QLUPOD AG
Bahnhofstrasse 23
9100 Herisau
Switzerland

Tel: +41 (0)71 510 05 45

Licence: CHE-430.250.934

DATA PROTECTION POLICY

For the processing of personal data by QluPod AG (we, our or QluPod) when using our products and services, including our website and the QluPod mobile application accessible on the App Store and Google Play Store.

  1. Introduction 

We are aware of the importance of protecting your privacy and of transparency in the processing of your personal data.

This privacy notice (Privacy Notice) tells you what personal data we collect when you access and use our products and services and how we process that data. It applies generally to our activities in relation to our users’ personal data, but we may also have additional privacy notices that apply in relation to specific products and services.

By using our products and services, you expressly consent to us collecting and processing your personal data in accordance with this privacy notice.

  2. Who is responsible for processing your personal data?

QluPod is responsible for the processing of your personal data. You can find our contact details in section 13.

  3. What types of personal data does QluPod process?

QluPod collects personal information for a variety of purposes; to that end, we have created a list of the types of personal information that we may collect, either directly from ourselves or from other sources, to achieve those purposes.

The types of personal data we may collect include:

Customers

Personal data: First and last name, address, email, date of birth, age, gender, height, weight, sleeping patterns; and

Payment data: Credit card information; and health data: Blood pressure, heart rate.

Professional

Name of contact person, address, telephone number, company name, e-mail

  4. How we collect your personal data

We collect the personal information that you provide to us or that is transmitted via the QluPod device you use.

We collect the personal data you provide to us when you use the Website, the Mobile Application and/or the services provided through the Website and the Mobile Application (the Services), for example, when you place an order, communicate with us, set up and/or manage your account, use our monitoring services or through forms you complete.

Some information is mandatory; other information is optional.

The data fields marked with an asterisk must be filled in. If one or more mandatory fields are not completed, we will not be able to grant access to the Services. You are not required to fill in the optional data fields in order to access the services offered via the website and/or the mobile application. These fields can be filled in at any time.

Certain personal data is collected in automated form.

We automatically collect personal information when you use QluPod products or use our website, including through tools, web forms, cookies and other active elements as further described in this Privacy Notice.

You can set specific permissions for the automatic collection of your personal data when you configure your device or internet browser according to the available features. In addition, you can also set specific settings for the automatic collection of your personal data via the cookie settings plugin available on the website. For more detailed information, please refer to the Cookie Policy.

The personal data we process may contain sensitive data.

The information you provide directly or that is collected from you through the QluPod products or services you use may contain sensitive data about you, including some health data (such as information about your blood pressure, heart rate, weight, etc.) (Sensitive Data).

We process such sensitive data in accordance with applicable data protection laws where necessary.

  5. How we process your personal data

We process your personal data by automated means for the purposes set out in this Privacy Policy and in accordance with applicable law.

We process your personal data in accordance with applicable law, including the Swiss Data Protection Act and/or the EU General Data Protection Regulation (GDPR) and/or the UK General Data Protection Regulation, using computers or computer tools, in accordance with the purposes set out in this Privacy Policy.

We do not make decisions based solely on automated processing that produce legal effects concerning the data subject or that significantly affect the data subject (automated individual decision-making). However, we may process your personal data to profile you and provide you with a more personalised experience when using our services (profiling). You may have the right under applicable data protection laws to object to such activities (see section 12 below for more information on your rights).

We may process your personal data to delete any information that allows us to identify you (anonymisation). We may then use this anonymised data for purposes not envisaged in this Privacy Policy (including data mining, benchmarking, analytical purposes or the development and marketing of new services). You can object to the anonymisation of your personal data for this purpose at any time (for more information about your rights, see section 12).

We take appropriate technical and organisational security measures to prevent unauthorised access to, disclosure, alteration, change or destruction of your personal data, as described in section 11 below.

  6. On what legal basis do we process your personal data?

We only process your personal data if we have a valid legal reason to do so.

We will only process your personal data if we have a valid legal ground for doing so. Depending on the processing in question, we will only process your personal data if:

  • The data processing is necessary to fulfil our contractual obligations towards you or to take pre-contractual measures at your request (contractual necessity).

This is the case where the processing of your personal data is strictly necessary to provide you with the website and/or the mobile application and related services, as further explained in section 6. Where the GDPR applies, the contractual necessity is therefore based on Article 6(1)(b).

