Tidepool Privacy Policy
Effective Date: April 20, 2026, Version 3.0
Since Tidepool was founded in 2013, we’ve advocated that you should own your own data, that you should be able to access it whenever and however you want, and that you should be able to share it however you see fit. Today, we feel more strongly about these tenets than ever. Our goal is to make Tidepool a great place for collaboration with you and your care team.
Please read our Privacy Policy to understand how you can control and manage your data and the choices you have. It describes the types of information we collect from a Person with Diabetes (“PwD”), Care Team Members, Clinicians, Researchers, Clinics, and casual site visitors, how we use it, how we protect it, and how we restrict its disclosure. This Privacy Policy is intended to comply with all applicable laws and regulations, including but not limited to the General Data Protection Regulation (“GDPR”) of the European Union.
You may use the Tidepool website without creating an account. However, if you choose to use Tidepool’s services, it will become necessary for Tidepool to create an account for you and collect and process information about you. If you use any of the Tidepool Apps, we will need to process and use the personal information you and members of your Care Team provide in order to provide the services of the Tidepool Apps. The Tidepool Apps will not function without that information.
The privacy and security of your personal information is important to us. This privacy policy (“Privacy Policy”) describes how Tidepool Project (“Tidepool,” “us,” or “we”) collects, uses, processes, and discloses your personal information in connection with our software applications, such as Tidepool Web, Tidepool Mobile, Tidepool Loop, and the Tidepool Uploader, together with any other applications developed and/or distributed by Tidepool (the “Tidepool Apps”), including storage and retrieval of information by the Tidepool Apps on or through our hosted cloud platform (the “Tidepool Platform”). The term “personal information” as used in this Privacy Policy means information that directly or indirectly uniquely identifies a PwD User, Care Team Member, Clinician, or Researcher by reference to an identifier such as a name, identification number, location data, online identifier, or another factor specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that individual. We collect personal information from the people who use the Tidepool Apps to help manage their diabetes (“PwD Users,” the person with diabetes or the parent/guardian of one), from the people with whom the PwD User chooses to share that information (“Care Team Members”), from doctors, healthcare professionals, and other clinicians who may use the Tidepool Apps to review information for people under their care (“Clinicians”) and from researchers who collect information from study participants for research purposes through the Tidepool Apps or Tidepool Platform (“Researchers”). PwD Users, Care Team Members, Clinicians, and Researchers may collectively be referred to herein as “Users” (or singularly, a “User”). This Privacy Policy applies to personal information that PwD Users, any of a PwD User’s Care Team Members, Clinicians, or Researchers upload, store, and manage using the Tidepool Apps.
This Privacy Policy does not apply to the practices of companies that Tidepool does not own or control, or to individuals who Tidepool does not employ or manage.
By using the Tidepool Apps, you agree to be bound by this Privacy Policy, as well as our Terms of Use, which are incorporated herein by reference. Please read this entire Privacy Policy and the Terms of Use. If you don’t agree with the terms of this Privacy Policy or the Terms of Use, please don’t use the Tidepool Apps or other applications that access your Tidepool account.
As this Privacy Policy explains, Tidepool is responsible for determining the purposes and means for the handling and processing of personal information subject to this Privacy Policy. Tidepool is the “controller” of that information as set forth under applicable data protection law.
Tidepool’s Privacy Official serves as our data protection officer. Any PwD User, Care Team Member, Clinician, or Researcher, or any other data subject, may contact the Privacy Official directly with questions, complaints, or suggestions concerning privacy or data protection, at the following address:
Tidepool Project
555 Bryant St., #429
Palo Alto, CA 94301
Telephone: 650-353-2352
E-Mail: privacy@tidepool.org
As our services expand, we will evaluate our policies and practices and occasionally implement changes and refinements. If we make a change to this Privacy Policy that we determine, in our sole discretion, is material, we may notify you (for example, by email to the email address in your Tidepool account) prior to the changes becoming effective in accordance with applicable law. We will post all revised or new Privacy Policies on the Tidepool website at www.tidepool.org/legal, and indicate the date it was last revised.
Tidepool may treat the information of PwD Users, Care Team Members, Clinicians, Researchers, and Clinics differently. For this reason, this Privacy Policy has separate sections with information specific to PwD Users, to Care Team Members, to Clinicians, to Researchers, to Clinics, and a section that applies to everyone including visitors to our websites. To learn more, please review the following:
- Information for PwD Users
- Frequently Asked Questions for PwD Users
1.1 What PwD User information does Tidepool collect and for what purposes?
1.1.1 Registration and Contact Information
1.1.2 Other Information You Provide to Us
1.1.3 Third-Party Applications
1.1.4 Study Management for Academic and Clinical Research
1.2 What choices do PwD Users have?
1.2.1 Care Team Access
1.2.2 Custodial Accounts
1.2.3 Options for Sharing Information with Device Makers
1.2.4 Options for Sharing Anonymized Information with Researchers or Other Research Databases
1.2.5 Export, Delete, or Change Your Information
1.2.6 Cancel Your Account
1.2.7 HIPAA Applicability
1.2.8 Email Communications
1.3 How do I invite members to join my Care Team or invite others to use Tidepool Apps?
1.4 What about the practices of third-party applications that PwD Users can connect to Tidepool Apps or the Tidepool Platform?
