Privacy Notice
Controller and Data Protection Officer
Yazen Health AB, corporate identity number 559315-6234, with address Spolegatan 22, 222 19 Lund ("Yazen") is the data controller under the EU General Data Protection Regulation ("GDPR") for the processing of personal data for which we determine the purposes and means. The GDPR requires us to provide information about how we process personal data as a data controller in our operations.
Yazen has appointed a data protection officer handling matters regarding our compliance with data protection and personal data processing regulations. Please contact our data protection officer if you have any questions concerning our processing of your personal data by e-mail to dpo@yazen.com or by mail to Yazen Health AB at: Data Protection Officer, Spolegatan 22, 222 19 Lund, Sweden.
Personal data and processing
Personal data is any kind of information that relates to a living person, either directly (for example a name or social security number) or indirectly. Examples of information that can be indirectly related to a living person are behavioural data, diagnoses, images and audio recordings that are processed in a computer without any names being mentioned.
All types of measures taken which include personal data constitute processing of personal data. Common examples of processing are collection, registration, organisation, structuring, using, storage, processing, transmission and deletion.
According to Article 6 of the GDPR, in order to process your personal data, we need to rely on a legal basis, which in our case is contract, consent, weighing of interests (legitimate interest) or legal obligation. Insofar as we process sensitive personal data (e.g. data about your health), we also need to rely on a legal exception for such processing. Such exceptions can be found in GDPR Article 9.2a (explicit consent), 9.2h (healthcare), 9.2b (labour law) and 9.2f (defence of legal claims).
We will only process sensitive personal data (such as data about your health) to provide you with healthcare or if we have received your explicit consent to do so.
How we process your personal data
Under the headings below, we describe in detail how we process your personal data in various respects, namely what personal data is processed, how it is processed, for what purposes, on what legal grounds, how the data is collected and with whom it is shared.
1. For website visitors
1.1 When you visit our website
Categories of personal data:
- User-generated technical data such as how you use the website or app.
- Data on your technical device
Type of processing:
- Personalising the website to simplify usage for you (e.g. by remembering your website settings and cookie options).
- Collection of data that is necessary to enable the operation of the website on your technical device.
Purpose:
Provision of the website and app and related functionalities
Legal basis:
Legitimate interest to provide and customize the website and app
The personal data is collected from:
You, either by providing the information directly or through cookies.
Recipients/category of recipients of personal data:
- IT suppliers
Is there a legal obligation to provide us with the personal data?
No
Is it necessary to provide personal data to enter into or fulfill an agreement?
No
2. For recipients of treatment
2.1 When you create an account, and we evaluate if our service is suitable for you
Categories of personal data:
- Personal identification number
- Name
- Age
- Contact details
- Health data
- Information that you provide to us, such as information about your lifestyle
- Photos
- User identification
Type of processing:
- Data collection through questionnaires and meetings, and evaluation of such data
- Scheduling and carrying out meetings and related documentation
- Collecting data through communication with healthcare professionals and evaluating such data
- Identification
- Account creation
- Communication with patient or potential patient
- Storage of data for documentation
- Evaluation of whether the service is suitable for you
Purpose:
Providing an account and assessing whether our service is suitable for you
Legal basis:
Contract
The personal data is collected from:
You
Recipients/category of recipients of personal data:
- Bank ID
- IT suppliers
Is there a legal obligation to provide us with the personal data?
No
Is it necessary to provide personal data to enter into or fulfill an agreement?
Yes
2.2 When you sign up and pay for a subscription with us
Categories of personal data:
- Personal identification number
- Name
- Contact details
- Payment data, such as payment card or billing data
- Credit assessment
- User identification
Type of processing:
- Handling of payment (including obtaining any credit reports)
- Identification
- Organising and managing your subscription
- Communication with you
- Storage of data for documentation
Purpose:
Managing your subscription
Legal basis:
Contract
The personal data is collected from:
You
Provider of credit assessment
Supplier of payment solutions
Bank ID
Recipients/category of recipients of personal data:
- IT suppliers
- Bank ID
- Supplier of services for the management of prescriptions
- The Swedish state personal address register (SPAR)
- Supplier of payment solutions
Is there a legal obligation to provide us with the personal data?
