Privacy Notice

This privacy notice took effect 30th June 2025.
To see previous privacy notices, please write to hello@hedia.com

Service User Privacy Notice

The Privacy Notice details the organisation’s acquiring, using and sharing of personal data for the delivery of its services alongside its commitment to ensuring the privacy and security of this data. It is drafted to be public-facing and to support the requirements around transparency and accountability for the use of individuals’ data.

Contents

  1. Introduction

  2. The purposes we are processing your information for and why we are lawfully able to do this

  3. Source and recipients of personal data 

  4. Keeping your data secure 

  5. International Transfers 

  6. Retention 

  7. Automated decision-making or profiling 

  8. Your Rights 

  9. Data Protection Officer 

  10. Links to other websites 

  11. How to make a complaint 

  12. Changes to the Privacy Notice 

1. Introduction

This privacy notice covers the use of Hedia ApS’ products in the European Union (EU) countries and the United Kingdom (UK).

The processing of your personal data is carried out by Hedia ApS under the framework provided by the UK and EU General Data Protection Regulation 2016/679/EU (GDPR) and the Data Protection Act 2018 (UK legislation).

Hedia is registered in Denmark in the EU under company registration number 37664618 and our registered office is located at Emdrupvej 115A, 3, København NV, 2400, Denmark. For the purposes of applicable data protection legislation Hedia ApS is the data controller for the personal data we process, as described in this privacy notice unless otherwise stated.

Our Data Protection Officer is 8foldGovernance Ltd (company registration number 12085647) and can be contacted at dpo@hedia.com.

To enable us to offer services that process personal data in the UK we have registered with the Information Commissioner’s Office (ICO) under registration no. ZB422562 and engaged 8foldGovernance (a provider of consultancy services, specialising in information governance) to also act as our UK representative. 8foldGovernance is registered with the ICO with registration no. ZA546326.

This privacy notice tells you what you can expect from us with regard to the collecting, storing and use of your information. It explains in detail:

  • the purposes we are processing your information for and why we are lawfully allowed to do this;

  • where we obtain your information from and whether there are other recipients of your personal information;

  • whether we intend to transfer it to another country;

  • how long we store it for;

  • whether we do automated decision-making or profiling;

  • your rights in relation to this data; and

  • who the Data Protection Officer is and contact details for them.

2. The purposes we are processing your information for and why we are lawfully able to do this

We may collect, use, store and transfer different kinds of personal data about you which we have set out in the table below, together with the legal basis which we rely on for such processing and the purpose for which we process that personal data.

| User Type | Categories of Personal Data | Legal Basis for Processing | Purpose of Processing |
| --- | --- | --- | --- |
| Service Users | Invitation to try out Hedia from your local healthcare provider | Public function | Provision of health and/or social care |
| Service Users | Personal information and health data for service user management, complaint handling and support of the Hedia App | Public function | Compliance with Medical Device Directives and Regulations. Provision of health and/or social care. |
| Service Users | Personal and health data needed to provide service, e.g. data for insulin calculation | Consent; Public function / Necessity for providing health services | Provision of health and/or social care. Compliance with Medical Device Directives and Regulations. |
| Service Users | Personal and health data transferred between (HDA) App and connected devices or third party services, e.g. CGM devices | Explicit consent | Provision of healthcare and diabetes-related services, including connecting devices or services to the App (e.g., to minimize manual data entry or to support sharing of App data with healthcare professionals). |
| Service Users | Usage Data in the App, including information about how you use the App and our services and which pages you visit | Consent; Public function / Necessity for providing health services; Legitimate Interests | Provision of healthcare and diabetes services. Security, fraud prevention and detection. Improving the functionality of our services. Service improvements and quality management. Compliance with Medical Device Directives and Regulations. |
| Service Users | Technical data including internet protocol (IP) address, your login data, device type, operating system, browser type and version, time zone, setting and location, browser plug-in types and versions, operating system and platform and other technology on the device you use to access the (HDA) App | Legitimate Interests | Provision of healthcare and diabetes services. Security, fraud prevention and detection. Improving the functionality of our services. Service improvements and quality management. Compliance with Medical Device Directives and Regulations. |
| Service Users | Personal and health data for scientific research and statistics | Explicit consent | We wish to contribute to scientific research in diabetes. We invite our users to contribute with their personal data to scientific research projects. In compliance with ethical scientific standards, medical and GDPR consents will be obtained for this purpose specifically. |
| Service Users | Newsletters – optional | Explicit consent | Information or news about our products and services and invitations to surveys and other marketing activities. Newsletters may also contain relevant information and invitations from carefully selected partners. It is optional for you to subscribe to these newsletters, and you can revoke your consent via the “Unsubscribe” link in the newsletter emails or in your user account settings. |
| Service Users | Pseudonymised Data – we may use pseudonymised data to assist us in investigating data discrepancies in the App | Public function / Necessity for providing health services | Provision of healthcare and diabetes services. Security, fraud prevention and detection. |
| Service Users | Aggregated (Anonymised) Data – we may use and share anonymised data, such as statistical data, for any purpose. Aggregated (Anonymised) data may be derived from your personal data but is not personal data as this data does not identify you | N/A | Statistical analysis and reporting to improve our services. Service improvements and quality management. Compliance with Medical Device Directives and Regulations. |
| Service Users | Personal information and health data – optional | Explicit consent | Research e.g. invitations for interviews, aggregated analysis or product feature development. |
| Healthcare Provider Staff | Staff name | Necessity for performance of a contract | Provision of the Hedia Service and User support. |
| Healthcare Provider Staff | Work email addresses | Necessity for performance of a contract | Provision of the Hedia Service and User support. |
| Healthcare Provider Staff | Work contact number | Necessity for performance of a contract | Provision of the Hedia Service and User support. |
| Service Providers | Staff name | Necessity for performance of a contract | Support the Hedia Service. |
| Service Providers | Work email addresses | Necessity for performance of a contract | Support the Hedia Service. |
| Service Providers | Work contact number | Necessity for performance of a contract | Support the Hedia Service. |