1.5 Who else has access to my information?
1.6 Clinician users converting to a Clinic account
- Information for Care Team Members
- Frequently Asked Questions for Care Team Members
2.1 What information does Tidepool collect from Care Team Members and for what purposes?
2.1.1 Registration and Contact Information
2.1.2 Other Information You Provide to Us
2.2 What choices do Care Team Members have?
2.2.1 Change Your Information
2.2.2 Cancel Your Account
2.2.3 Email Communications
- Information for Clinicians, Clinics, and Researchers
- Frequently Asked Questions for Clinicians, Clinics, and Researchers
3.1 What information does Tidepool collect from Clinicians, Clinics, and Researchers, and for what purposes?
3.1.1 Registration and Contact Information
3.1.2 Other Information You Provide to Us; Custodial Accounts
3.1.3 Other Information that You Collect from Patients or Study Subjects
3.1.4 Business Associate Agreement
3.2 What choices do Clinicians, Clinics, and Researchers have?
3.2.1 Change Your Information
3.2.2 Cancel Your Account
3.2.3 Email Communications
- Information for Everyone
- Frequently Asked Questions for Everyone
4.1 Are there any territorial restrictions for using Tidepool Apps?
4.2 Do any third party service providers have access to my information?
4.3 When can Tidepool disclose my information?
4.4 How long does Tidepool keep my information?
4.5 How does Tidepool secure my information?
4.6 What about information about children?
4.7 Does Tidepool use cookies?
4.8 Does Tidepool collect information automatically when I use the Tidepool Apps?
4.9 Can third parties collect information about me when I use the Tidepool Apps?
4.10 International Privacy Laws
4.11 Additional Rights
4.12 Legal Basis for Collection, Use, and Processing of Information
1. Information for PwD Users
We collect health and other information from you as a PwD User so that we can show it to you in useful ways within the Tidepool Apps. You may choose to share your health information with others and with applications that connect to the Tidepool Apps or the Tidepool Platform.
This section of the Privacy Policy describes what we do with PwD User personal information, including but not limited to health information, and is guided by the following principles:
- Once you create an account, you control the information in your Tidepool account.
- You can request that your Tidepool account be deleted at any time. When your Tidepool account is deleted, information in your account will also be deleted unless it is otherwise necessary for Tidepool to retain the information to comply with legal or regulatory compliance obligations.
- You decide who has access to the information in your Tidepool account.
- You decide which third-party applications have permission to read or post new information on your behalf.
- You decide whether device makers have access to data from your devices.
- You decide if you would like to contribute the information in your Tidepool account to research.
- You can obtain an export of the information in your Tidepool account and take it with you whenever you like.
Frequently Asked Questions for PwD Users
- What PwD User information does Tidepool collect and for what purposes?
- What choices do PwD Users have?
- How do I invite members to join my Care Team or invite others to use Tidepool Apps?
- What about the practices of third-party applications that PwD Users can connect to Tidepool Apps or the Tidepool Platform?
- Who else has access to my information?
1.1 What PwD User information does Tidepool collect and for what purposes?
1.1.1 Registration and Contact Information
To register as a PwD User for a Tidepool account, you must provide your email address and create a password. You are only a PwD User if you register an account with Tidepool or “claim” an account created for you by your Clinician. We will also collect contact information, such as your name, address, phone number, and certain information that does not itself directly identify you, such as your IP address. Although we do receive IP addresses, we do not use them to identify you personally or disclose them to others.
We will use this information to: verify your identity and to protect the security of your personal information; deliver, administer and improve the Tidepool Apps; provide customer service; improve and personalize your experience; better understand your needs; fulfill requests you make; deliver special announcements and updates about the Tidepool Apps; exercise our legal rights and comply with our legal obligations; and contact you about any of the above as well as any changes to or notifications regarding your Tidepool account.
1.1.2 Other Information You Provide to Us
We also collect health and other information you provide to us through the Tidepool Apps. This may include your gender, age and birth date, weight, height, treatment and diagnosis information, health and well-being related information (including diet and activity information), information identifying the diabetes monitoring and treatment devices you use, and data you upload from your diabetes monitoring and treatment devices using Tidepool Uploader, other Tidepool Apps or through third-party applications that connect to the Tidepool Platform. You may also provide information to us through questionnaires we administer to understand how you may benefit from using the Tidepool Apps.
We use the information you provide to us to deliver, administer, and improve the Tidepool Apps as well as exercise our legal rights and comply with our legal obligations. We need this information to provide the visualization, data analysis, and other features available to you through the Tidepool Apps, which are also available to any of your Care Team Members. As we add new Tidepool features for PwD Users, we may, if necessary, use your information to provide those features to you. When you seek support from us, the individual(s) providing you with support may need to access your information in order to identify the problem you are seeking support for, though your information will only be used to help provide you with support.
