
Privacy Policy

💡  This Privacy Policy is applicable to the personal data processed by Human Engineering Health Oy (Veri or we) relating to the users of Veri’s platform, mobile application (App) and website as well as any services or products included thereto (collectively, the Veri Services). This Privacy Policy is also applicable to personal data processed by Veri in regard to the representatives of our vendors, business partners and customer organizations, including personal data processed within our CRM database or in connection to our direct marketing activities. The aforementioned data subjects are hereinafter collectively referred to as Users or you.

Last updated: July 2024

If you have any questions regarding your data processing, access, or data erasure pertaining to the Veri Services, you can reach out to our Data Protection Officer at dpo@veri.co.

Please note that this Privacy Policy only applies to processing carried out by Veri as a data controller. This Privacy Policy does not address, nor are we responsible for, the privacy and data processing practices of any third parties.

The controller for all personal data processed through the Veri Services is Human Engineering Health Oy (business ID: 3115245-3). The address of the controller is Kaikukatu 4 C, 00530 Helsinki, Finland. Please note that our US subsidiary Human Engineering Inc. or a party nominated by it shall also act as a controller for the personal data of our US-based data subjects.

Data Collection

What data do we collect and why

We use data to provide you with and improve the Veri Services, namely the Veri App. We also use data of our Users as customers to enable payment processing, and for marketing purposes by sending offers and guidance to our customers and prospects interested in our products and services.

Default data is information we need in order to provide the Veri Services to you. This information typically includes personal data concerning your purchases of relevant Veri Services as well as subsequent account creation as detailed below. The legal basis for processing Default data is primarily performance of contract. However, we may also process such Default data for our legitimate interest of ensuring the security and integrity of the Veri Services or for establishment, exercise or defense of legal claims pertaining to your use of the Veri Services. Further, Default data may be processed for direct marketing purposes based on your underlying consent which you may revoke at any time.

Optional data is the information needed to provide the best possible usage experience of the Veri app, or it can be information we collect to improve the Veri Services and its usability or send you tailored messaging. Some features might not work as intended without certain optional data (for example, you need to add food into the Veri app for the meal logging to work).

Note that we also need to process certain health-related information for the Veri app to work properly. This includes glucose data from your CGM and, based on your choosing, dietary information, height, weight, BMI and heart rate.

The possible personal data categories falling under Optional data are further highlighted below.

The legal basis for processing optional data for providing the intended user experience for Veri App is performance of contract whereas we rely on our legitimate interest to process information for the development of the Veri Services and its usability via analytics or marketing the Veri Services. For personal data falling under article 9 of the GDPR, i.e., health-related information, we further rely on your explicit consent.

For the purposes of developing and improving the Veri Services, we de-identify the collected data in multiple cases when possible. De-identifying means removing or masking the personal identifier so that someone’s identity cannot be revealed. The technical solutions for de-identifying vary between our use cases, from pseudonymization to anonymization.

Pseudonymized data shall be treated as personal data and processed in accordance with this Privacy Policy and applicable laws. It mainly relates to user analytics purposes pertaining to the Veri App and does not by default include sensitive personal data.

💼 Account information

  • When you purchase Veri products and services through our website, we collect your name, email, phone number, billing, and shipping address.
  • We also collect your payment details. In countries where it is required, we will also collect your date of birth to determine your eligibility to receive the CGMs.
  • This information is required for account creation, payment, and for us to ship our products to you.


🧾 (US) Medical consult questionnaire

  • In the US, when purchasing Veri Services, our telemedicine partner needs to collect information about your health to determine your eligibility to receive the CGMs. This data is processed in compliance with our obligations as a HIPAA Business Associate.
  • This information is required in the US to receive the CGMs and for us to fulfill our service.


📱 App information - General

  • When you use the Veri app, you can log the following data: meals, activities, notes, sleep, and meal pictures. You can also add your date of birth, personal goals, and dietary information.
  • You can import data from 3rd parties such as Apple Health, Google Fit, Oura, or Fitbit.
  • This data is optional, and it is used to enhance your product experience. Some features might require your data to work as intended. After de-identification, we might use this data for research purposes and to improve the Veri app, for example by training our algorithms and understanding our customer base for product development.
  • Veri also has features such as automated tutorials and reminders which require the app to collect event logs of app usage to function properly. This data is default data as it is required to provide our service.


🩺 App information - Health

  • For Veri to work, we need to collect glucose data from your CGM via the manufacturer’s software. This data transfer is subject to the manufacturer’s privacy policy. We use the glucose data and its derivatives to create metrics and scores that are based on glucose (for example Metabolic Healthspan).
  • When you use the Veri app, you can also log your height, weight, BMI, and heart rate.
  • This data is used to provide the Veri app experience, which is mainly based on glucose data. Other health data is optional and is used to enhance the product experience. After de-identification, we might use this data for research purposes and to improve our product, for example by training our algorithms and understanding our customer base for product development.


💡 Analytics and Marketing

  • If you wish to help our product development and improve our understanding of our customer base, you can opt in to share detailed de-identified event logs of the usage of our service, such as how often a certain feature is being used.
  • You can also opt in to sharing your optional general app information, such as your birthday, for us to send you targeted marketing and discounts.
  • We also collect event logs on our website. These are optional, and you can opt in to them by accepting cookies.
  • We collect Veri app crash reports and error logs to provide high-quality service for everyone and improve the quality of our service. This data is default data as it is required for us to provide our service to our customers.


