Privacy Policy
PLEASE READ THIS POLICY CAREFULLY BEFORE USING BIOTANDEM.COM SERVICES.
You must be 16 years or older to use our Services.
Protecting your privacy and personal data is very important to us. Our top priority is making our customers (the “users”) feel secure when using our products and services.
This privacy policy (the “Privacy Policy”), together with our Terms & Conditions at biotandem.com/terms-of-use, our Cookie Policy at biotandem.com/cookie-policy and any other documents referred therein, sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed. Please read this Privacy Policy carefully to understand the types of data we collect from you, how we use it, the circumstances under which we will share it with third parties, and your rights in relation to your personal data.
This Privacy Policy describes our data processing when using our website biotandem.com (the “Website”) or any service and/or product we may provide you (the “Services”).
1. Who we are
This Privacy Policy applies to any personal data processed by IOWORKS Corporation, 333 5th Avenue, 5th Floor, 10016 New York, USA being the data controller (as defined under Article 4(7) GDPR) of all processing activities in connection with the Services.
Questions, comments and requests regarding this Privacy Policy are welcome and should be addressed through our contact form here. Our data protection officer can be contacted at info@biotandem.com.
2. General overview of the data processing in connection with the Services
Before you start using our Services, you must confirm that you have read our Privacy Policy carefully, and consent to biotandem.com analyzing the personal health data you supply, for which you can find an information summary here.
This section 2 aims to give you a quick, high-level overview of the data processing activities in connection with the Services we provide you.
If you wish to read in detail all the data processing activities we undertake, we advise you to read the following section 3 relating to each specific data processing activity, and sections 4 to 9 that relate to:
- our cookies & tracking policy (section 4),
- where we store your personal data (section 5),
- when we may disclose your personal data (section 6),
- our retention policy (section 7),
- your data subjects’ rights (section 8),
- your specific rights if you are a California resident (US) (section 9), and
- our changes policy (section 10).
Information that you provide to us: we may collect and process personal data that you will be asked to provide when you:
- fill in forms on our Website, apply for a job offer or otherwise correspond with us by any available means;
- register to use our Services, subscribe to our newsletter, receive promotional emails or any other marketing materials;
- use our Services;
- report a problem with our Services; or
- complete any surveys or provide any feedback that we may use for research and improvement purposes (although it is optional, and you do not have to respond to these if you do not want to).
The information that we may ask you to provide includes, but is not limited to, your name, gender, date of birth, email address, health condition or further information required to verify your identity.
Information we collect about you: although we will not use it to identify you, we may collect the following data during each of your visits and use of our Services:
- Usage data: technical information about your device, including device-specific information such as your hardware model, operating system version, unique device identifiers, and mobile network information; details of your visits, including the full Uniform Resource Locators (“URL”) clickstream to, through and from our Services (including date and time); details of conditions and symptoms searched;
- Analytics data: your IP address, operating system and browser type; length of visits to certain pages, and page interaction information (such as scrolling, finger gestures, clicks, and mouse-overs).
If you are using our Services on behalf of a third party, you must have obtained clear permission from the individuals whose data you provide us with before sharing that data. For the avoidance of any doubt, any reference in this Privacy Policy to “your data” shall include data about other individuals that you have provided us with.
Our Website may contain links to third-party websites. If you follow a link to any of those third-party websites, please note that they have their own privacy policies and that we do not accept any responsibility or liability for their policies or processing of your personal data. Please check these policies before you submit any personal data to such third-party websites.
3. Which personal data we may collect and process, why and for how long
3.1 When you use our Website
- Types of data: IP address of the requesting device, date and time of access, name and URL of the requested file, website from which access is obtained (“Referrer URL”), browser used and, where applicable, your device’s operating system and the identity of your access provider.
- Purpose of processing: We use the above data to provide you with access to our Website, ensure that the Website can establish an internet connection smoothly and is easy to use, and to analyze system security and stability, as well as for additional administrative purposes.
- Use justification: Legitimate interest (Article 6(1)(f) GDPR). Our legitimate interest is based on the data collection purposes listed under “Purpose of processing”. We do not use the data collected for the purpose of identifying you. You are not obliged to provide the above personal data; however, you will not be able to access the Website if such personal data are not provided.
- Storage duration: Your data is removed after 15 days, unless any security-relevant event occurs (e.g. a DDoS attack). If there is a security-relevant event, server log files are stored until the security-relevant event has been eliminated and clarified in full.
3.2 When you register a user account or create a new profile
- Types of data: Name, email address and password, date, time and location of registration.
