Privacy Notice

Last Updated: October 31, 2024

Note if you are in the United States of America, this Privacy Notice does not cover Protected Health Information (“PHI”) under the Health Insurance Portability and Accountability Act (“HIPAA”). For more information, see our HIPAA Notice of Privacy Practices.

This Privacy Notice describes how Tandem Diabetes Care, Inc. (“Tandem,” “us,” “we,” or “our”) collects, uses, and discloses your personal information through products and services that include a link to this Privacy Notice (collectively, our “Services”), which includes, but is not limited to certain of our:

Websites, such as www.tandemdiabetes.com and www.sugarmate.io (“Websites”).
Web and mobile apps (“Apps”) and third-party integrations.
Online portals.
Downloadable computer software.
Connected devices, such as insulin pumps.
Offline activities, such as in-person or virtual tradeshows, customer interactions, conferences, seminars, focus groups or other events in which we participate or host, our social media channels, and surveys or questionnaires and any feedback you voluntarily provide to us ("Offline Activities").

We may also collect personal information through other online services you use to interact with us such as online webinars and social media platforms, where we may be unable to directly provide a link to this Privacy Notice because the online service is owned by another party.

Some of our other products and services will contain a link to their own privacy notice, which applies in lieu of this Privacy Notice.

If you are in the United States of America, please note this Privacy Notice does not cover our use, collection, or disclosure of your Protected Health Information (“PHI”) under the Health Insurance Portability and Accountability Act (“HIPAA”). For more information about these practices, see our HIPAA Notice of Privacy Practices. If you are a California resident, please see section 12 below (“Notice for California Consumers and Your California Rights”), which sets forth additional information and rights you may have under California law relating to your information that is not HIPAA-covered PHI.

If you are in the European Union, Iceland, Liechtenstein and Norway (i.e., the "European Economic Area" or "EEA"), the United Kingdom ("UK"), Switzerland, or Canada, please see Section 13 (“Additional Information for Users Outside the United States”) for additional information which is specific to you.

This Privacy Notice does not cover personal information that may be collected about you as an applicant for a job at Tandem or as a member of Tandem's workforce.

If you have any questions or concerns about our use of your personal information, please contact us using the contact details provided at the bottom of this Privacy Notice.

Navigation

1. Collection of Personal Information
2. Sources of Personal Information
3. Use of Personal Information
4. Disclosing Your Information
5. Personal Information Provided to External Businesses
6. Cookie and other Tracking Technologies
7. Interactive Features
8. Security
9. Data Retention

10. Your Choices
11. Children’s Personal Information
12. Notice for California Consumers and Your California Rights
13. Additional Information for Users Outside the United States
14. Do Not Track Disclosures
15. Updates to this Privacy Notice
16. How to Contact Us

1. Collection of Personal Information

Personal information generally means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly with you. Personal information does not include information that is de-identified or aggregated. We may combine your personal information with data we obtain from our Services, other users, or other parties. We reserve the right to convert, or permit others to convert, your personal information into deidentified, anonymized, aggregated, or pseudonymized data, as permitted by law.

What personal information we collect may differ depending on how you interact with us. For example, we collect personal information when you use our Services, such as when you use our Apps which track your insulin. This personal information may differ from personal information we collect from health care providers, clinic administrators appointed by a health care provider (collectively referred to as “HCPs”), visitors to our Websites or physical offices or individuals who contact us or voluntarily share personal information with us.

Personal information we collect about you may include:

Contact information. Name, email address, phone number, billing and mailing address, and zip code.
Identifiers. This may include your username, password, IP address, online identifiers, online advertising identifiers, and device identifiers or serial numbers.
Usage information. This may include your device type, device operating system, unique device identification numbers, browser-type, internet service provider, details of cookies stored on your browser, diagnostic performance reports, which webpages you visited and when, time spent on the Services and other similar technical information like software type, version, language, settings, and configuration. We may also collect information about how you or your device has interacted with our Services, our Websites and Offline Activities.
Customer records. This may include your birth date, signature, information provided to us when you contact us (including the reason for your inquiry, information necessary to address your inquiry and any other information you voluntarily provide and history of training with our Services.
Personal characteristics or traits. This includes demographic data, including those regarding characteristics protected by law, gender, and physical characteristics or description.
Commercial Information. Records of personal property, Services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
Internet/Network Information. This includes browsing history, search history, usage information, information regarding a consumer’s interaction with our website, application, or advertisement.
Social Media Information. If you interact or engage with us through Social Media platforms, we may collect the content of your post (which may include photographs or videos you post), the nature of your interaction (such as a “Like” or a “Retweet”), and your screen name.
Geolocation Data. This may include your approximate geolocation.
Audio, electronic, visual, or similar information. This includes audio recordings of customer service calls, any images you voluntarily provide and in-office interaction data such as security camera footage.
Feedback data. Any data you voluntarily provide to us as part of our Offline Activities.
Health-related data. This includes medical history, pregnancy status, current diabetes therapy information, lab charts, diagnosis and prescription history (including diabetes type, use of medications, your current insulin brand and insulin dosing information), glucose and insulin data, blood sugar ranges, information related to your sleep, eating, and exercise habits, device data and any health information you voluntarily provide. For example, data collected from devices you use to access our Services, including data sent to us through App permissions, as well as device operating system, Bluetooth address, UPC, or purchase or device related information of that connected device, Services identification information such as a serial number, log of pump operations, and device interactions connected to our Services (such as interactions between the connected device and Services or any partner products, including continuous glucose monitoring devices and glycemic controllers). We may also collect information from our partner services when you connect our connected devices or our Services to them. For example, this may include information from manufacturers or suppliers of your previous or future pumps, manufacturers or suppliers of glucose monitors you use or have used, which could include glucose readings, existence of a health condition that may impact your therapy (such as pregnancy status, retinopathy, or neuropathy), eligibility for insurance coverage and payment amounts, evidence you received Services training, your HCP’s name and contact information, and/or details of your use of medical devices for diabetes therapy/medical treatment.
User generated content. This includes any content or material you publish, post, or submit to us, such as photos and videos.
Inferences derived from personal information. This may include information about your characteristics, behavior, attitudes, aptitudes, interests or preferences, which may include inferences derived from your use of connected devices, or from combining multiple sources or categories of information. We may also supplement certain information we collect from you with outside records. External parties may provide us with information about you in connection with a co-marketing agreement or in connection with a tracking technology.
HCP Information. If you use our Services as an HCP, we may collect your assigned HCP account ID number, Clinic ID number, and other information in relation to our interactions with you in your role as an HCP.

2. Sources of Personal Information

We may collect your personal information directly from you, from other parties, or from you indirectly through cookies and other technologies, including through the following sources.

Directly from You, When You:

Communicate with us over the phone or via electronic or paper forms and communications, ask a question, request information, submit a complaint, enter information on our Websites or seek customer support from us.
Post on our social media channels or interact or engage with us through Social Media platforms (including but not limited to Facebook, Twitter, Instagram, or Reddit).
Order Services, including submitting payment, and registering our Services.
Register for an online account.
Provide us your purchased items or Services for evaluation/troubleshooting or participating in Services training (which may be one-on-one or in group settings).
Visit our physical offices.
Use location-based services.
Interact with our online Services, which may have tracking technologies, such as cookies, that we or our vendors place on our online Services, or which may have external party features or Services, such as social media network tools.
Participate in our events, or other promotional activities, such as conferences or presentations.
Participate in a survey, participate in a focus group, test our devices, or provide your thoughts on our Services or marketing (e.g., Services ratings and reviews).
Interact with or sign up for our advertising, marketing or newsletter, including targeted ads or marketing communications, such as emails, where applicable.
Use connected devices, including our devices and those made by other companies, to interact with us or our Services.
Depending on your mobile device or App permission settings, our Apps may collect geolocation information (approximate location) and other information (for example, pair and access Bluetooth devices, view Wi-Fi and network connections, or receive data from the internet). If you do not consent to our collection of App permissions then this may impact on our ability to provide our Services, or features to you and the functionality of the App.

Additional Sources:

We may also receive your personal information from a variety of sources, including external parties such as advertising networks, internet service providers or ISPs, contractors, data analytics providers, government entities, and social networks, as defined by applicable law.

We may collect some information automatically from your computer, mobile phone, tablet, or other device when you visit our Websites or use our Services or participate in Offline Activities as well as security surveillance footage when you are physically present on our premises.

In addition, we work with distributors across the world in order to provide our Services to you. Personal information will therefore be provided by you to the relevant in-country distributor when using a Tandem Service. The distributor may pass on some of this information to us if necessary, for example, to return a faulty device for investigation. Please check your relevant in-country distributor's privacy notice to find out more about the information which it will process.

We may also receive personal information from partner services when you allow third parties to provide it to us. For example, when you connect our connected devices or our Services to them or integrate a third party's product with a product or service provided by us, or where you choose to use a Services feature provided by an external party. For example, we may also receive personal information about you from partners when you integrate a partner’s product with our connected devices or Services or otherwise authorize a partner service to provide personal information about you to us. Examples of such third parties include, without limitation, Dexcom, data received through Apple Health and/or Google Fit, data received from Nightscout, Amazon Alexa, Intercom, Siri Shortcuts, and iCloud.

We may also collect personal information about you from third parties who host social media webpages that we manage.

Any use of an external online service may be subject to that service’s terms and privacy policies.

Indirectly Through Cookies and Other Technologies:

We may receive your personal information through the use of cookies and other tracking technologies. For more details, see the Cookies and Other Tracking Technologies section of this Privacy Notice.

