iHealthLabs Europe Personal Data Protection Policy
Last updated: 07/08/2024
iHealthLabs Europe SAS (hereinafter, “iHealthLabs”) is a company that sells and distributes connected and non-connected healthcare devices, including clinically validated medical devices, wellness products and health data tracking applications. iHealthLabs is a part of Andon Health Co., Ltd. (hereinafter, “Andon Health”), the publisher of iHealth applications and manufacturer of the connected devices that work with our applications.
This document sets out the iHealthLabs Personal Data Protection Policy (hereinafter, the “Policy”) pursuant to European Regulation (EU) 2016/679 on the protection of personal data (hereinafter, the “GDPR” or the “Regulation”) and the amended French Data Protection Act. This Policy is available on request and will remain permanently accessible on the website www.ihealthlabs.eu to ensure the widest possible distribution. iHealthLabs is also able to provide any additional information the user may require to aid their full understanding of the contents of this Policy. To contact iHealthLabs in this regard, please use the contact details provided in Section V of this Policy.
In accordance with the requirement for transparency established in the GDPR, this Policy has been written so as to be easy to understand and interpret by all data subjects whose personal data may be processed by iHealthLabs. As such, the information contained in this Policy is organised into the following sections:
- GDPR Requirements Applicable to the Processing of Personal Data Performed by iHealthLabs
- Description of Data Processing
- Transfer of Data Outside the European Union
- Rights of Data Subjects
- Contacting iHealthLabs About Data Protection or to Exercise Your Data Protection Rights
This Policy may be amended from time to time, so we recommend that it is consulted on a regular basis.
I. GDPR Requirements Applicable to the Processing of Personal Data Performed by iHealthLabs
As set out in the GDPR, personal data is defined as any information that relates to an identified or identifiable living individual, whether directly or indirectly. iHealthLabs processes personal data in order to manage its business operations and customer relationships. A description of the data processing that is performed can be found in Section II of this Policy.
In order to comply with the requirements of the GDPR, iHealthLabs adheres to the following practices:
- We will ensure that data is collected and processed fairly for lawful, explicit and legitimate purposes, strictly within the scope of the company's business operations;
- We will take care to ensure that all processing is transparent, providing appropriate information to individuals whenever data is gathered, whether provided by the data subject or a third party or gathered using technology;
- When personal data is requested directly from an individual, we will clearly explain the legal basis for processing their data. If an individual is required to provide their personal data for regulatory or contractual reasons (e.g., as a prerequisite for the provision of a service or conclusion of an agreement), we will inform them of their obligation to provide said personal data; in such circumstances, we will also clearly explain the potential consequences of failing to provide personal data and provide them with all relevant information so that they fully understand the circumstances and their rights concerning the processing of their personal data;
- When personal data is not collected directly from the data subject, we will endeavour to inform them of the source of the data and provide them with similar information as that detailed above, either through an intermediary or by the party gathering the data; in accordance with the GDPR, the data subject will be informed within a reasonable period that their personal data has been collected. Where data is collected for the purposes of communication with the data subject, we will provide the aforementioned information upon first contact with the data subject. Where personal data can be legitimately disclosed to another recipient, the data subject will be informed when the data is first disclosed to the recipient;
- Where automated decision-making processes are applied, including profiling, we will provide useful information regarding the underlying logic involved, as well as the importance and potential consequences of such processing;
- If we intend to carry out any further processing of personal data for a purpose other than that for which the data was originally collected, we will inform the data subject of this, providing any information that may be required to ensure complete transparency and allow the user to fully understand this other purpose;
- We will only share restricted data with recipients according to their level of authorisation, including internal departments at iHealthLabs and, where applicable, the stakeholders concerned;
- In addition, we also undertake to:
- Minimise the amount of data processing carried out by iHealthLabs with respect to the different purposes described in Section II of this Policy,
- Ensure that data is regularly kept up to date,
- Store data in an appropriate manner, in accordance with the purposes of processing, contractual or operational requirements and regulatory obligations, where applicable, pursuant to applicable legislation,
- Adopt appropriate means to manage our relationships with data recipients and sub-contractors to ensure compliance with our legal obligations and guarantee confidentiality,
- In the event of any transfer of data to a country outside the European Union, take all necessary measures, in accordance with the requirements of the GDPR, to guarantee compliance with all applicable European regulations,
- Ensure that all our employees are aware of the importance of protecting personal data and guaranteeing its confidentiality,
- Ensure that data processing is appropriately secure,
- Take into consideration the rights of data subjects, in accordance with the applicable regulations, as detailed in Section IV of this Policy.
