Tidepool Privacy Policy
Effective Date: March 11, 2022, Version 2.4
Since Tidepool was founded in 2013, we’ve advocated that you own your own data, that you should be able to access it whenever and however you want, and that you should be able to share it however you see fit. In 2022, we feel more strongly about these tenets than ever. Our goal is to make Tidepool a great place for collaboration with you and your care team. To support this, we’ve updated how Clinicians and Researchers have access to information that you share. We’ve added details explaining when Clinicians or Researchers that are part of a Clinic might see your information. We’ve also added new Share features that make it easier for you to share your data with Clinicians and Researchers that are part of a Clinic. Please read our Privacy Policy to understand how you can control and manage your data and the choices you have. It describes the types of information we collect from PwD, Care Team Members, Clinicians, Researchers, Clinics, and casual site visitors, how we use it, how we protect it, and how we restrict its disclosure. This Privacy Policy is intended to comply with all applicable laws and regulations, including but not limited to the General Data Protection Regulation (“GDPR”) of the European Union.
You may use the Tidepool website without sharing any of your personal information with us. However, if you choose to use Tidepool’s services, it will become necessary for Tidepool to create an account for you and collect and process information about you. If you use any of the Tidepool Apps, we will need to process and use the personal information you and members of your Care Team provide in order to provide the services of the Tidepool Apps. The Tidepool Apps will not function without that information.
The privacy and security of your information is important to us. This privacy policy (“Privacy Policy”) describes how Tidepool Project (“Tidepool,” “us,” or “we”) collects, uses, processes, and discloses information in connection with our software applications, such as Tidepool for web, Tidepool for mobile, and the Tidepool Uploader, together with any other applications developed and/or distributed by Tidepool (the “Tidepool Apps”), including storage and retrieval of information by the Tidepool Apps on or through our hosted cloud platform (the “Tidepool Platform”). We collect information from the people who use the Tidepool Apps to help manage their diabetes (“PwD Users,” the person with diabetes or the parent/guardian of one), from the people with whom the PwD User chooses to share that information (“Care Team Members”), from doctors, healthcare professionals, and other clinicians who may use the Tidepool Apps to review information for people under their care (“Clinicians”) and from researchers who collect information from study participants for research purposes through the Tidepool Apps or Tidepool Platform (“Researchers”). PwD Users, Care Team Members, Clinicians, and Researchers may collectively be referred to herein as “Users” (or singularly, a “User”).
By using the Tidepool Apps, you agree to be bound by this Privacy Policy, as well as our Terms of Use, which are incorporated herein by reference. Please read this entire Privacy Policy and the Terms of Use. If you don’t agree with the terms of this Privacy Policy or the Terms of Use, please don’t use the Tidepool Apps or other applications that access your Tidepool account. This Privacy Policy applies to Tidepool’s treatment of “personal information,” which is information that directly or indirectly uniquely identifies a PwD User, Care Team Member, Clinician, or Researcher by reference to an identifier such as a name, identification number, location data, online identifier, or another factor specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that individual. This Privacy Policy therefore applies to health and other personal information, and the information, notes, and files PwD Users, any of a PwD User’s Care Team Members, or Clinicians, or Researchers upload, store, and manage using the Tidepool Apps. This Privacy Policy does not apply to the practices of companies that Tidepool does not own or control, or to individuals who Tidepool does not employ or manage.
BY USING ANY OF THE TIDEPOOL APPS YOU AGREE TO THE COLLECTION, USE, AND DISCLOSURE OF INFORMATION IN ACCORDANCE WITH THIS PRIVACY POLICY. IF YOU ARE A RESIDENT OF THE EUROPEAN UNION, WE WILL OBTAIN YOUR EXPLICIT CONSENT TO COLLECT AND PROCESS YOUR INFORMATION.
As this Privacy Policy explains, Tidepool is responsible for determining the purposes and means for the handling and processing of personal information subject to this Privacy Policy. Tidepool is the “controller” of that information for purposes of compliance with the GDPR. Tidepool is located and may be contacted at:
Tidepool Project
555 Bryant St., #429
Palo Alto, CA 94301
Attn: Privacy Officer
Telephone: 650-353-2352
E-Mail: info@tidepool.org
Tidepool’s Privacy Official serves as our data protection officer. Any PwD User, Care Team Member, Clinician, or Researcher, or any other data subject, may contact the Privacy Official directly with questions, complaints, or suggestions concerning privacy or data protection, at the following address:
Howard Look
Tidepool Project
555 Bryant St., #429
Palo Alto, CA 94301
Telephone: 650.353.2352
E-Mail: privacy@tidepool.org
As our services expand, we will evaluate our policies and practices and occasionally implement changes and refinements. If we make a change to this Privacy Policy that we determine, in our sole discretion, is material, we will endeavor to notify you (for example, by email to the email address in your Tidepool account) prior to the changes becoming effective. We will post all revised or new Privacy Policies on the Tidepool website at www.tidepool.org/legal, and indicate the date it was last revised.