3. Use of Personal Information

We collect, use, disclose, or otherwise process your personal information for various purposes, including the following:

Providing Services. To provide you our Services, including creating and activating your account, linking you to others across platforms (such as your HCP or individuals which whom you chose to share your information), enabling your activity within our Services (including connecting with your HCP, other users, or health management followers), enabling external party features (e.g., social media connections) or other external-party products (e.g., connected devices), facilitating and managing purchases (including working with applicable insurance entities), providing software updates, shipping and tracking products and supplies and related materials, verifying customer information, establishing, performance or maintaining an agreement or contract with you and Services training.
To understand your use of our Services and ensure technical functionality of the Services. To ensure that our Services are compatible with your devices as well as administering our Websites, displaying information more effectively, diagnosing problems with our networks and servers, better understanding who visits our Websites and/or uses our Services, where you are located and what content on our Websites and/or Services is of interest to you and personalizing your experience while using our Services.
Health Management. To provide tailored information to support your health management such as providing insulin tracking, Services training, instructional feedback, and Services recommendations.
Geographic-Based Features. We may use location information, including approximate geolocation, to provide geographic-based features such geographically relevant services, offers, or ads, and to conduct analytics to improve our Services and facilitate navigation.
Research and Development. We may develop new Services features and create new Services or improve existing Services (including our Websites and Offline Activities), including using personal information for internal purposes related to certain research, analytics, development, statistical, demonstration, innovation, testing, monitoring, customer communication, risk management, and administrative purposes. This may include when you participate in surveys or research activities such as academic, commercial, and research study purposes. This may also include surveys regarding your preferences, or data derived from your use of our Services for internal analytics.
Advertising. We may personalize your experience with us and our Services by conducting advertising, such as contextual, targeted, or behavioral advertising. For example, this allows us to recommend Services you might like or find useful. It also allows us to assess user interactions, including ad impressions to unique visitors, and quality of ad impressions. We may also use social media services such as matched ads to deliver ads to you on those social media platforms. If you disclose personal information using a social network, that disclosure will be governed by the social network’s privacy policy and preferences or settings.
Marketing Messages. We may use your personal information to communicate with you about the Services you have purchased or used; provide you with promotional messages and personalized advertising (including invitations Offline Activities); to notify you of other Services; to notify you of Services we think may be of interest to you; and, for other marketing purposes, where permissible by law.
Customer Service. We may use your personal information to respond to your requests for technical support (including product complaints, troubleshooting or malfunction), online Services, Services information or to any other communication you initiate, including requests, inquiries, complaints and information you may provide on our Websites.
We may use personal information for security purposes to protect against unauthorized disclosure of personal information, as well as detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity. We may also use personal information for debugging to identify and repair errors that impair existing intended functionality of the Services.
Legal and Safety. We may use personal information to verify or maintain the quality or safety of a Service or device that is owned, manufactured, manufactured for, or controlled by us, and to improve, upgrade, or enhance the Service or device that is owned, manufactured, manufactured for, or controlled by us. We also use personal information to meet our legal obligations, work with law enforcement, and for public safety purposes. We may use personal information in order to comply with laws, regulations, court orders, or other legal obligations or to assist in an investigation, to protect and defend our rights and property, or the rights or safety of other parties, to enforce our Terms of Use, this Privacy Notice, or agreements with other parties, or for crime-prevention purposes.

4. Disclosing Your Information

With your consent, or as allowed by applicable law, we may disclose your personal information, as described above, to:

A person or entity that you allow us to share your personal data with, such as people with whom you voluntarily share your account.
We may disclose personal information to companies or ventures that are owned or controlled by us or our affiliates in order to provide and improve our Services, for marketing purposes, and for advertising.
Vendors. We may disclose personal information to contractors, business partners, marketing partners, analytics providers, and other vendors to provide, improve, and personalize Services or where we have your permission to do so. Our vendors may engage subcontractors to perform Services for us.
We may disclose personal information to social network providers.
Other Services Users. Where your personal information is disclosed publicly on our Services, such as when you allow us to share your feedback or testimonial or post in community forums or connect with others, it may be viewed by other visitors and users.
Your Insurance Providers. Depending on your location, we may assist you by providing personal information to your insurance providers to facilitate insurance coverage and payments for our Services.
Healthcare Providers (HCPs). We may disclose personal information to your healthcare providers to facilitate care. Note if you are in the United States of America, this Privacy Notice does not cover PHI under HIPAA. For more information, see our HIPAA Notice of Privacy Practices.
Distributors. We may disclose personal information to our distributors to provide the Services to you.12
We may disclose personal information for legal compliance, law enforcement, and public safety purposes, as allowed by law. For example, to law enforcement, government or regulatory bodies, lawful authorities, or other authorized external parties in order to comply with laws, regulations, court orders, or other legal obligations or to assist in an investigation, to protect and defend our rights and property, or the rights, vital interests or safety of other parties, to comply with law enforcement proceedings, to enforce our Terms of Use, this Privacy Notice, or agreements with other parties, to help with public health, safety issues or for crime-prevention purposes. This may include working with a medical examiner or funeral director.
Others. We disclose your personal information when you consent or direct us to disclose it, such as where you connect our connected devices to a compatible service not provided by us and individuals with whom you voluntarily share your account.

