Terms and Conditions for your use of the Hedia Diabetes Assistant
Your use of the Hedia Diabetes Assistant (the “Application”) is governed by this agreement entered into between you and Hedia ApS CVR 37664618, Emdrupvej 115, 3. floor, 2400 København NV (the “Application Provider”).
1.1 Please read the following information carefully. By clicking “Agree” in the Application, you agree to the following terms and conditions:
2.1 Subject to the terms and conditions of this agreement, the Application Provider grants you a non-exclusive, non-transferable, revocable license to use the Application for the purpose of receiving suggestions for insulin intake and related use.
2.2 Any use of the Application outside the license specifically granted by the Application Provider constitutes an infringement of the Application Provider’s intellectual property rights and is a material breach of this agreement.
3. Restrictions on License
3.1 Except as otherwise specifically permitted in this agreement, you may not:
(i) modify or create any derivative works of the Application;
(ii) copy the Application except as provided in this agreement or elsewhere by the Application Provider;
(iii) separate the Application, which is licensed as a single service, into its component parts;
(iv) reverse engineer, decompile, or disassemble or otherwise attempt to derive the source code for any software product of the Application (except to the extent applicable laws specifically prohibit such restriction);
(v) redistribute, encumber, sell, rent, lease, sublicense or otherwise transfer rights to the Application. You may NOT transfer the Application under any circumstances; or
(vi) remove or alter any trademark, logo, copyright or other proprietary notices, legends, symbols or labels in the Application.
4. Safety Information
4.1 Before commencing use of the Application, you should always discuss the use of the Application with your diabetes educator or physician. You should only use the personal settings if you agree with them.
4.2 The suggested rapid-acting insulin dose calculated by the Application is intended only as a guide. If you are in any doubt about the recommended rapid-acting insulin dose, you must follow the advice of your diabetes educator or physician.
4.3 The suggested rapid-acting insulin dose will be invalid if you enter incorrect data or have not recorded any insulin dose which occurred in the preceding 4 hours. The suggested rapid-acting insulin dose is only valid for the person for whom the Application has been personalised.
4.4 Do not rely only on the rapid-acting insulin dose calculation:
(i) When using the Application, you agree that the Application Provider is providing you with medical advice intended only as an indicative recommendation.
(ii) You must confirm that the rapid-acting insulin dose calculated by the Application is in accordance with that recommended by your physician or diabetes educator and you must take action on any signs or symptoms of hypoglycemia.
5.1 Whilst every reasonable attempt has been made by the Application Provider to ensure that the calculated insulin dose is accurate, the Application cannot take account of all the many variables that impact the life of a person with diabetes and the resulting blood glucose levels. The Application Provider does not guarantee the accuracy of the results provided by the Application.
5.2 The Application Provider expressly does not warrant that the service will meet your requirements or that operation of the service will be uninterrupted or error-free, hereunder that you will have continued access to the Application or any data within the Application at any time.
6. Limitation of Liability
6.1 To the fullest extent permitted by law the Application Provider:
(i) excludes all liability in respect of loss of data, adverse health consequences, or any consequential or incidental loss that you may suffer as a result of using the Application; and
(ii) excludes all representations, warranties or terms (whether express or implied) other than those expressly set out in these terms and conditions.
6.2 The Application Provider’s total aggregate liability for all claims relating to these terms and conditions is limited to the replacement cost of the Application.
6.3 These Terms and Conditions are to be read subject to any legislation which prohibits or restricts the exclusion, restriction or modification of any implied warranties, conditions or obligations. If such legislation applies, to the extent possible, the Application Provider limits its liability in respect of any claim to, at the Application Provider’s option:
(i) the replacement of the Application; or
(ii) the payment of the replacement cost of the Application.
7. Processing of Personal Data
7.1 User Consent
If you consent, the Application Provider will process the personal data listed in this section to be able to provide its services.
We distinguish between necessary data (section 7.1.1), which is needed to safely store and protect your information, and general data (section 7.1.2), which is voluntary for you to provide. Necessary data is obligatory and necessary to create a user in the Application.
