Personal Health Data Guide

The purpose of this health data notice (hereinafter the "Notice") is to inform any individual or legal entity connecting to and using the iHealth applications (hereinafter "User", "Users", "Your" or "You") of the terms and conditions for hosting and processing their personal data, in particular personal health data, by these applications (hereinafter "Personal Data"). 

1. GENERAL PROVISIONS

1.1 Overview of iHealth applications

The iHealth applications (hereinafter referred to as "the Applications") have been developed for iHealth products and services (hereinafter referred to as "the Products") and are operated by iHealthLabs Europe, a single-member limited liability company with its registered office at 36 rue de Ponthieu, 75008 Paris, France, registered with the Paris Trade and Companies Register under number B 792 514 341 (hereinafter referred to as "iHealth", "Our" or "We"), in compliance with the regulations in force in France relating to data processing, data files and individual liberties and in Europe on the protection of Personal Data, in particular the French Data Protection Act no. 78-17 of 6 January 1978, but also the French Public Health Code and the recommendations of the HAS (Haute Autorité de Santé), an independent French public authority (hereinafter "the Regulations").

The data controller is Mr Stéphane KERRIEN, in his capacity as CEO of iHealth.

This Notice governs the Applications exclusively, and is an integral part of the documentation and legal conditions for the use of iHealth services, which appear in the legal tabs. Therefore, each User concerned by this Notice is also subject to the other conditions, in particular:

- In the event of simple browsing on the https://ihealthlabs.eu/ website (hereinafter the "Website"), the General Terms and Conditions of Use of the Website and the Privacy Policy.

- In the event of the purchase of Products, the General Terms and Conditions of Sale B to B or B to C.

iHealth publishes and operates various Applications.

The Products work with integrated Applications that allow Personal Data to be collected.

For products that connect via Bluetooth, the data is first transmitted to the application and will then, when the application is synchronised with the WiFi network, be sent to the iHealth Cloud.

For products that connect via Wi-Fi, personal health data will be sent directly to the iHealth Cloud, before being redirected and saved on the application.

The Products with integrated Applications are :

• iHealth Wave connected wristband
• iHealth Air pulse oximeter
• iHealth Lite, Lina, Core and Fit connected scales
• iHealth BP3, Track, Feel, Sense, View, Clear, Neo and Push blood pressure monitors
• iHealth Gluco, Gluco+ and Align connected glucose monitors

Mobile Applications: refers to Applications published by iHealth, with a graphical interface, which can be downloaded and accessed from the User's Smartphone or iPad. These Applications enable Personal Data resulting from the use of the Products to be saved, recorded and accessed.

The mobile Applications published by iHealth are :

• iHealth MyVitals
• iHealth Gluco-Smart

The iHealth Cloud: refers to the hosting platform set up by iHealth, accessible online from the User's Smartphones, graphic tablets and computers, via an Internet browser. This platform enables the User to access all his/her Personal Data.

For more information about using the Applications and Products, the User may contact iHealth customer service at the following address: support@ihealthlabs.eu.

1.2 Opposability

This Notice is made available to Users on the Website, where it can be consulted directly. It can be downloaded from the site.

The collection and processing of Personal Data is subject to the prior consent of Users. This consent is distinct from any consent already given by the User concerning the conditions of use of the site or the collection of any personal data of an informative nature concerning his/her qualities, which may already have been given simply by using the Website.

Users are informed that any Personal Data disclosed, directly or indirectly, to iHealth will be stored, hosted and, if necessary, processed automatically, in a manner approved by official bodies as complying with the Regulations.

For further details concerning the hosting of Personal Data, Users are invited to refer to article 4 of this Notice.

This Notice applies first and foremost to Users established in France or in a member state of the European Union, who acknowledge that they have read this Notice before connecting to and using the Applications and Products. This is why they have been asked to accept it expressly and without reservation, before any subsequent step, by ticking the box provided for this purpose. Users have also been advised that they are strongly advised to save this Notice on a durable medium so that they can retain information relating to the processing of their data for as long as is necessary to protect their interests. They acknowledge that they have been duly informed of the conditions under which their Personal Data is collected, stored, hosted and processed, and of the fact that these operations are carried out under supervision and after formal declaration to the official bodies. They are also aware of the possibility they have of being informed of the status and content of this data, and their right to exercise their individual rights, in particular to oppose or delete information concerning them, for a legitimate reason. Finally, Users acknowledge that they are of legal age or capable within the meaning of the applicable law (for Users under the age of eighteen (18), see article 8 of the Notice).

