www.lowcarbprogram.com and our Low Carb Program mobile app (each of
and together the “Sites” or “Service“) are owned and operated by
Diabetes Digital Media Limited of Technology House, Sir William Lyons Road, University of Warwick
Science Park, Coventry, CV4 7EZ (“we”, “us”, “our“).
Conditions and any other documents referred to therein) sets out how we process the personal data of each visitor
and customer (resident in the European Union) to the Sites, where such personal data is provided to us through any
of the Sites, via email communication and any branded pages on third party platforms (such as Facebook or
YouTube). Please read the following carefully to understand our views and practices regarding your personal data
and how we will treat it.
By ticking the box where indicated on the Sites, submitting your personal data to us, and using our
For the purposes of data protection law:
- If you are referred to the Low Carb Program by your NHS GP, the data controller is the Clinical Commissioning
Group (CCG) that commissioned the Service.
- In this instance, DDM is acting as a data processor for NHS Login for the ID Verification service and as a
processor for the Clinical Commissioning Group (CCG) that has directed us to deliver our Service.
- The data processor may adopt the legal basis of the data controller to allow them to carry out the
instructions of the controller. The NHS is not a third party for GDPR for the purposes of sharing/transfer.
- Otherwise, the data controller is Diabetes Digital Media Limited with registration number Z3613413.
Your continued use of the Sites and our services after posting will constitute your acceptance of, and agreement
to, any changes.
1. WHAT IS PERSONALLY IDENTIFIABLE INFORMATION (PII) / PERSONAL DATA?
Personal data or PII means any information relating to a person who can be identified either directly or
indirectly by that information; it may include name, address, email address, phone number, credit / debit card
number, IP address, location data, purchase history (“Personal Data”).
2. INFORMATION WE MAY COLLECT FROM YOU
2.1. We may collect and process the following data about you:
- Information you provide to us – This includes:
- Information provided at the time of registering to use our Sites, for the purchase of products and/or use
of our services, posting material, submitting testimonials, reviewing products, raising quotes or general
enquiries, completing an offer submission, entering a competition or requesting further services. We may
also ask you for information when you report a problem with our Sites or regarding the products and services
provided by us.
- Sensitive Personal Data concerning health matters from or about you if you disclose such
information on our Sites (when signing up for an account with us, when registering to take part in clinical
trials, making enquiries or otherwise). This includes information relation to your health condition,
treatments and medications you make take and healthcare and medical devices you may use.
- If you contact us, we may keep a record of that correspondence and/or any video or audio uploads or
- We may also ask you to complete surveys that we use for research purposes, although you do not have to
respond to them.
- Details of transactions you carry out through our Sites and of the fulfilment of your orders.
- Payment details including but not limited to the name on your bank card, the invoice address and partial
- Information we collect about you – When you visit the Sites we may automatically
collect information about your computer or device, including your IP address, information about your visit, your
browsing history, and how you use the Sites. This information may be combined with other information you provide
to us, as described above. You can see more about services we use below.
- Information we receive from other sources – We are also working closely with third
parties (including, for example, business partners, advertising networks, analytics providers, and search
information providers) and may receive information about you from them. This may be combined with other
information you provide to us, as described above.
2.2. Please note you have the option of what information in your account is publicly displayed. Furthermore,
within your account, you have the option to opt-in or opt-out of automatically generated e-mails from us.
2.3. Please note that as a free user of the Low Carb Program you will have limited accessibility to the program
and the features within it until a subscription is purchased. As a free user of the Low Carb Program we hold the
right to contact you with a personalised journey specifically for non-paying customers. The journey you receive
will be in accordance with the communication preferences that you select. We may contact you via email, SMS, and
push notifications. Communication preferences can be edited at any time via the preference centre in the settings
section of the program. Toward the expiry of your free user subscription we may contact you with information on
how to purchase a subscription and the benefits of doing so.
