
PRIVACY POLICY 

FOR USERS AND PATIENT USERS

The platform myDiabby Healthcare is a Class IIa medical device under EU Regulation 2017/745 with UDI number 3770026228MYDIABBYXQ. It aims to help patients with type 1, type 2 and gestational diabetes manage their disease and to enable healthcare professionals to access and remotely monitor their patients' data.

MyDiabby Healthcare was designed and developed in France by MDHC, the publisher. It complies with the interoperability and security guidelines drawn up by the ANS (French Digital Health Agency).

MDHC is concerned about the protection of your personal data. It is committed to ensuring the highest level of security and confidentiality of your data in accordance with Law No. 78-17 of 6 January 1978 relating to information technology, files, and freedoms (hereinafter the "Data Protection Act") and Regulation (EU) 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter the "GDPR").

PURPOSE OF THE POLICY 

The purpose of this Policy is to inform Users and Patient Users using the platform myDiabby Healthcare, web and mobile application (hereinafter the Platform) about the processing of Personal Data carried out by MDHC in accordance with applicable legislation and regulations. 

It applies to all Users and Patient Users where we act as the "Controller" of Personal Data processed through the use of the Platform and the Showcase Site. 

In this policy, the terms "we", "us" and "our" refer to MDHC. The terms "you", "your" and "yours" may refer to you or the data subjects for whom we process personal data, depending on the context.

 

For further information on the legislation applicable to the protection of your personal data, you may consult the website of the CNIL (Commission Nationale de l'Informatique et des Libertés) at www.cnil.fr.

DEFINITIONS 

"myDiabby User Account" means an account enabling a User to connect to the Platform in an authenticated and secure manner;

"Personal Data" means information relating to natural persons who are identified or identifiable, directly or indirectly, by a User;

"Health Data" refers to Personal Data relating to the physical or mental health of a natural person, including data produced during preventive, diagnostic, treatment or medication dispensing activities by a Health Professional, as well as any element likely to characterize the health of a natural person;

"DPO" means the Personal Data Protection Officer, in accordance with Article 37 of the GDPR;

"Healthcare Professional" means any healthcare professional practicing in a private practice or a healthcare facility, registered with their professional association or registration authority and using the Platform;

"Data Controller" means the natural or legal person who, alone or jointly with others, determines the purposes and means of the processing of personal data; 

"Sub-processor" means a Sub-processor appointed by MDHC who, in the course of providing services on behalf of MDHC, is authorized to process Personal Data;

"Processing" means any operation or set of operations, whether or not by automatic means, which is applied to Personal Data or sets of Personal Data;

"User" refers to a person who has a myDiabby account for personal use but is not monitored by a healthcare professional via myDiabby Healthcare. 

"Patient User" refers to a user who uses myDiabby Healthcare and is monitored by a healthcare professional as part of their medical follow-up.

 

1. WHO ARE THE DATA CONTROLLERS?

1. With regard to the Platform User's data relating to the creation and management of the User Account and the use of the Platform:

MDHC is responsible for processing your personal data.

You can contact MDHC by e-mail at the following address: support@mydiabby.com or by telephone at the following number: 01 76 40 01 78.

2. With regard to the Data of a Patient User for the purposes of his/her care and medical monitoring via the myDiabby Healthcare remote monitoring medical device:

The Healthcare Professional or Healthcare Organisation is the Data Controller; 

MDHC acts as a processor on behalf of the Healthcare Professional or Healthcare Facility in accordance with the provisions of Article 28 of the GDPR. This means in particular that MDHC processes the data only on the instructions of the Data Controller and within the framework of technical and organizational measures guaranteeing the security of the processing.

To find out more about MyDiabby Healthcare 

The purpose of myDiabby Healthcare is to enable a healthcare professional to make a diagnosis, provide follow-up, prepare a therapeutic decision, prescribe procedures or products, remotely interpret the data required for your medical follow-up, monitor your state of health and, more generally, take all appropriate decisions regarding your care. When a patient uses the myDiabby Healthcare digital medical device for the purposes of remote medical monitoring, within the meaning of the applicable regulations, they consent to the sharing of their data via the remote monitoring digital medical device with their healthcare professional and/or team. The latter acts as a data controller for certain processing purposes. This policy therefore does not apply in this context. The contract between us and your healthcare professional (data controller) sets out our legal obligations as a data processor. We invite you to contact your healthcare professional to find out more about the processing of your personal data.