Tidepool may treat the information of PwD Users, Care Team Members, Clinicians, Researchers, and Clinics differently. For this reason, this Privacy Policy has separate sections with information specific to PwD Users, to Care Team Members, to Clinicians, to Researchers, to Clinics, and a section that applies to everyone. To learn more, please review the following:
- Information for PwD Users - Frequently Asked Questions for PwD Users
1.1 What PwD User information does Tidepool collect and for what purposes?
1.1.1 Registration and Contact Information
1.1.2 Other Information You Provide to Us
1.1.3 Third-Party Applications
1.1.4 Study Management for Academic and Clinical Research
1.2 What choices do PwD Users have?
1.2.1 Care Team Access
1.2.2 Custodial Accounts
1.2.3 Options for Sharing Information with Device Makers
1.2.4 Options for Sharing Anonymized Information with Researchers or Other Research Databases
1.2.5 Export, Delete, or Change Your Information
1.2.6 Cancel Your Account
1.2.7 Other Rights You May Have Under HIPAA
1.2.8 Email Communications
1.3 How do I invite members to join my Care Team or invite others to use Tidepool Apps?
1.4 What about the practices of third-party applications that PwD Users can connect to Tidepool Apps or the Tidepool Platform?
1.5 Who else has access to my information?
1.6 Clinician users converting to a Clinic account - Information for Care Team Members - Frequently Asked Questions for Care Team Members
2.1 What information does Tidepool collect from Care Team Members and for what purposes?
2.1.1 Registration and Contact Information
2.1.2 Other Information You Provide to Us
2.2 What choices do Care Team Members have?
2.2.1 Change Your Information
2.2.2 Cancel Your Account
2.2.3 Email Communications - Information for Clinicians, Clinics, and Researchers - Frequently Asked Questions for Clinicians, Clinics, and Researchers
3.1 What information does Tidepool collect from Clinicians, Clinics, and Researchers, and for what purposes?
3.1.1 Registration and Contact Information
3.1.2 Other Information You Provide to Us; Custodial Accounts
3.1.3 Other Information that You Collect from Patients or Study Subjects
3.1.4 Business Associate Agreement
3.2 What choices do Clinicians, Clinics, and Researchers have?
3.2.1 Change Your Information
3.2.2 Cancel Your Account
3.2.3 Email Communications - Information for Everyone - Frequently Asked Questions for Everyone
4.1 Are there any territorial restrictions for using Tidepool Apps?
4.2 Do any third party service providers have access to my information?
4.3 When can Tidepool disclose my information?
4.4 How long does Tidepool keep my information?
4.5 How does Tidepool secure my information?
4.6 What about information about children?
4.7 What are my California Privacy Rights?
4.8 Does Tidepool use cookies?
4.9 Does Tidepool collect information automatically when I use the Tidepool Apps?
4.10 Can third parties collect information about me when I use the Tidepool Apps?
4.11 Does Tidepool recognize Do Not Track signals?
4.12 International Privacy Laws
4.13 Additional Rights
4.14 Legal Basis for Collection, Use, and Processing of Information
1. Information for PwD Users
We collect health and other information from you as a PwD User so that we can show it to you in useful ways within the Tidepool Apps. You may choose to share your health information with others and with applications that connect to the Tidepool Apps or the Tidepool Platform.
This section of the Privacy Policy describes what we do with PwD User information, including but not limited to health information, and is guided by the following principles:
- You own the information in your Tidepool account.
- You can request that your Tidepool account be deleted at any time. When your Tidepool account is deleted, all the information in account will also be deleted.
- You decide who has access to the information in your Tidepool account.
- You decide which third-party applications have permission to access to read or post new information on your behalf.
- You decide whether device makers have access to data from your devices.
- You decide if you would like to contribute the information in your Tidepool account to research.
- You can obtain an export of the information in your Tidepool account and take it with you whenever you like.
Frequently Asked Questions for PwD Users
- What PwD User information does Tidepool collect and for what purposes?
- What choices do PwD Users have?
- How do I invite members to join my Care Team or invite others to use Tidepool Apps?
- What about the practices of third-party applications that PwD Users can connect to Tidepool Apps or the Tidepool Platform?
- Who else has access to my information?
1.1 What PwD User information does Tidepool collect and for what purposes?
1.1.1 Registration and Contact Information To register as a PwD User for a Tidepool account, you must provide your email address and create a password. You use your email address and password to log in to your account. We will also collect contact information, such as your name, address, phone number, and certain information that does not itself directly identify you, such as your IP address. An IP address is a number assigned to you by your Internet service provider so you can access the Internet. Although we do receive IP addresses, we do not use them to identify you personally or disclose them to others.
We will use this information to: deliver, administer and improve the Tidepool Apps; provide customer service; improve and personalize your experience; better understand your needs; fulfill requests you make; deliver special announcements and updates about the Tidepool Apps; and contact you about any of the above as well as any changes to or notifications regarding your Tidepool account.
