Privacy Policy
For Patients
Senast uppdaterad: 17.06.2024
This notice describes how Personal Data (defined below) and/or medical information about you may be used and disclosed and how you can obtain access to this information. Please review it carefully.
INTRODUCTION
We at Aasa Health AB, org. no. 559116-7936, with address Ola Hanssonsgatan 4, apt 1004, 112 52 Stockholm, Sweden. (“we”, “our” “us”, “the Company”, or “Vitala”) value your privacy and are committed to keeping your personal data confidential. We use your data solely in the context of providing the Vitala application (“App”) for use by qualified physicians and staff (“Healthcare Providers”) to provide services and care to patients (“Patient Users” , “you”). The Healthcare Providers provide remote therapeutic monitoring (“RTM”) services, including all relevant content and functionality associated with the App and the RTM services (collectively, the “Services”).
1. Privacy Policy Applicability
This Privacy Policy applies to personal data processed through the App. The term "Personal Data" encompasses any information that can be used on its own or in combination with other information to identify an individual or contact a specific person. Some Personal Data may be considered "health data" (i.e., data related to your physical or mental health), "protected health information" or "PHI" (i.e., information that relates to your past, present, or future physical or mental health or condition(s), the provision of healthcare to you, or past, present, or future payments for your healthcare), and/or medical records as defined by law.
We take the protection of personal data seriously and comply with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation - hereinafter referred to as "GDPR") and Swedish data protection regulations. Furthermore, we comply with the requirements of the California Consumer Privacy Act of 2018 (“CCPA”) and the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). You can find more information about this in the GDPR and HIPAA sections.
Note regarding third-party sites: Our App may contain links to other sites that are not operated by Vitala. If you click a third-party link, you will be directed to that third party’s site. We strongly advise you to review every site you visit for the privacy policy(ies). Vitala has no control over and assumes no responsibility for the content, privacy policies, or practices of any third-party sites or services. This Privacy Policy does not apply to your use of or access to any third-party sites or services.
2. Agreement to Privacy Policy Terms
BY ACCESSING AND/OR USING THE APP, YOU ARE ACKNOWLEDGING THAT YOU HAVE READ AND AGREE TO THE TERMS OF THIS PRIVACY POLICY. IF YOU DO NOT AGREE, YOU MUST IMMEDIATELY CEASE USING THE SERVICES AND PLATFORM.
3. Privacy Policy Updates
Please note that we occasionally update this Privacy Policy. Every Privacy Policy has a date from which its provisions are in effect. A newer version automatically replaces the previous one. We will inform you electronically about any new version of the Privacy Policy. If you do not agree with the new terms, please discontinue using the App. Continuing to use the App after the effective date of the Privacy Policy signifies your agreement to use the App under the conditions specified in the latest version of the Privacy Policy.
4. Language of the Privacy Policy
We would like to point out that the Privacy Policy is available in English, Finnish, and Swedish. For other languages, we use machine translation from English. Machine translation may not be perfect, so in cases of dispute over interpretation, English (the source language of translation) shall prevail. Please remember that we always prioritise the welfare of our users, and no provisions will be interpreted to the detriment of the consumer within the meaning of the law.
5. Questions and contact information
If you have any questions or concerns after reading this Privacy Policy, please do not hesitate to contact us. We appreciate your feedback. You can contact us by email gdpr@vitala.health .
PERSONAL DATA
6. General information
Please remember that we are not the data controller of your data provided at the registration stage in the App and in connection with the provision of Services in App by the Healthcare Provider to you. Information about the data controller is in the relevant privacy policy and is provided at the stage of confirming your invitation. In relation to (i) behavioural data; (ii) contact data; (iii) demographic data; (iv) medical data processed within the App, we act as the data processor.
Vitala acts as the data controller in App in relation to support data and technology data. We have appointed a Data Protection Officer, Mrs. Beata Marek (“DPO”). You can contact our DPO by email gdpr@vitala.health .
7. What data is processed in App?
We process different types of information from you. Each category of data is explained in depth below and the processing principles.
Behavioural Data: We may process data about how you behave and what your habits are based on information that you provide us directly or information that we download from an application that you integrate with our App (e.g. Google Fit or Health Connect). For example, if you allow us, we can track your walking/running activity and daily steps to then show this data in the App and include it in your prescriptions.
Legal basis for processing by the data controller: Article 6.1.b of the GDPR. You have the ability to decide to enable the feature and initiate data collection within the App. If you choose to do so, the data collected is in connection with the services provided to you by the Healthcare Provider. Vitala processes data based on a data processing agreement with the data controller.
Disabling this feature will stop further data collection. However, it does not mean that the data already collected will be deleted from the App. This data will remain visible, and your Healthcare Provider may have used or is using it to provide services to you, which is why it is not deleted. Deleting the Account in the Application will result in deletion of data within 30 days.
