This privacy notice (“policy”) (together with our Terms, which can be accessed at https://tesuhealth.com/terms-of-use/, and any other documents referred to in it) explains how we will process your personal information obtained through your access to our online and mobile services, including but not limited to tesuhealth.com, prediawell.com and all associated subdomains (the “website”) and the PreDiaWell® mobile application (the “app”), and through other interactions with you (e.g., marketing activities and networking events).
It also covers other situations where we process personal data that is not covered by other notices, such as the personal data of our corporate partners and of associated parties or organisations we work with.
Through use of the website and app (the “services”), registered users can access our online and mobile services, which allow users to set up accounts for one or more repeat sessions. It is important that you read this privacy notice, together with any just-in-time privacy notices we may provide elsewhere on our website and app, so that you are fully aware of how and why we are using your data, and what data protection rights you have.
Your use of our website or app will constitute your acknowledgement of the terms of our privacy policy.
Updates
We keep the policy under regular review and make amendments to it whenever needed. Please check regularly for updates.
Last revised date: 01 October 2024.
Version: 2.0
We also continuously review and update our policy to reflect changes in our data practices. Should there be any changes in the purpose for which we collect and use your personal data, we will update our policy accordingly and may re-obtain your consent if required by law. Please visit our website regularly for the latest updates.
About Tesu Health
When we say “we“, “us” or “our” in this policy, we mean Tesu Health Ltd, a company incorporated and registered in England and Wales with company number 15275028 and whose registered office is at 9 Hills Road, Cambridge, England, CB2 1GE.
For the purposes of the Data Protection Legislation, we are registered with the UK Information Commissioner’s Office as a Data Controller (Reg No. ZB724452). This means that we are responsible for deciding how we hold and use personal information about you.
What do we do?
PreDiaWell® is a digital therapeutic software application intended to be used by adult patients diagnosed with prediabetes, to develop lifestyle changes for the treatment of prediabetes. PreDiaWell® uses a cognitive behavioural approach, with tasks such as daily nutrition and physical activity goals. PreDiaWell® also provides educational material on demand. The app is available in both the iOS and Android app stores. PreDiaWell® does not interpret or make decisions on the data it conveys, nor is it intended to provide automated treatment decisions or to be used as a substitute for professional judgement. All medical diagnosis and treatment are to be performed under the supervision and oversight of an appropriate healthcare professional. Your healthcare professional should be informed of any change to your medication and of any newly diagnosed medical condition.
Who can use PreDiaWell®?
The PreDiaWell® app and services are available only to users above 18 years of age.
If you have any knowledge of a child accessing the app, please report it by emailing support@tesuhealth.com.
What data do we collect, and how do we process it?
We use your personal data only for the purposes we collected it for. We will use it for another reason only if it is aligned with the original purpose. We may process your personal data on multiple legal grounds, depending on the specific purpose for which we use your data. If required or permitted by law, we may process your personal data without your knowledge and consent.
We may collect, use, store and transfer different kinds of personal data which we have grouped together as follows:
Data Parameters | Source | Reason for Collection |
Personal Identifiers – Name – Surname – Phone Number | Provided by the user and/or the treating physician | To create a user account, to provide the appropriate content, to provide better services, to support your inquiries, to provide and improve customer support services. |
Other Personal Information – Gender – Age – Height – Weight | Provided by the user and/or the treating physician | To create a user account, to better understand the demography to provide the appropriate content, to provide a better therapy experience, to provide personalised care. |
Technical Data – Internet protocol (IP) address – Browser type and version – Time zone (setting) | From the device | To better understand app usage and issues and to provide relevant features and security updates. |
Physical Activity Data – Exercise volume – Step count – Activity duration | Provided by the user, from the device, connected devices | To provide users with personalised reminders, notifications, suggestions and content, to improve their interaction quality, for basic analytics-related studies that help us improve app features. |
Communication Data – Your Inquiries (Submitted through App/ Website) – Any other communication through email (or any other medium) | Provided by the user | To better serve your queries. To improve customer services. |
Usage Patterns – Screen Time – App/Website Navigation – Login Time – Time Active | From the device | To provide users with personalised reminders, notifications, suggestions and content |
How are we processing your data?
Personal identifiers are used only for the basic functioning of the app. They will never be used for marketing.
No personal behavioural profile is generated, and your data will never be used for marketing.
Do we collect aggregate data?
We may also collect, use and share anonymised, aggregated data such as statistical or demographic data. Anonymised data may be derived from your personal data but is not considered personal information in law, as this information does not directly or indirectly reveal your identity. For example, we may aggregate information on how you use our website and/or app to calculate the percentage of users accessing a specific website and/or app feature.
Failure to provide personal data: Where we need to collect personal data by law, or for the provision of services, and you fail to provide that data when requested, we may not be able to carry out or provide you with our services. We will notify you at the time if this is the case.
How does Tesu Health use data?