2. WHAT ARE THE PURPOSES OF THE PROCESSING?

When using the Platform, your data is collected to:

  • enable the creation and management of your mydiabby user account, which is necessary to use the Platform; 

  • enable a connected device and/or third-party application to be paired with the Platform;

  • allow you to use the Platform for medical monitoring purposes, in particular, to enter any data concerning your state of health;

  • if you agree to use telemedicine as part of your medical monitoring, allow you and the healthcare professionals who follow you to use the Application for remote monitoring purposes; 

  • transmit your data to the French social security system for reimbursement of your remote monitoring costs;

  • personalize the functionalities we offer you via the Platform and ensure their continuous improvement;

  • manage and send you alerts that you set up according to your choice;

  • process and implement requests you send us concerning your rights of access, rectification, deletion, portability of your data as well as your rights to limit and object to the processing of your data or your right to define directives relating to the conservation, deletion and communication of your personal data after your death; 

  • offer you technical assistance in the use and operation of the Platform;

  • ensure the corrective and evolutionary computer maintenance of the Platform; 

  • monitor the possible adverse effects of medical devices on human health (materiovigilance);

  • carry out statistics and research and development in the field of diabetes, including activities such as research projects, if necessary in collaboration with external researchers, companies specializing in medical research.

 

3. WHAT DATA IS COLLECTED?

This section includes: 

  1. the source of the data from which we may process your data; 

  2. the general categories of personal data we may process; 

  3. the purposes for which we may process personal data;  

  4. the lawful basis for processing.

 

1. Data sources 

- Personal Data collected directly from the User: 

All Personal Data relating to Users is collected by MDHC when their myDiabby accounts are created or via the forms and other documents they complete as part of using the Platform. Patients may also complete documents for Healthcare Professionals, using the Platform as part of Patient monitoring. 

To find out more:

 

This data is collected by MDHC in particular:

  • when you create your user account, which is necessary to use the Platform;

  • when pairing a connected device and/or a third-party application with the Platform;

  • when you or your doctor enter data about your health condition via our Digital medical device; 

  • when you contact our customer service or help/support department;

  • when you ask us to keep you informed of developments and new features of the Application; 

  • when you set up alerts as part of your medical monitoring.

 

- Personal Data that MDHC collects automatically when using the Platform:

MDHC may automatically collect Personal Data when using the Platform. This automatic collection may occur through the use of cookies.

2. MDHC collects and processes the following information about you via the Platform:

(The compulsory or optional nature of the data concerning you is indicated on the form by an asterisk).

 

Administrative and contact details:

birth name*, name used, maiden name, first name(s) at birth*, first name used, date of birth*, sex*, email address*, password*, postal address, telephone number, profile photo, identity document (where applicable), INS number, OID(1), INSEE code (place of birth)*, social security number, mutual insurance information

Health data:

medical history, family history, type of diabetes, year of diagnosis of diabetes, predisposing factors, self-monitoring of blood glucose data, treatment data, self-monitoring equipment used, treatment equipment used, HbA1c, ketones, weight, height, physical activity, contextual elements such as stress, allergies, food diary, amount of carbohydrate intake, expected date of delivery in the case of pregnancy, ultrasound data, pregnancy curves, actual date of delivery, number of newborns at birth, weight and height of the newborn, nature of complications at birth, cesarean or vaginal delivery, dates of consultations, dates of hospital admissions, dates of home nurse visits.

Browsing data and technical identifier of the devices: 

- date and time of connections to the Application

- account data: date and time of account creation and deletion, the IP address of the connection

 

Audit log data:

The identification of the persons concerned by the data, the identification of the persons who have accessed the data on the Platform, the date and time of access, the methods of access and modifications to the data.

