Our privacy notice

Privacy, security, and safety first.

Effective Date: 01-Jan-2021
Last Updated: 23-Mar-2024

Overview of Personal Data Processing

(Full details and policy below)

Data controller, data protection officer (DPO) and data protection representative
  • Controller: Elfie Pte. Ltd., located at Wishart Road, #05-27, The Foresta @ Mount Faber, Singapore 098752.
  • DPO: [email protected]
  • EU / Turkey Representative: Prighter Group (Maetzler Rechtsanwalts GmbH & Co KG – address in EU Schellinggasse 3/10 1010 Vienna Austria).

For what purposes does Elfie process personal data?

Personal data (including health data as consented) is processed to/for:

  • Provide the products and services in the context of the Elfie App (including gamification features).
  • Product improvement.
  • Marketing purposes.
  • Scientific and Enforcement purposes.
  • Anonymisation and aggregation purposes.

The Elfie app is designed with user well-being in mind and is not intended to process or collect data in the context of medical care, medical monitoring or diagnostics.

What are my rights?

You have the rights of access, rectification, erasure, objection, data portability and restriction of processing. You can also revoke your consent, where granted, at any time.

You can exercise these rights at [email protected].

Is data obtained from third party sources?

No personal data is obtained from third-party sources.

Where can I obtain more information on the processing of personal data?

Below you will find full information on the processing of your personal data including, among others, retention periods, right to claim before supervisory authorities, information on international data transfers, sharing of data, categories of data processed, processors and security measures and country specific provisions.

1 • Introduction

Data Controller

Whenever this Privacy Notice refers to “we” or “Elfie” it means Elfie Pte. Ltd., located at Wishart Road, #05-27, The Foresta @ Mount Faber, Singapore 098752 and registered in Singapore under registration number 202035381C. Elfie is the stated responsible entity and data controller under the data protection regulations. In other words, we are the company that decides on the purpose and means of processing your personal data (“User Data”) and is therefore responsible for its security and compliance with the applicable laws. Section 2 of this Privacy Notice contains detailed information on the necessary processing of your personal data.

The basis for this Privacy Notice is the General Data Protection Regulation of the European Union (“GDPR”, Regulation (EU) 2016/679); if your country of residence foresees additional or varying requirements, you can find information on those in section 10 of this Privacy Notice.

This Privacy Notice applies to User Data processed in connection with our products and services. As the responsible entity we are subject, for example, to information requirements that we wish to fulfil in connection with this Privacy Notice. We also provide additional information within our products, e.g. we may ask you for a new consent or explain the consequences of revocation. The information in our products does not contradict this privacy notice, but rather supplements it with brief and easily readable information so that you can make decisions more easily. This Privacy Notice and the additional information are easily accessible at any time from within our products and on our website.

Structure

This Privacy Notice informs you about the purposes and scope of processing your User Data, data transfers, as well as your extensive rights. We only process User Data as health data with your consent. We differentiate as follows:

“Necessary Processing of Personal Data” describes how we process your User Data which is required to fulfil the contract and to provide our services to you. The processing of your personal data is required for this purpose.

“Processing for Product Improvement” explains how you can help us and other users, with your optional consent, by allowing us to use your data in particular to develop algorithms for therapy management, improve the product and so forth without us contacting you for advertising purposes etc. You can also use our products without giving us this consent - but your consent improves the database in the interest of all users so that we can improve our product more quickly. See more details below.

“Processing for Marketing Purposes” describes how we contact you for marketing purposes, with your optional consent, e.g. by email, notifications etc. Here too you may use the products without consent but with your consent you will receive valuable information on our products or if, for example, your health insurance company covers new services.

Under the “General Information” section below we have assembled the information that applies to all of the above.

The above mentioned categories are described in more detail below. You may learn about how we process your personal data and provide the relevant consents (where applicable) upon registration, upon request (e.g. during a pairing process) or later via the account settings. Where consent is granted, you may revoke it at any time via the account settings or by sending an email to [email protected].

