This privacy policy covers the use of the “CARP Studies” app for Android and iOS as provided by the Department of Health Technology at the Technical University of Denmark.

Who we are

“We” are the Department of Health Technology at the Technical University of Denmark (DTU Health Tech). DTU Health Tech is a public research department for health technology.

Our website address is: https://www.healthtech.dtu.dk/

DTU operates the Copenhagen Research Platform (CARP). CARP is used by researchers at DTU to collect, store, manage, and analyze data for research purposes. The cloud-based CARP Services is operated by the Technical University of Denmark (DTU) at the Department of Health Technology, which is the data controller for CARP. CARP Services has a separate privacy policy.

The legal entity responsible for processing your personal data is:

Technical University of Denmark (DTU)
Department of Health Technology
Ørsteds Plads
Building 345C
2800 Kongens Lyngby

Contact details for DTU’s data protection officer are:

DTU
Attn. DPO
Anker Engelunds Vej 1
Building 101A
2800 Kongens Lyngby

Email: dpo@dtu.dk
Tel.: +45 25 25 25 25

As a data controller, DTU is committed to giving the utmost attention to the security and protection of your privacy. DTU processes your personal data in compliance with applicable privacy and personal data laws according to the European General Data Protection Regulation (GDPR).

This Privacy Policy explains how we process your personal data when you use the CARP Studies app (“CARP Studies” or “App”) that gathers, stores, and processes data as part of our research. This data may also provide you with insights and services to help you lead a healthier life.

Informed Consent

All data collection in the CARP Studies app is done as part of a Research Study (“Study”). A Study will always have a researcher who is responsible for the Study (“Researcher”).

Participation or enrolment (“Enrolment”) in a Study is always voluntary and you can leave the Study and uninstall the CARP Studies app at any time and without providing any reason.

When you enroll in a Study, you will walk through an informed consent flow (“Informed Consent”), which will inform you about:

  • The purpose of the Study (“Purpose”)
  • The name of the Researcher(s) in charge
  • What data is being collected
  • What data is used for
  • Who data is shared with (if any)
  • What privacy measures are taken to protect your data in the Study
  • Your time commitment
  • The tasks you need to do in the Study
  • How you can withdraw from the Study

Before enrolling in a Study in the CARP Studies app you need to read, understand, and sign this Informed Consent. The signed informed consent document is stored in CARP Services.

What data do we collect?

Depending on the Study you are invited to participate in, the CARP Studies app may collect the following types of data from you:

  • Identity data that can directly identify you, such as your email address, social security number, username, name, phone number, and address. 
  • Demographic data that provides information about your socioeconomic status, such as sex, birth date, employment, education, income, and health history.
  • Location and Activity data are measures of your physical activities, such as the number of steps, distance traveled, visited locations, number of calories burned, type of activity, level of activity, and activity duration.
  • Physiological data corresponds to a measurement of your physical features and body activity. This may include your weight, muscle, fat, water percentage, heart rate, blood pressure, blood glucose, electrocardiogram, heart sound, temperature, and sleep cycles.
  • Health data including exercise, smoking, and alcohol habits, stress, mental health, well-being, and sleep quality.
  • Environmental data are measures of your environment or surroundings, such as noise level, light level, temperature level, CO2 concentration, weather, air quality, nearby devices, IP address, and geolocation.
  • Phone usage data that measures your use of the phone, such as active screen time.
  • Technical data such as Wi-Fi & Bluetooth network, technical logs, battery measurement, debug information, and website cookies.

The Informed Consent for a Study will always detail what data is being collected as part of the Study and why (the “Purpose”).

How do we collect data?

