EFFECTIVE September 1, 2020
Our products and services include our websites (including our online store), our software applications (including our mobile apps such as the G6 APP, G5 APP, Follow and CLARITY app), the Dexcom G6® CGM System, the Dexcom G5® CGM System, CLARITY, and STUDIO (collectively, “Products and Services”).
· Affiliates means companies that are owned by Dexcom, Inc., and currently include the following:
Dexcom International Ltd.
Dexcom Philippines, Inc.
Dexcom Canada Co.
Dexcom (UK) Ltd.
Dexcom (UK) Intermediate Holdings Ltd.
Dexcom (UK) Operating Ltd.
Dexcom (UK) Distribution Ltd.
Dexcom Sweden AB
Dexcom Deutschland GmbH
Dexcom Suisse GmbH
Nintamed Handels GmbH
Dexcom Asia Pacific Operations Pte. Ltd.
Dexcom Malaysia Operations Sdn. Bhd.
WHAT, WHEN AND WHY WE COLLECT AND PROCESS PERSONAL INFORMATION ABOUT YOU
We may collect and process your Personal Information as described below. If you are in the United States, refer to our Notice of Privacy Practices https://www.dexcom.com/notice-of-privacy-practices.
We may collect and process:
· Site Information, which means information you input into, or is otherwise associated with your access and which may constitute Personal Information, to any of our websites. Site Information includes without limitation information about the devices, apps, internet service, IP address, and browsers that you use to access our website; your online browsing behavior such as the sites you visit before and after visiting our websites, your activities on our site including the pages you view, how long you view them, product descriptions read, forms submitted, videos watched, shopping cart contents, and your clicks on our site pages; and, the passwords, security answers, and your user preferences that you provide to us. Site Information does not include Account Information, Communications Information, or Order Information (described below).
· Account Information, which means Personal Information associated with your Dexcom account. Account Information may include your contact information such as your name, billing and shipping address(es), phone number and email address; your Dexcom username and password; birth date and place; gender; pregnancy status; employment information, and your health information. Account Information also includes the contact information, username and health information of any person whose account is created at your request.
· Order Information, which means Personal Information associated with your order from or payment to us for any Dexcom Products or Services. Order Information includes your contact information such as your name, shipping and billing address(es), phone number and email address; Dexcom username and password; birth date and place; gender; pregnancy status; employment information; financial information; health insurance information; and, identification numbers associated with your Dexcom Products or Services (including the serial identification numbers associated with any receiver and transmitter that is provided to you or your dependent). Order Information also includes the username and health information of any person for whom you order or pay for our Products and Services.
· Health Data and Other Use Information, which means Personal Information associated with your use of our Products or Services, including those Products and Services accessible through our websites such as a Clarity account accessed through a browser, and which may constitute Personal Information. Use Information includes your health information generated from your use of our Products or Services such as your glucose readings; the date, time and device identifier associated with the glucose reading; thresholds that you input into Dexcom services or software apps and notifications triggered by such thresholds. It also includes contact information of any person that you designate to receive your health information through functionality of a Dexcom Product or Service (see below how we share information with your Designated Recipients); contact information; information about the devices, internet service, IP address, and browsers that you use to access and use our Products and Services; information about your settings and your activities associated with your use of our Products and Services (e.g. how frequently you use our services and your user preferences); usernames, passwords, security answers, and location data you input into our Products and Services; and, information associated with your viewing of any video available within our services; forms that you submit electronically through our services, including any Dexcom Warriors application you submit. Use Information also includes the username and health information of any person for whom you order or pay for our Products and Services.
· Communications Information, which means any information that you communicate to us through any means, directly or indirectly, and that may be Personal Information. Communications Information includes the content of your communications to us along with any associated metadata. Communications Information may include contact information, financial information, and health information.
· Third-Party Information, which means any Personal Information about you that is provided to us by a third-party that you have authorized. Third-Party Information may include contact information and health information.
· Third-Party Site Information, which means any Personal Information associated with your activity on third-party websites that are accessed through our websites or software.
· Derived Information, which means information that we create by combining and/or analyzing some or all the information described above, and which may constitute Personal Information.
· Nonidentifiable Information, which means information that does not reveal your identity, could not be used to identify or track you, and, therefore, is not protected as Personal Information under applicable law.
· Other Identifiable Information. Other Identifiable Information means information that identifies you or could be used to identify you; that is not listed above; and, is collected pursuant to your consent or otherwise in accordance with applicable law.
HOW WE COLLECT PERSONAL INFORMATION ABOUT YOU
FROM YOU DIRECTLY.
