Privacy Policy
GDm-Health and DBm-Health
Huma Therapeutics Limited
Table of Contents
Introduction
  The GDm-Health Application
  The DBm-Health Application
If you are a Healthcare Patient…
  1. Purpose
    The GDm-Health App
    The DBm-Health App
  2. The data we collect and process about you
    The GDm-Health App
    The DBm-Health App
If you are a Healthcare Provider…
  1. Purpose
  2. The data we collect and process about you
Patient and Healthcare Provider
  1. Legal Basis
  2. Change of Purpose
  3. External Third-Parties
  4. International Transfers
  5. Data Retention
  6. Your rights
  7. Data security and hosting
  8. Who we are and contact details
  9. Changes to this Privacy Policy
  10. Agreement to this Privacy Policy
Introduction
Huma is committed to ensuring that we are transparent about our data practices, and
protecting your personal data. The following information explains who we are, the personal
information we collect, how we use it, and your rights in respect to it. When you use Huma,
you trust us with your sensitive health information. We are committed to keeping that trust.
Huma Therapeutics Limited (“Huma”, “we” or “us”) acts as a Data Processor in connection with
its processing of patient and healthcare provider data in respect of the delivery of the services
provided by the GDm-Health application and DBm-Health application (the “GDm-Health App”
or “DBm-Health App”, together referred to as the “Apps”), and in respect of the instructions
received from the healthcare provider. Huma provides certain services to NHS Trusts and Health
Boards to support the delivery of patient care to patients at risk of gestational diabetes during
pregnancy.
The “Healthcare Provider” acts as a Data Controller in connection to the patient’s Personal
Data processed, with Huma providing a tool to facilitate the Data Controller’s patient care and
treatment decisions. If you are a patient, your Healthcare Provider may act as a Data Controller
in connection with your Personal Data.
💡
If you have any questions about how your data is used for this purpose,
please contact your Healthcare Provider. Your Healthcare Provider may
provide you with their own privacy notice.
In this Privacy Policy, we provide you with information about the collection, use, transfer and
other processing of your Personal Data in connection with the Apps. Please note that in addition
to this Privacy Policy, the collection and use of your Personal Data will be subject to any
applicable privacy policies and disclosures of your Healthcare Provider as the Data Controller.
The GDm-Health Application
This privacy notice applies to the GDm-Health App. The App is a remote mobile communication
system to support patients with diabetes in pregnancy including gestational diabetes mellitus
(GDM); a condition which results in high blood sugar levels in women who are pregnant. This
application is suitable for users aged 16 and above.
The primary purpose of the GDm-Health App is to enable patients and clinicians to remotely
monitor blood glucose (BG) levels and to provide a bi-directional communication system
between the patient and their clinician. The intended benefits of using GDm-Health are to
improve the patient’s control of their blood glucose levels and thus reduce the number of visits
to clinics alongside improving outcomes for mother and baby.
The GDm-Health system consists of:
• a smartphone ‘app’ (application) available on both iOS and Android platforms which can
  connect to a blood glucose monitoring device via Bluetooth in order to communicate
  blood glucose readings to the patient app
• a server-side platform hosting a ‘web-app’ (web-based application) which connects to a
  database for clinicians to use.
The DBm-Health Application
This privacy notice applies to the DBm-Health App. DBm-Health is a mobile communication
system to support patients with diabetes; pre-diabetes and populations who require remote
monitoring to facilitate management by their clinicians. This application is suitable for users
aged 16 and above.
The purpose of the DBm-Health App is to enable patients and their clinicians to develop a
personalised care plan comprising lifestyle advice, treatment and clear targets for blood glucose
control. Patients can input their blood glucose readings into the app either directly or via a
compatible Bluetooth glucose meter, as well as other relevant data such as when any blood
glucose measurements were taken (e.g. before or after a meal, what they have eaten), which is
sent to their clinician in an easy-to-read format so they can:
• See individual blood glucose readings
• Identify patients whose glucose readings are out of range, allowing targeted support
• Filter patient lists to help prioritise interventions
• Message patients via the app or by text message
The DBm-Health system consists of:
• a smartphone ‘app’ (application) available on both iOS and Android platforms which can
  connect to a blood glucose monitoring device via Bluetooth in order to communicate
  blood glucose readings to the patient app
• a server-side platform hosting a ‘web-app’ (web-based application) which connects to a
  database for clinicians to use.
