Last Updated: September 13, 2024
We may also collect personal information through other online services you use to interact with us such as online webinars and social media platforms, where we may be unable to directly provide a link to this Privacy Notice because the online service is owned by another party.
Some of our other products and services will contain a link to their own privacy notice, which applies in lieu of this Privacy Notice.
If you are in the United States of America, please note this Privacy Notice does not cover our use, collection, or disclosure of your Protected Health Information (“PHI”) under the Health Insurance Portability and Accountability Act (“HIPAA”). For more information about these practices, see our HIPAA Notice of Privacy Practices. If you are a California resident, please see section 11 below (“Notice for California Consumers and Your California Rights”), which sets forth additional information and rights you may have under California law relating to your information that is not HIPAA-covered PHI.
If you are in the European Union, Iceland, Liechtenstein and Norway (i.e., the "European Economic Area" or "EEA"), the United Kingdom ("UK"), Switzerland, or Canada, please see Section 12 (“Additional Information for Users Outside the United States”) for additional information which is specific to you.
This Privacy Notice does not cover personal information that may be collected about you as an applicant for a job at Tandem or as a member of Tandem's workforce.
If you have any questions or concerns about our use of your personal information, please contact us using the contact details provided at the bottom of this Privacy Notice.
Personal information generally means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly with you. Personal information does not include information that is de-identified or aggregated. We may combine your personal information with data we obtain from our Services, other users, or other parties. We reserve the right to convert, or permit others to convert, your personal information into deidentified, anonymized, aggregated, or pseudonymized data, as permitted by law.
What personal information we collect may differ depending on how you interact with us. For example, we collect personal information when you use our Services, such as when you use our Apps which track your insulin. This personal information may differ from personal information we collect from health care providers or a clinic administrators appointed by a health care provider (collectively referred to as “HCPs”).
Personal information we collect about you may include:
We may collect your personal information directly from you, from other parties, or from you indirectly through cookies and other technologies, including through the following sources.
Directly from You, When You:
Additional Sources:
We may also receive your personal information from a variety of sources, including external parties such as advertising networks, internet service providers or ISPs, contractors, data analytics providers, government entities, and social networks, as defined by applicable law.
In addition, we work with distributors across the world in order to provide our Services to you. Personal information will therefore be provided by you to the relevant in-country distributor when using a Tandem Service. The distributor may pass on some of this information to us if necessary, for example, to return a faulty device for investigation. Please check your relevant in-country distributor's privacy notice to find out more about the information which it will process.
We may also receive personal information from partner services when you connect our connected devices or our Services to them, or where you choose to use a Services feature provided by an external party. For example, we may also receive personal information about you from partners when you integrate a partner’s product with our connected devices or Services or otherwise authorize a partner service to provide personal information about you to us. Any use of an external online service may be subject to that service’s terms and privacy policies.
Indirectly Through Cookies and Other Technologies:
We may receive your personal information through the use of cookies and other tracking technologies. For more details, see the Cookies and Other Tracking Technologies section of this Privacy Notice.
We collect, use, disclose, or otherwise process your personal information for various purposes, including the following:
With your consent, or as allowed by applicable law, we may disclose your personal information, as described above, to:
We may also disclose your personal information to an actual or potential buyer (and its agents and advisers) in connection with any actual or proposed sale or transfer of all or a portion of our business assets (e.g., further to an actual or proposed merger, reorganization, liquidation, bankruptcy, or any other business transaction), including negotiations of such transactions.
This Privacy Notice does not apply to the practices of companies we do not own or control. Our Services may provide a link or otherwise provide access to external services. We provide these links merely for your convenience. We have no control over, do not review, and are not responsible for external services. External services and other businesses may have their own privacy policies which are applicable.
We may use tracking technologies, such as cookies, including tracking technologies managed by vendors or external parties.
Tracking technologies can generally be categorized as follows:
We may combine tracking technology information with other personal information about you. We or external parties, on our behalf and pursuant to contract, may collect personal information about your online activities over time and across different online services when you use our Services.
