Data Controller
Whenever this Privacy Notice refers to “we” or “ZenZen”, it means ZenZen, located at the business address Richard Sorge Straße 27, 10249 Berlin, Deutschland. ZenZen is the stated responsible entity and data controller under the data protection regulations. In other words, we decide on the purpose and means of processing your personal data (“User Data”) and are therefore responsible for its security and compliance with the applicable laws. Section 2 of this Privacy Notice contains detailed information on the necessary processing of your personal data.
The basis for this Privacy Notice is the General Data Protection Regulation of the European Union (“GDPR”, Regulation (EU) 2016/679); if your country of residence foresees additional or varying requirements, you can find information on those in section 9 of this Privacy Notice.
This Privacy Notice applies to User Data processed in connection with our products and services. As the responsible entity we are subject, for example, to information requirements that we wish to fulfill in connection with this Privacy Notice. We also provide additional information within our products, e.g. we may ask you for a new consent or explain the consequences of revocation. The information in our products does not contradict this privacy notice, but rather supplements it with brief and easily readable information so that you can make decisions more easily. This Privacy Notice and the additional information are easily accessible at any time from within our products and on our website.
Structure and consent concept
This Privacy Notice informs you about the purposes and scope of processing your User Data, data transfers, as well as your extensive rights. As our offer is exclusively aimed at persons with diabetes, your use of our products typically already provides information on your health condition. We therefore only process User Data as health data with your consent. We differentiate as follows:
“Necessary Processing of Personal Data” describes how we process your User Data which is required to fulfill the contract and to provide our services to you. Without this consent the use of our products is not possible from a legal and a factual point of view because our services depend on this processing.
“Processing for Product Improvement” explains how you can help us and other users, with your optional consent, by allowing us to use your data in particular to develop algorithms for therapy management, improve the product and so forth without us contacting you for advertising purposes etc. You can also use our products without giving us this consent - but your consent improves the database in the interest of all users so that we can improve our product more quickly.
“Processing for Marketing Purposes” describes how we contact you for marketing purposes, with your optional consent, e.g. by email, notifications etc. Here too you may use the products without consent but with your consent you will receive valuable information on our products or if, for example, your health insurance company covers new services.
Under “General Information” we have assembled the information that applies to all of the above consents to avoid repetition.
The above mentioned categories are described in more detail below. You may provide the relevant consents upon registration, upon request (e.g. during a pairing process) or later via the account settings. You may revoke any consents at any time via the account settings or by sending an email to support@zenzen.me. In such an instance we will inform you about the consequences of the revocation. The lawfulness of the processing prior to revocation remains unaffected.
In some cases, the processing of your data may take place independently of your consent on the basis of statutory principles, i.e. based on law (e.g. medical device regulations). We will inform you accordingly in appropriate cases.
2 CATEGORIES OF PERSONAL DATA WE PROCESS
Data Sources - ZenZen processes personal data that you directly or indirectly make available to us, for example by using our Products; that others provide to us, for example when you link your profile with a Partner Platform; or that we generate on our own, for example your user ID. Please note that the exact amount of personal data we process regarding you depends on how you use our products. Therefore, we may not process personal data concerning you in all categories.
Categories of personal data we collect from you or generate - these are the categories of personal data we might collect directly or indirectly from you and/or generate on our own:
Identity information – Any information that identifies you as an individual living person, including but not limited to: name (first name, last name, initials), date of birth, e-mail address, gender, profile picture, unique customer identifier number and password
Contact information – Any information that can be used to contact you, including but not limited to: phone number, shipping and billing address, e-mail address, social media handles or any other communication channel you have used to contact us.
Location information – Any information we can use to know or guess where you are, in real time or otherwise, including but not limited to: chosen residential location, current log-in location (IP address), real-time device location information via device sensors and signals, GPS location (if you wish to share it with us, for example through your mobile device settings) or information that helps us guess where you may be, such as the specific ZenZen website you have visited that might give us clues about where you are, or when you “check in” to an event or website on a social media page indicating location, if it is shared with us.
Size information – Any information related to your body measurements, including but not limited to: height, weight, circumferences, etc.
Purchase Information – Any information we use to complete your purchase or in relation to your purchase record and invoice, including but not limited to: payment provider, duration of ZenZen subscription, price, currency and VAT (based on country info). Although we do not store or otherwise process any credit card or bank details ourselves, we process a payment ID number given by the respective Payment Service Provider which can be allocated to you.