In addition to observing the principles and requirements of data protection law, we also undertake to adopt the necessary organisational and technical measures to ensure compliance with the GDPR and provide operational guarantees.
II. Description of Data Processing
iHealthLabs processes personal data for use in the following areas of the business:
- iHealth connected devices and applications, customer support and third-party applications
- Commercial relations with users
- Commercial relations with business partners
- Cookies and trackers
1. iHealth Connected Devices and Applications, Customer Support, Third-party Applications
1.1 iHealth Connected Devices and Applications
iHealthLabs processes personal data derived from the use of the company's smartphone or tablet applications*, services and products, including connected devices**.
The different ways in which personal data is processed have a contractual legal basis established by the general conditions that apply to the user's relationship with iHealthLabs. Data processing is necessary in order to deliver the results expected by the user, according to their use of iHealthLabs's products or services.
Data is processed in order to manage the user's account, display aggregated indicators on the user’s smartphone or tablet screen or via a web interface, record and back up data, update data based on manually entered information or data gathered by connected devices, and provide customer support.
The data collected is intended exclusively for the use of iHealthLabs and is used solely to manage the company’s relationship with the data subject.
System data and data linked to iHealth applications are securely stored in France by a subcontractor certified as a health data hosting provider (HDS) under the French Public Health Code.
* iHealth MyVitals, iHealth MyVitals Legacy, iHealth Gluco-Smart, iHealth CardioPro
** iHealth Track, Ease, Feel, Sense, View, Clear, Push, Neo and CardioMed blood pressure monitors; iHealth Gluco, Gluco+ and Align blood glucose monitors; iHealth Air pulse oximeter; iHealth Lite, Core, Lina and Fit scales; iHealth Wave and Vital activity trackers
Concerning the iHealth MyVitals application, the following personal data will be processed:
Category of Personal Data | Description |
Identification data | Date of birth, gender First and last name, photograph (optional) |
Contact details | E-mail address |
Physical characteristics | Size, weight (optional) |
Lifestyle habits | Sporty: Yes / No (optional) Daily activity: Sedentary / Active / Very active (optional) |
Geographical data | Country, language |
Technical data | Mobile phone type, mobile operating system version, error codes, measurement device model, measurement device MAC address, measurement date and time, measurement performed online or offline |
Sensitive Data | |
Health data | Depending on the products used: Blood pressure monitor: Blood pressure, Pulse, Arrhythmias Pulse oximeter: Pulse oxygen saturation, Pulse, Perfusion index Activity bracelet: Activity data (number of steps, distance covered, movement, calories burned, swimming distance), Sleep data (duration and quality indicators) Scales: Weight, fat mass, BMI, water mass, lean mass, visceral fat content, bone mass, muscle mass, daily calorie intake |
Concerning the iHealth MyVitals Legacy application, the following personal data will be processed:
Category of Personal Data | Description |
Identification data | First and last name, gender, date of birth, photograph (optional) |
Contact details | E-mail address |
Physical characteristics | Height, weight |
Lifestyle habits | Sporty: Yes / No (optional) Daily activity: Sedentary / Active / Very active (optional) |
Geographical data | Country, language |
Technical data | Mobile phone type, mobile operating system version, error codes, measurement device model, measurement device MAC address, measurement date and time, measurement performed online or offline |
Sensitive Data | |
Health data | Depending on the products used: Blood pressure monitor: Blood pressure, Pulse, Arrhythmias Pulse oximeter: Pulse oxygen saturation, Pulse, Perfusion index Activity bracelet: Activity data (number of steps, distance covered, movement, calories burned, swimming distance), Sleep data (duration and quality indicators) Scales: Weight, fat mass, BMI, water mass, lean mass, visceral fat content, bone mass, muscle mass, daily calorie intake |
Concerning the iHealth Gluco-Smart application, the following personal data will be processed:
Category of Personal Data | Description |
Identification data | Date of birth, gender Optional: First and last name, photograph |
Contact details | E-mail address |
Physical characteristics | Height, weight |
Lifestyle habits | Target ranges, Meal times |
Geographical data | Country, language |
Technical data | Mobile phone type, mobile operating system version, error codes, measurement device model, measurement device MAC address, measurement date and time, measurement performed online or offline |
Sensitive Data | |
Health data | Blood glucose Measurement time (fasting, before breakfast, after breakfast, before lunch, after lunch, before dinner, after dinner, bedtime, after snacks, random) Oral medication (name of drug, dosage, number of units) Activity (duration) Carbohydrates (grams) |
Concerning the iHealth CardioPro application, the following personal data will be processed:
Category of Personal Data | Description |
Identification data | Users (Healthcare professionals): Last name First name Gender (M/F); Patients: Last name First name Gender (M/F) Date of birth |
