to the contractual scope (including information from carefully selected partners) and invitations to participate in surveys or other sales promotions and marketing activities (“Newsletter”).
4.1.2 You can select whether you want to subscribe to our Newsletter (opt in) i.e. this processing is based on your consent. You can revoke your consent at any time via the link in the Newsletter or the account settings.
4.2 Other types of marketing
4.2.1 Other consents, e.g., for surveys or notifications are obtained as required when you are logged in. We always explain to you why we need certain data and how you can revoke the consent.
5. USAGE FOR STATUTORY PURPOSES
5.1. Enforcement of rights and disclosures required by law
The use of personal data may also be necessary to prevent abuse by users or to assert, exercise, or defend legal claims. We may be forced into disclosure due to binding laws, court or official decisions and instructions, criminal investigation, or in the public interest.
6. GENERAL INFORMATION
6.1 Purpose limitation and security
6.1.2 Each processing always guarantees adequate security and confidentiality of your personal data. This covers protection from unauthorized and illegal processing, unintentional loss, unintentional destruction or damage using appropriate technical and organizational measures. We use strict internal processes, security features, and encryption methods.
6.2.1 Our products are subject to complex processes that we have to manage and keep up-to-date. For technical support we may use affiliated companies and third-party suppliers (“Processors”) in order to offer you a comprehensive and optimal use of our product.
6.2.4 The third-party suppliers appointed by Harald AI may only use other processors (subcontractors) with our prior consent. If a subcontractor does not comply with the same data protection obligations and all the appropriate security measures that we impose on our Processors, then we will prohibit the hiring of such a subcontractor.
6.3 Encryption, pseudonymization, and anonymization
6.3.1 Each data transfer, without exception and by default, is encrypted during transfer. Using HTTPS (hypertext transfer protocol secure) we ensure that your data is not intercepted by unauthorized third parties.
In addition, for the purposes of data security and minimization, we also use other processes for the encryption and pseudonymization of User Data. Of course, this depends on the type, scope, and purpose of the relevant data processing. For example, we only disclose User Data that a Processor requires to carry out his tasks.
6.3.2 When a contractual relationship with a Processor is terminated, such Processor must, at Harald AI’s discretion, either return all our User’s Data or delete it if there are no statutory storage obligations.
6.3.3 Data that requires no personal reference for processing (e.g. for research and analysis) is subject to anonymization. This prevents a connection to a specific user being made in all cases.
6.4 Location of our partners and suppliers
6.4.1 If you are located in the EU/EEA, Switzerland or Canada, we primarily select cooperation partners who are based in or whose servers are located in the European Union (EU) or European Economic Area (EEA).
6.4.2 We may appoint third-party suppliers who are located in or who have servers outside the EU. In these cases, your personal data is subject to a high protection level in line with the GDPR – either through an EU adequacy decision or through certain standard contractual clauses approved by the EU, which the contractual relationships with our contracted data processors are based on, or through comparable legal instruments permitted under the GDPR.
6.4.3 If you are located in the US, we will only process your data within the US and select our partners for processing of your data accordingly. See also section 6.8 below.
6.5 Categories of recipients
6.5.1 Our cooperation partners are bound by the agreements signed with Harald AI as well as by the GDPR and only process data according to our instructions. We provide our users’ Data only to fulfill the contract.
Customer support services and their tools help our customer support to handle our users’ inquiries quickly and efficiently. Here, for example, queries are recorded from various communication channels and grouped according to topics using ticket systems.
Analysis service providers and their tools help us to understand how users use our products in order for us to provide customized communication and product improvements in the future.
Marketing service providers support us in creating, sorting, customizing, and sending newsletters, emails, and other messages about our products to our users.
Hosting and cloud services and their tools are used to store data and to produce anonymized analyses (see section 2.4 above).
Harald AI stores so-called “cookies” to provide our website and make the use of it more convenient. Cookies are small text files that are stored on your device by your browser. Except for the cookies for usage data mentioned in section 6.7, our cookies are used to operate the website.