We may use Google Analytics or other providers for analytics services. We may also implement Google Analytics Advertising Features such as remarketing with analytics and interest-based ads. We may use first-party cookies or other first-party identifiers as well as third-party cookies or other third-party identifiers to, e.g., deliver advertisements, measure your interests, and/or personalize content. For more information on how Google Analytics uses data collected through our Services, visit http://www.google.com/policies/privacy/partners. To opt out of Google Analytics cookies, visit https://tools.google.com/dlpage/gaoptout or download the Google Analytics Opt-Out Browser Add-On.
You may also opt out of certain tracking technologies by visiting the opt out services by the Digital Advertising Alliance in the US, the Canadian Digital Advertising Alliance in Canada, and the European Digital Advertising Alliance in the EU. You can visit Ad Choices (US), Your Ad Choices (Canada), or Your Online Choices (EU). Opting out through these services does not mean you will no longer receive advertising from us, or when you use the Internet.
Depending on your device settings, you may also opt out of certain interest-based advertising through the device’s "Limit Ad Tracking" or equivalent feature. Refer to your device for more information on what this opt out affects. For instance, you can generally adjust or reset the advertising identifiers on your mobile device in the device settings.
You can set your browser to refuse cookies from websites, but if you do so, you may not be able to access or use portions of our Services, and certain offerings on our Services may not function as intended or as well.
We are not responsible for opt out processes provided by external parties.
We use appropriate administrative, technical, physical, and organizational measures to protect the personal information we collect and process about you. The measures we use are designed to provide a level of security appropriate to the risk of processing your personal information. This includes managerial measures, including establishment and implementation of internal management plan and periodic training for employees; technical measures, including controlling access rights to personal information processing systems and encryption of important data; and physical measures, including external security and management of system servers. While we implement security measures designed to be appropriate to the relevant risks, please note no data transmission over the Internet or any wireless network can be guaranteed as being 100% secure.
We will store your personal information for no longer than is necessary for the performance of our obligations or to achieve the purposes for which the information was collected, or as may be required or permitted under applicable law. To determine the appropriate retention period, we will consider the amount, nature, and sensitivity of the data; the potential risk of harm from unauthorized use or disclosure of the data; the purposes for which we process the data and whether we can achieve those purposes through other means; and the applicable legal requirements. Unless otherwise required by applicable law, at the end of the retention period we will remove personal information from our systems and records or take appropriate steps to properly anonymize, deidentify, or aggregate it, where legally applicable.
Our Services may have settings available to you, depending on the Service, to allow you to set preferences. Information collected through our various Services, such as between our online portals and Apps, may not be synchronized (especially when you are not logged into one Service, and you are logged into another). Where information is not synchronized and you would like to have consistent settings, you may contact customer service if you have any issues or to make sure your settings across Services are consistent by accessing each Service independently.
If you receive marketing emails from us, you may opt out through the email’s instructions, as provided. Please note that regardless of your email preferences, we may send you notifications pertaining to the performance of our Services, such as revision of our Terms of Use or this Privacy Notice or other formal communications relating to Services you have purchased or use. If you receive texts from us, you may opt out by texting “STOP” to the number contacting you.
Parts of our Services may be available and/or directed to children. Where required by law, we seek to obtain the verifiable parental consent from the child’s parent or guardian. Where the law requires us to obtain verifiable parental consent and we learn that a child, as defined under that legal requirement, has provided us personal information independently without the permission of their parent or guardian, we delete that information.
This California Privacy Notice is provided pursuant to the California Consumer Privacy Act, as amended (the “CCPA”) and describes how Tandem may collect, use, and disclose personal information of consumers that reside in California. Please note certain information we collect, use, and disclose is considered PHI, as described above, and is therefore covered by our HIPAA Notice of Privacy Practices. For more information, please visit https://www.tandemdiabetes.com/legal/privacy/hipaa-notice-of-privacy-practices
Unless otherwise noted, the disclosures in Section 11 cover our activities in the twelve (12) months preceding the Effective Date, as well as our current practices.
How and Why We Collect, Use, and Disclose Your Personal Information
Tandem may collect, use, and disclose personal information for business purposes consistent with applicable laws as identified below. Where Tandem transfers applicable personal information to recipients, such as our service providers, it does so for the same business purposes described below.These examples may vary depending on the nature of your interactions with us.
