The EZTrack for Atopic Dermatitis mobile application (the “Application”) is made available by Genzyme Europe B.V. (“Sanofi”, “we” or “us”), an affiliate of the French parent company Sanofi SA. For this Application, Genzyme Europe B.V. is the Data Controller (as defined below). This Application is a Class I Medical Device as defined in the Medical Device Directive 93/42/EEC.
By “Personal Data” we mean any information relating to an identified or identifiable natural person, as further defined in the General Data Protection Regulation (EU) 2016/679.
By “Data Controller” we mean the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data, as further defined in the General Data Protection Regulation (EU) 2016/679.
2. About the Application
The Application is designed for use outside the clinic or office setting by individual patients with Atopic Dermatitis. The Application is intended to give you a tool to track your symptoms, provide insights into your disease status and educate you about Atopic Dermatitis and other relevant health related topics. Your disease state can be measured with the three (3) scoring tools in the Application.
The Application is designed and intended for use by UK residents who are at least 16 years of age. Children under the age of 16 are prohibited from using this Application. We do not knowingly collect data relating to children under the age of 16.
3. Personal Data processed by using this Application
There is a variety of Personal Data that is processed when you download and use the Application. This Personal Data may be provided by you directly or it may be information that we collect about you and your device from your use of the Application. The types of information that may be processed are listed below.
a. Login information:
b. Health information:
when you use the Application, you may enter information about your health condition or health status in the Application (e.g. daily symptom tracking by taking photos of your skin and assessing severity, itchiness and sleep loss, and skin flare triggers such as weather, air pollutants, food and stress; tracking impact of these symptoms on your daily life by completing the questionnaires or using other scoring tools available in the Application). All of this health information is processed and stored on your device only;
c. Photo, camera, and microphone information:
when you use the Application, the Application allows you to process photo, camera and microphone data. This information is processed with your explicit consent only (i.e. you have to amend the default settings to allow the Application to process this data). All of this information is processed and stored on your device only;
d. Precise real-time location information:
when you use the Application, the Application allows you to process precise information about the location of your mobile device. This information is processed with your explicit consent only (i.e. you have to amend the default settings to allow the Application to process this data); and
e. Connection data:
when you use the Application, any information regarding your connection and access to this App (e.g. type of mobile device used, timestamp of your connection, IP address, screen visited, etc.) will be processed to understand the usage pattern.
Providing any or all of the above information is voluntary. You can decide for yourself which information you want to provide. Once you have decided to provide information, be honest with the information you put into the Application. If you provide wrong information or choose not to provide certain information, that may limit the functionalities of the Application and/or the Application may not give you the right result.
4. Personal Data processed by Sanofi
The Application has a “Support” page that will allow you to submit questions, request technical guidance, or provide comments to an email address.
Sanofi will collect your Personal Data when you send a message to us. We collect any information which you include in your message.
5. Use and Sharing of Personal Data
Use and sharing of the information listed in Section 3
The information listed in Section 3 will be used to enable you to use all the functionalities, features and benefits of the Application. Most of this information is stored only on your device with the exception of the login information. As a result, if you delete the Application or your device is lost, stolen, or upgraded, most of the information in the Application will be lost. In such cases we recommend that you reinstall the Application.
The login information is stored on a qualified 3rd party vendor server in order to manage, reset and recover your user account in case you lose the login information or the device. Sanofi has no access to your login information.
Sanofi will process your login information on the basis of your consent which you will provide when you create an account. Other than as described above, the information listed in Section 3 will not be shared with Sanofi or any third parties.
The Application does however allow you to share the information listed in Section 3, for instance with:
recipients, such as your healthcare provider, via email or printed PDF (e.g. your daily entries (photos, itchiness and sleep loss)); or
other applications on your device (e.g. you may decide to allow the Application to provide notifications, messages, and reminders).
You will be responsible for any personal data you choose to share in this manner; Sanofi will not be responsible for this.
Use and sharing of the information listed in Section 4
We will use the information listed in Section 4 only for the purpose of contacting you and addressing your questions. We will process any Personal Data you provide on the basis that it is necessary for our legitimate interests (to respond to your request).
We may anonymize this information so that it is no longer possible to identify you as an individual and use that anonymized information for any purpose.
We will only share the information listed in Section 4 with our affiliated companies and external service providers we trust. We will not share information about you with other persons or organizations, unless we believe in good faith that this is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, respond to a government request or otherwise exercise our legal rights or defend against legal claims, or when we believe it is necessary to share that kind of information in order to assist in an investigation regarding, or to prevent, illegal activities, suspected fraud, or situations involving potential threats to the safety of any person.