General data will in some cases be required for us to provide specific services, e.g. entry of current blood glucose level or carbs is optional, but it will be needed to make a correct bolus calculation.
In connection with the handling of personal data, we do our utmost to collect and store only the absolutely necessary data in order to provide the expected service and meet the requirements set by regulatory and local authorities.
7.1.1 Necessary data
When setting up your profile you will be asked to provide the following information, which is necessary for us to set up your profile and provide you with access to our services. This includes email address, password (we only save an encrypted version), and user ID (assigned by us).
Device and consent information
To be able to provide our services and comply with regulations for medical devices, we process usage and device information which includes e.g. device ID, operating system, consents, and activity events for changes in settings or medical master information.
7.1.2 General data
Personal master information
Personal master information is entered when you set up your profile. The entered information can be found and changed in your account settings. Personal master information includes e.g. gender, date of birth, country, language, and time zone.
Medical master information
Medical master information is entered while setting up your profile, and it can later be found and changed in your account settings. Medical master information includes e.g. diabetes type, height, weight, injection method (pen/pump), type of insulin (long-acting and fast-acting), and blood glucose targets.
Medical data entries are made in conjunction with our services. Data processing will depend on your use of the product and services but may include e.g. time of entry, food items, carbohydrates, blood glucose readings, insulin dosage, events (e.g. physical activity), and mood.
Usage Data is automatically collected when using the Application. Data may include e.g. services used, application version updates, and activity time stamps.
7.2 Data processing purposes
Your personal data will be processed in compliance with Danish data protection legislation.
Apart from the data processing purposes described in section “Consent”, we also process your personal data for the following purposes:
7.2.1 Data processing to provide you with our services
To be able to provide you with our services, we process the medical data and medical master information you have provided us with, as described in section 7.1.
7.2.2 Data processing for product improvement
To continuously improve and further develop our products and services that support self-management in diabetes, we analyze user-dependent data (device and consent information) and general data (personal master information, medical master information, medical data, and usage data), described in section 7.1, and implement the results in new product versions available to you in regular updates.
7.2.3 Data processing for marketing
We would like to send you information or news about our products and services and invitations to surveys and other marketing activities. The newsletters may also contain relevant information and invitations from carefully selected partners. It is optional for you to subscribe to these newsletters, and you can revoke your consent via the “Unsubscribe” link in the newsletter emails or in your user account settings.
Other marketing-related activities
By consenting and subscribing to our newsletter, you consent to receive invitations to other marketing-related activities e.g. surveys and interviews. Participation in these activities is voluntary, and if you choose to participate, consent will be obtained as required. We always explain why we need certain data, how we process it, and how you can revoke your consent.
We may show you offers within the app without processing your personal data. You will also see these non-customized advertisements if you have not provided your consent.
7.2.4 Data processing for other purposes
Medical Device Directives and Regulations
The Application is classified as a medical device, and therefore, we are subject to increased requirements for monitoring the user safety and functionality of our product. Your personal data will be processed in compliance with Danish data protection legislation.
Scientific research and statistics
At Hedia, we wish to contribute to scientific research in diabetes. We would like to invite our users to contribute their personal data to scientific research projects. In compliance with ethical scientific standards, consents will be obtained for each specific scientific research project. We comply with the General Data Protection Regulation (GDPR), in which our legal basis for processing data for scientific purposes is stated in Article 9(2)(j).
As a user of the Application, it is optional for you to receive invitations to scientific research projects. If at any point you want to change or revoke your consent, you can do so in user account settings.
Enforcement of rights
In cases of suspected abuse of the Application, or to assert, exercise, or defend legal claims, we may have to process personal information and be forced into disclosure due to binding laws or criminal investigation. If this happens, the storage and processing of your data are permitted by law without your consent.
You are always welcome to contact us on firstname.lastname@example.org if you experience problems or want to file a complaint. In such cases, we may have to process the personal information that you have registered in our services to be able to properly respond to your inquiry.
7.2.5 Data Retention
We only store the personal information for as long as is necessary, in relation to the stated purposes above and for the duration of the contract. In exceptional cases, longer storage may be required in order to fulfil post-contractual obligations or to comply with statutory storage obligations or disclosure duties or to assert, exercise, or defend legal claims (limitation periods).
