Last Updated: December 29, 2022
This Privacy Notice describes how Tandem Diabetes Care, Inc. (“Tandem,” “us,” “we,” or “our”) collects, uses, and discloses your personal information through products and services that include a link to this Privacy Notice (collectively, our “Services”), which includes, but is not limited to:
We may also collect personal information through other online services you use to interact with us such as online webinars and social media platforms, where we may be unable to or have not linked to this Privacy Notice because the online service is owned by another party.
If you are in the United States of America, please note this Privacy Notice does not cover our use, collection, or disclosure of your Protected Health Information (“PHI”) under the Health Insurance Portability and Accountability Act (“HIPAA”). For more information about these practices, see our HIPAA Notice of Privacy Practices. If you are a California resident, please see the Notice for California Consumers and Your California Rights section below, which sets forth additional information and rights you may have under California law relating to your information that is not HIPAA-covered PHI.
If you are in the European Union, Iceland, Liechtenstein and Norway (i.e., the "European Economic Area" or "EEA"), the United Kingdom ("UK"), or Canada, please see Section 12 (Additional Information for Users Outside the United States) below for additional information which is specific to you.
This Privacy Notice does not cover personal information that may be collected about you as an applicant for a job at Tandem or workforce personnel of Tandem. Please visit our Privacy Notice for California Applicants and Privacy Notice for California Workforce Members.
If you have any questions or concerns about our use of your personal information, please contact us using the contact details provided at the bottom of this Privacy Notice.
Personal information generally means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly with you. Personal information does not include information that is publicly available, de-identified, or aggregated. We may combine your personal information with data we obtain from our Services, other users, or other parties. We reserve the right to convert, or permit others to convert, your personal information into deidentified, anonymized, aggregated, or pseudonymized data, as permitted by law.
What personal information we collect may differ depending on how you interact with us. For example, we collect personal information when you use our Services, such as when you use our Apps which track your insulin. This personal information may differ from personal information we collect from health care providers or a clinic administrators appointed by a health care provider (collectively referred to as “HCPs”).
Personal information we collect about you may include:
We may collect your personal information directly from you, from other parties, or from you indirectly through cookies and other technologies, including through the following sources.
We may also receive your personal information from a variety of sources, including external parties such as advertising networks, internet service providers or ISPs, contractors, data analytics providers, government entities, and social networks, as defined by applicable law.
We may also receive personal information from partner services when you connect our connected devices or our Services to them, or where you choose to use a Services feature provided by an external party. For example, we may also receive personal information about you from partners when you integrate a partner’s product with our connected devices or Services or otherwise authorize a partner service to provide personal information about you to us. Any use of an external online service may be subject to that service’s terms and privacy policies.
We collect, use, disclose, or otherwise process your personal information for various purposes, including the following:
With your consent, or as allowed by applicable law, we may disclose your personal information, as described above, to:
This Privacy Notice does not apply to the practices of companies we do not own or control. Our Services may provide a link or otherwise provide access to external services. We provide these links merely for your convenience. We have no control over, do not review, and are not responsible for external services. External services and other businesses may have their own privacy policies which are applicable.
We may use tracking technologies, such as cookies, including tracking technologies managed by vendors or external parties. Tracking technologies can generally be categorized as follows:
We may combine tracking technology information with other personal information about you. We or external parties, on our behalf and pursuant to contract, may collect personal information about your online activities over time and across different online services when you use our Services.
We may use Google Analytics or other providers for analytics services. We may also implement Google Analytics Advertising Features such as remarketing with analytics and interest-based ads. We may use first-party cookies or other first-party identifiers as well as third-party cookies or other third-party identifiers to, e.g., deliver advertisements, measure your interests, and/or personalize content. For more information on how Google Analytics uses data collected through our Services, visit www.google.com/policies/privacy/partners. To opt out of Google Analytics cookies, visit https://tools.google.com/dlpage/gaoptout or download the Google Analytics Opt-Out Browser Add-On.
You may also opt out of certain tracking technologies by visiting the opt out services by the Digital Advertising Alliance in the US, the Canadian Digital Advertising Alliance in Canada, and the European Digital Advertising Alliance in the EU. You can visit Ad Choices (US), Your Ad Choices (Canada), or Your Online Choices (EU). Opting out through these services out does not mean you will no longer receive advertising from us, or when you use the Internet.