We must have a legal basis to process each bit of your personal data. The type of basis will vary based on the type of data, parties involved, etc. There is a list of possible lawful bases in the UK GDPR. You can find out more about lawful bases on the Information Commissioner’s Office (ICO)’s website. The legal bases relied upon in processing of your personal data are:
- Consent (Article 6(1)(a) UK GDPR)
- Performance of a contract (Article 6(1)(b) UK GDPR)
- Legal obligation (Article 6(1)(c) UK GDPR)
- Legitimate interests (Article 6(1)(f) UK GDPR)
For clarity, these legal bases are explained in more detail here:
- Consent – we have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object. To be clear, you do have the right to withdraw your consent at any time.
- Performance of a contract – we have to collect or use the information so we can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object.
- Legal obligation – we have to collect or use your information so we can comply with the law. All of your data protection rights may apply, except the right to erasure, the right to object and the right to data portability.
- Legitimate interests – we have a legitimate interest in using your personal information. In particular, we have a legitimate interest in using your personal information for product development and internal analytics purposes, and otherwise to improve the safety, security, and performance of our services. We only rely on our legitimate interests to process your personal information when these interests are not overridden by your rights and interests.
We follow the “Data minimisation” principle, which means we limit the collection of personal information to what is directly relevant and necessary to accomplish the stated purpose. We retain that data only for as long as is required to fulfil that purpose.
Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.
Cookies: You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of this website may become inaccessible or not function properly. PreDiaWell® app on the other hand, does not use cookies. For more information about the cookies we use, please see our Cookie Policy at https://tesuhealth.com/cookie-policy-uk/.
How do we share your data with third parties?
To be able to provide our services, we use third-party suppliers to store and process your data. We evaluate each service provider’s security and privacy practices. We strictly require compliance with confidentiality and non-disclosure obligations, as well as applicable laws and regulations, including data protection laws. We also require that they, or their own providers (fourth parties), access your information only to the extent necessary to perform the tasks on our behalf. We use the following third-party service providers.
Cloud service providers
To provide the service, we collect, transfer and store your data on secure servers provided by our authorised cloud service providers. We maintain a Data Processing Agreement (DPA) incorporating Standard Contractual Clauses (SCCs) with each of our cloud service providers. We use Microsoft Azure Services (Azure) and OVH Cloud Services as our cloud service providers.
Other service providers
Service Providers | Purpose & Other Details |
Firebase, Google Analytics | To analyse app event data. Only pseudonymised user identifiers are shared along with the event data. User conversations and personal information are not shared. All event data is encrypted, so no medical profiles get created by the analytics providers. No data is used for any direct advertising or direct marketing. The use of Google Analytics is governed by the Google Data Policy and Privacy Policy. Events automatically collected by Firebase can be found here. Our use of Firebase is subject to the Firebase Terms of Service, Acceptable Use Policy, and Crashlytics Terms of Service. We maintain data processing agreements (DPAs) with SCCs with these service providers. |
Microsoft 365 | We use Microsoft 365 to provide our corporate email service and to store information received from our clients and end users in OneDrive. We maintain a DPA with SCCs with Microsoft 365. |
Cloudflare | We use Cloudflare for CDN and DDoS protection. Cloudflare helps us serve you securely and efficiently. To provide these services Cloudflare accesses your IP address. Cloudflare may access and process your browser and operating system information for logging and abuse prevention purposes. Read Cloudflare’s Terms of Service, Privacy Policy, and GDPR Compliance to learn more about how they process your data. We maintain a DPA with SCCs with Cloudflare. |
How do we share your data with your GP?
We may share your personal data (including sensitive personal data) with the GP who provides treatment to you. We do this so that they can provide you with healthcare services and maintain a complete and accurate record of your health.
Once you have consented to share your data with your GP, your personal and health data is shared with that GP for direct care purposes. GPs process this data under the lawful basis of UK GDPR Article 6(1)(e) (‘public task’) and will usually meet the conditions of UK GDPR Article 9(2)(h). This means that the GP does not need your consent to use, store or process your personal data, including any sensitive personal data.
Personal data which the GP receives may be included in, and form part of, your medical record. The GP will be the data controller for all personal data held by it outside of our system and will process your personal data on the lawful basis of Public Task.
Further information about how your GP uses your personal data can be found in your GP’s Privacy Policy, this can usually be found on the GP’s website or is obtainable from your GP.
Should you have any questions regarding how data is shared with your GP, please enquire via email to our Data Protection Officer (DPO): privacy@tesuhealth.com.
We will not share your personal data with third parties without your consent unless instructed to do so by your GP.
Should you become aware of any unauthorised person accessing the app or providing personal data through it, please let us know immediately at: privacy@tesuhealth.com.
How do we handle your data when used for research and analytics purposes?
We use the minimum required data for research purposes and aggregated data for publications. This helps us improve our products and services and contribute to user-centred care best practices around the world.