Category of Consumer Personal Information | Categories of Sources from which Collected | Business Purposes for Collection, Use, or Disclosure | Categories of Recipients to Whom Consumer Personal Information May be Disclosed for a Business Purpose |
---|---|---|---|
Identifiers (such as a real name, alias, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, social security number, driver’s license number, or other similar identifiers). | Directly from you Automatically when you use our electronic systems From service providers that help us to run our business
| Comply with applicable state and federal law Communicate with you Maintain business records Provide personalized advertising and marketing
| Examples include service providers, data analytics providers, security providers, background check vendors, and information technology vendors. |
Internet or other electronic network activity information, (including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website application, or advertisement). | Directly from you Automatically when you use our electronic systems From service providers that help us to run our business
| Comply with applicable state and federal law Communicate with you Maintain business records Provide personalized advertising and marketing
| Examples include data analytics providers, security providers, and information technology vendors. |
Any personal information described in subdivision (e) of Section 1798.80 of the California Civil Code. | Automatically when you use our electronic systems From service providers that help us to run our business
| Comply with applicable state and federal law Communicate with you Maintain business records Provide personalized advertising and marketing
| Examples include data analytics providers, security providers, and information technology vendors. |
Approximate Geolocation data. | Automatically when you use our electronic systems From service providers that help us to run our business | Comply with applicable state and federal law Communicate with you Maintain business records Provide personalized advertising and marketing | Examples include data analytics providers, security providers, and information technology vendors. |
Commercial information, including records of personal property, Services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies. | Directly from you Automatically when you use our electronic systems From service providers that help us to run our business
| Comply with applicable state and federal law Communicate with you Maintain business records Provide personalized advertising and marketing
| Examples include service providers, data analytics providers. |
Professional or employment-related information. | Directly from you From service providers that help us to run our business
| Comply with applicable state and federal law Communicate with you Maintain business records
| Examples include background check vendors. |
We may also disclose each of the categories of personal information identified above to the respectively identified categories of recipients for operational or business purposes consistent with the purposes for collection or use designated, as is reasonably necessary and proportionate to achieve those purposes, or for another purpose that is compatible with the context in which the personal information was collected, including, but not limited to:
In addition to the other purposes for collection, use, and disclosure of personal information described in this Notice, we may collect, use, and disclose personal information as required by law, regulation or court order; to respond to governmental and/or law enforcement requests; to identify, contact or bring legal action against someone who may be causing injury to or interfering with our or others’ rights or property; to support any actual or threatened claim, defense or declaration in a case or before any jurisdictional and/or administrative authority, arbitration or mediation panel; or in connection with disciplinary actions/investigations. Likewise, we may use and disclose personal information to other parties in connection with the sale, assignment, merger, reorganization, or other transfer.
Selling and Sharing of Personal Information
We may sell or share the following categories of personal information with third parties for the purposes of cross-context behavioral advertising:
We sell and/or share this personal information with third parties for advertising purposes. The third parties to whom this personal information was sold and/or shared are advertisers and analytics vendors. When we use the terms sell, sold, or sale, we mean for valuable consideration and not monetary value.
We offer you the ability to opt out of sales and sharing of your personal information as set forth in the “Right to Opt Out of Sales and Sharing of Personal Information” section below.
We do not have actual knowledge that we sell or share the personal information of consumers under sixteen (16) years of age.
Data Retention
To learn more about our data retention practices, please see Section 8.
California privacy rights
If you are a resident of California, you have the right to submit certain requests relating to your personal information as described below. If you would like to submit a request pursuant to your rights under HIPAA instead of CCPA, please contact us at privacy@tandemdiabetes.com and indicate that you are making a HIPAA request. To exercise your CCPA rights, please submit a request by email to privacy@tandemdiabetes.com, or by calling us at 1-877-283-8720. Please note that, depending on the nature of your request, you may be asked to provide information to verify your identity before your request can be processed.
We will confirm receipt of your request and respond to your request as soon as we reasonably can and no later than legally required. You may designate an authorized agent to make a request on your behalf; however, you will still need to verify your identity directly with us before your request can be processed.