 

To find out more about the processing of your personal data, please click on this link: Click here
 

(1) OIDs (Object Identifiers) are universal identifiers for physical or virtual objects or sets of objects, based on an internationalised allocation system.

 

4. WHO ARE THE RECIPIENTS?

4.1 Internal Recipients

 

In the context of your use of the Platform, MDHC employees, authorized in the performance of their duties, may have access to your data insofar as this is reasonably necessary for the purposes, and on the legal bases, defined in this policy.

 

4.2 External Recipients

MDHC undertakes not to disclose your personal data to unauthorized third parties. We will protect and consider your interests at all times. However, we may disclose your personal data to the extent reasonably necessary for the purposes for which it was collected and in accordance with the legal bases set out in this policy. In certain cases, the external recipients are as follows:


1) your healthcare professional and your healthcare team;

2) our health data host and other sub-contractors;

3) manufacturers of your medical device and/or publishers of third-party Applications;

4) the French National Health Insurance (Assurance maladie) for reimbursement of your remote monitoring costs (where applicable);

5) recipients in charge of clinical studies in diabetes research;

6) the Agence nationale de sécurité du médicament et des produits de santé (French National Agency for the Safety of Medicines and Health Products) in the event of an incident or risk of serious incident linked to the Platform being reported;

7) public authorities such as the CPAM, ANSM or CNIL and the competent legal authorities;

 

To find out more about:

1) In the context of telemonitoring, your data, particularly that concerning your state of health, is communicated to the healthcare team (GPs, specialist doctors and healthcare professionals) responsible for monitoring you and to their administrative staff. All these healthcare professionals are bound by professional secrecy.

2) MDHC uses subcontractors who may process Users' personal data in connection with the provision of the Platform. We may disclose your personal data to our suppliers or subcontractors to the extent reasonably necessary to provide the various features of the Platform. However, personal data is subject to enhanced security measures. 

In accordance with our commitments, we choose our subcontractors by checking that:

- they comply contractually with the requirements of Article 28-3 of the General Data Protection Regulation;

- their level of protection of personal data is equivalent to that of MDHC;

- they implement all appropriate measures to ensure the protection of the personal data that they may be required to process.

 

If you would like to obtain the current list of MDHC subcontractors processing your personal data, please contact us at the following address: support@mydiabby.com.

3) We may disclose your personal data to third party applications, such as medical device manufacturers or APIs, with whom you have chosen in your sole discretion to share your personal data. We will not share this data with medical device manufacturers or third party applications without your consent. Once your data is shared at your discretion, we no longer control its access, use or disclosure by the application concerned. In addition, before consenting to share data you must agree to the terms of use and privacy policy of the medical device manufacturer or third party application.

4) The Platform myDiabby Healthcare is a digital medical device reimbursed by the French National Health Insurance for the remote monitoring of Type 1 and Type 2 diabetes. Where applicable, as part of the reimbursement of your telemonitoring treatment, your data used for invoicing the Application is transmitted to the Health Insurance.

5) In the context of research and development in the field of diabetes, anonymised statistical data is used and sent to the recipients responsible for the study in compliance with the rights and freedoms of individuals. To find out more, please consult the INFORMATION IN THE FRAMEWORK OF RESEARCH AND DEVELOPMENT IN THE FIELD OF DIABETES section of this Policy.

6) Where MDHC becomes aware of an incident or risk of a serious incident relating to the Platform, it must report this to the French National Agency for the Safety of Medicines and Health Products, where appropriate. In accordance with our legal obligations, in particular the current Medical Devices Directive (93/42/EEC) and the Medical Devices Regulations in force from 26 May 2021, we may process information about you for the purposes of archiving incidents and complaints which may be made available to public authorities upon their request.

7) We may also disclose your personal data to other public authorities such as the CPAM or the CNIL where this is necessary to comply with a legal obligation to which we are subject. We may also be required to communicate information relating to the User to the competent administrative and judicial authorities in the context of legal requests.

