1        Putting you first – ViCentra’s Privacy & Cookies Statement

Comes into effect on September, 26th , 2023.

Your privacy is important to us. Putting people first is one of our most important principles – we treat others as we want to be treated and look out for each other. That includes protecting your personal data and ensuring you have control over it.

This statement explains how we collect, transfer, process, use, disclose and look after any personal data about you we hold. This statement also informs you on our security practices, your privacy rights and how the law protects you. We are committed to only collect and use your personal data in ways that are described here, and in conformity with our obligations and your rights under both the governing Privacy and Data Protection Laws, including the General Data Protection Regulation (GDPR).

We might need to update this statement from time to time. Please make sure to check our website from time to time to read the latest statement. It is equally important that the personal data we retain about you is accurate and up to date. As such we ask that you keep us informed if your personal data changes during your relationship with us.

 

1.1       About us

1.1.1        Who are we?

The ViCentra group (hereinafter “ViCentra”, “the Company”, “we” or “us”) is composed of different legal entities, including ViCentra B.V. (in the Netherlands), ViCentra Manufacturing B.V.(in the Netherlands), ViCentra Ltd (in the United Kingdom) and ViCentra GmbH (in Germany).

Through a combination of software, products and services, ViCentra offers an insulin therapy system designed to assist people with diabetes (hereinafter “Kaleido”). This statement applies to the processing of personal data of anyone who visits our websites, attends to our events, or uses our products and services. ViCentra acts as Data Controller as defined in the General Data Protection Regulation (EU) 2016/679. On very rare and specific situations, ViCentra might act as Data Processor or Joint Controller.

1.1.2        Contact details

We have appointed a Data Protection Officer (DPO) who is responsible for overseeing questions in relation to this privacy statement. If you have any questions about this privacy statement, including any requests to exercise your legal rights, please contact our DPO using the details set out below. We highlight that the DPO is bound by law to maintain confidentiality with regards to any questions and/or issues you may present.

Email address: dpo@vicentra.com

Phone number: +31 (0) 800 19 10

Postal address: ViCentra B.V. attn. DPO, Rijnzathe 6, 3454 PV Utrecht, The Netherlands.

 

1.2       Your Data

1.2.1        When do we collect your data?

ViCentra may process personal data for various purposes and in various contexts, for example when:

• You visit our websites vicentra.com, hellokaleido.com or other ViCentra websites (the “Websites”).
• You register or attend any of our events, product demos, conferences, or trade shows (collectively, “Events”);
• If you are an end-user of Kaleido and we provide services such as product training, customer care, complaint handling, troubleshooting, and technical assistance with the product;
• You interact with us on social media, on our Websites, via email or phone;
• You apply for a position at ViCentra;
• We perform corporate functions, such as Human Resources (RH), Finance and Information Technology (IT) functions.

For the purposes and contexts listed above, ViCentra acts as data controller.

1.2.2        What personal data do we collect?

Depending on the situations described in Section 7.2.4.1 “Purposes for processing your personal data”, we may collect the following different types of information about you:

• Identity Data including your first name, last name, date of birth, gender, social security information, billing address, shipping address, email address and telephone number.
• Financial Data including your bank and bank account number, solely for the purpose of reimbursement of expenses you may have had with ViCentra (e.g. travel expense to attend product training);
• Education and work-related data if you are a candidate for a position at ViCentra, including the information contained in your CV.
• Usage Data including URL information, online identifiers such as cookie data and IP addresses, other identifiers such as user ID, organization ID, username, email address, and user type, pages and files viewed, search queries, and other actions you take, information about your device such as your device ID, hardware model, app version, access times and dates, IP addresses, network connection type, carrier and region, provider, plug-ins, integrations, referring website, app or ad, browser type, language, date and stamps time, and operating system.

Usage Data also includes information collected via Cookies. Each website and application will notify you separately of which cookies are being collected, and will give you an option to customize and consent (or not) the Cookies we would like to collect. Find more information about our use of Cookies below.

• Medical Data including information related to your diabetes condition: diabetes type, treatment details, current or previous therapy, health insurance data, basal rates and insulin type and doses, and any other data that you or your health care professional (“HCP”) may share with us.
• Complaint Data including information related to any complaint you may have lodged with ViCentra regarding your use of Kaleido, for example date and nature of the complaint, and result of the investigation.