Depending on your device settings, you may also opt out of certain interest-based advertising through the device’s "Limit Ad Tracking" or equivalent feature. Refer to your device for more information on what this opt out affects. For instance, you can adjust or reset the advertising identifiers on your mobile device in the device settings. iOS users can visit Settings > Privacy > Advertising > Reset Advertising Identifier. Android users can visit Google settings > Ads > Reset advertising ID.
We are not responsible for opt out processes provided by external parties.
We use appropriate administrative, technical, physical, and organizational measures to protect the personal information we collect and process about you. The measures we use are designed to provide a level of security appropriate to the risk of processing your personal information. This includes managerial measures, including establishment and implementation of internal management plan and periodic training for employees; technical measures, including controlling access rights to personal information processing systems and encryption of important data; and physical measures, including external security and management of system servers. While we implement security measures designed to be appropriate to the relevant risks, please note no data transmission over the Internet or any wireless network can be guaranteed as being 100% secure.
We will store your personal information for no longer than is necessary for the performance of our obligations or to achieve the purposes for which the information was collected, or as may be required or permitted under applicable law. To determine the appropriate retention period, we will consider the amount, nature, and sensitivity of the data; the potential risk of harm from unauthorized use or disclosure of the data; the purposes for which we process the data and whether we can achieve those purposes through other means; and the applicable legal requirements. Unless otherwise required by applicable law, at the end of the retention period we will remove personal information from our systems and records or take appropriate steps to properly anonymize, deidentify, or aggregate it, where legally applicable.
Our Services may have settings available to you, depending on the Service, to allow you to set preferences. Information collected through our various Services, such as between our online portals and Apps, may not be synchronized (especially when you are not logged into one Service, and you are logged into another). Where information is not synchronized and you would like to have consistent settings, you may contact customer service if you have any issues or to make sure your settings across Services are consistent by accessing each Service independently.
Parts of our Services may be directed to children. Where required by law, we seek to obtain the verifiable parental consent from the child’s parent or guardian. Where the law requires us to obtain verifiable parental consent and we learn that a child, as defined under that legal requirement, has provided us personal information, we delete that information.
This California Privacy Notice is provided pursuant to the California Consumer Privacy Act, as amended (the “CCPA”) and describes how Tandem may collect, use, and disclose personal information of consumers that reside in California. Please note certain information we collect, use, and disclose is considered PHI, as described above, and is therefore covered by our HIPAA Notice of Privacy Practices. For more information, please visit HIPAA Notice of Privacy Practices page.
Unless otherwise noted, the disclosures in Section 11 cover our activities in the twelve (12) months preceding the Effective Date, as well as our current practices.
Tandem may collect, use, and disclose personal information for business purposes consistent with applicable laws as identified below. Where Tandem transfers applicable personal information to recipients, such as our service providers, it does so for the same business purposes described below. These examples may vary depending on the nature of your interactions with us.
|Category of Consumer Personal Information||Categories of Sources from which Collected||Business Purposes for Collection, Use, or Disclosure||Categories of Recipients to Whom Consumer Personal Information May be Disclosed for a Business Purpose|
|Identifiers (such as a real name, alias, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, social security number, driver’s license number, or other similar identifiers).||Directly from you Automatically when you use our electronic systems From service providers that help us to run our business ;||Comply with applicable state and federal law Communicate with you Maintain business records Provide personalized advertising and marketing||Examples include service providers, data analytics providers, security providers, background check vendors, and information technology vendors.|
|Internet or other electronic network activity information, (including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website application, or advertisement).||Directly from you Automatically when you use our electronic systems From service providers that help us to run our business||Comply with applicable state and federal law Communicate with you Maintain business records Provide personalized advertising and marketing||Examples include data analytics providers, security providers, and information technology vendors.|
|Any personal information described in subdivision (e) of Section 1798.80 of the California Civil Code.||Directly from you Automatically when you use our electronic systems From service providers that help us to run our business||Comply with applicable state and federal law Communicate with you Maintain business records Provide personalized advertising and marketing||Examples include service providers, data analytics providers, security providers, and information technology vendors.|
|Geolocation data.||Automatically when you use our electronic systems From service providers that help us to run our business||Examples include data analytics providers, security providers, and information technology vendors.|
|Commercial information, including records of personal property, Services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.||Directly from you Automatically when you use our electronic systems From service providers that help us to run our business||Examples include service providers, data analytics providers.|
|Professional or employment-related information.||Directly from you From service providers that help us to run our business||Comply with applicable state and federal law Communicate with you Maintain business records||Examples include background check vendors..|
We may also disclose each of the categories of personal information identified above to the respectively identified categories of recipients for operational or business purposes consistent with the purposes for collection or use designated, as is reasonably necessary and proportionate to achieve those purposes, or for another purpose that is compatible with the context in which the personal information was collected, including, but not limited to:
In addition to the other purposes for collection, use, and disclosure of personal information described in this Notice, we may collect, use, and disclose personal information as required by law, regulation or court order; to respond to governmental and/or law enforcement requests; to identify, contact or bring legal action against someone who may be causing injury to or interfering with our or others’ rights or property; to support any actual or threatened claim, defense or declaration in a case or before any jurisdictional and/or administrative authority, arbitration or mediation panel; or in connection with disciplinary actions/investigations. Likewise, we may use and disclose personal information to other parties in connection with the sale, assignment, merger, reorganization, or other transfer.
