www.lowcarbprogram.com and our Low Carb Program mobile app (each and together, the “Sites” or “Service”) are owned and operated by DDM Health Ltd of Technology House, Sir William Lyons Road, University of Warwick Science Park, Coventry, CV4 7EZ (“we”, “us”, “our”).
For the purposes of data protection law: the data processor and data controller is DDM Health Ltd with registration number Z3613413. This means we are responsible for the data we receive through the use of our apps and for determining the purpose(s) and manner in which it is processed. As we provide our services to third parties, such as healthcare organisations and trusts, we may be processing the information on their behalf and subject to their lawful basis for processing and/or our own legitimate interests. To learn more about data processors and data controllers, please see the ICO definition of what are processors and controllers.
By signing up to use the apps, you consent to us having and using your data to provide our service. We take this responsibility extremely seriously and are committed to clinical, technical and operational excellence. If you stop providing your personal information or you choose to withdraw your consent to us processing your information, we will no longer be able to provide you with the service.
1. WHAT IS PERSONALLY IDENTIFIABLE INFORMATION (PII) / PERSONAL DATA: Personal data or PII means any information relating to a person who can be identified either directly or indirectly by that information; it may include name, address, email address, phone number, credit / debit card number, IP address, location data, purchase history (“Personal Data”).
2. INFORMATION WE MAY COLLECT FROM YOU
2.1. We may collect and process the following data about you:
2.2. Please note you have the option of what information in your account is publicly displayed. Furthermore, within your account, you have the option to opt-in or opt-out of automatically generated e-mails from us.
2.3. Please note that as a free user of the Low Carb Program you will have limited accessibility to the program and the features within it until a subscription is purchased. As a free user of the Low Carb Program we hold the right to contact you with a personalised journey specifically for non-paying customers. The journey you receive will be in accordance with the communication preferences that you select. We may contact you via email, SMS, and push notifications. Communication preferences can be edited at any time via the preference centre in the settings section of the program. Toward the expiry of your free user subscription we may contact you with information on how to purchase a subscription and the benefits of doing so.
2.4. Data security is extremely important to us. All data is stored encrypted-at-rest (i.e. in storage) and also during transit. Your data is stored in the United Kingdom, using Google Cloud and Microsoft Azure services located in the United Kingdom.
2.5. Anonymised, aggregate data may be transferred outside of the United Kingdom for the purposes detailed in Section 7.
2.6. Only data exported by the end user, with their consent to share, is shareable outside of the platform.
2.7. What data do you collect and why? Low Carb Program is a personalised platform that moves away from a ‘one size fits all’ approach to the treatment and care of people and instead uses data to better manage people’s health to achieve the best outcomes in the self-management of health or predisposition to disease. As our health is determined by our inherent differences combined with our lifestyles and environment, by combining and analysing information that participants wish to share, with other clinical and diagnostic information, patterns can be identified that can help to determine our individual risk of developing disease; detect illness earlier; and determine the most effective interventions to help improve our health, be they medicines, lifestyle choices, or even simple changes in diet.
To sign up, you just need to enter your date of birth, email address and choose a password. We need your date of birth to ensure you are of legal age to use the app in your jurisdiction, and your gender to tailor your experience (education, resources, coaching, activities).
After signing up, you are asked to select:
- Health conditions: selecting your health condition and diagnosis year will provide you with the appropriate education tailored to your health condition and resources.
- Medications: selecting your medications will ensure you see resources that are suited to the medications you take.
- Location: choose your country (and optionally, GP surgery) to see local resources and appropriate information.
- Goal: your goal enables the education and support you receive to be tailored to your health goals.
- Gender: to provide you with information related to your gender (e.g., menopause).
- Diet: selecting your dietary preferences and allergies enables appropriate meal plans to be shown to you. You can also decide which dietary approach you would like your education to be focused on.
- Ethnicity: select your ethnicity and preferred language to see culturally relevant meal plans and recipes.
- Occupation: optionally, select your occupation to see resources and signposting appropriate to you.
- Units of measurement: choose the units you'd like to track your health in.
- Lifestyle: enter your weight, height, HbA1c (if you have it) to start with a baseline set of data so you can see your progress, and select whether you smoke or test your blood glucose to see education on these topics.
- Username: optionally, set a username as a handle for your account when you converse with others in the community or through coaching rather than your name.
This is the minimum amount of information required to create your account.
After this, you can choose to tailor and improve your user experience optionally as follows, and use features of the app that track data:
- Food diary: you can track the food that you eat via barcode scanning, text input or photos. The nutritional information is used against your preset macro ratios to show you how many grams of carbs, fats and protein you have left to consume within the day to meet your targets.
- Health tracking: This data can be tracked by integrating your wearable device, self-inputted or logged from workouts you complete within the app. This data is used to track how active you have been and used to visually represent your data over time.
We also collect usage data from use of the web and app, which you can opt-out of by contacting the Support Team. To get in touch, tap on Help > Contact us.
3. NOTIFICATIONS (EMAIL, IN-APP NOTIFICATIONS)
3.1. You may choose to opt in or out of receiving our email and in-app communications. You can choose to opt in (informed consent) to receive marketing communications once you are a member of the platform.
3.2. In order to unsubscribe from emails, please select “Unsubscribe” from an email or toggle in-app. Similarly, toggle notifications from Settings > Notifications. Please contact us at email@example.com if you require any assistance with unsubscribing from our newsletter.
