Tidepool Privacy Policy

Effective Date: November 2, 2015, Version 1.0

The privacy and security of your information is important to us. We collect information from people who use Tidepool applications to help manage their diabetes (“Users”) and from the people with whom the User chooses to share that information (“Care Team Members”). BY USING ANY OF THE TIDEPOOL APPS YOU AGREE TO THE COLLECTION, USE, AND DISCLOSURE OF YOUR INFORMATION IN ACCORDANCE WITH THIS PRIVACY AND DATA POLICY.

Tidepool treats the information of Users and Care Team Members differently. For this reason, this Privacy Policy has separate sections that apply to Users, to Care Team Members, and to both Users and Care Team Members.


Privacy Policy – for Users

1. Summary

We collect your information so that we can show it to you in useful ways in our applications like Blip, the Tidepool Uploader, Nutshell and Sonar. Our applications store and retrieve data through our hosted cloud platform, called the Tidepool Platform. You may choose to share your health information with others and with applications that connect to the Tidepool Platform.

This Privacy Policy describes what we do with your information and is guided by the following principles:

This summary is for your convenience only and has no legal effect.

2. The Privacy and Security of Your Information is Important to Us.

This Privacy Policy describes how Tidepool Project (“Tidepool,” “us,” or “we”) collects, uses, and discloses information collected from you as a User in connection with your use of our web- and mobile-based applications (such as Blip and Tidepool Uploader; together with any other web- and mobile-based applications developed by Tidepool, the “Tidepool Apps”).

This Privacy Policy is a part of the Tidepool Project Applications Terms of Use (“Terms of Use”). The Terms of Use is the contract between you and Tidepool that governs your access and use of the Tidepool Apps and makes you the legal owner of the data, notes, files and other information you store and manage using the Tidepool Apps. By becoming a registered User and creating an account (“Account”) with Tidepool, you must also accept the Terms of Use. Please read this entire Privacy Policy and the Terms of Use.

The summary above is for your convenience only and has no legal effect. In the event of any conflict between the provisions of the Terms of Use and this Privacy Policy, the terms and conditions of the Terms of Use will prevail. If you don’t agree with the terms of this Privacy Policy or the Terms of Use, please don’t use the Tidepool Apps. BY USING ANY OF THE TIDEPOOL APPS YOU AGREE TO THE COLLECTION, USE, AND DISCLOSURE OF YOUR INFORMATION IN ACCORDANCE WITH THIS PRIVACY POLICY.

As our services expand, we will evaluate our policies and practices and occasionally implement improvements and refinements. If we make a change to this Privacy Policy that we determine, in our sole discretion, is material, we will notify you (for example, by email to the email address in your account) prior to the changes becoming effective. We will post all revised or new Privacy Policies on the Tidepool website at www.tidepool.org/legal and indicate the date it was last revised.

3. Frequently Asked Questions

3.1 What does this Privacy Policy cover?

This Privacy Policy applies to Tidepool’s treatment of “personal information,” which is information that uniquely identifies a User or otherwise contains personally identifiable information. This Privacy Policy also applies to the data, notes, and files you or any of your Care Team Members upload, store, and manage using the Tidepool Apps. This Privacy Policy does not apply to the practices of companies that Tidepool does not own or control, or to individuals who Tidepool does not employ or manage.

3.2 What information does Tidepool collect and for what purposes?

Registration and Contact Information

To register as a User, you must provide your email address and create a password. You use your email address and password to log in. We may also collect contact information, such as your name, address, phone number, and certain non-personal information that does not itself identify you, such as your IP address.

We may use this information to: deliver, administer and improve the Tidepool Apps; provide customer service; improve and personalize your experience; better understand your needs; fulfill requests you make; deliver special announcements and updates about the Tidepool Apps; and contact you about any of the above as well as any changes to or notifications regarding your Account.

Other Information You Provide to Us

We also collect other information you provide to us through the Tidepool Apps. This includes your gender, age and birth date, weight, height, treatment and diagnosis information, health and well-being related information (including diet and activity information), information identifying the diabetes monitoring and treatment devices you use, and data you upload from your diabetes monitoring and treatment devices using Tidepool Uploader.

