Data Privacy Policy

By consenting to your Health Related Data being processed for the provision of ADMS you consent that we may process your Health Related Data necessary to perform our contract with you regarding ADMS, specifically to present to you an overview of your health related events and achievements of setup goals in the App and to provide reminders for your scheduled events, as further described below in clause 5.

By consenting to your Health Related Data being processed for analytical, research, statistical purposes you consent that we may process your Health Related Data to use the data generated for analytical, research, statistical purposes to provide you with statistics and analysis of your data, and in order to develop and improve our products and services, as further described below in clause 5.

  1. Introduction

Brighter respects your privacy and is committed to making sure that you are able to feel secure about how we process your Personal Data. We have put in place appropriate security measures to prevent your Personal Data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. Brighter is working towards ISO 27001 certification to ensure that appropriate security measures are in place to protect the personal data. This includes but is not restricted to access control policy, password policy, encryption policy and data retention policy.

This Data Privacy Policy explains how and why we process your Personal Data when you access ADMS (regardless of where you access ADMS from) and your privacy rights according to the personal data legislation.

The Glossary in Appendix 1 will help you to understand the meaning of certain defined terms used in this Data Privacy Policy.

  2. Important information

Purpose of this Data Privacy Policy

This Data Privacy Policy aims to give you information on how Brighter collects and processes your Personal Data through your use of ADMS.

ADMS are intended for persons of 18 years or over and we do not knowingly collect Personal Data relating to children.

It is important that you read this Data Privacy Policy together with any other privacy policy or fair processing policy we may provide on specific occasions when we are collecting or processing Personal Data about you so that you are fully aware of how and why we are using your Personal Data. This Data Privacy Policy supplements other notices and privacy policies and is not intended to override them.

Controller

This Data Privacy Policy is issued on behalf of Brighter so when we mention “Brighter”, “we”, “us” or “our” in this Data Privacy Policy, we are referring to Brighter. Brighter AB (publ) (reg. no. 556736-8591) is the controller and responsible for ADMS.

We have appointed a Data Protection Officer who is responsible for overseeing questions in relation to this Data Privacy Policy. If you have any questions about this Data Privacy Policy, including any requests, please contact the Data Protection Officer using the details set out below.

Contact details of Data Protection Officer

If you have any questions about this Data Privacy Policy or our privacy practices, please contact our Data Protection Officer on the contact details listed below. Please mark the subject line or caption as “DPO” or “Data Protection Officer” in your communication.

Full name of legal entity: Brighter AB (publ)

Email address: info@brighter.se

Postal address: Borgarfjordsgatan 18, SE-164 40 Kista, Sweden

Telephone number: +46 (0)8-550 088 20

Changes to this Data Privacy Policy

We regularly review the terms of our Data Privacy Policy and will inform you about material changes in this Policy.

Processors

Brighter AB uses certain processors to assist in providing our services. A processor agrees to receive personal data from Brighter AB (i) intended for processing activities to be carried out on behalf of our Actiste portfolio users; (ii) in accordance with the Data Privacy Policy as communicated by Brighter; and (iii) in accordance with the Data Protection Agreement between Brighter and the processor.

Entity name: Cuelebre
Processing activities: Data Analytics
Entity countries: European Union
Applicable Brighter service/product: ADMS
Third party (sub-processor): None

Entity name: Google G Suite
Processing activities: Cloud Service Provider
Entity countries: EU regional routing applied: European Union
Applicable Brighter service/product: Customer Service
Third party (sub-processor): None

Entity name: Concise
Processing activities: Software Development
Entity countries: European Union
Applicable Brighter service/product: ADMS, Companion App
Third party (sub-processor): None

Entity name: Speed Logistics
Processing activities: Processing
Entity countries: European Union
Applicable Brighter service/product: Actiste, Actiste Mini
Third parties (sub-processors):
  • Iver – data center and operation. Entity countries: Sweden
  • Nordlo – data center and operation. Entity countries: Sweden
  • Icore – system integration. Entity countries: Europe
  • Consafe Logistics AB (WMS) – supply management solutions. Entity countries: Europe

