SWEETCH PRIVACY POLICY

[Last Updated: Sep 2022]

This privacy policy (“Privacy Policy”) governs the data collection, processing, and usage made by Sweetch Health Ltd. (“Company”, “Sweetch”) “we” or “us”) with respect to the data we collect from individuals who use our services that include: (i) mobile application together with its related web interfaces and landing pages ("App"); and (ii) Cloud-based platform and web interface associated with the App ("Dashboard") (collectively, the "Services").

This Privacy Policy constitutes an integral part of the Services Terms and Conditions (together “Terms”), and provides you with information regarding our processing operations, including the lawful basis pursuant to which we process your Personal Data (as defined below), third parties to whom Personal Data will be transferred, data retention periods, as well as your rights under applicable privacy laws. Definitions used herein but not defined herein shall have the meaning ascribed to them in the Terms.

The users of the Services are: (i) App Users who use the App for achieving their personal health goals ("App User"); and (ii) third parties who use the Dashboard for monitoring their App Users' status and progress (e.g., a relevant healthcare provider of an App User), including our customers and partners who engaged us for providing the App Users with the Services ("Enterprise User" and "Enterprise Account Owner") (App User and Enterprise User together "you" or a "User"). You and the Company shall each be referred to herein as a "party" and collectively as the "parties".

It is important to note that the Services will track the App User’s daily activity and collect and analyze its Personal Data, including health-related data, as detailed hereunder, to define and create a personalized program and recommendations to assist the App User with achieving their personal health goals and manage their chronic condition.

You are not required by law to provide us with any Personal Data. Sharing Personal Data with us is entirely voluntary. However, in some cases, without providing your data we would not be able to provide you with all or some of our Services.

AMENDMENTS

We reserve the right to periodically amend or revise the Privacy Policy, which will immediately affect the implementation of the revised Privacy Policy in the Services. The last revision date will be reflected in the “Last Modified” heading located at the top of the Privacy Policy. We will make a reasonable effort to notify you if we implement any changes that substantially change our privacy practices. We recommend that you review this Privacy Policy periodically to ensure that you understand our privacy practices and to check for any amendments.

CONTACT DETAILS AND “CONTROLLER” FOR GDPR PURPOSES

We are Sweetch, a company incorporated in Israel. Our address is: 5 Jabotinsky St. Ramat Gan, Israel.

Under the European General Data Protection Regulation (”GDPR”), we are the data controller of the Services Users. That, without derogating from the responsibility and legal obligations of the relevant Enterprise Account Owner as the entity contracted us for providing you with Services.

Questions, comments, requests and complaints regarding this Privacy Policy and the information we hold are welcome and should be addressed to us contacting us through email: support@sweetch.com. All requests will be dealt with promptly and efficiently.

WHICH DATA DO WE COLLECT AND FOR WHAT PURPOSE?

“Non-Personal Data”: means non-identifiable, including statistical and aggregated, and “de-identified” data which can no longer be associated with any individual with no limitation (even if was derived from Personal Data). That includes technical data transmitted to us by your device when you access and interact with the Services, such as the type of browser, type of operation system, type of device used, the time and date you access our services, navigation, language preference, etc. Also, such data may include data regarding Users’ daily activities, Services Usage, Clinical and demographic information, but only to the extent such data was stripped off any identifier and can no longer be associated with the specific User from whom it was collected. Non-Personal Data is used mainly for technical analysis, research and development of our services in order to provide, maintain, develop and enhance it, and is not used to identify individuals. Under this Privacy Policy, we can use any aggregated, statistical, and such de-identified data with no limitation. Such data may be included in our proprietary information and does not deem as Personal Data under the law.

“Personal Data”: means, information which identifies or may identify, with reasonable effort, an individual. Such data includes, inter alia, your name, address, phone number, email address billing information and online identifiers (such as IP address or Cookie ID). Also, in certain cases and if you as a User of our App, Personal Data may include further and broader information regarding your activity and interaction with us or our services.

The Personal Data we collect and process is:

Account Data:

Type of Data – as detailed in the Terms, each User is registered in our systems under a personal account (“User Account”). The User Account data includes basic contact details such as name, email address, mobile number, login details (username and password), and your device details (type, screen resolution, etc.). with respect to App Users we will also collect relevant demographic data such as age, gender, height, weight, etc.
Purpose of Processing – providing the User with access to and the ability to use the Services.
Processing Actions – We will collect and process the Account Data, create a User Account in our systems, identify the User when accessing and registering to the Services and adjust the Services to the User’s preferences and characteristics. Also, we may use your contact details to send you updates and notifications regarding your use of the Services. Further, we may use the contact details to send you marketing communications about our other services and products where permitted by applicable law (unless you have opted out). Also, we may use your mobile number to send you notifications through SMS.
Lawful Basis – the lawful basis for processing your Account Data will be the contract between you and us, meaning we will use the data to provide you with Services. In cases where we will provide you with information of a marketing nature about our services and products, we will do so in our legitimate interest.