Contact details | Users: Username Password Phone Address E-mail address; Patients: Telephone (optional) Address (optional) E-mail address (optional) |
Geographical data | Users: Country Language Latitude, longitude (to calculate sunrise and sunset times) |
Technical data | Mobile phone type, mobile operating system version, error codes, measurement device model, measurement device MAC address, measurement date and time, measurement performed online or offline |
Sensitive Data | |
Health data | Patients: Size (optional) Weight (optional) Examination duration (25 or 49 hours) Blood pressure and pulse measurements (at regular intervals during the examination) Posture and activity level Bedtime and wake-up time, nap times, on the day(s) of examination Antihypertensive treatment (yes/no) If 49-hour examination, change of circumstances between days 1 and 2 (yes/no) Calculations derived from these measurements |
1.2 Customer Support
With regard to customer support, personal data is processed to carry out the various tasks required to resolve technical problems or respond to user queries. iHealthLabs provides users with both first- and second-level support. In certain rare and specific cases, iHealthLabs may need to contact Andon Health (third-level support), located in China, to resolve the problem and guarantee that data is processed correctly. This may mean that Andon Health's support team needs to access customer data to ensure that user accounts function correctly. iHealthLabs will always inform the customer and request their authorisation before requesting intervention by Andon Health. If such authorisation is not provided, Andon Health will not intervene.
Users can receive a more personalised service by completing a questionnaire or using the chat tool available on the iHealth Assistance or Start by iHealth Assistance websites.
The different ways in which personal data is processed have a contractual legal basis established by the general conditions that apply to the user's relationship with iHealthLabs.
Data processing is necessary in order to deliver the results expected by the user when using the customer support service.
Concerning the customer support contact form, the following personal data will be processed:
Category of Personal Data | Description |
Contact | E-mail address |
Technical data | Date and time of connections IP address |
Communication data (supplied by user) | Reason for contact (drop-down menu) Subject Description; Depending on the problem encountered: Order number (optional) Product iHealth application username iHealth application used Smartphone OS Type of problem Web browser |
Concerning the customer support chat feature, the following personal data will be processed:
Category of Personal Data | Description |
Identification data | Name (optional) |
Contact details | E-mail address (optional) |
Communication data | Messages exchanged with the user |
1.3 Third-party Applications
iHealthLabs offers users the option of synchronising their personal data with third-party applications used by other product or service providers.
This data transfer requires the user’s prior consent. The user may withdraw their consent at any time via the application settings. iHealthLabs recommends that users carefully check the Personal Data Protection policies adopted by third-party applications before agreeing to share their data.
2. Commercial Relations with Users
With respect to the commercial relationship with the user, personal data is processed in order to perform the various tasks required to create and manage the user's account on the www.ihealthlabs.eu website. This includes the ordering of products and their subsequent payment and responding to queries and requests submitted using the contact form.
The legal basis for processing in these different circumstances is the contract entered into with the user when the account is created on the website. Processing is necessary in order to deliver the results expected by the user. The data collected is exclusively intended for use by iHealthLabs and is used solely to manage the company’s commercial relationship with the user.
When an account is created on the www.ihealthlabs.eu website, the following personal data will be processed:
Category of Personal Data | Description |
Identification data | Civil status (optional) First name Last name Account creation date and time |
Contact details | E-mail address |
Technical data | Date and time of connections IP address |
When products are ordered on the website, the following personal data will be processed:
Category of Personal Data | Description |
Transaction data | Abandoned basket Order reference Products in the order Payment method Order status Total amount paid Order date and time |
Delivery details | Delivery address Phone number |
When a query is submitted using the contact form on the website, the following personal data will be processed:
Category of Personal Data | Description |
Identification data | First and last name |
Contact details | E-mail address |
Technical data | Date and time of connections IP address |
Communication data (supplied by user) | Subject (drop-down menu) Message |
3. Commercial Relations with Business Partners
Personal data is also processed by iHealthLabs Europe in order to facilitate and manage its commercial relations with other business partners and professionals.
The legal basis for processing in these circumstances is the legitimate interest of iHealthLabs.
