Privacy Policy

Last Updated: October 2024

This Privacy Policy applies to the personal data processed by Intend app (“Intend” or "we") in relation to the users of Intend’s platform, mobile application ("App"), website, and any associated services or products (collectively, the "Intend Services"). It also applies to personal data processed by Intend regarding the representatives of our vendors, business partners, and customer organisations, including data processed within our CRM database and related to direct marketing activities. The individuals covered by this policy are hereinafter collectively referred to as "Users" or "you."

If you have any questions regarding how we process your personal data or if you wish to exercise any of your rights, including accessing or erasing your data, please contact our Data Protection Officer ("DPO") at [email protected].

This Privacy Policy only applies to data processing carried out by Intend as a data controller. We are not responsible for the privacy and data processing practices of any third parties. Please refer to their respective privacy policies for information on how they handle your data.

The controller for all personal data processed through the Intend Services is:

Cubi Tech SIA
Company registration number: 40103947559
Latvia

Data Collection

What Data We Collect and Why

We collect and process data to provide and improve the Intend Services, including the Intend App. We also collect user data to enable payment processing and for marketing purposes, such as sending you offers and updates about our products and services. The types of data we collect are grouped into two main categories:

Default Data: This includes essential information necessary to provide the Intend Services, such as personal data related to your purchases, account creation, and app usage. The legal basis for processing this data is the performance of the contract between you and Intend. We may also process this data based on our legitimate interest in maintaining the security and integrity of the Intend Services, as well as for the establishment, exercise, or defence of legal claims related to your use of our services. Additionally, we may process Default Data for direct marketing purposes, based on your explicit consent, which you can withdraw at any time.

Optional Data: This includes information that enhances your experience of the Intend App, such as dietary preferences, height, weight, and health-related metrics. Some features may not function as intended without certain Optional Data (e.g., logging meals in the app). The legal basis for processing Optional Data is either the performance of a contract or our legitimate interest in improving the Intend Services. If the data includes health-related information, we will rely on your explicit consent for processing.

Health Data: To function properly, the Intend App requires access to certain health-related data, such as glucose levels from your Continuous Glucose Monitor (CGM), dietary information, and other optional health metrics like BMI and heart rate. The legal basis for processing this sensitive data is your explicit consent, which you can revoke at any time through the app or by contacting us directly.

For research and development purposes, we may de-identify your health data to protect your privacy. De-identified data means that all personal identifiers have been removed, making it impossible to link the data back to you. However, pseudonymised data, which still allows for indirect identification, is treated as personal data and protected under this Privacy Policy.

Legal Basis for Data Processing

We rely on several legal grounds to process your data:

Performance of a contract: To provide the Intend Services, process payments, and ship products.

Legitimate interests: For security, service improvement, marketing, and analytics purposes.

Consent: For processing health data and for direct marketing purposes. You can manage your consent preferences at any time through the app or by contacting our DPO.

Data Sharing and Third-Party Processors

We may share your data with third-party service providers to provide and enhance the Intend Services. These third parties include payment processors, cloud storage providers, and analytics platforms. We always ensure that appropriate data processing agreements are in place with these third parties to safeguard your data.

Some of the third-party service providers we work with include:

We take steps to minimise the amount of personal data shared and ensure that these providers process your data in compliance with applicable data protection laws.

International Data Transfers

Intend’s servers are located within the EU. However, some of our third-party providers may process your personal data outside of the EU/EEA. When personal data is transferred outside of the EU/EEA, we ensure an adequate level of data protection by relying on mechanisms such as the EU-U.S. Data Privacy Framework, Standard Contractual Clauses, or other legal frameworks recognised by the European Commission.

For more information on the safeguards we implement for international transfers, or to obtain a copy of these arrangements, please contact our DPO.

Data Retention

We retain your personal data for as long as necessary to fulfil the purposes for which it was collected. Default personal data is stored for up to five years after you stop using the Intend Services. In some cases, we may need to retain data for longer to comply with legal obligations, such as tax or accounting requirements.

Personal data processed on the basis of consent will be retained until you withdraw your consent. You can request the deletion or de-identification of your personal data at any time. However, please note that certain data, such as payment and order information, may be retained for fraud prevention and compliance purposes.

Your Rights

As a data subject, you have the following rights under the GDPR:

To exercise any of these rights, please contact our DPO at [email protected]. We will respond to your request in line with GDPR requirements.

If you are dissatisfied with our response, you have the right to lodge a complaint with your local data protection authority.

Data Security

We are committed to securing your personal data. All personal information collected through the Intend App is stored in secure, encrypted databases. We use AES-256 encryption to protect your data at rest, and access is restricted to authorised personnel only.

Our employees undergo annual GDPR and HIPAA training to ensure they handle personal data responsibly. Any personal health information (PHI) processed in connection with telemedicine services is handled in compliance with HIPAA, where applicable.

Data Export and Deletion

You can export your glucose, meal, and exercise data directly from the Intend App’s settings. You can also request a full export of your account information, including past invoices, through our membership management portal.

You can delete your account via the Intend App. However, deletion of your account does not automatically remove all data (e.g., payment records retained for compliance). To de-identify or further erase any specific data, please contact us at [email protected].

Changes to this Policy

We may update this Privacy Policy from time to time. Any changes will be communicated to you via the Intend App or our website. Continued use of the Intend Services after such updates constitutes your acceptance of the revised policy.

If you have any questions or concerns regarding this Privacy Policy, please contact our Data Protection Officer at [email protected].