We may use Aggregated Data, which is derived from your personal data but does not reveal your identity, for scientific research, demographic and statistical purposes. For example, we may aggregate your usage data to assess the use of a specific product feature.

1.2.3        How do we collect data about you?

Directly from you

When you contact us via our Websites, phone or email, or when you interact with us on social media. This can happen, for instance, when you provide your personal data to us on the contact form available on our Website (www.hellokaleido.com) or if you assist to one of our events. It can also happen if you participate in a promotion survey, give us feedback, or otherwise interact with us.

Third Parties, Partners and Publicly Available Sources

We may receive personal data about you from various third parties and public sources. For example, if you are a health care professional, we may collect your contact information from the website of the hospital you work for, or because it was provided to us directly by the hospital. If you are a customer, we may receive some data about you from your health care professional, or from your Kaleido distributor. In such cases, we assume these parties were authorized by you to discuss with us about your treatment and potential use of Kaleido.

From our use of Cookies

ViCentra Websites www.hellokaleido.com and www.vicentra.com use Cookies to distinguish you from other users of the Websites and optimize your browsing experience. Upon opening ViCentra’s Websites, the Cookies banner informs you about our use of Cookies and directed to this Privacy Statement for more information.

A cookie is a small piece of data (text file) that a website, when visited by a user, asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those Cookies are set by us and called first party cookies. Depending on which of our Websites you are visiting, we may also use third party cookies (e.g. Google Analytics).

We use the following Cookies:

• Necessary Cookies: these cookies help make our website usable by enabling basic functions like page navigation and access to secure areas of the website. The website cannot function properly without these cookies.
• Statistics Cookies: helps website owners to understand how visitors interact with websites by collecting and reporting information anonymously.
• Marketing Cookies: these cookies are used to track visitors across websites. The intention is to display ads that are relevant and engaging for the individual user and thereby more valuable for publishers and third party advertisers.

 

You can opt-in or opt-out of each Cookie category (except strictly necessary Cookies) through the Cookie banner that appears on our Websites.

You can use the settings of your browser to modulate or block Cookies. However, if your browser blocks all Cookies, you may not be able to access the full functionalities of our Websites.

1.2.4        Our purpose for processing your personal data and the legal ground which permit such processing

1.2.4.1       Purposes for processing your personal data

The following table provides an overview of our purpose for processing your personal data, and matches such purposes with the legal basis for doing so and the categories of personal data we use for each purpose.

The purposes for processing your personal data are the following:

(1) To provide the Service. This includes registering you as a potential customer, registering you as a new customer, providing you with tailored product and related services, managing payments, fees and charges, collecting and recovering money owed to us, responding to your questions including troubleshooting, complaints, customer care and performance issues, exchanging information with your HCP about the prescription and usage of your Kaleido product, asking you to take a feedback survey, setting up the mandatory training for your use of Kaleido, evaluating the product, service quality, performance and usage, sending you tailored marketing and communication information where you have consented for such communication or if you are a Kaleido user, and improving the performance of the service and core functionality.

(2) To manage our Websites. This includes providing our Websites, improving them, ensuring their security, handling contact forms, and displaying personalized advertisement and content.

This is, for example, processing personal data to operate our Websites and deliver the content you accessed or requested, to analyse current trends to improve user experience, to monitor and investigate the activity in our Websites, to conduct market research, show you tailored advertising and personalized content in our Websites.

(3) To manage Events. This includes processing for registrations, managing accounts, sending communications, handling contact forms, and registering attendees.

This is, for example, processing personal data to register you in an event, to manage the event, or send you communications related with the event. In most cases, we process the usual personal data required as “registration information”, such as name, email address, or phone number.

(4) To exercise corporate functions. As any company, ViCentra has various departments tasked with performing various corporate functions, such as Human Resources (HR), Finance, Legal and Information Technology (IT) departments. In this regard, we may process personal data regarding our candidates for a position at ViCentra, contractors, suppliers or customers to be able to perform these functions and only to the extent required to perform these functions.

This is, for example, the processing of the personal data contained in your job application when you apply for a position at ViCentra.       

Some departments are tasked with research and development activities for data/ statistical analysis purposes, new functionality, features and product development following established protocols to ensure the privacy of your data. In most cases, this is carried out in using aggregated or pseudonymized data.