We, and Service Providers acting on our behalf, collect Personal Information about you when you provide it to us directly. For example, you may provide Personal Information to us when you communicate with us using any means, order our Products or Services, pay for our Products or Services, create an account with us, use our Products or Services (including Clarity), complete forms on our websites, seek technical or customer support from us with respect to our Products or Services, submit questions or complaints to us, and otherwise provide us Personal Information about you.
FROM THIRD PARTIES YOU AUTHORIZE.
We collect Personal Information about you from third-parties when you have authorized such third-parties to provide it to us. For example, we collect information about you from third-parties when you integrate a third-party’s product into our software, integrate our products into a third-party’s software, or otherwise authorize a third-party data service to provide information about you to us. We also collect Personal Information about you from third parties who host social media webpages that we manage, as far as this is done based upon your consent or otherwise in line with applicable data protection law.
FROM YOU INDIRECTLY THROUGH COOKIES AND OTHER TECHNOLOGIES.
We also collect Personal Information about you when you use our Products or Services to provide functionality to our Products and Services; to recognize you across devices when using our Products and Services; in each case this is justified under applicable data protection law for our legitimate business purposes. These legitimate business purposes include evaluating information about the use of our Products and Services and identifying trends; developing or enhancing our Products and Services; providing an experience tailored to you when you use our Products and Services; effecting certain security controls; and, identifying the advertisements and offers we think may interest you so that we may display them to you when you use our Products and Services.
Please note that, though some browsers have incorporated “Do Not Track” (DNT) features that send a signal to the websites you visit to indicate that you do not wish to be tracked, we do not have the ability to recognize or honour browser DNT or similar signals at this time.
· Web beacons, pixel tags or clear GIFs track and otherwise process your activities on our services, websites and emails you send, receive or read through our services or websites. Furthermore, they can be used to measure the success of our marketing campaigns, and compile statistics about use and response rates. We will not undertake such activities without your consent where such consent is required under applicable law.
· Device and connection information is information that we or our Service Providers (defined below) collect about your computer, phone, tablet or other devices you use to access our services and websites. This information includes your connection and your settings when you interact with our services and websites along with information about your operating system, browser type, IP address, URLs of websites that you visited before visiting our websites, URLs of websites that you visit after visiting our websites, device identifiers, and crash data. We may use your IP address to, among other things, approximate your location. We will not undertake such activities without your consent where such consent is required under applicable law.
WHAT IS THE LEGAL BASIS FOR PROCESSING?
We may need to hold, process, and transfer your Personal Information but will do so solely for legitimate business purposes in accordance with applicable laws, regulations, and guidelines. We will only disclose your Personal Information on a need-to-know basis to those who are authorized to use it for these purposes.
We process the Personal Information listed above for purposes including:
· As required to establish, perform, maintain, or terminate a contractual relationship with you and to enable us to manage your account and Dexcom Products and Services applicable to you.
· As required to enable our business and pursue our legitimate business interests where our interests are not overridden by your data protection rights, as applicable. If you require further information on our legitimate business interests, please contact us at the information below.
· Compliance with applicable laws and protection of our legitimate business interests, legal rights and obligations.
· Where you have given consent.
HOW WE SHARE PERSONAL INFORMATION WE COLLECT
Most Personal Information will remain with us, but we may share your Personal Information for the purposes explained above with the following recipients, and in each case always in accordance with applicable privacy and data protection laws. If you are in the United States, refer to our Notice of Privacy Practices https://www.dexcom.com/notice-of-privacy-practices for additional information about how we share your protected health information.
We share information we collect and process with:
· Designated Recipients. Individuals or entities that you designate or instruct us to share your Personal Information with. Designated Recipients are not Service Providers (defined above), and include:
· Followers. Individuals or entities that you designate as “Followers” within our Products and Services.
· Third-Party Integrations. Third-parties whose products or services you choose to integrate into our Products and Services, including any connected insulin pens or pumps.
· Other Third-Party Products or Services. Third-parties whose products or services within which you choose to access or otherwise integrate our Products and Services, or the data generated from our Products and Services, including third-party health applications.
· Other Third-Parties You Designate. Third-parties, including health care providers, that you otherwise designate.
You are responsible for determining your Designated Recipients and providing us accurate information for your Designated Recipients. We do not verify the accuracy of any information you provide with respect to your Designated Recipients.
Please note that when you add a “Follower” as a Designated Recipient, that person could forward your invitation to another who can accept the invitation and start to receive your Personal Information. Please do not add any person or entity as a “Follower” unless you trust that person or entity, as we have no responsibility or control with respect to what that Follower does with your Personal Information or invitation.
