Last version: March 23, 2023

1.- Introduction

Your privacy is very important to us, that’s why we have developed this application, CORI, in a way that is respectful of your privacy, intimacy and your personal data. Your data is yours and in CORI you will have full control over it. In this privacy policy we will explain what personal data we process, how we process it, how we comply with the principles and obligations established by law and what your rights are in terms of data protection.

2.- Who are we?

CORI is an application that has been developed by the commercial company CORI HEALTH & CARE, S.L.U., with NIF number B01740364, and domiciled in Spain, inDiputación Foral de Álava 4, 3rd floor, Postal Code 01001 of Vitoria-Gasteiz (Álava).

CORI HEALTH & CARE, S.L.U. is registered in the Commercial Register of Alava, Volume 1705, Folio 221, Page VI-20033, 1st Inscription.

Accordingly, we inform you that, from the point of view of data protection regulations, the data controller is the company, with the data indicated above.

3.- What data do we process about you? 

We do not have access to the personal data you enter in CORI. Remember, your data is yours and you have control over it. CORI is an application that we have developed for you to manage your diabetes and other information associated with it.

The personal data processed through CORI is stored on your cell phone but, as you have control over it, you can download it in CSV format to export it to other devices or synchronize it with other services such as the following:

• Dexcom (https://developer.dexcom.com)
• Apple Health/Salud (https://www.apple.com/lae/privacy/)
  • We import Apple Health data from:
    • Glucose
    • Insulin
    • Carbs
    • WorkoutS
    • Hearth Rate
    • V02 Max
    • Distance
    • Flights Climbed
    • Energy Burned
    • Heart Rate Variability (HRV)
    • Gender
    • Birthdate
  • Save the data you add in the app in Health.
  • As a user, you have to give permission.

HealthKit data will only be used to provide health, motion or fitness services in connection with the App; HealthKit data will not be used for marketing, advertising or use-based data mining, including by third parties.

Also, if you want, you can upload the CORI data to iCloud to sync with that app so that it’s not just stored on your phone. In this sense, it is important that you keep in mind that, as the CORI data is stored on your cell phone, if you do not synchronize it with iCloud, in case it breaks down or you lose it, you would lose with it the data you have in CORI, so that it would not be available when you activate the app on a new cell phone.

In addition to all this, you have the ability to import data from another device or service into CORI. Therefore, you are responsible for the use you make of the application, how you treat your personal data through the application and the people to whom you give access.

On the other hand, we use analytical services on the use made by users of CORI, which allows us to detect and identify improvements to be made in the App. For this we use GoogleAnalytics, GoogleCrashlytics and RevenueCat although the data collected by these services are completely anonymous. When a user installs the app, GoogleAnalytics, Google Crashlytics and RevenueCat assign each user an ID randomly and anonymously, without us knowing the real identity of that user. In this way we can know, for example, the sessions that being that ID the one that allows us to know, for example, that a user ID has made a subscription in CORI or the sessions made in a day.

You can consult the privacy policy of Google Analytics in this link: https://www.google.com/policies/privacy/partners/ and You can also consult Google Analytics terms of service at the following link: https://support.google.com/analytics/answer/6004245

Below you can also consult GoogleCrashlytics terms of service: https://firebase.google.com/terms/crashlytics-app-distribution-data-processing-terms

You can consult RevenueCat’s privacy policy at the following link: https://www.revenuecat.com/privacy 

You can also consult RevenueCat’s terms of service at the following link:https://www.revenuecat.com/terms 

You can consult the Data Processing Addendum at this link: https://www.revenuecat.com/dpa 

4.- Invitations to/from other users to share CORI information

CORI allows those users who have the Pro subscription to share with others the information they have in the app. For this, different means can be used (email, message and others that can be seen in the sharing functionality).

In these cases an iCloud link is generated that the user can share with the person you want through the enabled means, which are external and outside CORI. Therefore, in these cases we do not process personal data of the people to whom the invitation is sent.