1.1.2 Other Information You Provide to Us We also collect health and other information you provide to us through the Tidepool Apps. This may include your gender, age and birth date, weight, height, treatment and diagnosis information, health and well-being related information (including diet and activity information), information identifying the diabetes monitoring and treatment devices you use, and data you upload from your diabetes monitoring and treatment devices using Tidepool Uploader, other Tidepool Apps or through third-party applications that connect to the Tidepool Platform.
We use the information you provide to us to deliver, administer, and improve the Tidepool Apps. We need this information to provide the visualization, data analysis, and other features available to you through the Tidepool Apps, which are also available to any of your Care Team Members. As we add new Tidepool features for PwD Users, we may, if necessary, use your information to provide those features to you. When you seek support from us, the individual(s) providing you with support may need to access your information in order to identify the problem you are seeking support for, though your information will only be used to help provide you with support.
With your permission, and only with your explicit consent, we may also provide your health information and internal, diagnostic data from your diabetes device to the maker of that device, include your information in a research database, or share your information with third-party applications that you choose to connect with.
With your permission, and only with your explicit consent, we may also use your personal information that you provide to us or that we obtain from third parties to provide you with periodic emails, newsletters or mailings, with information on Tidepool’s or our business partners’ products and services or other informational material we believe may be of interest to you. You have the option to decline these communications at any time by following the instructions below.
1.1.3 Third-Party Applications You may have the option to link or connect Tidepool Apps or the information collected with Tidepool Apps with certain third-party applications. We will not share the information in your Tidepool account with a third-party application without your explicit consent.
1.1.4 Study Management for Academic and Clinical Research You may be asked to participate in academic, clinical, commercial or other research studies, either by Tidepool or by entities performing research. You are under no obligation to participate in this research. If you do agree to participate, you will be asked to give us explicit consent to link your Tidepool account to the study coordination account, or to provide a unique identifier that will allow the researcher or institution to link other personally identifiable information to your Tidepool information. Only you can agree to this linkage with other information or databases. Tidepool will not link the information in your Tidepool account for academic, clinical, commercial or other research studies without your explicit consent. If you agree to participate in a research study, the person or organization conducting the study may require you to sign a written consent to participate in the study, which may include terms and conditions that apply to the research study and are different from those of this Privacy Policy.
1.2 What choices do PwD Users have? Under the Terms of Use, PwD Users own the health and other personal information, data, notes, and files that PwD Users upload, store, and manage using the Tidepool Apps or that are added by their Care Team Members. This means that you as a PwD User decide who has access to the information in your Tidepool account. You also have full control to edit permissions of Care Team Members, alter some types of information, export your information, or cancel your account and delete the information in that account from Tidepool’s systems.
1.2.1 Care Team Access You can grant access to your Tidepool account to health care professionals, clinics, family, friends, or anyone else, creating what we call a Care Team. The Care Team Members to whom you provide access will be able to view and comment on the health and other information in your account. Only if you grant them permission will Care Team Members be able to upload information to your account or, if applicable, edit information in your account. PwD Users own all content in their Tidepool accounts added or altered by their Care Team Members.
1.2.2 Custodial Accounts A Clinician such as your doctor or other health care provider, or a Researcher conducting a study in which you participate, may establish an account to store information about you in Tidepool. That Clinician or Researcher may invite you to open a Tidepool account. If you accept that invitation, you will become a PwD User and will have control of all the information associated with that account, which will be your Tidepool account. When you open the account, the Clinician or Researcher who invited you to open the account or their Clinic will automatically be a member of your Care Team. You may remove the Clinician, Researcher, or Clinic from your Care Team at any time.
If your Clinician or a Researcher told you to expect such an invitation and you did not receive it, please contact that Clinician or Researcher and ask them to verify your email address and re-send the invitation.
If a Clinician or Researcher who uses Tidepool to store information about you does not invite you to open an account, or if you decide not to do so, then you will not have control of the information associated with that account and this section of the Privacy Policy will not apply to you or to that information.
1.2.3 Options for Sharing Information with Device Makers You may have the option of granting the maker of your diabetes monitoring or treatment device with access to the information you upload to the Tidepool Platform. Providing your device maker with access to this information may assist the device maker to provide customer support or diagnose and address issues with the device. Providing data access to device makers also helps them understand how their devices are being used, which helps them make better devices in the future. We may charge device makers a fee to access this data.
Your device manufacturer may be able to identify you based on the serial number associated with the device.
Please note that any information you may have previously shared with a device maker may remain with the device maker if they have stored that information and cannot be removed or deleted by changing your sharing preference.
1.2.4 Options for Sharing Anonymized Information with Researchers or Other Research Databases You may have the option to donate your anonymized data with different Researchers or Research organizations, or with diabetes device or pharmaceutical companies in need of longitudinal datasets. Diabetes researchers have a very difficult time gaining access to quality diabetes data. We will give you the opportunity to make your anonymized information available to these organizations. By doing this we hope to contribute to a dramatic acceleration in the rate of innovation in diabetes care.