Once personal information is no longer necessary, the data is anonymised. This means that the information cannot be connected to an identifiable data subject.
7.3 Third-party suppliers
We (as a data controller) use third-party suppliers (data processors) to provide products, services, and support, and in some cases, we might need to disclose user data. Third-party suppliers and partners are bound by the agreements signed with the Application Provider, as well as by the GDPR, and only process data according to our instructions.
These suppliers provide us with services globally, including hosting services, customer support, information technology, marketing, research, and surveys.
7.3.1 Data storage for the Application
Personal information is stored on servers in Europe.
Some personal information is managed by a third-party supplier (data processor), which stores and processes personal data on behalf of the company in accordance with these terms and conditions and the applicable legislation on the protection of personal data.
7.3.2 Data transfers from the Application
You have the option to share and transfer your data from our services by generating a report and forwarding it to e.g. your healthcare professionals. If you choose to do so, please note that you are solely responsible for these data transfers.
7.3.3 Links to Third Party Sites
Hedia ApS cannot and has not reviewed all pages of the websites linked to this site and therefore cannot be liable for their content or data-handling policies.
Users link to other websites at their own risk and use such sites according to the terms and conditions of use of such sites.
Hedia ApS provides links to you only as a convenience, and the inclusion of any link does not imply endorsement by Hedia ApS or the website.
7.4 Encryption and anonymization
The data that is captured through your interactions with Hedia’s website and application is stored securely in protected data warehouses and is only accessible to accredited administrative users with specific access permissions.
Data exchanged between our webpage, our application and the related data warehouses is encrypted in transit to minimise the risk of interception.
For storing documentation and data, we only utilize cloud service providers that support data encryption.
We always have a valid SSL certificate on our main website.
We use a combination of technical, administrative, and physical controls to maintain the security of your data.
Each data transfer from the application to the secure data storage facilities is encrypted during transfer.
We complete regular reviews of the data capture processes to ensure only data that is necessary to support the delivery of Hedia services is captured.
We may also use other processes for encryption of user data for the purpose of data security. This is dependent on the type, scope and purpose of the relevant data processing. For example, a data processor does not receive any user data that is not directly required for completing their tasks.
7.5 Data Transfer (EU and other countries)
We (data controller) work together with partners (data processors) who are primarily based in or whose servers are located in the European Union (EU) or European Economic Area (EEA). Data transmission within the EU and EEA is governed by the GDPR, which applies to all member states.
In some circumstances, we appoint third-party suppliers (data processors) who are located in or who have servers outside the EU, such as data hosting services in the USA.
However, even in these cases, your personal data is subject to a high protection level in line with the GDPR – either through an EU adequacy decision, or through certain standard contractual clauses approved by the EU, which the contractual relationships with our contracted data processors are based on, or through comparable legal instruments permitted under the GDPR.
In any case, all third-party suppliers are subject to the obligations in these terms and conditions.
In addition, we ensure that our partners have additional security standards in place, such as individual security measures and data protection provisions or certifications under the GDPR.
Minors below the age of 18 are not permitted to use the Application. When initiating use of the Application, users will be asked to provide their date of birth. If the age is below 18, access to the Application’s services will not be granted.
If you become aware of the Application being used by a minor, it can be reported to the Application provider on email@example.com.
7.7 Your Rights
7.7.1 Revocation of consent
Based on your consent, we may process your user data. You may revoke this consent at any time.
However, this will not affect the lawfulness of the processing before the revocation. We will continue to provide our services if they do not depend on the consent that has been revoked.
7.7.2 Information, correction, and restriction
As a user, you have the right to request information on the processing of your personal data. To do so, please contact us at any time at firstname.lastname@example.org.
Your right to information also covers information on the processing purposes, data and recipient categories, storage time, the origin of your data, and your rights under the data protection regulations.
Should some of your personal data be incorrect, you can request that your data is corrected or completed at any time. You can correct most data by yourself in the Application under your account settings. You have the right to restrict data processing for the duration of any investigation review that you have requested.
