This privacy policy covers the use of the hosted CARP service at the Technical University of Denmark.

Who we are

“We” are the Copenhagen Center for Health Technology (CACHET). CACHET is a public research center for health technology and is created as a strategic partnership between the Capital Region of Denmark, the City of Copenhagen, the Faculty of Health and Medical Sciences at the University of Copenhagen, and the Technical University of Denmark.

Our website address is: http://www.cachet.dk.

Read more about the organisation of CACHET and the people responsible at: https://www.cachet.dk/about/organisation.

This is the Privacy Policy for the CACHET Research Platform (CARP). CARP is used by researchers in CACHET to collect, store, manage, and analyze data for research purposes.

CARP is operated by the Technical University of Denmark (DTU) at the Department of Health Technology, who is the data controller for CARP. CARP complies to the privacy policy of DTU.

The legal entity responsible for processing your personal data is:

Technical University of Denmark (DTU)
Department of Health Technology
Ørsteds Plads
Building 345C
2800 Kongens Lyngby

Email: cachet@dtu.dk

Contact details for DTU’s data protection officer are:

DTU
Attn. DPO
Anker Engelunds Vej 1
Building 101A
2800 Kongens Lyngby

Email: dpo@dtu.dk
Tel.: +45 25 25 25 25

As a data controller, CACHET is committed to giving the utmost attention to the security and protection of your privacy. CACHET processes your personal data in compliance with applicable privacy and personal data laws according to the European General Data Protection Regulation (GDPR).

This Privacy Policy explains how we process your personal data when you participate in our research. Our research make use of various software applications (“Applications”) (including mobile and web applications), cloud-based services (“Services”), and connected devices (“Devices”) that gather, store and process data as part of our research. This data may also provide you insights and services to help you lead a healthier life.

Informed Consent

All data collection in CARP is done as part of a Research Study (“Study”). A Study will always have a researcher who is responsible for the Study (“Researcher”).

Participation or enrolment (“Enrolment”) in a Study is always voluntary and you can leave the Study at any time and without providing any reason.

When you enrol into a Study, you will walk through an informed consent flow (“Informed Consent”), which will inform you about:

  • The purpose of the Study and the name of the Researcher in charge
  • What data is being collected
  • What privacy measures are taken to protect your data in the Study
  • What data is used for (“Purpose”)
  • You time commitment
  • The tasks you need to do in the Study
  • How you can withdraw from the Study

Before enrolling in a Study you need to read, understand, and sign this Informed Consent. The signed informed consent document is stored in CARP.

What data we collect

Depending on the Study you are part of, CARP may collect the following types of data from you:

  • Identity data which can directly identify you, such as your email address, social security number, username, name, phone number, and address. 
  • Demographics data which provide information about your socio-economical status, such as sex, gender, birth date, employment, education, income, and diagnosis.
  • Activity data which are measures of your physical activities, such as number of steps, distance travelled, visited locations,, number of calories burned, type of activity, level of activity, and activity duration.
  • Physiological data which correspond to a measurement of your physical features and your body activity. This may includes your weight, muscle, fat, water percentage, heart rate, blood pressure, blood glucose, electrocardiogram, heart sound, temperature, and sleep cycles.
  • Health data including exercise-, smoking- and alcohol habits, stress, mental health, wellbeing, and sleep quality
  • Environmental data which are measures about your environment or surroundings, such as noise level, light level, temperature level, CO2 concentration, weather, air quality, nearby devices, IP address, and geo-location.
  • Phone usage data which are measures of your use of the phone, such as active screen time, app usage, and phone logs.
  • Technical data such as Wi-Fi network, technical logs, battery measurement, debug technical information, and website cookies.

The Informed Consent for a Study will always list in details what data is being collected as part of the Study and why (the “Purpose”).

How we use data

The data collected through the Applications and Services of CARP is processed by CACHET for the following specific purposes.

  • Conduct Research. Personal data processed by CACHET are accessible by the Researcher conducting a Study for the research purpose stated in the Informed Consent. This will include the processing of the personal data collected as part of the Study. Person-identifiable data will never be disclosed as part of a research study (see below).
  • Provide Insight and Services. Personal data processed by CACHET are stored on your CARP account and accessible on the Study Application. This will be available for you for personal health insight and service. Personal data may be indicated as raw data (number of steps, weight, etc.), or as a result of specific processing (heart rate, respiration, movement which produces your sleep patterns, etc.).
  • Improving the CARP Applications and Services. We may use your anonymous personal data to improve our Applications and Services, and to correct or modify software settings.

Who we share your data with

We do not share your personal data with anyone unless you give us an Informed Consent to do so.

In the case that a Study wants to share your data with another organisation outside DTU – for example the University of Copenhagen or a Hospital – a data processing agreement will be made with this organisation prior to the start of the Study (“pre-Study”). You will then give your informed consent to sharing of your data with this organisation as part of the informed consent flow, before participating in the Study.

In the case that a Study wants to share your data with another organisation outside DTU after a Study is finished (“post-Study”) a data processing agreement will be made with this organisation. You will then be contacted to give your informed consent to sharing of your data with this organisation. If you do not consent to sharing of your data, your data will not be shared.

How we publish your data

Your personal data will not be published.

As part of our research, your data will be subject to data processing and analysis, and the result of such analysis will be part of scientific dissemination in academic journals, conferences, and public data sets.

However, any such results will only be published in anonymised formats with no person-identifiable data. Anonymisation will be done by statistical aggregation and by removing all person-identifiable data from such research dissemination.

How long we retain your data

We will keep your data as long as it is relevant for the research purpose of the Study from which it was collected.

What rights you have over your data

You can request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.

How we process your data

CARP processes data in three places:

  • In an app on your smartphone (both iOS and Android)
  • In a web application
  • On the CARP server

Data processed on the smartphone is done using a pseudonym and data is not linked directly to you. No data is stored on the smartphone.

All communication between the smartphone and the CARP server is encrypted.

All server-side CARP services, including web applications, are subject to user authentication and authorization.

All data is encrypted on the CARP server.

The CARP server is hosted within EU.

What third parties we receive data from

A Study might include data collected from connected devices. Such devices may need the creation of a service account at the device manufactor (“Third Party”). The device may send the collected data to the Third Party’s service account, from which CARP will collect it. Examples of such Third Party service accounts include Fitbit, Withings, Dexcom, and Garmin.

The processing of data from such third party in CARP will always be subject to your authorisation (using e.g. OAuth).

Your use of the Third Party’s service is subject to the User Terms and Privacy Policy of this Third Party.

The use of a Third Party service is always voluntary in a Study.