We  at Aasa Health AB, org. no. 559116-7936, with address Ola Hanssonsgatan 4, apt 1004, 112 52 Stockholm, Sweden. (“we”, “our” “us”,  “the Company”,  or  “Vitala”)  value your privacy and are committed to keeping your personal data confidential. We provide the Care Portal ("CP") for your use ("you"; "User") in accordance with the Terms and Conditions and Privacy Policy.

Please note that Vitala does not provide medical services. In specific cases, the Healthcare Provider, which may be you ("HP"; "Healthcare Provider"), provides medical services to patients. As an HP, you have access to the Personal Data of Application ("App") users, which you can add and delete through the CP. Vitala only provides services related to the maintenance and technical operation of the CP ("Services"), so please read the following Privacy Policy carefully.

BY ACCESSING AND/OR USING THE APP, YOU ARE ACKNOWLEDGING THAT YOU HAVE READ AND AGREE TO THE TERMS OF THIS PRIVACY POLICY. IF YOU DO NOT AGREE, YOU MUST IMMEDIATELY CEASE USING THE SERVICES AND CP.

This Privacy Policy applies to personal data processed through the CP. The term "Personal Data" encompasses any information that can be used on its own or in combination with other information to identify an individual or contact a specific person. Some Personal Data may be considered "health data" (i.e., data related to your physical or mental health), "protected health information" or "PHI" (i.e., information that relates to your past, present, or future physical or mental health or condition(s), the provision of healthcare to you, or past, present, or future payments for your healthcare), and/or medical records as defined by law.

We take the protection of personal data seriously and comply with regulations.  Furthermore, we comply with the requirements of the California Consumer Privacy Act of 2018 (“CCPA”) and the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).

Note regarding third-party sites:  CP may contain links to other sites that are not operated by Vitala. If you click a third-party link, you will be directed to that third   party’s   site.   We   strongly   advise   you   to   review   every   site   you   visit   for   the privacy policy(ies). Vitala has no control over and assumes no responsibility for the content,   privacy   policies,   or   practices   of   any   third-party   sites   or   services.   This Privacy Policy does not apply to your use of or access to any third-party sites or services.

We may modify this Privacy Policy from time to time. We will notify you of significant changes by e-mail. The changes will take effect within 30 days. If you do not agree with the proposed changes, you should stop using the CP before the change becomes effective. If you continue to use the CP after the effective date, you will be bound by the updated Privacy Policy terms.

We would like to point out that the Privacy Policy is available in English and other languages. For other languages, we use machine translation from English. Machine translation may not be perfect, so in cases of dispute over interpretation, English (the source language of translation) shall prevail.

Please remember that we always prioritise the welfare of our users, and no provisions will be interpreted to the detriment of the consumer within the meaning of the law.

If you have any questions or concerns after reading this Privacy Policy, please do not hesitate to contact us. We appreciate your feedback. You can contact us by email gdpr@vitala.health

For maximum transparency, we present a summary with respect to which Personal Data Vitala is a data controller or HP, and with respect to which Personal Data Vitala is a data processor. A detailed description of each type of Data can be found in section 7.

Vitala acts as the data controller in CP in relation to Support Data and Technology Data. We have appointed a Data Protection Officer, Mrs. Beata Marek (“DPO”). You can contact our DPO by email gdpr@vitala.health

We process different types of information. Each category of data is explained in depth below and the processing principles.

Contact Data: Your first name, last name, email address, and job title are visible in the CP and may be shared with App users (e.g., when an invitation is sent). We obtained your data from the HP, who provided the information for which users should have accounts created in the CP by us. We may send information related to service provision to your email address and phone number. This may also include CP notifications. For example, you might receive a message with a confirmation code. You may also receive system messages via email. We do not use your contact details to send spam, nor do we sell this data.

Legal basis for processing: Article 6(1)(b) of the GDPR. Communication is related to the proper functioning of the Application and the provision of services by the Healthcare Provider. Vitala processes data based on a data processing agreement concluded with the data controller.You can change your phone number and email address in the application settings. Data prior to the change is stored in connection with the records of SMS or email messages sent to you.

