www.lowcarbprogram.com and our Low Carb Program mobile app (each of and together the “Sites” or “Service“) are owned and operated by Diabetes Digital Media Limited of Technology House, Sir William Lyons Road, University of Warwick Science Park, Coventry, CV4 7EZ (“we”, “us”, “our“).
For the purposes of data protection law:
- If you are referred to the Low Carb Program by your NHS GP, the data controller is the Clinical Commissioning Group (CCG) that commissioned the Service.
- In this instance, DDM is acting as a data processor for NHS Login for the ID Verification service and as a processor for the Clinical Commissioning Group (CCG) that has directed us to deliver our Service.
- The data processor may adopt the legal basis of the data controller to allow them to carry out the instructions of the controller. The NHS is not a third party for GDPR for the purposes of sharing/transfer.
- Otherwise, the data controller is Diabetes Digital Media Limited with registration number Z3613413.
Your continued use of the Sites and our services after posting will constitute your acceptance of, and agreement to, any changes.
1. WHAT IS PERSONALLY IDENTIFIABLE INFORMATION (PII) / PERSONAL DATA?
Personal data or PII means any information relating to a person who can be identified either directly or indirectly by that information; it may include name, address, email address, phone number, credit / debit card number, IP address, location data, purchase history (“Personal Data”).
2. INFORMATION WE MAY COLLECT FROM YOU
2.1. We may collect and process the following data about you:
- Information you provide to us – This includes:
- Information provided at the time of registering to use our Sites, for the purchase of products and/or use of our services, posting material, submitting testimonials, reviewing products, raising quotes or general enquiries, completing an offer submission, entering a competition or requesting further services. We may also ask you for information when you report a problem with our Sites or regarding the products and services provided by us.
- Sensitive Personal Data concerning health matters from or about you if you disclose such information on our Sites (when signing up for an account with us, when registering to take part in clinical trials, making enquiries or otherwise). This includes information relation to your health condition, treatments and medications you make take and healthcare and medical devices you may use.
- If you contact us, we may keep a record of that correspondence and/or any video or audio uploads or telephone calls.
- We may also ask you to complete surveys that we use for research purposes, although you do not have to respond to them.
- Details of transactions you carry out through our Sites and of the fulfilment of your orders.
- Payment details including but not limited to the name on your bank card, the invoice address and partial card number.
- Information we collect about you – When you visit the Sites we may automatically collect information about your computer or device, including your IP address, information about your visit, your browsing history, and how you use the Sites. This information may be combined with other information you provide to us, as described above. You can see more about services we use below.
- Information we receive from other sources – We are also working closely with third parties (including, for example, business partners, advertising networks, analytics providers, and search information providers) and may receive information about you from them. This may be combined with other information you provide to us, as described above.
2.2. Please note you have the option of what information in your account is publicly displayed. Furthermore, within your account, you have the option to opt-in or opt-out of automatically generated e-mails from us.
2.3. Please note that as a free user of the Low Carb Program you will have limited accessibility to the program and the features within it until a subscription is purchased. As a free user of the Low Carb Program we hold the right to contact you with a personalised journey specifically for non-paying customers. The journey you receive will be in accordance with the communication preferences that you select. We may contact you via email, SMS, and push notifications. Communication preferences can be edited at any time via the preference centre in the settings section of the program. Toward the expiry of your free user subscription we may contact you with information on how to purchase a subscription and the benefits of doing so.
2.4. Data security is extremely important to us. All data is stored encrypted-at-rest (i.e. in storage) and also during transit. Your data is stored in the United Kingdom, using Google Cloud services located in the United Kingdom.
2.5. Anonymised, aggregate data may be transferred outside of the United Kingdom for the purposes detailed in Section 7.
2.6. Only data exported by the end user, with their consent to share, is shareable outside of the platform.
3. OUR NEWSLETTER
3.1. You may choose to opt in to receiving our newsletter, either directly through the “Join the Low Carb Program Newsletter” page, by entering a competition, submitting a (travel insurance or life insurance) quote request or when you complete a free meter enquiry form on our Sites. If you choose to opt in you will receive related newsletters from us via email to your registered email address. If you do not wish to be added to our newsletter database please do not opt in.
3.2. In order to unsubscribe from our newsletter please select the “unsubscribe” option in your welcome email (or any subsequent newsletter emails). Please note this is an automated service and as such we cannot be responsible for any errors which may occur in submitting your unsubscription request. Please contact us at [email protected] if you require any assistance with unsubscribing from our newsletter.
4. MEDICAL INFORMATION
You should be aware that information captured via our Sites may be viewed by our medical team. None of this information will be passed to any other person except for:
- disclosure for the prevention of crime;
- in accordance with applicable law;
- compliance with the direction of any regulatory or governing bodies;
- for the purposes of preventing injury or harm to you as the data subject; or
- when registering to receive services or take part in clinical trials/surveys, to the responsible organisation(s).