We use this information to provide the visualization, data analysis, and other features available through the Tidepool Apps, which are also available to any Care Team Members you choose. When you seek support from us, the individual(s) providing you with support may need to access your information in order to identify the problem you are seeking support for, though your information will only be used to help provide you with support.

With your permission, we may also provide your personal health data and internal, diagnostic data from your diabetes device to the maker of that device, include your anonymized data in the Tidepool Anonymized Diabetes Database, or share your information with third-party applications that you choose to connect with.

Data Access for Device Makers

You have the option of granting the maker of your diabetes monitoring or treatment device access to the information you upload from the device via the Tidepool Uploader. Providing your device maker with access to this data may assist the device maker in providing customer support or diagnosing and addressing issues with the device. Providing data access to the device maker also helps them understand how their devices are being used, which helps them make better devices in the future. We may charge device makers a monthly fee for access to this data.

You may choose to provide certain device makers, including but not limited to the following, with information collected from your device via the Tidepool Uploader:

Your device manufacturer may be able to identify you based on the serial number associated with the device and other information about you in its possession.

Tidepool Anonymized Diabetes Database

You have the option to donate your anonymized data to the Tidepool Anonymized Diabetes Database, a database made available for diabetes research. Diabetes researchers have a very hard time getting access to quality data from diabetes devices. We are making the Tidepool Anonymized Diabetes Database available for free to anyone agreeing to the applicable terms of use. By doing this we hope to contribute to a dramatic acceleration in the rate of innovation in diabetes care.

You will not be identifiable based on the information you donate to the Tidepool Anonymized Diabetes Database. We take care to store identifying information (like your name, address, or birthday) separately from the donated data. If you agree to donate your information, here is the information you will be donating (if provided):

For each User:

For all diabetes devices:

For blood glucose meters:

For continuous glucose meters (“CGM”):

For insulin pumps:

For exercise monitors:

We will not include in the anonymized diabetes database (1) freeform text and notes entered by you or anyone you’ve provided access to or (2) any other data that could identify a specific individual.

The data from your device will be correlated across time and with the donated User information using a random, cryptographically secure user key (a “one-way hash”). This identifier is “one-way,” which means that not even we can figure out who it refers to. However, having this key allows researchers to correlate multiple data points over time from a single person.

Third-Party Applications

You may have the option to link or connect Tidepool Apps and the information collected with Tidepool Apps with certain third-party applications. We will always ask your permission before sharing your information with any third-party application.

Study Management for Academic & Clinical Research

You may be asked to participate in academic or clinical research studies, either by Tidepool or by other academic or clinical research entities. You are under no obligation to participate in these studies. If you do agree to participate in a study, you may be asked to link your Tidepool account to the study coordination account, or to provide a unique identifier that will allow the researcher or research institution to link other personally identifiable information to your Tidepool data. Only you can agree to this linkage of other information or databases; Tidepool will never provide access to information that we store about you without your consent.

Information we collect automatically about you when you use Tidepool Apps

We receive and store certain types of information whenever you interact with Tidepool Apps. We automatically receive and record information on your activity on our server logs, including your IP address, and the app features you access and use. Generally, we automatically collect usage information, such as the number and frequency of Users or Care Team Members, the features of the Tidepool Apps you use, and how you interact with them. We only use this data in aggregate form, that is, as a statistical measure, and not in a manner that would identify you personally. This type of aggregate data enables us to figure out how you use parts of the Tidepool Apps so that we can improve them.

3.3 What choices do I have about the use of my information?

Under the Terms of Use you own the personal information, data, notes, and files that you upload, store, and manage using the Tidepool Apps or that are added by your Care Team Members. This means that you decide who has access to your information. You also have full control to add or delete your information, alter some types of information, export your information, or cancel your Account.

Care Team Access

You can grant access to your Account to health care professionals, family, friends, or anyone else on your care team. The Care Team Members to whom you provide access will be able to view and comment on the data and information in your Account. Only if you grant them permission will Care Team Members be able to upload data to your Account or, if applicable, edit data in your Account. They will not be able to alter or delete any information or data in your Account. You, and only you, can add and delete Care Team Members and adjust their access setting at any time by going to the Blip application. You own all content in your Account added or altered by your Care Team Members and may delete it at any time.

