Last updated on Nov 10, 2023
We at the ThyForLife group i.e. ThyForLife Health Inc and its subsidiaries, (“ThyForLife”, “we”, “us”, or “our”) are committed to protecting the privacy and security of your personal information. Your privacy is important to us and maintaining your trust is paramount.
1. Who we are
1.2 The Services
Delivered in the form of an application (the “App”), ThyForLife is a thyroid tracker with multiple functions and tools for tracking medication, bloodwork, and symptoms. There is also a website and social media pages where ThyForLife is presented.
2. The Personal Data we process about you
ThyForLife may process the following kinds of personal data about you (collectively referred to as “Personal Data”):
Account data –
includes registration date, payment plan and whether you have an active subscription or not
Contact data –
includes address, billing address, delivery address, email address and telephone number
Device data –
includes device identifier, your mobile operating system, the type of mobile browser you use and time zone setting
IP data –
includes your approximate position based on your IP address
Identity data –
includes first name, last name, username and date of birth
Marketing data –
includes your preferences in receiving marketing from us
Profile data –
includes your feedback and survey responses
Sensitive data –
includes health data, referred to as special categories of Personal Data as defined in article 9 of the European Union’s General Data Protection Regulation (“GDPR”), such as information on your personal thyroid health (bloodwork information, weight, thyroid condition, symptoms, medication, supplements, health records, prescriptions, ultrasound reports, medical tests, etc.) and personal notes
Transaction data –
includes details about purchases and payments, but excluding bank account and full payment card details (we do however receive card expiration date and some payment card digits from our payment service providers in order to allow access to the App)
Usage data –
includes details of your use of the Services, such as traffic data and the features that you access
User data –
includes data provided by you when setting up an account with ThyForLife and using the App, such as Contact, Identity, Marketing and Sensitive Data as well as other Personal Data that you may provide in connection with such use
3. How we collect your personal data
ThyForLife may process the following kinds of personal data about you (collectively referred to as “Personal Data”):
3.1 Information you give us
ThyForLife processes Personal Data provided by you when registering for an account, signing up for a subscription, and using the App, using our social media platforms, answering surveys, contacting our customer support or otherwise corresponding or interacting with us and our Services
You can choose to connect the App to other sources of health data. We will then collect personal data that you share with us from the source/sources of your choice.
When signing up for the App, you will be requested to consent to our use of your Sensitive Data (please note that you will need to consent in order for the App to work). You have the right to withdraw your consent at any time by changing the setting in the App, permanently deleting your account directly in the App or by contacting us at firstname.lastname@example.org. If you provide sensitive data to us by other means than the app – for example via support – contact us for further action.
It is important that the Personal Data we hold about you is accurate and current. Please keep us informed if your Personal Data changes during our relationship with you
3.2 Information we automatically collect about you and your device
3.3 Information we receive from suppliers
We receive Device and Usage Data about you from analytics providers such as Google Analytics and Transaction and Contact Data from our payment service providers.
4. How we use your Personal Data
4.1 To enable and provide the Services
It follows from the nature of our Services that we must process such Personal Data that you add to the Services to enable and provide them. This includes to administer the Services and our relationship with you, to calculate and analyze your medical data, to secure the quality and develop the Services and to communicate and provide customer support, as further explained below. Consent for processing sensitive personal data must be obtained in order for the app to work.
4.1.2 To administer the Services and our relationship with you
We use your User and IT Data to administer the Services and our relationship with you. This includes setting up your account for the App, troubleshooting, system testing as well as notifying you of changes to the Services or technical issues and reaching out to you via in-app messages to ensure your correct and optimal use of the App.
Contract, Consent, Legitimate interest in running the business, provide and ensure the proper function and use of the Services.
4.1.3 To secure the quality and develop the Services
We process your User, Usage and Account Data to monitor and analyze how our customers engage and interact with the Services so that we can secure the quality and develop the Services to better align them with your usage patterns and preferences. While we have access to Personal Data for the purpose of analytics, the results are aggregated and stripped of any Personal Data.
We may also contact and enable you to complete surveys. We use the Profile Data from these surveys to better understand how we can improve your user experience.