As part of using Tidepool Apps and as part of certain initiatives, we may also collect reproductive health data you provide to us. This data may be used and disclosed in accordance with this Privacy Policy and applicable law. You can stop sharing reproductive health data with Tidepool by disconnecting third-party devices that share this information with Tidepool. Some third-party devices may also allow you to deselect reproductive health data types when connecting or reconnecting them. If you would like to delete reproductive health data you provided to us, you can cancel your account at any time (see Section 1.2.6). If you chose to donate your reproductive health data for research purposes and you change your preference to stop donating your reproductive health data, you will not be able to remove or delete anonymized data that was previously donated prior to the change. Please consider the laws governing reproductive health in your jurisdiction before providing Tidepool with such data.
With your permission, and only with your consent, we may also provide your health information and internal, diagnostic data from your diabetes device to the maker of that device, include your information in a research database, or share your information with third-party applications that you choose to connect with.
With your permission, and only with your consent, we may also use your personal information that you provide to us or that we obtain from third parties to provide you with periodic emails, newsletters or mailings, with information on Tidepool’s or our business partners’ products and services or other informational material we believe may be of interest to you. You have the option to decline these communications by unsubscribing at any time by following the instructions below.
1.1.3 Third-Party Applications
You may have the option to link or connect Tidepool Apps or the information collected with Tidepool Apps with certain third-party applications. We will not share the information in your Tidepool account with a third-party application without your explicit consent.
1.1.4 Study Management for Academic and Clinical Research
You may be asked to participate in academic, clinical, commercial or other research studies, either by Tidepool or by entities performing research. You are under no obligation to participate in this research. If you do agree to participate, you will be asked to give us explicit consent to link your Tidepool account to the study coordination account, or to provide a unique identifier that will allow the researcher or institution to link other personally identifiable information to your Tidepool information. Only you can agree to this linkage with other information or databases. Tidepool will not link the information in your Tidepool account for academic, clinical, commercial or other research studies without your explicit consent. If you agree to participate in a research study, the person or organization conducting the study may require you to sign a written consent to participate in the study, which may include terms and conditions that apply to the research study and are different from those of this Privacy Policy.
1.2 What choices do PwD Users have?
Under the Terms of Use, PwD Users control their health and other personal information, data, notes, and files that PwD Users upload, store, and manage using the Tidepool Apps or that are added by their Care Team Members. This means that you as a PwD User decide who has access to the information in your Tidepool account. You also have full control to edit permissions of Care Team Members, alter some types of information, export your information, or cancel your account and delete the information in that account from Tidepool’s systems.
1.2.1 Care Team Access
You can grant access to your Tidepool account to health care professionals, clinics, family, friends, or anyone else, creating what we call a Care Team. The Care Team Members to whom you provide access will be able to view and comment on the health and other information in your account. Only if you grant them permission will Care Team Members be able to upload information to your account or, if applicable, edit information in your account. PwD Users own all content in their Tidepool accounts added or altered by their Care Team Members.
1.2.2 Custodial Accounts
A Clinician such as your doctor or other health care provider, or a Researcher conducting a study in which you participate, may establish an account to store information about you in Tidepool. That Clinician or Researcher may invite you to open a Tidepool account. If you accept that invitation, you will become a PwD User and will have control of all the information associated with that account, which will be your Tidepool account. When you open the account, the Clinician or Researcher who invited you to open the account or their Clinic will automatically be a member of your Care Team. You may remove the Clinician, Researcher, or Clinic from your Care Team at any time.
If your Clinician or a Researcher told you to expect such an invitation and you did not receive it, please contact that Clinician or Researcher and ask them to verify your email address and re-send the invitation.
If a Clinician or Researcher who uses Tidepool to store information about you does not invite you to open an account, or if you decide not to do so, then you will not have control of the information associated with that account and this section of the Privacy Policy will not apply to you or to that information.
1.2.3 Options for Sharing Information with Device Makers
You may have the option of granting the maker of your diabetes monitoring or treatment device access to the information you upload to the Tidepool Platform. Providing your device maker with access to this information may assist the device maker to provide customer support or diagnose and address issues with the device. Providing data access to device makers also helps them understand how their devices are being used, which helps them make better devices in the future.
Your device manufacturer may be able to identify you based on the serial number associated with the device. When you agree to provide information you upload to the Tidepool Platform to a device maker, such device maker’s policies regarding their use of your information will apply.
Please note that any information you may have previously shared with a device maker may remain with the device maker if they have stored that information and cannot be removed or deleted by changing your sharing preference.
1.2.4 Options for Sharing Anonymized Information with Researchers or Other Research Databases
You may have the option to donate your anonymized data to different Researchers or Research organizations, or with diabetes device or pharmaceutical companies in need of longitudinal datasets. Diabetes researchers have a very difficult time gaining access to quality diabetes data. We may use information collected about you from the use of our Services to give you the opportunity to make your anonymized information available to these organizations. By doing this we hope to contribute to a dramatic acceleration in the rate of innovation in diabetes care.