· Affiliates, as defined in Section “Introduction” above. These entities are bound, as required by law, to ensure that Personal Information is protected consistent with EU standards as explained below as well as applicable laws, ordinances and guidelines in other jurisdictions.
· Service Providers, which means third-party entities, business partners or others that provide services or perform functions on our behalf so that we may operate and manage our business, including but not limited to providing our Services and Products to you. Our Service Providers include entities that perform the following on our behalf:
· Marketing and surveys;
· Data hosting, storage, retrieval and analytics services;
· Administrative functions and processes, including but not limited to email services and shipping services;
· Legal functions and processes;
· Control and compliance processes; and
· Staff augmentation.
· Government Authorities and Law Enforcement Officials, which means any applicable governmental, regulatory or law enforcement agency. These include but are not limited to the US Food and Drug Administration (FDA), US Department of Health and Human Services (HHS), and health, medical devices and data protection supervisory authorities throughout all jurisdictions where we operate.
· Courts and Administrative Tribunals, which means any court of law or other tribunal where we may establish, exercise or defend our legal claims and rights.
· BBB National Programs, Inc., which is a non-profit organization based in the United States that operates the independent dispute resolution mechanism referred to as the BBB EU Privacy Shield.
· Distributors, which means any entity with whom we have established a relationship for the purpose of their distribution of our Products and Services to you, and who administer, manage and service the customer relationship that such entity has with you.
· Reorganization Parties, which means any company with whom a transaction between that company and us would result in a merger, acquisition, dissolution, or sale of Dexcom, Inc. and/or one or more of its Affiliates. Reorganization Parties also includes such company’s advisors and our advisors related to the merger, acquisition, dissolution or sale.
A list of the third parties, or categories of third parties, who process Personal Information can be obtained on request by contacting us at the information below.
HOW WE TRANSFER PERSONAL INFORMATION INTERNATIONALLY
We operate in various countries throughout the world, including, but not limited to, the US, Canada, countries located in the EU and EEA, Australia, UK, Japan, South Korea, and the Philippines, so your Personal Information may be stored or processed in any country where we have facilities or in countries where our Service Providers are located. For example, your Personal Information may be processed in the Philippines for customer service and/or technical support purposes.
These countries may not have data privacy and protection laws that are equivalent to the laws of your country. In such case, we may rely on mechanisms permitted under the laws of the country where you are located to effect the transfer with appropriate safeguards.
Please note that if you use our Products or Services in the EU, UK, EEA, or Switzerland, we have committed to handling such Personal Information in accordance with the European law principles for international transfers such as EU Standard Contractual Clauses.
Privacy Shield Notice
Although the EU-US Privacy Shield has been invalidated as a valid data transfer mechanism for EU data to the United States, we are still committed to our obligations regarding data protection under its framework. This mechanism is not used by Dexcom, Inc. or its Affiliates as a mechanism for transfers to the US.
For data transfers from Switzerland to the US, Dexcom, Inc. is still registered with the Swiss-US Privacy Shield Framework.
To learn more about the Privacy Shield program, and to view our certification page, please visit https://www.privacyshield.gov/.
HOW WE SECURE PERSONAL INFORMATION WE COLLECT
We use appropriate administrative, organizational and technical safeguards to protect information from loss, misuse, and unauthorized access, disclosure, alteration and destruction in light of the nature of the information processed. Personal Information transmitted through our Products and Services is encrypted when transmitted. Please note that no data transmission or storage system is guaranteed to be entirely secure. If you feel that your interaction with us is no longer secure, please contact us immediately. Please note that we do not request information (including financial or other sensitive information) to create an account or process orders for our Products or Services through phone communication or unsolicited email. If you receive a phone communication or unsolicited email that purports to be from us and seeks such information, do not respond and contact us immediately. For more information on how you may safeguard your Personal Information and protect yourself against identity theft, visit https://www.consumer.ftc.gov/topics/privacy-identity-online-security.
HOW LONG WE STORE PERSONAL INFORMATION WE COLLECT
We will retain your Personal Information only for the limited period of time needed to fulfil the purposes of processing mentioned above. After that time your Personal Information will be erased.
Where we process Personal Information with your consent, we process the data until you ask us to stop and for a short period after this (to allow us to implement your requests), if there is no other legal ground for further processing (e.g., a statutory obligation to retain your Personal Information). We also keep a record of the fact that you have asked us not to process your data so that we can respect your request in future. We will further delete your Personal Information when you object to the processing in accordance with “YOUR RIGHTS AND HOW TO EXERCISE YOUR RIGHTS” (see below) or when we are obligated to delete it in accordance with an obligation under applicable law.