App User’s Daily Habits and Health-related data (“Profile Data”):

Type of Data – as explained in the Terms, the Services intend to create a personal profile and personalized health plan for each App User. For that purpose, the App will collect from each App User certain clinical and health-related data, including known conditions and disease, medications, blood sugar levels (“BG Levels”), dietary restrictions and preferences, daily habits, and other related data required for creating a profile for the App User in our systems.
Purpose of Processing – providing the App User with the Services while creating a personal profile used as a basis for recommending and creating a personal health plan for the App User.
Processing Actions – We will collect and process the Profile Data, analyze it, create a profile of the relevant App User, and use it to customize and personalize the Services for the App User. We will also allow the relevant Enterprise Users related to each App User to access and view the Profile Data, and in some instances, update it.
Lawful Basis – the lawful basis for collecting and processing your Profile Data is your consent, provided through the App and its relevant interfaces.

App User’s Usage and Tracking Data (“Activity and Tracking Data”):

Type of Data – as part of using the App, we will collect and process usage and activity data regarding each App User. Such data may include data regarding meals and nutrition, BG Levels and weight, medications consumed, physical activity, location data, motion trackers data, and other data regarding the App User’s daily conduct and habits. Each such action shall be recorded in our systems alongside its date and time of occurrence.
Purpose of Processing – providing the App User with the Services, including recommendations and notifications to assist them in achieving their personal health goals.
Processing Actions – We will collect Activity and Tracking Data directly and automatically. As part of using the App, the App User will be asked to feed and fill in certain information regarding their activity, such as their daily nutrition, activity, and the completion of recommendations provided through the App. Further, the App will collect certain Activity and Tracking Data through the User’s cellular device sensors (location, GPS, motion sensors, etc.), calendar, smartwatches and other wearable technologies, and Measurement Tools such as the glucometer and scale included in the Sweetch Kit. We may use this activity data to calculate further information about the App User, such as distance walked or run, or calories burned, so that the calculated information can be used as part of the functionality of the Services. The automatic collection of Activity and Tracking data shall be subject to specific authorizations and permissions provided to by the App User through his phone. We will also share the App User’s data with its relevant Enterprise Users for overseeing and monitoring the App User’s progress and use of the Services.
Lawful Basis – the lawful basis for collecting and processing your Activity and Tracking Data the Contract between us, meaning, the provision of the Services to you upon your request. Health-related and behavioral data is processed subject to your consent provided through the App.

Contact us and Support Data (“Support Data”):

Type of Data – If you choose to approach us with any inquiry regarding your use of the Services, we will retain such Support Data, which may include, Account Data, inquiry data (content, logs and debugging information, and dates and times), correspondence history and a record of how we addressed the inquiry.
Purpose of Processing – Addressing your inquiries as a User if the Services.
Processing Actions – We will collect and process Support Data and open a ticket in our relevant systems (e.g., CRM, including through relevant third parties), to provide you with the support or information you have requested. We will retain our correspondence with you for as long as needed, subject to applicable law.
Lawful Basis – the lawful basis for processing your information will be the contract between you and us, meaning we will use the data for addressing your requests and inquiries. After addressing the request, we will retain the Support Data as part of our business records under our legitimate interest.

Technical and Usage Data (“Usage Data”):

Type of Data – typically collected and generated automatically, directly from the User’s device and through their interaction with the Services, including online identifiers associated with your device (such as IP address), dates and times of use, language, resolution, light and other view preferences, battery consumption, analytical data regarding the usage of the services, etc. Also, we may collect some technical and online identifiers data by cookies, pixels, SDKs, and other similar technologies (“Cookies”).

***Please see additional information regarding Cookie’s usage below.

Purpose of Processing – Improving & customizing the Website, safety, security and fraud prevention of the Website, and advertising purposes.
Processing Actions – We, directly or through the use of third parties, will collect your data, aggregate it and statistically analyze it (whether alone or together with other Visitor’s data), aggregate, generate reports based on such analysis and retain records of any such usage data. We process and retain this data for enhancing your experience and auditing and tracking usage statistics and traffic flow, customizing the Services for you, or adjusting its content, including advertisements, for your use. We also process it to protect the Service's security and our and third parties rights (subject to applicable law requirements).
Lawful Basis – We use the usage data based on the contract necessity to provide you with the information requested. Further, we may use Usage Data internally to improve our services, develop its underlying algorithms, and create new features and services subject to our legitimate interests. Any use of Cookies or other technologies for marketing or other purposes that are not an inherent part of the Services operation will be done only following your consent provided through the designated tool or banner in the Dashboard or App.

