Privacy Policy
for Tummy Lab AB
Tummy Lab has adopted this privacy policy (“Privacy Policy”) to explain how Tummy Lab collects, stores and processes the information collected in connection with its online products, services, websites, social marketing sites, marketing communications and mobile applications (“Services”, “Tummy Lab Services”, “Tummy Lab Products”).
Tummy Lab bases it’s processing of personal data in the OECD Privacy Principles, the GDPR (Regulation (EU) 2016/679) and Swedish law.
The data controller responsible for processing of your personal data is:
Tummy Lab AB (556996-3787)
Magasinsgatan 18A
411 18 Gothenburg
Sweden
privacy@tummylab.com
+46 73 724 78 21
Tummy Lab has appointed a data protection officer, whom you can contact at: dpo@tummylab.com
What data do we collect?
Data collected from you
Most personal data is collected from you, through the use of Tummy Lab Services, this includes:
User profile
Data you submit while using Tummy Lab Services, like username, email, gender, date of birth, weight, and apple push notification identifier.
Settings
Configuration options for your Tummy Lab Services, e.g. if you want logging reminders.
Events logged in Tummy Lab Services (“Logged Events”)
Some Tummy Lab Services allows for logging of events to a Journal, examples of these are:
Food, medicine, and supplement intake.
Symptoms and bowel movements.
Tasks completed, days evaluated and media items viewed as part of the Tummy Lab program.
Sleep, physical training and other activities.
Custom data items created in Tummy Lab Services (“Custom Items”)
Some Tummy Lab Services allows for creating custom data items to associate with Logged Events, examples of these are:
Food Lists
Groceries
Restaurant meals
Symptoms
Evaluation Answers
Responses to evaluation questions answered throughout Tummy Lab Services.
IP addresses
A series of numbers that identifies one devices, of a group of devices, on the internet. They are a core part of how devices communicate over the internet.
Email metadata
Emails include metadata, like your email address, your name, and in most cases also your ip address.
Data generated by the Tummy Lab Services
Some personal data is created by the Tummy Lab Services, this includes:
Tummy Lab User ID (“User ID”)
An identifier that is unique for your user (within the Tummy Lab Services).
Records of Program Progress
Records for your progress through Tummy Lab educational programs, e.g. what courses and tasks you have completed.
Analysis Results & Reports
Data and reports about what action events (e.g. food intake, activities) are correlated to what symptom events (e.g. symptoms & bowel movements).
Technical description of crashes and error conditions (“Crash Reports”)
A report about a technical issue that happened while processing a backend request, or when an error occurred in a Tummy Lab Product running on your device. Contains mostly technical information, but can sometimes be tagged with your user id, ip address and/or other non-sensitive personal data to enable us to easier identify the technical issue at hand.
Analytics Identifier
An pseudo-anonymous identifier for a user, stored on your device using a cookie or using similar technology. Used to identify your Analytics Data while, avoiding to link it to your User ID and User profile.
Service Usage Patterns (“Analytics Data”)
Information about key interactions with Tummy Lab Services, scrubbed of user specific particulars.
As an example, a key interaction could be that you started the app, opened a specific view in the app, or then logged a food event. It would however not include information about what food you ate.
Data from third party organizations
In some cases, we also collect data about you from third party organizations in order to setup your access to our product, process and attribute payments, or identify you in context of a research study.
How we process your personal data
Delivering Services
The main reason for us to process your personal data is to be able to deliver the Tummy Lab Services. This includes:
Synchronizing and storing the data entered in, or generated through the use of, the Tummy Lab Services.
Analyzing your Logged Events and Custom Items to create personal Analysis Results & Reports for you and for other users.
When your data is used to create Analysis Results & Reports for other users, their report will only contain aggregated and anonymized data that can not be traced back to you.
Automated communications through email and push notifications, to remind you to keep up with your logging habits and progress in educational programs.
We’ll ask you to consent to this data processing when you start using Tummy Lab Services.
Personal data collected for this purpose will be kept for for approximately 24 months after you last accessed our services, or until you ask us to delete it.
Ensuring Security and Reliability of Services
In order to make sure that Tummy Lab Services are safe and reliable to use, we need to process some of your personal data. This processing includes:
Logging of request and connection attempts to our backend systems, in order to ensure secure and reliable service.
Keeping encrypted backups of data stored in our backend systems.
Receiving and processing issues sent to our support email systems.
Collect Crash Reports in Tummy Lab Products on running on your device.
Tag Crash Reports collected from Tummy Lab Services with your User ID and/or ip address.
We believe we have a legitimate interest to keep our systems reliable and secure, and indeed also a legal responsibility to do so. We’ll ask for your consent & opt-in to collect crash reports from your devices.
Personal data collected for this purpose will be kept for approximately 6 months, or until you ask us to delete it.
Product Development and User Research
In order to improve our product development decision-making, and to better understand our customers, we need to understand how our users is interacting with our Services.
This includes:
Collecting Analytics Identifiers and Analytics Data
Analyzing your personal data to create aggregated, anonymous, reports describing groups (or all) of our users. These reports will not be considered personal data, as no individuals personal data can be discerned from them.
We’ll ask you to consent and opt-in to this data processing before we collect Analytics Identifiers and Analytics Data, and/or before we analyze your data.
Personal data collected for this purpose will be kept for for approximately 24 months, or until you ask us to delete it.
Marketing / Mail lists
In order to provide you with information about Tummy Lab Services, we might collect your contact information (name, email and/or phone number) and use it to contact you with information and offerings about the Tummy Lab Services.