6. Third Party Analytics
When the Application is downloaded and used, we may automatically collect information on the usage of the Application by its users. For instance, what kind of functionalities are used, how long users spend on each page in the Application, how users arrived at the Application and where they downloaded it from. We use this information to analyze the usage of the Application and identify opportunities for further development and optimization of the Application. We also use this to understand the effectiveness of our awareness campaigns for the Application across channels. In general, the (third party) analytical tools (e.g. Google Analytics, Crashlytics) that we use to collect and analyze this kind of information do so without collecting and processing any information that can identify the users of the Application. However, in some instances the tools (e.g. Adjust, Firebase) may collect certain “online identifiers” relating to you or your device, such as your hashed IP address or a mobile identifier. Although this data will not be combined with any other data that identifies you, it is your Personal Data. This information will be shared with the third-party providers of the tools in question, such as Adjust and Firebase, who will only use it for the purposes described above. It may also be shared with the providers of the channels on which we carry out our awareness campaigns for the Application, such as Facebook and Google, but only for the same purposes. However, Sanofi will not have access to this information and it will not be shared with any other persons or organisations. This information will be processed on the basis of the consent you provide when you create an account.
7. International Transfers
Some of our affiliated companies and external service providers may be based outside of the European Economic Area (EEA), such as the United States. This means that information about you may be transferred outside of the EEA to countries that may provide a lower standard of protection for your information. When we transfer information about you outside the EEA, we do so in compliance with applicable data protection laws and will ensure that this information is kept secure and the recipient has an adequate level of security. We will rely on appropriate contracts or suitable safeguards with recipients in countries outside the EEA to ensure this information is properly protected. Please contact us using the details below should you wish to find out more information on the contracts and suitable safeguards.
8. Your Rights and Choices
In accordance with the General Data Protection Regulation, you have the:
Right of access. You may contact us to get confirmation as to whether or not we are processing Personal Data concerning you. Where that is the case, we will inform you about the categories of Personal Data we process, the processing purposes, the categories of recipients to whom Personal Data have been or will be disclosed and the envisaged storage period or criteria to determine that period.
Right to correction. You have the right to have inaccurate or incomplete Personal Data we store about you corrected.
Right to object. In case our processing operations are based on the legitimate interests of Sanofi, you have the right to object at any time to these processing operations. We will then no longer process your Personal Data, unless we demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
Right to restriction of processing. You have the right to ask us to restrict the processing of your Personal Data in specific situations as foreseen by applicable data protection law (e.g. when the accuracy of your Personal Data is contested by you, for a period enabling us to verify the accuracy of your Personal Data).
Right to erasure. You have the right to ask us to erase your Personal Data from our systems if your Personal Data is no longer necessary for the purposes for which it was collected or otherwise processed. Furthermore, you have the right to erasure if you successfully exercise your right to object as described above, unless we have an overriding legitimate ground to not erase the relevant data. We may not immediately be able to erase all residual copies from our servers and backup systems after the active data have been erased. Such copies shall be erased as soon as reasonably possible.
Right to data portability. You have the right to receive your Personal Data in a structured, commonly used and machine-readable format and/or request that we transmit such data to a third party where this is technically feasible. Please note that this right only applies to Personal Data which you have provided to us.
Right to withdraw consent. Where we are relying on consent to process your personal data, you have the right to withdraw your consent at any time. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
You also have the right to file a complaint before your local data protection authority if you believe that Sanofi has processed your Personal Data unlawfully. In the UK this is the Information Commissioner’s Office (www.ico.org).
9. Data Retention
The information listed in Section 3 above will only be stored on your device (with the exception of your login information, as described in Section 5 above). This information will be retained until you delete it or delete the Application. Your login information will be retained until you delete your account. If you do not use your account for 12 months, we will automatically delete your account.
The information listed in Section 4 above and the third party analytics information listed in Section 6 above will not be kept in an identifiable form for longer than necessary. We determine the retention period of this information on the basis of the following criteria: (a) the purpose for which we use the information: we keep the information as long as necessary for that purpose; and (b) legal obligations: various laws and regulations impose minimum retention periods we are obliged to comply with.
We are concerned about safeguarding your Personal Data against unauthorized access, use and loss. We have appropriate administrative, technical, and physical measures in place to safeguard your login information as well as the information specified in Sections 4 and 6 above.
The information listed in Section 3 (with the exception of your login information, as described in Section 5 above) is stored on your mobile device only and keeping that information secure is your responsibility. Please consult your device’s documentation on how to manage local storage and how to apply appropriate security controls to the device for the protection of such information. We urge you to use caution when storing information in the Application or transmitting information over the Internet, especially information related to your health. Please keep your login details confidential. Please be aware that, although we endeavor to provide reasonable security as part of the functioning of the Application, no security system can prevent all potential security breaches.
11. Third Party Sites and Services
The Application may contain links to websites, other apps and other online services operated by third parties that are not under our control. We are not responsible for the collection, use, and disclosure of your Personal Data on those websites, apps and other online services by those third parties. We encourage you to review the privacy policies of each website, app and other online services you visit before you submit any Personal Data.
13. Contact and Questions
In order to exercise the above mentioned rights, or if you have any questions about our privacy practices or our use or disclosure of your Personal Data while using the Application, please contact our Privacy Officer at:
Genzyme Europe B.V.
1105 BP Amsterdam
+31 (0)20 245 4000