Entity name: Sonat
Processing activities: Customer Service Processing
Entity countries: European Union
Applicable Brighter service/product: Customer Service
Third parties (sub-processors):
  • Zendesk – customer support system. Entity countries: USA with relevant SCC.
  • Addimotion Services AB – web-based transport tracking system. Entity countries: European Union

Entity name: Amazon Web Services
Processing activities: Cloud Service Provider
Entity countries: EU regional routing applied: Ireland
Applicable Brighter service/product: ADMS
Third party (sub-processor): None

  3. The Personal Data we collect about you

Personal data includes, but is not limited to, any information about an individual from which that person can be identified.

We collect and process the following categories of your Personal Data in connection with your use of ADMS:

  • Identification Data which includes, but is not limited to, first name, last name, user name or similar identifier, personal ID number, billing address, delivery address, email address and telephone numbers.
  • Health Related Data which includes, but is not limited to:
    • Diabetes Data – length, weight, gender, date of birth, diabetes type, insulin used, schedules and debut of diabetes.
    • Blood Glucose Data – your blood glucose values which you record using the Device and/or the App.
    • Insulin Dose Data – your insulin doses which you inject and where you input and record such doses using the Device and/or the App.
    • Exercise Data – your frequency, level and intensity of exercise you undertake on a daily basis and which you record using the App.
    • Mood Data – your general moods and feelings which you experience on a daily basis and which you record using the App.
    • Meal Data – the food and drink which you consume on a daily basis and which you record using the App.
  • Technical Data which includes, but is not limited to, the serial number of the Device, approximate location data of your Device and technical data of phone device including but not limited to brand, operating system, and version number.

  4. How we collect your Personal Data

We use different methods to collect data from and about you including through:

  • Direct interactions. Through your use of ADMS, particularly through using the App and the Device.
  • Automated technologies or interactions. As you interact and use ADMS, we will automatically collect Personal Data about you.

  5. What we use your Personal Data for

We have set out below, in a table format, a description of all the ways we use your Personal Data, and which of the lawful bases we rely on to do so. We have also identified what our Legitimate Interests are where appropriate.

Note that we may process your Personal Data for more than one lawful basis depending on the specific purpose for which we are using your Personal Data. Please contact us if you need details about the specific lawful basis we are relying on to process your Personal Data where more than one lawful basis has been set out in the table below.

Purpose/Activity: To register you as a new patient and to manage the delivery of the Start Kit and Refill Kits to you.
Category of Personal Data: Identification Data
Lawful basis: Performance of Contract with you.

Purpose/Activity: To present to you an overview of your health related events and achievements of setup goals in the App.
Category of Personal Data: Health Related Data
Lawful basis: Performance of Contract with you.
Condition for processing special category data: Consent (art. 9.2 a GDPR).

Purpose/Activity: To provide reminders for your scheduled events.
Category of Personal Data: Health Related Data
Lawful basis: Performance of Contract with you.
Condition for processing special category data: Consent (art. 9.2 a GDPR).

Purpose/Activity: To process and deliver to you ADMS including:
(a) Manage payments, fees and charges; and
(b) Collect and recover money owed to us.
Category of Personal Data: Identification Data
Lawful basis:
(a) Performance of Contract with you; and
(b) Necessary for our Legitimate Interests (to recover debts due to us).

Purpose/Activity: To manage our relationship with you which will include:
(a) Notifying you about changes to our terms or Data Privacy Policy; and
(b) Asking you to leave a review or take a survey.
Category of Personal Data: Identification Data
Lawful basis:
(a) Performance of Contract with you;
(b) Necessary to Comply with a Legal Obligation; and
(c) Necessary for our Legitimate Interests (to keep our records updated and to study how patients use our ADMS).