7.7.3 Ability to transfer data
As a user, you have the right to request that we provide an overview of your personal data to another responsible party if this is technically feasible. Please contact us at email@example.com.
7.7.4 Right to object and access information
Article 21 of the GDPR gives you, as an individual, the right to object to the processing of your personal data at any time. An objection may be in relation to all of the personal data we hold about you or only to certain information. It may also only relate to a particular purpose we are processing the data for.
If you believe that the information held about you is inaccurate, please write to us at firstname.lastname@example.org.
You can always have the information we have collected about you changed.
If you want to receive a copy, please write to us at email@example.com
7.7.5 Deletion (“right to be forgotten”)
As a user, you have the right to request the deletion of your personal data. To do so, please contact us at any time at firstname.lastname@example.org.
7.8 Processing personal data as part of our complaint handling
If a complaint is related to our service, we reserve the right to view the user’s entries and settings in our database. This is done as part of the complaint investigation process and to improve the troubleshooting.
Should you feel that we are not protecting your data protection rights adequately, please feel free to contact us at any time at email@example.com. We will make sure to handle your request immediately, and you’ll hear from us within 24 hours.
You can always file a complaint about the processing of your personal data to the Danish Data Protection Agency through their website: https://www.datatilsynet.dk/borger/klage-til-datatilsynet/, if you believe that the processing of your personal data is not in compliance with the data protection regulations.
7.9 Data Protection Officer (DPO)
Our Data Protection Officer (DPO) monitors compliance with all data protection regulations and is subject to strict statutory secrecy and confidentiality obligations. The responsibilities of the DPO include:
Educating the company and employees on important compliance requirements
Serving as the point of contact between the company and GDPR Supervisory Authorities
Monitoring performance and providing advice on the impact of data protection efforts
Maintaining comprehensive records of all data processing activities conducted by the company, including the purposes of all processing activities, which must be made public on request
Interfacing with data subjects to inform them about how their data is being used, their right to have their personal data erased, and what measures the company has put in place to protect their personal information
Any questions related to data protection in Hedia can be forwarded to firstname.lastname@example.org
7.10 Management of any potential data breaches
If an incident has occurred and resulted in or is believed to have resulted in the breach or loss of personal data for which the company is responsible, supervisory authorities and affected persons will be notified.
Notification of supervisory authorities will be done without undue delay (GDPR Article 33).
Persons affected by the breach will be notified (GDPR Article 34).
8. Changes and updates to our Terms & Conditions
As technology and processes, as well as data protection legislation, can change over time, we have to undertake changes to this agreement from time to time.
We will inform you of changes whilst granting an appropriate advance notice period and, if necessary, obtaining new consents, either via our website (www.hedia.co) or other means which we find appropriate.
Any change to this agreement will be effective 30 calendar days after we have notified you of such changes.
If you have any questions or comments about our personal data policy, or about how we use your personal information, please contact us at email@example.com.
Cookies are used:
to recognise you when you visit our site again and enhance your browsing experience by storing your preferences.
for statistical purposes, and completely anonymous cookie data is shared with third-party applications, e.g. Google Analytics, to analyse website activity.
for targeted marketing, which is based on information about your behaviour on the website.
For each visit to the website – regardless of the presence of a cookie – the company registers your type of browser, operating system, host and web addresses on the pages to which access is desired. This data is used in a comprehensive and anonymous form for statistical analysis of the general use of the website.
If you do not want the company to identify your electronic device using cookies, you can delete and block cookies from hedia.co in your browser.
10. Complaints and feedback
10.1 You are always welcome to provide suggestions or feedback to us on firstname.lastname@example.org.
10.2 As a consumer, you can under certain conditions file a complaint with the Consumer Complaints Board (in Danish “Forbrugerklagenævnet”) by contacting Forbrugerklagenævnet, Konkurrence- og Forbrugerstyrelsen, Carl Jacobsens Vej 35, 2500 Valby or through the website http://www.forbrug.dk/.
10.3 In order to file a complaint, you can also use the EU’s online dispute resolution platform: http://ec.europa.eu/consumers/odr/.