2 • Necessary Processing of Personal Data

Based on the performance of the contractual relation established with you upon registering in the App, we will process your User Data listed below in order to be able to provide our services. If you do not allow this necessary processing, you cannot use the services of Elfie. You may select which services you want during the registration process and manage them in the account settings.

In order to protect your User Data, our services can only be used in connection with a user account. To CREATE A USER ACCOUNT we require, collect and process the following User Data:

  • Personal or work Email address (work email only relates to ElfieWorks app version)
  • Password (which we store in cryptographically secure form)
  • Account ID (which we generate during account creation)
  • Registration date
  • Status of consents
  • Device ID, manufacturer, device type, operating system version of your mobile device
  • Language, country, time zone
  • IP address

Your Personal / Work Email address, in connection with your chosen Password is necessary to create and maintain an account and create an Account ID when you register in our apps as well as to provide you with a secure way of logging into your account.

Your Personal / Work Email Address is also used to communicate with you where this is required to support or troubleshoot our products. One purpose is the Elfie user support service, which you can contact at [email protected]. The information and personal data you wish to exchange with our user support service is solely your decision and we will never require any personal data which is not necessary to provide you with the information or support you request. Communication with you may be necessary, either by email, in-app message or push notification, in order to inform you about updates to our products and services or provide you with important security advice as well as assistance associated with your usage. This support communication - as an essential part of our products - is sent to you regardless of whether you have subscribed to our Newsletter or not, and is not marketing related.

When you install and use our app, we also collect information on the device you are using and generate crash and bug reports if required. This is necessary for us to troubleshoot and determine the circumstances of a potential problem. We record key data of your device and your usage behaviour as our contractual fulfilment, as well as to customise our products. This includes processing individual user information, such as your location, health conditions and objectives, for instance to configure the user interface. An automated analysis of your user behaviour is performed exclusively for the purpose of customising your use when fulfilling the contract and has no legal effect for you.

We also process your IP address to assess from which country or region you are using our services and to provide you with the features and information that are relevant in your country. Your IP address is also used to determine the data storage location for your account.

Your Work Email Address (only for ElfieWorks version of App) is necessary to validate and activate access to ElfieWorks services provided to you by your employer. It is also used to send ElfieWorks-specific information (e.g. company events and activities).

We finally process your Research Patient ID to customise our products to the research studies in which you elected to participate.

3 • Personal data provided in the context of App services

Also based on the performance of the contractual relationship established upon onboarding the App, we process the following:

General Data - to be able to address and contact you in a suitable way. It includes:

  • First Name
  • Year of Birth
  • Biological Sex at birth
  • Mobile Phone Number (this is not mandatory but advisable for account retrieval and security)
  • Weight and height
  • Comments to articles in the Community Feed (this is not mandatory but part of the App’s functionality)
  • Email and telephone number of friends / family in the context of refer-to-a-friend or contact family supporter practices. In these cases, please obtain the consent from the recipients before sharing any personal data from them and inform them about this privacy policy.
  • Image (this is not mandatory).

Health Master Data -
This data is collected and processed in order to be able to provide a personalised application experience. You would have explicitly consented to the use of health data, and remember that you decide the amount and type of data you want to provide us with. It includes:

  • Chronic Diseases and Type
  • Blood Glucose Target Range
  • Cholesterol Goal
  • Blood Pressure Readings
  • Blood Glucose Meter / Therapy Device
  • Medication
  • Basal Settings
  • Correction Factors

Gamification and Usage Data -
This data is collected and processed in order to store and retain necessary information in case you participate in the Elfie gamification services (e.g. rewards, charities, lucky draws, fortune wheel, company challenge…). It includes:

  • App Store Download Information
  • Vouchers Redeemed
  • Charity Donations
  • Prize Won
  • Browser Type and Version
  • Activity Events for Customization
  • Support Queries

Health Data
This data is collected and processed in order to be able to deliver the service which is offered by the Elfie app. You would have explicitly consented to the use of health data, and remember that you decide the amount and type of data you want to provide us with. It includes:

  • Date, Time, Time Zone, Place, Type and Duration of Physical Activities
  • Food Intake / Meal / Ingredients
  • Pills taken
  • Blood Glucose Measurements
  • Blood Pressure Measurements
  • Cholesterol Level Measurements
  • Chest Pain Crisis Report
  • Notes
  • Body Weight, Height
  • HbA1c
  • Steps
  • Images / Photos
  • Medication
  • Tags
  • Values imported from 3rd Party Apps
  • Sensor data, such as start date/time, end date/time, time zone, sensor value, sensor type
  • Temporary basal rate and date
  • App settings such as display options, activated integrations
  • Calories burnt and sleep data from other Health Apps
  • Coaching data such as status, targets, other illnesses

The scope of the personal data processed by Elfie depends on your registration and the use of our products. We only process User Data that you actively and voluntarily provide to Elfie. The entry of requested User Data is however a requirement for the comprehensive use of our products. If you do not enter optional data the associated functionality of our products is limited accordingly. 

If you pair Therapy Devices (e.g. blood pressure monitor, blood glucose monitor...) with your mobile device, data is being transferred between those devices and our apps. In those cases, only the data relevant for the operation of the device is being transmitted or imported into our apps.

When pairing a therapy device via Bluetooth ®, certain mobile devices require access to your location for the pairing process. If this is the case, you will be asked to allow access to the location. The purpose is to enable the therapy device to be detected through Bluetooth ®. This access is only necessary for the pairing action from a technical point of view; Elfie will not process your location for this purpose.

You can optionally activate synchronisation between our apps and Health Apps, such as those by Apple (HealthKit) or Google (Google Fit), and other connected services, which enables data to be exchanged between our apps and those Health Apps. This synchronisation only takes place if you activate this in the settings of our apps and configure the data that is being exchanged.

In addition to the User Data you provide voluntarily, there is also the option of independently activating or deactivating the recording of certain data in the settings of our apps and other software of your device (e.g. operating system, other apps, app stores etc.). If you have questions, please contact [email protected].

4 • Processing for product improvement

Elfie would also like to use the data you provide via the Elfie app to continuously improve and innovate our portfolio by gathering insights, detecting patterns, generating real-world evidence and developing predictive algorithms from health data. Such innovations will be used for decision support with the objective to further improve medical outcomes and the quality of life of people with chronic conditions. This information is obtained via cookies and/or similar technologies.

We will only use your data and any additional data, as detailed below, if you provide us with your express consent. You can give and revoke your consent for the processing for product improvement at any time, in your account settings within our apps.

Additional data

In general, we use the same User Data to improve our products as stated in sections 2 and 3 avoiding any use of health data for marketing purposes. In addition, Elfie may also record the following User Data:

Usage Data - We record Activity Events, not necessarily related to the delivery of our services, which allow us to understand how you use our products. This enables us to assess how our products are used and to constantly improve our services.

Purpose of product improvement

As a result of fast-paced technological progress, we have to constantly analyse, develop, test, and improve our products and their interactions, in order to ensure that our content benefits users in the most effective way. To achieve this, we conduct usage and security tests and the knowledge gained is incorporated into improved new versions of our products. These improvements are also provided to you via frequent app updates.

5 • Processing for marketing purposes

5.1. Newsletter

We would like to send you, by email, interesting information on products and services in addition to the contractual scope, including information from carefully selected partners, and invitations to participate in surveys or other clinical research studies (“Newsletter”).

We will only process your personal data for this purpose and send you Newsletters if you actively consent and subscribe. You can revoke your consent at any time, via the link in every Newsletter or in your account settings in our apps.

5.2 Other types of marketing

Other consents, e.g. for surveys, notifications, or customised offers, are obtained as required when you are logged in. We always explain to you why we need certain data and also how you can revoke the consent.

From time to time we may also show you offers within the app without processing your personal data. These non-customized advertisements will also be shown to you if you have not provided your consent for processing your personal data for marketing purposes.