You will not be directly identifiable based on the information you choose to donate. However, it may be possible for others to identify you if you have made your information available publicly in other ways; for example, if you post pictures or information to social media that describes you or your health condition, such as tweeting a picture of your continuous glucose monitor readings, it may be possible for someone to correlate that with information in a Tidepool dataset. For this reason, all donations of your information will require your explicit consent. Donated, anonymized information will be stored and made available without any of your personal Tidepool account information. If you agree to donate your information, here is the information that will and will not be included (if provided):
- For each PwD User:
- Included: birth month and year, month and year of date of diagnosis, gender, and weight
- Not included: name, address, email address, birth day, notes, profile picture, or other personally identifiable information
- For all diabetes devices:
- Included: device event and data timestamps
- May be included: Brand and model of the device (some device makers preclude this).
- Not included: device serial number
- For blood glucose meters:
- Included: blood glucose readings
- For continuous glucose monitors (“CGM”):
- Included: estimated glucose, events tracked by the CGM, including meals, insulin, calibration, exercise
- For insulin pumps:
- Included: all pump settings, including bolus calculator parameters, basal rates, basal rate profiles, insulin to carb ratios, and insulin sensitivity factors as well as all events tracked by the pump, including meals, insulin dosed,temp basals and suspends events, and BG inputs. Note that some of the terms above may have slightly varying language on your device.
- For exercise monitors:
- Included: Exercise and activity data imported from devices or software, such as FitBit, FuelBand, Strava, and RunKeeper (not including GPS data or personally identifying information).
- Not included: GPS location data or other personally identifying information
We will not include in the anonymized datasets (1) freeform text and notes entered by you or your Care Team Members, or (2) any other data that could identify a specific individual.
The data from your device will be correlated across time and with the donated PwD User information using a random, cryptographically secure user key (a “one-way hash”). Having this key allows researchers to correlate multiple data points over time from a single person, but does not allow them (or anyone else without internal access to Tidepool servers) to identify the person.
You may be asked to donate your information via email or via using Tidepool Apps. If you would like to change your donation preference, you may do so by using the appropriate interface in Tidepool Apps. If you change your preference to stop donating your information, you will not be able to remove or delete anonymized information that was previously donated prior to the change.
1.2.5 Export, Delete, or Change Your Information You can change the contact information you provided when you registered by going to Account Settings. You can change or delete other information and data you have provided by editing or deleting that information directly using the utilities and features available in the Tidepool Apps. To learn how to export or delete your information, please visit support.tidepool.org.
1.2.6 Cancel Your Account You can cancel your account at any time. Upon cancellation, we will cease all use of your data and delete your account information and data. Please visit support.tidepool.org to learn how to cancel your account.
1.2.7 Other Rights You May Have Under HIPAA Tidepool may enter into relationships with a number of institutions or health care providers, such as Clinicians, Researchers, Clinics, or others, for whom Tidepool will act as a “business associate” under the federal Privacy and Security Rules issued under the Health Information Portability and Accountability Act (“HIPAA”). If you are a patient of one of these institutions or other providers, or are participating in a research study conducted by one of these organizations, Tidepool may have obligations to that institution or other provider under HIPAA and Tidepool’s business associate contract with the institution or other provider that affect the information about you that the institution or provider stores in the Tidepool platform. These “business associate” relationships will not affect information in your Tidepool account.
1.2.8 Email Communications You can choose to stop receiving marketing or informational emails from us by clicking the “unsubscribe” link at the bottom of any such email. We may from time to time send you certain communications such as regarding your account, the Tidepool App or the Tidepool Platform and you will not be able to opt out of those communications (e.g., communications regarding updates to our Terms of Use or this Privacy Policy).
1.3 How do I invite members to join my Care Team or invite others to use Tidepool Apps? If you would like to invite someone to become a member of your care team, we’ll ask you for the person’s email address for the sole purpose of sending an invitation. To do so, please select “Share” from within the Tidepool for web application. If you would like to invite a Clinic, we’ll ask you for the Clinic Share Code for the sole purpose of sending an invitation. To do so, please seelect “Share” from within the Tidepool for web application.
1.4 What about the practices of third-party applications that PwD Users can connect to Tidepool Apps or the Tidepool Platform? Our Privacy Policy applies solely to information collected by and through the Tidepool Apps. You may be able to connect this information to third-party applications from the Tidepool Apps, or by connecting your Tidepool account from within a third-party application, or you may choose to share your device data with a device maker. Please be aware that Tidepool doesn’t control and isn’t responsible for the privacy and security practices of the third party services you choose to connect with or those of your device makers. However, all third-party developers that connect to the Tidepool Platform will be required to certify that their privacy policy is consistent with the terms of this Privacy Policy. For example, third-party applications will need to agree to not disclose your personal information without your consent. We encourage you to become familiar with their information practices before choosing to share any personal information or data with them.
1.5 Who else has access to my information? You can see who your information is shared with by logging into your Tidepool account and selecting the “Share” link.