In order to facilitate and manage its relations with business partners, the company processes the following data:
Category of Personal Data | Description |
Company details | Company name, company registration number, company address, website address, EORI number, VAT number, delivery address, contact person (first and last name, telephone no., e-mail address), payment method |
4. Data Retention Period
iHealth applications and connectable products
Personal data is kept for as long as the user's account exists. After 3 years without connection to an iHealth application, the account is considered inactive. An e-mail will then be sent to the user explaining that their account and associated personal data will be permanently deleted without any action on their part 60 days after this e-mail is sent.
Customer support
Personal data collected through the various customer support channels (website support contact form, website chat, application contact section) is kept for 7 years.
Commercial relations with users
Data relating to the creation of an account on the www.ihealthlabs.eu website and to orders placed on the site is kept for 10 years. Data relating to the site's general contact form is kept for 7 years.
Commercial relations with professionals
Data relating to professional partners is kept for as long as the commercial relationship is active.
5. Cookies and Trackers
iHealthLabs uses cookies on its website, www.ihealthlabs.eu. A cookie is a small text file stored on the user's computer when visiting a site. The purpose of this data processing is to collect non-personally identifiable information relating to visits to the pages on the website, facilitate identification to provide access to the user’s account and, when browsing the site, retain the contents of an order basket and memorise products viewed. We recommend that you consult the Cookies section for further information about how iHealthLabs uses cookies and the options for users to exercise their rights.
III. Transfer of Data Outside the European Union
As mentioned in Section II of this Policy, the customer support service may require assistance from Andon Health engineers located in China. In such circumstances, any transfer of data is guaranteed under the GDPR by standard contractual clauses signed between iHealthLabs Europe and Andon Health. These clauses describe the implementation of technical and organisational measures to ensure appropriate data security and confidentiality is maintained during secure remote interventions, without downloading data from the customer located in Europe.
IV. Rights of Data Subjects
Under the GDPR, individuals have a set of rights that they may exercise according to the circumstances in which their personal data is processed.
These rights are as follows:
- The right to be informed whenever their personal data is gathered, whether directly or indirectly;
- The right to receive confirmation from the data controller as to whether or not their personal data is being processed and, if so, the right to access said personal data;
- The right to rectification and erasure, enabling the rectification of inaccurate personal data as soon as possible and, depending on the purposes of the processing, the right to have the data completed, including by providing an additional declaration, as well as the right to erasure, enabling the erasure of personal data as soon as possible when certain conditions are met. The user has the option of deleting their personal data (either via the application or by contacting the support service): no data is retained if their account is deleted;
- The right to restrict processing for a certain period, under certain circumstances, such as a potential challenge to the accuracy of personal data, unlawful processing to which an individual objects, or where data processing is required for the establishment, exercise or defence of any legal rights, or in the event of a pending verification regarding the prevalence of the legitimate grounds pursued by the data controller over those of the data subject;
- The right to portability of data where processing is based on the data subject's consent or a contractual agreement: the option to download all of the personal data held relating to the user;
- The right to object to any individual automated decision based on the data subject's particular situation, subject to the applicable legislation.
Data subjects also have the right to lodge a complaint with the relevant data protection supervisory authority in their country.
V. Contacting iHealthLabs About Data Protection or to Exercise Your Data Protection Rights
iHealthLabs undertakes to respond to any and all queries concerning the application of the GDPR to its business operations.
In the event of a request to exercise any of the rights recognised by the GDPR, iHealthLabs shall endeavour to provide a concise, transparent and understandable response, expressed in clear and simple terms.
Information may also be provided in writing or by any other means, including electronically if the original request was submitted electronically.
On request, information may be provided orally, provided that your identity is verified by some other means. To verify your identity, you may be asked to provide additional information or supporting documentation.
iHealthLabs has appointed a data protection delegate who is responsible for liaising with the Commission Nationale de l'Informatique et des Libertés. As part of their role and in accordance with the GDPR, this delegate will be involved in all processing projects and will be responsible for ensuring that people’s rights are respected and promoting a data protection culture within the iHealthLabs organisation.
Any request to exercise your data protection rights may be sent to us in the following manner:
- By e-mail to dpo@ihealthlabs.eu
- By post to: DPO – iHealthLabs Europe, 36 rue de Ponthieu, 75008 Paris, France.
As stated in Section IV of this Policy, individuals have the right to lodge a complaint with the relevant data protection supervisory authority in their country.