 

5. WHERE IS YOUR DATA HOSTED?

Your personal data collected via the Platform is hosted in France on a dedicated infrastructure appropriate for hosting health data and designed to ensure its security and confidentiality in accordance with the provisions of the French Data Protection Act and the GDPR.

In this respect, MDHC has subcontracted the performance of this hosting service to an approved health data host within the meaning of the provisions of Article L.1111-8 of the Public Health Code and listed by ANS on the list of approved health data hosts: the company Avenir Télématique (hereinafter "ATE"). 

MDHC undertakes to renew the contract with ATE when it expires or to enter into a new agreement for the same purpose with another approved host of its choice.

MDHC shall in no case commit itself beyond the commitments, in particular in terms of protection of health data, subscribed by ATE towards MDHC.

 

6. ARE THERE ANY INTERNATIONAL TRANSFERS OF YOUR DATA?

If you reside within the European Union, your personal data and medical records will always be hosted within the European Union and protected by the General Data Protection Regulation (GDPR). 

We may use subcontractors based outside the European Union or the European Economic Area to outsource certain functionalities of the Platform. If personal data is transferred outside the European Union or the European Economic Area, we will always ensure that the transfer is lawful. Any international transfer of personal data will be protected by appropriate safeguards, namely the use of standard contractual clauses adopted or approved by the European Commission, an adequacy decision from the European Commission or your explicit consent.

 

7. HOW LONG IS YOUR DATA KEPT?

 

All Personal Data collected is processed and stored for a limited period depending on the purpose of the Processing and the legislation applicable to the Platform.


When using the Platform outside of remote monitoring, your data is kept according to the following archiving procedure:

  •  in the active database, until the closure of your user account; 

  • then, in an intermediate archive within the framework of a separate information system with restricted access, for six (6) years, increased, if necessary, by the duration of any litigation that may be initiated;

  • at the end of this period, your personal data will be permanently deleted. You can also choose to permanently anonymise your personal data from your account. This data may be used for research and development in the field of diabetes.

 

In the context of the use of the Platform for remote monitoring purposes, your data is kept according to the following archiving procedure: 

  • in an active database, for the period during which you are managed via the Platform by your healthcare professional or your healthcare team in charge of your follow-up, plus a period of three (3) months;

  • then, in an intermediate archive as part of a separate information system with restricted access, for ten (10) years, plus, where applicable, the duration of any legal proceedings that may be brought before the data is permanently deleted. For your information, your health data will also be stored securely by your healthcare professional or team in accordance with the legal obligation to archive medical records; 

  • For more information about the storage of your healthcare data, please contact your healthcare professional or team;

  • At the end of this period, your personal data will be permanently deleted. You can also choose to permanently anonymise your personal data from your account. This data will be used for research and development in the field of diabetes.

In any event, if your user account is inactive for more than two (2) years, it will be automatically closed. We will alert you via the e-mail address you provided prior to this closure to allow you to object to it or to allow us to archive your data for a determined and reasonable period not exceeding two (2) years, to reactivate your account in the future. At the end of this period, your data will be rendered anonymous.

In the context of processing carried out as a processor, we act solely on the instructions of our Data Controllers. We do not ourselves determine how long your personal data is kept. However, as a service provider, we may set default retention periods in order to ensure the compliance and security of our Services.

8. INFORMATION ON SHARING YOUR HEALTH DATA WITH YOUR HEALTHCARE TEAM

The healthcare professionals involved in the care of a patient via the Platform constitute a care team within the meaning of article L. 1110-12 of the French Public Health Code. 

1) The members of the care team may access your medical file, share it with each other and exchange personal information about you which they consider relevant, for the purposes of your care and to ensure the coordination and quality of care. As such, when you create a myDiabby user account, you have the option of agreeing to share your personal information and your medical record with the healthcare professional and your healthcare team involved in your remote medical monitoring.

2) Nurses may also access your data and interpret your health data as part of your remote monitoring care via the Platform.

3) Administrative staff may access your personal data as part of the administrative management of your remote monitoring care. 

You may object to your personal data being shared between the healthcare professionals and service providers involved in the implementation of remote monitoring by sending your request to this effect either directly to one of the members of the medical team, or to the following address: support@mydiabby.com.