5. PURPOSES FOR WHICH WE PROCESS PERSONAL DATA
5.1. We will only process your Personal Data, in accordance with applicable law, for the following purposes:
- creating and maintaining your customer account, if you become a registered customer with us;
- handling and fulfilling your requests, if you request goods and/or services from us;
- offering our services to you in a personalised way, for example, we may provide you with information, products or services that you request from us or which we feel may interest you, where you have consented to be contacted for such purposes;
- facilitating your relationship with your health insurance company, if you have been referred to us and based solely on your involvement with the Low Carb Program;
- to publish testimonials you submit about us and/or the Sites and to identify you as the author of such testimonial(s) (identification will be limited to your [first name, age, gender and location];
- for research and statistical purposes, but any Personal Data relating to your health will always be anonymised and aggregated and will not identify you;
- administering any promotion or competition, that you enter via the Sites or via email communication;
- to allow you to participate in interactive features of our services, when you choose to do so;
- resolving any disputes, if you lawfully exercise your rights or if you wish to dispute any part of our service offering;
- sending you personalised marketing communications, where you have agreed that we may do so, in order to keep you informed of our products and services, as well as those of our selected partners’ and Providers’, which we (or they) consider may be of interest to you;
- providing you, or allow carefully selected third parties to provide you, with information about products or services, that may interest you;
- ensuring the security of your account and our business, preventing or detecting fraud or abuses of our Sites, for example, by requesting verification information in order to reset your account password (if applicable);
- developing and improving our products and services, for example, by reviewing visits to the Sites and its various subpages, demand for specific products and services and user comments;
- to administer the Sites and for internal business administration and operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes;
- to notify you about changes to our services and to send you service emails relating to the activities you have asked us to undertake on your behalf;
- as part of our efforts to keep the Sites safe and secure;
- to comply with our legal obligations to carry out the instructions of the controller, for example, if you are referred to the Service by your NHS GP, we may adopt the legal basis of the controller to allow us to carry out their instructions, and may, for instance, share data with the NHS Clinical Commissioning Group (CCG) that provided you access to the Service; and
- to comply with applicable law, for example, in response to a request from a court or regulatory body, where such request is made in accordance with the law.
5.2. Your consent, as the “Data Subject”, to the processing as specified in this Policy is the primary legal ground for our processing of your Personal Data. However, there may be circumstances where we may also rely on other valid legal grounds for the processing of your Personal Data, such as:
- your request for content, products or services necessitating steps including processing of your Personal Data to be taken prior to entering into contract with you and any processing that is necessary for the performance of such contract;
- legitimate interests we pursue as a business, except where such interests are overridden by your interests and fundamental rights; and
- compliance with any legal obligation to which we are subject, such as, for example, the processing for the purposes of complying with applicable law.
5.3 Please note that if you access our service using your NHS login details, the identity verification services are managed by NHS Digital. NHS Digital is the controller for any personal information you provided to NHS Digital to get an NHS login account and verify your identity, and uses that personal information solely for that single purpose. For this personal information, our role is a “processor” only and we must act under the instructions provided by NHS Digital (as the “controller”) when verifying your identity. To see NHS Digital’s Privacy Notice and Terms and Conditions, please click here. This restriction does not apply to the personal information you provide to us separately.
6. DISCLOSURE OF YOUR INFORMATION
There are circumstances where we wish to disclose or are compelled to disclose your Personal Data to third parties. This will only take place in accordance with the applicable law and for the purposes listed above. These scenarios include disclosure to:
- our subsidiaries, branches or associated offices;
- your health insurance company (who may have referred you to the Low Carb Program or who you have otherwise notified us of) in order for them to contact you to discuss your insurance policy in connection with your participation in the Low Carb Program;
- your NHS Clinical Commissioning Group, if they have referred you to the Low Carb Program. Any information shared with your NHS Clinical Commissioning Group will be in anonymised aggregated form and will not identify you. You will always be asked to opt-in to sharing any identifiable data;
- the Swiss Re Group, who is a leading global reinsurer and who facilitates our relationship with your health or life insurance company. This data is only shared if you have been provided the Low Carb Program by your insurance company. Any information shared with the Swiss Re Group will be in anonymised aggregated form only and will not identify you;
- where you submit testimonials about us and/or the Sites, in order for those agents to publish such testimonials via various media (which may include online and printed publications and/or film);
- our outsourced service providers and suppliers to facilitate the provision of goods and/or services to you, together with such other goods and/or services as we and/or they feel may interest you;
- to research organisations where the information has been anonymised and aggregated;
- our advertising partners who enable us to deliver personalised ads to your devices or similar advertising;
- subject to your consent, to our marketing partners, who may contact you by post, email, telephone, SMS or by other means. If you do not wish to be contacted, you may unsubscribe by notifying us at [email protected] by clicking “unsubscribe” in the message concerned;
- analytics and search engine providers that assist us in the improvement and optimisation of the Sites. Your Personal Data is generally shared in a form that does not directly identify you;
- third party analytics providers that assist us in establishing trends amongst our users based on the information you provide to us and generating associated content (for example, news articles and/or social media posts);
- selected third party service providers in order to share the statistical and analytical information generated above, in an anonymised and aggregated format only;
- third party service providers and consultants in order to protect the security or integrity of our business, including our databases and systems and for business continuity reasons;
- another legal entity, on a temporary or permanent basis, for the purposes of a joint venture, collaboration, financing, sale, merger, reorganisation, change of legal form, dissolution or similar event. In the case of a merger or sale, your Personal Data will be permanently transferred to a successor company;
- public authorities where we are required by law to do so;
- if required, in order to receive legal advice; and
- any other third party where you have provided your consent.