You can always write to us at research@tesuhealth.com to restrict the processing of your data and to opt out of its use for research purposes.
Your use of third party weblinks
The website(s) may contain links to third-party websites and resources. Clicking on these links may allow third parties to collect or share information about you. We do not control these third-party websites and are not responsible for their privacy policies. We encourage you to read the privacy policy and terms of use of any external site you access.
How secure is your data?
We have appropriate security measures in place to prevent personal data from being accidentally lost, or used or accessed unlawfully. We limit access to your personal data to those who have a genuine business need to access it.
Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality. We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
Article 33 of the UK GDPR (“Notification of a personal data breach to the supervisory authority”, mirrored in Article 33 of the EU GDPR) requires us to notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms. In line with this and the Data Protection Act 2018 (UK), we will report qualifying personal data breaches to the Information Commissioner’s Office within 72 hours, and where a breach is likely to result in a high risk to you we will also inform you directly.
The security of your data is important to us. We have implemented adequate technical and organisational safeguards to protect your data.
- Encryption
- We use TLS (the successor to the now-deprecated SSL protocols) to encrypt data in transit
- We use AES-256 encryption to protect data at rest
- Our systems are secured with role-based access control, strong passwords and multi-factor authentication
- We maintain and frequently review data processing agreements with our service providers.
- Regular security awareness training is provided to our staff.
- We regularly perform security penetration tests of our app, website and infrastructure.
- PreDiaWell® App is registered with UK MHRA as a UKCA-marked Class I medical device.
- Tesu Health Ltd complies with the requirements of the Cyber Essentials scheme and has been issued a certificate.
No method of electronic transmission or data storage is perfect or inviolable. We will do our best to protect your personal information, but we cannot guarantee its absolute security. We also need your help to keep your data secure: do not copy conversations or data from the app and share them with strangers.
Data retention
We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or possible litigation.
To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.
By law we have to keep basic information about our clients (including contact, identity, financial and transaction data) for six years after they cease being our customer. In some circumstances we will anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.
Right to withdraw consent
You have the right to withdraw your consent to the use of your personal data at any time. To exercise this right, please notify our Data Protection Officer at privacy@tesuhealth.com. Upon receiving your request, we will cease processing your data for the purposes you originally consented to, unless otherwise required by law. Withdrawing consent does not affect the lawfulness of processing carried out before the withdrawal.
Data deletion
We delete data by overwriting it or by cryptographic erasure (destroying the encryption keys under which the data was stored, leaving the ciphertext unreadable). These methods comply with current industry standards for media sanitisation and ensure user data safety.
Data deletion following an erasure request (the right to be forgotten): any deletion carried out in response to a data erasure request is irreversible, as the data is deleted from all copies, including backups.
How to complain
If you have any concerns about our use of your personal data, you can make a complaint to us e-mailing our DPO: privacy@tesuhealth.com.
If you remain unhappy with how we’ve used your data after raising a complaint with us, you can also complain to the Information Commissioner’s Office (ICO).
The ICO’s address:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Helpline number: 0303 123 1113
Website: https://www.ico.org.uk/make-a-complaint
Data protection rights
Under data protection legislation, data subjects have the following rights with regards to their personal information. You can find out more about your data protection rights and the exemptions which may apply on the Information Commissioner’s Office (ICO)’s website:
- Your right of access – You have the right to ask us for copies of your personal information. You can request other information such as details about where we get personal information from and who we share personal information with. There are some exemptions which means you may not receive all the information you ask for.
- Your right to rectification – You have the right to ask us to correct personal information you think is inaccurate, or to complete personal information you think is incomplete.
- Your right to erasure – You have the right to ask us to delete your personal information.
- Your right to restriction of processing – You have the right to ask us to limit how we can use your personal information.
- Your right to object to processing – You have the right to object to the processing of your personal data.
- Your right to data portability – You have the right to ask that we transfer the personal information you gave us to another organisation, or to you.
- Your right to withdraw consent – When we use consent as our lawful basis you have the right to withdraw your consent at any time.
You can exercise these rights free of charge, unless your request is manifestly unfounded or excessive (in which case we may charge a reasonable administrative fee or refuse to respond to the request).
To make a data protection rights request, please e-mail our Data Protection Officer: privacy@tesuhealth.com.
What may we need from you?
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
Time limit to respond: We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month (but no longer than two months) if your request is particularly complex or you have made several requests. In this case, we will notify you and keep you updated.
How to contact us with additional questions, comments or concerns
We have appointed a Data Protection Officer (DPO) to handle questions about this privacy policy. If you have any questions about this privacy policy, or a request to exercise your legal rights, please contact our Data Protection Officer using the details provided below.
Full name of legal entity: Tesu Health Ltd
Name of DPO: Gurkan Caner Birer
Email address: privacy@tesuhealth.com
Postal address: 9 Hills Road, Cambridge, England, CB2 1GE