6 • Usage for scientific and enforcement purposes – anonymous data

6.1 Scientific research and statistics

Elfie is committed to the science of all aspects of chronic disease management. Therefore, anonymous data from User Data may also be used for the purposes of research and statistics (always whilst complying with the recognized ethical scientific standards) and internal analyses. This is used mainly to determine and improve the effectiveness of techniques for controlling and treating chronic conditions. The legal basis for the anonymisation process consists in the legitimate interest (art. 6.1.f GDPR) in scientific research and statistical purposes (after carrying out a balancing test to ascertain that such interest is not overridden by users’ rights and freedoms) in conjunction with Article 9 (2) j) of the GDPR which provides for processing of special categories of personal data such as health data for scientific research and statistical purposes. We will always make sure that all User Data is properly anonymised before it is used for those purposes. 

Anonymised data is not subject to EU personal data protection regulations.

In this context, Elfie is committed to supporting the stakeholders involved in the prevention, diagnosis, and management of chronic diseases. Therefore, such anonymous data may also be shared or sold to third parties (e.g. Health Care Organisations, Health Care Professionals, Pharmaceutical companies, Pharmacies, Insurance Companies, Employers), in respect of all applicable data privacy & protection regulations, for the purposes of public health research, scientific and marketing publications, and performance management.

6.2 Enforcement of rights

The use of personal data may also be necessary to prevent abuse by users or to assert, exercise, or defend legal claims. We may be forced into disclosure due to binding laws, court or official decisions and instructions, criminal investigation, or in the public interest. In such cases, the storage and processing of your data is permitted by law without your consent. The legal basis is our legitimate interest (art. 6.1.f GDPR) in protecting the due use of the App and our rights (after carrying out a balancing test to ascertain that such interest is not overridden by users’ rights and freedoms) in conjunction with Article 9 (2) f) GDPR.

7 • General information

7.1 Purpose limitation and security

Elfie uses your personal data exclusively for the purposes determined in this Privacy Notice and the relevant consents. We ensure that each processing is restricted to the extent necessary for its purpose.

We always guarantee adequate security and confidentiality of your personal data. This covers protection from unauthorised and illegal processing, unintentional loss, unintentional destruction or damage using appropriate technical and organisational measures. We use strict internal processes, security features, and the latest encryption methods, always taking into account state-of-the-art technology.

7.2 Data Processors

Our products are subject to complex processes that we have to manage and keep up-to-date. For technical support we therefore use third-party suppliers (“Data Processors”) in order to offer a comprehensive and optimal use of our products to you. The categories of Data Processors are listed in more detail in section 8.5.

Elfie transfers User Data to Data Processors exclusively within the framework of this Privacy Notice and only to fulfil the purposes stated within. Data Processors work according to our specifications and instructions; they are not permitted to use the personal data of our users for their own or other purposes.

We use Data Processors offering sufficient guarantees that suitable technical and organisational measures are undertaken in a way that the processing of personal data complies with the statutory requirements and our Privacy Notice. The protection of the rights of our users is ensured by concluding binding contracts that meet the strict requirements of GDPR.

Third-party suppliers appointed by Elfie may only use other processors (subcontractors) with our prior consent. If a subcontractor does not comply with the same data protection obligations and all of the appropriate security measures that we impose on our Data Processors, we will prohibit the use of such a subcontractor.

7.3 Encryption, pseudonymization, and anonymization

Each transfer of personal data, without exception and by default, is encrypted during transfer. Using HTTPS (hypertext transfer protocol secure) we ensure that your data is not intercepted by unauthorised third parties.

In addition, for the purposes of data security and minimization, we also use other processes for the encryption and pseudonymization of User Data. This depends on the type, scope, and purpose of the relevant data processing and takes into account the latest technology. For example, we only disclose or transfer User Data that a Data Processor requires to carry out their tasks.

When a contractual relationship with a Data Processor is terminated, such Data Processor must, at Elfie’s discretion, either return all User Data or delete it if there are no statutory retention obligations.

Data that requires no personal reference for processing (e.g. for research and analysis) is subject to anonymization. This is done in a way that irreversibly prevents, both directly and indirectly, a connection or attribution to a specific Data Subject in all cases.

7.4 EU and Third Countries

We primarily select Data Processors which are based in or whose servers are located in Singapore, the European Union (EU) or the European Economic Area (EEA).