In the event of any reservations and/or disputes relating to the Notice, these will be interpreted as a refusal to expressly consent to this Notice. The User must then disconnect and stop using the Applications, and if necessary uninstall them.

2. PERSONAL DATA LIKELY TO BE COLLECTED

As the User has been informed, iHealth may process the User's Personal Data, on the basis of the User's express consent, in particular to provide the services the User has subscried to.

When collecting Personal Data, Users are advised that they must only provide iHealth with information that is complete, accurate and up-to-date, and that does not prejudice the interests or rights of third parties.

2.1 Personal data collected when browsing our Website

iHealth may collect certain Personal Data from Users when they browse the Website. We invite Users to consult the Confidentiality and Personal Data Policy relating to their use of and browsing on the Website, as well as the Policy relating to the use of Cookies. This essentially concerns information for identifying and recognising the User, excluding any data relating to his/her health or well-being.

2.2 Personal Data collected when using iHealth Applications and Products

2.2.1. When a Product is activated

The User of iHealth Products and Applications, who has therefore not limited himself/herself to consulting the site, but who has subscribed to these elements, is advised that at the time of activating a Product, certain data relating to his/her body identity (weight, height, sex, etc.) may be collected so that the Product can be adapted and configured according to the User's needs.

In addition, iHealth may ask the User to download a mobile Application which requires in particular the creation of an iHealth account.

2.2.2 When creating an iHealth account

The creation of an iHealth account enables full use to be made of the Products and Applications.

To this end, some of the User's identity data may be collected (surname, first name, e-mail address and possibly telephone number), as well as data relating to his/her choices and options for well-being, and body identity (weight, height, sex, etc.).

2.2.3 When using the Products

The Products work with integrated Applications that allow Personal Data to be collected.

For products that connect via Bluetooth, the data is first transmitted to the application and will then, when the application synchronises with the WiFi network, be sent to the iHealth Cloud.

For products that connect via Wi-Fi, personal health data will be sent directly to the iHealth Cloud, before being redirected and saved on the application.

The Personal Data that may be collected depends on the Product used:

2.2.4 When synchronising and using Mobile Applications

Certain functions of the Products require a connection with mobile Applications.

When the Product is synchronised with a mobile Application, Personal Data is recorded and then transmitted to the iHealth Cloud via a WiFi connection.

Depending on the device used by the User to access a mobile Application, certain identity data may be communicated when the Application is downloaded.

iHealth reminds Users that the use of a mobile Application requires the creation of an iHealth account (for more information, see article 2.2.2 of this Notice).

Mobile Applications operate and transmit Personal Data to the iHealth Cloud via an internet connection. They make it possible to process the raw Personal Data collected by the Products in order to make them readable for the User, as well as for the persons he/she has specially authorised for this purpose.

It is possible for the User to activate options enabled by his/her device, such as geolocation. In addition, although Mobile Applications can access the User's contacts, making it easier to share information with them, iHealth does not store them.

The Personal Data that may be processed depends on the Mobile Application used:

2.2.5 Use of cookies

iHealth may use Cookies during the installation and use of the Applications in order to facilitate their operation. For more information concerning these Cookies, iHealth invites the user to refer to Article 7 of this Notice and to the relevant section of the site.

2.3 Personal data collected when connecting an iHealth account to an iHealth partner

iHealth provides connectivity options to third-party applications that are partners of iHealth. These partners may offer to connect the User's Personal Data with their applications.

Through the use of iHealth's API, these partner applications can then collect personal identity data, body identity data, environmental data, activity level data and, where applicable, health-related data.

In these cases, iHealth has specific agreements with these partners allowing iHealth and said partners to access the Personal Data collected by their respective Applications. For more information on the terms and conditions of this sharing, iHealth invites the User to refer to article 3.2.1 of this Notice.

2.4 Personal Data collected when contacting iHealth customer service

In the event of a request concerning a Product or Application, the User may contact the iHealth customer service department. In this case, the User provides certain Personal Data that will temporarily allow the User to be identified and its teams to respond to the User's requests and any questions.

iHealth ensures that its teams comply strictly with this Notice.

In this way, individual and bodily identity data, activity level data, environmental data, Cookies and, where applicable, health data may be used.

3. USE AND SHARING OF PERSONAL DATA

3.1 Use of Personal Data

The Products collect raw Personal Data which is processed by the Mobile Applications in order to offer the User services enabling him to optimise his use of the Products.

iHealth uses certain Personal Data collected in order to improve iHealth's services and to develop them according to the User's usage habits.

iHealth refrains from using Personal Data when it is identifying, except with the express consent of the User.

iHealth prohibits any act of transfer of identifiable Personal Data, directly or indirectly, for consideration.