If you choose to share your anonymized information for these research purposes, we will not share directly identifiable information about you. However, it may be possible for others to identify you if you have made your information available publicly in other ways. For example, if you post pictures or information to social media that describes you or your health condition, such as posting a picture of your continuous glucose monitor readings on a social media platform, it may be possible for someone to correlate that with information in a Tidepool dataset. For this reason, all donations of your information will require your explicit consent. More information about what data may be shared, who may have access to this data, and the purposes it may be used for will be provided in the consent for these activities.
You may be asked to donate your information via email or via using Tidepool Apps. If you would like to change your donation preference, you may do so by using the appropriate interface in Tidepool Apps. If you change your preference to stop donating your information, you will not be able to remove or delete anonymized information that was previously donated prior to the change.
1.2.5 Export, Delete, or Change Your Information
You can change the contact information you provided when you registered by going to Account Settings. You can change or delete other information and data you have provided by editing or deleting that information directly using the utilities and features available in the Tidepool Apps. To learn how to export or delete your information, please visit support.tidepool.org.
1.2.6 Cancel Your Account
You can cancel your account at any time. Upon cancellation, we will cease use of your data and delete your account information and data within the Tidepool Apps. If you have shared data with a Clinician or Clinic, your data may have become part of your provider’s official medical record. In this case, you may need to contact your Clinician or Clinic directly to request they submit a data deletion instruction to Tidepool. Deletion of information removes the information from use within the Tidepool Apps, but may not immediately remove the information from Tidepool’s systems where retention is required or permitted by law and regulatory obligations. Information retained for these purposes will be subject to appropriate safeguards and controls and will not be used for account functionality.
Please visit support.tidepool.org to learn how to cancel your account.
1.2.7 HIPAA Applicability
Tidepool may enter into relationships with a number of institutions or health care providers, such as Clinicians, Researchers, Clinics, or others, for whom Tidepool provides services as a “business associate” under the federal Privacy and Security Rules issued under the Health Information Portability and Accountability Act (“HIPAA”). If you are a patient of one of these institutions or other providers, Tidepool may have obligations to that institution or other providers under HIPAA and Tidepool’s business associate contract with the institution or other providers that affect the information about you that the institution or provider stores in the Tidepool platform.
1.2.8 Email Communications
You can choose to stop receiving marketing or informational emails from us by clicking the “unsubscribe” link at the bottom of any such email. We may from time to time send you certain communications such as information regarding your account, the Tidepool App or the Tidepool Platform and you will not be able to opt out of those communications (e.g., communications regarding updates to our Terms of Use or this Privacy Policy).
1.3 How do I invite members to join my Care Team or invite others to use Tidepool Apps?
If you would like to invite someone to become a member of your Care Team, we’ll ask you for the person’s email address for the sole purpose of sending an invitation. If you would like to invite a Clinic, we’ll ask you for the Clinic Share Code for the sole purpose of sending an invitation. To do so, please select “Share” from within the Tidepool for web application.
1.4 What about the practices of third-party applications that PwD Users can connect to Tidepool Apps or the Tidepool Platform?
Our Privacy Policy applies solely to information collected by and through the Tidepool Apps while such information remains in Tidepool’s control. You may be able to connect this information to third-party applications, or by connecting your Tidepool account from within a third-party application, or you may choose to share your device data with a device maker. Please be aware that Tidepool doesn’t control and isn’t responsible for the privacy and security practices of the third party services you choose to connect with or those of your device makers. We encourage you to become familiar with their information practices before choosing to share any personal information or data with them.
1.5 Who else has access to my information?
You can see who your information is shared with by logging into your Tidepool account and selecting the “Share” link.
Some Clinicians, Researchers, or Clinics who you include on your Care Team may participate in other information sharing agreements, and may share some or all of your health information as part of those agreements. For example, your Clinician may participate in the T1D Exchange Registry, QI Collaborative, or other similar information sharing registry, which provides information collection and research services for a network of clinical sites. Please check with your health care provider, Clinic, Clinician, or Researcher to ask how they may be sharing your health information.
1.6 Clinician users converting to a Clinic account
In some instances, a Clinician user you are sharing with may convert to a new Clinic account or merge into an existing Clinic account (such as when a clinician moves from one clinic to another). If this happens, we will notify you of this conversion. Your sharing relationship will convert to the new Clinic account. You can stop sharing your data with that Clinic account at any time.
2. Information for Care Team Members
PwD Users have control of the information in their Tidepool accounts. This means that as a Care Team Member your access to a PwD User’s data and information is controlled by the PwD User and that any comments or information that you add may be deleted by the PwD User at any time.
Frequently Asked Questions for Care Team Members
- What information does Tidepool collect from Care Team Members and for what purposes?
- What choices do I have about the use of my information?