Some Clinicians, Researchers, or Clinics who you include on your Care Team may participate in other information sharing agreements, and may share some or all of your health information as part of those agreements. For example, your Clinician may participate in the T1D Exchange Registry, QI Collaborative, or other similar information sharing registry, which provides information collection and research services for a network of clinical sites. Please check with your health care provider, Clinic, Clinician, or Researcher to ask how they may be sharing your health information.
1.6 Clinician users converting to a Clinic account In some instances, a Clinician user you are sharing with may convert to a new Clinic account or merge into an existing Clinic account. If this happens, we will notify you of this conversion. Your sharing relationship will convert to the new Clinic account. You can stop sharing your data with that Clinic account at any time.
2. Information for Care Team Members
PwD Users have control of the information in their Tidepool accounts. This means that as a Care Team Member your access to a PwD User’s data and information is controlled by the PwD User and that any comments or information that you add may be deleted by the PwD User at any time.
Frequently Asked Questions for Care Team Members
- What information does Tidepool collect from Care Team Members and for what purposes?
- What choices do I have about the use of my information?
2.1 What information does Tidepool collect from Care Team Members and for what purposes?
2.1.1 Registration and Contact Information To register as a Care Team Member, you must provide an email address and create a password. You use your email address and password to log in. We also collect contact information, such as your name, address, phone number, and certain non-personal information that does not itself directly identify you, such as your IP address. An IP address is a number assigned to you by your Internet service provider so you can access the Internet. Although we do receive IP addresses, we do not use them to identify you personally or disclose them to others.
We use this information to: deliver, administer and improve the Tidepool Apps; provide customer service; improve and personalize your experience; better understand your needs and interests; fulfill requests you make; deliver special announcements and updates about the Tidepool Apps; and contact you about any of the above as well as any changes to or notifications regarding your account.
2.1.2 Other Information You Provide to Us We may also collect other information you provide to us through the Tidepool Apps. As a Care Team Member, this information will mostly be information or comments about the PwD User or PwD Users that add you as a Care Team Member using the Tidepool Apps. We use the information you provide as a Care Team Member to display notes, comments and other features of the Tidepool Apps. A PwD User has the ability to delete information or comments you add to his or her account at any time.
A PwD User has the option to donate anonymized information from his or her account to the Tidepool Anonymized Diabetes Database. If the PwD User donates his or her information, information or data that you add to the PwD User’s account that is being donated will exclude comments that you make on that account.
2.2 What choices do Care Team Members have? A PwD User owns all content you generate on that PwD User’s accounts and you have no control over that information, except in the course of editing comments you have made as long as the PwD User permits such changes. However, you can delete or change your personal information.
2.2.1 Change Your Information You can change the contact information you provided when you registered by going to Account Settings.
2.2.2 Cancel Your Account You can also cancel your account at any time. Upon cancellation, we will delete your account information but not information or comments you have added to any PwD User accounts.
2.2.3 Email Communications You can choose to stop receiving marketing or informational emails from us by clicking the “unsubscribe” link at the bottom of any such email. We may from time to time send you certain communications such as regarding your account, the Tidepool App or the Tidepool Platform and you will not be able to opt out of those communications (e.g., communications regarding updates to our Terms of Use or this Privacy Policy).
3. Information for Clinicians, Clinics, and Researchers
As a Clinician or Researcher, you will be able to create accounts and collect information on behalf of people that you provide care for, or people that are participating in a research study that you are conducting. These accounts are called Custodial Accounts. You can optionally provide an email address that will cause an account invitation to be sent to an individual, allowing that person to sign up for and claim the Tidepool account, and become a PwD User. When you create a Custodial Account, you have control over that account and information at the outset. Once the account is claimed by a PwD User, that PwD User takes over control and ownership of the information and account, and you become a member of that PwD User’s Care Team.
Frequently Asked Questions for Clinicians, Clinics, and Researchers
- What information does Tidepool collect from Clinicians, Clinics, and Researchers and for what purposes?
- What choices do Clinicians, Clinics, and Researchers have?
3.1 What information does Tidepool collect from Clinicians, Clinics, and Researchers and for what purposes?
3.1.1 Registration and Contact Information To register for a Tidepool account as a Clinician or Researcher, you must provide an email address and create a password. You use your email address and password to log in to the account. We also collect other information about you and your Clinic, such as your name, your clinic or institution name, address, phone number, and certain information that does not itself directly identify you, such as your IP address or your role within your organization. An IP address is a number assigned to you by your Internet service provider so you can access the Internet. Although we do receive IP addresses, we do not use them to identify you personally or disclose them to others.
We may use this information to: deliver, administer and improve the Tidepool Apps; provide customer service; improve and personalize your experience; better understand your needs and interests; fulfill requests you make; deliver special announcements and updates about the Tidepool Apps; and contact you about any of the above as well as any changes to or notifications regarding your account.