Sharing with Device Makers

You have the option to share the data you upload from your diabetes monitoring or treatment device using the Tidepool Uploader with the maker of that device. You were given the option to share this information when you registered with Tidepool. If you would like to change your sharing preference, you can do so at any time by going to Account Settings. Please note that any data you may have previously shared with a device maker may remain with the device maker if they have stored that information and cannot be removed or deleted by changing your sharing preference.

Sharing with the Tidepool Anonymized Diabetes Database

You have the option to donate your anonymized data to the Tidepool Anonymized Diabetes Database. You were given the option to donate your anonymized data when you registered with Tidepool. If you would like to change your donation preference, you may do so by going to Account Settings. If you change your preference to not donate, you will not be able to remove or delete anonymized data previously donated.

Export, Delete, or Change Your Information

You can change the contact information you provided when you registered by going to Account Settings. You can change or delete other information and data you have provided by editing or deleting that information directly using the utilities and features available in the Tidepool Apps. You can also export your data by going to Account Settings or by sending an email to support@tidepool.org.

Cancel Your Account

You can also cancel your Account at any time. Upon cancellation, we will delete your account information and data.

Other Rights You May Have under HIPAA

Tidepool may enter into relationships with a number of institutions or health care providers for whom Tidepool will act as a “business associate” under the federal Privacy and Security Rules issued under the Health Information Portability and Accountability Act (“HIPAA”). If the User is a patient of one of these institutions or other providers, Tidepool may have obligations to that institution or other provider under HIPAA and Tidepool’s business associate contract with the institution or other provider that affect your information.

Email Communications

You can choose to stop receiving marketing or informational emails from us by clicking the “unsubscribe” link at the bottom of any such email.

Corporate Events

If Tidepool is involved in a merger, acquisition, sale, or other disposition of all or a substantial portion of its assets, you will be notified via email of any change in ownership and the choices you can make about your personal information. You can always choose to export or delete your personal information and data stored on Tidepool Apps.

3.4 How old do Tidepool App users need to be?

You must be 13 or older to register with Tidepool Apps as a User. If you are at least 13 but are under the age of 18, you may only register with and use Tidepool Apps with your parent’s or legal guardian’s express prior consent. If you are a parent or legal guardian who has consented to the use of Tidepool Apps by a person between the ages of 13 and 18, you are fully responsible for that person’s use of Tidepool Apps and agree to be bound by the terms of this Privacy Policy. If we discover that a person under 13 has registered as a User, we will delete the person’s account.

3.5 How do I invite members to join my Care Team or invite others to use Tidepool Apps?

If you would like to invite someone to become a member of your care team, we’ll ask you for the person’s email address for the sole purpose of sending an invitation. To do so, please select “Share” from within the Blip application. If you would like to invite someone to become a User of any Tidepool App, we’ll ask you for the person’s email address for the sole purpose of sending an invitation.

3.6 What about the practices of third-party applications that you can connect to Tidepool Apps?

Our Privacy and Data Policy applies solely to information collected by and through the Tidepool Apps. You may be able to connect to third-party applications from the Tidepool Apps or you may choose to share your device data with a device maker. Please be aware that Tidepool doesn’t control and isn’t responsible for the privacy and security practices of your device maker or third-party applications. We encourage you to become familiar with their data practices before choosing to share any personal information or data with them.


Privacy Policy – for Care Team Members

4. Summary

Users have control of their data. This means that as a Care Team Member your access to a User’s data and information is controlled by the User and that any comments or information that you add may be deleted by the User at any time.

This Privacy Policy describes what we do with the information you provide us when you register and in your use of Tidepool applications.

This summary is for your convenience only and has no legal effect.

5. The Privacy and Security of Information Is Important to Us.

This Privacy Policy describes how Tidepool Project (“Tidepool,” “us,” or “we”) collects, uses, and discloses information collected from you as a Care Team Member in connection with your use of our web- and mobile-based applications (such as Blip and Tidepool Uploader; together with any other web- and mobile-based applications developed by Tidepool, the “Tidepool Apps”).

This Privacy Policy is a part of the Tidepool Project Applications Terms of Use (“Terms of Use”). The Terms of Use is the contract between you and Tidepool that governs your access and use of the Tidepool Apps. By becoming a registered Care Team Member and creating an account (“Account”) with Tidepool, you must also accept the Terms of Use. Please read this entire Privacy Policy and the Terms of Use.