We’ll ask you to consent to this processing when you submit your contact information for this purpose.
All direct marketing messages from Tummy Lab will, if reasonable, include instructions for opting out from receiving further messages.
This data will be kept until you ask us to delete it.
Clinical Report
As part of some Tummy Lab Services, you might be offered the possibility to share your personal data with a separate service (provided by Tummy Lab AB or a separate entity) that creates reports intended for your medical professional.
We’ll ask you to consent to this processing before you submit data to such a service.
The reports will be kept in our systems for approximately 2 days, to allow for you to download them, and will then be automatically deleted.
Legal Reasons
We process personal data as required by law, e.g. the Bookkeeping Act’s requirement for us to keep our financial records. We do comply with requests to share your personal data with law enforcement authorities, but only to the extent required by law.
Research
Some Tummy Lab Services might allow you to share your personal data with third parties performing a research project. This will always be done on a opt-in basis and, if possible with regards to the goal of the research, only using anonymized data.
We’ll ask you to consent and opt-in to this data processing before sharing your personal data with a third party researcher.
Accounting to external payer
If an insurance company, medical institution or a similar organization is funding your access to Tummy Lab Services, we may report back to them your contact information and non-sensitive data about your progress using the relevant Services.
We believe we have a legitimate interest to do this processing, in that we need to be able to charge for your usage of our Services.
Other uses
We might at some times require to process your personal data for different purposes than what’s outlaid in this Privacy Policy. Where appropriate, we will inform you inform or ask for your consent for such processing.
Sensitive Data
Some Tummy Lab Services process personal data classified by the GDPR as especially sensitive. In our case, this is mostly data relating your Health - like symptoms you experience.
We will always ask for your consent to process sensitive data in Tummy Lab Services where we collect such data. We will take special care to protect sensitive personal data, e.g. by employing a security first mindset when developing our Services and by technically and organizationally limiting the amount of personnel who can access your personal data.
Third party organizations
Tummy Lab is not in the business of selling your personal data, and will only share your data with third party organizations as described in this Privacy Policy.
Contractors and Data Processors
Personal data collected from you may be shared with third-party providers (“Data Processors”) that process personal data on our behalf, e.g. hosting providers, analytics services, error monitoring services, sales process monitoring services and customer support systems. These Data Processors are only allowed to process data as instructed by us and described in this Privacy Policy.
We take great care in selecting Data Processors we feel we can trust to handle your data in a lawful, secure, and correct manor.
Organizations in Third Countries
At times we will need to transfer your personal data to Data Processors who are located in an country or region outside of EU/EES (“Third Countries”). We do this to ensure we use the best Data Processors available on the global market, allowing us to deliver better Services to you.
We ensure that our Data Processors either operates in countries the EU has deemed has an adequate level of data protection or are bound by the EU Commission’s model clauses, the EU-U.S. Privacy Shield, or similar instruments/mechanisms for the safeguard of the integrity and security of your personal data.
Courts, Governments and Crime Fighting Agencies
We may disclose your personal data in order to comply with a legal or regulatory obligation, if we reasonably believe we are required by law to do so.
We may also disclose personal data in order to protect and defend Tummy Lab, our business partners, or our users rights and interests, if doing so is compatible with with applicable personal data regulation.
Others
Subject to your consent, we might share your data with third party researcher projects.
We might share some personal data with an insurance company, medical institution or a similar organization that is funding your access to Tummy Lab Services.
We may also transfer your personal data in the event that our business (or part of it) is sold, for instance as part of a merger or an acquisition.
We might need to share your data with third parties for reasons not included in this Privacy Policy. If reasonable with regard to the sensitivity of the data and reason for sharing the data, we will ask for your consent before doing so.
Data Security
The security and integrity of your personal data is of the utmost importance for Tummy Lab. We employ industry standard security technology and organizational measures to create a multi-layered security approach. This includes methods like:
Limiting access to personal data for non-essential personal.
Isolate systems using firewalls and similar technologies.
Tune system configurations to avoid common security pitfalls.
Monitor for and swiftly applying security patches to systems and application libraries.
Develop software with a security-first mindset.
Your rights with regards to your personal data
Your rights with regard to your personal data includes access, correction, erasure, restriction, objection and data portability.
When Tummy Lab receive a request to exercise such a right, we will - after establishing your identity and the lawfulness of your request - process it without undue delay.
Please note that some of these rights are affected by our legal obligations, and the rights of both Tummy Lab and other persons. If this limits our ability to process a specific request with regards to personal data rights, we will do our best to explain why such a request can not be fulfilled.
To exercise your rights, contact us at privacy@tummylab.com
Complaints
If you have any questions, suggestions or complaints with regard to our processing of your personal data, you are always welcome to contact us at privacy@tummylab.com. You also have the right to file a complaint with a supervisory authority.
Cookies
Tummy Lab use Google Analytics to analyze anonymized web traffic. For this purpose, Google Analytics uses cookies. Information about Googles privacy policy might be found at https://www.google.com/policies/privacy/.
We also use cookies for other purposes, such as to operate the features of our web pages and systems.
Children under the age of 13
Tummy Lab does not knowingly collect any personal data from children under the age of 13, nor does Tummy Lab Services target children under 13.
If made aware that a person under 13 has submitted personal data through its Services, Tummy Lab will promptly erase such data.
Changes
Tummy Lab may make changes in this Privacy Policy from time to time. In such case we’ll aim to stay true to the original principles set out in this document, and when reasonable get in touch to allow you to review the changes.
*Last Edited: 2018-05-25*