We may also disclose your personal information to an actual or potential buyer (and its agents and advisers) in connection with any actual or proposed sale or transfer of all or a portion of our business assets (e.g., further to an actual or proposed merger, reorganization, liquidation, bankruptcy, or any other business transaction), including negotiations of such transactions.

5. Personal Information Provided to External Businesses

This Privacy Notice does not apply to the practices of companies we do not own or control. Our Services may provide a link or otherwise provide access to external services. We provide these links merely for your convenience. We have no control over, do not review, and are not responsible for external services. External services and other businesses may have their own privacy policies which are applicable.

6. Cookies and Other Tracking Technologies

We may use tracking technologies, such as cookies, web beacons, mobile analytics and advertising IDs, and similar technologies including tracking technologies managed by vendors or external parties.

Tracking technologies can generally be categorized as follows:

Necessary or essential. These tracking technologies are used for core functionality, for example for security and to enforce your privacy preferences. Without these technologies, some functionality on our Services will fail.
Functional or analytics. These tracking technologies help to improve the Services by allowing us to understand how the Services are used and how the Services perform. We may also use location-aware technologies to locate you, including as determined by your IP address, for purposes such as verifying your location and delivering or restricting content based on your location.
Advertising. These tracking technologies help personalize ads that are shown to you on our Services, as well as on other parties’ online services. If enabled, these tracking technologies may allow other parties to engage in advertising based on your use of online services across platforms and over time.

We may use technology vendors in connection with your activity on certain pages of our Websites. The tools these vendors provide help us control how user personal information is collected by online tracking technologies. These tools also allow us to limit how certain types of Website user data, such as details about your activity on our Websites, may be transmitted to other parties.

We may combine tracking technology information with other personal information about you. We or external parties, on our behalf and pursuant to contract, may collect personal information about your online activities over time and across different online services when you use our Services.

We may use Google Analytics or other providers (such as Google Tag Manager and New Relic) for analytics services. We may also implement Google Analytics Advertising Features such as remarketing with analytics and interest-based ads. We may use first-party cookies or other first-party identifiers as well as third-party cookies or other third-party identifiers to, e.g., deliver advertisements, measure your interests, and/or personalize content.

For more information on how these providers use data collected through our Services or to opt-out, visit:

Google Analytics
- More information: www.google.com/policies/privacy/partners.
- Opt-out: To opt out of Google Analytics cookies, visit tools.google.com/dlpage/gaoptout or download the Google Analytics Opt-Out Browser Add-On.
Google Tag Manager
- More information: www.google.com/policies/privacy/partners
New Relic
- More information: newrelic.com/termsandconditions/services-notices
- Opt-out: Email requests to PersonalDataRequests[at]NewRelic.com

You may also opt out of certain tracking technologies by visiting the opt out services by the Digital Advertising Alliance in the US, the Canadian Digital Advertising Alliance in Canada, and the European Digital Advertising Alliance in the EU. You can visit Ad Choices (US), Your Ad Choices (Canada), or Your Online Choices (EU). Opting out through these services does not mean you will no longer receive advertising from us, or when you use the Internet.

Depending on your device settings, you may also opt out of certain interest-based advertising through the device’s "Limit Ad Tracking" or equivalent feature. Refer to your device for more information on what this opt out affects. For instance, you can generally adjust or reset the advertising identifiers on your mobile device in the device settings.

You can set your browser to refuse cookies from websites, but if you do so, you may not be able to access or use portions of our Services, and certain offerings on our Services may not function as intended or as well. In addition, iOS and Android operating systems provide options to limit tracking and/or reset advertising IDs.

To control web beacons, most email providers have settings which allow you prevent the automatic downloading of images, which will disable web beacons in the email messages you read.

We are not responsible for opt out processes provided by external parties.

7. Interactive Features

We may engage vendors to provide certain interactive features on our Services. Your use of these interactive features is voluntary, and we may retain the information that you submit through these features. For example, we may offer an interactive chat feature on our Services to answer questions and for other customer service purposes. When you participate in the interactive chat, either with a virtual or live agent, the contents of the chat may be captured and kept as a transcript. By using these features, you understand that our vendors may process the information obtained through the feature to provide the service on our behalf.