The CARP Studies app can collect data in four main ways:

  1. Passive Data – this is data collected from the phone’s onboard sensors. This includes location data from the phone’s GPS sensor, step data from the phone’s built-in pedometer, information about the battery level and charging status from the phone’s battery, and screen event data collected whenever the phone is locked and unlocked.
  2. Active Data – this is data provided by the user. This can be a simple question like “Where are you now?” or “What symptoms did you experience when you woke up?”. Or it can be longer surveys like the WHO-5 well-being survey or the Karolinska Sleepiness Scale survey. It can also involve collecting an audio sample of e.g. coughing, or taking a picture of e.g. a wound as it is healing. In clinical / health studies this kind of data is also called “patient-reported data”.
  3. Health Data – this is health data collected from the phone’s health database. On iOS this is the Apple Health database and on Android, this is the Google Health Connect database. Depending on the configuration of the Study, we may collect activity data (like accumulated step counts or calories burned), sleep data, or data collected from wearable devices (like a Withings Smart Scale), which are connected to the phone’s health database.
  4. Sensor Data – this is data collected from wearable and environmental sensors connected to the Studies App. This includes heart rate sensors like the Polar devices or ECG sensors like the Movesense devices. These sensors connect to the phone via the Bluetooth protocol. It might also include environmental sensors like weather or air quality sensors located in the vicinity of the user. These sensors are connected to the phone and app using the HTTP/TCP/IP protocol.

Note that each Study will be configured to collect different kinds of data. The Informed Consent will always describe in detail what data is collected, how, and for what purpose.

How do we use data?

The data collected through the CARP Studies app is processed by DTU for the following specific purposes:

  • Conduct Research. Personal data processed by DTU are accessible by the Researcher conducting a Study for the research Purpose stated in the Informed Consent. This will include the processing of personal data collected as part of the Study. Personal (person-identifiable) data will never be disclosed as part of a research study (see below).
  • Provide Insight and Services. Personal data processed by DTU are stored on your CARP account and high-level summaries are accessible in the “Data” tab in the CARP Studies app. This will be available for you for personal health insight and service. Personal data may be indicated as raw data (number of steps, weight, etc.), or as a result of specific processing (heart rate, respiration, movement which produces your sleep patterns, etc.).
  • Improving the CARP Applications and Services. We may use your anonymous personal data to improve our Applications and Services and to correct or modify software settings.

Who do we share your data with?

We do not share your personal data with anyone unless you give us Informed Consent to do so.

In the case that a Study wants to share your data with another organization outside DTU – for example the University of Copenhagen or a Hospital – a disclosure or data processing agreement will be made with this organization prior to the start of the Study (“pre-study”). You will then give your informed consent to sharing your data with this organization as part of the informed consent flow, before participating in the Study.

In the case that a Study wants to share your data with another organization outside DTU after a Study is finished (“post-Study”) a disclosure or data processing agreement will be made with this organization. You will then be contacted to give your informed consent to sharing your data with this organization. If you do not consent to the sharing of your data, your data will not be shared.

We will never donate or sell your data to anyone during or after a Study.

How do we publish your data?

Your personal data will not be published.

As part of our research, your data will be subject to data processing and analysis, and the result of such analysis will be part of scientific dissemination in academic journals, conferences, and public data sets.

However, any such results will only be published in anonymized formats with no person-identifiable data. Anonymization will be done by statistical aggregation and by removing all person-identifiable data from such research dissemination.

How long do we retain your data?

We will keep your data as long as it is relevant for the Purpose of the Study from which it was collected.

What rights do you have over your data?

You can request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.

How do we process your data?

CARP processes data in three places:

  • In the CARP Studies app on your smartphone (both iOS and Android)
  • In a web application (the CARP portal)
  • On the CARP server (CARP Web Services)

Data processing on the smartphone is done using a pseudonym, and data is not linked directly to you. No data is stored on the smartphone.

All communication between the smartphone and the CARP server is encrypted.

All CARP services, including the use of the CARP Studies app, are subject to user authentication and authorization.

All data is encrypted on the CARP server.

The CARP server is hosted within the EU.

What third parties do we receive data from?

A Study might include data collected from connected devices. Such devices may need the creation of a service account at the device manufacturer (“Third Party”). The device may send the collected data to the Third Party’s service account, from which CARP will collect it. Examples of such third-party service accounts include Fitbit, Withings, Dexcom, and Garmin.

The processing of data from such third parties in CARP will always be subject to your authorization (using e.g. OAuth).

Your use of the Third Party’s service is subject to the User Terms and Privacy Policy of this Third Party.

The use of a third-party service is always voluntary in a Study.