INTRODUCTION
Personal Data is processed by Vitala in accordance with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation - hereinafter referred to as "GDPR") and the regulations concerning the protection of personal data applicable in Sweden.
GDPR applies to any software user processing data in the EU or processing data of EU citizens.
Detailed information on how the data is processed can be found below.
PERSONAL DATA
7.1 We may disclose your personal data to our data processors, such as companies providing IT and cloud services or payment administration services.
7.2 If a violation of the law or of our general terms of use is suspected, we may disclose your personal data to law enforcement authorities and legal adv
1. Who is a data controller?
Data controller refers to the entity or person that determines the purposes, conditions, and means of the processing of personal data.
Aasa Health AB, org. no. 559116-7936, with address Ola Hanssonsgatan 4, apt 1004, 112 52 Stockholm, Sweden (“we”, “our”, “us”, “the Company”, or “Vitala”). We are the data controller in the following cases:
- When you provide us with contact details;
- When we process technological data related to the use of the application;
- When you apply to us;
- When we conduct recruitments;
- When you are employed or when we commission you to perform services;
- When we process the complaint resolution process;
- When we archive data in accordance with legal requirements related to tax obligations;
- When we archive data in accordance with legal requirements related to employer obligations;
- When we archive data for the purpose of establishing, investigating, or defending legal claims.
2. Questions and contact information
If you have any questions or concerns after reading this document, please do not hesitate to contact us. We appreciate your feedback. You can contact us by email at gdpr@vitala.health.
3. Data Protection Officer
We have appointed a Data Protection Officer, Mrs. Beata Marek (“DPO”). You can contact our DPO by email at gdpr@vitala.health.
4. What personal data can we collect and why?
As a data controller, we process personal data that comes directly from the person to whom the data pertains (“you”). This may also include your activity in the Vitala App.
The table below describes the purpose, the data we process, and the legal basis:

We, as a data processor, may also process medical data of the users of the Application. Detailed information about this can be found in the Privacy Policy of the App.
3. Source of data origin
We collect data directly from you. If you haven't provided us with data, we don't have it. However, in exceptional cases, if we are a data processor, we may process data provided by the healthcare provider who creates your account in the Application and then sends you an invitation.
4. Consent as a legal basis for data processing
Consent is voluntary. You can withdraw your consent at any time. Please note that if you withdraw your consent, we will no longer process the data associated with further processing, but we have the right to retain information for the purpose of establishing, investigating, or defending legal claims, based on the consent provided, including when you granted and subsequently withdrew your consent.
5. Data processing time
The processing time varies depending on the processing activities. Where we are a data processor, we process data in accordance with the agreement with the data controller. Where we are a data controller, we can clearly specify that, depending on the purpose, data is processed for the following durations:
- Support
From the moment you contact us for support until the end of the support, we process data (primary purpose). We have the right to retain information about the support provided for internal verification procedures, including for the purpose of establishing, investigating, or defending legal claims if they arise (secondary purpose). The data will be deleted after a period of 2 years.
- Contact
From the time you contact us until we provide you with a response (primary purpose). However, we may engage in prolonged correspondence, so we only delete correspondence after 2 years. We retain access to previous messages to understand the nature of the contact, the topics discussed, or to resume communication after an extended break with new information without duplicating previously provided information (secondary purpose).
- Marketing
From the time you grant us consent until you withdraw it (primary purpose). After this period, we may process information about when and for what you gave consent, as well as what information was provided to you and how, for the purpose of establishing, investigating, or defending legal claims. The data is deleted after a period of 2 years (secondary purpose). In the case of cookies, you manage cookie settings on our website, and your choices are automatically saved. Your last settings are remembered.
- Technology and development
From the moment you have an Account in our software until you delete your Account.
- Recruitment
From the moment of giving consent until the withdrawal of consent (primary purpose). After this period, we have the right to archive information about when and for what you gave consent. Although the recruitment process has ended, we retain this data for the purpose of establishing, investigating, or defending legal claims to demonstrate processing activities related to the consent you provided (secondary purpose). The data is deleted after a period of 2 years.
- HR
From the moment HR acquires data related to the management of employee processes until the end of the legal basis for processing the data. Labor law regulations impose obligations on us regarding data retention, including storing information related to employment.
- Bookkeeping
From the moment we receive data for accounting purposes until the end of the legal basis for processing the data. Tax regulations impose obligations on us regarding data retention, including storing information about issued invoices or accepted liabilities.