2.1 What information does Tidepool collect from Care Team Members and for what purposes?
2.1.1 Registration and Contact Information
To register as a Care Team Member, you must provide an email address and create a password. We also collect contact information, such as your name, address, phone number, and certain non-personal information that does not itself directly identify you, such as your IP address. Although we do receive IP addresses, we do not use them to identify you personally or disclose them to others.
We use this information to: verify your identity and to protect the security of your personal information; deliver, administer and improve the Tidepool Apps; provide customer service; improve and personalize your experience; better understand your needs and interests; fulfill requests you make; deliver special announcements and updates about the Tidepool Apps; exercise our legal rights and comply with our legal obligations; and contact you about any of the above as well as any changes to or notifications regarding your account.
2.1.2 Other Information You Provide to Us
We may also collect other information you provide to us through the Tidepool Apps. As a Care Team Member, this information will mostly be information or comments about the PwD User or PwD Users that add you as a Care Team Member using the Tidepool Apps. We use the information you provide as a Care Team Member to display notes, comments and other features of the Tidepool Apps, as well as exercise our legal rights and comply with our legal obligations. A PwD User has the ability to delete information or comments you add to his or her account at any time.
A PwD User has the option to donate anonymized information from his or her account to the Tidepool Anonymized Diabetes Database. If the PwD User donates his or her information, information or data that you add to the PwD User’s account that is being donated will exclude comments that you make on that account.
You may also provide information to us through questionnaires we administer to understand how you may benefit from using the Tidepool Apps. We use the information you provide to us to deliver, administer, and improve the Tidepool Apps.
2.2 What choices do Care Team Members have?
When you are added as a member of a PwD User’s Care Team, that PwD User owns all content you generate on that PwD User’s accounts and you have no control over that information, except in the course of editing comments you have made as long as the PwD User permits such changes. However, you can delete or change your personal information.
2.2.1 Change Your Information
You can change the contact information you provided when you registered by going to Account Settings.
2.2.2 Cancel Your Account
You can also cancel your account at any time. Upon cancellation, we will delete your account information in the Tidepool Apps but not information or comments you have added to any PwD User accounts. Deletion of information removes the information from use within the Tidepool Apps, but may not immediately remove the information from Tidepool’s systems where retention is required or permitted by law and regulatory obligations. Information retained for these purposes is subject to appropriate safeguards and controls and will not be used for account functionality.
2.2.3 Email Communications
You can choose to stop receiving marketing or informational emails from us by clicking the “unsubscribe” link at the bottom of any such email. We may from time to time send you certain communications such as information regarding your account, the Tidepool App or the Tidepool Platform and you will not be able to opt out of those communications (e.g., communications regarding updates to our Terms of Use or this Privacy Policy).
3. Information for Clinicians, Clinics, and Researchers
As a Clinician or Researcher, you will be able to create accounts and collect information on behalf of people that you provide care for, or people that are participating in a research study that you are conducting. These accounts are called Custodial Accounts. You can optionally provide an email address that will cause an account invitation to be sent to an individual’s email, allowing that person to sign up for and claim the Tidepool account, and become a PwD User. When you create a Custodial Account, you have control over that account and information at the outset. Once the account is claimed by a PwD User, that PwD User takes over control and ownership of the information and account, and you become a member of that PwD User’s Care Team.
Frequently Asked Questions for Clinicians, Clinics, and Researchers
- What information does Tidepool collect from Clinicians, Clinics, and Researchers and for what purposes?
- What choices do Clinicians, Clinics, and Researchers have?
3.1 What information does Tidepool collect from Clinicians, Clinics, and Researchers and for what purposes?
3.1.1 Registration and Contact Information
To register for a Tidepool account as a Clinician or Researcher, you must provide an email address and create a password. We also collect other information about you and your Clinic, such as your name, your clinic or institution name, address, phone number, and certain information that does not itself directly identify you, such as your IP address or your role within your organization. Although we do receive IP addresses, we do not use them to identify you personally or disclose them to others.
We may use this information to: verify your identity and to protect the security of your personal information; deliver, administer and improve the Tidepool Apps; provide customer service; improve and personalize your experience; better understand your needs and interests; fulfill requests you make; deliver special announcements and updates about the Tidepool Apps; exercise our legal rights and comply with our legal obligations; and contact you about any of the above as well as any changes to or notifications regarding your account.
3.1.2 Other Information You Provide to Us; Custodial Accounts
We also collect other information you provide to us through the Tidepool Apps. As a Clinician or Researcher, you will be able to create accounts for your patients or study subjects, called “Custodial Accounts.” When you create these accounts, you may choose to, but are not required to, identify those individuals by their name, date of birth, and an optional Medical Record Number (MRN). You may also optionally provide an email address for each individual. Providing an email address will initiate an email invitation that will allow the individual to sign up for Tidepool and claim the account, thereby taking ownership of the account information. It is your responsibility to ensure the accuracy of that email address.
If an individual chooses to sign up for Tidepool and claim an account, he or she then takes ownership of the account and becomes a PwD User, as defined above. The account will be automatically shared with you, making you a Care Team Member, as defined above. The PwD User may remove you as a Care Team Member at any time.