  • Data processing is necessary to protect our legitimate interests, and only to the extent that your interests or fundamental rights and freedoms do not require the processing to be waived (legitimate interest).

Our legitimate interests include, in particular, (i) ensuring that the Website and/or Mobile Application and related services are provided efficiently and securely (e.g. through internal analysis of the stability and security of the Website and/or Mobile Application, updates and troubleshooting, and support services); (ii) improving and developing the Website and/or Mobile Application (including monitoring our performance or use of the Website and/or Mobile Application and our services, and for statistical purposes); (iii) obtaining cost-effective services (e.g. we may choose to use certain services provided by suppliers rather than performing the activity ourselves); (iv) achieving our business objectives; and (v) for other legitimate purposes expressly described in Section 6. Where the GDPR applies, the legitimate interest is based on Article 6(1)(f) of the GDPR.

  • We have obtained your prior consent in a clear and unambiguous manner (consent).

Where the GDPR applies, consent is based on Article 6(1)(a) of the GDPR.

  • Data processing is necessary to comply with our legal or regulatory obligations (Legal Obligation).

Finally, we will process your personal data if we are legally obliged to do so, as further explained in section 6. Where the GDPR applies, the legal obligation is based on Article 6(1)(c) of the GDPR.

In addition, we will only process your sensitive data if we have obtained your explicit consent for one or more specific purposes or if we can rely on another lawful justification in accordance with applicable data protection laws.

  7. For what purposes do we process your personal data?

We process your personal data for legitimate and clearly defined purposes.

Your personal data is collected and processed to provide our services and for the other legitimate purposes expressly set out below and will not be further processed in a way incompatible with those purposes at the time of collection, but only to the extent necessary to achieve those purposes.

We process your personal data for the following purposes:

  • To operate the website and/or the mobile application and to provide the related services.

We process your personal data primarily to provide the services and operate the website and mobile application based on our contractual need to do so, including creating and maintaining a user account, interacting with you, providing requested information and services, providing products, goods and services, and for customer and user management purposes.

When you use our blood pressure monitoring services and devices, we collect device sensor data, monitoring data and sensitive data such as blood pressure and heart rate measurements. This information is then processed to provide our services. We also collect information about the country and/or time zone from which you access our services. We do not track your exact location.

In addition to the personal data you provide when logging into your account or interacting with the Website and/or the Mobile Application (e.g. when you use your wristband to fill in forms or upload content to the Website and/or the Mobile Application), we automatically collect technical information about your interactions with the Website and/or the Mobile Application, such as the content accessed, the date and time of access and information about your web browser. We process this data to monitor the use of our services and manage their stability and security, based on our legitimate interest in doing so. We may also use this information to improve our services, as described in more detail below.

Your account information will be retained for as long as your account is active. If you cancel your account, your account information will be deleted or anonymised within 30 days of this event, unless the data must be retained for a valid reason (e.g. for evidentiary or tax reasons). This does not apply to log files, which are automatically deleted or anonymised 30 days after they are collected.

  • Processing of product orders and payments.

In order to place an order, you will need to provide the information requested from you (e.g. contact details, billing and delivery address, payment method and similar information). We process this data based on our contractual need to do so.

We also automatically collect data related to your use of the website and/or mobile app in accordance with our cookie policy. When we process your data through essential cookies, the valid legal ground is our legitimate interest. All other data processing through cookies is based on your consent.

We use third-party services for payments and the dispatch of orders. For example, depending on the payment method selected, you will be redirected to the website of an online payment provider that is responsible for processing the payment. We only provide these third party providers with the data that is necessary for the processes they carry out. We process this data on the basis of our contractual need to do so.

In order to offer you QluPod’s payment methods, we may share your personal information in the form of contact and order details with QluPod during the checkout process so that Klarna can assess whether you qualify for their payment methods and tailor those payment methods to you.

The processing of order, inventory and billing data is based on our contractual need to provide you with the goods and services you have requested. We are also required by law to retain certain information such as invoices, contracts and other accounting-related information for a specified period of time (usually 10 years). Data on uncompleted orders is kept for 12 months and then deleted.

  • To contact you and answer your enquiries.

You have the option of contacting us via the website, the mobile app or by email. In this context, we process the data you provide to us (including your contact information and the subject of the request). This data is used for the purpose of providing you with the requested information and services based on our contractual necessity.