On any occasion where the processing of your Personal Data is based upon consent, you may withdraw such consent by contacting us through the contact means provided below.

Please note that the actual processing operation per each purpose of use and lawful basis detailed in the table above may differ. Such processing operation usually includes a set of operations, made by automated means, such as collection, storage, use, disclosure by transmission, erasure, or destruction. Transfer of personal data to third-party countries, as further detailed in the Data Transfer section, is based on the same lawful basis as stipulated in the table above.

Also, we may collect Personal Data that includes information of medical nature from you or the relevant Enterprise User. If you reside in the US, some of this information may, but not necessarily in all cases, be protected under the Health Insurance Portability and Accountability Act of 1996 and associated regulations ("HIPAA"). We will always treat such data with great care and in accordance with all applicable laws.

Health Connect data (for Android users) – if you are an Android user, as part of providing you with the App services, we may use Health Connect data. The use of information received from Health Connect will always adhere to the Health Connect Permissions Policy, including the Limited Use requirements.

In addition, we may use certain Personal Data to prevent potentially prohibited or illegal activities, fraud, misappropriation, infringements, identity thefts, and any other misuse of our services and to enforce the Terms, as well as to protect the security or integrity of our databases and our services, and to take precautions against legal liability. Such processing is based on our legitimate interests.

Cookie Usage

In our web interfaces, including any landing page or dashboard, we may use cookies, web beacons, pixels, SDKs, and other tools and technologies (together Cookies) to improve your experience while using our services. We may use various types of Cookies:

Essential Cookies – which are necessary for the App to work correctly (usually appear under our name/cookie tag);
Functional Cookies – designated to save your settings on the App - your language preference or other view preferences (also, under our name/cookie tag);
Session Cookies – used to support the Service's functionality – such Cookies are stored only temporarily during a browsing session and are deleted from your device when you close the browser.
Targeting Cookies - these cookies are used to collect information from you to help us improve our services and serve you with targeted advertisements that we believe will be relevant to you (e.g., Google’s Cookies).
Analytics Cookies - give us aggregated and statistical information to improve our services and further develop it e.g., Segment.com, Domo, Google Analytics, Mixpanel, etc.

Please note that the data collected by Cookies may be linked to and combined with any other data, including Personal Data.

Cookie’s data is usually collected through the use of third-party services, like Google, Facebook, etc. In those cases, your Personal Data might be transferred to those third parties, which might link it and use it together with other information they have on you from other sources. Such data is “owned” and processed separately by those third-parties under their terms and conditions and the direct accounts or subscriptions you have with those third parties. For example, suppose you have a Facebook account, the Personal Data collected through Facebook’s Cookies on our website might be linked to other data that Facebook collects from you as a Facebook user, and might be used by Facebook per the independent agreements between you and Facebook.

The specific cookies we currently use in our Dashboard, and your choices with regard to such use are detailed in the dedicated cookie banner in the Dashboard.

HOW WE COLLECT INFORMATION

According to the nature of your interaction with our services, we may collect information as follows:

Automatically – As part of using the Services, some data might be collected automatically regarding your activity as a User. Automatic collection of Activity and Tracking Data is subject to specific authorizations and permissions provided by the App User through their cellular device. Also, such data may be collected indirectly from Measurement Tools (as described in the Terms).
Provided by you voluntarily – we will collect information if and when you choose to provide us with information, such as when you feed information to the App as part of using it or when you contact us.
Provided to us by our Partners (as defined below) – as part of providing our services to You.

SHARING DATA WITH THIRD PARTIES

We do not sell your Personal Data. We will only share it with third parties in the following events:

Sharing of Data with an Enterprise Account Owner and its Enterprise Users: we will share each App User Data with its relevant Enterprise Account Owner and Enterprise Users, to allow them manage, control and optimize the provision of the Services to the App User;
Legal Requirement: We will share your information in this situation only if we are required to do so to comply with any applicable law, regulation, legal process, or governmental request (e.g., to comply with a court injunction, comply with tax authorities, etc.);
Policy Enforcement: We will share your information, solely to the extent needed to (I) enforce our policies and agreements; or (ii) to investigate any potential violations thereof, including without limitations, detect, prevent, or take action regarding illegal activities or other wrongdoings, suspected fraud or security issues;
Company’s Rights: We will share your information to establish or exercise our rights, to prevent harm to our rights, property, or safety, and to defend ourselves against legal claims, when necessary, subject to applicable law;
Third Party Rights: We will share your information, solely to the extent needed to prevent harm to the rights of our users, yourself, or any third party’s rights, property, or safety;
Business Purpose - we may disclose your personal information to a third party for a business purpose, as detailed above.
Service Providers – we share your information with third parties that perform services on our behalf (e.g. cloud computing and storage, SDKs, customer service, tracking, servers, service functionality, marketing, support, etc.) these third parties may be located in different jurisdictions.
Corporate Transaction - we may share your information in the event of a corporate transaction (e.g. sale of a substantial part of our business, merger, consolidation or asset sale). In the event of the above, our affiliated companies or acquiring company will assume the rights and obligations as described in this Privacy Policy;
Authorized Disclosures - we may disclose your information to third parties when you consent to a particular disclosure. Please note that once we share your information with another company, that information becomes subject to the other company’s privacy practices.