We may also collect other information you provide to us through the Tidepool Apps. This may include gender, age and birth date, weight, height, treatment and diagnosis information, health and well-being related information (including diet and activity information), information identifying the diabetes monitoring and treatment devices you upload for individuals, and data that you upload from their diabetes monitoring and treatment devices using Tidepool Uploader.
We use this information to provide the visualization, data analysis, and other features available through the Tidepool Apps, as well as exercise our legal rights and comply with our legal obligations. When you or the PwD User seek support from us, the individual(s) providing you with support may need to access your information in order to identify the problem you are seeking support for, though your information will only be used to help provide you with support.
You may also provide information to us through questionnaires we administer to understand how you may benefit from using the Tidepool Apps. We use the information you provide to us to deliver, administer, and improve the Tidepool Apps.
3.1.3 Other Information that You Collect from Patients or Study Subjects
Through the course of providing care or conducting a research study, you may collect information other than through Tidepool. Only information collected by Tidepool or via Tidepool Apps is covered by this Privacy Policy.
3.1.4 Business Associate Agreement
If Tidepool will be acting as your business associate under HIPAA, our obligations regarding the privacy and security of the personal information you store in Tidepool will be governed by a separate written business associate agreement between us. Tidepool will not be subject to any business associate agreement unless it is executed on Tidepool’s behalf by an authorized person.
3.2 What choices do Clinicians, Clinics, and Researchers have?
3.2.1 Change Your Information
You can change the contact information you provided when you registered by going to Account Settings.
3.2.2 Cancel Your Account
You can cancel your account at any time. Upon cancellation, we will delete your account information within the Tidepool Apps but not information or comments you have added to any PwD User accounts. Deletion of information removes the information from use within the Tidepool Apps, but may not immediately remove the information from Tidepool’s systems where retention is required or permitted by law and regulatory obligations. Information retained for these purposes is subject to appropriate safeguards and controls and will not be used for account functionality.
3.2.3 Email Communications
You can choose to stop receiving marketing or informational emails from us by clicking the “unsubscribe” link at the bottom of any such email. We may from time to time send you certain communications, such as those regarding your account, the Tidepool App or the Tidepool Platform, and you will not be able to opt out of those communications (e.g., communications regarding updates to our Terms of Use or this Privacy Policy).
4. Information for Everyone
The following information applies to all Users of the Tidepool Apps and Tidepool Platform: PwD Users, Care Team Members, Clinicians and Researchers.
Frequently Asked Questions for Everyone
- Are there any territorial restrictions for using Tidepool Apps?
- Do any third party service providers have access to my information?
- When can Tidepool disclose my information?
- How long does Tidepool keep my information?
- How does Tidepool secure my information?
- What about information from children?
- Does Tidepool use cookies?
- Does Tidepool collect information automatically when I use the Tidepool Apps?
- Can third parties collect information about me when I use the Tidepool Apps?
- Does Tidepool recognize Do Not Track signals?
- International Privacy Laws
- Additional Rights
- Legal Basis for Collection, Use, and Processing of Information
4.1 Are there any territorial restrictions for using Tidepool Apps?
At this time, Tidepool Apps are only intended for use in the United States. The Tidepool Apps and Tidepool Platform are hosted in the United States and all information is stored in the United States. By using the Tidepool Apps and Tidepool Platform you consent to processing and storage of your information in the United States. For further information if you are an EU resident and using the Tidepool App or visiting the Tidepool website from the EU, please see the section below on International Privacy Laws.
4.2 Do any third party service providers have access to my information?
We may employ independent companies or other third parties and individuals to help us provide, facilitate or improve the Tidepool Apps (such as customer service support or data hosting). These service providers may have access to your personal information and data as necessary to perform their services for Tidepool.
4.3 When can Tidepool disclose my information?
Other than the sharing you have authorized, we will disclose your personal information or data as disclosed in this Privacy Policy. We may disclose your information in the following circumstances:
- We may disclose information about you to our service providers and business partners that assist us with operating our business and providing you with our services.
- We may disclose information about you to help complete a transaction for you or to our agents or service providers performing functions on our behalf in connection with providing you the services.
- We may also disclose your information in the event of a merger, reorganization, or sale of our assets which involve the transfer of user information.
- If Tidepool believes you’ve misused or abused the Tidepool Apps or the personal information of any PwD User, Care Team Member, Clinician, Researcher, or Clinic or attempted to interfere with or harm the Tidepool Apps, we will investigate and cooperate with appropriate law enforcement, including, if necessary or appropriate, by disclosing your name, registration information or IP address and any other relevant information, to protect our rights or property, or those of our PwD Users, Care Team Members, Clinicians, Researchers, Clinics, and others. We will cooperate fully with any legal process or criminal investigation into the misuse or abuse of the Tidepool Apps.