No
Is it necessary to provide personal data to enter into or fulfill an agreement?
Yes
2.3 When we provide your treatment
Categories of personal data:
- Name
- Personal identification number
- Health data (e.g. weight, general wellbeing, information about diseases, lab results, prescribed medication, information about treatments).
- Health connect data, see 2.3.1
- Contact details
- Photos
- Information about your lifestyle (including exercise and dietary habits)
- Information you provide to our systems or in your communication with us
- User identification
- Information you provide in our communication channels, including the Community (including your health data if you choose to provide it)
Type of processing:
- Identification
- Scheduling and carrying out meetings and related documentation
- Preparation of a care plan and evaluation of your progress, health, and care needs.
- Communicating with you (including advice and recommendations on i.a. exercise and diet).
- Prescription and administration of medication (prescriptions)
- Keeping of medical records including archiving
- Administration and evaluation of tests
- Referral to another healthcare provider
- Issuing certificates
- Provision, administration and moderation of a communication channel between you, healthcare professionals and other patients (Community).
Purpose:
Provision of treatment
Legal basis:
Contract
The personal data is collected from:
You and our suppliers and/or cooperation partners within healthcare (including laboratories).
Recipients/category of recipients of personal data:
- IT suppliers
- Bank ID
- Supplier of services for the management of prescriptions
- The Swedish state personal address register (SPAR)
- Laboratories
- Other healthcare providers
- The recipients you specify when issuing certificates (e.g. employers or the Social Security Agency).
- Suppliers of postal services
Is there a legal obligation to provide us with personal data?
No
Is it necessary to provide personal data to enter into or fulfill an agreement?
No
2.3.1 Health Connect Data
Collection and Usage of Health Data
We value the privacy and security of our patients' data. Our mobile application can optionally request access to health-related data, specifically the ability to read steps, distance, heart rate, etc. This data is collected for the sole purpose of giving optimal personalised care.
Purpose of Health Data Access
By using this data, our doctors and other caregivers can give personalised treatment to our patients. A key part of losing weight is tracking your activity level and other health data.
User Consent
If you choose to opt in to Health Data access, you explicitly consent to the collection and usage of health-related data for the purposes outlined in this privacy policy. You have the option to grant or deny these permissions within the app settings.
Security Measures
We implement robust security measures to protect the confidentiality and integrity of health-related data. This includes encryption and secure storage.
Data Retention
We retain health-related data only for as long as necessary to fulfil the purposes outlined in this privacy policy.
Third-Party Services
Our app does not share health-related data with any third-party services, advertisers, or external entities. We do not engage in the sale or exchange of user data.
2.4 When we perform quality assurance and ensure your patient safety
Categories of personal data:
- User identification
- Health data
Type of processing:
- Creation and management of deviation lists
- Documentation of patient injuries
- Collecting, analysing and evaluating quality assurance
- Investigation of medical issues
- Implementation and evaluation of control measures
- Administration of cases with the Health and Social Care Inspectorate (IVO)
- Documentation and evaluation of potential side effects
Purpose:
Ensuring your patient safety, ensuring the quality of your care
Legal basis:
Legal obligation regarding safe healthcare and patient safety
The personal data is collected from:
You
Recipients/category of recipients of personal data:
- Authorities
- Insurance companies
- IT suppliers
Is there a legal obligation to provide us with the personal data?
No
Is it necessary to provide personal data to enter into or fulfill an agreement?
No
2.5 When you contact customer service, and we deal with your case
Categories of personal data:
- Contact details
- Name
- User identification
- Personal identification number
- Your health data
- The information you provide when communicating with our customer service
- The information needed to investigate your case, e.g. technical data
Type of processing:
- Communication with you
- Investigation and assistance with your case
- Follow-up and documentation of your case
Purpose:
Providing customer service and handling your case
Legal basis:
Our legitimate interest to provide customer service to you
The personal data is collected from:
You and our systems.
Recipients/category of recipients of personal data:
- IT suppliers
Is there a legal obligation to provide us with personal data?