Contract, Consent, Legitimate interest to analyze how our customers use the Services and to develop and improve them
4.1.4 To communicate with you and provide customer support
We will process Personal Data that you provide in inquiries to our customer support, on our social media channels or through contact forms provided by us at congresses and events, for the purpose of communicating with you and act on complaints. What type of Personal Data we collect for this purpose depends on the nature of your inquiry. If you are a User, our support agents may request access to your User Data if necessary to appropriately respond to your inquiry. Such access is subject to strict access controls and security measures to protect your integrity
When you interact with us publicly on our social media channels, ensure that you do not submit any Personal Data that you do not want to be seen by other people. We recommend that you also read through the privacy policies of such platforms
Contract, Consent, Legitimate interest to respond to your inquiries, as far as Personal Data is processed to communicate with you on matters that are not related to your agreement with us
4.2 To process purchases and deliver the Services
We use your Identity, Contact, Transaction, IP Data and Account Data to process purchases and manage the delivery of products from the Webshop and subscriptions. This includes logistics, preventing fraudulent payments and contacting you regarding
4.3 To conduct research
Thyroid patients’ health is important to ThyForLife and we invest in scientific research in order to advance the global understanding of thyroid diseases. We also conduct research for the purpose of evaluating the effectiveness and suitability of the App for different user groups.
We use the results of our research to communicate the benefits and limitations of ThyForLife to healthcare professionals. All our published research could be subjected to independent peer-review and has ethical approval from the relevant professional bodies where required.
If we have your consent, we will use your User Data and other Personal Data that you may provide, in pseudonymized or anonymized form (see the Glossary for more information on pseudonymization), for scientific studies, scientific articles and other research purposes as may be disclosed when your Personal Data is collected. However, Personal Data is anonymized and aggregated before any such publications are shared outside of ThyForLife. We may also contact you with requests to participate in specific research projects run by us or our business partners.
ThyForLife may also contribute to research carried out by selected universities, institutions and other parties by sharing anonymized and minimized data with them. For the avoidance of doubt, we do not share any Personal Data with such external parties.
Finally, we may analyze sensitive data in order to publicly share insights learned from aggregated data with the purpose of increasing the public knowledge and understanding of thyroid diseases management. This kind of publication is always based on aggregated anonymized data and as such doesn’t contain any personal information.
5.1 Marketing Communication
Legitimate interest to market ourselves and our Services.
5.2 Social media marketing – custom audiences, lookalike audiences and advertising
We use tools that help us identify and reach out to existing and new customers, by matching cookies, device identifiers and hashed (a pseudonymisation technique) email addresses of people who have been using our Services with people on social media platforms to create so called “Custom Audiences” (this enables us to send targeted ads to people who have been using our Services), and “Lookalike Audiences” (this enables us to send targeted ads to people who have similar traits to our Custom Audience). The social media platforms will not share the hashed email address with third parties or other advertisers and will delete it promptly after the match process is complete. Please note that we do not share any Sensitive Data or group users based on sensitive data for the purpose of Custom and Lookalike Audiences
Legitimate interest to market ourselves and our Services
5.3 Surveys and interviews
You may also be contacted and enabled to complete surveys or take part in interviews for marketing purposes. We will process the Profile Data that you provide in such surveys and interviews to analyze user preferences, improve and assess the effectiveness of marketing activities, use as marketing material or other promotional purposes as disclosed when your Personal Data is collected
5.4 Marketing opt-out
You always have the right to opt-out of receiving marketing communication or having your data being processed to identify Custom and Lookalike Audiences from us by opting out, by adjusting your settings in the App or contacting us at email@example.com
6. How long we keep your Personal Data
7. Disclosures of your Personal Data
ThyForLife never sell your Personal Data and we conduct extensive assessments before engaging any processor to ensure that they have appropriate technical and organizational measures in place that provide adequate protection of your Personal Data. Anyone who is processing Personal Data on our behalf is bound by contractual obligations to keep Personal Data confidential and secure, and to use it only for the purposes as instructed by us.
ThyForLife may share your Personal Data:
7.2 Payment service providers
We do not process your financial data such as bank account and full credit card number. That information is provided directly to our payment service providers. Our payment service providers are themselves responsible for the processing of your personal data which means that you will be requested to enter into separate agreements directly with them. The personal data you provide to them will be stored in accordance with their privacy policies, which we recommend you to read carefully.
Any payment transactions carried out by our payment service providers are encrypted and subject to compliance with the Payment Card Industry Security Standard (“PCI DSS”) regulations. PCI DSS requirements help ensure the secure handling of payment information.
7.3 International transfer
Your Personal Data may be transferred and processed in countries outside the EU/EEA where ThyForLife’ affiliates or service
providers are located. Such international transfers are carried out in accordance with applicable laws and are subject to at least one of the following safeguards to protect your Personal Data:
The recipient country has been deemed to provide an adequate level of protection for personal data by the European Commission.