3.1.2 Other Information You Provide to Us; Custodial Accounts We also collect other information you provide to us through the Tidepool Apps. As a Clinician or Researcher, you will be able to create accounts for your patients or study subjects, called “Custodial Accounts.” When you create these accounts, you may choose to, but are not required to, identify those individuals by their name, date of birth, and an optional Medical Record Number (MRN). You may also optionally provide an email address for each individual. Providing an email address will initiate an email invitation that will allow the individual to sign up for Tidepool and claim the account, thereby taking ownership of the account information. It is your responsibility to ensure the accuracy of that email address.
If an individual chooses to sign up for Tidepool and claim an account, he or she then takes ownership of the account and becomes a PwD User, as defined above. The account will be automatically shared with you, making you a Care Team Member, as defined above. The PwD User may remove you as a Care Team Member at any time.
We may also collect other information you provide to us through the Tidepool Apps. This may include gender, age and birth date, weight, height, treatment and diagnosis information, health and well-being related information (including diet and activity information), information identifying the diabetes monitoring and treatment devices you upload for individuals, and data that you upload from their diabetes monitoring and treatment devices using Tidepool Uploader.
We use this information to provide the visualization, data analysis, and other features available through the Tidepool Apps. When you seek support from us, the individual(s) providing you with support may need to access your information in order to identify the problem you are seeking support for, though the use of your information will only be used to help provide you with support.
3.1.3 Other Information that You Collect from Patients or Study Subjects Through the course of providing care or conducting a research study, you may collect information other than through Tidepool. Only information collected by Tidepool or via Tidepool Apps is covered by this Privacy Policy.
3.1.4 Business Associate Agreement If Tidepool will be acting as your business associate under the federal Privacy and Security Rules issued under the Health Information Portability and Accountability Act (“HIPAA”), our obligations regarding the privacy and security of the personal information you store in Tidepool will be governed by a separate written business associate agreement between us. Tidepool will not be subject to any business associate agreement unless it is executed on Tidepool’s behalf by an authorized person.
3.2 What choices do Clinicians, Clinics, and Researchers have? A PwD User owns all content you generate on that PwD User’s accounts and you have no control over that information, except in the course of editing comments you have made as long as the PwD User permits such changes. However, you can delete or change your personal information.
3.2.1 Change Your Information You can change the contact information you provided when you registered by going to Account Settings.
3.2.2 Cancel Your Account You can also cancel your account at any time. Upon cancellation, we will delete your account information but not information or comments you have added to any PwD User accounts.
3.2.3 Email Communications You can choose to stop receiving marketing or informational emails from us by clicking the “unsubscribe” link at the bottom of any such email. We may from time to time send you certain communications such as regarding your account, the Tidepool App or the Tidepool Platform and you will not be able to opt out of those communications (e.g., communications regarding updates to our Terms of Use or this Privacy Policy).
4. Information for Everyone
The following information applies to all Users of the Tidepool Apps and Tidepool Platform: PwD Users, Care Team Members, Clinicians and Researchers.
Frequently Asked Questions for Everyone
- Are there any territorial restrictions for using Tidepool Apps?
- Do any third party service providers have access to my information?
- When can Tidepool disclose my information?
- How long does Tidepool keep my information?
- How does Tidepool secure my information?
- What about information from children?
- What are my privacy rights in California?
- Does Tidepool use cookies?
- Does Tidepool collect information automatically when I use the Tidepool Apps?
- Can third parties collect information about me when I use the Tidepool Apps?
- Does Tidepool recognize Do Not Track signals?
- International Privacy Laws
- Additional Rights
- Legal Basis for Collection, Use, and Processing of Information
4.1 Are there any territorial restrictions for using Tidepool Apps? At this time, Tidepool Apps are only intended for use in the United States and the European Union (‘EU’). The Tidepool Apps and Tidepool Platform are hosted in the United States and all information is stored in the United States. By using the Tidepool Apps and Tidepool Platform you consent to processing and storage of your information in the United States. For further information if you are an EU resident and using the Tidepool App or visiting the Tidepool website from the EU, please see the section below on International Privacy Laws.
4.2 Do any third party service providers have access to my information? We may employ independent companies or other third parties and individuals to help us provide, facilitate or improve the Tidepool Apps (such as customer service support or data hosting). These service providers may have access to your personal information and data as necessary to perform their services for Tidepool.
4.3 When can Tidepool disclose my information? Other than the sharing you have authorized, we will only disclose your personal information or data as disclosed in this Privacy Policy. We may disclose your information in the following circumstances:
- We may disclose information about you to help complete a transaction for you or to our agents or service providers performing functions on our behalf.
- We may also disclose your information in the event of a purchase, transfer or sale of services or assets (e.g., in the event that some or all of our assets are acquired by another party, customer information may be one of the transferred assets).