Deleting your Account in the CP will not result in the deletion of data unless the HP confirms the permanent deletion of the data. Remember that the data controller is the HP and certain data may be needed to demonstrate compliance with legal obligations regarding data retention or in connection with access to the services you provide or for the defense, pursuit, or establishment of legal claims.

‍Support Data: If you contact us for support or to lodge a complaint, we may collect your email address or telephone number and   technical   or   other   information   from   you   through   log   files   and   other technologies, some of which may qualify as Personal Data (e.g., IP address). Such information will be used for the purposes of troubleshooting and technical support in accordance with this Privacy Policy. You provide your data voluntarily.

Legal basis for processing by Vitala is article 6.1.f of the GDPR. The legitimate interest lies in providing you with assistance in connection with the operation of the CP. Please remember that we do not provide support in any other scope than issues related to the operation/non-operation/problems with functionalities in the CP.    

Data is obtained directly from you (your email address or phone number, or any other information you provide) or in connection with your actions in the CP (related to actions you take to verify a problem). Remember, we never ask for your login credentials, financial, or medical information. Never provide such information.

Communication with the support department is recorded, meaning that, under the right of control, it can be verified by us in terms of how the consultant provided assistance. We do not offer telephone support.

From the moment you contact us until your issue is resolved, the data is processed for the primary purpose of providing you with support. After providing you with support, the data is processed for secondary purposes, such as archiving our actions to assist you. The data is stored for the purpose of verifying the quality of service provided to you and for establishing, investigating, or resolving legal claims. Please note that we do not retain data beyond 24 months (after this period, it is deleted). After this period, if you file claims with us regarding technical support, we will not be able to assist you.

The data is processed within the European Economic Area. We do not profile you. The recipients of the data can only be authorised employees or contractors who provide services for us, especially IT solution providers and technical support representatives. More information can be found in 9 point. 

‍Technology Data: We may process your   IP   address   (or   proxy   server),   device   and   application   identification numbers,   location,   browser   type,   Internet   service   provider   and/or   mobile carrier,   the   pages,   and   files   you   viewed,   your   searches,   your   operating system,   and   system   configuration   information,   and   date/time   stamps associated   with   your   usage.   This   information   is   used   to   analyse   overall trends and help to resolve technical issues.

We do not monitor the activity of a specific user. We do not profile users. CP improvement is based on statistical analysis. However, if you contact us for technical support, we may track your activity if necessary and related to providing you with support. We do not, however, interfere with any data you have entered. We can only check what action may have caused a specific error in the CP. An IP address is considered Personal Data, so it is our duty to inform you that Vitala may collect additional information related to your use of the CP in connection with your IP address. You provide your data voluntarily.

Legal basis for processing by Vitala is article 6.1.f of the GDPR. The legitimate interest lies in processing data that contains logs that can later be used to provide technical support and software development. Anonymous data is used for statistics and service improvement - it is not associated with any user or IP address. The statistics only consist in counting the number of total clicks in the App, loading time, etc. 

Data is obtained directly from you. We emphasize that statistical data does not contain personal information and cannot be linked to a specific individual. However, your actions in the CP are recorded in the form of logs and are associated with your IP address.

The data is processed from the moment you have an Account in the CP until you delete your Account.

The data is processed within the European Economic Area. We do not profile you. The data recipients can only be authorised employees or contractors who provide services for us, especially IT solution providers and technical support representatives. More information can be found in 9 point. 

‍Statistical Data: Vitala processes aggregate data on the use of the CP by Users. However, this data does not count as Personal Data because we do not process any data that could link the readings we collect with you or any other User. Statistical Data allows us to analyze. On this basis, we create statistics that allow us to group information (not about specific natural persons) and use it for various purposes, such as creating publications, materials, CP development, etc. We do not collect the IP address, name, surname, e-mail address, number personal data and no other data allowing association with a specific natural person. However, we process de-identified data and statistics relating to age, gender, diseases, completed training sessions, self-reported results and ratings.