We have entered into model contracts approved by the European Commission which give personal data the same protection it has
in Europe. If your Personal Data is processed in the United States, it may also be subject to protection by federal and state
regulations, as well as agency policy and guidance by the Federal Trade Commission.
8. How we protect your Personal Data
9. Third party links
10. Your rights in relation to your Personal Data
10.1 Your rights
You have the right to: request access to and information about your Personal Data that is being processed by us, request correction of your personal data if it is inaccurate or incomplete, including to provide additional data if relevant information is missing, request
erasure of your Personal Data, object to our processing of your Personal Data (i) if the processing is based on our legitimate interest,
or (ii) for direct marketing purposes, request that we restrict the processing of all or some of your Personal Data in certain situations
and to ask us not to send you any direct marketing, and request a copy of your Personal Data in a structured, commonly used and machine readable format and that we transfer your personal data to another controller.
10.2 How to exercise your rights
You may contact us in writing at any time to exercise your rights, preferably using the email address that is associated with your user account. Your account also has a Unique ID number that you can use to communicate with us, so we do not have to use any of your personal data when troubleshooting your account. We use a Firebase installation ID (FID) or a privately stored GUID whenever possible as Android identifiers as a way to anonymize your account. We may need to request specific information from
you to help us confirm your identity.
We do our best to respond to your request within a few days, and at least within one (1) month. If the request is complicated or if we have received a large number of requests, we may need to prolong our response time with one (1) additional month.
You can exercise your rights at no cost to you. However, we may charge you a reasonable fee if your request is clearly unfounded, repetitive or excessive.
Our Services are subject to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). While we maintain and use Personal Data, we are not a “Covered Entity” or “Business Associate” as defined by HIPAA.
12. California Residents
We permit residents of California to use our Services. Therefore, it is our intent to comply with the California Business and Professions Code 22575-22579 and the California Consumer Privacy Act of 2018 (“CCPA”). If you are a California resident you may request certain information regarding our disclosure of Personal Information to any third parties for their direct marketing purposes. In summary, you must presume that we collect electronic information from all visitors. You may contact us either at firstname.lastname@example.org with any questions or to exercise your rights as a California Resident.
Only you or a person registered with the California Secretary of State that you authorize to act on your behalf, may make a verifiable consumer request related to your personal information. You may only make a verifiable consumer request for access or data portability twice within a 12-month period. The verifiable consumer request must:
Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative. Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it. Personal Information under the CCPA does not include: Publicly available information from government records. De-identified or aggregated consumer information. Information excluded from the CCPA’s scope, such as: Health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data. Financial Information covered by the Gramm-Leach-Bliley Act, and implementing regulations.
12.1 Response Timing and Format
We endeavor to respond to a verifiable consumer request within 45 days of its receipt. If we require more time (up to 90 days), we
will inform you of the reason and extension period in writing. If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option. Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request’s receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable.
We will not discriminate against you for exercising any of your CCPA rights. We will not: Deny you goods or services. Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties. Provide
you a different level or quality of goods or services. Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.
We also advise you to take precautionary steps to ensure that the privacy of your data is maintained. Always be responsible for ensuring that no one can see or have access to your personal accounts and login username and password information. If you are using a public computer, such as a library or university, or a shared system, remember to always log out of the ThyForLife Application or Services. When you use the ThyForLife Application or Services through your employer’s computer or a mobile device owned by your employer or through an internet café, library or other internet link that is potentially insecure, then you use it at your risk.
14. Changes to the Policy
Anonymized data – means that the identifying information is irreversibly removed so that an individual is not identifiable. Anonymized
data is not Personal Data.
App – ThyForLife’s mobile application
Consent – means that you have expressed your agreement to our processing of your personal data for a specific purpose by a statement or clear opt-in. You can withdraw your consent at any time by changing your settings in the App, contacting us at email@example.com or following the instructions provided when the consent was collected.
Legal obligation – means that the processing of your Personal Data is necessary for compliance with a legal obligation that we are bound by, e.g. medical device regulations or accounting laws.
Legitimate interest – means that we assess that we have a legitimate interest in conducting and managing our business that, considering and balancing any potential impact on you and your rights, we do not consider are overridden by the impact on you. Please contact us if you would like to know more about how we have conducted this balance of interest.
Minimized data – means that only the minimal amount of data needed for a certain kind of processing is included.
Pseudonymized data – means that identifying information is replaced with something else so that additional information is needed to re-identify an individual. Pseudonymization is a security measure.