The summary above is for your convenience only and has no legal effect. In the event of any conflict between the provisions of the Terms of Use and this Privacy Policy, the terms and conditions of the Terms of Use will prevail. If you don’t agree with the terms of this Privacy Policy or the Terms of Use, please don’t use the Tidepool Apps. BY USING ANY OF THE TIDEPOOL APPS YOU AGREE TO THE COLLECTION, USE, AND DISCLOSURE OF YOUR INFORMATION IN ACCORDANCE WITH THIS PRIVACY POLICY.

As our services expand, we will evaluate our policies and practices and occasionally implement improvements and refinements. If we make a change to this Privacy Policy that we determine, in our sole discretion, is material, we will notify you (for example, by email to the email address in your account) prior to the changes becoming effective. We will post all revised or new Privacy Policies on the Tidepool website, tidepool.org/legal and indicate the date it was last revised.

6. Frequently Asked Questions

6.1 What does this Privacy Policy cover?

This Privacy Policy applies to Tidepool’s treatment of “personal information,” which is information that uniquely identifies a Care Team Member or otherwise contains personally identifiable information. This Privacy Policy also applies to notes and other information that you as a Care Team Member add to a User’s Account using the Tidepool Apps. This Privacy Policy does not apply to the practices of companies that Tidepool does not own or control, or to individuals that Tidepool does not employ or manage.

6.2 What information does Tidepool collect and for what purposes?

Registration and Contact Information

To register as a Care Team Member, you must provide an email address and create a password. You use your email address and password to log in. We may also collect contact information, such as your name, address, phone number, and certain non-personal information that does not itself identify you, such as your IP address.

We may use this information to: deliver, administer and improve the Tidepool Apps; provide customer service; improve and personalize your experience; better understand your needs and interests; fulfill requests you make; deliver special announcements and updates about the Tidepool Apps; and contact you about any of the above as well as any changes to or notifications regarding your Account.

Other Information You Provide to Us

We also collect other information you provide to us through the Tidepool Apps. As a Care Team Member, this information will mostly be information or comments about the User or Users that add you using the Tidepool Apps. We use the information you provide for the commenting and other features of the Tidepool Apps. Your User has the ability to delete information or comments you add to their Account at any time. If you choose to, you can upload a photo of yourself to be used as your profile photo.

Your User has the option to donate anonymized data from his or her Account to the Tidepool Anonymized Diabetes Database. If the User donates his or her data, information or data that you add to the User’s Account that does not include personally-identifying information may be included.

Information we collect automatically about you when you use Tidepool Apps

We receive and store certain types of information whenever you interact with Tidepool Apps. We automatically receive and record information on your activity on our server logs, including your IP address, and the app features you access and use. Generally, we automatically collect usage information, such as the number of Users or Care Team Members or the frequency of their app usage, the features of the Tidepool Apps you use, and how Users and Care Team Members interact. We only use this data in aggregate form, that is, as a statistical measure, and not in a manner that would identify you personally. This type of aggregate data enables us to figure out how users use different parts of the Tidepool Apps so that we can improve them.

6.3 What choices do I have about the use of my information?

Your User owns all content you generate on their Accounts and you have no control over that information. However, you can delete or change other personal information.

Change Your Information

You can change the contact information you provided when you registered by going to Account Settings.

Cancel Your Account

You can also cancel your Account at any time. Upon cancellation, we will delete your Account information but not information or comments you have added to any User Accounts.

Email Communications

You can choose to stop receiving marketing or informational emails from us by clicking the “unsubscribe” link at the bottom of any such email.

Corporate Events

If Tidepool is involved in a merger, acquisition, sale, or other disposition of all or a substantial portion of its assets, you will be notified via email of any change in ownership and any choices you can make about your personal information.

6.4 How old do Tidepool App Care Team users need to be?

You must be 13 or older to register with Tidepool Apps as a Care Team Member. If you are at least 13 but are under the age of 18, you may only register with and use Tidepool Apps with your parent’s or legal guardian’s express prior consent. If you are a parent or legal guardian who has consented to the use of Tidepool Apps by a person between the ages of 13 and 18, you are fully responsible for that person’s use of Tidepool Apps and agree to be bound by the terms of this Privacy Policy. If we discover that a person under 13 has registered as a Care Team Member, we will delete the person’s account.

