July 16, 2020
Thank you for visiting the Happy Bob website, https://happybob.app, which is hosted and operated by Harald AI Oy.
1.1 Responsible entity
1.1.1 Harald AI Oy, address Tekniikantie 12, 02150 Espoo, Finland, Business ID 2913702-7 (“Harald AI”), is the stated responsible entity under the data protection regulations. In other words we are the company that decides on the purpose and means of processing the personal data of our users (“User Data”) and is therefore responsible for its security and compliance with the applicable laws.
1.2 Structure and consent concept
184.108.40.206 “Necessary Processing” describes how we process the User Data required to fulfill the contract. Without this consent the use of our products is not possible from a legal and a factual point of view because our services depend on this processing.
220.127.116.11 “Processing for Product Improvement” explains how you can help us and other users, with your consent, by allowing us to use your data in particular to develop algorithms for blood sugar prediction, improve the product and so forth without us contacting you for advertising purposes etc.
18.104.22.168 “Processing for Marketing Purposes” describes how we contact you for marketing purposes, with your consent, e.g. by email, notifications etc.
22.214.171.124 In “General Information” we have assembled the information that applies to all of the above consents to avoid repetition.
The relevant categories are described in more detail below. You may provide the relevant consents upon registration or later via the account settings. You may revoke any consents at any time via the account settings or by sending an email to firstname.lastname@example.org. In such an instance we will inform you about the consequences of the revocation. The lawfulness of the processing prior to revocation remains unaffected.
1.2.2 In some cases, the processing may take place independently of consent on the basis of statutory principles (e.g. medical device regulations). We will inform you accordingly in appropriate cases.
- NECESSARY PROCESSING
If you grant your consent, we process the User Data listed below in order to be able to provide our services. If you do not consent to this necessary processing, you cannot use the services of Harald AI. You may provide your consents during the registration process and manage them in the account settings.
2.1 Necessary User Data
2.1.1 In order to protect your User Data, our services can only be used in connection with a user account. To create a user account and to use Happy Bob App we require and process the following User Data:
- First name
- Last name
- Email address
- Registration date
- Continuous Glucose Monitor you use
- Status of consents
- Device ID, manufacturer, device type, operating system version
- Language, country, time zone
- IP address.
We also collect
Commercial and Usage Data
App store download, IP address, device ID, operating system, browser type and version, token, activity events for customization, support queries.
Blood glucose reading and sensor data such as sensor value, time and time zone
2.1.3 If you wish, you can operate the user account under an assumed name (pseudonym), i.e. you do not have to state your real name. You can also enter any email address that you set up especially for us – however it must work so that we can send you important warnings.
The scope of the data recorded by Harald AI depends on your registration and use of our products. We only process the User Data that you actively and voluntarily provide to Harald AI. The entry of requested User Data is however a requirement for the comprehensive use of our products.
2.2 Necessary purposes
2.2.1 All the necessary purposes of our processing are associated with providing our services:
Installation of our Happy Bob app leads to technical and device-related data recordings such as the device ID.
Registration leads to the creation of your user account using the email address and password.
The provision of our services requires you to voluntarily provide CGM data.
Communication from Harald AI with you within our Happy Bob app or via other electronic messaging services (e.g. email) where this is required to support or troubleshoot our products. This is how we process any comments and queries that you may have via various communication channels when using Happy Bob App. The most important example is our support service, which you can access at email@example.com. Please therefore think about which information and data you want to give in your active communication with us – this is solely your decision. For our part, communication with users may be necessary either by email or push notification. This is how we inform you about updates to our product and provide important security advice as well as assistance associated with your usage. This support communication – as an essential part of our products – is sent to users notwithstanding whether they have subscribed to our Newsletter or not.
Continuous glucose monitor (CGM) must be paired with Happy Bob app before it can be used
2.2.2 Use of our Happy Bob app requires you to voluntarily enter your CGM data. To resolve an error in the app we require crash reports that we can use for troubleshooting purposes to determine the circumstances of the problem. In addition, the key data of your device and your usage behavior are recorded as our contractual fulfillment, meaning customizing our products i.e. processing individual user information, for example, depending on your location, which is for instance relevant for configuring the user interface. An automated analysis of user behavior is performed exclusively for the purpose of customizing your use when fulfilling the contract and has no legal effect for you.
- PROCESSING FOR PRODUCT IMPROVEMENT
We also process your User Data to improve our products and services as described in more detail below.
3.1 Usage Data
Activity events that allow us to understand how you use our products. This enables us to see how our products are used and for example where menu designs can be optimized.
3.2 Purpose of product improvement
As a result of fast-moving technological progress, we have to continually analyze, develop, test, and improve our products and their interactions, in order to ensure that our content benefits users in the most effective way. To achieve this, we conduct usage and security tests and the knowledge gained is incorporated into improved new versions of our products such as the app. These improvements are also provided to you via regular updates.
- PROCESSING FOR MARKETING PURPOSES
4.1.1 We would like to send you interesting information on products and services in addition to the contractual scope (including information from carefully selected partners) and invitations to participate in surveys or other sales promotions and marketing activities (“Newsletter”).
4.1.2 You can select whether you want to subscribe to our Newsletter (opt in). You can revoke your consent at any time via the link in the Newsletter or the account settings.
4.2 Other types of marketing
4.2.1 Other consents, e.g. for surveys or notifications are obtained as required when you are logged in. We always explain to you why we need certain data and also how you can revoke the consent.
- USAGE FOR STATUTORY PURPOSES
5.1 Scientific research and statistics
Harald AI is committed to the science of all aspects of diabetes. Therefore, anonymous User Data may also be used for the purposes of research and statistics (always whilst complying with the recognized ethical scientific standards) and internal analyses. This is used mainly to determine and improve the effectiveness of techniques for controlling and treating diabetes. The legal basis for this is Article 9 (2) j) GDPR.
5.2 Enforcement of rights
The use of personal data may also be necessary to prevent abuse by users or to assert, exercise, or defend legal claims. We may be forced into disclosure due to binding laws, court or official decisions and instructions, criminal investigation, or in the public interest. In such cases, the storage and processing of your data are permitted by law without your consent. The legal basis for this is Article 9 (2) f) GDPR.
- GENERAL INFORMATION
6.1 Purpose limitation and security
6.1.2 Each processing always guarantees adequate security and confidentiality of your personal data. This covers protection from unauthorized and illegal processing, unintentional loss, unintentional destruction or damage using appropriate technical and organizational measures. We use strict internal processes, security features, and encryption methods.
6.2.1 Our products are subject to complex processes that we have to manage and keep up-to-date. For technical support we may use affiliated companies and third-party suppliers (“Processors”) in order to offer you a comprehensive and optimal use of our product.
6.2.4 The third-party suppliers appointed by Harald AI may only use other processors (subcontractors) with our prior consent. If a subcontractor does not comply with the same data protection obligations and all of the appropriate security measures that we impose on our Processors, then we will prohibit the hiring of such a subcontractor.
6.3 Encryption, pseudonymization, and anonymization
6.3.1 Each data transfer, without exception and by default, is encrypted during transfer. Using HTTPS (hypertext transfer protocol secure) we ensure that your data is not intercepted by unauthorized third parties.
In addition, for the purposes of data security and minimization, we also use other processes for the encryption and pseudonymization of User Data. Of course this depends on the type, scope, and purpose of the relevant data processing. For example, we only disclose User Data that a Processor requires to carry out his tasks.
6.3.2 When a contractual relationship with a Processor is terminated, such Processor must, at Harald AI’s discretion, either return all our User’s Data or delete it if there are no statutory storage obligations.
6.3.3 Data that requires no personal reference for processing (e.g. for research and analysis) is subject to anonymization. This prevents a connection to a specific user being made in all cases.
6.4 EU and other countries
6.4.1 We primarily select cooperation partners who are based in or whose servers are located in the European Union (EU) or European Economic Area (EEA). Data transmission within the EU and EEA is unobjectionable because the GDPR applies in all member states.
6.5. Categories of recipients
6.5.1 Our cooperation partners are bound by the agreements signed with Harald AI as well as by the GDPR and only process data according to our instructions. We provide our users’ Data only to fulfill the contract:
Customer support services and their tools help our customer support to quickly and efficiently handle our users’ inquiries. Here, for example, queries are recorded from various communication channels and grouped according to topics using ticket systems.
Analysis service providers and their tools help us to understand how users use our products in order for us to provide customized communication and product improvements in the future.
Marketing service providers support us in creating, sorting, customizing, and sending newsletters, emails, and other messages about our products to our users.
Hosting and cloud services and their tools are used to store data and to produce anonymized analyses (see section 2.4 above).
6.7 Usage data
We only use Google Universal Analytics in the publicly accessible part of our website (no login required), a web analysis service by Google Inc. (“Google”).
You can prevent the storage of cookies using the appropriate setting in your browser, as described in section 6.6 above.
6.8. Storage and deletion
6.8.1 Your User Data is stored on your device. This data is also stored on our servers. We only use systems that meet GDPR requirements.
6.8.2 Your data is stored on servers in the European Union (EU). We ensure that the high protection level pursuant to the GDPR is guaranteed.
6.8.3 As a rule, Harald AI only stores your personal data for the duration of the contract. In exceptional cases, longer storage may be required in order to fulfill post-contractual obligations or to comply with statutory storage obligations or disclosure duties, or to assert, exercise, or defend legal claims (limitation periods).
Minors, below the age of sixteen are only permitted to use our products with the consent of a parent/guardian. This also applies to processing their personal data, which is only legal if and to the extent to which the consent has been obtained by and through the parent/guardian. Otherwise use of our products is prohibited.
6.10. Data protection officer
6.10.1 Our data protection officer is available to answer all data protection questions at firstname.lastname@example.org . The data protection officer monitors ‒ independently and not bound by instructions ‒ compliance with all data protection regulations and is subject to strict statutory secrecy and confidentiality obligations.
6.10.2 The data protection officer is widely involved in all questions associated with protecting the personal data of our users. As a trained expert, he monitors our processing on an ongoing basis, informs and regularly advises the entire Harald AI team in order to ensure the best possible protection of your User Data.
6.11.1 As technology and processes in the Internet as well as data protection legislation are constantly being developed, we have to undertake changes from time to time. We will inform you of changes by appropriate means whilst granting an appropriate advance notice period and if necessary obtaining new consents.
- YOUR RIGHTS
7.1. Revocation of consents
If we process your User Data based on your consent, you may revoke the consent at any time. However, this will not affect the lawfulness of the processing before the revocation. We will continue to provide our services if they do not depend on the consent that has been revoked.
7.2. Information, correction, and restriction
7.2.1 Each user has the right to request information on the processing of their personal data. To do so, please contact us at any time at email@example.com .
7.2.3 Should some of your personal data be incorrect, you can request that your data is corrected or completed at any time. You can correct most data yourself in our apps. You have the right to restrict data processing for the duration of any investigation review that you have requested.
7.3 Deletion (“right to be forgotten”)
Each user has the right to request the deletion of their personal data. To do so, please contact us at any time at firstname.lastname@example.org.
7.4 Ability to transfer data
Finally each user has the right to request that we provide an overview of their personal data to another responsible party, if this is technically feasible.
7.5.1 If you feel we are not protecting your data protection rights adequately, please contact us at any time at email@example.com or contact our data protection officer directly at firstname.lastname@example.org. We will handle your request as soon as possible.
THANK YOU FOR YOUR CONFIDENCE IN US!