4. MEDICAL INFORMATION
4.1. You should be aware that information captured via our Sites may be viewed by our medical team. None of this information will be passed to any other person except for:
5. PURPOSES FOR WHICH WE PROCESS PERSONAL DATA
5.1. We will only process your Personal Data, in accordance with applicable law, for the following purposes:
5.2. Your consent, as the “Data Subject”, to the processing as specified in this Policy is the primary legal ground for our processing of your Personal Data. However, there may be circumstances where we may also rely on other valid legal grounds for the processing of your Personal Data, such as:
5.3. NHS Login: Please note that if you access our service using your NHS login details, the identity verification services are managed by NHS Digital. NHS Digital is the controller for any personal information you provided to NHS Digital to get an NHS login account and verify your identity, and uses that personal information solely for that single purpose. For this personal information, our role is a processor only and we must act under the instructions provided by NHS Digital (as the controller) when verifying your identity. The data processor may adopt the legal basis of the data controller to allow them to carry out the instructions of the controller. The NHS is not a third party for GDPR for the purposes of sharing/transfer. To see NHS Digital’s Privacy Notice and Terms and Conditions, please click here. This restriction does not apply to the personal information you provide to us separately.
5.4. Should the purpose of data collection change, you will be informed and opt-in consent re-obtained.
5.5. No user data is intended to be shared or processed for any purpose that has not been made clear to the user. The platform has been developed to ensure that data minimisation principles are met. This means that we build solutions that use as little data as required to provide a clinically safe and enjoyable user experience. DDM has followed data minimisation principles by ensuring that data collected and processed is not held or further used unless:
5.6. To opt out of each, or any, of the processing activities, please contact us at firstname.lastname@example.org. If you opt out of us holding and maintaining your account or us complying with applicable law you will not be able to use the Service because these processing activities are required to deliver you the Service.
6. DISCLOSURE OF YOUR INFORMATION
6.1. There are circumstances where we wish to disclose or are compelled to disclose your Personal Data to third parties. This will only take place in accordance with the applicable law and for the purposes listed above. These scenarios include disclosure to:
7. INTERNATIONAL TRANSFER OF PERSONAL DATA
7.1. We may transfer your anonymised and aggregated Personal Data to a third party in countries outside the country in which it was originally collected for further processing in accordance with the purposes set out above. In particular, your anonymised and aggregated Personal Data may be transferred throughout our group and to our research partners abroad. In these circumstances, we will, as required by applicable law, ensure that your privacy rights are adequately protected by appropriate technical, organisational, contractual or other lawful means. Please contact email@example.com for a copy of the safeguards which we have put in place to protect your anonymised and aggregated Personal Data and privacy rights in these circumstances.
8. RETENTION OF PERSONAL DATA
8.1. Your Personal Data will be retained until your last use of our services and normally for a period of three years thereafter, unless longer retention is required by applicable local law or where we have a legitimate and lawful purpose to do so. However, we will not retain beyond this period any of your Personal Data that is no longer required for the purposes set out in this Policy. The retention of your Personal Data will be subject to periodic review.
8.2. We may keep an anonymised form of your Personal Data, which will no longer refer to you, for statistical purposes without time limits, to the extent that we have a legitimate and lawful interest in doing so.
8.3. Please contact us at firstname.lastname@example.org if you would like further details about our data retention periods.
8.4. You are free to withdraw your consent for Low Carb Program to process your personal information by deleting your Account – please instruct the Support Team to do so on your behalf. After you withdraw your consent, you will still be able to access some of the incredible features and content available on our websites.
9. DATA SUBJECT RIGHTS
9.1. Data protection law provides Data Subjects with numerous rights, including the right to: access, rectify, erase, restrict, transport, and object to the processing of, their Personal Data. Data Subjects also have the right to lodge a complaint with the relevant data protection authority if they believe that their Personal Data is not being processed in accordance with applicable data protection law. To exercise any of the rights listed, please contact us by writing to email@example.com. We will get back to you in 1 working day, and respond to any requests to exercise your rights within 21 working days.
9.2. We do not knowingly collect Personal Data online from individuals under 18 without parental consent. If you become aware that a child has provided us with Personal Data without parental consent, please contact us at firstname.lastname@example.org. If we become aware that an individual under 18 has provided us with Personal Data without parental consent, we will take steps to remove the data and cancel that individual’s account.
9.3. Low Carb Program retains your Personal Data:
9.4. Personal Data is destroyed when it is no longer necessary for the purposes listed in 9.3. The specific destruction process and method are as follows:
9.5. NHS Login: Please note that if you access our service using your NHS login details, the identity verification services are managed by NHS Digital. NHS Digital is the controller for any personal information you provided to NHS Digital to get an NHS login account and verify your identity, and uses that personal information solely for that single purpose. For this personal information, our role is a “processor” only and we must act under the instructions provided by NHS Digital (as the “controller”) when verifying your identity. To see NHS Digital’s Privacy Notice and Terms and Conditions, please click here. This restriction does not apply to the personal information you provide to us separately.
10.1. DDM Health Ltd comply with recognised International Data Management Standards, including ISO9001 and ISO27001 and have been accredited as part of this process.
10.2. DDM Health Ltd are fully compliant with the General Data Protection Regulation (GDPR).
10.3. Sites are developed alongside recognised compliance standards such as NHS Data Standards, including the NHS Information Governance toolkit.
10.4. The iOS and Android Low Carb Program apps are compliant with OWASP Mobile Application Security Verification Standard (MASVS) Level 2+R.
10.5. Low Carb Program is an MHRA-regulated Class I Medical Device.
10.6. Our MHRA number is 8939.
11.1. The Sites may, from time to time, contain links to and from the websites of our partner networks, advertisers, affiliates and other third parties. If you follow a link to any of these websites, please note that these websites may have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal information to these websites.
12. DATA PROTECTION OFFICER
12.1. The Data Protection Officer is Amar Singh. To contact the DPO, please email email@example.com or use the in-app contact form.