In exceptional cases we may appoint third-party suppliers who are located in or who have servers outside of Singapore or the EU. However, even in these cases your personal data is subject to an equally high protection level in line with the GDPR (including third parties in Singapore) – either through an EU adequacy decision, which considers data protection in certain third-party countries to be appropriate, or through the Standard Contractual Clauses approved by the European Commission, which the contractual relationships with our contracted Data Processors are based on, or through comparable legal instruments permitted under the GDPR after due assessment of the recipient country context. A copy of such guarantees or information on these can be requested via [email protected].

Furthermore, we ensure that our Data Processors have additional security standards in place, such as individual security measures and data protection provisions or certifications under the GDPR.

7.5 Categories of Data Recipients

Our cooperation partners are bound by the agreements signed with Elfie as well as by the GDPR and only process data according to our instructions. We provide our users’ data only to fulfil the respective contract:

Customer support services and their tools help our User Support to quickly and efficiently handle our users’ inquiries. Here, for example, queries are recorded from various communication channels and grouped according to topics using ticketing systems.

Analysis service providers and their tools help us to understand how users use our products in order for us to provide customised communication and product improvements in the future. 

Marketing service providers support us in creating, sorting, customising, and sending newsletters, emails, and other messages about our products to our users.

Hosting and cloud services and their tools are used to store data and to produce anonymized analyses (see section 8.3 above).

Certain functions within our app, such as Elfie coach, allow you to share certain User Data directly with a third party from within our products. In this case you decide at your discretion which data you share with which party at what point in time. Therefore such data transfers are solely your responsibility.

7.6 Storage and deletion

Your User Data is stored on your device as well as on our servers. The servers’ location where your User Data is being stored is Singapore. We reserve the right to migrate and store User Data on servers in the European Union for European citizens and residents. Regardless of the storage location we ensure that the high protection level pursuant to the GDPR is guaranteed at all times; this applies to data at rest, but also to data that is stored temporarily at a different location or is transferred for processing.

Elfie only stores your personal data for the duration of the contract and / or until you delete the information or account via Settings. In some cases, longer storage may be required in order to fulfil post-contractual obligations or to comply with statutory obligations or disclosure duties, or to assert, exercise, or defend legal claims. Personal data that needs to be retained for this purpose is transferred to a separate archive storage and is not used for any purpose other than the purpose of retention unless it is required by law. Where users remain inactive for a period of 5 years, Elfie will initiate actions to delete the account following GDPR obligations.

Personal data recorded/stored in paper documents is destroyed by shredding those documents. Personal data stored in the form of an electronic record is deleted using a technical method which does not allow reproducing the record.

7.7 Technical and Organisational Measures

Administrative measures: security & compliance officer, a data protection officer, asset management, regular employee training, development principles

Technical measures: Access control, password policy, backup policy, disaster recovery process, security updates/patch policy, infrastructure and network policies and processes, infrastructure penetration testing, infrastructure monitoring, data encryption in transport and at rest

Physical measures: Physical access control

7.8 Minors

You must be at least 18 years old (or such greater age required in your country) to register for our Products. We are committed to protecting the privacy of children. As such, we do not intentionally collect data from users under the age of 18 years old in connection with our general purpose website(s), app(s) or other services. If you are the parent or guardian of a child under the age of 18 who has submitted information through this Site, please email us at [email protected] in order to request deletion.

7.9 Data protection officer

Our Data Protection Officer is available to answer all questions regarding the processing of your User Data and data protection at Elfie. You can contact our Data Protection Officer via [email protected]. Our Data Protection Officer monitors compliance with all data protection regulations and is subject to strict statutory secrecy and confidentiality obligations.

Our Data Protection Officer is widely involved in all topics associated with protecting the personal data of our users. As a trained expert, our Data Protection Officer monitors our processing on an ongoing basis, informs and regularly advises the entire Elfie team in order to ensure the best possible protection of your User Data.