- If Tidepool believes you’ve misused or abused the Tidepool Apps or the personal information of any PwD User, Care Team Member, Clinician, Researcher, or Clinic or attempted to interfere with or harm the Tidepool Apps, we will investigate and cooperate with appropriate law enforcement, including, if necessary or appropriate, by disclosing your name, registration information or IP address and any other relevant information, to protect our rights or property, or those of our PwD Users, Care Team Members, Clinicians, Researchers, Clinics, and others. We will cooperate fully with any legal process or criminal investigation into the misuse or abuse of the Tidepool Apps.
- We may disclose your information or data to comply with the law, applicable regulations, governmental and quasi-governmental requests, court orders or subpoenas, to enforce our Terms of Use or other agreements, or to protect our rights, property or safety or the rights, property or safety of our users or others (e.g., to a consumer reporting agency for fraud protection, etc.). Where your personal information and data has been requested by any governmental entity or other third party pursuant to subpoena or similar legal process, we will attempt to notify you as quickly as practicable before providing any such information, unless we are legally prohibited from doing so or we believe in good faith that disclosure is or may be necessary to protect life, avoid serious physical injury or property loss or damage, or to prevent or investigate an ongoing crime.
Tidepool may disclose anonymous or statistical information about the use of the Tidepool Apps at any time without restriction.
4.4 How long does Tidepool keep my information? Tidepool will retain your account and related information on your behalf as long as needed to support your use of the Tidepool Apps, for necessary backup purposes and comply as necessary with our legal obligations, resolve disputes, establish legal defenses, conduct audits, pursue legitimate business purposes, enforce our agreements and comply with applicable laws. We may delete your account due to inactivity, but we will notify you by email prior to doing so and give you a reasonable opportunity to either transfer your information or begin active use of your account again.
4.5 How does Tidepool secure my information? To help protect the privacy of personal information and data you transmit using Tidepool Apps, we use technology designed to encrypt your personal information and data before it is sent to us over the internet. In addition, we take reasonable physical, administrative, and technical steps to protect the personal information and data that you provide us against unauthorized access. However, the software, hardware and networks that support the Tidepool Apps may, from time to time, require maintenance or experience problems or breaches of security beyond our control.
Please also be aware that despite our best intentions and the guidelines outlined in this Privacy Policy, no data transmission over the internet or encryption method can be guaranteed to be 100% secure. Tidepool cannot guarantee the security of the information you provide us, and therefore you use Tidepool Apps at your own risk.
While we take steps to protect your personal information and data and keep it secure, you also play a role in protecting your information. You can help to maintain the security of this information by using a unique, strong password, not sharing your account information and password with anyone, and by preventing unauthorized use of your computers and mobile devices.
4.6 What about information about children? Tidepool does not allow children under the age of 13 to register or use the Tidepool Apps and we require that children between 13 and 18 must have their parent’s or legal guardian’s consent to register or use Tidepool Apps. Tidepool does not knowingly collect information from children under the age of 13. If we discover that a person under 13 has registered as a PwD User or Care Team Member we will delete that person’s account.
4.7 What are my California Privacy Rights? Tidepool complies with the California Consumer Privacy Act of 2018. We also act in accordance with the principle behind the California “Shine the Light” law, CA Civil Code § 1798.83, which gives consumers the right to know about certain personal information shared with third parties for their use in directly marketing their own products or services. We will never do that without your express permission, except as described in this Privacy Policy. Under California law, a California resident has the right to request that Tidepool disclose our data collection and sales practices, including the categories of information we collect, how we use that information, and whether we disclose or sell that information to others. This Privacy Policy explains these matters, and we never sell information we collect about you and that identifies you without your express consent. If you do consent and then want to withdraw your consent, please follow the instructions on this page. California residents also have the right to request a copy of the information we collect, and to have the information we collect deleted, all as described in this Privacy Policy. If you want to receive a copy of that information, or request that we delete it, please follow the instructions on this page. Finally, we will not discriminate against you in any way based on your exercise of your rights under California law.
4.8 Does Tidepool use cookies? We use cookies (a piece of data or file that a website can send to your browser, which may then store it on your computer system) and similar technology to collect aggregate (non-personal) information about usage of Tidepool Apps by all of our Users and to help us remember you and your preferences when you revisit the Tidepool Apps. These cookies may stay on your browser into the future until they expire or you delete them. Some cookies that assist in the functionality of the Tidepool Apps, like page loading, usually are erased when you close your browser window. You may prevent our use of cookies by changing the settings on your internet browser. If you block our cookies, the Tidepool website and/or Tidepool Apps may not function properly or provide full functionality. Further general information about cookies and how they work is available at www.allaboutcookies.org.
4.9 Does Tidepool collect information automatically when I use the Tidepool Apps? We receive and store certain types of information whenever you interact with Tidepool Apps. We automatically receive and record information on your activity on our server logs, including your IP address. Generally, we also automatically collect usage information, such as the features of the Tidepool Apps that you use and how you use them, the number of Care Team Members, devices you upload, and how PwD Users and Care Team Members interact. We may use this information, as well as your personal information such as your email address, to provide personalized features and functionality, for example to provide reminders to upload data from your diabetes devices. We may also use this data to help us understand how you and other Users use parts of the Tidepool Apps so that we can improve them. We may disclose anonymous statistical information to third parties about how Tidepool Apps are used without your permission.