- Purpose of processing: We use the above data to provide you with a user account and access to our Services. It is not possible to access our Services if the data are not provided.
- Use justification: Contract performance (Article 6(1)(b) GDPR) / Consent (Article 9(2)(a) GDPR) for the processing of your health data.
- Storage duration: We process your data for the purposes specified above until you request deletion of your account or when you delete your account. We will further retain your data (see section 7 for more details), e.g. for the purposes of establishing, exercising or defending against legal claims and to comply with high quality and safety standards, in particular our Post-Market Surveillance obligations, but we will not process the data for any other purposes.
3.3 Health profile (biotype)
- Types of data: Gender, date of birth, body height, body weight, medical or lifestyle conditions such as smoking, increased blood pressure, diabetes, and pregnancy status.
- Purpose of processing: This feature allows you to create a comprehensive health profile ("biotype") to manage your health data in our System. "Biotype" is the sum of features that physicians should consider when deciding on an individual. We use medical guidelines as the basis of our medical knowledge. All biotype-related information is derived from medical guidelines. We process your data in order to identify and suggest to you medical information related to your conditions.
- Use justification: Consent (Article 9(2)(a) GDPR). You may revoke/withdraw your consent at any time.
- Storage duration: Your data will be stored until it is no longer required for the purpose for which it was collected. The storage duration of your data for this purpose corresponds to the period of processing in accordance with Section 3.2.
3.4 Facebook Login / Google Login
- Types of data: Facebook ID, email address (if you authorize Facebook to share the address with us), time and date of the login.
- Purpose of processing: If you choose to use and log in with Facebook or Google, we will receive the data listed above from Facebook or Google with your approval to populate your user data in the Website, and to verify your identity. Please note that if you use the Facebook login or the Google login, Facebook or Google may also process your data (Facebook ID / Google ID, metadata, some events and device metrics). We are not responsible for this data processing; you can learn more about this in Facebook’s Privacy Policy / Google's Privacy Policy.
- Use justification: Legitimate interest (Article 6(1)(f) GDPR). Our legitimate interest is to provide users who do not have an email account, or who wish to log in with their Facebook account or Google account, the option to use our Services / Contract performance (Article 6(1)(b) GDPR) / Consent (Article 6(1)(a) GDPR).
- Storage duration: The storage duration of your data for this purpose corresponds to the period of processing in accordance with section 3.2. Data processed by Facebook or Google, which we do not control if you choose to use Facebook login or Google login, may remain on Facebook’s servers or Google's servers. Should you delete your Facebook or Google account and wish to use the Website, you will be directed to sign in with an email or other login procedure.
4. Cookies and tracking on our Website
Our Website uses so-called “cookies”. Cookies are text files that are stored in the Internet browser or by the Internet browser on your device (computer, tablet, or phone). We use the term “cookies” to refer to all tools that collect data on our Website (e.g. IP addresses, place and time of the visit). Your data collected in this way is pseudonymized, and is not stored together with your other personal data. This processing is carried out on a legal basis and, where required by law, based on your consent.
For detailed information on the cookies we use, the purposes for which we use them and to manage your Cookie preferences, see our Cookie Policy.
5. Where do we store your personal data
The personal data that we collect from you is stored in the USA on Azure cloud services of Microsoft Corporation, a company with its offices at One Microsoft Way, Redmond, WA 98052, United States.
Sensitive information between your browser and our Website is transferred in encrypted form using Hypertext Transfer Protocol Secure ("HTTPS"). When transmitting sensitive information, you should always make sure that your browser can validate our certificate.
Please contact us if you would like further details.
6. Disclosure of your personal data
This section will be completed later.
7. How long do we retain your personal data
We will hold your personal data for as long as it is necessary or required by law or by any relevant regulatory body, and always in compliance with the data minimization principle. Specific storage periods for the respective processing activities are detailed in section 3 above.
If your personal data is used for more than one purpose, we will retain it until the purpose with the longest period expires, but we will stop using it for the purpose with the shorter period as soon as the shorter period expires (to comply with the purpose limitation principle). We restrict access to your personal data to the persons who need to use it for the relevant purpose(s), always in compliance with the integrity and confidentiality principle.
After the processing of your data is no longer necessary for the purposes outlined in section 3 or your account is deleted (see section 3.2) we will securely and separately store some of your data in accordance with statutory retention obligations applicable to us and reasonable business needs.
We will retain accounting data in accordance with the commercial and tax law storage obligations of three or seven years.
We will retain data (incl. health data) in relation to your use of our Services for three or ten years in accordance with our business needs for the purposes of establishing, exercising or defending against legal claims.
