Privacy Notice for REACH APP of Sinocare Meditech Inc.
The Sinocare Meditech Inc., („we“) operates the Sinocare REACH APP (“REACH APP”).
Sinocare Meditech UK Inc. is the controller of your personal data within the meaning of Art. 4 No. 7 of the EU General Data Protection Regulation 2016/679 (“GDPR”) and as such your direct point of contact related to data protection. You can reach us at any time using the following contact options:
Postal: Sinocare Meditech Inc.,
Via E-Mail: iCansupport@sinocare.com
Data Protection Officer: Dr. Jiangfeng Fei
EU Representative:
OBELIS S.A.
Bd. Général Wahis, 53
1030 Brussels, Belgium
Tel.: +32.2.732.59.54
The REACH APP enables users who have downloaded the REACH APP and created an account for it („User“ or „you“) to access the live glucose level data („Glucose Data“) of glucosis patients who have installed the separate Sinocare iCAN APP and granted the User access to their Glucose Data. When downloading, installing and using the REACH APP, we process personal data relating to you.
Personal data means any information relating to an identified or identifiable natural person. Since the protection of your privacy as well as the protection of your personal data in connection with the use of the REACH APP is very important to us, we would like to inform you in detail below which personal data we collect and process from you, for which purposes and on which legal basis we process this data and with whom we may share your data.
What personal Data do we collect about you?
1. When you download the REACH APP from your App Store (e.g. Google Play or Apple App Store), certain required information is transmitted to the App Store you have selected. This information includes in particular your user name, your email address and your customer number of the App Store user account, the time of the download of the REACH APP, provided that the App requires payment, your payment information (e.g. credit card data, etc.) as well as the individual device identification number (Device ID) of the device on which you download and install the REACH APP. We have no influence on these data processing operations. It is conducted exclusively by the respective provider of the App Store and we are not responsible for this processing in the meaning of the data protection laws. („App Store Data“).
2. When you use the REACH APP and register a user account, we collect and process certain Technical Data that is mandatory for the use of the REACH APP. This Technical Data, which is necessary for the use of the REACH APP and is collected automatically, includes your IP address, your device ID (IMEI number = International Mobile Equipment Identity number), your operating system and its current version, date and time of access, the unique number of the carrier (IMSI = International Mobile Subscriber Identity), mobile phone number (MSISDN), the MAC address for WLAN use and the name of your mobile device. („Technical Data“).
3. In order to use the REACH APP, you must first register a user account with us and log in to the app via this user account. If you create a user account with us, we will collect and process, alongside the aforementioned Technical Data, for the creation of the user account, your email address, a user name chosen by you and an individual password to protect your user account („User Account Data“). When logging into the app in the future, you must provide this email address/user name and your password so that you can be granted access to your user account.
For what purposes do we process your personal data?
1. We process the Technical Data solely for the purpose of providing you with the REACH APP, to ensure the security and functionality of the REACH APP, and to evaluate the utilization of the app (Art. 6 (1) lit. f GDPR).
2. Your User Account Data will only be used to perform the contract concluded with you for the use of the REACH APP (Art. 6 (1) lit. b GDPR).
3. We process your personal data exclusively for the aforementioned purposes. To the extent that we intend to process your personal data for purposes other than these purposes, we will only do so to the extent required/permitted by law or if you have given us your consent to process the data for the different purposes. Prior to any further processing for the different purposes, we will inform you accordingly and provide you with all necessary information.
4. We will not use automatic decision-making (including profiling) to process your personal data.
With whom do we share your personal data?
1. In addition to the cases explicitly mentioned in this privacy notice, your personal data will only be shared with your express prior consent or if this is permitted and required by law.
2. We may use third party service providers for processing your Technical Data and Account Data for the above purposes. If we use such external service providers, we have carefully selected them beforehand as processors and verify their reliability in accordance with Art. 28 (1) GDPR and contractually obligate them within the scope of Art. 28 (3) GDPR to process all personal data provided by us exclusively in accordance with our instructions.
3. We may share the Technical Data and User Account Data within the Sinocare Group for internal administrative purposes and in particular for joint customer services as well as customer support with Changsha Sinocare Inc (265 Guyuan Road, Hi-Tech Zone, Changsha, 410205, Hunan, P.R. China) and Sinocare Meditech Inc. (3230 W Prospect Road, Lauderdale, FL 33309. USA), if this is necessary for the above purposes. The legal basis for any disclosure of this personal data (if not anonymized prior to the disclosure) to our affiliated companies is our legitimate interest pursuant to Art. 6 (1) lit. f GDPR.
4. We may share Technical Data and User Account Data with persons engaged in the conduct of our business to the extent necessary (auditors, financial institutions, insurance companies, legal advisors, regulators, parties involved in acquisitions or the establishment of joint ventures) based on our legitimate business interest (Art. 6 (1) lit. f GDPR).