Profile and Community Information – Any information you provide to us in your social profile and/or when interacting with our communities and other users, including but not limited to: follower information in the ZenZen community, information provided when you participate in ZenZen events/challenges and groups/communities either as a trainer, team member, participant or promoter, pictures and videos you share, information you provide in your profile biography, team memberships and roles there, interests, feedback, likes and comments, leaderboard rankings, event participation, joined groups including roles, as well as challenge participations and success.
If you explicitly allow us to access your phone book, we will compare the email addresses of your contacts with email addresses of registered users within the ZenZen community and show you a list of people you might want to follow. However, we do not store this information.
Social Media Information – Any information about you we obtain through your interaction with us on social media channels, including but not limited to: any social media information that is publicly available such as your social media handles, social media interactions and public postings, “Likes” and other reactions, social media connections, photos that are public or those sent to us by mentioning us or following our social media posts by using “handles” or “hashtags”, and comments or messages you shared with us publicly or privately on social media platforms.
Device Information – Any information related to your (mobile) device which is collected by our Apps, including but not limited to: device EUI, device ID, device fingerprint, IP/Wifi information, operating system, data stored on the device when access is granted, log information when access to the device is granted, Partner Platform Apps installed, and device type and version.
Browsing information – Any information on your browsing behavior, including but not limited to: browser name, IP address, clickstream data, date and time of the visit, time spent on the Website, pages visited, links clicked in our marketing messages or Website, transmitted data volume, the referral URL (if you came to our Website via a different site or an advertisement), browser language and version, and add-ons.
Activity information – Any information connected to your metabolic activities which you track using our Products or import, including but not limited to: activity type (meal, exercise, fasting, mood, sleep), exercise routine (start, finish time, duration), glucose score (day, meal, etc.), nutrition information, photos and personal notes.
Correspondence – Any information you share through correspondence you have with our Customer Happiness Agents, and/or other employees and personnel including any opinion you share with us that indicate your point of view and comments. This may include when you provide us feedback and review rating our service or products, or if you participate in any product research and development surveys.
Preference Information – Any information which indicates your preferences, whether explicitly provided by you or inferred, including but not limited to: activity preference, site/brand preference, preferred language, product and product attribute preferences, units (glucose, weight, temperature), and personal goals and motivation.
Personal Data we receive from others. This is the personal data we receive from the following third parties:
Registration via Apple, Facebook or Google – If you register a ZenZen account via social login, we will receive the following information from the respective provider:
Apple Inc. (1 Apple Park Way Cupertino, CA 95014-0642 USA, “Apple”): First and last name, email address (if granted), gender and birthdate.
Meta Platforms Inc (1 Hacker Way, Menlo Park, California 94025): First and last name, email address, gender, birthdate and profile picture.
Google Inc. (1600 Amphitheatre Parkway Mountain View, CA 94043, USA, “Google”): First and last name, email address, gender, birthdate and profile picture.
Partner Platforms – We offer an automatic import of your activity information from other platforms we have a partnership with (“Partner Platforms”). However, we only import personal data from Partner Platforms if you have given us and the partner the order to connect your ZenZen account with the respective Partner Platform.
Apple HealthKit – We provide the opportunity to sync our Products with Apple’s (Apple Inc., One Apple Park Way, Cupertino, CA 95014, USA; “Apple”) HealthKit framework, which provides a central repository for health and fitness data on iPhone and Apple Watch.
Within the HealthKit settings, you can decide whether you want to allow our Products to read the personal data listed there and import it into the Products, to write personal data collected in our Products into HealthKit, or both.
Google Fit – We provide the opportunity to sync our Products with Google’s Fit SDK which is an open platform that lets users control their fitness data.
Within Google Fit's settings, you can decide whether you want to allow the Products to read personal data listed in Google Fit and import it into the Products, to write personal data collected in our Products into Google Fit, or both.
3 PROCESSING FOR PRODUCT IMPROVEMENT
ZenZen would also like to use the data you provide via the ZenZen products to continuously improve and innovate our portfolio by gathering insights, detecting patterns, generating real-world evidence and developing predictive algorithms from health data. Such innovations will be used for decision support with the objective of further improving medical outcomes and the quality of life of people with diabetes.
We will only use your data and any additional data, as detailed below, if you provide us with your express consent. You can give and revoke your consent for the processing for product improvement at any time, in your account settings within our apps.
Additional data
In general, we use the same User Data to improve our products as stated in sections 2 and 3. In addition, ZenZen may also record the following User Data:
Usage Data - We record Activity Events, not necessarily related to the delivery of our services, which allow us to understand how you use our products. This enables us to assess how our products are used and to constantly improve our services.
Purpose of product improvement
As a result of fast-paced technological progress, we have to constantly analyze, develop, test, and improve our products and their interactions in order to ensure that our content benefits users in the most effective way. To achieve this, we conduct usage and security tests, and the knowledge gained is incorporated into improved new versions of our products. These improvements are also provided to you via frequent app updates.