The retention period depends on the reason for your request and its context. Requests relating to orders will be retained for the period specified for orders.

  • For internal analysis and statistical purposes to improve our website and/or mobile application and services.

Where we have obtained your valid consent, we may process your personal data, in particular data relating to your use of the Website and/or the Mobile Application and your habits and preferences (e.g. our device information [serial number, software version, error/crash reports], the content you access, the date and time of access and your preferences), for internal analysis and statistical purposes in order to better understand the needs of our users and optimise their experience, as well as to improve the ergonomics and functionality of the Website, the Mobile Application and the Services in general. You can object to such processing at any time (for more information on your rights, see section 12 below).

  • To provide you with targeted information or advertising based on the content you post and your interactions with the website.

Where we have obtained your valid consent, as part of the operation of the website we use the services of third parties such as Google, YouTube or Facebook, which may place cookies on your device to show you personalised advertising based on your interaction with the website. The privacy policies of these providers apply in relation to their activities. You can withdraw your consent at any time (see section 12 below for more information on your rights).

Please see the Cookie Policy for more information on the use of cookies for this purpose, including the length of time for which data collected in this way is stored, and the link to the privacy policies of these external service providers.

  • To comply with our other legal obligations or for other legitimate interests.

We may further process your personal data if we are required to do so by law or have other legitimate interests. This is the case, for example, if we need to disclose certain information to authorities or retain it for tax or accounting purposes or for the establishment, exercise or defence of legal claims. The personal data we process for this purpose is that which we collected for one of the purposes set out elsewhere in this section. We retain the personal data for the duration of the legal obligation imposed on us.

  • When we have received your consent.

In addition, we may process your personal data if we have previously obtained your unambiguous consent for specific purposes. Consent given can be revoked at any time, but this does not affect the data processed before revocation.

  8. The circumstances in which we disclose your personal data to third parties

We may disclose your personal data to third parties if this is necessary for the operation of the website and/or the mobile application or to comply with a legal obligation.

We may share your personal data with third parties and subcontractors such as IT service providers, cloud service providers, database providers, automated marketing solution providers and consultants in connection with the operation of the Website and/or the Mobile Application.

In this case, you acknowledge that the third party operators of such services may access some of your personal data in connection with the Website and/or the Mobile Application.

Our website and/or mobile application may also contain links to other websites. This privacy notice applies only to our actions and does not apply to the practices of any third party companies, individuals or other websites referenced on the Website and/or Mobile Application. You should carefully review the privacy policies of other websites that you visit from the Website and/or the Mobile Application to learn more about their personal data processing practices. In this case, the collection and use of your personal data is subject to the privacy policies of those other websites. We are not responsible for their privacy practices.

We may also disclose your personal data to third parties if we are required to do so by law or have a legitimate interest in doing so.

We may also disclose your personal information if we have a legitimate interest in doing so, for example (i) to comply with a request from a judicial authority or to comply with a legal obligation; (ii) to bring or defend a claim or lawsuit; or (iii) as part of a reorganisation when we transfer our assets to another company.

  9. International transfers

Your personal data will be stored in your country of residence but may be transferred to other countries in certain circumstances.

If you are a resident of the European Union, Switzerland or the United Kingdom, we store your personal data on servers in the European Union.

As a general rule, we do not transfer or make available your personal data to other countries. However, in certain circumstances, in particular in connection with the activities of our subcontractors, your personal data may be made available to recipients abroad (e.g. Google and Amazon Web Services are based in the USA). In such cases, we ensure that appropriate safeguards are in place in accordance with applicable data protection laws, for example by relying on the standard contractual clauses adopted by the European Commission.

You may request additional information in this regard and obtain a copy of the relevant security arrangements upon request by sending a request to the contact address set out in Section 13.

  10. How long do we store your personal data?

Your personal data will not be stored longer than necessary.

We will delete or anonymise personal data as soon as it is no longer necessary for the purposes set out in section 6 of this privacy notice. This period varies depending on the type of data concerned and the applicable legal requirements. For more information on each type of processing, please see section 6. If you delete your user account, we will delete your personal data within 30 days of this event, unless the data must be retained for a valid reason.

In view of the legal obligations incumbent upon us, certain information relating in particular to the contractual relationship must be retained for at least 10 years.

  11. Security

We maintain physical, technical and procedural safeguards to protect your personal information.