Some of the Personal Data collected is used to target the User's requests and propose offers, make suggestions or announce the launch of new Products.

If the User no longer wishes to receive this information, they simply need to deactivate the notifications they no longer wish to receive.

iHealth may also use Personal Data, anonymised beforehand to protect the User's privacy, in order to produce statistics or analyses.

The use of Personal Data by iHealth also makes it possible to contribute to knowledge of uses, to the development and improvement of the connected objects it offers, as well as to the enrichment of the iHealth blog, to the issue of press releases and to participation in scientific studies.

3.2 Sharing of Personal Data

3.2.1 Sharing at the User's initiative

Authentication details (CPS card, PIN code, certificates, passwords, etc.) and Users' Personal Data (hereinafter referred to as "Confidential Data") are private and confidential. The decision to share or transfer them securely to third parties, in particular healthcare professionals, healthcare establishments or services, relatives, etc. rests solely with the Users.

The sharing or transfer of Confidential Data to third parties is carried out at the User's own risk and the User agrees that iHealth cannot be held responsible for any loss of confidentiality, auditability or integrity due to the disclosure of these elements.

The User explicitly acknowledges that iHealth cannot be held responsible for the processing of Confidential Data by the aforementioned third parties and for any prejudice that may be caused, in particular during prevention, diagnosis, care or social and medico-social monitoring activities.

It is also specified that iHealth is not responsible for protecting the Confidential Data that the User chooses to share or transfer to third parties, nor for preventing or controlling the actions or uses made of the said data by the said third parties following this communication.

In addition, Users are advised to exercise caution when deciding to share or transfer their Confidential Data to third parties, particularly on the Internet, outside the modes of communication offered by iHealth where their transmission is likely to be intercepted.

• With healthcare professionals and third parties

In the event that the User chooses to share or transfer his/her Confidential Data with a healthcare professional or another natural or legal person, iHealth invites the latter to ensure that these are only communicated to the persons for whom they are intended.

It is the User's responsibility to ensure, with these professionals, that they do not allow the disclosure of their Confidential Data, by any means whatsoever, whether by authorising them to view the screen of their terminal, by prints or screen captures, spyware, or any other consultation method. Users are also required to close their session before leaving their workstation.

• With an iHealth partner

As indicated, iHealth provides connectivity options to third-party applications that are partners of iHealth. These partners may thus offer to connect the User's Personal Data with their own. This sharing is enabled by the use of the iHealth API.

Such sharing or transfer of Confidential Data will only be possible if the User expressly so chooses in advance, and his/her consent may be modified or withdrawn at any time. This consent is independent of any other consent that the User may have given previously.

Although it offers the option of connecting to a third-party application, iHealth cannot be held responsible for the safeguarding, security and appropriate processing of the User's Confidential Data through its use of such third-party applications.

Consequently, by opting to share with a third-party application, or to transfer Confidential Data to such third parties, the User explicitly acknowledges that iHealth cannot be held responsible for the processing of Confidential Data by the said third parties, and the User agrees that iHealth declines all responsibility for any harm that may be caused by the processing of Confidential Data by these third-party applications.

iHealth therefore invites its Users to check the Personal Data protection provisions put in place by the said partners before agreeing to the sharing of their Confidential Data.

• On social networks

If the User chooses to share his/her Personal Data on social networks, this sharing is done in accordance with the terms of use of the social network used and the privacy policy specific to this social network.

3.2.2 Sharing necessary for the use of certain services

In order for iHealth to offer particular services to Users, it may be necessary for iHealth to share Personal Data with other companies. This concerns in particular the sharing of Personal Data enabling online payment services on the Website.

3.2.3 Legal obligation to share Personal Data

iHealth may be obliged to communicate Personal Data by requisition of a judicial or administrative authority, authorised by law, in accordance with the legal and regulatory provisions in force.

Unless prohibited from doing so, iHealth will inform the User concerned as soon as possible in the event of the transmission of his/her Personal Data.

4. TERMS AND CONDITIONS FOR HOSTING AND STORING PERSONAL DATA

iHealth a choisi d’héberger les Données Personnelles de ses Utilisateurs dans le Cloud iHealth sécurisé et spécialement habilité, dont les serveurs sont situés en France, l’un des pays les plus attentifs à la protection des données personnelles, notamment de santé.