Providing our Products
We process your personal data to be able to provide you with a seamless user experience when using our Products and the Products features.
We may collect your Personal Data for this purpose by using technologies such as cookies, pixels and tags to collect your device information. For more information on the cookies we use, the personal data they collect, and how to disable them, please see our Cookie Policy.
The legal basis for these processing activities is the performance of your user agreement with us.
The data categories processed for this purpose are Identity Information, Contact Information, Location Information, Purchase information, Size Information, Profile and Community Information, Device Information, Browsing Information, Activity Information, Correspondence and Preference Information.
4 PROCESSING FOR MARKETING PURPOSES
4.1. Newsletter
We would like to send you interesting information on products and services in addition to the contractual scope, including information from carefully selected partners, and invitations to participate in surveys or other sales promotions and marketing activities (“Newsletter”).
We will only process your personal data for this purpose and send you Newsletters if you actively consent and subscribe. You can revoke your consent at any time, via the link in every Newsletter or in your account settings in our apps.
4.2 Other types of marketing
Other consents, e.g. for surveys, notifications, or customized offers, are obtained as required when you are logged in. We always explain to you why we need certain data and also how you can revoke the consent.
From time to time we may also show you offers within the app without processing your personal data. These non-customized advertisements will also be shown to you if you have not provided your consent for processing your personal data for marketing purposes.
5 USAGE FOR STATUTORY PURPOSES
5.1 Scientific research and statistics
ZenZen is committed to the science of all aspects of diabetes. Therefore, anonymous User Data may also be used for the purposes of research and statistics (always whilst complying with the recognized ethical scientific standards) and internal analyses. This is used mainly to determine and improve the effectiveness of techniques for controlling and treating diabetes. The legal basis for this is Article 9 (2) j) of the GDPR which provides for processing of Special Categories of Personal Data for scientific research and statistical purposes. We will always make sure that all User Data is properly anonymised before it is used for those purposes.
5.2 Enforcement of rights
The use of personal data may also be necessary to prevent abuse by users or to assert, exercise, or defend legal claims. We may be forced into disclosure due to binding laws, court or official decisions and instructions, criminal investigation, or in the public interest. In such cases, the storage and processing of your data is permitted by law without your consent. The legal basis for this is Article 9 (2) f) GDPR.
5.3 Compliance with medical device legislation
As the manufacturer or distributor of a medical device, we are subject to elevated requirements for monitoring the functionality of our products. This vigilance system required for regulatory purposes may also involve the processing of personal data. The legal basis for this is Article 9 (2) i) GDPR, which provides for processing necessary for reasons of public interest in the area of public health.
6 GENERAL INFORMATION
6.1 Purpose limitation and security
ZenZen uses your personal data exclusively for the purposes determined in this Privacy Notice and the relevant consents. We ensure that each processing is restricted to the extent necessary for its purpose.
We always guarantee adequate security and confidentiality of your personal data. This covers protection from unauthorized and illegal processing, unintentional loss, unintentional destruction or damage using appropriate technical and organizational measures. We use strict internal processes, security features, and the latest encryption methods, always taking into account state-of-the-art technology.
6.2 Data Processors
Our products are subject to complex processes that, in light of our millions of users, we have to manage and keep up-to-date. For technical support we therefore use certain affiliated companies of the Roche Group – F. Hoffmann-La Roche Ltd. - and third-party suppliers (“Data Processors”) in order to offer a comprehensive and optimal use of our products to you. The categories of Data Processors are listed in more detail in section 6.5.
ZenZen transfers User Data to Data Processors exclusively within the framework of this Privacy Notice and only to fulfill the purposes stated within. Data Processors work according to our specifications and instructions; they are not permitted to use the personal data of our users for their own or other purposes.
We use Data Processors offering sufficient guarantees that suitable technical and organizational measures are undertaken in a way that the processing of personal data complies with the statutory requirements and our Privacy Notice. The protection of the rights of our users is ensured by concluding binding contracts that meet the strict requirements of GDPR.
Third-party suppliers appointed by ZenZen may only use other processors (subcontractors) with our prior consent. If a subcontractor does not comply with the same data protection obligations and all of the appropriate security measures that we impose on our Data Processors, we will prohibit the use of such a subcontractor.
6.3 Encryption, pseudonymization, and anonymization
Each transfer of personal data, without exception and by default, is encrypted during transfer. Using HTTPS (hypertext transfer protocol secure) we ensure that your data is not intercepted by unauthorized third parties.