In line with these purposes, the information used is health data and classified as special category data in data protection law. It is also subject to a common law duty of confidentiality (UK legislation).

There are therefore defined processing conditions that allow the use of this information, and those applicable to its use by Hedia ApS are set out below.

Under data protection law the following lawful bases apply to the processing of personal data:

  • GDPR Article 6(1)(e) – ‘processing is necessary for the performance of a task carried out in the public interest…’

    • For the processing of personal data by Hedia ApS which enables or supports the delivery of diabetes services

Under data protection law the following lawful bases apply to the processing of special categories of personal data:

  • GDPR Article 9(2)(h) – ‘processing is necessary for preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems’

    • For the processing of special category personal data by Hedia ApS which enables or supports the delivery of care services

For users in the UK, the following lawful bases under the common law duty of confidentiality apply:

  • The data subject has consented to the services and the sharing of their data for the purposes of ascertaining the service.

3. Source and recipients of personal data

Hedia ApS collects personal data directly from service users who agree to use the service and providers of Health and Social Care services.

We will not ordinarily or routinely share any of your personal data with any third party unless we have a lawful reason for doing so.

We may share aggregated (anonymised) data with our commercial partners in support of the service.

4. Keeping your data secure

We will use a combination of technical and organisational measures to safeguard your personal data retained within the HDA, for example: we store your personal data on secure encrypted servers. We also expect you to keep your data secure should you choose to export or transfer it, as mentioned in section 7 of our terms and conditions.

While we will use all reasonable efforts to safeguard your personal data, you acknowledge that the use of the internet is not entirely secure and for this reason, we cannot guarantee the security or integrity of any personal data that is transferred from you or to you via the internet.

5. International Transfers

Personal and Special Category Data will be stored within the European Economic Area (“the EEA”). (The EEA consists of all EU member states, plus Norway, Iceland, and Liechtenstein.)

With any transfers (domestic or international) of personal data Hedia employs both technical and organisational measures to ensure the security of personal data and respect for the principle of data minimisation including pseudonymisation and anonymisation. Any transfers will be completed in line with the relevant legislation.

6. Retention

We retain your personal data in accordance with EU and UK national retention guidelines in our server logs, our databases, and our records for as long as necessary to provide our services to you.

We may need to retain some of your information for a longer period, such as in backup records, or in order to comply with our legal or regulatory obligations, to resolve disputes or defend against legal claims.

Where we anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, we may use this information indefinitely without further notice to you.

7. Automated decision-making or profiling

We do not undertake any automated decision-making or profiling in relation to your personal data.

8. Your Rights

Under data protection law, you have the following rights to your information:

  • Your right of access – You have the right to ask us for copies of your personal information.

  • Your right to rectification – You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.

  • Your right to erasure – You have the right to ask us to erase your personal information in certain circumstances.

  • Your right to restriction of processing – You have the right to ask us to restrict the processing of your personal information in certain circumstances.

  • Your right to object to processing – You have the right to object to the processing of your personal information in certain circumstances.

  • Your right to data portability – You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.

In order to take up any of these rights you should contact our Data Protection Officer by emailing: dpo@hedia.com

9. Data Protection Officer

Under data protection law Hedia ApS is required to have a Data Protection Officer (DPO).

Contact them by emailing: dpo@hedia.com

10. Links to other websites

Our website and App may contain links to other websites. This privacy notice applies only to our website and App (www.hedia.com) so when you visit other websites please read their privacy notices, as we cannot accept any responsibility for breaches or issues you may have in relation to data privacy once you leave our site.

11. How to make a complaint

We strive to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we may receive about this very seriously. We encourage you to contact us at dpo@hedia.com if you think that any collection or use of your personal data by us is unfair, misleading or inappropriate.

If you make a complaint to us and think we have not dealt with it to your satisfaction, you have the right to make a complaint to your local supervisory authority.

  • For UK data subjects the supervisory authority is the Information Commissioner’s Office (ICO). Please see the ICO’s website for more information: www.ico.org.uk.

  • The Danish Data Protection Agency (DPA) is the supervisory authority for Danish data subjects. You can contact the DPA by emailing dt@datatilsynet.dk or by post at Datatilsynet, Carl Jacobsens Vej 35, 2500 Valby, Denmark or by phone at +45 33 19 32 00.

  • For other EU data subjects, a full list of EU supervisory authorities is available here.

12. Changes to the Privacy Notice

We keep our privacy notice under regular review. If we change our privacy policy we will post the changes on this page, so that you may be aware of the information we collect and how we use it at all times.