Cori Privacy Policy

Last version: October 23, 2023

1. Introduction

Privacy is a fundamental human right. For this reason, we have developed Cori to be as respectful as possible of your privacy, intimacy, and personal data. Your data belongs to you, and with Cori, you have full control over it.

In this privacy policy, we will explain what personal data we process, how we process it, how we comply with the principles and obligations established by the regulations, and what your rights are concerning data protection.

2. Who are we?

Cori is an application that has been developed by the commercial company CORI HEALTH & CARE, S.L.U., with Tax Identification Number (NIF) B01740364, and domiciled in Spain, at Diputación Foral de Álava 4, 3rd Floor, Postal Code 01001 in Vitoria-Gasteiz (Álava).

CORI HEALTH & CARE, S.L.U. is registered in the Álava Commercial Registry, Volume 1705, Folio 221, Sheet VI-20033, First Entry.

In accordance with the above, we inform you that, from a data protection regulatory perspective, the data controller is the company, with the details previously provided.

3. What data do we process about you?

Cori is a non-medical application that allows you to monitor your diabetes through glucose, daily activity, sleep, and exercise. To use the application, it is essential to create a user account. All personal data manually or automatically entered into the application belong to the USER, who has the freedom to exercise all rights established by law.

3.1. Apple Health Data

Cori uses the APIs provided by Apple to read and/or write data found in the Apple Health application (https://www.apple.com/lae/privacy/) on your device. Specifically, for proper functioning, Cori requires reading:

  • Activity.
  • Height.
  • Pedaling cadence.
  • Aerobic capacity.
  • Walking/running distance.
  • Biking distance.
  • Snow sports distance.
  • Wheelchair distance.
  • Activity energy.
  • Workouts.
  • Walking stability.
  • Birthdate.
  • Heart rate.
  • Resting heart rate.
  • Respiratory rate.
  • Blood glucose.
  • Impulses.
  • Exercise minutes.
  • Standing minutes.
  • Blood oxygen.
  • Steps.
  • Weight.
  • Floors climbed.
  • Biking power.
  • Workout routes.
  • Gender.
  • Wheelchair.
  • Sleep.
  • Wrist temperature.
  • Heart rate variability.
  • Biking speed.

It also requires write access for:

  • Aerobic capacity.
  • Carbohydrates.
  • Walking/running distance.
  • Activity energy.
  • Workouts.
  • Heart rate.
  • Floors climbed.
  • Workout routes.
  • Heart rate variability.

Apple Health data will only be used to visualize movement, sleep, or exercise in relation to the App. In any case, they will not be used for marketing, advertising, or data extraction based on use, even by third parties.

Cori cannot read and/or write to Apple Health without your explicit consent. Once access is granted, the app can save this information on cloud servers contracted by CORI HEALTH & CARE, S.L.U. to provide functionalities described in the product sheet, such as cloud synchronization, among others.

You can find more information about Apple Health at the following link: https://support.apple.com/es-es/guide/iphone/iphbb8259c61/16.0/ios/16.0

3.2. Location Data

If you view and/or record your outdoor workouts with Cori, we can use your location data to show you a map of your workout route.

Cori cannot access your location data without your explicit consent. The application accesses your location data locally during the workout and/or when reading workout routes from Apple Health. It can access them as long as the user grants permission as described in point 3.2.

In any case, they will not be used for marketing, advertising, or data extraction based on use, even by third parties.

3.3. Other Personal Data

Cori collects other personal data, such as medication, your movement goals, training plans, streaks, and/or achievements to facilitate the proper functioning of the application and all its functionalities. These data are stored locally on your device and on cloud servers contracted by CORI HEALTH & CARE, S.L.U.

For this, we use MongoDB, where data is transferred securely and encrypted according to industry standards. MongoDB is certified under the EU-US Data Privacy Shield Framework. When a user creates their account, they are assigned a random ID, allowing the information to be stored anonymously in the database.

These anonymous data may be used to help us create, develop, deliver, protect, and improve our products, services, and content.

In this regard, it is important to note that to use Cori, it is essential to have a user account. Thus, if the USER loses access to their password, cannot recover it, and/or cannot access their Apple or Google account (if using them as authentication methods), they may lose access to all their information.

You can consult MongoDB’s privacy policy at this link: https://www.mongodb.com/legal/privacy

3.4. Technical and Usage Data

Lastly, we use analytics services to analyze how Cori is used, which allows us to detect and identify improvements to be made in the App. For this, we use TelemetryDeck and RevenueCat, although the data collected by these services are completely anonymous. When a user installs the app, TelemetryDeck and RevenueCat assign each user a random and anonymous ID, without us knowing the real identity of that user. This way, we can know, for example, that a user ID has subscribed to Cori, or see the sessions carried out in a day.