2.4. Data security is extremely important to us. All data is stored encrypted-at-rest (i.e. in storage) and also
during transit. Your data is stored in the United Kingdom, using Google Cloud services located in the United
2.5. Anonymised, aggregate data may be transferred outside of the United Kingdom for the purposes detailed in
2.6. Only data exported by the end user, with their consent to share, is shareable outside of the platform.
3. OUR NEWSLETTER
3.1. You may choose to opt in to receiving our newsletter, either directly through the “Join the Low Carb Program
Newsletter” page, by entering a competition, submitting a (travel insurance or life insurance) quote request or
when you complete a free meter enquiry form on our Sites. If you choose to opt in you will receive related
newsletters from us via email to your registered email address. If you do not wish to be added to our newsletter
database please do not opt in.
3.2. In order to unsubscribe from our newsletter please select the “unsubscribe” option in your welcome email (or
any subsequent newsletter emails). Please note this is an automated service and as such we cannot be responsible
for any errors which may occur in submitting your unsubscription request. Please contact us at [email protected] if you require any assistance with
unsubscribing from our newsletter.
4. MEDICAL INFORMATION
You should be aware that information captured via our Sites may be viewed by our medical team. None of this
information will be passed to any other person except for:
- disclosure for the prevention of crime;
- in accordance with applicable law;
- compliance with the direction of any regulatory or governing bodies;
- for the purposes of preventing injury or harm to you as the data subject; or
- when registering to receive services or take part in clinical trials/surveys, to the responsible
5. PURPOSES FOR WHICH WE PROCESS PERSONAL DATA
5.1. We will only process your Personal Data, in accordance with applicable law, for the following purposes:
- creating and maintaining your customer account, if you become a registered customer with us;
- handling and fulfilling your requests, if you request goods and/or services from us;
- offering our services to you in a personalised way, for example, we may provide you with
information, products or services that you request from us or which we feel may interest you, where you have
consented to be contacted for such purposes;
- facilitating your relationship with your health insurance company, if you have been referred
to us and based solely on your involvement with the Low Carb Program;
- to publish testimonials you submit about us and/or the Sites and to identify you as the
author of such testimonial(s) (identification will be limited to your [first name, age, gender and location];
- for research and statistical purposes, but any Personal Data relating to your health will
always be anonymised and aggregated and will not identify you;
- administering any promotion or competition, that you enter via the Sites or via email
- to allow you to participate in interactive features of our services, when you choose to do
- resolving any disputes, if you lawfully exercise your rights or if you wish to dispute any
part of our service offering;
- sending you personalised marketing communications, where you have agreed that we may do so,
in order to keep you informed of our products and services, as well as those of our selected partners’ and
Providers’, which we (or they) consider may be of interest to you;
- providing you, or allow carefully selected third parties to provide you, with information about
products or services, that may interest you;
- serving personalised advertising to your devices; delivering ads based on your interests
ascertained from your past requests, visits of subpages and purchases on third party websites, and other data
- ensuring the security of your account and our business, preventing or detecting fraud or abuses of our
Sites, for example, by requesting verification information in order to reset your account password (if
- developing and improving our products and services, for example, by reviewing visits to the
Sites and its various subpages, demand for specific products and services and user comments;
- to administer the Sites and for internal business administration and operations, including
troubleshooting, data analysis, testing, research, statistical and survey purposes;
- to notify you about changes to our services and to send you service emails relating to the
activities you have asked us to undertake on your behalf;
- as part of our efforts to keep the Sites safe and secure;
- to comply with our legal obligations to carry out the instructions of the controller, for
example, if you are referred to the Service by your NHS GP, we may adopt the legal basis of the controller to
allow us to carry out their instructions, and may, for instance, share data with the NHS Clinical Commissioning
Group (CCG) that provided you access to the Service; and
- to comply with applicable law, for example, in response to a request from a court or
regulatory body, where such request is made in accordance with the law.