5. To the extent necessary to investigate unlawful or abusive use of the REACH APP or for legal defense or enforcement and to investigate criminal offenses, we may disclose your Technical Data and Account Data to law enforcement or other authorities and, if necessary, to harmed third parties and legal counsel. However, we will only forward your data if there are indications of illegal or abusive behavior and upon binding request. We may also share it, particularly with our legal counsel, if necessary to enforce our REACH APP terms of use or other legal claims. In addition, we may be required by law to provide information about personal data at the request of certain public authorities. This typically includes requests from law enforcement authorities, authorities that prosecute administrative offenses subject to fines, and tax authorities. We may also disclose your data to authorized third parties if we are permitted to do so by law (e.g., in the case of (third-party) information claims for intellectual property rights infringement) or if we are required to provide information by an administrative or court order. The legal basis for the disclosure of your personal data is either our respective legal obligation to comply (Art. 6 (1) lit. c GDPR) our legitimate interest pursuant to Art. 6 (1) lit. f GDPR, or if there are indications of unlawful or abusive behavior, we have a legitimate interest in disclosing the data to enforce our terms of use, our own legal claims or those of third parties, and our interests outweigh your interest in protecting your personal data.
Do we transfer your personal data to third countries?
The above mentioned recipients of your personal data may process your personal data outside the European Union:
• Changsha Sinocare Inc. in China (support services)
• Sinocare Meditech Inc. in the USA (support services)
• AWS with physical server location in Germany (as hosting provider)
• research and development centers in the U.S. and China, affiliated companies, external researchers, healthcare companies and professionals, and health authorities (aggregated and anonymized data only)
We take appropriate measures to provide guarantees that the recipients comply with the principles of GDPR. Unless there are other appropriate safeguards or transfer mechanisms (such as adequacy decisions of the EU Commission) in place, we use the standard contractual clauses approved by the EU Commission pursuant to Art. 46 (2) lit. c GDPR when drafting the contracts concluded with our service providers. The standard contractual clauses currently approved by the EU Commission are available on this website. Furthermore, you can request further information on these measures taken at any time using the contact details above.
Please note that as far as there is no adequacy decision of the European Commission for these countries, despite careful selection and commitment of our service providers, these may be subject to compulsory laws in their respective country of establishment requiring them to grant access to data on request of governmental authorities which may not provide for legal boundaries comparable to the European Union.
When do we delete your personal data?
We delete or anonymize your personal data as soon as it is no longer necessary for the purposes we have collected and processed it for. In general, we store your personal data for the duration of the contractual relationship regarding the REACH APP. We will store your User Account Data for a period of twelve months from the last use of your User Account and delete or aggregate them thereafter.
Your personal data collected and processed when you contact our customer service will be stored where this is necessary to ensure product safety and to comply with applicable regulatory provisions. We will anonymize your data to the extent permitted to comply with said regulatory provisions. The data stored on the mobile device you use in connection with the use of the REACH APP will be stored until you decide to delete the REACH APP.
Legal requirements for the retention and deletion of personal data, in particular tax and commercial law requirements for retention, remain unaffected.
How do we process children’s data?
We do not knowingly collect and process personal data from children under the age of 16 without the consent of their parents or other legal guardians.
Which encryption methods and encryption standards do we use for the security of your personal data?
For data loss prevention and protection against unauthorized access to your personal data, we use various encryption methods, encryption standards and security means.
User Account Data stored locally on your device is encrypted using CBC encryption, while the user account password is MD5 encrypted. Account Data on our cloud server is transmitted to the cloud server using HTTPS encryption. The data stored on our cloud server is encrypted using Advanced Encryption Standard (AES).
For the prevention of data loss of data stored on our cloud server, we perform daily incremental backups and monthly full backups for the sole purpose of providing you with backups of your data in the event of accidental data loss.
Which rights do you have?
You have the right to request information about the data we have stored about you in accordance with Art. 15 GDPR, to request the rectification of inaccurate data in accordance with Art. 16 GDPR and to request the erasure of data in accordance with Art. 17 GDPR or the restriction of data processing in accordance with Art. 18 GDPR. Under the conditions of Art. 20 GDPR, you may also request the transmission of personal data to you or a third party.
In accordance with Art. 21 GDPR, you have the right to object to the processing of your data, provided that the reason for the objection arises from your particular situation and it concerns data that we process to protect one of our interests worthy of protection or if it concerns the use of your data for direct marketing.
You also have a right to lodge a complaint with a competent supervisory authority pursuant to Article 77 GDPR if you consider that we are not processing your personal data in accordance with applicable law. This can be, for instance, the supervisory authority at the place of your residence.
If you have given us consent to process your personal data, you can withdraw this consent at any time without providing reasons and with effect for the future at the email address provided above under the contact details. Please note that this will not affect the processing of your data up to the receipt of the withdrawal notice by us.
Amendment of this Privacy Notice
We always keep this Privacy Notice updated. The current version can always be viewed under the menu “About” within the app. If we change this Privacy Notice, we will inform you about this via a corresponding banner in the CGM APP or via email.
Date of the Privacy Notice: Jan 2024