Where we share information with service providers and partners, we ensure they only have access to such information that is strictly necessary in order for us to provide the services. These parties are required to secure the data they receive and to use the data for pre-agreed purposes only, while ensuring compliance with all applicable data protection regulations.

As part of the App we may use certain SDKs (a Software development kit) which is a set of tools that provide us with the ability to build a custom app which can be based on, or connected to, another program. SDKs are used only in our Mobile App. SDK create the opportunity to enhance our Mobile App with more functionality, as well as include advertisement and push notifications, if applicable. SDKs will be used for collection of the same data types as detailed above, for the purposes detailed alongside.

DATA TRANSFER

Any information you provide us may be transferred to and processed in countries other than the country from which you accessed our services. If you are a resident of the European Economic Area ("EEA") we will take appropriate measures to ensure that your Personal Data receives an adequate level of data protection upon its transfer outside of the EEA. If you are a resident of a jurisdiction where the transferring of your Personal Data requires your consent, then your consent to this Privacy Policy includes your express consent for such data transfer.

USER RIGHTS

You may have certain rights regarding your Personal Data

We acknowledge that different people have different privacy concerns and preferences. Our goal is to be clear about what information we collect, so that you can make meaningful choices about how it is used. We provide you with the ability to exercise certain choices, rights and controls in connection with your information. Depending on your relationship with us (e.g., if you are a visitor of our website or an App User), data protection and privacy laws provide you with some of the following principal rights regarding your Personal Data, including (and depending on your jurisdiction): The right to access your Personal Data that we process; The right to ensure your Personal Data is accurate, complete and up to date; The right to have your Personal Data amended (by correcting, deleting or adding information); The right to object to the processing of your Personal Data, to the extent applicable; The right to send or “port” your Personal Data; The right to file a complaint with a supervisory authority in your jurisdiction; The right to withdraw consent, subject to legal or contractual restrictions and reasonable notice; Right to Non-Discrimination, etc.

You may exercise any or all of your above rights in relation to your Personal Data by contacting us through the email address above.

Further, certain rights are available within the App: you may correct and revise the Account Information, Contact Data, Profile Data, etc. Also, you have the ability to delete your account. Therefore, we recommend you use the technical solutions we have provided you with to exercise your rights.

Where we are not able to provide you with the information for which you have asked, we will endeavor to explain the reasoning for this and inform you of your rights, including the right to complain to the supervisor authority (in the event you are EEA resident). We reserve the right to ask for reasonable evidence to verify your identity before we provide you with any such information in accordance with applicable law.

RETENTION

We retain Personal Data we collect as long as it remains necessary for the purposes set forth above, all in accordance with applicable laws or until an individual requests to opt-out of such collection. For example, we will retain any User’s data for at least 6 years after the termination of use, for the purpose of legal defense and in accordance with the relevant statute of limitation. Additionally, if you receive our services under a contract with a third party (such as the Enterprise Account Owner), the third party is responsible for setting the Retention terms. We may at our sole discretion, delete or amend information from our systems, without providing any notice to you, once we deem it is no longer necessary for our purposes.

SECURITY

We implement extensive security measures to reduce the risks of damage, loss of information and unauthorized access or misuse of Personal Data. We implement appropriate data collection, storage and processing practices and security tools to protect personal data against unauthorized access, alteration, disclosure or destruction. You should be aware that no security measures are completely fail-proof, and it is impossible to prevent any and all threats to the security of data and systems. Therefore, you should be aware that any processing of digital Personal Data holds certain inherent risks, and we cannot guarantee that our services and databases will be immune to any wrongdoings, malfunctions, unauthorized interceptions or access, malware attacks or other kinds of abuse and misuse.

CHILDREN

Our services are not directed, nor is it intended for use by children (the phrase "child" shall mean an individual that is under age defined by applicable law which concerning the European Economic Area (“EEA “) is under the age of 16 and with respect to the U.S.A, under the age of 13) and we do not knowingly process a child’s information. We will discard any information that we receive from a user who is considered a "child" immediately upon our discovery that such a user shared information. Please contact us if you have reason to believe that a child has shared any information with us.