You can consult TelemetryDeck’s privacy policy at this link: https://telemetrydeck.com/pages/privacy-policy.html

Next, you can also check TelemetryDeck’s terms of service: https://telemetrydeck.com/pages/termsofservice.html

You can review RevenueCat’s privacy policy at the following link: https://www.revenuecat.com/privacy

You can also consult RevenueCat’s terms of service at the following link: https://www.revenuecat.com/terms

You can review the Data Processing Addendum at this link: https://www.revenuecat.com/dpa

4. Principles related to processing according to the General Data Protection Regulation

At CORI HEALTH & CARE, S.L.U., we are clear that the most important thing is the privacy of Cori users. Therefore, from the beginning, we have conceived and developed it taking into account compliance with the principles required by the General Data Protection Regulation. But how do we comply with these principles? We explain it below:

  1. Principle of lawfulness, loyalty, and transparency: Through this privacy policy, we offer detailed and transparent information about the treatment we give to the personal data of Cori users, always based on the existence of a legal basis that legitimizes the processing of personal data.
  2. Purpose limitation principle: All data is stored anonymously in the database, using the random ID assigned to each user when creating their account. We only use anonymous user data to develop, protect, and improve our products, services, and content.
  3. Data minimization principle: We collect the minimum data essential for the proper functioning of the application. The user can choose whether or not to provide such information and can delete it.
  4. Accuracy principle: The user can create, view, update, and delete their data whenever they see fit, so they can keep them up to date.
  5. Storage limitation principle: This principle requires that personal data not be retained in a form that allows the identification of the subjects for longer than necessary for the purposes of processing. Personal data can, however, be retained for longer periods as long as they are processed exclusively for archiving in the public interest, scientific or historical research purposes, or statistical purposes. We do not process personal data from Cori users; we only have anonymized data to detect areas of improvement, keeping them only for the period necessary to analyze and, if applicable, implement those improvements, and subsequently deleting them.
  6. Integrity and confidentiality principle: At CORI HEALTH & CARE, S.L.U., we apply appropriate technical and organizational measures to ensure adequate security of personal data, including protection against unauthorized or unlawful processing and against its loss, destruction, or accidental damage. To determine the security measures we apply, we conduct risk assessments, which we review periodically. We also guarantee the confidentiality of our information to which persons and third parties who provide us with services in one way or another have access, by signing the corresponding confidentiality agreement with them.
  7. Principle of proactive responsibility: In addition to applying technical and organizational security measures, we document and review them to ensure and prove that the treatments we carry out comply with the requirements of the General Data Protection Regulation.

5. Data Protection by Design and by Default

At CORI HEALTH & CARE, S.L.U., we were clear from the outset that the privacy of Cori users would be of utmost importance. Therefore, for us, complying with this principle of data protection by design and by default presents no problem.

From the initial conception and subsequent development, we considered this principle and decided that, by default, Cori would allow the processing of the minimum data necessary for the user to monitor their health. These data are stored on cloud servers that comply with all the security and privacy requirements established by current law.

On our part, we have implemented measures aimed at complying with this principle and the other obligations established by the General Data Protection Regulation. As a result, the only data we process are anonymous data (not linked to users but to random identifiers), usage and interaction data with Cori, all for analytical purposes aimed at developing, protecting, and improving our products, services, and content.

6. Security

One of the most important premises for us, alongside the privacy of Cori users, is security. Therefore, we implement the highest security measures within our reach and permitted by existing technology at any given time. Additionally, we conduct periodic reviews to enhance the security of the app.

In any case, Cori meets the requirements set by Apple for developers in terms of security measures.

7. Information on the Processing of Personal Data

In accordance with the provisions of the General Data Protection Regulation and Organic Law 3/2018, of December 5, on Personal Data Protection and guarantee of digital rights, we inform you of the following matters related to the processing that we (do not) carry out of the personal data of Cori users:

Data Processing Manager: CORI HEALTH & CARE, S.L.U., with tax identification number (NIF) B01740364, and address at Diputación Foral de Álava Street 4, 3rd Floor, Postal Code 01001, Vitoria (Álava).

Personal Data Collected: As we have previously pointed out, CORI HEALTH & CARE, S.L.U. does not collect personal data from Cori users. We only process anonymous and random ID data (not linked to the users but to random identifiers), usage data, and interaction data with Cori, all for analytical purposes aimed at developing, protecting, and improving our products, services, and content.