(5) Other Purposes. These include complying with a legal obligation incumbent on us, a law enforcement or national security request, or to establish, exercise or defend legal claims.

This is, for example, when we are required to cooperate with public and government authorities, courts or regulators in accordance with our legal obligations under applicable law, to the extent that this requires the processing or disclosure of personal data to protect our rights or meet our legal duties.

This also includes, health oversight and disclosures to government agency for health benefits, and processing or disclosure to report adverse events (or similar), and/or any other reporting duty as required by law.

1.2.4.2       Legal ground allowing for personal data processing

The table below lists which legal ground is used for each of the (1) to (5) personal data processing purposes presented in the Section 7.2.4.1 “Purposes for processing your personal data” above.

Purpose (1 to 5)	Legal Ground
(1)   To provide the service	–        For the performance of the agreement by which you become a Kaleido end-user; –        To comply with a legal obligation incumbent on us. For example, to handle complaints, customer care, or report adverse events as required by the governing European medical devices laws and regulations; –        For our legitimate interest in providing and managing our services, providing a service in line with customer’s expectations and contractual obligations, managing our business, providing innovative services, and sending direct marketing communications; –        Based on your specific and explicit consent; –        If it involves the processing of health related data, for a task carried out in the public interest in conjunction with a public interest in the area of public health, such as ensuring high standards of quality and safety of medical devices on the basis of the governing European medical devices laws and regulations (and others applicable).
(2)   To manage our Websites	–        For our legitimate interest in: a) providing online content to our customers and potential customers related to our service offers and related information; b) providing a relevant and functioning website; c) providing a safe and secure website for our visitors; d) advertising our products and services to our visitors and customers; –        Based on your specific and explicit consent, when you provided such consent (e.g., if you subscribed to receive updates and advertising from ViCentra, or if you submitted a contact form, or uploaded your CV).
(3)   To manage Events	–        Based on your specific and explicit consent; –        For our legitimate interest in managing such Events.
(4)   To exercise corporate functions	–      To comply with a legal obligation, for instance, in the field of employment, health, labor, and tax; –      For our legitimate interest in exercising corporate management; –      Based on consent, when we specifically requested that from you, or if it can be derived from your actions; –      If it involves the processing of health related data, for our legitimate interest in conjunction with scientific research purposes, subject to the safeguards of Art. 89 of the GDPR.
(5)   Other Purposes	–      To comply with legal obligations, such as a court or authority request to disclose personal data. In general, to comply with legal processes, court orders, to respond to lawful requests, or for audit purposes. –      For our legitimate interest, for instance, if we need to establish a legal claim or defend ourselves to protect us from misuse or improper use of our websites or services, to protect personal property or safety, to pursue legal remedies available to us and limit our damages.

 

1.2.5        Sharing your personal data

We might share your personal data in the following circumstances:

Vendors, contractors, and other service providers

We may share your information with third party vendors, contractors, and other service providers who we employ to perform tasks on our behalf. These companies include (for example) our corporate services providers (e.g., Egnyte), website analytics companies (e.g., Google Analytics), product feedback or help desk software providers (e.g., Reset, Alchemer), Customer Relationship Management (CRM) services providers (e.g., Salesforce), email and collaboration service providers (e.g., Microsoft) and others.

If ViCentra receives your personal data and subsequently transfers that information to a third-party agent or service provider for processing, ViCentra remains responsible for ensuring that such third-party agent or service provider processes your personal data to the standard required by the governing Privacy and Data Protection Laws, including the GDPR.           

ViCentra Group Companies

We may also share your personal data with our parent companies, subsidiaries and/or affiliates for purposes consistent with this Privacy Statement. Personal data may be transferred between ViCentra Entities to ensure efficient and effective business operations and to enable the ViCentra Entities to provide customer, sales, marketing, human resource, finance, information technology, legal, quality assurance, software/product development, and other support services.

Disclosures for National Security, Law Enforcement, and other Regulatory Reporting Obligations

• We may share your personal information to ensure high standards of quality and safety of health care related to our medical devices and applications.
• We may share personal information to comply with our legal or regulatory obligations including, but not limited to, our obligations related to adverse event reporting, pharmacovigilance, post market surveillance, product safety and other regulatory reporting obligations.
• Under certain circumstances, we may be required to disclose your personal data in response to valid requests by public authorities, including to meet national security or law enforcement requirements or to investigate fraud.
• We may also disclose your personal information to third parties as necessary to investigate potential data incidents, or to protect the rights, property or safety of us, the users of our Websites, or others.