In addition, for the purposes of data security and minimization, we also use other processes for the encryption and pseudonymization of User Data. This depends on the type, scope, and purpose of the relevant data processing and takes into account the latest technology. For example, we only disclose or transfer User Data that a Data Processor requires to carry out their tasks.
When a contractual relationship with a Data Processor is terminated, such Data Processor must, at ZenZen’s discretion, either return all User Data or delete it if there are no statutory retention obligations.
Data that requires no personal reference for processing (e.g. for research and analysis) is subject to anonymization. This is done in a way that prevents a connection or attribution to a specific Data Subject in all cases.
6.4 EU and Third Countries
We primarily select Data Processors which are based in or whose servers are located in the European Union (EU) or European Economic Area (EEA).
In exceptional cases we may appoint third-party suppliers who are located in or who have servers outside the EU. However, even in these cases your personal data is subject to an equally high protection level in line with the GDPR – either through an EU adequacy decision, which considers data protection in certain third-party countries to be appropriate, or through the Standard Contractual Clauses approved by the European Commission, which the contractual relationships with our contracted Data Processors are based on, or through comparable legal instruments permitted under the GDPR. A copy of such guarantees or information on these can be requested via privacy@zenzen.me.
Furthermore, we ensure that our Data Processors have additional security standards in place, such as individual security measures and data protection provisions or certifications under the GDPR.
6.5 Categories of Data Recipients
Our cooperation partners are bound by the agreements signed with ZenZen as well as by the GDPR and only process data according to our instructions. We provide our users’ data only to fulfill the respective contract:
Manufacturers and suppliers require personal data, such as names and addresses to handle orders for goods. A typical example is the delivery of a blood glucose meter.
Insurance companies may exchange data with us if you buy our products as part of your health insurance (statutory or private). If applicable, this enables billing based on the tariff of your insurance company.
Accounting and payment service providers support us in the ongoing billing of our chargeable products.
Customer support services and their tools help our User Support to quickly and efficiently handle our users’ inquiries. Here, for example, queries are recorded from various communication channels and grouped according to topics using ticketing systems.
Analysis service providers and their tools help us to understand how users use our products in order for us to provide customized communication and product improvements in the future. This way we can for example avoid that a pump user with type 1 diabetes receives messages about type 2 diabetes or pens.
Marketing service providers support us in creating, sorting, customizing, and sending newsletters, emails, and other messages about our products to our users.
Hosting and cloud services and their tools are used to store data and to produce anonymized analyses (see section 7.3 above).
Certain functions within our app, such as report generation or communication options with your healthcare professional or ZenZen coach, allow you to directly share certain User Data with a third party from within our products. In this case you decide at your own discretion which data you share with which party at what point in time. Therefore, such data transfers are solely your responsibility.
6.6 Storage and deletion
Your User Data is stored on your device as well as on our servers. The server location where your User Data is being stored is determined during registration based on your Geolocation. This way we decide if your data is either stored on servers in the European Union or the USA. Regardless of the storage location we ensure that the high protection level pursuant to the GDPR is guaranteed at all times; this applies to data at rest, but also to data that is stored temporarily at a different location or is transferred for processing.
ZenZen only stores your personal data for the duration of the contract. In some cases, longer storage may be required in order to fulfil post-contractual obligations or to comply with statutory obligations or disclosure duties, or to assert, exercise, or defend legal claims. Personal data that needs to be retained for this purpose is transferred to a separate archive storage and is not used for any purpose other than the purpose of retention unless it is required by law.
Personal data recorded/stored in paper documents is destroyed by shredding those documents. Personal data stored in the form of an electronic record is deleted using a technical method which does not allow reproducing the record.
6.7 Technical and Organizational Measures
Administrative measures: ISO/IEC 27001 certified information security management system, security officer, a data protection officer, asset management, regular employee training, development principles
Technical measures: Access control, password policy, backup policy, disaster recovery process, security updates/patch policy, infrastructure and network policies and processes, infrastructure monitoring, data encryption in transport and at rest
Physical measures: Physical access control
6.8 Minors
You must be at least 18 years (or such greater age required in your country) to register for our Products. The Products may be used for minors in accordance with the intended use of the Products. In this case the caregiver has to register for our Products in order to manage the account for the minor (see section 3.2.4 of our General Terms and Conditions). This also applies to processing of such personal data, which is only legal if and to the extent to which the consent has been obtained by and through the parent/guardian. Otherwise use of our products is prohibited.
6.9 Data protection officer
Our Data Protection Officer is available to answer all questions regarding the processing of your User Data and data protection at ZenZen. You can contact our Data Protection Officer via privacy@zenzen.me. Our Data Protection Officer monitors compliance with all data protection regulations and is subject to strict statutory secrecy and confidentiality obligations.