Purpose of the Processing: As we have just indicated, the only data we process from Cori users are not related to them but are completely anonymous and are used solely for the purpose of analyzing the use of the application with the aim of developing, protecting, and improving our products, services, and content.

Legitimation of the Processing: The legal basis that legitimizes the processing of the aforementioned anonymous data is that it is necessary to satisfy our legitimate interests in improving the functionality, features, and performance of Cori.

Data Recipients: Personal data from Cori users is not communicated to any third party. However, for some matters, we use third-party services, which act as data processors, with whom we have signed the corresponding data processing contract in accordance with the provisions of Article 28.3 of the GDPR.

International Data Transfers: Your data can be transferred to servers located in other countries. These servers have the certification of the EU-US Data Privacy Shield Framework.

Data Retention Period: We only retain anonymous user data for the period necessary to analyze and, if applicable, implement issues and features that can improve Cori. Afterward, they will be deleted.

Rights of the Interested Party Regarding Data Processing: You can find all the information regarding this in the section “What are your rights regarding the processing of your personal data?”

Complaint to the Control Authority: You can find all the information regarding this in the section “What are your rights regarding the processing of your personal data?”

8. What Rights Do You Have Regarding the Processing of Your Personal Data?

Right of Access: To know and verify the lawfulness of the processing, you can request at any time that CORI HEALTH & CARE, S.L.U. confirm whether or not they are processing your personal data. If so, we will inform you, among other things, about the data we are processing, its purpose, the origin of the data, the expected retention period, and, if applicable, recipients or categories of recipients.

Right to Rectification: This right allows you to request the rectification of any inaccurate personal data or the completion of incomplete data, including through an additional statement. In such a case, you should specify in your request which data you are referring to and the correction that needs to be made. However, you can rectify or modify your personal data in Cori on your own.

Right to Erasure (“Right to be Forgotten”): You can request that your personal data be deleted and stop being processed if they are no longer necessary for the purposes for which they were collected or otherwise processed, you withdraw your consent, they have been unlawfully processed, or they must be deleted to comply with a legal obligation. You can delete the data, your account, or even remove the Cori app from your device.

Right to Restriction of Processing: In this case, CORI HEALTH & CARE, S.L.U. will only retain your personal data for the establishment, exercise, or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest.

Right to Data Portability: This right allows you to request that we provide you with your personal data, to you or another controller you indicate, in a structured, commonly used, and machine-readable format. You can download or export them to other services from the Cori app on your device.

Right to Object: In this case, you have the right to request that we stop processing your personal data in the manner you indicate unless we have compelling legitimate grounds for the processing. If you no longer want to use the application, you can delete your data, your account, or even remove the app from your device.

How to Exercise Your Data Protection Rights? To exercise your rights, you must send us a written request, specifying the right you wish to exercise, to CORI HEALTH & CARE, S.L.U., at Diputación Foral de Álava Street 4, 3rd Floor – Postal Code 01001, Vitoria (Álava), or by sending an email to hello@cori.care, always including a photocopy of your ID.

CORI HEALTH & CARE, S.L.U. will respond to all requests within the time frames and conditions required by current personal data protection regulations.

In any case, if you believe that we have not properly processed your personal data or have not properly addressed the exercise of your data protection rights, you can file a complaint with the Spanish Data Protection Agency, either through its electronic headquarters or at its address, Jorge Juan Street, No. 6, Postal Code 28001, Madrid.

You can find more information about data protection rights and complaints before this Control Authority at www.aepd.es.

9. Cookies and Similar Technologies

The privacy of Cori users is of utmost importance to us. In the application, we use neither cookies nor any other user activity tracking technology that collects personal data about them.

However, as we pointed out in the third clause, we use the services of TelemetryDeck and RevenueCat to analyze, anonymously, the use of the application to identify and implement improvements in Cori.

10. Changes to the Privacy Policy

We constantly strive to improve Cori to provide you with the best user experience. Therefore, if changes to Cori affect your privacy, we will be obligated to modify this Privacy Policy. The same applies in the event of legislative changes.

Thus, if we change this Privacy Policy, we will inform you through our website and in the application itself. In any case, at the beginning of these terms, we indicate the date of the last version in force and the date of its publication.

11. Applicable Regulations

The terms of this Privacy Policy are governed by the European data protection regulations that apply to us, specifically, Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation).

12. We Answer Your Questions.

If you have any questions regarding the terms of this Privacy Policy, you can contact us by sending an email to hello@cori.care.