InPen™ privacy statement
Introduction
This Privacy Statement tells you how Companion Medical, Inc. (“Companion”), a wholly owned subsidiary of Medtronic MiniMed, Inc. (“Medtronic”), and Medtronic affiliates (together with Companion referred to as “we”) protect and use information that we gather through the InPen™ App. The InPen™ App working together with the InPen™ smart insulin pen is called the InPen™ System. The InPen™ System automatically records dose size and timing of insulin doses, provides reminders if insulin is not taken, includes an insulin dose calculator with personalized settings, tracks insulin on board, and has the ability to integrate with other diabetes technologies, including a continuous glucose monitor (CGM).
This Privacy Statement describes how your personal information (including personal health information) is collected, used, stored and shared when you use InPen™ App. It also describes the rights you have regarding our use of your personal information and how you can contact us to exercise these rights.
This Privacy Statement does not apply to situations where we have notified you that an alternative Privacy Statement applies. We intend to deal with your information in a manner that is fair and in line with your expectations and encourage you to read and consider the information provided in this Privacy Statement to confirm that is the case.
For the purpose of this privacy statement, “you” means any individual that uses InPen™ App or on whose behalf InPen™ App is used, as applicable.
Who is responsible for processing your personal information?
Except as otherwise described in this Privacy Statement, the Medtronic affiliate listed in Annex 1 (at the end of the privacy statement) in your country is responsible for the processing of your personal information through InPen™ App.
Your personal information (including your personal health information) processed in InPen™ App may also be used by your health care professional in connection with your treatment and your medical files. Your health care professional is solely responsible for the processing of your personal information (including your personal health information) in connection with the provision of your medical treatment and care.
What personal information do we collect and use?
We collect, store and use your personal information (including personal health information) that you provide directly into InPen™ App or that is generated through the use of InPen™ App. The following types of personal information will be collected or otherwise processed through InPen™ App:
Account information
Accounts in InPen™ App are created for InPen™ users who are 18 years old or above or who are represented by a parent / legal guardian if they are below 18.
For all account creation, the following information is collected:
- Contact information and account details: first and last name (nickname possible at user’s discretion), email address and password
Once you create an account, the following types of information are collected through your use of InPen™ App:
- Demographic information, such as your age, gender, height, weight and (optional) photo/avatar
- Information about your diabetes care, such as your diabetes type, year of diagnosis, glucose values, insulin temperature, carbs/meals and insulin type, doses, prior insulin delivery method, therapy settings and recommendations
- Information related to your use of any linked products or services, such as a continuous glucose monitor
- Information about your use of the InPen™ (including its serial number) and InPen™ App, such as InPen™ App usage data and date of first use
Analytics data
Analytics tools such as Google Analytics for Firebase are used to collect information about the use of the InPen™ App for troubleshooting purposes and to maintain the quality of the services, as part of the services provision.
No device identifier information is collected; only the following information is collected:
- Store from which the app was downloaded and installed
- Version name (Android) or the Bundle version (iOS)
- User’s country of residence
- Brand name of the user’s mobile device (e.g., Motorola, LG, or Samsung)
- Mobile device category (e.g., phone or tablet)
- Mobile device model name (e.g., iPhone5s)
- App usage information about the first time and last time you opened InPen™ App
- Version of the device operating system (OS) (e.g., 9.3.2)
Guardian™ Connect or Guardian™ App / CareLink™ Personal data
If you use a Medtronic standalone Continuous Glucose Monitor (CGM) (Guardian™ Connect / Guardian™ App), you can view your CareLink™ Personal CGM data in your InPen™ App account by linking your Medtronic CareLink™ Personal account with your InPen™ App account. In order to establish the link, you will be required to enter, in your InPen™ App account, your CareLink™ Personal username and password. Then, the following types of information will be processed through the InPen™ App:
- CGM data uploaded in CareLink™ Personal.
The InPen™ App will generate your InPen™ reports based on data uploaded through both your InPen™ and Medtronic CGM.
For what purposes is your personal information used?
We process your personal information obtained through InPen™ App for the purposes listed below. For each purpose, the legal basis to process your personal information is specified.
1. Processing for the provision of services
InPen™ App is designed to process your personal health information in order to help track your insulin doses, get personalized recommendations, and keep an eye on the active insulin injected via InPen™ throughout the day via reports generated by the InPen™ App (“InPen™ Reports”).
We are required to obtain your explicit consent to process your personal information (including personal health information) for this purpose.
You are under no obligation to provide your consent. However, as this is related to the primary function of InPen™ App, we cannot provide InPen™ App without your explicit consent. If you do not provide your consent, InPen™ can still be used to dispense insulin but no data functions will be made accessible.