If you are a Healthcare Patient…
1. Purpose
These Apps help you share information relating to your health, your condition and how it affects
you with your Healthcare Provider. It also helps your Healthcare Provider interpret that
information and share their recommendations and treatment options with you.
The GDm-Health App
• The GDm-Health App allows you to enter blood glucose readings and record extra
  information about your reading (e.g. a note to your nurse). This information is sent by the
  app to your Healthcare Provider.
• Your Healthcare Provider will have access to your Personal Data. Your Healthcare Provider
  may contact you using the GDm-Health App.
• Huma may access your Personal Data for the purpose of providing the
  GDm-Health App to you and/or your Healthcare Provider.
• Huma may also have access to Personal Data generated in connection with the
  GDm-Health App to ensure the safe and proper functional, operational and technical
  performance of the app and otherwise to comply with law and regulation. Where your
  Healthcare Provider has authorised Huma to do so, this data may also be used for
  medical research purposes or for product improvement.
• Huma will not use your Personal Data to market any products or services to you.
The DBm-Health App
• The DBm-Health App allows you to enter blood glucose readings (either directly through
  the App or via a compatible Bluetooth glucose meter) and record extra information about
  your reading, such as when any blood glucose measurements were taken (e.g. before or
  after a meal, what you have eaten). This information is sent by the app to your
  Healthcare Provider.
• Your Healthcare Provider will have access to your Personal Data. Your Healthcare Provider
  may contact you using the DBm-Health App.
• Huma may access your Personal Data for the purpose of providing the
  DBm-Health App to you and/or your Healthcare Provider.
• Huma may also have access to Personal Data generated in connection with the
  DBm-Health App to ensure the safe and proper functional, operational and technical
  performance of the app and otherwise to comply with law and regulation. Where your
  Healthcare Provider has authorised Huma to do so, this data may also be used for
  medical research purposes or for product improvement.
• Huma will not use your Personal Data to market any products or services to you.
2. The data we collect and process about you
Personal Data includes any information, whatever its source or form, that allows us to identify
you (directly or indirectly). It does not include data which cannot be used to identify you. This is
no longer considered to be Personal Data. We may collect and process your personal and
sensitive data (as described in the table below). This data may be collected when you interact
with the Apps or the web-app, when it is manually input by you including into data forms,
surveys or questionnaires to be filled by you, or through a connected device.
We ask that you carefully read the following description of the Personal Data that we may
process in connection with the app and web-app:
The GDm-Health App
Identity and contact Personal Data including your first name, last name, unique identifiers, unique activation codes and/or email address you used to register for your App account, DOB, Mobile Number, Telephone Number, Postcode, Local Hospital Number, and NHS Number. This will be provided by you at the point you register an account with the web-app, data related to you that has been encrypted or pseudonymised.
Sensitive data, including health data (such as information about your health records, your estimated date of delivery, blood glucose readings (e.g. blood glucose level, prandial tag for reading, medications taken), free text commentary, medical history (e.g. type of diabetes, date of diagnosis, medications information and units), accessibility information (collected by your Healthcare Provider), and ethnicity (if your Healthcare Provider requests this information be collected and if you choose to disclose this information)).
Technical data includes your registered username, IP address, device related data (such as device type or browser information).
Communications information including messages and notes from the midwife, user feedback (collected via various means including via in-app feature, and emails) and administration of experience surveys (for the purpose of supporting service maintenance and improvement on behalf of the Healthcare Provider), previous communications with Huma, reminders, email messages, text-messages, push-notifications, your communication preferences and any communication you have had with us directly (for example, if you reach out to us to receive technical support).
Usage data which may include your App activity data, information about how you use our App and communicate with us. Where you provide your consent, Huma may collect, use, and store activity data about your use of GDm-Health. This information will not identify you but help us to improve the GDm-Health service for the patients and clinicians who use it.
Where your Healthcare Provider has given us permission to do so, the data recorded in and
generated by your use of the GDm-Health Application may be anonymised and used for medical
research.
The DBm-Health App
Identity and contact Personal Data including your first name, last name, unique identifiers, unique activation codes and/or email address you used to register for your App account, DOB, Mobile Number, Telephone Number, Postcode, Local Hospital Number, and NHS Number. This will be provided by you at the point you register an account with the web-app, data related to you that has been encrypted or pseudonymised.
Sensitive data, including health data (such as information about your health records, blood glucose readings (e.g. blood glucose level, prandial tag for reading, medications taken), free text commentary, medical history (e.g. type of diabetes, date of diagnosis, medications information and units), accessibility information (collected by your Healthcare Provider), and ethnicity (if your Healthcare Provider requests this information be collected and if you choose to disclose this information)).