We may sell or share the following categories of personal information with third parties for the purposes of cross-context behavioral advertising:
We sell and/or share this personal information with third parties for advertising purposes. The third parties to whom this personal information was sold and/or shared are advertisers and analytics vendors. When we use the terms sell, sold, or sale, we mean for valuable consideration and not monetary value.
We offer you the ability to opt out of sales and sharing of your personal information as set forth in the “Right to Opt Out of Sales and Sharing of Personal Information” section below.
We do not have actual knowledge that we sell or share the personal information of consumers under 16 years of age.
To learn more about our data retention practices, please see Section 8.
If you are a resident of California, you have the right to submit certain requests relating to your personal information as described below. If you would like to submit a request pursuant to your rights under HIPAA instead of CCPA, please contact us at firstname.lastname@example.org and indicate that you are making a HIPAA request. To exercise your CCPA rights, please submit a request by email to email@example.com, or by calling us at 1-877-283-8720. Please note that, depending on the nature of your request, you may be asked to provide information to verify your identity before your request can be processed.
We will confirm receipt of your request and respond to your request as soon as we reasonably can and no later than legally required. You may designate an authorized agent to make a request on your behalf; however, you will still need to verify your identity directly with us before your request can be processed.
Right to Know
You have the right to know what personal information we have collected about you, which includes:
Right to Delete Your Personal Information
You have the right to request that we delete personal information we collected from you, subject to certain exceptions.
Right to Correct Inaccurate Information
If you believe personal information we maintain about you is inaccurate, you have the right to request we correct that personal information.
Right to Opt Out of Sales and Sharing of Personal Information
You have the right to opt out of the sale of your personal information and to request that we do not share your personal information for cross-context behavioral advertising in the context of cookies and other tracking technologies. To opt out of the sale or sharing of your personal information via cookies and other tracking technologies, please click on the “Do Not Sell or Share my Personal Information” link in the footer of our website. You may also opt out of the sale or sharing of your personal information through an opt-out preference signal. In order to process your request through an opt-out preference signal, you must use a browser supporting the preference signal.
Right to Limit Use and Disclosure of Sensitive Personal Information
We do not use or disclose sensitive personal information for purposes to which the right to limit use and disclosure applies under the CCPA.
Right to Non-Discrimination for the Exercise of Your Privacy Rights
If you choose to exercise any of the privacy rights described above, we will not discriminate against you.
California Shine the Light
We do not share personal information with third parties or affiliates for those third parties’ or affiliates’ own direct marketing purposes. Californians may request information about our compliance with this law by contacting us at firstname.lastname@example.org.
If You are Located in Canada
You are a Canadian resident, you have the right to request how we use your personal information and the recipients to which it has been disclosed. If you live in Canada and would like to receive written information about our policies and practices regarding service providers outside of Canada, please refer to our contact information below.
International Data Transfers
Our servers, which provide your Service content and store the personal information you provide to us, are located in the U.S. and the Netherlands. If you are accessing the Service from another country, please be aware you are transmitting information collected through the Service, including your personal information, to the countries where our servers are located, depending on where you access the Service from, and the data will be processed on one of those servers. These countries may not afford the same privacy protections as the country where you are using the Service. For users outside of the EEA and the UK, your use of the Service, including your provision of any personal information to us via the Service, demonstrates your acknowledgement of and agreement to this personal information processing.