We also process your personal information (including personal health information) in order to provide you with customer and product support such as technical and operational support to help you resolve problems, issues or questions regarding InPen™ App. We do so based on our legitimate interests in ensuring high standards of quality and safety, and where applicable, to comply with our obligation as a manufacturer of medical devices.
2. Processing for statistical analysis to contribute to the improvement and development of products and services and overall improvement of therapy management
We intend to further research and develop new products and services for diabetes management and improve existing products and services (including InPen™ System-related services as well as to develop marketing materials and improve training, education and support programs), investigate and document outcome and device safety, as well as to improve therapy management and treatment overall. For this purpose, we would like to create and use statistics calculated from your personal information (including personal health information).
Outcomes of statistical analysis will be based on aggregated data which does not contain any information that can be used to directly identify you, although this does not completely exclude that possibility.
We ask for your explicit consent to process your personal information (including personal health information) for this purpose. Please note that such consent is voluntary and that you will not be stopped or prevented from accessing InPen™ App if consent is not provided.
3. Processing for the provision of services when linking with Medtronic CareLink™ Personal
We also ask for your explicit consent to link your Medtronic CareLink™ Personal account (if any) with your InPen™ App account.
You are under no obligation to provide your consent. Please note that such consent is voluntary and that you will not be stopped or prevented from accessing InPen™ App if your consent is not provided.
4. Processing necessary to comply with a legal obligation
We process your personal information (including personal health information) to comply with our vigilance and post-market surveillance obligations.
Operations in InPen™ App may require monitoring of the safety and reliability of the app under applicable regulations. If we detect potential abnormalities, we are required by law to notify you and/or regulatory authorities and to inform you of any remedial action. Therefore, we process your personal information to comply with a legal obligation.
Your personal information is processed for this purpose as it can be necessary to ensure high standards of medical devices. Where sufficient to meet the legal obligation, we will use your personal information in a way that does not directly identify you.
5. Processing for the establishment, exercise or defense of legal claims
We may process your personal health information where necessary for the establishment, exercise or defense of legal claims or in the case where courts are acting in their judicial capacity. Should we do so, your personal information for this purpose will be processed based on our legitimate interests.
How is your personal information protected?
To protect your personal information (including personal health information), we maintain appropriate administrative, technical and organizational safeguards. The appropriate safeguards include individual user accounts to which access is only granted with a valid username and password.
Your personal information is encrypted when it is processed in InPen™ App. The InPen™ App server is continuously monitored for potential attacks or intrusions. We regularly review our policies and procedures, and the physical environment of our equipment to improve the technical and organizational measures taken in regard to security measures with the aim to protect your personal information (including personal health information) against accidental, unlawful or unauthorized disclosure, alteration or destruction.
Sharing your personal information
We do not share your personal information (including personal health information) collected through InPen™ App except as described below.
With your health care professional
With your explicit consent, your InPen™ reports may be shared with your health care professional via CareLink™ system, upon your health care professional’s request, providing the following conditions are met:
- Your CareLink™ Personal account is linked with your InPen™ App account, and
- Your CareLink™ Personal account is also linked to the CareLink™ system account used by your health care professional.
With our service providers
In the ordinary course of business, we will share your personal information (including personal health information) with third-party service providers who perform services on our behalf and only based on our documented instructions, including our hosting service provider.
With other Medtronic companies
We may also share your personal information (including personal health information) with our affiliates as described below.
1. Recipients associated with processing for the provision of services and where applicable linking with CareLink™ Personal
Companion Medical, Inc (with its registered address at 12230 World Trade Drive, Suite 100, San Diego, CA 92128, United States) is the legal manufacturer of InPen™ App, and as such may be requested by the Medtronic local affiliates (listed in Annex 1, at the end of the privacy statement) to provide assistance with technical and operational support.
If you choose to share your personal data with healthcare professionals in the context of your medical treatment or with other parties external to Companion or Medtronic, they will be solely responsible for their own use, or further processing, of your personal data.
2. Recipients associated with processing for statistical analysis to contribute to the improvement and development of products and services and overall improvement of therapy management
Companion Medical, Inc will develop reports based on aggregated statistics collected from your personal information (including personal health information). Such reports may be used to support the activities connected with research and development, to contribute to the improvement and development of products and services and/or to develop marketing and promotional materials which may be used during presentations and conferences.
Reports may also be shared with affiliated local Medtronic entities to support such activities about improvement and development of products and services and/or development of marketing and promotional materials at the local level.
3. Recipients associated with processing necessary to comply with a legal obligation
In accordance with the applicable laws governing medical devices, certain vigilance and post marketing surveillance obligations are imposed on the manufacturer and its legal representative which imply the processing of your personal information (including personal health information). Any processing of your personal information to comply with a legal obligation will be done in compliance with the requirements as prescribed by the legal obligations.
