This privacy policy covers the use of the Copenhagen Research Platform (CARP) services as provided and hosted by the Technical University of Denmark (DTU).

Who we are

“We” are the Department of Health Technology at the Technical University of Denmark (DTU Health Tech). DTU Health Tech is a public research department for health technology.

Our website address is: https://www.healthtech.dtu.dk/

This is the Privacy Policy for the Copenhagen Research Platform (CARP). CARP is used by researchers at DTU to collect, store, manage, and analyze data for research purposes.

CARP is operated by the Technical University of Denmark (DTU) at the Department of Health Technology, which is the data controller for CARP. CARP complies with the privacy policy of DTU.

The legal entity responsible for processing your personal data is:

Technical University of Denmark (DTU)
Department of Health Technology
Ørsteds Plads
Building 345C
2800 Kongens Lyngby

Contact details for DTU’s data protection officer are:

DTU
Attn. DPO
Anker Engelunds Vej 1
Building 101A
2800 Kongens Lyngby

Email: dpo@dtu.dk
Tel.: +45 25 25 25 25

As a data controller, DTU is committed to giving the utmost attention to the security and protection of your privacy. DTU processes your personal data in compliance with applicable privacy and personal data laws according to the European General Data Protection Regulation (GDPR).

This Privacy Policy explains how we process your personal data when you participate in our research. Our research makes use of various software applications (“Applications”) (including mobile and web applications), cloud-based services (“Services”), and connected devices (“Devices”) that gather, store, and process data as part of our research. This data may also provide you with insights and services to help you lead a healthier life.

Informed Consent

All data collection in CARP is done as part of a Research Study (“Study”). A Study will always have a researcher who is responsible for the Study (“Researcher”).

Participation or enrolment (“Enrolment”) in a Study is always voluntary and you can leave the Study at any time and without providing any reason.

When you enroll in a Study, you will walk through an informed consent flow (“Informed Consent”), which will inform you about:

  • The purpose of the Study and the name of the Researcher in charge
  • What data is being collected
  • What privacy measures are taken to protect your data in the Study
  • What data is used for (“Purpose”)
  • Your time commitment
  • The tasks you need to do in the Study
  • How you can withdraw from the Study

Before enrolling in a Study you need to read, understand, and sign this Informed Consent. The signed informed consent document is stored in CARP.

What data do we collect?

Depending on the Study you are part of, CARP may collect the following types of data from you:

  • Identity data that can directly identify you, such as your email address, social security number, username, name, phone number, and address. 
  • Demographic data which provides information about your socioeconomic status, such as sex, gender, birth date, employment, education, income, and diagnosis.
  • Activity data are measures of your physical activities, such as the number of steps, distance traveled, visited locations, number of calories burned, type of activity, level of activity, and activity duration.
  • Physiological data corresponds to a measurement of your physical features and your body activity. This may include your weight, muscle, fat, water percentage, heart rate, blood pressure, blood glucose, electrocardiogram, heart sound, temperature, and sleep cycles.
  • Health data including exercise-, smoking- and alcohol habits, stress, mental health, well-being, and sleep quality
  • Environmental data are measures of your environment or surroundings, such as noise level, light level, temperature level, CO2 concentration, weather, air quality, nearby devices, IP address, and geolocation.
  • Phone usage data which are measures of your use of the phone, such as active screen time, app usage, and phone logs.
  • Technical data such as Wi-Fi network, technical logs, battery measurement, debug technical information, and website cookies.

The Informed Consent for a Study will always list in detail what data is being collected as part of the Study and why (the “Purpose”).

How do we use data?

The data collected through the Applications and Services of CARP is processed by DTU for the following specific purposes.

  • Conduct Research. Personal data processed by DTU are accessible by the Researcher conducting a Study for the research purpose stated in the Informed Consent. This will include the processing of the personal data collected as part of the Study. Person-identifiable data will never be disclosed as part of a research study (see below).
  • Provide Insight and Services. Personal data processed by DTU are stored on your CARP account and accessible on the Study Application. This will be available for you for personal health insight and service. Personal data may be indicated as raw data (number of steps, weight, etc.), or as a result of specific processing (heart rate, respiration, movement which produces your sleep patterns, etc.).
  • Improving the CARP Applications and Services. We may use your anonymous personal data to improve our Applications and Services and to correct or modify software settings.

Who do we share your data with?

We do not share your personal data with anyone unless you give us an Informed Consent to do so.

In the case that a Study wants to share your data with another organization outside DTU – for example the University of Copenhagen or a Hospital – a data processing agreement will be made with this organization before the start of the Study (“pre-Study”). You will then give your informed consent to sharing your data with this organization as part of the informed consent flow, before participating in the Study.

In the case that a Study wants to share your data with another organization outside DTU after a Study is finished (“post-Study”) a data processing agreement will be made with this organization. You will then be contacted to give your informed consent to sharing your data with this organization. If you do not consent to the sharing of your data, your data will not be shared.

How do we publish your data?

Your personal data will not be published.

As part of our research, your data will be subject to data processing and analysis, and the result of such analysis will be part of scientific dissemination in academic journals, conferences, and public data sets.

However, any such results will only be published in anonymized formats with no person-identifiable data. Anonymization will be done by statistical aggregation and by removing all person-identifiable data from such research dissemination.

How long we retain your data?

We will keep your data as long as it is relevant for the research purpose of the Study from which it was collected.

What rights do you have over your data?

You can request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.

How do we process your data?

CARP processes data in three places:

  • In an app on your smartphone (both iOS and Android)
  • In a web application
  • On the CARP server

Data processed on the smartphone is done using a pseudonym and data is not linked directly to you. No data is stored on the smartphone.

All communication between the smartphone and the CARP server is encrypted.

All server-side CARP services, including web applications, are subject to user authentication and authorization.

All data is encrypted on the CARP server.

The CARP server is hosted within the EU.

What third parties do we receive data from?

A Study might include data collected from connected devices. Such devices may need the creation of a service account at the device manufacturer (“Third Party”). The device may send the collected data to the Third Party’s service account, from which CARP will collect it. Examples of such third-party service accounts include Fitbit, Withings, Dexcom, and Garmin.

The processing of data from such third parties in CARP will always be subject to your authorization (using e.g. OAuth).

Your use of the Third Party’s service is subject to the User Terms and Privacy Policy of this Third Party.

The use of a third-party service is always voluntary in a Study.