Lorsque l’Utilisateur synchronise ses Produits avec les Applications mobiles, ses mesures sont envoyées dans le Cloud iHealth sécurisé. Le Cloud est un espace de stockage de données en ligne. Grâce à ce dernier, il est possible pour l’Utilisateur d’accéder à ses Données Personnelles gratuitement depuis tous ses appareils et à tout moment.

De par leur conception, les Applications n’utilisent pas un stockage local. Cela signifie que l’intégralité des Données Personnelles collectées et traitées par les Applications, sera exclusivement hébergée sur le Cloud iHealth sécurisé et non sur le terminal de l’Utilisateur.

Conformément aux dispositions en vigueur en France sur la protection des données personnelles, iHealth recourt pour la mise en œuvre de la traçabilité, du stockage et du traitement des Données Personnelles, à un hébergement agréé de données de santé à caractère personnel.

iHealth a choisi de confier la gestion des Données Personnelles à la société Informatique de Sécurité, dont le siège social est au 2 avenue des Puits à Montceau Les Mines, inscrite au RCS de Châlon sur Saône sous le numéro 339 178 949 (ci-après « IDS »). IDS est un hébergeur certifié ISO 27001:2013 et agréé en France pour l’hébergement de données de santé à caractère personnel. La liste des hébergeurs agréés est accessible sur le site internet de l’agence gouvernementale ASIP Santé (l’agence française de la santé numérique) à l’adresse suivante :

http://esante.gouv.fr/services/referentiels/securite/hebergeurs-agrees

IDS provides a highly secure hosting, storage and connectivity service on behalf of iHealth, using several communication, data processing and storage centres. These are equipped with advanced security devices and procedures, and access to them is strictly restricted and controlled by a number of security measures (security staff and airlocks, specific access control readers, etc.). Some of these centres may be hosted on the premises of external service providers, but they are operated exclusively by IDS staff.

The encryption of communications between the Users' terminals and the secure iHealth Cloud, the authentication of the Users and the daily backup of the Personal Data deposited are ensured by the security capsule defined and operated by IDS, which provides all the technical developments necessary to protect the availability, confidentiality, integrity and auditability of their Personal Data processed by the Applications. IDS and iHealth take all measures reasonably necessary to ensure that Users' Personal Data is processed securely and in compliance with this Notice.

5. RETENTION PERIOD FOR PERSONAL DATA

Users' Personal Data is kept for no longer than is relevant and necessary to achieve the purposes for which it is collected and processed, unless otherwise required by law or specifically recommended by the CNIL (Commission Nationale de l'Informatique et des Libertés).

The User's Personal Data is thus kept until the User's account has been deleted (on this issue, the User may refer to article 6.5 of this Notice).

6. USER RIGHTS

In accordance with the Regulations, the User has the right to access, object to, rectify and, subject to the legal provisions applicable to the matter, delete Personal Data concerning him/her, by contacting iHealth:

By e-mail to the following address: support@ihealthlabs.eu

By post to the following address: iHealthLabs Europe, 36 rue de Ponthieu, 75008 Paris, France.

6.1 Rights of access and retrieval of Personal Data

All Users have the right to privacy, secrecy and free access to all information concerning their health. At any time and on simple request, the User has the possibility, via a secure procedure, of having easy access to all the information concerning his/her health in relation to the Applications, in a form that is easily accessible and exportable.

In this way, iHealth makes available in an open, structured, commonly used and machine-readable format, enabling the storage of Users' Personal Data, the access rights granted and the history of access to this Personal Data. It is hereby specified that iHealth may object to requests that are manifestly abusive, particularly in terms of their number, repetitive or systematic nature.

Users may access information concerning their health in relation to the Applications and Products in various ways.

- Users may access it by contacting iHealth (retrieval via the cloud) or,

- Users may also access it indirectly through a third party such as a family member or a healthcare professional whom they designate in order to obtain communication. The latter are health professionals and health establishments or services which take care of Users and which are responsible for producing or collecting the Personal Health Data hosted.

To submit a request, please contact us:

- By e-mail at the following address: support@ihealthlabs.eu

- By post at the following address: iHealthLabs Europe, 36 rue de Ponthieu, 75008 Paris, France.

Should the User have any questions, remarks or comments, in particular concerning their Personal Data, including its origin, the purposes of processing, the categories of Personal Data processed and the recipients or categories of recipients to whom the Personal Data is communicated, we invite them to contact us.

6.2 Right to object to processing of Personal Data

All Users have the right to object, on legitimate grounds, to their Personal Data being processed, by contacting iHealth.