Your personal information (including personal health information) may also be shared with regulatory bodies or governmental agencies under such legal obligations.
For users located in the European Economic Area, European Union, Cormedics Medizintechnik GmbH based in Bahnhofstrasse 32, 82041 Deisenhofen Germany has been appointed by Companion Medical, Inc to be its legal representative under the Medical Device Regulation. Your personal information (including personal health information) may be shared with Cormedics Medizintechnik GmbH for vigilance purposes, in accordance with the Medical Device Regulation.
With competent public authorities
We may share your personal information (in a way that does not directly identify you) with regulatory bodies to support regulatory filings, where applicable. We may also share your information with competent law enforcement agents or representatives, governmental agencies or bodies, including competent data protection authorities, to comply with any reasonable request from those authorities, in which case the processing will be limited to what is minimally required to comply with the request.
We also reserve the right to transfer personal information we have about you in the event we sell or transfer all or a portion of our business or assets. Should such a sale or transfer occur, we will use reasonable efforts to direct the transferee to use the personal information you have provided to us in a manner consistent with this Privacy Statement. Following such sale or transfer, you may contact the entity to which we transferred your personal information with any inquiries concerning the processing of that personal information.
Cross border data transfers
Your personal health information processed in InPen™ is stored in servers located within the European Union, more specifically in the Netherlands and Belgium. There is only a very limited transfer of your personal health information to the United States of America, if any. More precisely, such transfer would occur on a single user case for technical support requests or for legal reporting obligations.
Your contact information and account details are stored in the United States of America.
For users located in the European Economic Area, European Union, United Kingdom or Switzerland, the processing of your personal information in a country for which there is no adequacy decision will take place based on the European Commission standard contractual clauses or one of the other transfer mechanisms foreseen by the European Union General Data Protection Regulation 2016/679. If you wish to receive a copy of the mechanisms used for cross border data transfers, please contact us as specified in the “Contact us” section below.
How long is your personal information retained for?
We keep your personal information (including personal health information) for so long as necessary to fulfill the purposes for which we are allowed to use it, as set out in this Privacy Statement.
What are your rights concerning your personal information?
Subject to applicable laws, you have the following rights with respect to the processing of your personal information as described in this Privacy Statement:
- to request access to your personal information. You can exercise this right directly through your InPen™ App account. Alternatively, you can contact us as explained below.
- to withdraw - at any time - any consent you previously provided to us. If you do so, this will not affect the lawfulness of data that have been processed before you withdrew consent. Note that if you withdraw the consent requested to provide you with the InPen™ App services, we will no longer be able to provide you with the services connected to the InPen™ App;
- to ask us to rectify any inaccurate information about yourself or to complete any information you deem incomplete. You can exercise this right directly through the InPen™ App by correcting your information in the settings of your InPen™ App account. Alternatively you can contact us as explained below. Please be informed that we can ask you to demonstrate that the personal information you want to correct is indeed erroneous;
- to obtain your personal information you provided to us based on your consent in a way that is accessible and machine-readable and to request us to transfer such data to another organization;
- to ask for the deletion of your personal information that is being processed or retained by us, when this personal information is no longer necessary in light of the purposes explained above and there is no legal or regulatory obligation which obliges us to keep it;
- to ask us to restrict the processing of your personal information if and when (a) you contest the accuracy of the information, (b) the processing is illegitimate and you request the restriction of its use instead of its deletion, or (c) your personal information is no longer needed for the purposes which are outlined above, but you need it in judicial proceedings;
- to object to the processing of your personal information based on our legitimate interests.
Where applicable, in accordance with local law, you have the right to lodge a complaint with a Data Protection Authority in case you are not satisfied with our response.
Updates to this Privacy Statement
This Privacy Statement will be reviewed and updated periodically to reflect changes to our privacy practices or relevant laws. We will notify you of any significant changes and indicate at the top of this Privacy Statement when it was most recently updated.
Contact us
If you wish to exercise any of your data protection rights or if you have any questions regarding the processing of your personal information (including your personal health information) in accordance with this Privacy Statement, you can contact our Data Protection Officer at the following e-mail address: rs.privacyeurope@medtronic.com.
Annex 1
List of local entities
Please find your location below for the details and contact information of the local entity in your country.
Austria:
Medtronic Austria GmbH
Millennium Tower,
Handelskai 94-96,
A-1200 Wien, Vienna
rs.privacyeurope@medtronic.com
Bahrain:
Medtronic Meta FZ-LLC
Office Park, Block D, 2nd floor | P.O. Box 500638
Dubai,
United Arab Emirates
rs.privacyeurope@medtronic.com
Belgium:
N.V. Medtronic Belgium S.A.