In other cases, we may retain data for an appropriate period after any relationship with you ends to protect ourselves from legal claims, to administer our business, or to the extent permitted by applicable law, which may require us to hold your Personal Information for specific periods.
YOUR RIGHTS AND HOW TO EXERCISE YOUR RIGHTS
Dexcom takes your privacy seriously and provides the full suite of GDPR rights to all our users globally. Where our use of your Personal Data is based on your consent, you also have the right to withdraw that consent at any time (please see below for more details).
Your rights with respect to your Personal Information that Dexcom collects, uses or otherwise processes are described below. If you are in the United States of America, refer to our Notice of Privacy Practices (NOPP) https://www.dexcom.com/notice-of-privacy-practices for additional information about your protected health information rights under the US Health Insurance Portability and Accountability Act (HIPAA) and its implementing regulations.
You may exercise your rights by visiting our Privacy Portal at https://onetrustapp.dexcom.com/dsarwebform/75f39504-0b24-4647-b3b2-7260802503a1/8ee37a30-29db-4cbd-9cae-70aa744e4432.html or otherwise contacting us via email at [email protected]. For certain information, you may exercise your rights through the functionality that we provide on our site or software as further described below.
When you submit a request to us to exercise your rights, we will respond as appropriate and within the timeframe permitted under applicable law. We will retain your request and our response (including any supporting documentation) in compliance with applicable law. Also, we will continue to retain and otherwise process your Personal Information to the extent required to comply with applicable law; or, to establish, exercise or defend our legal claims and rights.
· Access. You have a right to access your Personal Information that we, or our third-parties acting on our behalf, process to the extent the information does not contain Personal Information of another individual.
· Correction. You have a right to correct or rectify your Personal Information unless you are located in the US. If you are located in the US, you have a right to correct or rectify your Personal Information as specified in our Notice of Privacy Practices pursuant to HIPAA https://www.dexcom.com/notice-of-privacy-practices.
· Erasure. You have a right to have your Personal Information erased with limited exception. Specifically, you have a right to have your Personal Information erased if an exception does not apply and your Personal Information is no longer required for the purpose(s) it was collected or otherwise processed; our processing is based on your consent and you withdraw your consent; you have objected to our processing and there are no overriding legitimate grounds for processing (including but not limited to completing a transaction with you, fulfilling a contract with you, protecting against security incidents, fraud, malicious or illegal activity); we have not lawfully processed your Personal Information; or erasure is required under applicable law.
Your right to have your Personal Information erased does not apply when: applicable law requires otherwise; processing is required to exercise the right of freedom of expression and information; processing is required to comply with a legal obligation; processing is required for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes to the extent permitted by applicable law and erasure will seriously impair or prevent the achievement of such processing objectives; or, processing is required to establish, exercise, or defend legal claims and rights. With respect to your Personal Information that is contained in our backups and is not subject to one of the preceding exceptions, we will delete your Personal Information permanently and securely in accordance with our schedule for the disposition of backups.
· Restrict Processing. You have a right to limit the use or otherwise temporarily restrict Dexcom’s processing of your Personal Information for a defined period of time.
· Object to Processing. With limited exceptions, you have a right to object to Dexcom’s processing of your Personal Information where the processing is based on legitimate interests pursued by us; the processing is for the purpose of direct marketing; or the processing is for scientific, historical research or statistical purposes. However, you do not have a right to object to processing where we can demonstrate legitimate grounds that override this right; the processing is required to comply with applicable law; the processing is required to establish, exercise or defend legal claims or rights; or, you are in the US, our Notice of Privacy Practices https://www.dexcom.com/notice-of-privacy-practices pursuant to HIPAA applies and limiting our use or sharing will affect your care.
· Withdraw Consent. You may opt out or revoke your consent to, as applicable, receive promotional communications from us by selecting the “unsubscribe” link in the promotional email we send you, by phoning us at our phone number communicated to you in the promotional email or by contacting us at the information below. Please note that, even after you opt-out or revoke your consent to receive promotional materials from us, you will continue to receive transactional messages if you have an account with us or otherwise use our Products or Services. We may also need to retain certain information for recordkeeping purposes.
You may also be able to opt out of or revoke your consent to, as applicable, receiving web-based personalized advertisements from companies who are members of the Network Advertising Initiative http://optout.networkadvertising.org/?c=1 or participate in the Digital Advertising Alliance Self-Regulatory Program http://www.aboutads.info/. You can access any settings offered by your mobile operating system to limit ad tracking on mobile devices, and you can install the AppChoices mobile app to learn more about how you may opt out of personalized ads in mobile apps.