5.- Principles relating to processing under the General Data Protection Regulation

In CORI HEALTH & CARE, S.L.U. we are clear that the most important thing is the privacy of CORI users, so from the beginning we have conceived and developed it taking into account compliance with the principles required by the General Data Protection Regulation. But how do we comply with these principles? We explain it to you below:

1. Principle of legality, loyalty and transparency: we offer, through this privacy policy, detailed and transparent information about the treatment we do with the personal data of CORI users, always on the existence of a legal basis that legitimizes the processing of personal data.
2. Principle of purpose limitation: As we have already pointed out above, we do not collect personal data from CORI users as this is stored only on their own devices. We only use anonymous user data for analytical and statistical purposes, in order to be able to detect areas of improvement of the application but, as anonymous as they are, we cannot identify any user which really means that we do not process users’ personal data.
3. Principle of data minimization: As mentioned in the previous paragraph, we respect this principle of data minimization to such an extent that, unlike other applications, we do not process any personal data of CORI users. The only instance of processing is for anonymous application usage data.
4. Principle of accuracy: We do not really consider this principle to be applicable to us because, since we do not process personal data of users, it is obviously not possible to keep accurate and up-to-date data that is not processed.
5. Principle of limitation of the conservation period: this principle, which requires that personal data not be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed, although they may be kept for longer periods provided that they are processed exclusively for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. We do not process personal data of CORI users, we only keep anonymized data for analytical purposes in order to detect areas for improvement, retaining them only for the period necessary to analyze and, if necessary, implement them, and then proceeding to their deletion.
6. Principle of integrity and confidentiality: at CORI HEALTH & CARE, S.L.U. we implement appropriate technical and organizational measures to ensure adequate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage. In order to determine the security measures we apply, we conduct risk assessments, which we review periodically. We also guarantee the confidentiality of our information to which all persons and third parties who, in one way or another, provide services to us have access by signing the corresponding confidentiality contract.
7. Principle of proactive responsibility: In addition to implementing technical and organizational security measures, we document and review them in order to be able to guarantee and certify that the processing we carry out complies with the requirements of the General Data Protection Regulation.

6.-Data protection by design and by default

At CORI HEALTH&CARE, S.L.U. it was clear to us from the very beginning that the privacy of CORI users was going to be the most important thing. If we can give our users a tool to manage their diabetes information, why should we have access to their data?

That is why it is no problem for us to comply with this data protection principle by design and by default.

In the initial conception itself and in its subsequent development we have taken this principle into account and decided that, by default, CORI would allow to treat the minimum data necessary for the user to perform the control of their diabetes and that only they have access to them, being stored in their own device and, where appropriate, in third-party services with which the user wishes to synchronize them, without CORI HEALTH & CARE, S.L.U. storing them on its own servers or those of third parties contracted by us.

For our part, we have implemented measures aimed at complying with this principle and with the other obligations established by the General Data Protection Regulation in such a way that the only data we process are anonymous data, not linked to the user but are related to the device ID and usage data, interaction with CORI, all for analytical purposes aimed at being able to detect and implement improvements.

7.- Security

One of the most important premises for us, along with the privacy of CORI users, is security. Therefore, we implement the maximum security measures that are within our reach and that allow the existing technology at all times. In addition, we make periodic reviews to improve the security of the app.

In any case, CORI complies with the minimum requirements demanded by Apple for developers in terms of security measures.

8.- Information on personal data processing  

In accordance with the provisions of the General Data Protection Regulation and the Organic Law 3/2018 of December 5, 2018, on the Protection of Personal Data and guarantee of digital rights, we inform you of the following issues regarding the processing that we (do not) do with the personal data of CORI users:

Responsible for the treatment: CORI HEALTH &CARE, S.L.U., with Tax Identification Number B01740364, and address at Calle Las Escuelas 10, Oficina 10, C.P. 01001, Vitoria (Álava).

Personal data collected: As mentioned above, CORI HEALTH & CARE, S.L.U. does not collect personal data from CORI users, we only process anonymous and random ID data, not linked to the user but related to the device ID and usage data, interaction with CORI, all for analytical purposes aimed at detecting and implementing improvements.

Purpose of treatment: As we have just indicated, the only data we process from CORI users are not related to them but are completely anonymous and are used for the sole purpose of analyzing the use made of the application in order to detect and implement improvements in it.

Legitimacy of the treatment: the legal basis that legitimizes the processing of the above-mentioned anonymous data is that it is necessary to satisfy our legitimate interests in improving the functionality, features and performance of CORI.

Data recipients:

no personal data of CORI users is communicated to any third party as we do not have access to it. Only if the user invites other people, he will share with them (not us) the information he has in CORI.