5.2. Your consent, as the “Data Subject”, to the processing as specified in this Policy is the primary legal
ground for our processing of your Personal Data. However, there may be circumstances where we may also rely on
other valid legal grounds for the processing of your Personal Data, such as:
- your request for content, products or services necessitating steps including processing of your Personal Data
to be taken prior to entering into contract with you and any processing that is necessary for the performance of
- legitimate interests we pursue as a business, except where such interests are overridden by your interests and
fundamental rights; and
- compliance with any legal obligation to which we are subject, such as, for example, the processing for the
purposes of complying with applicable law.
5.3 Please note that if you access our service using your NHS login details, the identity verification services
are managed by NHS Digital. NHS Digital is the controller for any personal information you provided to NHS Digital
to get an NHS login account and verify your identity, and uses that personal information solely for that single
purpose. For this personal information, our role is a “processor” only and we must act under the instructions
provided by NHS Digital (as the “controller”) when verifying your identity. To see NHS Digital’s Privacy Notice
and Terms and Conditions, please click here. This restriction does not apply to the personal information you provide to
6. DISCLOSURE OF YOUR INFORMATION
There are circumstances where we wish to disclose or are compelled to disclose your Personal Data to third
parties. This will only take place in accordance with the applicable law and for the purposes listed above. These
scenarios include disclosure to:
- our subsidiaries, branches or associated offices;
- your health insurance company (who may have referred you to the Low Carb Program or who you have otherwise
notified us of) in order for them to contact you to discuss your insurance policy in connection with your
participation in the Low Carb Program;
- your NHS Clinical Commissioning Group, if they have referred you to the Low Carb Program. Any information
shared with your NHS Clinical Commissioning Group will be in anonymised aggregated form and will not identify
you. You will always be asked to opt-in to sharing any identifiable data;
- the Swiss Re Group, who is a leading global reinsurer and who facilitates our relationship with your health or
life insurance company. This data is only shared if you have been provided the Low Carb Program
by your insurance company. Any information shared with the Swiss Re Group will be in anonymised aggregated form
only and will not identify you;
- where you submit testimonials about us and/or the Sites, in order for those agents to publish such
testimonials via various media (which may include online and printed publications and/or film);
- our outsourced service providers and suppliers to facilitate the provision of goods and/or services to you,
together with such other goods and/or services as we and/or they feel may interest you;
- to research organisations where the information has been anonymised and aggregated;
- our advertising partners who enable us to deliver personalised ads to your devices or similar advertising;
- subject to your consent, to our marketing partners, who may contact you by post, email, telephone, SMS or by
other means. If you do not wish to be contacted, you may unsubscribe by notifying us at [email protected] by clicking “unsubscribe” in the
- analytics and search engine providers that assist us in the improvement and optimisation of the Sites. Your
Personal Data is generally shared in a form that does not directly identify you;
- third party analytics providers that assist us in establishing trends amongst our users based on the
information you provide to us and generating associated content (for example, news articles and/or social media
- selected third party service providers in order to share the statistical and analytical information generated
above, in an anonymised and aggregated format only;
- third party service providers and consultants in order to protect the security or integrity of our business,
including our databases and systems and for business continuity reasons;
- another legal entity, on a temporary or permanent basis, for the purposes of a joint venture, collaboration,
financing, sale, merger, reorganisation, change of legal form, dissolution or similar event. In the case of a
merger or sale, your Personal Data will be permanently transferred to a successor company;
- public authorities where we are required by law to do so;
- if required, in order to receive legal advice; and
- any other third party where you have provided your consent.