If the processing of your personal data is no longer necessary for any purpose it is either irreversibly anonymized (and the anonymized data may be retained), or securely erased.
8. Your data subject’s rights
Under GDPR you have various rights in relation to your personal data (as listed below). All of these rights can be exercised by contacting us via our contact form, by selecting “Exercising My Data & Privacy Rights”.
Verification: in order to verify your request, we will take reasonable steps such as asking you to send us a confirmation from the email address associated with your account, so that we can verify that you are the owner of this email account. If there is no email address associated with your account, we may ask you for proof of ID.
- Right to withdraw consent: Where the processing of your data relies on your prior consent, you have the right to withdraw such a consent at any time by notifying us here. By withdrawing your consent, the lawfulness of the processing based on consent up until the point of withdrawal will not be affected.
- Right to object: You have a right to object under the conditions of Article 21 GDPR. Below you will find more detailed information:
  - Right to object where the processing is based on legitimate interests: As a data subject, you have the right to object on grounds relating to your particular situation, at any time, to the processing of your personal data which is based on Article 6(1)(e) or (f) GDPR, including profiling based on those provisions. In the event of an objection relating to your particular situation, we will no longer process your personal data, unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defense of legal claims.
  - Right to object to direct marketing: Where your personal data are processed for direct marketing purposes, you have the right to object at any time to processing of your personal data for such marketing, which includes profiling to the extent that it is related to such direct marketing. If you object to processing for direct marketing purposes, we will no longer process your personal data for these purposes. To exercise your rights of objection, you may reply by email to the direct marketing email you receive from us, or contact us at any time here.
- Right to be informed: As a data subject, you have a right to obtain access and information under the conditions provided in Article 15 GDPR. This means in particular that you have the right to obtain confirmation from us as to whether we are processing your personal data or not. If so, you also have the right to obtain access to the personal data and the information listed in Article 15(1) GDPR. This includes information regarding the purposes of the processing, the categories of personal data that are being processed, and the recipients or categories of recipients to whom the personal data have been or will be disclosed.
- Right to erasure / ‘Right to be forgotten’: As a data subject, you have a right to erasure (“right to be forgotten”) under the conditions provided in Article 17 GDPR. This means that you generally have the right to obtain from us the erasure of your personal data, and we are obliged to erase your personal data without undue delay when one of the reasons listed in Article 17(1) GDPR applies. You can do this by deleting your account in the Website at any time. If we have made the personal data public and are obliged to erase it, we are also obliged, taking account of available technology and the cost of implementation, to take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you have requested the erasure by such controllers of any links to, or copy or replication of, those personal data (Article 17(2) GDPR). By way of exception, the right to erasure (“right to be forgotten”) does not apply if the processing is necessary for one of the reasons listed in Article 17(3) GDPR. This can be the case, for example, if the processing is necessary for compliance with a legal obligation or for the establishment, exercise or defense of legal claims (Article 17(3)(b) and (e) GDPR).
- Right to restriction of processing: As a data subject, you have a right to restriction of processing under the conditions provided in Article 18 GDPR. This means that you have the right to obtain from us the restriction of processing if one of the conditions provided in Article 18(1) GDPR applies. This can be the case, for example, if you contest the accuracy of the personal data. In such a case, the restriction of processing lasts for a period that enables us to verify the accuracy of the personal data (Article 18(1)(a) GDPR). Restriction means that stored personal data are marked with the goal of restricting their future processing (Article 4(3) GDPR).
- Right to data portability: As a data subject, you have a right to data portability under the conditions provided in Article 20 GDPR. This means that you generally have the right to receive the personal data you have provided to us in a structured, commonly used and machine-readable format, and to transmit those data to another controller without hindrance from us, where the processing is based on consent (pursuant to Article 6(1)(a) or Article 9(2)(a) GDPR) or on a contract (pursuant to Article 6(1)(b) GDPR), and where the processing is carried out by automated means (Article 20(1) GDPR). In exercising your right to data portability, you also generally have the right to have your personal data transmitted directly from us to another controller where technically feasible (Article 20(2) GDPR).
- Right to rectification: As a data subject, you have the right to rectification under the conditions provided in Article 16 GDPR. This means in particular that you have the right to obtain from us, without undue delay, the rectification of inaccuracies in your personal data and the completion of incomplete personal data.
- Right to complain: As a data subject, you have a right to lodge a complaint with a supervisory authority under the conditions provided in Article 77 GDPR.
Asking us to stop processing your personal data, or to delete your personal data, will likely mean that you are no longer able to use our Services, or at least those aspects of the Services which require the processing of the types of personal data you have asked us to delete.