‍The user data from the App that can be procees in CP includes:

Behavioural Data: We and you may process data about how users App behave and what your habits are based on information that user provide us directly or information that we download from an application that you integrate with App (e.g. Google Fit or Health Connect).

Legal basis for processing: Article 6(1)(b) of the GDPR. The App user can decide to enable this feature and start collecting data in the App. This data will synchronise with the CP. Vitala processes data based on a data processing agreement concluded with the data controller.Disabling this feature will stop further data collection. However, this does not mean that the data already collected will be deleted from the App and CP. This data will remain visible, and the HP may use it or is using it to provide services to the App user. Deleting the Account in the App will result in the deletion of data within 30 days. Deleting the App user's Account in the CP will result in immediate data deletion.

‍Demographic Data: We and you may process demographic   data  which   may   include,   but   not   be   limited   to,   user App   name,   birth   year,   gender, height,   weight,   phone   number,   and   e-mail   address.   This data will synchronise with the CP.  The   collection   of   this demographic data is primarily used to create Account in App and provision of services by the Healthcare Provider. ‍

Legal basis for processing: Article 6.1.b of the GDPR. Vitala processes data based on a data processing agreement with the data controller.

Deleting the Account in the App will result in the deletion of data within 30 days. Deleting the App user's Account in the CP will result in immediate data deletion.

‍Medical Data: We and you may process information  regarding  user App  health  conditions,  including,  but  not  limited  to, images,  age,  gender,  weight,  height,  medical  history,  symptoms,  and communications between user App and you.

Legal basis for processing: Article 6.1.b of the GDPR. Vitala processes data based on a data processing agreement with the data controller.

Deleting the Account in the Application will result in deletion of data within 30 days. Deleting the App user's Account in the CP will result in immediate data deletion.

Your rights include:

- The right to know who is processing personal data, for what purpose and why.

You've been informed in point 7 who processes your data in the App and how. We've specified in which cases we act as the data controller and in which cases as the data processor.

- The right to access the personal data held by an organisation free of charge, and to receive a copy in an accessible format.
‍We provide access to data through the App. You can also contact us to verify the specific data we process. Remember that Vitala is the data controller only for support data and technology data. In all other aspects, your Healthcare Provider is the data administrator, and you can seek support from them for access to data.

- The right to object to an organisation processing personal data without consent, unless there is a higher priority public interest. The right to object at any time to direct advertising, i.e. advertising sent directly to the recipient. 
‍We do not send you any advertisements, and we do not process data based on your consent. Similarly, the data controller does not process your App data based on your consent and does not send any advertisements. If you receive an advertisement from your Healthcare Provider or inappropriate information through the App, please contact us. We emphasise that such actions are not allowed in the App. Please note that recommendations or prescriptions for medications, supplements, or other products provided by your Healthcare Provider do not constitute advertising.

- The right to have data corrected if they are incorrect, incomplete, or untrue when they are processed by an organisation. 
‍You can modify your data in the App at any time. Some data entered by your Healthcare Provider may not be changeable by you in the App. Contact your Healthcare Provider to change such data. Please remember that certain data may not be changed due to historical events and the obligation to maintain medical documentation. Your Healthcare Provider will inform you in detail if they refuse to change any data.

- The right to have data deleted, which is also referred to as the right to be forgotten. This right is applicable if a person’s data is no longer needed or is being processed illegally. 
‍We have the right to refuse data deletion under Article 17.3.e of the GDPR. We have provided detailed descriptions of the cases and the duration for which we process data for the purpose of establishing, investigating, or defending legal claims. Regarding data for which your Healthcare Provider is the administrator, you can find detailed information in the privacy policy of your Healthcare Provider.

- The right to move data relates to when personal data is being used by a company following consent or agreement. In that case, the data can be returned or transferred to another company at the individual’s request. This is referred to as the right to “data portability”. 
‍Vitala does not process your data in the App as a data controller based on a contract or consent. However, we specify that Vitala acts as a data processor in relation to (i) behavioural data; (ii)  contact data; (iii) demographic data; (iv) medical data - in this case the processing process complies with Healthcare Provider privacy policy and data processing agreement.