Subject to applicable data transfer protection laws, we may transfer your personal info to external parties located in other countries. We implement appropriate transfer mechanisms and safeguards, including implementing Standard Contractual Clauses with parties we transfer data to (including Standard Contractual Clauses published by the European Commission for transfer outside of the EEA and Standard Contractual Clauses published by ICO for transfers outside of the UK).
If You are Located in the EEA and UK
Where we transfer your personal information to countries and territories outside of the EEA and the UK, which have been formally recognised as providing an adequate level of protection for personal information, we rely on the relevant “adequacy decisions” from the European Commission and “adequacy regulations” from the Secretary of State in the UK (together referred to as "EEA/UK adequacy decisions").
Where the transfer is not subject to an adequacy decision or regulations, we take appropriate safeguards to require your personal information will remain protected in accordance with this Privacy Notice. The safeguards we use for personal information protected under GDPR, include the European Commission’s Standard Contractual Clauses as issued on 4 June 2021, in the form of modules 1 (controller to controller), module 2 (controller to processor), module 3 (processor to processor) and/or module 4 (processor to controller), as appropriate depending on our relationship with the recipient(s). We incorporate the UK's International Data Transfer Addendum to the EU Commission Standard Contractual Clauses as permitted under Article 46 of the UK GDPR, when transferring personal information protected under UK GDPR.
Our Standard Contractual Clauses can be provided on request. Please note some sensitive commercial information may be redacted from the Standard Contractual Clauses. For details of what personal information may be transferred to group entities or third parties, please see the Disclosing Your Information section of this Notice above.
For users located in the European Economic Area and the United Kingdom, the following information specifically applies to you. Our processing of your personal information is carried out under the following legal bases:
Given the nature of our business, we may process special categories of your personal information in the form of health information. This information includes diabetes therapy data, such as your glucose levels, and lab charts. We will obtain your explicit consent prior to processing such information.
Please note, we do not currently use your personal information for automated decision making which produces legal effects concerning you or similarly significantly affects you.
The GDPR and UK GDPR provide EEA and UK residents with certain rights regarding their personal information. If you are a resident of the EEA or the UK, subject to certain conditions, you may ask us to take the following actions in relation to your personal information:
If you would like to submit a complaint about our use of your personal information or our response to your requests regarding your personal information, you may contact us at DPO@tandemdiabetes.com or you have the right to submit a complaint to a data protection regulator. EEA residents can find information about your data protection regulator here. The data protection regulator for residents of the UK is the Information Commissioner’s Office.
Additionally, if you reside in Italy and are an individual with a direct interest in a deceased user’s personal information, or are a representative of a deceased user acting to protect the deceased user or his/her family interests, then you have the right to exercise the rights described above except for the right to delete.
If you reside in France, you may designate a person to carry out specific or general instructions on how to store, delete or communicate the personal information relating to you after your death. If the instructions relate only to the personal information we hold about you, you may choose to directly notify us such instructions.
If you reside in Portugal, you may appoint who can exercise your rights or to give instructions not to exercise them at all after your death regarding special categories of personal information (such as health data) or data related with private life, images or communications.
You may exercise some of these rights and choices through Service features, such as editing your account settings or profile details when you are logged in. Additionally, you can submit requests by email to DPO@tandemdiabetes.com. We may request specific information from you to help us confirm your identity prior to processing your request. Applicable law may require or permit us to decline your request. If we decline your request, we will tell you why, subject to legal restrictions. If you would like to submit a complaint about our use of your personal information or our response to your requests regarding your personal information, you may contact us at DPO@tandemdiabetes.com or submit a complaint to a data protection regulator. EEA residents can find information about your data protection regulator here. The data protection regulator for residents of the United Kingdom is the Information Commissioner’s Office.
We may update this Privacy Notice from time to time. You can see when this Privacy Notice was last updated by checking the “Last Updated” date displayed at the top of this Privacy Notice. Any changes to this Privacy Notice take effect immediately after being posted or otherwise provided by Tandem.
Tandem Diabetes Care
Attn: Legal Department
12400 High Bluff Drive
San Diego, CA 92130
Attn: Data Privacy Riverbank House
2 Swan Lane
London, EC4R 3TT
The data controller of your personal information is Tandem Diabetes Care, Inc.