1.2.6        Storing your personal data

We will not retain your personal data for longer than necessary according to the established purposes listed in Section 7.2.4.1 “Purposes for processing your personal data” of this Privacy Statement.

The length of retention periods is based on certain criteria. ViCentra may need to retain certain data for an appropriate period, for example in order to provide you a tailored Service, to comply with legal obligations, or to establish, exercise or defend legal claims. The retention period in such cases is usually set by law.

For more information about retention periods, you can contact us. See Section 7.1.2 “Contact Details”.

1.2.7        Transferring your data to other countries

For the purposes listed in Section 7.2.4.1 “Purposes for processing your personal data”, your personal data may be transferred and processed outside of your geographical zone, and in countries that may not provide for the same level of data protection as your geographical zone.

In such cases, ViCentra ensures that the recipient of your personal data provides an adequate level of protection, for example by entering into appropriate processing agreements and, if necessary, standard contractual clauses or an alternative lawful data transfer mechanism. Where required by applicable law, we will only share, transfer or store your personal data outside of your jurisdiction with your prior consent.

1.2.8         Keeping your data safe

ViCentra has taken appropriate technical and organisational measures to protect your personal data.

Despite these security measures, there is always a possibility that a data breach could occur. ViCentra has an internal process in place and trained employees to face such possibility.

In the event of a data breach that would be likely to result in a high risk to your rights and freedoms, ViCentra will inform you about it without undue delay.

If you wish to learn more about our technical and organisational measures, please contact us using the contact details found in Section 7.1.2 “Contact details” of this Privacy Statement.

1.3       What are your rights?

1.3.1        Your legal rights

The governing Privacy and Data Protection Laws, including the GDPR, give you rights over your personal data, including:

• The right to be provided with transparent and easily accessible information regarding the processing of your personal data.
• The right to access your personal data. This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
• The right to have your personal data rectified, corrected or updated. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
• The right to have your personal data erased, including from any third parties where your personal data has been shared with or disclosed to.
• The right to object to or restrict the processing of your personal data.
• The right to withdraw your consent.

1.3.2        Exercising your legal rights

If you wish to exercise any of your rights listed in Section 7.3.1 “Your legal rights” above, please contact us using the contact details found in Section 7.1.2 “Contact details” of this Privacy Statement.

 

We will do our best to respond to your request within one month, and will contact you if we need more information from you in order to fulfil your request or verify your identity. Occasionally, a request might take longer than a month to fulfil, depending on the number and complexity of requests we receive. In such case, we will inform you.

You do not have to pay to access your personal data or to exercise your other rights. However, we may charge a reasonable fee depending on the amount of work needed to deal with your request.

 

Please note that not all requests regarding your legal rights can be completed; for example, erasure of data that is mandatory for ViCentra to keep to comply with governing European medical devices laws and regulations is not possible. In such cases, we will inform you about this at the time of your request.

 

Should you have concerns about your privacy rights or should you feel unsatisfied with the treatment of your request, we remind you that you have the right to lodge a complaint with a supervisory authority under the governing Privacy and Data Protection Laws, including the GDPR. If you are located in the European Economic Area (EEA), you can find the contact details of your national data protection authority on this website: https://edpb.europa.eu/about-edpb/board/members_en.

 

1.4       Other provisions

1.4.1        Personal data from children

We do not knowingly collect or solicit personal information from anyone under the age of 16. If you are under 16, please do not attempt to register for the Services or send any personal data about yourself to us. If we become aware that we have collected personal data from a child under age 16, we will delete such personal data without undue delay. If you believe that a child under 16 may have provided us personal data, please contact us using the details provided in Section 7.1.2.

1.4.2        Marketing Communications

If you previously consented to receiving marketing updates from ViCentra, you can always opt-out from receiving them using the unsubscribe link at the bottom of the emails, or by contacting us using the instructions provided in Section 7.3.2 “Exercising your legal rights”.

 

Please note that if you are an end-user of Kaleido, we still must send you non-promotional communications such as safety related updates.