- We may disclose your information or data to comply with the law, applicable regulations, governmental and quasi-governmental requests, court orders or subpoenas, to enforce our Terms of Use or other agreements, or to protect our rights, property or safety or the rights, property or safety of our users or others (e.g., to a consumer reporting agency for fraud protection, etc.). Where your personal information and data has been requested by any governmental entity or other third party pursuant to subpoena or similar legal process, we will attempt to notify you as quickly as practicable before providing any such information, unless we are legally prohibited from doing so or we believe in good faith that disclosure is or may be necessary to protect life, avoid serious physical injury or property loss or damage, or to prevent or investigate an ongoing crime.
Tidepool may disclose de-identified, anonymous, or statistical information about the use of the Tidepool Apps at any time without restriction.
4.4 How long does Tidepool keep my information?
Tidepool will retain your account and related information on your behalf as long as needed to support your use of the Tidepool Apps, for necessary backup purposes, and to comply as necessary with our legal obligations, resolve disputes, establish legal defenses, conduct audits, pursue legitimate business purposes, enforce our agreements and comply with applicable laws. To determine the appropriate retention time for your information, we consider the amount, nature, and sensitivity of the information, the potential risk of harm from unauthorized use or disclosure of your information, the purposes for which we process your information, and whether we can achieve these purposes through other means, as well as applicable legal requirements. We may delete your account due to inactivity, but we will notify you by email prior to doing so and give you a reasonable opportunity to either transfer your information or begin active use of your account again.
4.5 How does Tidepool secure my information?
To help protect the privacy and security of personal information and data you transmit using Tidepool Apps, we take reasonable physical, administrative, and technical steps to protect the personal information and data that you provide us against unauthorized destruction, loss, alteration, disclosure, use, or access. However, the software, hardware and networks that support the Tidepool Apps may, from time to time, require maintenance or experience problems or breaches of security beyond our control.
Please also be aware that no data transmission over the internet can be guaranteed to be 100% secure. Tidepool cannot guarantee the security of the information you provide us, and therefore you use Tidepool Apps at your own risk.
While we take steps to protect your personal information and data and keep it secure, you also play a role in protecting your information. You can help to maintain the security of this information by using a unique, strong password, not sharing your account information and password with anyone, and by preventing unauthorized use of your computers and mobile devices.
4.6 What about information about children?
Tidepool does not allow children under the age of 13 to register or use the Tidepool Apps. Only a parent or guardian may register for a data storage account profile and input children’s personal information on behalf of an individual under 13. As described above, a Clinician or Researcher may also register for a Custodial Account on behalf of a child under 13. Additionally, we require that children between 13 and 18 must have their parent’s or legal guardian’s consent to register or use Tidepool Apps. If we discover that a person under 13 has registered as a PwD User or Care Team Member, we will delete that person’s account.
4.7 Does Tidepool use cookies?
We use cookies (a piece of data or file that a website can send to your browser, which may then store it on your computer system) and similar technology to collect device information and aggregate information about usage of Tidepool Apps by all of our Users and to help us remember you and your preferences when you revisit the Tidepool Apps. These cookies may stay on your browser into the future until they expire or you delete them. Some cookies that assist in the functionality of the Tidepool Apps are usually erased when you close your browser window. You may prevent our use of cookies by changing the settings on your internet browser. If you block our cookies, the Tidepool website and/or Tidepool Apps may not function properly or provide full functionality. To learn more about how Tidepool uses cookies and what options you may have please review our cookie policy available at https://developer.tidepool.org/cookie-policy/.
Your browser may tell you how to be notified when you receive certain types of cookies or how to restrict or disable certain types of cookies. Note, however, that without cookies, you may not be able to use all of the features of our website. For mobile devices, you can manage how your device and browser share certain device data by adjusting the privacy and security settings on your mobile device.
4.8 Does Tidepool collect information automatically when I use the Tidepool Apps?
We receive and store certain types of information whenever you interact with Tidepool Apps. We automatically receive and record information on your activity on our server logs, including your IP address. Generally, we also automatically collect usage information, such as the features of the Tidepool Apps that you use and how you use them, the number of Care Team Members, devices you upload, and how PwD Users and Care Team Members interact. We may use this information, as well as your personal information such as your email address, to verify your identity and to provide personalized features and functionality, for example to provide reminders to upload data from your diabetes devices. We may also use this data to help us understand how you and other Users use parts of the Tidepool Apps so that we can improve them, as well as exercise our legal rights and comply with our legal obligations. We may disclose anonymous statistical information to third parties about how Tidepool Apps are used without your permission.
Tidepool Apps may also produce error codes and other diagnostic logging information that help us improve our software. These logs include IP address, email address, local hostname, browser version, operating system version, connected devices, and software error stack trace. This information is only about Tidepool Apps, and is only used by Tidepool to improve Tidepool Apps. These logs may be stored indefinitely.
4.9 Can third parties collect information about me when I use the Tidepool Apps?
We may allow third parties to place cookies through the Tidepool Apps for analytics. We do not permit third parties to place cookies through our Tidepool Apps to perform third-party marketing functions. For more information about how we use cookies and what options you have to limit third party cookies, please view our cookie policy at https://developer.tidepool.org/cookie-policy/.