· Sharing with Designated Recipients. For Designated Recipients that are Followers or third-party integrations, you may revoke your sharing with these Designated Recipients through the relevant Dexcom or Clarity app within which you have added the Designated Recipients. For all other Designated Recipients, you may stop sharing by contacting us.
· Portability. You have a right to request the transfer of your Personal Information in certain circumstances. This includes data we process in an automated way based on your consent, to perform a contract with you, or to take steps you request before entering into a contract with you.
· Right to Lodge a Complaint. If you have unresolved concerns, you also have the right to complain to data protection authorities. The relevant data protection authority will be the supervisory authority located in the EU Member State that you reside in.
Please note that where we require your Personal Information to comply with legal or contractual obligations, provision of such data is mandatory: If such data is not provided, then we will not be able to manage the relationship, or to meet obligations placed on us. In all other cases, provision of requested Personal Information is optional.
OTHER IMPORTANT PRIVACY INFORMATION
Personal Information of Children
Our Products and Services are not directed to children who are under the age of 13 years (or, if in the EEA, 16 years), and we do not knowingly collect Personal Information from them without the consent of their respective parent or legal guardian. If we learn that a child under 13 years old (or, if in the EEA, 16 years old) has provided us his/her Personal Information without the consent of his/her parent or legal guardian, we will delete that information. If you believe a child under the age of 13 (or, if in the EEA, 16) has provided us his/her Personal Information without the consent of his/her parent or legal guardian, please contact us.
Please note that the domain owner of any email address used to create an account or otherwise interact with our Products and Services may assert administrative control over your account and the information provided to you at the email address it owns.
For privacy inquiries or complaints, or to exercise any of your privacy rights, we may be contacted:
· By Email at [email protected]
· Through our privacy portal at https://onetrustapp.dexcom.com/dsarwebform/75f39504-0b24-4647-b3b2-7260802503a1/8ee37a30-29db-4cbd-9cae-70aa744e4432.html
· By mail at: Dexcom, Inc.
Attn: Data Privacy Officer
6340 Sequence Drive
San Diego, CA 92121
United States of America
If you are in Canada and would like to no longer receive marketing from us, email us at [email protected]; write us at 501-4445 Lougheed Highway, Burnaby, BC V5C 0E4; or, phone us at 1-844-832-1810.
If you are in the EEA, we may be contacted:
· Through our privacy portal at https://onetrustapp.dexcom.com/dsarwebform/75f39504-0b24-4647-b3b2-7260802503a1/8ee37a30-29db-4cbd-9cae-70aa744e4432.html
· By email at [email protected]
· By mail at: Dexcom Deutschland GmbH.
Attention: Data Protection Officer
Dexcom Deutschland GmbH
Because email communications are not always secure, please do not include credit card or other sensitive information in any unencrypted email to us.
ADDITIONAL INFORMATION FOR CALIFORNIA RESIDENTS
Dexcom collects personal information categories including identifiers, inferences, and usage data. Dexcom collects this information when you visit our website to operate, manage, and promote our business, including developing, maintaining and supporting our Products and Services, and to tailor your experience when accessing or using our websites. Dexcom discloses this information to third parties for the purposes of counting ad impressions of unique visitors, verifying positioning and quality of ad impressions, showing you Dexcom ads that we think may interest you, and auditing compliance with laws and other standards. Dexcom does not sell your information for money, but we do disclose your information to certain third parties that provide valuable services to us, such as analytics and advertising services, which may be considered a “sale” under the CCPA. Categories of third parties with whom we have shared personal information in the last 12 months include third-party integrations for advertising and website analytics.
California residents have the right to make the following requests, up to twice every 12 months:
· The right to request the specific pieces of personal information Dexcom has collected about You.
· The right to request that Dexcom disclose what personal information we collect, use, disclose, or sell.
· The right to request that Dexcom delete personal information that Dexcom has collected about You (subject to certain exceptions).
· The right to opt out of the sale of Your personal information.
You may exercise your rights to access and delete data by visiting our privacy portal at https://onetrustapp.dexcom.com/dsarwebform/75f39504-0b24-4647-b3b2-7260802503a1/8ee37a30-29db-4cbd-9cae-70aa744e4432.html or by emailing us at [email protected].
Consistent with California law, if you choose to exercise your rights, we won’t charge you different prices or provide different quality of services unless those differences are related to the value of your information.