8. Security

We use appropriate administrative, technical, physical, and organizational measures to protect the personal information we collect and process about you. The measures we use are designed to provide a level of security appropriate to the risk of processing your personal information. This includes managerial measures, including establishment and implementation of internal management plan and periodic training for employees; technical measures, including controlling access rights and putting in place authentication controls for personal information processing systems and encryption of important data; and physical measures, including external security, event logging and management of system servers. While we implement security measures designed to be appropriate to the relevant risks, please note no data transmission over the Internet or any wireless network can be guaranteed as being 100% secure.

9. Data Retention

We will store your personal information for no longer than is necessary for the performance of our obligations or to achieve the purposes for which the information was collected, or as may be required or permitted under applicable law. To determine the appropriate retention period, we will consider the amount, nature, and sensitivity of the data; the potential risk of harm from unauthorized use or disclosure of the data; the purposes for which we process the data and whether we can achieve those purposes through other means; and the applicable legal requirements.

10. Your Choices

Our Services may have settings available to you, depending on the Service, to allow you to set preferences. Information collected through our various Services, such as between our online portals and Apps, may not be synchronized (especially when you are not logged into one Service, and you are logged into another). Where information is not synchronized and you would like to have consistent settings, you may contact customer service if you have any issues or to make sure your settings across Services are consistent by accessing each Service independently.

If you receive marketing emails from us, you may opt out through the email’s instructions, as provided. Please note that regardless of your email preferences, we may send you notifications pertaining to the performance of our Services, such as revision of our Terms of Use or this Privacy Notice or other formal communications relating to Services you have purchased or use. If you receive texts from us, you may opt out by texting “STOP” to the number contacting you.

11. Children’s Personal Information

Parts of our Services may be available and/or directed to children. Where required by law, we seek to obtain the verifiable parental consent from the child’s parent or guardian. Where the law requires us to obtain verifiable parental consent and we learn that a child, as defined under that legal requirement, has provided us personal information independently without the permission of their parent or guardian, we delete that information.

12. Notice for California Consumers and Your California Rights

This California Privacy Notice is provided pursuant to the California Consumer Privacy Act, as amended (the “CCPA”) and describes how Tandem may collect, use, and disclose personal information of consumers that reside in California. Please note certain information we collect, use, and disclose is considered PHI, as described above, and is therefore covered by our HIPAA Notice of Privacy Practices. For more information, please visit www.tandemdiabetes.com/legal/privacy/hipaa-notice-of-privacy-practices.

Unless otherwise noted, the disclosures in Section 11 cover our activities in the twelve (12) months preceding the Effective Date, as well as our current practices.

How and Why We Collect, Use, and Disclose Your Personal Information

Tandem may collect, use, and disclose personal information for business purposes consistent with applicable laws as identified below. Where Tandem transfers applicable personal information to recipients, such as our service providers, it does so for the same business purposes described below. These examples may vary depending on the nature of your interactions with us.

Category of Consumer Personal Information	Categories of Sources from which Collected	Business Purposes for Collection, Use, or Disclosure	Categories of Recipients to Whom Consumer Personal Information May be Disclosed for a Business Purpose
Identifiers (such as a real name, alias, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, social security number, driver’s license number, or other similar identifiers).	Directly from you Automatically when you use our electronic systems From service providers that help us to run our business	Comply with applicable state and federal law Communicate with you Maintain business records Provide personalized advertising and marketing	Examples include service providers, data analytics providers, security providers, background check vendors, and information technology vendors.
Internet or other electronic network activity information, (including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website application, or advertisement).	Directly from you Automatically when you use our electronic systems From service providers that help us to run our business	Comply with applicable state and federal law Communicate with you Maintain business records Provide personalized advertising and marketing	Examples include data analytics providers, security providers, and information technology vendors.
Any personal information described in subdivision (e) of Section 1798.80 of the California Civil Code.	Automatically when you use our electronic systems From service providers that help us to run our business	Comply with applicable state and federal law Communicate with you Maintain business records Provide personalized advertising and marketing	Examples include data analytics providers, security providers, and information technology vendors.
Approximate Geolocation data.	Automatically when you use our electronic systems From service providers that help us to run our business	Comply with applicable state and federal law Communicate with you Maintain business records Provide personalized advertising and marketing	Examples include data analytics providers, security providers, and information technology vendors.
Commercial information, including records of personal property, Services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.	Directly from you Automatically when you use our electronic systems From service providers that help us to run our business	Comply with applicable state and federal law Communicate with you Maintain business records Provide personalized advertising and marketing	Examples include service providers, data analytics providers.
Professional or employment-related information.	Directly from you From service providers that help us to run our business	Comply with applicable state and federal law Communicate with you Maintain business records	Examples include background check vendors.