Burgemeester E. Demunterlaan 5 /
Avenue du Bourgmestre E. Demunter 5
Brussel / Bruxelles 1090
België / Belgique
diabetes.benelux@medtronic.com
rs.privacyeurope@medtronic.com
Czech Republic:
Medtronic Czechia s.r.o
Prosecká 852/66,
190 00 Prague 9,
Czech Republic
zakaznicky.servis@medtronic.com
rs.privacyeurope@medtronic.com
Denmark:
Medtronic Danmark A/S
Arne Jacobsens Allé 17,
DK-2300 København S,
Denmark
kundeservice@medtronic.com
rs.privacyeurope@medtronic.com
Finland:
Medtronic Finland Oy
Hitsaajankatu 20, PO Box 230,
FI-00811 Helsinki,
Finland
tilaukset.suomi@medtronic.com
rs.privacyeurope@medtronic.com
France:
9, Boulevard Romain Rolland
75014 PARIS
France
contactfrance@medtronic.com
rs.privacyeurope@medtronic.com
Germany:
Medtronic GmbH Geschäftsbereich Diabetes
Earl-Bakken-Platz 1,
40670 Meerbusch,
Germany
minimed.germany@medtronic.com
rs.privacyeurope@medtronic.com
Greece:
Medtronic Hellas S.A.
5, Ag. Varvaras str., 15231 Halandri,
Athens,
Greece
rs.privacyeurope@medtronic.com
Republic of Ireland and Northern Ireland:
Medtronic Ireland Ltd
Unit GA, Swords Business Campus, Balheary Road,
Swords,
Co. Dublin,
Ireland
csd.ireland@medtronic.com
rs.privacyeurope@medtronic.com
Israel:
Medtronic Israel LTD
Hamada 10,
Herzeliyya, 46733,
Israel
rs.privacyeurope@medtronic.com
Italy:
Medtronic Italia S.p.A.
Via Varesina 162,
20156 Milano,
Italia
rs.privacyeurope@medtronic.com
Kuwait:
Medtronic Meta FZ-LLC
Office Park, Block D, 2nd floor | P.O. Box 500638
Dubai,
United Arab Emirates
rs.privacyeurope@medtronic.com
The Netherlands:
Medtronic Trading NL BV
Larixplein 4
5616 VB Eindhoven
The Netherlands
diabetes.benelux@medtronic.com
rs.privacyeurope@medtronic.com
Norway:
Medtronic Norge AS
Vollsveien 2 A,
Postboks 458,
1327 Lysaker,
Norway
bestilling@medtronic.com
rs.privacyeurope@medtronic.com
Poland:
Medtronic Poland Sp. Z o.o.
Ul. Polna 11,
00-633 Warszawa,
Poland
diabetes.help@medtronic.com
rs.privacyeurope@medtronic.com
Qatar:
Medtronic Meta FZ-LLC
Office Park, Block D, 2nd floor | P.O. Box 500638
Dubai,
United Arab Emirates
rs.privacyeurope@medtronic.com
Romania:
Medtronic Romania Baneasa Business & Technology Park
Șos. Bucuresti-Ploiești nr. 42-44 Cladirea B,
aripa B2, Etaj 2 013696, Sector 1,
București,
Romania
rs.privacyeurope@medtronic.com
Slovakia:
Medtronic Slovakia, O.Z.
Karadžičova 16,
821 08 Bratislava,
Slovakia
objednavka@medtronic.com
rs.privacyeurope@medtronic.com
Slovenia:
Medtronic d.o.o
Ameriška ulica 8,
1000 Ljubljana,
Slovenia
rs.privacyeurope@medtronic.com
South Africa:
Medtronic South Africa
54 Maxwell Drive,
North Woodmead Office Park,
Woodmead, Gauteng,
South Africa
rs.privacyeurope@medtronic.com
Spain:
Medtronic Ibérica. S.A.U
VAT nº: A-28389484
Calle de María de Portugal 11
28050 Madrid,
Spain
rs.privacyeurope@medtronic.com
Sweden:
Medtronic AB
Isafjordsgatan 1,
Box 1034,
164 21 KISTA,
Sweden
rs.privacyeurope@medtronic.com
Switzerland:
Medtronic (Schweiz) AG / Medtronic (Suisse) SA
Talstrasse 9,
3053 Münchenbuchsee,
Switzerland
rs.privacyeurope@medtronic.com
United Kingdom:
Medtronic UK Ltd
Building 9, Suite 4, Croxley Green Business Park,
Watford, WD18 8WW,
United Kingdom
rs.ukdiabetesproductsupport@medtronic.com
rs.privacyeurope@medtronic.com