7. INTERNATIONAL TRANSFER OF PERSONAL DATA
We may transfer your anonymised and aggregated Personal Data to a third party in countries outside the country in
which it was originally collected for further processing in accordance with the purposes set out above. In
particular, your anonymised and aggregated Personal Data may be transferred throughout our group and to our
research partners abroad. In these circumstances, we will, as required by applicable law, ensure that your privacy
rights are adequately protected by appropriate technical, organisation, contractual or other lawful means. Please
contact [email protected] for a copy of the safeguards
which we have put in place to protect your anonymised and aggregated Personal Data and privacy rights in these
8. RETENTION OF PERSONAL DATA
8.1. Your Personal Data will be retained until your last use of our services and normally for a period of three
years thereafter, unless longer retention is required by applicable local law or where we have a legitimate and
lawful purpose to do so. However, we will not retain beyond this period any of your Personal Data that is no
longer required for the purposes set out in this Policy. The retention of your Personal Data will be subject to
8.2. We may keep an anonymised form of your Personal Data, which will no longer refer to you, for statistical
purposes without time limits, to the extent that we have a legitimate and lawful interest in doing so.
8.3. Please contact us at [email protected] if you would
further details about our data retention periods.
8.4. You are free to withdraw your consent for Low Carb Program to process your personal information by deleting
your Account – please instruct the Support Team to do so on your behalf. After you withdraw your consent,
you will still be able to access some of the incredible features and content available on our websites.
9. DATA SUBJECT RIGHTS
9.1. Data protection law provides Data Subjects with numerous rights, including the right to: access, rectify,
erase, restrict, transport, and object to the processing of, their Personal Data. Data Subjects also have the
right to lodge a complaint with the relevant data protection authority if they believe that their Personal Data is
not being processed in accordance with applicable data protection law.
- Right to make subject access request (SAR). Data Subjects may, where permitted by applicable
law, request copies of their Personal Data. If you would like to make a SAR, i.e. a request for copies of the
Personal Data we hold about you, you may do so by writing to [email protected]
whose contact details are above. The request should make clear that a SAR is being made. You may also be
required to submit a proof of your identity and a fee.
- Right to rectification. You may request that we rectify any inaccurate and/or complete any
incomplete Personal Data.
- Right to withdraw consent. You may, as permitted by applicable law, withdraw your consent to
the processing of your Personal Data at any time. Such withdrawal will not affect the lawfulness of processing
based on your previous consent. Please note that if you withdraw your consent, you may not be able to benefit
certain service features for which the processing of your Personal Data is essential.
- Right to object to processing, including automated processing and profiling. You may, as
permitted by applicable law, request that we stop processing your Personal Data. In relation to automated
processing and profiling, you may object to the processing and you will have the right to obtain human
- Right to erasure. You may request that we erase your Personal Data and we will comply, unless
there is a lawful reason for not doing so. For example, there may be an overriding legitimate ground for keeping
your Personal Data, such as, a legal obligation that we have to comply with, or if retention is necessary for us
to comply with our legal obligations.
- Right to data portability. In certain circumstances, you may request that we provide your
Personal Data to you in a structured, commonly used and machine readable format and have it transferred to
another provider of the same or similar services. We will comply with such transfer as far as it is technically
feasible. Please note that a transfer to another provider does not imply erasure of your Personal Data which may
still be required for legitimate and lawful purposes.
- Your right to lodge a complaint with the supervisory authority. We suggest that you contact
us about any questions or if you have a complaint in relation to how we process your Personal Data. However, you
do have the right to contact the relevant supervisory authority directly. To contact the Information
Commissioner’s Office in the United Kingdom, please visit the ICO website for instructions.
10.1. Diabetes Digital Media Limited comply with recognised International Data Management Standards, including
ISO9001 and ISO27001 and have been accredited as part of this process.
10.2. Diabetes Digital Media Limited are fully compliant with the General Data Protection Regulation (GDPR).
10.3. Sites are developed alongside recognised compliance standards such as NHS Data Standards, including the NHS
Information Governance toolkit.
10.4. The iOS and Android Low Carb Program apps are compliant with OWASP Mobile Application Security Verification
Standard (MASVS) Level 2+R.
The Sites may, from time to time, contain links to and from the websites of our partner networks, advertisers,
affiliates and other third parties. If you follow a link to any of these websites, please note that these websites
may have their own privacy policies and that we do not accept any responsibility or liability for these policies.
Please check these policies before you submit any personal information to these websites.