 

9. INFORMATION ON THE REMOTE MEDICAL MONITORING OF PATIENTS' DIABETES ON MYDIABBY HEALTHCARE

Since 1 July 2023, remote medical monitoring of diabetes has been one of the medical procedures reimbursed by the French social security system (following publication of the registration order on 22/06/2023, available at this link). It is available to healthcare professionals for enhanced management of their patients.

This means that healthcare professionals can prescribe the "remote monitoring of diabetes" medical procedure "in the same way" as a physical device, for a defined period and with the patient's agreement.

As part of your remote monitoring treatment, if you are a patient, non-identifying technical and statistical data resulting from the use of the Application may be sent to public authorities when this is necessary to comply with a legal obligation to which we are subject.

 

10. INFORMATION IN THE FIELD OF DIABETES RESEARCH AND DEVELOPMENT

In the context of research and development in the field of diabetes, the processing of special categories of personal data requires us to ask for your consent when creating your account. Depending on the case, the processing is necessary for reasons of substantial public interest, or for archiving purposes in the public interest, for scientific research purposes or for statistical purposes. Anonymised data are kept for the time necessary to prepare and publish the study.

Only authorized persons complying with the rules of professional ethics applicable to their sectors of activity may access or modify the data resulting from such processing kept by MDHC. This data may not be disseminated without first being anonymised, unless this is absolutely necessary for the presentation.

Furthermore, we inform you that your personal data, once irreversibly anonymised, may be the subject of analyses and statistical studies in compliance with the provisions of the Data Protection Act and the GDPR. 

Under no circumstances will your data be used for commercial purposes. It will not be transferred or used for any purpose other than those stated in this article.

 

If you would like to know more about the use of your health data for research and development in the field of diabetes, you can contact us by e-mail at the following address: support@mydiabby.com.

To find out more about: 

Anonymised data does not constitute information that can be used to identify you and therefore cannot be traced back to you. Anonymised data may be exported, including outside the EU.  Anonymisation procedures compliant with the GDPR are used by MDHC for personal data collected within the EEA. The legal basis for this type of processing is your explicit consent.

 

11. WHAT IS OUR POLICY ON COOKIES?

A cookie is a small file stored by a server in a user's terminal (computer, telephone, etc.) and associated with a web domain (i.e. in most cases with all the pages of a single website). This file is automatically sent back when you subsequently contact the same domain.

As part of your browsing on our website, MDHC uses essential cookies, which are exempt from your consent under the GDPR. These cookies are strictly necessary for the operation and proper administration of the myDiabby showcase site, the provision of services requested by the internet user, the protection of the myDiabby Platform from computer attacks and navigation on the showcase site.

 

Retention period:

 

- Cookies for measuring system efficiency: up to 12 months 

- Cookies for security: session

- Session user identification cookies: up to 12 months

 

12. WHAT ABOUT THE DATA OF UNDER-AGE USERS?

The Platform is intended for people of all ages. For children under the age of 15, the consent of a parent or legal guardian is required to use the Platform. Users of legal age may declare beneficiaries who are minors, under their own and exclusive responsibility. However, they must inform them of the terms and conditions of access to the Platform and obtain their consent. Use of the Platform by minors is under the responsibility and control of Users holding parental authority.

 

For further information 

 

It should be noted that in France, the age required to consent alone to an information society service is 15 (article 45 of the French Data Protection Act). 

 

The minor User is under 15 years of age: 

The User holding parental authority guarantees to have provided the minor with information relating to the Platform and consent to the processing of his/her health data. 

 

The minor User is over 15 years of age: 

The minor has given his/her consent to the processing of his/her Health Data. The minor attached to the myDiabby Account of the User holding parental authority is informed that the holder of parental authority may access his/her data, including his/her Health Data, from his/her mydiabby Account.
 

13. WHAT SECURITY MEASURES ARE IN PLACE TO PROTECT YOUR DATA?

Our security measures:

We implement all technical and organizational measures to ensure the security of processing and the confidentiality of your Personal Data. 