We store necessary cookies in order to provide the website for you. We ask for you consent to all non-necessary cookies when you enter the website. You can at any time revoke your consent by using the same banner on our website that you used to give your consent on.
Most of our cookies are either deleted at the end of your visit or when the browser is closed (session cookies). If this is not the case, you can check the deletion period from our cookie banner or revoke your consent to delete the cookies. Please note that this may restrict the functionality or scope of our offer.
6.7 Usage data
We use Google Universal Analytics in the publicly accessible part of our website (no login required), a web analysis service by Google Inc. (“Google”).
You can prevent the storage of cookies using the appropriate setting, as described in section 6.6 above.
6.8. Storage and deletion
6.8.1 Your User Data is stored on your device. This data is also stored on our servers. We only use systems that meet GDPR and HIPAA requirements.
6.8.2 We operate in various countries throughout the world. If you are located in the EU/EEA, Switzerland or Canada, your data is stored on servers in the European Union (EU).
If you are located in the USA, we will only process and store your data within servers in the USA. We ensure that the high protection level pursuant to the GDPR and HIPAA and other privacy regulations is guaranteed.
6.8.3 As a rule, Harald AI only stores your personal data for the duration of the contract. In exceptional cases, longer storage may be required in order to fulfill post-contractual obligations or to comply with statutory storage obligations or disclosure duties, or to assert, exercise, or defend legal claims (limitation periods).
Minors, below the age of sixteen are only permitted to use our products with the consent of a parent/guardian. This also applies to processing their personal data, which is only legal if and to the extent to which the consent has been obtained by and through the parent/guardian. Otherwise use of our products is prohibited.
6.10. Data protection officer
6.10.1 Our data protection officer is available to answer all data protection questions at email@example.com. The data protection officer monitors ‒ independently and not bound by instructions ‒ compliance with all data protection regulations and is subject to strict statutory secrecy and confidentiality obligations.
6.10.2 The data protection officer is widely involved in all questions associated with protecting the personal data of our users. As a trained expert, he monitors our processing on an ongoing basis, informs and regularly advises the entire Harald AI team to ensure the best possible protection of your User Data.
6.11.1 As technology and processes in the Internet as well as data protection legislation are constantly being developed, we have to undertake changes from time to time. We will inform you of changes by appropriate means whilst granting an appropriate advance notice period and if necessary, obtaining new consents.
7. YOUR RIGHTS
7.1. Revocation of consents
If we process your User Data based on your consent, you may revoke the consent at any time. However, this will not affect the lawfulness of the processing before the revocation. We will continue to provide our services if they do not depend on the consent that has been revoked.
7.2. Information, correction, and restriction
7.2.1 Each user has the right to request information on the processing of their personal data. Users can also request a copy of their personal data by contacting us. Users can contact us at any time at firstname.lastname@example.org.
7.2.3 Should some of your personal data be incorrect, you can request that your data is corrected or completed at any time. You can correct most data yourself in our apps. You have the right to restrict data processing for the duration of any investigation review that you have requested.
7.3 Deletion (“right to be forgotten”)
Each user has the right to request the deletion of their personal data. To do so, please contact us at any time at email@example.com.
7.4 Ability to transfer data
Finally, each user has the right to request that we provide an overview of their personal data to another responsible party if this is technically feasible.
7.5.1 If you feel we are not protecting your data protection rights adequately, please contact us at any time at firstname.lastname@example.org or contact our data protection officer directly at email@example.com. We will handle your request as soon as possible.
If you are not satisfied with our response, you have the right to lodge a complaint with the relevant supervisory authority within your jurisdiction. In Finland the supervisory authority is the Office of Data Protection Ombudsman, www.tietosuoja.fi. You can find contact details for other EU countries’ supervisory authorities here.
THANK YOU FOR YOUR CONFIDENCE IN US!