Technical data includes your registered username, IP address, device related data (such as device type or browser information).
Communications information including messages and notes from the midwife, user feedback (collected via various means including via in-app feature, and emails) and administration of experience surveys (for the purpose of supporting service maintenance and improvement on behalf of the Healthcare Provider), previous communications with Huma, reminders, email messages, text-messages, push-notifications, your communication preferences and any communication you have had with us directly (for example, if you reach out to us to receive technical support).
Usage data which may include your App activity data, information about how you use our App and communicate with us. Where you provide your consent, Huma may collect, use, and store activity data about your use of the DBm-Health App. This information will not identify you but help us to improve the DBm-Health service for the patients and clinicians who use it.
Where your Healthcare Provider has given us permission to do so, the data recorded in and
generated by your use of the DBm-Health Application may be anonymised and used for medical
research.
If you are a Healthcare Provider
1. Purpose
Huma provides certain services to you to support the delivery of patient care by your NHS
Trust/Board to patients at risk of gestational diabetes during pregnancy. Your use of the
web-based GDm-Health and DBm-Health services and any associated content is governed by the
agreement between Huma and the applicable Healthcare Provider.
The web-app helps you review information relating to your patient’s health, condition and how it
affects them with you, to facilitate your provision of patient care and/or treatment. In some
instances the web-app will also help you interpret that information and share your
recommendations and treatment options with your patient. You will act as Data Controller in
connection to the patient’s Personal Data processed for this purpose, with Huma providing a
tool to facilitate your patient care and treatment decisions.
The purpose of this Healthcare Provider privacy section of this Policy is to explain how Huma
intends to use your Personal Data in connection with the web-app for this secondary purpose
and other purposes in connection with which Huma acts as a controller as outlined in this notice.
2. The data we collect and process about you
Personal Data includes any information, whatever its source or form, that allows us to identify
you (directly or indirectly). It does not include data which cannot be used to identify you. This is
no longer considered to be Personal Data. We may collect and process your personal and
sensitive data (as described in the table below). This data may be collected when you interact
with the app or when it is manually input by you (including into data forms, surveys or
questionnaires to be filled by you).
We ask that you carefully read the following description of the Personal Data that we may
process in connection with the Apps and web-app:
Identity and contact Personal Data including your first name, last name, unique identifiers, telephone number(s) you used to register for your Web-App account. We may also collect your email address, and your job role and job title, as well as your NHS smart card number (if you choose to share it).
Your patient care and treatment decisions. This information will only be shared with us if the patient to whom the information relates has consented to Huma’s processing of their health data.
Usage data includes information about how you use our Portal and communicate with us. User interaction data may be used to improve the application or web-app.
Technical data includes your registered user name, IP address and device related data.
Communications information including user feedback (collected via phone or email) for the purpose of providing patient support with adherence levels and service maintenance and improvement on behalf of the Healthcare Provider, experience surveys, previous communications with Huma, reminders, email messages, text-messages, and push-notifications.
Marketing and communications data includes your preferences in receiving marketing from us, your communication preferences and any communication you have had with us directly (for example, technical support).
Patient and Healthcare Provider
1. Legal Basis
Our legal basis for processing your Personal Data (as per Article 6 of GDPR) depends on the
reason or reasons we collect and use your Personal Data. In general, these are:
Contract: Performance of a contract between Huma and your Healthcare Provider (if you are a Patient), or between Huma and you (if you are the Healthcare Provider).
Consent: Your consent. If you are a Patient, your Healthcare Provider has agreed to the processing of Personal Data including special category data for one or more specific purposes.
Legal Obligation: Where processing is necessary to comply with a legal obligation (for example, our medical device vigilance and adverse event reporting obligations under the Medical Devices Regulations (EU) 2017/2185 or for tax purposes). Please note that we may process your Personal Data without your knowledge or consent where this is required or permitted by law.
Legitimate Interest: Processing may take place to fulfil a legitimate interest that we may have as a business.
2. Change of Purpose
We shall only use your Personal Data for the purposes for which we collected it, unless we
reasonably consider that we need to use it for another reason and that reason is compatible
with the original purpose. If you wish to get an explanation as to how the processing for the new
purpose is compatible with the original purpose, please contact us at privacy@huma.com.
If we need to use your Personal Data for an unrelated purpose, we shall notify you and we shall
explain the legal basis which allows us to do so.