We may also disclose each of the categories of personal information identified above to the respectively identified categories of recipients for operational or business purposes consistent with the purposes for collection or use designated, as is reasonably necessary and proportionate to achieve those purposes, or for another purpose that is compatible with the context in which the personal information was collected, including, but not limited to:

Auditing our ads;
Helping to ensure security and integrity of your personal information;
Debugging, repairing, and improving functionality;
Short-term, transient use;
Performing services on our behalf;
Internal research for technological development; and
Verifying the quality and/or safety of our devices.

In addition to the other purposes for collection, use, and disclosure of personal information described in this Notice, we may collect, use, and disclose personal information as required by law, regulation or court order; to respond to governmental and/or law enforcement requests; to identify, contact or bring legal action against someone who may be causing injury to or interfering with our or others’ rights or property; to support any actual or threatened claim, defense or declaration in a case or before any jurisdictional and/or administrative authority, arbitration or mediation panel; or in connection with disciplinary actions/investigations. Likewise, we may use and disclose personal information to other parties in connection with the sale, assignment, merger, reorganization, or other transfer.

Selling and Sharing of Personal Information

We may sell or share the following categories of personal information with third parties for the purposes of cross-context behavioral advertising: identifiers, internet or other electronic network activity, and approximate geolocation data. We sell and/or share this personal information with third parties for advertising purposes. The third parties to whom this personal information was sold and/or shared are advertisers and analytics vendors. When we use the terms sell, sold, or sale, we mean for valuable consideration and not monetary value.

We offer you the ability to opt out of sales and sharing of your personal information as set forth in the “California Privacy Rights” section below.

We do not have actual knowledge that we sell or share the personal information of consumers under sixteen (16) years of age.

Data Retention

To learn more about our data retention practices, please see Section 9.

California Privacy Rights

If you are a resident of California, you have the right to submit certain requests relating to your personal information as described below. If you would like to submit a request pursuant to your rights under HIPAA instead of CCPA, please contact us at privacy@tandemdiabetes.com and indicate that you are making a HIPAA request. To exercise your CCPA rights, please submit a request by email to privacy@tandemdiabetes.com, or by calling us at 1-877-283-8720. Please note that, depending on the nature of your request, you may be asked to provide information to verify your identity before your request can be processed.

We will confirm receipt of your request and respond to your request as soon as we reasonably can and no later than legally required. You may designate an authorized agent to make a request on your behalf; however, you will still need to verify your identity directly with us before your request can be processed.

Right to Know. You have the right to know what personal information we have collected about you, which includes:

1. The categories of personal information we have collected about you, including:

a. The categories of sources from which the personal information was collected.

b. Our business or commercial purposes for collecting, selling, or sharing personal information.

c. The categories of recipients to which we disclose personal information.

d. The categories of personal information that we sold and shared, and for each category identified, the categories of third parties to which we sold and shared that particular category of personal information.

e. The categories of personal information that we disclosed for a business purpose, and for each category identified, the categories of recipients to which we disclosed that particular category of personal information.

2. The specific pieces of personal information we have collected about you.

Right to Delete Your Personal Information. You have the right to request that we delete personal information we collected from you, subject to certain exceptions.

Right to Correct Inaccurate Information. If you believe personal information we maintain about you is inaccurate, you have the right to request we correct that personal information.

Right to Opt Out of Sales and Sharing of Personal Information. You have the right to opt out of the sale or sharing of your personal information and to request that we do not share your personal information for cross-context behavioral advertising in the context of cookies and other tracking technologies. To opt out of the sale or sharing of your personal information via cookies and other tracking technologies, please click on the “Do Not Sell or Share my Personal Information” link in the footer of our website. You may also opt out of the sale or sharing of your personal information through an opt out preference signal. In order to process your request through an opt out preference signal, you must use a browser supporting the preference signal.

Right to Limit Use and Disclosure of Sensitive Personal Information. We do not use or disclose sensitive personal information for purposes to which the right to limit use and disclosure applies under the CCPA.

Right to Non-Discrimination for the Exercise of Your Privacy Rights. If you choose to exercise any of the privacy rights described above, we will not discriminate against you.

California Shine the Light

We do not share personal information with third parties or affiliates for those third parties’ or affiliates’ own direct marketing purposes. Californians may request information about our compliance with this law by contacting us at privacy@tandemdiabetes.com.

13. Additional Information for Users Outside of the United States

Canadian Residents

If you are located in Canada: If you are a Canadian resident, you have the right to request how we use your personal information and the recipients to which it has been disclosed. If you live in Canada and would like to receive written information about our policies and practices regarding service providers outside of Canada, please refer to our contact information below.

Data Subject Rights Relevant for Those in the EEA, UK and Switzerland

Please note, we do not currently use your personal information for automated decision making which produces legal effects concerning you or similarly significantly affects you.