Purpose/Activity: To administer and protect our business and ADMS (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data).
Category of Personal Data: Identification Data
Lawful basis:
(a) Performance of Contract with you;
(b) Necessary for our Legitimate Interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise); and
(c) Necessary to Comply with a Legal Obligation.

Purpose/Activity: To analyse your data to give you statistics and analysis, which includes:
(a) To make suggestions and recommendations to you about other services provided by Brighter that may be of interest to you.
Category of Personal Data: Identification Data
Lawful basis:
(a) Performance of Contract with you;
(b) Necessary for our Legitimate Interests (to develop our products/services and grow our business).

Purpose/Activity: To use the data generated for analytical, research, statistical purposes which includes:
(a) To analyse your data in order to provide you with statistics and analysis; and
(b) To analyse your data for statistical purposes in order to develop and improve our products and services.
Category of Personal Data: Health Related Data
Lawful basis:
(a) Performance of Contract with you;
(b) Necessary for our Legitimate Interests (to develop our products/services and grow our business);
(c) Consent from you.
Condition for processing special category data: Consent (art. 9.2 a GDPR).

Purpose/Activity: To use the data generated for analytical, research, statistical purposes, which includes:
(a) To provide support to you and for general troubleshooting of network related issues and similar; and
(b) To analyse the data for statistical purposes in order to develop and improve our products and services.
Category of Personal Data: Technical Data
Lawful basis:
(a) Performance of Contract with you; and
(b) Necessary for our Legitimate Interests (to develop our products/services and grow our business).

  6. Personal Data retention

We only retain your Personal Data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. In general, all categories of your Personal Data are stored as long as there is a relationship with us, unless otherwise necessary to fulfil any of the purposes stated above.

We may retain your Personal Data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

  7. Sharing Personal Data

We do not sell, otherwise disclose, or share data we collect and store about you, except as described in this Data Privacy Policy.

We may share your Personal Data with selected companies that supply various types of services to us related to ADMS, such as IT-related services, logistics and payment services. This may involve transferring your Personal Data outside the European Economic Area (EEA). Where we transfer your Personal Data outside the EEA we will take reasonable steps to ensure that your Personal Data is treated securely and that the means of transfer provide adequate safeguards. For example, this may include:

  • Transfer of your Personal Data to countries that have been deemed to provide an adequate level of protection for Personal Data by the European Commission.
  • Where we use certain service providers, using specific contracts approved by the European Commission or alternative contractual means to provide the equivalent level of protection.

We have agreements with all our suppliers and subcontractors that regulate what Personal Data is being processed, why the processing is done, how Personal Data are to be protected and for how long it is being processed.

  8. Your legal rights

You have rights under data protection laws in relation to your Personal Data. If you wish to exercise any of the rights set out below, please contact us.

  • Access to Personal Data – you have the right to access your Personal Data that we have registered: categories of Personal Data, purposes for processing, retention periods and who it will be shared with. You can also download an extract showing your health related data being processed within ADMS via the settings function in ADMS.
  • Correction of Personal Data – you have the right to have any incomplete or inaccurate Personal Data we hold about you corrected, though we may need to verify the accuracy of the new Personal Data you provide to us. We inform you about the correction of your Personal Data. It is important that the Identification Data we hold about you is accurate and current. Where we need to collect Personal Data by Applicable Law, or under the terms of a contract we have with you, and you fail to provide that Personal Data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with goods or services). In this case, we may have to cancel a product or service you have with us but we will notify you if this is the case at the time.
  • Erasure of Personal Data – you have the right to ask us to delete or remove Personal Data where there is no good reason for us continuing to process it. We inform you about the erasure of your Personal Data. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
  • Restriction of processing of your Personal Data – you have the right to ask us to suspend the processing of your Personal Data in the following scenarios:
    • If you want us to establish the Personal Data’s accuracy.
    • Where our use of the Personal Data is unlawful but you do not want us to erase it.
    • Where you need us to hold the Personal Data even if we no longer require it as you need it to establish, exercise or defend legal claims.
    • You have objected to our use of your Personal Data but we need to verify whether we have overriding legitimate grounds to use it.
  • Data portability – you have the right to receive your Personal Data in a structured, commonly used and machine-readable format and have the right to transmit these data to another controller without being impeded by us. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
  • Object to processing – you have the right to object to our processing of your Personal Data in some cases. We may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms. You can contact us at any time to obtain more information about the balancing of interests that has been carried out.