Nevertheless, failure to communicate certain Personal Data may have possible consequences on the use of the Products and Applications, including the impossibility of connection and use.

6.3 Right to rectify Personal Data

Tout Utilisateur justifiant de son identité peut demander à tout moment que soient rectifiées, complétées et mises à jour les Données Personnelles le concernant. Pour cela, l’Utilisateur peut prendre contact avec iHealth.

6.4 Right to delete Personal Data

Subject to the legal provisions applicable to the matter, the User's Personal Data which are inaccurate, incomplete, equivocal, out of date or which were collected when the User was a minor at the time of collection may be deleted on request by contacting iHealth.

6.5 Deletion of the iHealth account

If the User wishes to delete his/her iHealth account, he/she should contact iHealth at the following e-mail address: support@ihealthlabs.eu. The account cannot be deleted from the Mobile Applications or the Website.

The User's Personal Data is then deleted from the secure iHealth Cloud.

However, iHealth maintains and regularly performs a security guarantee for Personal Data by means of a backup procedure, in accordance with legal and regulatory provisions.

Users' Personal Data may therefore be archived on the secure iHealth Cloud if they are used to establish proof of a right or contract, or archived to comply with a legal obligation in accordance with the provisions in force. The archiving periods therefore correspond to the statutory periods. Archived Personal Data may only be consulted on a one-off basis by Users or through a healthcare professional designated by them in order to obtain access to it.

If back-ups archived by iHealth reach the end of their legal retention period, they will either be permanently deleted or irreversibly anonymised for statistical and scientific purposes. Thus, iHealth cannot guarantee that Users' Personal Data will be accessible forever.

This is why, before deleting their account, Users have the possibility, via a secure procedure, at any time and on simple request, to have easy access to all the information concerning them, in a form that is easily accessible and exportable (for the methods of accessing and recovering Personal Data, see article 6.1 of the Notice above).

7. USE OF COOKIES

As already indicated in the section and tab provided for this purpose, Cookies may be placed on the User's terminal in order to identify his/her browser or device. iHealth uses Cookies and other similar technologies to collect technical information on how Users use the Applications and to adapt its Products to Users' needs, in particular by offering new functions.

Cookies and other similar technologies also make it possible to optimise and simplify the use of the Applications in order to ensure that they function properly.

Cookies collect technical information from the User's terminal in order to track data, such as how the User uses the Applications and any errors that may occur. This analysis data may be transmitted to the secure iHealth Cloud.

When installing the Application, the User has the choice of accepting or refusing Cookies.

In addition, the User may later block Cookies by activating a setting on his/her terminal which allows him/her to refuse the placement of Cookies. However, if the User sets his terminal to block all Cookies (including essential Cookies), he may not be able to use the Applications, or only certain functions of the Applications.

8. MINOR USERS

iHealth does not collect or process any Personal Data associated with an individual whom we have confirmed is under eighteen (18) years of age, unless we have the prior and verifiable consent of his or her parents or legal guardians (hereinafter "Parents or Guardians"). If the User is under the age of eighteen (18), his/her Parents or Guardians must give their consent to iHealth by contacting us:

- By e-mail at the following address: support@ihealthlabs.eu

- By post at the following address: iHealthLabs Europe, 36 rue de Ponthieu, 75008 Paris, France.

If you are a Parent or Guardian with questions, remarks or comments regarding your child's Personal Data, we invite you to contact us.

If we collect or process Personal Data from a person under the age of eighteen (18), or from a minor who uses our Applications and Products without the consent of his or her Parents or Guardians, we will be obliged to permanently delete his or her Personal Data from our secure iHealth Cloud as soon as we have knowledge and confirmation of this.

9. CHANGES TO THIS PRIVACY POLICY

iHealth reserves the right to modify this Notice at any time, in particular to adapt it to the needs of Users.

Any new version of this Notice will be posted on the Website and iHealth will inform Users of any changes to this Notice by e-mail or by push notification from the Applications so that Users can take note of them. Users will also be asked to consent to this new Notice.

The version online on the Web Site will prevail over any other version of this Notice, with the exception of changes made after an order has been placed in accordance with common law.

The nullity of a clause does not entail the nullity of the Notice, which continues to produce its effects.

10. CONTACT

If you have any questions, remarks or comments about this Notice, please contact us:

- By e-mail at the following address: support@ihealthlabs.eu

- By post at the following address: iHealthLabs Europe, 36 rue de Ponthieu, 75008 Paris, France.

Download the Health Data Notice here.