7.10 Changes

Technology and processes used for our services as well as data protection legislation are constantly being developed. Therefore we will have to undertake changes in our products and services from time to time. We will inform you of any changes in this Privacy Notice via appropriate means and with an advance notice period. If necessary we will ask you for new consent before further processing your personal data.

8 • Your rights

Elfie would like to make sure you are fully aware of all of your data protection rights. In case you want to exercise any of your rights, please contact us at [email protected]. You may also exercise some of these rights directly through Elfie’s App (via Settings).

In general, if you make a request to Elfie, we will provide you with your requested information as quickly as possible, at the latest within one month, or within any shorter period in case the local data protection regulations in your country require a shorter period. You can find more information on those local provisions in section 9 of this Privacy Notice.

Every user is entitled to the following:

8.1 The Right to Access

You have the right to request a copy of your personal data as well as all information relating to the processing of your personal data. This includes information on whether or not we are processing your personal data, the processing purposes, data and recipient categories, storage time, origin of your personal data, and your rights under the data protection regulations. You can find all of this information in this Privacy Notice and you can also contact us at [email protected].

8.2 The Right to Rectification

You have the right to request that Elfie correct any information you believe is inaccurate. You also have the right to request Elfie to complete any information you believe is incomplete. You can correct or complete most of your personal data yourself within our App’s settings and you can also contact us at [email protected].

8.3 The Right to Erasure

You have the right to request that Elfie erase your personal data. However, please be aware that we will have to retain certain personal data even after you have requested the deletion to comply with statutory obligations. You can erase most of your personal data yourself within our App’s settings and you can also contact us at [email protected].

8.4 The Right to Restrict Processing

You have the right to request that Elfie restrict the processing of your personal data, under certain circumstances, for example for the duration of any investigation review that you have requested, by contacting us at [email protected].

8.5 The Right to Object to Processing

You have the right to object to Elfie’s processing of your personal data, under certain circumstances and where the processing is based on the legitimate or public interest, by contacting us at [email protected].

8.6 The Right to withdraw your consent

If we process your personal data based on your consent, you may revoke the consent at any time. However, revoking your consent will not affect the lawfulness of the processing before the revocation. We will continue to provide our services if they do not depend on the consent that has been revoked. In many cases, you can revoke your consent yourself within our App’s settings and you can also contact us at [email protected].

8.7 The Right to Data Portability

You have the right to request that Elfie transfer the data you have provided to us to another organisation, if this is technically feasible, or directly to you, in electronically readable, commonly used and structured form.

8.8 Complaints

If you feel we are not protecting your data protection rights adequately, please contact us at any time at [email protected] or contact our data protection officer directly at [email protected]. We will handle your request immediately.

You can also file a complaint before data protection supervisory authorities (see here: https://edpb.europa.eu/about-edpb/about-edpb/members_en).

9 • Country specific provisions

9.1 EU countries and Turkey

Privacy Compliance within Europe: To ensure our compliance with Article 27 of the GDPR within the European Union market, we have appointed Prighter Group (Maetzler Rechtsanwalts GmbH & Co KG – address Schellinggasse 3/10 1010 Vienna Austria) as our privacy representative and GDPR point of contact.

Privacy Compliance within Turkey: In compliance with the Turkish Personal Data Protection Law (KVKK), we have additionally appointed Prighter Group in Turkey, as our privacy representative and point of contact for the Turkish market.

Contact for Exercising Data Subject Rights: Through Prighter, you can easily exercise your privacy-related data subject rights under the GDPR, KVKK, or other applicable law (e.g. requests to access, update or erase personal data). For any EU, Turkish or data subject rights inquiries via our appointed representatives, please visit https://prighter.com/q/18718275968

9.2 Singapore, Hong Kong, Vietnam, Brazil, and other countries

To uphold data privacy rights and serve as a point of contact for data subject requests across our other country markets, we have appointed Andy Prakash, Chief Data Privacy & Protection Officer, as our central privacy representative.

You may exercise your privacy rights under applicable law without fear of discrimination. To request access to, change, restrict processing, delete or receive a copy of your personal data, please contact our Chief Data Privacy & Protection Officer at [email protected].