Our Data Protection Officer is widely involved in all topics associated with protecting the personal data of our users. As a trained expert, our Data Protection Officer monitors our processing on an ongoing basis, informs and regularly advises the entire ZenZen team in order to ensure the best possible protection of your User Data.
6.10 Changes
Technology and processes used for our services, as well as data protection legislation, are constantly being developed. Therefore we will have to make changes to our products and services from time to time. We will inform you of any changes to this Privacy Notice via appropriate means and with an advance notice period. If necessary, we will ask you for new consent before further processing your personal data.
7 YOUR RIGHTS
ZenZen would like to make sure you are fully aware of all of your data protection rights. In case you want to execute any of your rights, please contact us at privacy@zenzen.me.
In general, if you make a request to ZenZen, we will provide you with your requested information as quickly as possible, latest within one month, or within any shorter period in case the local data protection regulations in your country require a shorter period. You can find more information on those local provisions in section 9 of this Privacy Notice.
Every user is entitled to the following:
7.1 The Right to Access
You have the right to request a copy of your personal data as well as all information relating to the processing of your personal data. This includes information on the processing purposes, data and recipient categories, storage time, origin of your personal data, and your rights under the data protection regulations. You can find all of this information in this Privacy Notice and you can also contact us at privacy@zenzen.me.
7.2 The Right to Rectification
You have the right to request that ZenZen correct any information you believe is inaccurate. You also have the right to request ZenZen to complete any information you believe is incomplete. You can correct or complete most of your personal data yourself within our apps.
7.3 The Right to Erasure
You have the right to request that ZenZen erase your personal data. However, please be aware that we will have to retain certain personal data even after you have requested the deletion to comply with statutory obligations.
7.4 The Right to Restrict Processing
You have the right to request that ZenZen restrict the processing of your personal data, under certain circumstances, for example for the duration of any investigation review that you have requested.
7.5 The Right to Object to Processing
You have the right to object to ZenZen’s processing of your personal data, under certain circumstances.
If we process your personal data based on your consent, you may revoke the consent at any time. However, revoking your consent will not affect the lawfulness of the processing before the revocation. We will continue to provide our services if they do not depend on the consent that has been revoked.
7.6 The Right to Data Portability
You have the right to request that ZenZen transfer the data we have collected to another organization, if this is technically feasible, or directly to you, in electronically readable form.
7.7 Complaints
If you feel we are not protecting your data protection rights adequately, please contact us at any time at support@zenzen.me or contact our data protection officer directly at privacy@zenzen.me. We will handle your request immediately.
You also have the right to submit a complaint to the relevant Data Protection Authority for ZenZen, which is the Berliner Beauftragte für Datenschutz und Informationsfreiheit, Alt-Moabit 59-61, 10555 Berlin, Tel.: +49 30 13889-0, Fax: +49 30 2155050, E-Mail: mailbox@datenschutz-berlin.de. In addition, you have the right to complain to a supervisory authority in the EU member state in which you are resident, in which your workplace is located, or which is the location of a suspected infringemen
8 COUNTRY SPECIFIC PROVISIONS
8.1 Germany
Certain products and services of ZenZen may be part of statutory health programs, e.g. Digital Healthcare Act in Germany (“Digital Healthcare Application”). Such User Data of Digital Healthcare Applications will be processed in accordance with all legal requirements which are specified in more detail in this section.
User Data of Digital Healthcare Applications will not be processed for product improvement and marketing purposes. When it comes to the lawful basis for data processing based on statutory law, User Data of Digital Healthcare Applications will only be processed for patient safety reasons (incident reporting to BfArM) in accordance with section 6.3.
8.2 USA
Patient Information
In accordance with HIPAA, any use or disclosure of protected health information by ZenZen or any subcontractor will be governed by the respective service agreement and a Business Associate Agreement executed between you and ZenZen.
Your Rights if Your Data is Covered by California Law
If you are a California resident as defined by the California Consumer Privacy Act (CCPA), you can find a description of these rights covered in the California Supplemental Privacy Notice. That privacy notice contains information on how to contact ZenZen to exercise any of your rights under that law.
California Civil Code Section 1798.83 permits California residents to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes. To make such a request, please use the contact information provided in the California Supplemental Privacy Notice.
Minors
We are committed to protecting the privacy of children. As such, we do not intentionally collect data from users under the age of 13 in connection with our general purpose website(s), app(s) or other services. If you are the parent or guardian of a child under the age of 13 who has submitted information through this Site, please email us at privacy@zenzen.me to request deletion.