No
Is it necessary to provide personal data to enter into or fulfill an agreement?
No
3. For our other contacts with potential customers, suppliers, partners, candidates, etc.
3.1 When we market our services
Categories of personal data:
- Name
- Contact details
- Details of your employment (including company and position)
- User behaviour on our website, such as how you click around
- Age and date of birth
- Gender
- Place of residence and position
- Information about your experiences and health provided in your 'testimonial'.
- Data provided by you in reviews through Trustpilot (data on your health if you choose to provide it).
- Information provided when you use the “invite a friend” functionality (e.g. name and contact information)
Type of processing:
- Sending out newsletters
- Sending of e.g. offers or campaigns
- Collecting, managing and storing your 'testimonial'
- Administration of agreements and consents regarding your 'testimonial'
- Publication of your "testimonial" on all internal and external digital channels and in internal and external printed media.
- Collection of your reviews from Trustpilot
- Publication of your reviews
- Sending information to a potential patient who has received an "invite a friend" invitation
- Providing credits to the patient who sent the "invite a friend" invitation
- Analysis and segmentation of you and your use of our website to understand your interests and to provide relevant and customised advertising and other materials, e.g. invitations to events.
- Collecting, collating, analysing and transferring data to our marketing partners in order to serve targeted advertisements on social media and other digital platforms and websites.
Purpose:
Marketing of our service
Legal basis:
Legitimate interest.
Consent for the use of success stories in marketing
The personal data is collected from:
You, cookies and Trustpilot
Recipients/category of recipients of personal data:
- IT suppliers
- Companies we cooperate with regarding marketing
- Recipients of our marketing communications
- Visitors to our website
Is there any automated decision-making (including profiling):
Yes
Is there a legal obligation to provide us with the personal data?
No
Is it necessary to provide personal data to enter into or fulfill an agreement?
No
3.2 When we provide, evaluate, develop and improve our services and systems
Categories of personal data:
- Name
- Contact details (e.g. phone number, address, email address)
- Information about you (e.g. gender, age, date of birth)
- Video footage
- The comments you have provided on the use of our service
- Data regarding your use of our service and systems (e.g. click behaviour on our website).
Type of processing:
- Maintaining, updating and improving our service and systems
- Collection, analysis and segmentation of user behaviour, user experience and data.
- Troubleshooting and fixing errors in our systems
Purpose:
Provision, evaluation, development and improvement of our service and systems
Legal basis:
Legitimate interest
The personal data is collected from:
You and through our systems
Recipients/category of recipients of personal data:
- IT providers
Is there a legal obligation to provide us with personal data?
No
Is it necessary to provide personal data to enter into or fulfill an agreement?
No
3.3 When we conduct our business activities
Categories of personal data:
- User identification
- Contact details
- Name
- Details of your employment (including company and position)
- Information contained in contracts, invoices, order forms and other documents
- Information in communication with our suppliers, partners and other business relations.
Type of processing:
- Managing the salaries of our staff
- Administration of an invoice or payment document and related payment
- Managing customer relationships or business relationships
- Administration of invoicing and payment
Purpose:
Conducting our business activities.
Legal basis:
Fulfillment of contracts for patients.
Legitimate interest regarding employees of e.g. suppliers, partners or other business relations.
The personal data is collected from:
You, your employer or other sources of information. Some sources are publicly available e.g. websites.
Recipients/category of recipients of personal data:
- IT suppliers
Is there a legal obligation to provide us with personal data?
No
Is it necessary to provide personal data to enter into or fulfill an agreement?
No
3.4 When we fulfill our legal obligations
Categories of personal data:
- The information necessary to fulfil our legal obligations, e.g. name, personal identification number and data on your health.
- Information necessary for accounting purposes, such as names, choice of payment options and other information contained in the payment documents.
- Information contained in your request to exercise your rights (e.g. contact details)
Type of processing:
- Management of your request to exercise your rights under the GDPR including identification.
- Administration of accounts
- Managing and responding to information requests from public authorities
- Communication related to the request to exercise your rights
Purpose:
To fulfill our legal obligations
Legal basis:
Fulfillment of legal obligations
The personal data is collected from:
You, our systems and your employer.