You may see certain ads on other websites because we may engage third-party ad buying networks. Through such ad buying networks, we can target our messaging to users through demographic, interest-based, and contextual means. The information our ad networks may collect on our behalf includes data about your visits to websites that serve our advertisements, such as the pages or advertisements you view and the actions you take on the websites. This data collection takes place on third-party websites that participate in these ad networks. This process helps us track the effectiveness of our marketing efforts. To learn how to opt out of this ad network interest-based advertising, visit Your AdChoices.
For more information, review the Self-Regulatory Principles for Online Behavioral Advertising (“Principles”) of the Digital Advertising Alliance. You can visit Ad Choices for information on how to indicate your preferences, including opting out of interest-based advertising with participating entities. Note that opting out of interest-based advertising does not mean you will no longer see advertisements from us because your information may have been collected and shared prior to your opt-out request, the ads may not be customized to your specific interests, or the ads may be served based on your interactions with other companies and their websites. When you opt out of receiving interest-based advertisements through the links above, cookies and other technologies on our Site may still collect information about your use of our website, including for analytics, fraud prevention, and any other purpose permitted under the Self-Regulatory Principles.
4.10 International Privacy Laws
If you are using the Tidepool Apps from outside the United States, please note that you are sending your information, including your personal information, to the United States, where Tidepool’s servers are located. Your information may then be transferred within the United States or to another country. When Tidepool conducts such transfers, we put in place appropriate safeguards in accordance with applicable legal requirements. Tidepool’s collection, use, and processing of your information will in all events continue to be conducted in accordance with this Privacy Policy.
4.11 Additional Rights
Under the GDPR, residents of the European Union have specified rights in connection with their personal information held by Tidepool. Tidepool has chosen to provide these rights to all Tidepool users. Therefore, in addition to the other rights described in this Privacy Policy, you have the right:
- To be informed about the information that Tidepool collects about you, and how we use and disclose that information. This Privacy Policy describes those matters.
- To have access to information about you. All the information about you in your Tidepool account is available to you at any time and upon request. If you cancel your account, that information will be deleted, but we will provide you with a reasonable opportunity to obtain a copy of that information, free of charge, before it is deleted.
- To correct any personal information that you believe is incorrect or incomplete. You can use the Tidepool Apps at any time to correct or complete any information about you. If you correct or add to information that has been provided by a Care Team Member or a Clinician or Researcher, that person or persons that are a part of a Clinic will be able to see the changes you have made.
- To have your information deleted. If you wish to delete your personal information from Tidepool’s systems, you may at any time cancel your account.
- To restrict the use or processing of your information. If you believe any information about you is inaccurate, Tidepool will cease using or processing that information at your request.
- To receive a copy of your personal information. You may use the Tidepool Apps at any time to download a copy of your information free of charge.
- To object to the use or processing of your information. You may cancel your account and delete your information from Tidepool at any time. If you object to Tidepool’s retaining, using, or processing your information after you cancel your account, on grounds relating to your particular situation, you may submit that objection to the Privacy Official.
Please contact the Tidepool Privacy Official at the contact information provided above in order to exercise your privacy rights described in this Privacy Policy.
If a Clinician, Clinic, or Researcher uses Tidepool to store information about you and you do not own the account, you will not have control of the information associated with that account. You will need to contact the Clinician, Clinic, or Researcher if you wish to access, correct, update or request removal of any of your information or if you would like more information on the privacy practices concerning your personal information.
If any request remains unresolved, you also have the right to complain to your national data protection authority for your EU Member State where you are resident.
Tidepool does not use your personal information for automated decision-making, as defined in the GDPR. Tidepool will not make any decision solely by automated means without human involvement, including profiling, that will produce legal effects upon a user, or that will have a similarly significant effect upon a user. The Tidepool apps may through automated means evaluate diabetes device and other data related to your health condition, and offer treatment recommendations to you and your treating physician. As is provided by the Terms of Use, Tidepool’s recommendations are not substitutes for the evaluation of your health care needs by a qualified physician or for the diagnosis and treatment decisions for you that your physician will make. Tidepool does not choose any treatment plan for you or decide the health care services users will receive. If the user authorizes it, all personal information the user has in Tidepool will be available to the user’s physician, so that physician may use that information to make medical treatment decisions independently.
4.12 Legal Basis for Collection, Use, and Processing of Information
In accordance with the GDPR, the primary legal basis for our collection and processing of your information is your consent for us to do so. Your consent will be recorded when you register to use the Tidepool Apps. You may withdraw your consent at any time by canceling your account, and the information in that account about you will be deleted. However, we may need to retain a portion of your information for a reasonable period of time for legitimate purposes that are reasonably necessary for the proper management and administration of Tidepool’s business and the satisfaction of our legal obligations to third parties. Unless otherwise stated in this Privacy Policy, we may also process your information pursuant to our legitimate interests to administer the Tidepool Apps or to protect our legal rights, interests, or the interests of others.