In addition to the above, you also have the right to withdraw your consent at any time where we are relying on consent to process your Personal Data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.

  9. Complaints regarding our processing of your Personal Data

You may submit a complaint at any time about the use or disclosure of your Personal Data to our Data Protection Officer. We will investigate and attempt to resolve any complaints or disputes regarding the use or disclosure of your Personal Data within 45 days of receiving your complaint. For any unresolved complaints, we will cooperate with the relevant data protection authority located in the jurisdiction in which you are based to resolve your complaint. You always have the right to submit your complaint directly to the data protection authority located in the jurisdiction in which you are based.

  10. No fee usually required

You will not have to pay a fee to access your Personal Data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.

  11. What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access your Personal Data (or to exercise any of your other rights). We exercise data security measures to ensure that Personal Data is not disclosed to any person who has no right to receive it. We may also contact you to ask for further information in relation to your request to speed up our response.

  12. Time limit to respond

We try to respond to all legitimate requests within one month. Occasionally it could take us longer if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

Appendix 1

The Glossary

Actiste Consumables means the disposable consumables required to operate your Device (if applicable to you) that includes, but is not limited to, needles (Actiste Device only), lancets and test strips.

Actiste Device Data includes, but is not limited to, the Actiste ID number of the Device.

Actiste Network means the service you connect to via the App through https://actiste.net and/or https://actiste.com (including any relevant sub-domains unless certain terms of the ADMS Agreement are expressly excluded from such sub-domains’ own terms) and the Device (if applicable) and the data we provide to you through the App, the Actiste Network and the Device (as applicable).

ADMS means together the App, the Device and the Service.

ADMS Agreement means together the End User License Agreement, the Data Privacy Policy and the Applicable Law and Jurisdiction.

App means the Actiste Companion which is a mobile app, the application software and any updates or supplements to it providing a platform where you are able to, but not limited to, view information and data which you have generated through using your Device.

Applicable Law means the applicable laws of your jurisdiction which may impact the ADMS Agreement and the Subscription Agreement (if applicable) (as the context may require).

Balance Subscription Fee means the fee payable by the Patient to Brighter if the Patient terminates the Subscription Agreement within the Initial Subscription Term or before having paid the minimum Subscription Fees as set out in clause 10 of the Subscription Agreement (where a Subscription Agreement applies).

Blood Glucose Data includes, but is not limited to, your glucose values which you record using the Device and/or the App.

Brighter means (a) Brighter AB (publ), a limited company incorporated in Sweden under company registration number 556736-8591, with registered office address at Borgarfjordsgatan 18, SE-164 40, Sweden; and/or (b) any affiliate or subsidiary of Brighter AB (publ).

Comply with a Legal Obligation means processing your Personal Data where it is necessary for compliance with a legal obligation that we are subject to.

Content includes, but is not limited to, any text, graphics, images, audio, video, software data, compilations, page layout, underlying code and any other form of information that appears on or forms part of the Service in any media form existing on the date of the ADMS Agreement and/or in the future.

Cooling Off Period means the period of time within which a Patient is entitled to terminate the Subscription Agreement, as set out in clause 6 of the Subscription Agreement.

Device refers to Actiste Device or Actiste Mini Device (as applicable to you), which are mobile connected devices that may include, but are not limited to, functions of measuring your blood glucose level, injecting insulin (Actiste Device only), logging treatment values, and sharing data over-the-air from the same device.