3. External Third-Parties
Where permitted under applicable law, we may share your Personal Data with the parties set out
below. We require all third parties to respect the security of your Personal Data and to treat it in
accordance with the law. We may share your Personal Data with limited third-parties:
In order to enable Huma to provide the GDm-Health and DBm-Health App to you, Huma
may disclose your personal data to its third-party processors.
Your data is shared with these limited suppliers or contractors, for the purposes described in this
notice and in line with the agreement we have in place with your Healthcare Provider. We share
your personal information outside our organisation with our suppliers or contractors, for the
purposes described in this notice and in line with the agreement we have in place with your
Healthcare Provider. They are bound by obligations of confidentiality. Our suppliers and
contractors may include: IT and communications service providers, payment processors; call
centres; repair service providers; marketing agencies and partners; and our courier and delivery
suppliers.
We do not allow our third-party service providers to use your Personal Data for their own purposes
and only permit them to process your Personal Data for specified purposes and in accordance with
our instructions or the Healthcare Provider’s instructions, as applicable.
If you use third party apps, products or services to measure data about your health that
you then input into the GDm-Health and DBm-Health App, your use of those apps, products
and services will be subject to the applicable third party terms of use and privacy policies, and
Huma will not have any responsibility for them or the information they provide.
In addition, we may disclose information about you to other third parties that act as
Data Controllers in their own right, such as:
• regulators, tax authorities and other applicable authorities who require reporting of
  processing activities in certain circumstances;
• legal advisors, regulators, law enforcement agencies, where required to do so by law, such
  as in connection with any legal proceedings or prospective legal proceedings, law
  enforcement purposes, or in order to establish, exercise or defend our legal rights;
• a third party to whom we may choose to sell, transfer or merge parts of our business or
  our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a
  change happens to our business, then the new owners may use your Personal Data in the
  same way as set out in this privacy policy.
4. International Transfers
Huma may provide access to your Personal Data to third party processors located outside of the
United Kingdom to support the delivery of the GDm-Health and DBm-Health Apps to you. Some
of these processors may be located in a jurisdiction, such as the United States, whose privacy
laws may not be equivalent to those of the United Kingdom. We apply appropriate safeguards in respect
of such transfers to protect your Personal Data in accordance with applicable data protection law
(for example, we may use standard data protection contractual clauses to protect your Personal
Data, and where we do, a copy of these clauses is available upon request by contacting us via the
details below).
5. Data Retention
We shall only retain your Personal Data for as long as reasonably necessary to fulfil the purposes
we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting
or reporting requirements. We may retain your Personal Data for a longer period in the event of
a complaint or if we reasonably believe there is a prospect of litigation in respect to our
relationship with you. Insofar as the processing of Personal Data is based on your consent, we
shall delete this data if you withdraw your consent.
To determine the appropriate retention period for Personal Data, we consider the amount,
nature and sensitivity of the Personal Data, the potential risk of harm from unauthorised use or
disclosure of your Personal Data, the purposes for which we process your Personal Data and
whether we can achieve those purposes through other means, and the applicable legal,
regulatory, tax, accounting or other requirements.
6. Your rights
Under certain circumstances, you have rights under data protection laws in relation to your
Personal Data. If you wish to exercise any of the rights set out below, please contact us at
privacy@huma.com. Please note that if you contact us in relation to exercising your rights in
connection with processing for which the Healthcare Provider, as opposed to Huma, acts as a Data
Controller, we shall normally respond requesting that you forward your request to the Healthcare
Provider, as they will be better placed to respond.
No fee usually required
You will not have to pay a fee to access your Personal Data (or to exercise any of the other
rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive
or excessive. Alternatively, we could refuse to comply with your request in these circumstances.
What we may need from you
We may need to request specific information from you to help us confirm your identity and
ensure your right to access your Personal Data (or to exercise any of your other rights). This is a
security measure to ensure that Personal Data is not disclosed to any person who has no right
to receive it. We may also contact you to ask you for further information in relation to your
request to speed up our response.
If you elect not to provide Personal Data
You may choose not to provide us with your Personal Data. However, if you choose not to
provide your Personal Data, we may not be able to provide you with our services.
You have the right to:
• Be informed of the purpose and the valid legal basis or practical justification for collecting
  the Personal Data, and that your data shall not be processed later in a manner inconsistent
  with that purpose.
• Request access to your Personal Data (commonly known as a "data subject access
  request"). This enables you to receive a copy of the Personal Data we hold about you and to
  check that we are lawfully processing it.
• Request correction of the Personal Data that we hold about you.