In any case, for some matters we use the services of third parties, who act as data processors, with whom we have signed the corresponding data processing contract in accordance with the provisions of Article 28.3 of the GDPR.

International Data Transfers: we inform you that we do not carry out international transfers of personal data.

Data retention period: We keep anonymous user data only for the time necessary to analyze and, if necessary, implement issues and functionalities that can improve CORI so that they will be deleted afterwards.

Rights of the data subject with regard to the processing of his or her data: you have all the information about it in the section “What rights do you have regarding the processing of your personal data?”

Complaint to the supervisory authority: you have all the information about it in the section “What rights do you have regarding the processing of your personal data?”

9.- What rights do you have regarding the processing of your personal data? 

Right of access: in order to know and verify the lawfulness of the processing, you can ask us at any time to confirm whether CORI HEALTH & CARE, S.L.U. is processing your personal data and, if so, we will inform you, among other questions, about what data we are processing, its purpose, origin of the data, expected period of data retention and, where appropriate, recipients or categories of recipients.

Right of rectification: this right recognizes the possibility of requesting the rectification of inaccurate personal data or the completion of incomplete personal data, including by means of an additional declaration. In such a case, you must indicate in your request which data you are referring to and the correction to be made, and you must attach, if necessary, the documentation supporting the inaccuracy or incompleteness of the data being processed. However, as we do not have or process your personal data, this is a right that we cannot attend to. You will be able to rectify or modify your personal data yourself at CORI.

you can ask us to have your personal data deleted and no longer processed if they are no longer necessary for the purposes for which they were collected or otherwise processed, you withdraw your consent, they have been unlawfully processed or they must be deleted for compliance with a legal obligation.

In this case the same applies since, as we do not have access to your personal data we have no possibility to delete them but you can do it yourself in CORI and even delete the application from your device.

Right to limitation of processing: in this case CORI HEALTH&CARE, S.L.U. will only keep your personal data for the formulation, exercise or defense of claims, or for the protection of the rights of another natural or legal person or for reasons of important public interest. In this case, as we do not have your personal data, we can not meet this right because the data are on your device, we have no possibility to limit their treatment.

Right to data portability: This right allows you to ask us to provide your personal data, to you or to another person in charge that you indicate, in a structured, commonly used and machine-readable format. Likewise, we cannot provide you with any data because we do not have access to them, but you can download or export them to other services.

Right of opposition: In this case, you have the right to stop us from processing your personal data in the way you indicate, unless we have to continue processing them for compelling legitimate reasons or for the formulation, exercise or defense of possible claims. However, we can not meet such a request because we do not have your data, however, if you no longer want to use the application you can delete your data and even delete it from your device.

How to exercise your data protection rights? To exercise your rights you must send us a written request, indicating the right you wish to exercise, to CORI HEALTH & CARE, S.L.U., at Diputación Foral de Álava 4, 3rd floor – ZIP 01001 de Vitoria (Álava) or by sending an e-mail to hola@chubbyapps.com, enclosing in any case a photocopy of your ID card.

CORI HEALTH&CARE, S.L.U. will respond to all requests within the terms and conditions required by current legislation on the protection of personal data.

In any case, if you consider that we have not treated your personal data properly or that we have not properly addressed the exercise of your data protection rights, you can file a complaint with the Spanish Data Protection Agency, either through its electronic headquarters or at its address, at Calle Jorge Juan, nº 6, C.P. 28001, Madrid.

You have more information about data protection rights and claims before this supervisory authority at www.aepd.es.

10.- Cookies and other similar technologies

As the privacy of CORI users is very important to us, we do not use cookies or any other technology to track user activity that collects personal data about the user.

However, as noted in the third clause, we use the services of Google Analytics, Google Crashlytics and RevenueCat to analyze, anonymously, the use of the application to identify and implement improvements in CORI.

11.- Changes in the Privacy Policy

We are constantly trying to improve CORI to provide you with the best user experience so if those changes affect your privacy we will be forced to modify this Privacy Policy. The same applies in the event of legislative changes.

Therefore, if we change this Privacy Policy we will inform you through our website and in the application itself. In any case, at the beginning of these terms we indicate the date of the last version in force and the date of its publication.

12.- Applicable regulations

The terms of this Privacy Policy are governed by the European data protection regulations applicable to us, specifically, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).

13.- We solve your doubts. 

If you have any questions regarding the terms of this Privacy Policy you may contact us by sending an email to hello@cori.care