7. INTERNATIONAL TRANSFER OF PERSONAL DATA
We may transfer your anonymised and aggregated Personal Data to a third party in countries outside the country in which it was originally collected for further processing in accordance with the purposes set out above. In particular, your anonymised and aggregated Personal Data may be transferred throughout our group and to our research partners abroad. In these circumstances, we will, as required by applicable law, ensure that your privacy rights are adequately protected by appropriate technical, organisation, contractual or other lawful means. Please contact [email protected] for a copy of the safeguards which we have put in place to protect your anonymised and aggregated Personal Data and privacy rights in these circumstances.
8. RETENTION OF PERSONAL DATA
8.1. Your Personal Data will be retained until your last use of our services and normally for a period of three years thereafter, unless longer retention is required by applicable local law or where we have a legitimate and lawful purpose to do so. However, we will not retain beyond this period any of your Personal Data that is no longer required for the purposes set out in this Policy. The retention of your Personal Data will be subject to periodic review.
8.2. We may keep an anonymised form of your Personal Data, which will no longer refer to you, for statistical purposes without time limits, to the extent that we have a legitimate and lawful interest in doing so.
8.3. Please contact us at [email protected] if you would further details about our data retention periods.
8.4. You are free to withdraw your consent for Low Carb Program to process your personal information by deleting your Account – please instruct the Support Team to do so on your behalf. After you withdraw your consent, you will still be able to access some of the incredible features and content available on our websites.
9. DATA SUBJECT RIGHTS
9.1. Data protection law provides Data Subjects with numerous rights, including the right to: access, rectify, erase, restrict, transport, and object to the processing of, their Personal Data. Data Subjects also have the right to lodge a complaint with the relevant data protection authority if they believe that their Personal Data is not being processed in accordance with applicable data protection law.
- Right to make subject access request (SAR). Data Subjects may, where permitted by applicable law, request copies of their Personal Data. If you would like to make a SAR, i.e. a request for copies of the Personal Data we hold about you, you may do so by writing to [email protected] whose contact details are above. The request should make clear that a SAR is being made. You may also be required to submit a proof of your identity and a fee.
- Right to rectification. You may request that we rectify any inaccurate and/or complete any incomplete Personal Data.
- Right to withdraw consent. You may, as permitted by applicable law, withdraw your consent to the processing of your Personal Data at any time. Such withdrawal will not affect the lawfulness of processing based on your previous consent. Please note that if you withdraw your consent, you may not be able to benefit certain service features for which the processing of your Personal Data is essential.
- Right to object to processing, including automated processing and profiling. You may, as permitted by applicable law, request that we stop processing your Personal Data. In relation to automated processing and profiling, you may object to the processing and you will have the right to obtain human intervention.
- Right to erasure. You may request that we erase your Personal Data and we will comply, unless there is a lawful reason for not doing so. For example, there may be an overriding legitimate ground for keeping your Personal Data, such as, a legal obligation that we have to comply with, or if retention is necessary for us to comply with our legal obligations.
- Right to data portability. In certain circumstances, you may request that we provide your Personal Data to you in a structured, commonly used and machine readable format and have it transferred to another provider of the same or similar services. We will comply with such transfer as far as it is technically feasible. Please note that a transfer to another provider does not imply erasure of your Personal Data which may still be required for legitimate and lawful purposes.
- Your right to lodge a complaint with the supervisory authority. We suggest that you contact us about any questions or if you have a complaint in relation to how we process your Personal Data. However, you do have the right to contact the relevant supervisory authority directly. To contact the Information Commissioner’s Office in the United Kingdom, please visit the ICO website for instructions.
10.1. Diabetes Digital Media Limited comply with recognised International Data Management Standards, including ISO9001 and ISO27001 and have been accredited as part of this process.
10.2. Diabetes Digital Media Limited are fully compliant with The Data Protection Act 1998.
10.3. Sites are developed alongside recognised compliance standards such as NHS Data Standards, including the NHS Information Governance toolkit.
10.4. The iOS and Android Low Carb Program apps are compliant with OWASP Mobile Application Security Verification Standard (MASVS) Level 2+R.
The Sites may, from time to time, contain links to and from the websites of our partner networks, advertisers, affiliates and other third parties. If you follow a link to any of these websites, please note that these websites may have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal information to these websites.