The GDPR and UK GDPR provide EEA and UK residents with certain rights regarding their personal information. If you are a resident of the EEA or the UK, subject to certain conditions, you may ask us to take the following actions in relation to your personal information:

Provide you with information about our processing of your personal information and give you access to your personal information.
Update or correct inaccuracies in your personal information.
Delete your personal information.
Transfer a machine-readable copy of your personal information to you or an external party of your choice.
Restrict the processing of your personal information.
Object to our processing of your personal information for direct marketing purposes.
Obtain information about and object to our reliance on legitimate interests as the basis for processing of your personal information.

You may designate someone to act on your behalf, for example, if you have given someone power of attorney or if someone is your legal guardian.

Withdraw your consent for processing personal information where applicable. Under the Swiss Data Protection Act you have similar rights, subject to certain restrictions defined by law that we are entitled or even required to apply (e.g., to protect third party interests).

Additionally, if you reside in Italy and are an individual with a direct interest in a deceased user’s personal information, or are a representative of a deceased user acting to protect the deceased user or his/her family interests, then you have the right to exercise the rights described above except for the right to delete.

If you reside in France, you may designate a person to carry out specific or general instructions on how to store, delete or communicate the personal information relating to you after your death. If the instructions relate only to the personal information we hold about you, you may choose to directly notify us such instructions.

If you reside in Portugal, you may appoint who can exercise your rights or to give instructions not to exercise them at all after your death regarding special categories of personal information (such as health data) or data related with private life, images or communications. You may exercise some of these rights and choices through Service features, such as editing your account settings or profile details when you are logged in. Additionally, you can submit requests by email to DPO@tandemdiabetes.com. We may request specific information from you to help us confirm your identity prior to processing your request. Applicable law may require or permit us to decline your request. If we decline your request, we will tell you why, subject to legal restrictions. If you would like to submit a complaint about our use of your personal information or our response to your requests regarding your personal information, you may contact us at DPO@tandemdiabetes.com or submit a complaint to a data protection regulator. Find information about your data protection regulator for EEA residents. The data protection regulator for residents of the United Kingdom is the Information Commissioner’s Office. If you live in Switzerland, you can lodge a complaint with the Federal Data Protection and Information Commissioner.

International Data Transfers

Our servers, which provide your Service content and store the personal information you provide to us, are located in the U.S. and the Netherlands. If you are accessing the Service from another country, please be aware you are transmitting information collected through the Service, including your personal information, to the countries where our servers are located. Depending on where you access the Service from, the data will be processed on one of those servers. These countries may not afford the same privacy protections as the country where you are using the Service. For users outside of the EEA and the UK, your use of the Service, including your provision of any personal information to us via the Service, demonstrates your acknowledgement of and agreement to this personal information processing.

Subject to applicable data transfer protection laws, we may transfer your personal information among our affiliate entities or to external parties located in other countries where we have implemented appropriate transfer mechanisms and safeguards. However, we implement appropriate safeguards to require that your personal information will remain protected in accordance with this Privacy Notice.

If you are located in the EEA, UK and Switzerland

Where we transfer your personal information to countries and territories outside of the EEA, the UK and Switzerland, which have been formally recognised as providing an adequate level of protection for personal information, we rely on the relevant “adequacy decisions” from the European Commission, “adequacy regulations” from the Secretary of State in the UK, and the adequacy assessment from the Swiss Federal Council, as applicable (together referred to as "EEA/UK/Swiss adequacy decisions").

Some EEA /UK/Swiss adequacy decisions require Tandem to take steps in order for relevant transfers to be covered, in particular for transfers to the U.S. under the EU-U.S. Data Privacy Framework ("EU-U.S. DPF"), the UK Extension to the EU-U.S. DPF ("UK Extension"), and the Swiss-U.S. Data Privacy Framework ("Swiss-U.S. DPF") as set forth by the U.S. Department of Commerce.

Tandem Diabetes Care, Inc) has certified to the U.S. Department of Commerce that they adhere to:

the EU-U.S. Data Privacy Framework Principles ("EU-U.S. DPF Principles") with regard to the processing of personal data received from the EEA in reliance on the EU-U.S. DPF and from the UK in reliance on the UK Extension to the EU-U.S. DPF; and

the Swiss-U.S. Data Privacy Framework Principles ("Swiss-U.S. DPF Principles") with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF.

To learn more about the Data Privacy Framework ("DPF") and to view our certification, see here. It is important however for us to provide you with the following information about our certification:

We will only rely on the UK Extension and the Swiss-U.S. DPF as transfer mechanisms under the applicable data protection laws, once respectively (i) the adequacy regulations implementing the data bridge for the UK Extension; and/or (ii) the Swiss Federal Council's recognition of adequacy of the Swiss-U.S. DPF, enter into force.
We are responsible for the processing of personal data received under each DPF and, subsequently, transfers to a third party acting on our behalf. We comply with the DPF Principles for all onward transfers of personal data we receive in reliance on the EU-U.S. / Swiss-U.S. DPF Principles and/or the UK Extension, including the onward transfer liability provisions. In particular, where we have received your personal information in the U.S. in reliance upon the EU-U.S. / Swiss-U.S. DPF Principles and/or the UK Extension, if we subsequently transfer that information to a third party acting on our behalf, and that third party processes your personal data in a manner inconsistent with the Principles, we will remain liable unless we can prove we are not responsible for the event giving rise to the damage.
With respect to personal data received or transferred pursuant to each of the DPFs, Tandem is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
If you want to contact us with any inquiries or complaints regarding our reliance on the DPFs, you can email us at privacy@tandemdiabetes.com or please see the How to Contact Us section at the end of this Privacy Notice;
If you have an unresolved privacy concern that we have not addressed satisfactorily, you can contact the individual panel established by the EU DPAs and, as applicable, the UK Information Commissioner’s Office (ICO) (and the Gibraltar Regulatory Authority (GRA)), and/or the Swiss Federal Data Protection and Information Commissioner (FDPIC) free of charge to make a complaint. Tandem commits to cooperate and comply with the advice of this panel. Under certain conditions, more fully described on the DPF website you may also invoke binding arbitration when other dispute resolution procedures have been exhausted .

Where the transfer is not subject to an adequacy decision or regulations, we take appropriate safeguards to require your personal information will remain protected. The safeguards we use under GDPR, include the European Commission’s Standard Contractual Clauses ("SCCs") as issued on 4 June 2021, in the form of modules 1 (controller to controller), module 2 (controller to processor), module 3 (processor to processor) and/or module 4 (processor to controller), as appropriate depending on our relationship with the recipient(s). We incorporate the UK's International Data Transfer Addendum to the EU Commission SCCs as permitted under Article 46 of the UK GDPR, when transferring personal information protected under UK GDPR and the Swiss Addendum to the SCCs as provided by the FDPIC in its statement of 27 August 2021.

Our SCCs can be provided on request. Please note some sensitive commercial information may be redacted. For details of what personal information may be transferred to group entities or third parties, please see the Disclosing Your Information section of this Notice above.

In exceptional circumstances, personal information may also be transferred to countries that are not subject to an adequacy decision or regulations on the basis of a derogation. A derogation may apply, for example, in case of legal proceedings abroad, if transfer is necessary for the performance of a contract, if you have consented to the transfer, or if the data has been made generally available by you and you have not objected to the processing.

If you are located in Canada

If you live Canada and would like to receive written information about our policies and practices regarding service providers outside of Canada, please refer to the “How to Contact Us” heading below.

Legal Bases Relevant for Those in the EEA and UK

For users located in the European Economic Area and the United Kingdom, the following information specifically applies to you. Our processing of your personal information is carried out under the following legal bases:

The processing is necessary for us to provide you with the Services you request, or to respond to your inquiries, such as to comply with our contractual obligation to fulfill transactional services.
We have a legal obligation to process your personal information, such as compliance with applicable tax and other government regulations or compliance with a court order or binding law enforcement request.
To protect your vital interests, or those of others.
We have a legitimate interest in carrying out the processing activity. In particular, we have a legitimate interest in the following cases:

To analyze and improve the safety and security of the Service. This includes implementing and enhancing security measures and safeguards and protecting against fraud, spam, and abuse.
To maintain and improve the Service.
To operate the Service and provide you with certain information and communications tailored to, and in accordance with, your preferences.

You have consented to the processing of your personal information. When you consent, you may change your mind at any time.

Given the nature of our business, we may process special categories of your personal information in the form of health information. This information includes diabetes therapy data, such as your glucose levels, related exercise and eating habits and lab charts. We will only process this information in accordance with applicable law such as obtaining your explicit consent or where processing is necessary for reasons of public interest in the area of public health.

14. Do Not Track Disclosures

At this time, some of our Websites do not respond to Do Not Track (“DNT”) signals sent from your web browser. A uniform standard has not yet been adopted to determine how DNT signals should be interpreted and what actions should be taken by websites and third parties that receive them.

15. Updates to this Privacy Notice

We may update this Privacy Notice from time to time. You can see when this Privacy Notice was last updated by checking the “Last Updated” date displayed at the top of this Privacy Notice. Any changes to this Privacy Notice take effect immediately after being posted or otherwise provided by Tandem.

16. How to Contact Us

If you reside in the US:

Tandem Diabetes Care, Inc. Attn: Legal Department
12400 High Bluff Drive San Diego, CA 92130

Email: privacy@tandemdiabetes.com

If you reside in the European Economic Area or the UK, please either contact:

Tandem directly at privacy@tandemdiabetes.com or Tandem’s EEA and UK Data Protection Officer (DPO) at

Fieldfisher LLP Attn: Data Privacy Riverbank House
2 Swan Lane London EC4R 3TT

Email: DPO@tandemdiabetes.com

The data controller of your personal information is Tandem Diabetes Care, Inc.