- The right to be informed of the loss of personal data means that an organisation that holds personal data must inform Authority for Privacy Protection and/or Data Protection Authority (depending on the registered office) about any personal data breaches that entail a risk to the privacy of an individual. If the breach poses a high risk to an individual, the individual must also be informed in person.
‍The relevant responsibility lies with the data controller. Vitala has implemented a process for handling data breaches or privacy violations, including assessing the impact of such breaches, in accordance with ENISA guidelines. This allows us to determine whether a data breach is of high, medium, or low severity. We also investigate privacy violations. In the case of data where we act as a processor, the data controller will be informed within the agreed-upon timeframe specified in the data processing agreement. Notification to the supervisory authority or data subjects may also occur if necessary. Regarding data for which Vitala is the data controller, appropriate actions will be taken after assessing the impact of the breach, including its severity.

- The right to lodge a complaint with the supervisory authority.
‍Without prejudice to any other administrative or judicial remedy, every data subject has the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work, or place of the alleged infringement, if the data subject considers that the processing of personal data relating to them violates the GDPR.The supervisory authority, due to Vitala's registered office, is The Swedish Authority for Privacy Protection.

More information you can find here: https://www.imy.se/en/individuals/forms-and-e-services/file-a-gdpr-complaint/

We may share your personal information with the following categories of individuals/entities:

‍Business Partners and Vendors: We share Personal Data with a limited number of partners, service providers, and other persons/entities who help run our business (“Business Partners”). Specifically, we may employ third-party companies and individuals to facilitate our Services, provide Serviceson our behalf, perform Service-related functions, or assist us in analyzing how our Services are used.

Our Business Partners are contractually bound to protect your Personal Data and to use it only for the limited purpose(s) for which it is shared. Business Partners’ use of Personal Data may include, but is not limited to, the provision of services such as data hosting, IT services, customer services, and payment processing.

‍Our Advisors:  We   may share your Personal Data with third parties that provide advisory services to Vitala, including, but not limited to, our lawyers, auditors, accountants, and banks (collectively, “Advisors”). Personal Data will only be shared with Advisors if Vitala has a legitimate business interest in the sharing of such data.

‍Third Parties Upon Your Direction or Consent: You may direct Vitala to share your Personal Data with third parties. Upon your request and consent, we may share such Personal Data with those third parties that you identify.

‍Third Parties Pursuant to Business Transfers:  In the event  of  are organization,   merger, sale, joint venture, assignment, transfer, or other disposition of all or any portion of Vitala’s corporate entity, assets, or stock(including in connection with any bankruptcy or similar proceedings), we may share your Personal Data with a third party.

‍Government and Law Enforcement Authorities: If reasonable and necessary, we may  share your Personal Data to (i) comply with legal processes or enforceable governmental requests, or as otherwise required bylaw; (ii) cooperate with third parties in investigating acts or omissions that violate this Privacy Policy or the Terms and Conditions; or (iii) bring legal action against someone who may be violating the Terms and Conditions or who may be causing intentional or unintentional injury or interference to the rights or property of Vitala or any third party, including other users of our Services.

Vitala does not knowingly collect Personal Data from individuals under the age of 18. Additionally, our Services are not directed to individuals under the age of 18. We request  that  these  individuals  not  provide  Personal  Data  to  us.  If  we  learn  that Personal Data from users under the age of 18 has been collected, we will deactivate the  User  Account  associated  with  that  data  and  take  reasonable  measures  to promptly delete such data from our records. If you are aware of a user under the age  of  18  accessing  the  Services  or  CP,  please  contact  us  at info@vitala.health

Deleting your Account in the CP: The Account can only be deleted by the administrator. Please contact the administrator or your employer for more information.

‍Deleting user App Account by HP: You can delete the patient account in the view after logging in.