💌 Communication

  • We may store support conversations, feedback, or emails you have sent us.
  • If you participate in customer interviews, our team will always ask for your consent before recording the conversation.
  • If you give us in-app feedback about our features, we might also store some de-identified app information, such as how long you have used a certain feature. This is used for analysis and product development.


Where do we collect data

We collect personal data generated through the Veri Services that have either been provided or shared directly by the User or arisen from the User’s use of the Veri Services. Additionally, we collect personal data through 3rd parties where the User has chosen to share their data with us (i.e. Google Fit, Apple Health, Oura) and on the Coaching Dashboard available to our partners and their clients.


Data storage

We retain your data as long as is necessary for us to fulfill the purpose for which the data is collected. Your Default personal data shall be stored for a maximum of five years after you stop using the Veri Services. However, in some instances we may have to process personal data for longer periods in order to fulfill our legal obligations. Your personal data processed on the basis of consent will be processed for as long as you give us your consent to do so.


Data processors

We may transfer your personal data to third-party service providers to, for example, provide our Veri app service, communicate with you, manage your subscription for the Veri Services, or handle payments and shipping. We always transfer as little data as possible and have adequate personal data processing agreements and safeguards in place with each 3rd party we use.


3rd party services used in the Veri app and services

  • Cloud infrastructure, automation, data storage: AWS, Google (Cloud & Firebase), Zapier, Vercel
  • Telemedicine partners: Foundation Health, OpenLoop, Beluga Health
  • Order fulfillment: Health Warehouse, OGOShip, Blueco
  • Payments & subscription management: Stripe, Chargebee, RevenueCat
  • Glucose data: Abbott
  • App analytics, Feedback collection: Mixpanel
  • AI photo recognition and analytics: OpenAI, Google
  • Internal service development: Google (Drive), Slack, Notion
  • Communication, Support: Intercom, CustomerIO, Circle, Google (Gmail)
  • Customer interviews: Otter.ai, Typeform, Calendly
  • Web analytics: Hotjar, Facebook Pixel, Google Analytics, Captiv8, IPGeolocation, Convert Insights
  • Marketing analytics: Trevor, Stitch, Fivetran


Transfers outside the EU/EEA

Veri App’s servers are located in Paris, France. Where we process your personal data to provide and improve the Veri App or analyze usage data, we may transfer personal data to the US. When processing personal data outside the EU/EEA, we ensure an adequate level of data protection, for example through the EU-U.S. Data Privacy Framework, Standard Contractual Clauses or other similar arrangements.


Data export and deletion

You can export your glucose, meal, and exercise data from the Veri app settings.

You can export past invoices in our membership management portal, where you can also view your payment history and shipping details.

You can also choose to delete your Veri account within the Veri app; however, this does not destroy your logged data with us. It also does not remove any active subscriptions. You’ll need to either cancel your subscription separately or ask our team to help with the cancellation by emailing care@veri.co.

At your request, we can de-identify your account in our membership platform; however, we cannot remove past payment and order data as it is stored for fraud prevention and compliance reasons. We also cannot directly remove your data from any 3rd party platforms we use, but you can contact us to request the data deletion on your behalf.

Data protection

How we secure your data

We value your privacy. We value security.

Your App information is stored in secure databases hosted by well-established third parties. The data is encrypted at rest using the industry standard AES-256 encryption algorithm. The third parties do not have access or permission to use your personal information, except for necessary cloud storage or retrieval activities.

The secure databases have also been configured so that our employees cannot directly see or access your stored personal app information. To improve our product further, develop our algorithm, and understand our customer base, we de-identify the information to ensure your privacy stays intact.

All our employees who may interact with your personal information, such as your shipping address information or your messages to our customer support, have gone through both annual GDPR and HIPAA training.

GDPR

In the EU and UK, we follow, respectively, the GDPR and UK GDPR principles and obligations.

Under GDPR and UK GDPR regulations, customers in the EU & UK have the following rights:

  • Right to inspect: You can ask which data we hold of you
  • Right to rectify: You can correct us if you find any mistakes in the data we hold
  • Right to erasure: You can ask us to delete the data we have of you, to the extent we are able to do so
  • Right to restriction of processing: You can ask us to stop processing your data
  • Right to data portability: You can ask for your data
  • Right to object: You can object to the way we use your data

You can contact our Data Protection Officer with any questions, access, removal or other GDPR-related matters at dpo@veri.co.

In addition, you have the right to make a complaint with the data protection authorities if you think the processing of your data infringes data protection laws.

HIPAA

Veri is considered a Business Associate as defined under the Health Insurance Portability and Accountability Act (HIPAA) to our independent pharmacy and fulfillment network partners with respect to the information you provide in the medical consult form. We treat all personal health information (PHI) collected in the medical consult process in compliance with our Business Associate Agreements with our Covered Entity partners.

Veri is not intended for medical use and does not provide medical care, and is thus not a Covered Entity under HIPAA. Regardless, all glucose data is transferred in encrypted form and stored securely. The access to all data is strictly limited. Veri maintains access logs to all data to ensure compliance with HIPAA. We utilize Safe Harbor de-identification methods.

Corporate customers and Business partner relationships

Personal data is processed to maintain our relationships with our business partners.

Category of data subjects: Representatives of corporate business partners and individual business partners.

Categories of personal data: Basic information and contact details.

Legal basis for processing: Performance of our contractual obligations or consent.

Amendments

We have a unilateral right to modify this privacy notice. We modify the privacy notice whenever necessary, for example in the case of changing legislation. The modifications take effect immediately when we post an up-to-date version of this privacy notice to our website.

If we make significant changes to the privacy notice, or if there is a significant change in the way it is used, we will notify the data subjects.