Tidepool Apps may also produce error codes and other diagnostic logging information that help us improve our software. These logs include IP address, email address, local hostname, browser version, operating system version, connected devices, and software error stack trace. This information is only about Tidepool Apps, and is only used by Tidepool to improve Tidepool Apps. These logs are only retained for 180 days.
4.10 Can third parties collect information about me when I use the Tidepool Apps? We do not allow third parties to place cookies through the Tidepool Apps or to collect information about a consumer’s online activities over time and across different websites when he or she uses our Tidepool Apps. We do not permit third parties to place cookies through our Tidepool Apps to perform marketing functions but we may allow service providers to place cookies to assist us with analytic functions. For these analytic functions, we may use Google Analytics and Google Analytics Demographics and Interest Reporting to collect information regarding visitor behavior and visitor demographics on some of our services, and to develop website content. This analytics data is not tied to any personal information. For more information about Google Analytics, please visit www.google.com/policies/privacy/partners/. You can opt out of Google’s collection and Processing of data generated by your use of the services by going to http://tools.google.com/dlpage/gaoptout.
4.11 Does Tidepool recognize Do Not Track signals? We currently do not use technology that recognizes a “do-not-track” signal from your web browser.
4.12 International Privacy Laws If you are using the Tidepool Apps from outside the United States, please note that you are sending your information, including your personal information, to the United States, where Tidepool’s servers are located. Your information may then be transferred within the United States or to another country. The United States or these other countries may not have data protection laws as comprehensive or protective as the laws of your country or of the European Union. However, Tidepool’s collection, use, and processing of your information will in all events continue to be conducted in accordance with this Privacy Policy.
4.13 Additional Rights Under the GDPR, residents of the European Union have specified rights in connection with their personal information held by Tidepool. Tidepool has chosen to provide these rights to all Tidepool users. Therefore, in addition to the other rights described in this Privacy Policy, you have the right:
To be informed about the information that Tidepool collects about you, and how we use and disclose that information. This Privacy Policy describes those matters.
To have access to information about you. All the information about you in your Tidepool account is available to you at any time and upon request. If you cancel your account, that information will be deleted, but we will provide you with a reasonable opportunity to obtain a copy of that information, free of charge, before it is deleted.
To correct any personal information that you believe is incorrect or incomplete. You can use the Tidepool Apps at any time to correct or complete any information about you. If you correct or add to information that has been provided by a Care Team Member or a Clinician or Researcher, that person or persons that are a part of a Clinic will be able to see the changes you have made.
To have your information deleted. If you wish to delete your personal information from Tidepool’s systems, you may at any time cancel your account.
To restrict the use or processing of your information. If you believe any information about you is inaccurate, Tidepool will cease using or processing that information at your request.
To receive a copy of your personal information. You may use the Tidepool Apps at any time to download a copy of your information free of charge.
To object to the use or processing of your information. You may cancel your account and delete your information from Tidepool at any time. If you object to Tidepool’s retaining, using, or processing your information after you cancel your account, on grounds relating to your particular situation, you may submit that objection to the Privacy Official.
If you feel that Tidepool is not abiding by the terms of this Privacy Policy, please contact Tidepool Privacy Official at the contact information provided above.
If a Clinician, Clinic, or Researcher uses Tidepool to store information about you and you do not own the account, and as you will not have control of the information associated with that account, you will need to contact the Clinician, Clinic, or Researcher, if you wish to access, correct, update or request removal of any of your information or if would like more information on the privacy practices concerning your personal information.
If any request remains unresolved, you also have the right to complain to your national data protection authority for your EU Member State where you are resident.
Tidepool does not use your personal information for automated decision-making, as defined in the GDPR. Tidepool will not make any decision solely by automated means without human involvement, including profiling, that will produce legal effects upon a user, or that will have a similarly significant effect upon a user. The Tidepool apps may through automated means evaluate diabetes device and other data related to your health condition, and offer treatment recommendations to you and your treating physician. As is provided by the Terms of Use, Tidepool’s recommendations are not substitutes for the evaluation of your health care needs by a qualified physician or for the diagnosis and treatment decisions for you that your physician will make. Tidepool does not choose any treatment plan for you or decide the health care services users will receive. If the user authorizes it, all personal information the user has in Tidepool will be available to the user’s physician, so that physician may use that information to make medical treatment decisions independently.
4.14 Legal Basis for Collection, Use, and Processing of Information In accordance with the GDPR, the legal basis for our collection and processing of your information is your consent for us to do so. Your consent will be recorded when you register to use the Tidepool Apps. You may withdraw your consent at any time by canceling your account, and the information in that account about you will be deleted. However, we may need to retain a portion of your information for a reasonable period of time for legitimate purposes that are reasonable necessary for the proper management and administration of Tidepool’s business and the satisfaction of our legal obligations to third parties.