Recipients/category of recipients of personal data:
- IT suppliers
- Authorities
Is there a legal obligation to provide us with personal data?
No
Is it necessary to provide personal data to enter into or fulfill an agreement?
No
3.5 When defending and protecting our legal interests, averting abuse, and preventing and investigating offences against the company.
Categories of personal data:
- Information that is necessary for us to defend and protect our legal interests, e.g. contact details, name, personal identification number, information provided in communication with us, invoicing documents.
Type of processing:
- Provision of documentation for the preparation of police reports and the like
- Preparation of police reports
- Preparation of documentation for and conduct of court hearings or other dispute resolution procedures.
- Other processing operations necessary for the defence of our legal interests
- Evaluating whether to block a user from our service due to inappropriate behaviour (e.g. providing misleading information).
Purpose:
Defending and monitoring our legal interests
Legal basis:
Legitimate interest.
Fulfilment of legal obligation (if there is such)
The personal data is collected from:
You, our systems, your employer and authorities.
Recipients/category of recipients of personal data:
- IT suppliers
- Authorities
- Courts
Is there a legal obligation to provide us with personal data?
No
Is it necessary to provide personal data to enter into or fulfill an agreement?
No
3.6 When you apply for employment with us or have been provided as a reference in a recruitment process.
Categories of personal data:
- Name
- Contact details
- Nationality, place of birth and passport details
- Details of your past and present employment
- Data on your skills and personal characteristics
- Information on your education and qualifications
- Information contained in communications with you
- Information about your application, such as your CV, application letter and letters of recommendation.
- Information you provide in an interview
- Test results
- Information provided by the reference about you
- Information you provide in reference interviews
Type of processing:
- Communication with you
- Administration of your application
- Evaluation and selection of job applicants
- Managing and liaising with references provided
- Evaluation and verification of your competences
- Execution and evaluation of tests
- Communication with potential recruitment agencies
Purpose:
Carrying out the recruitment process.
Legal basis:
Legitimate interest in carrying out recruitment processes.
The personal data is collected from:
You, your references, recruitment agencies, and publicly available sources.
Recipients/category of recipients of personal data:
- IT suppliers
- Recruitment companies
Is there a legal obligation to provide us with personal data?
No
Is it necessary to provide personal data to enter into or fulfill an agreement?
No
From which sources do we obtain your personal data
In addition to the data that you provide to us, or that we collect from you based on your use of our service, we may also collect personal data via cookies or from other third parties. Information about where the data was collected and whether it comes from a third party can be found in each section under "The personal data is collected from".
Automated decisions and profiling
Profiling means that we analyze information about you to assess personal characteristics, which allows us to understand you as a customer and create the best possible offers for you. The extent to which we carry out profiling and for which purposes is described in detail above.
Recipients of data
Employees of Yazen
Your personal data will be shared with our employees (including consultants) who need access to them in order to fulfil their tasks.
Processors
In cases where it is necessary for us to be able to offer our services, we share your personal data with companies that are processors in relation to us. This applies, for example, to our suppliers of IT solutions and marketing. A processor is a company that processes information on our behalf and based on our instructions.
The processors may only process personal data in accordance with the purposes and instructions on processing and security that we have provided to them in a data processing agreement.
Independent controllers
We also share your personal data with certain companies that are independent controllers. The fact that the receiving entity is an independent controller means that we are not determining how the personal data disclosed will be processed by the receiving entity. Independent controllers with whom we share your personal data are:
- State authorities (the police, the Swedish Tax Agency, The Health and Social Care inspectorate/IVO, The Social Insurance Agency/Försäkringskassan, or other authorities) if we are obliged to do so by law or in the event of a suspected offence.
- Companies offering payment solutions
- Bank ID
- Insurance companies
- Other healthcare providers and laboratories
When your personal data is shared with a company that is an independent data controller, that company's privacy notice will be applicable.
How long do we store/save your data?
We only process your personal data for as long as it is necessary for the purposes described above.