- Complaints
From the moment of filing a complaint until the completion of the complaint handling (primary purpose). After this period, we have the right to archive information about when, in connection with what, and how the complaint was processed and for whom, for the purpose of establishing, investigating, or defending legal claims (secondary purpose). The data is deleted after a period of 2 years.
- Claims
From the moment a claim is established or a claims process is initiated until the necessary period for handling the claim - any data subject to archiving may be processed for the purpose of handling this processing goal. The data is deleted when the statutory limitation periods for claims expire, or when the proceedings are concluded conclusively. We have the right to retain information beyond this period about when, in connection with what, and who was involved, what the outcome was, and if applicable, details of the proceedings - unless it concerns proceedings where the judgment is expunged, in which case the data is deleted in due course.
6. Your rights
You have the right to access your data, rectify, transfer (if the basis for processing is art. 6.1.a GDPR), delete or limit processing, the right to object (if the basis for processing is art. 6.1.f GDPR), and the right to lodge a complaint with the supervisory body. The supervisory authority, due to Vitala's registered office, is The Swedish Authority for Privacy Protection. You can find more information here: https://www.imy.se/en/individuals/forms-and-e-services/file-a-gdpr-complaint/
7. Data recipients
We may share your personal information with the following categories of individuals/entities:
Business Partners and Vendors: We share Personal Data with a limited number of partners, service providers, and other persons/entities who help run our business (“Business Partners”). Specifically, we may employ third-party companies and individuals to facilitate our Services, provide Services on our behalf, perform Service-related functions, or assist us in analyzing how our Services are used. Our Business Partners are contractually bound to protect your Personal Data and to use it only for the limited purpose(s) for which it is shared. Business Partners’ use of Personal Data may include, but is not limited to, the provision of services such as data hosting, IT services, customer services, and payment processing.
Our Advisors: We may share your Personal Data with third parties that provide advisory services to Vitala, including, but not limited to, our lawyers, auditors, accountants, and banks (collectively, “Advisors”). Personal Data will only be shared with Advisors if Vitala has a legitimate business interest in the sharing of such data.
Third Parties Upon Your Direction or Consent: You may direct Vitala to share your Personal Data with third parties. Upon your request and consent, we may share such Personal Data with those third parties that you identify.
Third Parties Pursuant to Business Transfers: In the event of a reorganization, merger, sale, joint venture, assignment, transfer, or other disposition of all or any portion of Vitala’s corporate entity, assets, or stock (including in connection with any bankruptcy or similar proceedings), we may share your Personal Data with a third party.
Government and Law Enforcement Authorities: If reasonable and necessary, we may share your Personal Data to (i) comply with legal processes or enforceable governmental requests, or as otherwise required by law; (ii) cooperate with third parties in investigating acts or omissions that violate this Privacy Policy or the Terms and Conditions; or (iii) bring legal action against someone who may be violating the Terms and Conditions or who may be causing intentional or unintentional injury or interference to the rights or property of Vitala or any third party, including other users of our Services.
8. What Happens to Personal Data Submitted by Minors?
Vitala does not knowingly collect Personal Data from individuals under the age of 18. Additionally, our Services are not directed to individuals under the age of 18. We request that these individuals not provide Personal Data to us. If we learn that Personal Data from users under the age of 18 has been collected, we will deactivate the User Account associated with that data and take reasonable measures to promptly delete such data from our records. If you are aware of a user under the age of 18 accessing the Services or Platform, please contact us at lisa@vitala.health.
9. Profiling
We do not profile personal data. We do not use automated programs.
10. Transfer of data to third countries
The transfer of data to third countries takes place on the basis of the agreements we have signed. The table below does not provide a compilation of entities used in connection with the management of employee affairs and work. This information is available in the relevant document for inspection by authorised personnel (employees and collaborators).
According to the provisions of the GDPR, each case of transferring personal data to a third country (outside the EEA) must be based on the appropriate legal basis for data processing. One of the mechanisms through which companies transfer personal data outside the EEA is Article 45 of the GDPR. The European Commission has the power to determine, on the basis of Article 45 of the GDPR, whether a country outside the EU offers an adequate level of data protection. The second way is Article 46.2.c of the GDPR, the so-called Standard Contractual Clauses (SCC). SCCs are template contracts that the European Commission has approved for use and whose application it has permitted by issuing relevant decisions in this regard. Below are the entities we cooperate with and the appropriate legal basis for data transfer:
