PRIVACY POLICY

1. Which Personal Data we collect from our Users

We only collect Personal Data from our Users that are adequate, relevant and limited to what is necessary for the provision of our Services and other Purposes provided in this Privacy Policy.

All fields of our data collection forms are necessary for us to provide the Services.

The non-communication of such data to SocialDiabetes determines the impossibility of providing and using the Services adequately.

Need of the Personal Data of our Users

We use your Personal Data to render the Services and for the other Purposes described in this Privacy Policy

We collect both Personal Data as such and general data. Personnel include health data. We obtain for example the glucose readings either automatically by connectivity with a glucometer or continuous meter or because it is entered manually by the User.

Users also enter the carbohydrates they eat, or the medication they take.

We can read parameters of activity wristbands, GPS devices or other devices with similar functionalities.

In reference to the permissions used by the applications, we need the ACCESS_BACKGROUND_LOCATION and ACCESS_FINE_LOCATION permissions. Both permissions are necessary for the correct functioning of the Bluetooth devices that connect to the application, such as glucometers, blood pressure meters, scales, thermometers, smart insulin pens, since without them it is not possible to connect or receive data. Specifically ACCESS_BACKGROUND_LOCATION is used when the application is in BACKGROUND or the application is in the background and is not active, when the app is closed or when the app is not in use. Without this permission, the correct reception of data is not guaranteed in this case. Under no circumstances is the physical location of the user obtained, the permission mentioned is only used for the connection with Bluetooth devices.

In this document you can consult the updated list of Personal Data that we collect from our Users when they register and use the Services either via the Website and/or the Application.

Examples

2. Purposes: for which the Personal Data of our Users are intended

By registering as a User, you will become part of the most important online community in the world of diabetes and allow the scientific community, such as, for example, researchers, doctors, clinics and hospitals, among other purposes for the evaluation, management and follow-up of certain guidelines related to diabetes, as well as researching and advancing the treatment of diabetes and improving the lives of these people through the preparation of statistical reports.

For that purpose, SocialDiabetes will use your data, once they have been pseudonymised, so that they can no longer be attributed to you and always anonymously be added to the anonymous data of other registered Users.

Likewise, registration as a User will allow you to synchronize your data in a secure environment to make and maintain a backup of them that allows you to store and retrieve the data at any time and from any device that allows it.

Access to the SocialDiabetes community

Investigators, physicians, clĂ­nics and hospitals

Your data pseudonymised, aggregate and anonimised

Secure environment and backup of your data, always accessible online

We use the Personal Data of our Users only with the following Purposes:

provide and improve the Services;

anage the use of the Services;

promote products or services of SocialDiabetes or third parties among our Users, including by email (unless they are not interested in such type of communications, which can be configured by the User in their User Profile);

send our Users information or news related to the Website or the SocialDiabetes Application by any means, including electronic mail (unless they are not interested in such type of communications, which can be configured by the User in their User Profile);

we can use the Personal Data of our Users for their exploitation for purposes related to diabetes research, at the request of any of the Third Recipients;

edit and publish the testimonials of our Users about their personal experiences in relation to the use of the Services, the Website and the Application;

draw macro conclusions such as clinical impact due to the use of the Website and the Application, statistics, etc., and draw general conclusions based on the data provided by Users and prepare statistical reports, and publish said conclusions in magazines, posters, congresses or on our Website or social networks.

Purposes

Once registered, regardless of the device they use to access SocialDiabetes, Users may voluntarily and freely send SocialDiabetes through the means that are made available to them testimonials about their personal experiences in connection with the use of the Services and the Platform indicating their name and surname, and place of residence for its subsequent publication on the Website. In the event that Users choose to send their testimonials to SocialDiabetes, it is understood that they expressly authorize SocialDiabetes to publish said contents together with their names, surnames, and places of residence.

Users can also access forums, in which, after selecting an alias, they can hold online conversations and exchange opinions related to diabetes with other members of the forums. In no case will any information or personal data other than the alias of any other User be available in the forums. With the voluntary and optional publication of said contents in the forums using the tools that the Platform puts at your disposal, you know and accept that they may be accessible by other Users.

The User is solely responsible for the content that contributes to the testimonial space and the forums. SocialDiabetes does not carry out any control over the content provided by Users.

The User warrants to SocialDiabetes that the User is the sole and exclusive owner of the rights inherent to the content the User contributes to the testimonial space or the forums, or that the User has the necessary authorization and permissions of the legitimate holders of said rights.

The User grants to SocialDiabetes, a non-exclusive, indefinite, global, free, transferable, and sublicensable license on all Intellectual Property rights and any other rights on the contents of the registered Users that they publish in the testimonial and forums spaces.

SocialDiabetes reserves the right to use the anonymous contributions made by all Users in the testimonial space, or in the Platform, in order to promote the Services through, for example, the insertion of advertisements in different media or the publication of books.

SocialDiabetes reserves the right to remove links to any website that Users place in the testimonial spaces or in the forums of the Platform, if at the discretion of SocialDiabetes the activities developed in these forums by the Users or the contents thereof are illegal or infringe the rights of third parties, or in case SocialDiabetes is required to do so by virtue of a judicial decision, an arbitral award, or an administrative order.

Testimonials and Forums

Online chats with other members of the SocialDiabetes community

The User is responsible for those testimonials contributed

Warranties of the User for the testimonials and contents contributed

SocialDiabetes may also use the data provided by Users in order to draw general conclusions based on such data and prepare statistical reports and improve our Services. For the elaboration of the aforementioned reports, the data will be processed in an aggregated form, so they will always be used anonymously and without elements that allow identifying the User who provides such data. Therefore, identifying data such as user, email account, name and surname of any User will not be included in said statistical reports.

Statistical Reports

Likewise, SocialDiabetes may send Users electronic communications to their email address, inviting them to participate, if they voluntarily chose to do so, in Questionnaires, Surveys, and Investigation Studies in order to extract data and conclusions that allow progress in diabetes research.

Your participation in said Questionnaires, Surveys and Investigation Studies is entirely voluntary and optional. In the event that you choose to participate, your participation will be subject to our Privacy Policy and the privacy policies of the third party organizers of the respective Questionnaires, Surveys and Investigation Studies and you will be able to know and, if applicable, if you so choose voluntarily, accept or reject said privacy policies prior to your participation.

Questionnaires, Surveys and Investigation Studies

3. Third Recipients: with whom we share the Personal Data of our Users

By registering for the Services, the User agrees that their Personal Data may be transferred by SocialDiabetes to the following Third Recipients, for the Purposes:

Relatives or doctors previously registered as SocialDiabetes Users and with the prior consent/invitation from the User

Public or private research centers

Pharmaceutical and/or biotechnology companies, such as manufacturers of medical devices (such as glucometers with which the Platform is connected) and with which SocialDiabetes may have collaboration or similar agreements; in these cases, the User's data relating to their health is shared or transferred to the Recipient in an aggregated and anonymized manner, and in other cases we may use identifying information (not health) of a User, for example at the request of a manufacturer of medical device with whom we are connected in order to send the User an e-mail offering the products or services of said manufacturer with a discount, and in general to make our own or third-party promotions to our Users

Health insurers authorized by the User: some insurers are proposing to their clients the use of SocialDiabetes (for example to obtain a reduction in the annual fee)

Healthcare providers and hospitals, with authorization from the patient User

Third party purchasers of all or a substantial part of the assets, shares or business of SocialDiabetes through sale, merger or otherwise

SocialDiabetes affiliates

Competent authorities (judicial or administrative) in the event that we receive a mandatory requirement, in which case we would only reveal the information strictly necessary to comply with said requirement, to ensure adequate confidentiality, and in any case we would inform the User properly

Apart from the cases indicated above, your data will not be transferred to any third party without your prior and express approval.

Third Recipients

Previously registered parents and physicians

Investigation centers

Pharma and biotech companies

Health insurers

Healthcare providers and hospitals

SocialDiabetes affiliates

Competent authorities

Users expressly accept that the Doctors they invite to be their Doctors in the Platform, once these Doctors have accepted the invitations, have access to the data provided by the Users to SocialDiabetes in order that the professionals can follow up and monitor the Users, and give them the advice that the Doctors deem appropriate during the term that each User decides.

In order for Users to send the invitations indicated in the preceding sections to the Doctors of their choice, said Doctors must have previously provided their emails to those Users who had selected them freely, voluntarily and without any intervention of SocialDiabetes.

Your Doctor can access to your data if you invite him/her and accepts to belong to the SocialDiabetes community

The Doctor shares his/her email with you previously, without any intervention by SocialDiabetes

Doctors can only use the data of the Users who have selected them as their Doctors in order to be able to monitor and supervise those Users, and to give them the advice that Doctors deem appropriate during the term that each User decides.

With the acceptance by the Doctor of the User's invitation, the Doctor expressly authorizes SocialDiabetes to share the Doctor's personal data, consisting of email, name and surname with the User whose invitation to be their Doctor has accepted, for the purpose indicated in this section.

The Doctor uses your data for your follow up and medical advice

If the Doctor accepts your invite and registers in SocialDiabetes, he/she accepts that we share your data with you

In any case, the Personal Data of the Doctors will not be disclosed by SocialDiabetes to any third party other than the Users who have invited those Doctors to be their Doctors in the Platform and whose invitation they have accepted, without the prior express consent of the Doctors themselves.

Both the Users and the Doctors may add or disaggregate Doctors or Users, respectively, at any time.

Add or disaggregate Users or Doctors at any moment

We only carry out international transfers of the Personal Data of our Users in the cases permitted by the Law Applicable to the User Agreement, and always ensuring that the level of protection of the Users guaranteed by said Applicable Law is not undermined.

In particular, SocialDiabetes may make transfers of Personal Data of Users, for the Purposes, to Recipients located in third countries in the following cases:

a) Adequacy decisions by the European Commission confirming that these countries ensure an adequate level of protection.

For example, the USA is considered within the previous section according to the Privacy Shield.

b) Standard data protection clauses adopted by the European Commission and by the Spanish Data Protection Agency.

SocialDiabetes uses such standard clauses as far as possible in its contracts with the Recipients of the Personal Data of our Users.

c)In other cases, we can also transfer Personal Data to Recipients located in third countries:

with the coverage of adequate contractual clauses, with authorization from the competent authority; or

with the explicit consent of the User, to whom we will previously inform of the possible risks; or

when the transfer is necessary for the execution of the User Agreement; or

when the transfer is necessary for the execution of a contract between SocialDiabetes and a third party, in the interest of the User; or

when the transfer is necessary for the formulation, exercise or defense of claims; or

when the transfer is necessary to protect the vital interests of the User and that the User is physically or legally incapable of giving his/her consent; or

In any other cases as permitted by the Law Applicable to the User Agreement at any time.

International transfers of the Personal Data of our Users

4. Consent, confidentiality, retention, security, anonymized use and Open Data

By voluntarily providing your Personal Data or using the Services or the Platform, Users expressly and explicitly consent to the processing of your Personal Data, including those data concerning health, by SocialDiabetes in order to manage the use of the Services. of SocialDiabetes, and the functionalities of the Platform, as well as for the other Purposes foreseen in this Privacy Policy.

The use of our Services, Website and/or Application implies your consent as User for us to process your Personal Data for the Purposes

The data are entered manually by the User, including by physicians (remotely through the Platform) or are automatically read from devices of third-party manufacturers freely selected by the Users under their responsibility.

How we collect the data of our Users

The Personal Data of our Users are confidential and SocialDiabetes is fully committed to their protection and preservation.

For more information about the security measures that SocialDiabetes applies to the data, consult our Security Policy.

Confidentiality and Security of the Personal Data of our Users

We keep the Personal Data of the Users while the User Agreement is in force and, once expired or terminated for any reason, during the period necessary for the management of any aspect related to the contractual relationship maintained, taking as reference the legal terms for possible liability actions in accordance with the Law Applicable to the User Agreement and other terms derived from said regulations, as well as during the periods necessary to comply with our legal obligations, such as those of an accounting or tax nature, or during the term necessary to comply with our contractual obligations and/or to exercise our rights in relation, for example, to our liability insurance policies.

Retention periods

SocialDiabetes is fully committed to the fundamental right of our Users to the protection of their Personal Data in relation to their processing by SocialDiabetes.

Users can exercise their Privacy Rights by addressing their requests, free of charge, to SocialDiabetes through any of the User's Communication Channels.

Users' Privacy Rights

In all cases in which the User Agreement, this Privacy Policy or our Security Policy refers to an anonymous, aggregate or pseudonymized use of the Users' data, either for any of the Purposes and/or for its disclosure to any of the Third Recipients, this means that the User's data will be processed in an aggregated manner, so they will always be used anonymously, without identifying and without elements that allow the User to be identified. Therefore, in such cases no identifying data will be included as User, email account, name and surname of any User.

Anonymized, Aggregate or Pseudonymised use of the data of the Users

Users can set up their data in their User Profile.

Data always belong to our Users, with universal access, without conditions or tolls. As proof of our commitment in this regard, we make the data available to the User through Application Programming Interfaces (APIs) so that Users can use their data as they freely decide based on their ownership of them and the corresponding rights of exploitation within the limits established by Law.

Set up your own data

Open data

5. Which are your Privacy Rights as User of SocialDiabetes and how to exercise them

According to the Law applicable to the User Agreement, our Users have the right to request from SocialDiabetes access to and rectification or erasure of Personal Data or restriction of processing concerning the User and to object to processing as well as the right to data portability. In addition, Users have the right to withdraw their consent to processing their Personal Data at any time, and the right to lodge a complaint with the Spanish Data Protection Agency or any other competent supervisory authority.

Your Privacy Rights

In most cases, such as for the update of your data, or your preferences, Users can exercise their Privacy Rights both through the Website, and through the Application, accessing your User Profile.

Manage at any time your data in your User Profile

Additionally, SocialDiabetes makes available to Users several User Communication Channels for the exercise of their rights and to make recommendations and/or request information or raise questions of all kinds.

For all this, you can address your requests:

to our User Customer Service

or directly to our Privacy Office

Communication Channels with SocialDiabetes for privacy questions

To facilitate the identification of the applicant and comply with the Applicable Law, we may require the User to attach a copy of their Identity Card, passport or any equivalent identification document.

In order to preserve your rights, we need you to identify yourself

In addition, SocialDiabetes has designated a Data Protection Officer responsible to monitor compliance with the applicable Law on privacy and data protection of the Personal Data of our Users.

SocialDiabetes Data Protection Officer

6. Cookies and data analytics tools

The SocialDiabetes Platform uses automatic data collection systems not directly provided by the User, called cookies and other data analysis and processing tools.

Cookies are files installed on the hard disk of the User's computer or mobile device or in the browser's memory in the folder preconfigured by the operating system of the computer, to identify said computer or device. Although they do not contain comprehensible information, they allow to associate the identity of the User with the Personal Data that they leave in the Platform. Learn more about the cookies SocialDiabetes uses here.

Only SocialDiabetes can process and/or manage the information collected and obtained through the aforementioned cookies and tools.

We only process the information obtained from cookies and data analytics tools anonymously and aggregate, creating user profiles based on the content they visit, type of devices used, cities of origin and gender, with the sole purpose of optimizing the Services in relation to the specific requirements and preferences of the Users derived from their use of the Platform.

Upon entering the SocialDiabetes Website, Users are giving their consent to the installation on their hard drive of the aforementioned cookies and the use by SocialDiabetes of the data analytics tools. If Users do not want a cookie to be installed on their hard disk, they shall set up their internet browsing program to deactivate them.

Cookies and data analytics tools

7. SocialDiabetes' Liability

SocialDiabetes' liability is subject to certain limitations and exceptions you can check in this section of the User Agreement.

8. Jurisdiction

Any dispute regarding the Services and/or the use of the Platform by the User, as well as any question that may arise about the interpretation, application and compliance with this User Agreement will be subject to the exclusive jurisdiction of the Courts and Tribunals of the City of Barcelona (Spain).

Jurisdiction

9. Applicable Law

As a Spanish company, SocialDiabetes is subject to Laws of Spain as enforceable at any time, which apply to the User Agreement, including our Privacy Policy and our Security Policy, and the provision and use of the Services, and/or the Website, and/or the Application.

Applicable Law

10. Definitions

All terms in capital letters in this Privacy Policy shall have the meaning set forth in the Definitions section of the User Agreement.

Definitions

SECURITY POLICY

1. Warranty of security of the Personal Data of our Users appropriate to the risks

SocialDiabetes ensures the integrity and confidentiality of the Personal data of our Users, according to the User Agreement Applicable Law and this Security Policy.

In line with the above, we implement appropriate technical and organizational measures to ensure an appropriate security of the Personal Data of our Users, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.

Warranty of integrity and confidentiality

In particular, SocialDiabetes undertakes to adopt the measures provided for in Regulation (EU) 2016/679 of April 27, 2016 (General Data Protection Regulation) and the User Agreement Applicable Law.

Taking into account the state of the art, the costs of implementation and the nature, scope, context and Purposes of processing of the Personal Data of the Users, as well as the risk of varying likelihood and severity for their rights and freedoms, SocialDiabetes shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, inter alia, as appropriate:

a) the pseudonymisation and encryption of the Personal Data;

b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

c) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;

d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

Warranty of appropriate security measures

Taking into account the state of the art, the cost of implementation and the nature, scope, context and Purposes of processing of the Personal Data of our Users, as well as the risks of varying likelihood and severity posed for them by the processing, SocialDiabetes implements, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement in an effective manner data-protection principles, such as data minimisation, and to integrate the necessary safeguards into the processing in order to meet the requirements of the User Agreement Applicable Law and protect the rights of Users.

We implement appropriate technical and organisational measures for ensuring that, by default, only Personal Data which are necessary for each specific Purpose of the processing are processed.

The above applies to the amount of Personal Data we collect, the extent of their processing, the period of their storage and their accessibility. In particular, such measures ensure that by default Personal Data are not made accessible without the individual's intervention to an indefinite number of natural persons.

Warranty of data protection by design and by default

Where a type of processing in particular due to new functionalities of our Platform or using other new technologies in providing the Services, and taking into account the nature, scope, context and Purposes of the processing, is likely to result in a high risk to the rights and freedoms of our Users, we will, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of Personal Data of our Users, and we will implement the appropriate measures to ensure compliance with the User Agreement Applicable Law.

Warranty of data protection impact assessment regarding the Personal Data of our Users

In cases of data breach affecting the Personal Data of our Users, SocialDiabetes undertakes to notify the data breach to the competent authorities and to communicate the data breach to the Users, when necessary according to the User Agreement Applicable Law and within the deadlines established therein.

Warranty of information in cases of Personal Data breach

We keep the Personal Data of the Users while the User Agreement is in force and, once expired or terminated for any reason, during the period necessary for the management of any aspect related to the contractual relationship maintained, taking as reference the legal terms for possible liability actions in accordance with the Law Applicable to the User Agreement and other terms derived from said regulations, as well as during the periods necessary to comply with our legal obligations, such as those of an accounting or tax nature, or during the term necessary to comply with our contractual obligations and/or to exercise our rights in relation, for example, to our liability insurance policies.

Warranty of storage limitation regarding the Personal Data of our Users

Without prejudice to their retention in the cases described in the previous section, we proceed to the erasure of the Personal Data of our Users when the same cease to be necessary for the fulfillment of the Purposes for which they were collected or treated, or at the request of the Users in exercise of their rights, or when required by a mandatory Law.

Warranty of erasure and destruction of the Personal Data of the Users

2. Our information systems

The Personal Data of our Users are stored on Google Cloud servers.

SocialDiabetes takes the necessary measures to ensure that our services providers who need access to the Personal Data of our Users can only process such data following the instructions of SocialDiabetes and the User Agreement Law Applicable.

Storage systems and services for the Personal data of our Users

All communications of the SocialDiabetes Platform are secure (SSL protocol and encrypted).

Secure communications

3. Rights and responsibilities of the Users

Users can synchronize their data in a secure environment to make and maintain a backup of them that allows them to store and retrieve data at any time and from any device that allows it.

Synchronize your Personal Data and access them at any time and from any device

SocialDiabetes shall not be liable for the incidents affecting the Personal Data as a result of an attack or unauthorized access to the systems in such a way that it is impossible to detect by the security measures implemented, or to a lack of diligence on the part of the User regarding the use of the Services or the Platform, as applicable, in connection with their obligation to preserve and keep their User name and access codes or their own Personal Data.

User responsibility in using the Services and preserving their access codes

Users shall keep their password under their exclusive responsibility in the strictest and absolute confidentiality. Any damages or consequences of any kind derived from the breach or disclosure of the secret will be assumed by the Users.

The password may be modified at any time by the User. Users agree to notify SocialDiabetes through any of the User's Communication Channels as soon as they become aware of any unauthorized use of or access to their password by third parties.

Passwords

For further details or for any doubt related to this Security Policy you can contact SocialDiabetes through any of the User Communication Channels.

Passwords

4. SocialDiabetes' Liability

SocialDiabetes' liability is subject to certain limitations and exceptions you can check in this section of the User Agreement.

5. Jurisdiction

Any dispute regarding the Services and/or the use of the Platform by the User, as well as any question that may arise about the interpretation, application and compliance with this User Agreement will be subject to the exclusive jurisdiction of the Courts and Tribunals of the City of Barcelona (Spain).

Jurisdiction

6. Applicable Law

As a Spanish company, SocialDiabetes is subject to Laws of Spain as enforceable at any time, which apply to the User Agreement, including our Privacy Policy and our Security Policy, and the provision and use of the Services, and/or the Website, and/or the Application.

Applicable Law

7. Definitions

All terms in capital letters in this Security Policy shall have the meaning set forth in the Definitions section of the User Agreement.

Definitions