6.5 How do I invite others to use Tidepool Apps?

If you would like to invite someone to become a User of any Tidepool App, we’ll ask you for the person’s email address for the sole purpose of sending an invitation.


Privacy Policy – Additional Terms for Users and Care Team Members

The following additional terms apply to both Users and Care Team Members.

7. Frequently Asked Questions

7.1 Are there any territorial restrictions for using Tidepool Apps?

At this time, Tidepool Apps are only intended for use in the United States.

7.2 Do any third party service providers have access to my information?

We may employ independent companies or other third parties and individuals to help us provide, facilitate or improve the Tidepool Apps (such as customer service support or data hosting). These service providers may have access to your personal information and data as necessary to perform their services for Tidepool.

7.3 When might Tidepool have to disclose my information?

Other than sharing you have agreed to, we will only disclose personal information or data in the following limited circumstances relating to abuse or misuse of the Tidepool Apps or legal process.

(1) If Tidepool believes you’ve misused or abused the Tidepool Apps or the personal information of any User or Care Team Member, or attempted to interfere with or harm the Tidepool Apps, we will investigate and cooperate with appropriate law enforcement, including, if necessary or appropriate, by disclosing your name, registration information or IP address and any other relevant information, to protect our rights or property, or those of our Users, Care Team Members, and others. We will cooperate fully with any legal process or criminal investigation into the misuse or abuse of the Tidepool Apps.

(2) We may disclose your information or data as required by law to comply with a subpoena or similar legal process or government request, or when we believe in good faith that disclosure is legally required or otherwise necessary to protect our rights and property, or the rights, property or safety of our Users, Care Team Members, or others.

(3) If under HIPAA we act as the business associate of an institution or other health care provider of which the User is a patient, we may disclose your information to that institution or other provider if you have authorized such disclosure.

Where your personal information and data has been requested by any governmental entity or other third party pursuant to subpoena or similar legal process, we will notify you as quickly as practicable before providing any such information, unless we are legally prohibited from doing so or we believe in good faith that disclosure is or may be necessary to protect life, avoid serious physical injury or property loss or damage, or to prevent or investigate an ongoing crime.

7.4 How long does Tidepool keep my information?

Tidepool will retain your Account and related information on your behalf as long as needed to support your use of the Tidepool Apps and comply as necessary with our legal obligations, resolve disputes, and enforce our agreements. We may delete your Account due to inactivity, but we will notify you by email prior to doing so and give you a reasonable opportunity to either transfer your data or begin active use of your Account again.

7.5 How does Tidepool secure my information?

To help protect the privacy of personal information and data you transmit using Tidepool Apps, we use technology designed to encrypt your personal information and data before it is sent to us over the internet. In addition, we take steps to protect the personal information and data that you provide us against unauthorized access. However, the software, hardware and networks that support the Tidepool Apps may, from time to time, require maintenance or experience problems or breaches of security beyond our control.

Please also be aware that despite our best intentions and the guidelines outlined in this Privacy and Data Policy, no data transmission over the internet or encryption method can be guaranteed to be 100% secure. Tidepool cannot guarantee the security of the information you provide us, and therefore you use Tidepool Apps at your own risk.

While we take steps to protect your personal information and data and keep it secure, you also play a role in protecting your information. You can help to maintain the security of this information by not sharing your account information and password with anyone and by preventing unauthorized use of your mobile device.

7.6 What about my privacy rights in California?

We act in accordance with the principle behind the California “Shine the Light” law, CA Civil Code § 1798.83, which gives consumers the right to know about certain personal information shared with third parties. We will never do that without your express permission, except as described in this Privacy Policy. Under California law, a California resident with whom we have an established relationship has the right to request certain information with respect to the types of personal information that Tidepool has shared with third parties for these purposes, and the identities of those third parties, within the immediately preceding calendar year, subject to certain exceptions. All requests for such information must be in writing and sent to Tidepool at the mailing address set forth below.

7.7 Where can I send questions, comments or suggestions about Tidepool’s privacy practices?

We welcome your questions and feedback and will work to improve our practices based on useful input we receive. Please contact us at privacy@tidepool.org or via mail at:

    Tidepool Project
    Attn: Legal Department
    555 Bryant St., #429
    Palo Alto, CA 94301