Diabetes Data includes, but is not limited to, length, weight, gender, date of birth, diabetes type, insulin used, schedules and debut of diabetes.

Effective Date means the date of accepting the terms and conditions of the Subscription Agreement (where a Subscription Agreement applies).

Exercise Data includes, but is not limited to, your frequency, level and intensity of exercise you undertake on a daily basis and which you record using the App.

Health Related Data includes, but is not limited to, Diabetes Data, Blood Glucose Data, Insulin Dose Data, Exercise Data, Mood Data and Meal Data.

Identification Data includes, but is not limited to, first name, last name, user name or similar identifier, personal ID number, billing address, delivery address, email address and telephone numbers.

Initial Subscription Term means the period of time commencing on the date of the Subscription Agreement as set out in clause 10 of the Subscription Agreement.

Insulin Dose Data includes, but is not limited to, your insulin doses which you inject and where you input and record such doses using the Device and/or the App.

Intellectual Property Rights includes patents, utility models, rights to inventions, copyright and neighbouring and related rights, moral rights, trademarks and service marks, business names and domain names, rights in get-up and trade dress, goodwill and the right to sue for passing off or unfair competition, rights in designs, rights in computer software, database rights, rights to use, and protect the confidentiality of, confidential information (including know-how and trade secrets) and all other intellectual property rights, in each case whether registered or unregistered and including all applications and rights to apply for and be granted, renewals or extensions of, and rights to claim priority from, such rights and all similar or equivalent rights or forms of protection which subsist or will subsist now or in the future in any part of the world.

Legitimate Interests means the interest of our business in conducting and managing our business to enable us to give you the best ADMS and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your Personal Data for our legitimate interests. We do not use your Personal Data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted by Applicable Law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us.

Meal Data includes, but is not limited to, the food and drink which you consume on a daily basis and which you record using the App.

Mood Data includes, but is not limited to, your general moods and feelings which you experience on a daily basis and which you record using the App.

Patient means any end user who is diabetic and who uses ADMS.

Performance of Contract means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.

Personal Data means together the Identification Data, Health Related Data and Technical Data.

Persons means either natural persons or legal persons as the context may require.

Recipient or Recipients includes, but is not limited to:

  • Service Providers acting as processors, joint controllers or controllers (as the context may require) who provide services to you or who have access to your Personal Data, or who provide services to us which are necessary for the operation of our business.
  • Professional advisers acting as processors, joint controllers or controllers (as the context may require) including lawyers, bankers, auditors and insurers who provide consultancy, banking, legal, insurance and accounting services.
  • Regulators and other authorities acting as processors, joint controllers or controllers (as the context may require) who require reporting of processing activities in certain circumstances.
  • Persons to whom we may choose to sell, transfer or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your Personal Data in the same way as set out in this Data Privacy Policy.

Renewal Period means the renewal of the Initial Subscription Term as set out in clause 10 of the Subscription Agreement (where a Subscription Agreement applies).

Service means the service you connect to via the App, through https://actiste.net and/or https://actiste.com (including any relevant sub-domains unless certain terms of the ADMS Agreement are expressly excluded from such sub-domains’ own terms) (Actiste Network) and the Device and the information and data we provide to you through the App, the Actiste Network and the Device.

Service Provider means any end user who is a service provider who Brighter may have partnered with to provide the Patient and other Recipients with ADMS.

Subscription Agreement (if applicable) means the subscription agreement between Brighter and a Patient where Brighter agrees to provide the Patient with ADMS and the Patient agrees to pay Brighter a Subscription Fee.

Subscription Fee means the monthly subscription fee paid by each Patient to Brighter to access ADMS (whether pursuant to a Subscription Agreement with Brighter or another arrangement with any reseller or distributor for Brighter).

Subscription Term means together the Initial Subscription Term and the Renewal Term.

Technical Data includes, but is not limited to, the Actiste Device Data, approximate location data of your Device and technical data of phone device including but not limited to brand, operating system, and version number.