 

In view of the nature of the Personal Data and the risks presented by the processing, we take all useful precautions (control of logical access, securing of computer channels, two-factor authentication procedures with personal and secure access via confidential identifiers and passwords, logging of connections, traceability measures, encryption, anonymisation of certain personal data, archiving procedure, physical protection of premises, etc.) to preserve the security of Personal Data and prevent it from being distorted, damaged or accessed by unauthorized third parties.

 

We regularly conduct penetration tests to monitor, evaluate and assess the effectiveness of the security measures in place.

 

We also ensure that data protection and security are taken into account in the planning and development of our Platform.

 

Security measures put in place by your healthcare professional:

Each healthcare professional who receives Personal Data in the context of your medical care undertakes to guarantee its security and confidentiality.

 

To find out more about how your healthcare professional ensures the security of your data, please contact your healthcare professional.

 

14. WHAT ARE YOUR RIGHTS?

In compliance with Applicable Regulations, you have a right to access, rectification, erasure, and portability of your data as well as a right to withdraw consent at any time (if such processing is based on consent), a right to restrict and oppose the processing of your data. 

In addition, you may set out instructions on the retention, erasure, and disclosure of your personal data after your death.

For more information on your rights, you can consult the CNIL website. (https://www.cnil.fr/fr/les-droits-pour-maitriser-vos-donnees-personnelles).
 

For any request to exercise your rights, in case of reasonable doubt about the identity of the applicant, we must verify your identity by asking you to provide us with a copy of an identity document (identity card or passport) or any other element allowing us to prove your identity.

At the healthcare professional's request, we can assist them in following up on requests made by their Patients using the Platform.

At any time, you may lodge a complaint with a supervisory authority, in particular with the Commission Nationale de l'Informatique et des Libertés (CNIL), and withdraw your consent to the processing of your data where appropriate. You can submit your complaint on the CNIL website (https://www.cnil.fr/fr/plaintes) or by post by writing to: CNIL - Service des Plaintes - 3 Place de Fontenoy - TSA 80715 - 75334 PARIS CEDEX 07.

You can exercise your rights by sending a specific request with proof of identity to the following address: support@mydiabby.com.

Find out more about my rights: 

- the right to information: you have the right to obtain concise, transparent, comprehensible and easily accessible information on the way in which we or your healthcare professional process your data and on your rights through a transparent, clear and precise personal data protection policy; 

- the right of access: you have the right to access the data processed by MDHC or your healthcare professional, and to obtain a copy;

 

- the right of rectification: you have the right to demand that your data be rectified if it is inaccurate or out of date and/or that it be completed if it is incomplete;

- the right to portability of Data whose processing is based on consent or the performance of the contract: you have the right to receive the data concerning you that you have provided to us in a structured, commonly used and machine-readable format. This only applies where processing is based on your consent or the performance of a contract; 

- the right to request a restriction on data processing: in certain cases, you have the right to request that the processing of your data be restricted, so that we cannot retain your data;

- the right to object to the processing of data: you may at any time object to the processing of your data where the processing is based on our legitimate interests, unless we have compelling legitimate grounds or the data is necessary for the establishment, exercise or defense of legal claims; 

- the right to erasure (the right to be forgotten): in certain cases, you have the right to obtain the erasure of your data; 

- the right to digital death: you have the right to define the fate of your data after your death and request that your data be registered with a trusted digital third party certified by the CNIL.

 

15. WHAT ARE OUR POLICY APPLICATION CONDITIONS?

We may modify, supplement, or update this Policy to take into account any regulatory, legal, or technical developments. You will be notified in writing by email at least thirty (30) days prior to the effective date of any major change to this Policy.

 

If you do not agree with the terms of the new Policy, we invite you to delete your user account. After this period, the new Policy will apply to all access and use of our Services.

Date of last update: 21/02/2024  

 

16. HOW TO CONTACT OUR DPO? 

If you have any questions or complaints about this myDiabby Healthcare data use policy, you can contact us at the following address:

 

MDHC - DPO, 66 avenue des Champs Elysées, 75008 Paris or at dpo@mydiabby.com