  This enables you to have any incomplete or inaccurate data we hold about you corrected,
  though we may need to verify the accuracy of the new data you provide to us. It is important
  that the Personal Data we hold about you is accurate and current. Please contact us at
  privacy@huma.com if your Personal Data changes during your relationship with us.
• Request erasure of your Personal Data.
  This enables you to ask us to delete Personal Data where there is no good reason for us
  continuing to process it. You also have the right to ask us to delete your Personal Data where
  you have successfully exercised your right to object to processing (see below), where we may
  have processed your information unlawfully or where we are required to erase your Personal
  Data to comply with local law. Note, however, that we may not always be able to comply with
  your request of erasure for specific legal reasons which will be notified to you, if applicable, at
  the time of your request.
• Object to processing of your Personal Data. Where we are relying on a legitimate interest
  (or those of a third party), you can object to processing on this ground if you feel it impacts
  your fundamental rights and freedoms. You also have the right to object where we are
  processing your Personal Data for direct marketing purposes. In some cases, we may
  demonstrate that we have compelling legitimate grounds to process your information which
  override your rights and freedoms.
• Request restriction of processing of your Personal Data. This enables you to ask us to
  suspend the processing of your Personal Data in the following scenarios:
    ◦ If you want us to establish the data's accuracy.
    ◦ Where our use of the data is unlawful but you do not want us to erase it.
    ◦ Where you need us to hold the data even if we no longer require it as you need it to
      establish, exercise or defend legal claims.
    ◦ You have objected to our use of your data but we need to verify whether we have
      overriding legitimate grounds to use it.
• Request the transfer of certain of your Personal Data to you or to a third party (the right
  of data portability). We shall provide to you, or a third party you have chosen, your Personal
  Data in a structured, commonly used, machine-readable format. Please note that this right
  only applies to information you provided to us and which we process on the basis of consent
  or where it is necessary to perform a contract with you.
• Withdraw consent at any time where we are relying on consent to process your
  Personal Data.
  However, please note that this will not affect the lawfulness of any processing carried out
  before you withdraw your consent. If you withdraw your consent, we may not be able to
  provide certain products or services to you. We shall advise you if this is the case at the time
  you withdraw your consent.
Lodge a Complaint
If you feel our processing of your Personal Data violates applicable data protection law, you have
the right to lodge a complaint at any time to the competent supervisory authority. We would,
however, appreciate the chance to deal with your concerns before you approach the competent
regulator or the applicable data protection regulator so please contact our Data Protection
Officer (“DPO”) in the first instance using any of the contact details listed below.
If you wish to exercise any of the rights set out above, please contact us at
privacy@huma.com. Please note that if you contact us in relation to exercising your rights in
connection with processing for which the Healthcare Provider, as opposed to Huma, acts as a
Controller, we shall normally respond requesting that you forward your request to the Healthcare
Provider, as they will be better placed to respond.
7. Data security and hosting
We have put in place appropriate security measures to prevent your Personal Data from being
accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we
limit access to your Personal Data to those employees, agents, contractors and other third
parties who have a business need to know. They will only process your Personal Data on our
instructions and they are subject to a duty of confidentiality. Access to your information is limited
in accordance with our agreement with your Healthcare Provider.
8. Who we are and contact details
Huma Therapeutics Limited is a company based in the UK and registered under number
07725451, with its registered office located at 13th Floor Millbank Tower, 21-24 Millbank, London,
England, SW1P 4QP.
Huma has appointed a DPO who is responsible for overseeing questions in relation to this
privacy policy. If you have any questions about this privacy policy or our privacy practices,
including any requests to exercise your legal rights, please contact us using the details shown
below.
Please note that if you contact us in relation to processing in connection with which the Healthcare
Provider (as opposed to Huma) acts as a Data Controller, we will normally respond requesting that
you forward your request to the Healthcare Provider, as the Healthcare Provider will be better
placed to respond.
Full name and address of legal entity: Huma Therapeutics Limited 13th Floor Millbank
Tower, 21-24 Millbank, London SW1P 4QP
Email address: Please contact us at privacy@huma.com
9. Changes to this Privacy Policy
We may update this privacy notice from time to time. If we do, we shall update the date it was
last changed below. This notice was last updated on 05 February 2024. We will contact you to
let you know about any substantive change.
10. Agreement to this Privacy Policy
Your use of the App signifies your acceptance of this Policy, and the terms and conditions that
govern it. If you do not agree to this policy, you must not use any of the content or the services
offered through the App.