Right to Know. You have the right to know what personal information we have collected about you, which includes:
a. The categories of sources from which the personal information was collected.
b. Our business or commercial purposes for collecting, selling, or sharing personal information.
c. The categories of recipients to which we disclose personal information.
d. The categories of personal information that we sold, and for each category identified, the categories of third parties to which we sold that particular category of personal information.
e. The categories of personal information that we disclosed for a business purpose, and for each category identified, the categories of recipients to which we disclosed that particular category of personal information.
2. The specific pieces of personal information we have collected about you.
Right to Delete Your Personal Information. You have the right to request that we delete personal information we collected from you, subject to certain exceptions.
Right to Correct Inaccurate Information. If you believe personal information we maintain about you is inaccurate, you have the right to request we correct that personal information.
Right to Opt Out of Sales and Sharing of Personal Information. You have the right to opt out of the sale or sharing of your personal information and to request that we do not share your personal information for cross-context behavioral advertising in the context of cookies and other tracking technologies. To opt out of the sale or sharing of your personal information via cookies and other tracking technologies, please click on the “Do Not Sell or Share my Personal Information” link in the footer of our website. You may also opt out of the sale or sharing of your personal information through an opt out preference signal. In order to process your request through an opt out preference signal, you must use a browser supporting the preference signal.
Right to Limit Use and Disclosure of Sensitive Personal Information. We do not use or disclose sensitive personal information for purposes to which the right to limit use and disclosure applies under the CCPA.
Right to Non-Discrimination for the Exercise of Your Privacy Rights.
If you choose to exercise any of the privacy rights described above, we will not discriminate against you.
California Shine the Light
We do not share personal information with third parties or affiliates for those third parties’ or affiliates’ own direct marketing purposes. Californians may request information about our compliance with this law by contacting us at privacy@tandemdiabetes.com.
Canadian Residents
If you are located in Canada: If you are a Canadian resident, you have the right to request how we use your personal information and the recipients to which it has been disclosed. If you live in Canada and would like to receive written information about our policies and practices regarding service providers outside of Canada, please refer to our contact information below.
Data Subject Rights Relevant for Those in the EEA, UK and Switzerland
Please note, we do not currently use your personal information for automated decision making which produces legal effects concerning you or similarly significantly affects you.
The GDPR and UK GDPR provide EEA and UK residents with certain rights regarding their personal information. If you are a resident of the EEA or the UK, subject to certain conditions, you may ask us to take the following actions in relation to your personal information:
Withdraw your consent for processing personal information where applicable.
Under the Swiss Data Protection Act you have similar rights, subject to certain restrictions defined by law that we are entitled or even required to apply (e.g., to protect third party interests).
If you would like to submit a complaint about our use of your personal information or our response to your requests regarding your personal information, you may contact us at DPO@tandemdiabetes.com or you have the right to submit a complaint to a data protection regulator. EEA residents can find information about your data protection regulator here. The data protection regulator for residents of the UK is the Information Commissioner’s Office.
Additionally, if you reside in Italy and are an individual with a direct interest in a deceased user’s personal information, or are a representative of a deceased user acting to protect the deceased user or his/her family interests, then you have the right to exercise the rights described above except for the right to delete.
If you reside in France, you may designate a person to carry out specific or general instructions on how to store, delete or communicate the personal information relating to you after your death. If the instructions relate only to the personal information we hold about you, you may choose to directly notify us such instructions.
If you reside in Portugal, you may appoint who can exercise your rights or to give instructions not to exercise them at all after your death regarding special categories of personal information (such as health data) or data related with private life, images or communications.
You may exercise some of these rights and choices through Service features, such as editing your account settings or profile details when you are logged in. Additionally, you can submit requests by email to DPO@tandemdiabetes.com. We may request specific information from you to help us confirm your identity prior to processing your request. Applicable law may require or permit us to decline your request. If we decline your request, we will tell you why, subject to legal restrictions. If you would like to submit a complaint about our use of your personal information or our response to your requests regarding your personal information, you may contact us at DPO@tandemdiabetes.com or submit a complaint to a data protection regulator. EEA residents can find information about your data protection regulator here. The data protection regulator for residents of the United Kingdom is the Information Commissioner’s Office.