‍Deleting your Account and processing Personal Data by Vitala: Support Data and Technological Data is processed by Vitala as a data controller. Regardless of whether you delete your Account or HP deletes it, Vitala will process collected information related to Support Data and Technology Data for 10 years from the moment of deleting your Account for the purposes of establishing, pursuing or defending legal claims.

Vitala  understands  the  importance  of  data  confidentiality  and  security.  We  use  a combination of reasonable physical, technical, and administrative security controls to (i) maintain the security and integrity of your Personal Data; (ii) protect against any threats or hazards to the security or integrity of your Personal Data; and (iii) protect against unauthorized access to or use of such information in our possession or control that could result in substantial harm to you.While  Vitala  uses  reasonable  security  controls, WE  CANNOT  GUARANTEE  OR WARRANT  THAT  SUCH  TECHNIQUES  WILL  PREVENT  UNAUTHORIZED  ACCESS  TOYOUR  PERSONAL  DATA.  VITALA  IS  UNABLE  TO  GUARANTEE  THE  SECURITY  ORINTEGRITY OF PERSONAL DATA TRANSMITTED OVER THE INTERNET, AND THERE ISNO GUARANTEE THAT YOUR PERSONAL DATA WILL NOT BE ACCESSED, DISCLOSED,ALTERED, OR DESTROYED BY BREACH OF ANY OF OUR PHYSICAL, TECHNICAL, OR ADMINISTRATIVE SAFEGUARDS.

‍YOU ASSUME THE RISK THAT UNAUTHORISED ENTRY OR USE, HARDWARE   OR   SOFTWARE   FAILURE,   AND   OTHER   FACTORS   MAY COMPROMISE THE SECURITY OF YOUR PERSONAL DATA AT ANY TIME. WE MAKE EVERY EFFORT TO ENSURE SUCH SITUATIONS DO NOT OCCUR.

Vitala stores Personal Data on secured servers and uses a combination of technical, administrative, and physical safeguards to protect your personal information. Such safeguards include, but are not limited to, authentication, encryption, backups, and access controls.

You are solely responsible for preventing unauthorised access to your devices and your User Account by protecting your account credentials and limiting access to your devices. Vitala has no access to or control over your device’s security settings, and it is your responsibility to implement any device-level security features and protections you feel are appropriate (e.g., password protection, encryption, remote wipe capability). We recommend that you take all appropriate steps to secure any device that you use.

Please note that Vitala will never send you an email requesting confidential information, such as account numbers, usernames, passwords, Social Security Numbers, medical or financial data. If you receive a suspicious email from Vitala, please notify us at info@vitala.health.

Further, if you know of or suspect any unauthorized use or disclosure of your User Account information or any other security concern, please notify Vitala immediately.

Vitala does not send any advertising messages via the CP. Marketing of services or sending commercial information is only possible based on the consent granted by the natural person. This takes place outside of CP channels.

Yes. You can give and manage your consent through the tool designed for cookie consent. It also contains a list of solutions that use cookies along with descriptions.

No.

This Privacy Policy is governed by and construed in accordance with the laws of Sweden. Any disputes or claims may be brought by the consumer and brought before the court having jurisdiction over the consumer's place of residence. A dispute may also be filed due to Vitala's registered office.

We are open to all the needs of users and our customers. Therefore, please contact us first before you decide to take legal action. We believe that we will be able to find an amicable solution to the situation.

At the same time, we would like to remind you that you have the right to lodge a complaint with the supervisory authority if you believe that your rights have been violated or we are acting inconsistently with GDPR. We do not limit your rights in any way. The national law in which you reside or where you use the CP applies.

We make the content of the Privacy Policy available at the following URL: https://www.vitala.health/legal. By using the CP, you agree to Privacy Policy terms.

The Privacy Policy may also be made available in a different manner, upon individual request of a given person, if such a person encounters problems in displaying or reading the Privacy Policy.

To this end, they are requested to get in touch with us: info@vitala.health

‍This Privacy Policy applies to the CP. It does not apply to services that have a separate privacy policy that does not contain this Privacy Policy.