We are committed to the security of your personal data and have put in place physical, administrative and technical measures to protect your personal data and prevent unauthorised access to it. We use two-factor authentication whenever possible, use virus protection and have a strict password policy. We limit access to your personal data to those who need it for the purpose described in this privacy policy. In addition, we use standard security protocols and mechanisms for the transmission of sensitive data. When you enter sensitive data, we encrypt it using Transport Layer Security (TLS) technology.

Although we take reasonable steps to protect your personal information, no website or application is completely secure. Therefore, we cannot guarantee that the data you provide to us will be secure and protected from all unauthorised third party access and theft. We disclaim any liability in this regard.

The internet is a global environment. Therefore, when you submit information to us electronically, that information may be transmitted internationally over the Internet depending on your location. The Internet is not a secure environment and this privacy notice applies only to the use and disclosure of your personal information once it is under our control. Given the inherent characteristics of the Internet, all Internet transmissions are at your own risk.

If we have reasonable grounds to believe that your personal data has come into the possession of an unauthorised person and applicable law requires notification, we will notify you of the breach immediately by email (if available) and/or by another communication channel (including posting a notice on the website and/or mobile app).

  12. Your rights in relation to the processing of your personal data

You have the right to access your personal data processed by us and may request without limitation that it be removed, updated or rectified.

Unless otherwise provided by law, you have the right to know whether we are processing your personal data. You may contact us to find out the content of such personal data, to verify its accuracy and, to the extent permitted by law, to request that it be supplemented, updated, rectified or erased. You also have the right to request us to stop a particular processing of personal data that may have been obtained or processed in breach of applicable law and you have the right to object to the processing of personal data on legitimate grounds.

By accessing your user account (if any), you can review, update, correct or delete the personal data held in your user account.

If you would like us to delete your personal data from our system, please send us a request to that effect to the contact details below. We will comply with your request unless we are required by law to retain the data. Please note that information we have copied may remain in backup storage for some time after your deletion request.

If you wish us to delete your personal data from our systems, you can send us a request to the contact details below, which we will comply with unless we need to retain your data for legal or other legitimate reasons.

When we rely on your consent to process your personal data, we obtain your freely given and specific consent by providing you with informed and unambiguous information about your personal data. You can withdraw this consent at any time.

Further details of your rights can be found in sections 4 and 5 of this privacy notice in relation to each processing activity we carry out.

The above does not limit other rights you may have under applicable data protection laws in certain circumstances. In particular, where the GDPR applies to the processing of your personal data, the GDPR grants you certain rights as a data subject if the individual conditions are met:

  • Right of access (Art. 15 GDPR) – You have the right to request copies of your personal data from us.
  • Right to rectification (Art. 16 GDPR) – You have the right to ask us to rectify personal data that you believe is inaccurate. You also have the right to ask us to complete information that you believe is incomplete.
  • Right to erasure (Art. 17 GDPR) – You have the right to ask us to erase your personal data in certain circumstances.
  • Right to restrict processing (Art. 18 GDPR) – You have the right to ask us to restrict the processing of your personal data in certain circumstances.
  • Right to data portability (Art. 20 GDPR) – You have the right to request that we transfer to you or to another organisation the personal data that you have provided to us or that results directly from your activities (such as “observed” data from your use of a QluPod device) in a structured, commonly used and machine-readable format. However, the right to data portability is not absolute and portability does not include data that we generate internally based on your observed data.
  • Right to object to processing (Art. 21 GDPR) – You have the right to object to the processing of your personal data based on our legitimate interests in certain circumstances. In this case, we will no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is necessary for the establishment, exercise or defence of legal claims.

You do not have to pay any fees to exercise your rights. If you make a request, we have one month to reply to you.

You have the right to lodge a complaint with the competent authority.

If you are not satisfied with the way we process your personal data, you can, in addition to the rights described above, lodge a complaint with the competent data protection supervisory authority in the Member State where you have your habitual residence, place of work or the place of the alleged infringement.

Although this is not required, we recommend that you contact us first (see section 13) as we may be able to respond to your request directly.

  13. Contact

If you believe that your personal data has been used in a way that is not in accordance with this policy, or if you have any questions about the collection or processing of your personal data, please contact us.

QluPod AG
Bahnhofstrasse 23
9100 Herisau
Switzerland

  14. Translation

The original language of this privacy policy is English. Any translation provided is for convenience only. In the event of any conflict between the original English version and any translation, the English version shall prevail.