International Data Transfers
Our servers, which provide your Service content and store the personal information you provide to us, are located in the U.S. and the Netherlands. If you are accessing the Service from another country, please be aware you are transmitting information collected through the Service, including your personal information, to the countries where our servers are located. Depending on where you access the Service from, the data will be processed on one of those servers. These countries may not afford the same privacy protections as the country where you are using the Service. For users outside of the EEA and the UK, your use of the Service, including your provision of any personal information to us via the Service, demonstrates your acknowledgement of and agreement to this personal information processing.
Subject to applicable data transfer protection laws, we may transfer your personal information among our affiliate entities or to external parties located in other countries where we have implemented appropriate transfer mechanisms and safeguards.
If you are located in the EEA, UK and Switzerland
Where we transfer your personal information to countries and territories outside of the EEA, the UK and Switzerland, which have been formally recognised as providing an adequate level of protection for personal information, we rely on the relevant “adequacy decisions” from the European Commission and “adequacy regulations” from the Secretary of State in the UK, and the Swiss Federal Council (together referred to as "EEA/UK/Swiss adequacy decisions").
Some EEA /UK/Swiss adequacy decisions require Tandem to take steps in order for relevant transfers to be covered, in particular for transfers to the U.S. under the EU-U.S. Data Privacy Framework ("EU-U.S. DPF"), the UK Extension to the EU-U.S. DPF ("UK Extension"), and the Swiss-U.S. Data Privacy Framework ("Swiss-U.S. DPF") as set forth by the U.S. Department of Commerce.
Tandem's US entities (Tandem Diabetes Care, Inc. and Sugarmate, LLC) have certified to the U.S. Department of Commerce that they adhere to:
the EU-U.S. Data Privacy Framework Principles ("EU-U.S. DPF Principles") with regard to the processing of personal data received from the EEA in reliance on the EU-U.S. DPF and from the UK in reliance on the UK Extension to the EU-U.S. DPF; and
the Swiss-U.S. Data Privacy Framework Principles ("Swiss-U.S. DPF Principles") with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF.
To learn more about the Data Privacy Framework ("DPF") and to view our certification, see here. It is important however for us to provide you with the following information about our certification:
Where the transfer is not subject to an adequacy decision or regulations, we take appropriate safeguards to require your personal information will remain protected. The safeguards we use under GDPR, include the European Commission’s Standard Contractual Clauses ("SCCs") as issued on 4 June 2021, in the form of modules 1 (controller to controller), module 2 (controller to processor), module 3 (processor to processor) and/or module 4 (processor to controller), as appropriate depending on our relationship with the recipient(s). We incorporate the UK's International Data Transfer Addendum to the EU Commission SCCs as permitted under Article 46 of the UK GDPR, when transferring personal information protected under UK GDPR.
Our SCCs can be provided on request. Please note some sensitive commercial information may be redacted. For details of what personal information may be transferred to group entities or third parties, please see the Disclosing Your Information section of this Notice above.
Legal Bases Relevant for Those in the EEA and UK
For users located in the European Economic Area and the United Kingdom, the following information specifically applies to you. Our processing of your personal information is carried out under the following legal bases:
Given the nature of our business, we may process special categories of your personal information in the form of health information. This information includes diabetes therapy data, such as your glucose levels, and lab charts. We will only process this information in accordance with applicable law such as obtaining your explicit consent or where processing is necessary for reasons of public interest in the area of public health.
We may update this Privacy Notice from time to time. You can see when this Privacy Notice was last updated by checking the “Last Updated” date displayed at the top of this Privacy Notice. Any changes to this Privacy Notice take effect immediately after being posted or otherwise provided by Tandem.
If you reside in the US
Tandem Diabetes Care, Inc.
Attn: Legal Department
12400 High Bluff Drive
San Diego, CA 92130
Email: privacy@tandemdiabetes.com
If you reside in the European Economic Area or the UK, please either contact:
Tandem directly at privacy@tandemdiabetes.com or
Tandem’s EEA and UK Data Protection Officer (DPO)
at
Fieldfisher LLP
Attn: Data Privacy
Riverbank House
2 Swan Lane
London
EC4R 3TT
Email: DPO@tandemdiabetes.com
The data controller of your personal information is Tandem Diabetes Care, Inc.