We will delete or anonymize your personal data when you no longer use our services or the personal data is no longer necessary for the purposes it has been collected for, unless we have a legal obligation to save the personal data or we need to do so to defend our legal claims. For example, as a registered healthcare provider, we have an obligation under the Patient Data Act to save patient records for ten (10) years, which means that we cannot delete or anonymize the information contained in patient records before that time has passed. Further, there are legal requirements stating that accounting documents need to be saved for seven (7) years, etc.
Personal data stored on the basis of your consent will be deleted if you withdraw your consent. You can read more about how to withdraw your consent below. Withdrawal of consent does not affect our obligation to keep records or process personal data in accordance with applicable laws as stated above.
Where we process your personal data
We always endeavor to ensure that your personal data is processed within the EU/EEA, but it may happen that your personal data is transferred to a third country. Regardless of where your personal data is processed, we take reasonable legal, technical and organizational security measures to ensure that the level of protection is the same as within the EU/EEA. In cases where personal data is processed outside the EU/EEA, the level of protection is guaranteed either by a decision from the European Commission that the country in question ensures an adequate level of protection or by the use of so-called appropriate safeguards. If you would like more information about the protection measures taken, you are welcome to contact us by email to dpo@yazen.com.
Risks and security measures
Yazen uses technical and organizational security measures to protect your personal data against loss and to protect it against unauthorized access. This includes, for example, secure and private connections (such as VPN), encryption, and ensuring that access to your personal data is always limited to those employees who need access to perform their jobs. We continuously evaluate our systems, procedures and policies to ensure that they are secure and protected.
What are your rights?
You have several rights under the GDPR. These rights are summarized below. More information about your rights can be found on the Swedish Authority for Privacy Protection/IMY's website: https://www.imy.se/en/organisations/data-protection/this-applies-accordning-to-gdpr/the-data-subjects-rights/
If you wish to exercise your rights or have questions, please contact us. Contact details can be found at the top of this data protection notice.
Right to information
You have the right to be informed about how we process your personal data, which we provide you through this privacy notice.
Right of access
You can request information as to whether we process personal data relating to you and, if so, receive a copy of the personal data processed (a so-called register extract) together with certain more detailed information.
Right of rectification
We have a responsibility to ensure that the personal data we process is correct, but if you consider that personal data relating to you is incorrect or incomplete, you have the right to request that the information be corrected.
Right to object
When we process your personal data within the framework of our legitimate interest, you have the right to object to the processing at any time. If we cannot show that there are legitimate grounds for continuing to process the personal data, we must cease the processing.
Right to withdraw consent
If our processing of your personal data is based on your consent, you can withdraw your consent at any time by sending an email to dpo@yazen.com or letter to our Data Protection Officer (see contact details under the heading "Controller and Data Protection Officer"). Withdrawal of consent does not affect the legality of the processing of your personal data that took place before the withdrawal. Withdrawal of consent does not affect our obligation to keep patient records or process personal data in accordance with applicable legislation. In other words, when there is such relevant legislation to adhere to, we might still have the obligation to process your personal data according to such legislation and if so, we must continue the processing to the extent the legislation states.
Right to limitation of processing
In certain cases, for example if you have objected to the processing, you have the possibility to request a limitation of the processing of your personal data. By requesting a limitation, you have, at least for a certain period of time, the possibility to stop us from using the data other than to, for example, defend legal claims. You can also prevent us from erasing the data, for example if you need the data to claim damages.
Right to erasure
In certain cases, you can obtain the erasure of your personal data. When your personal data is necessary for the purposes for which it was collected, is needed to fulfill a legal obligation, or is needed for us to establish, assert or defend legal claims, we cannot erase the data.
Right to data portability
If we process personal data relating to you to fulfill an agreement, you have the possibility in certain cases to obtain your personal data to use it somewhere else, for example transferring the data to another personal data controller.
Comments on our processing?
If you have any concerns about our processing of your personal data, please feel free to contact us. You can find our contact details above.
You can also lodge a complaint with the IMY. Information on how to do this can be found on the IMY page on lodging a complaint.
If you have suffered damage due to the unlawful processing of your personal data, you may be entitled to compensation. You can then claim damages from us or bring an action for damages in court. You can find our contact details above.