Contact Data: We may send information to your email address and phone number that is related to the provision of services. This may also include notifications regarding the App. For example, you may receive an SMS with a confirmation code for your account. You may also receive system messages via email. We do not use your contact information for sending spam, and we do not sell this data.
Legal basis for processing by the data controller: Article 6.1.b of the GDPR. Communication occurs in connection with the proper functioning of the App and the provision of services by the Healthcare Provider. Vitala processes data based on a data processing agreement with the data controller.
You can change your phone number and email address in the App settings. The data prior to the change is stored in relation to records of SMS or email messages sent to you.
Deleting the Account in the Application will result in deletion of data within 30 days.
Demographic Data: We may process demographic data which may include, but not be limited to, your name, birth year, gender, height, weight, phone number, and e-mail address. The collection of this demographic data is primarily used to create your Account and provision of services by the Healthcare Provider.
Legal basis for processing by the data controller: Article 6.1.b of the GDPR. Vitala processes data based on a data processing agreement with the data controller.
Deleting the Account in the Application will result in deletion of data within 30 days.
Medical Data: We may process information regarding your health conditions, including, but not limited to, images, age, gender, weight, height, medical history, symptoms, and communications between you and your Healthcare Provider who is providing Services to you via the App. We collect this information to provide you with the Services and to provide your Healthcare Provider with the information required to provide medical treatment through the App.
Legal basis for processing by the data controller: Article 6.1.b of the GDPR. Vitala processes data based on a data processing agreement with the data controller.
Deleting the Account in the Application will result in deletion of data within 30 days.
Support Data: If you contact us for support or to lodge a complaint, we may collect your email address or telephone number and technical or other information from you through log files and other technologies, some of which may qualify as Personal Data (e.g., IP address). Such information will be used for the purposes of troubleshooting and technical support in accordance with this Privacy Policy. You provide your data voluntarily.
Legal basis for processing by Vitala is article 6.1.f of the GDPR. The legitimate interest lies in providing you with assistance in connection with the operation of the App. Please remember that we do not provide support in any other scope than issues related to the operation/non-operation/problems with functionalities in the App.
Data is obtained directly from you (your email address or phone number, or any other information you provide) or in connection with your actions in the App (related to actions you take to verify a problem). Remember, we never ask for your login credentials, financial, or medical information. Never provide such information.
Communication with the support department is recorded, meaning that, under the right of control, it can be verified by us in terms of how the consultant provided assistance. We do not offer telephone support.
From the moment you contact us until your issue is resolved, the data is processed for the primary purpose of providing you with support. After providing you with support, the data is processed for secondary purposes, such as archiving our actions to assist you. The data is stored for the purpose of verifying the quality of service provided to you and for establishing, investigating, or resolving legal claims. Please note that we do not retain data beyond 24 months (after this period, it is deleted). After this period, if you file claims with us regarding technical support, we will not be able to assist you.
The data is processed within the European Economic Area. We do not profile you. The recipients of the data can only be authorised employees or contractors who provide services for us, especially IT solution providers and technical support representatives. More information can be found in 9 point.
Technology Data: We may process your IP address (or proxy server), device and application identification numbers, location, browser type, Internet service provider and/or mobile carrier, the pages, and files you viewed, your searches, your operating system, and system configuration information, and date/time stamps associated with your usage. This information is used to analyse overall trends and help to resolve technical issues.
We do not monitor the activity of a specific App user. We do not profile users. App improvement is based on statistical analysis. However, if you contact us for technical support, we may track your activity if necessary and related to providing you with support. We do not, however, interfere with any data you have entered. We can only check what action may have caused a specific error in the App. An IP address is considered Personal Data, so it is our duty to inform you that Vitala may collect additional information related to your use of the App in connection with your IP address. You provide your data voluntarily.
Legal basis for processing by Vitala is article 6.1.f of the GDPR. The legitimate interest lies in processing data that contains logs that can later be used to provide technical support and software development. Anonymous data is used for statistics and service improvement - it is not associated with any user or IP address. The statistics only consist in counting the number of total clicks in the App, loading time, etc.
Data is obtained directly from you. We emphasize that statistical data does not contain personal information and cannot be linked to a specific individual. However, your actions in the App are recorded in the form of logs and are associated with your IP address.
The data is processed from the moment you have an Account in the App until you delete your Account.
The data is processed within the European Economic Area. We do not profile you. The data recipients can only be authorised employees or contractors who provide services for us, especially IT solution providers and technical support representatives. More information can be found in 9 point.
8. Your rights
Your rights include:
The right to know who is processing personal data, for what purpose and why.
You've been informed in point 7 who processes your data in the App and how. We've specified in which cases we act as the data controller and in which cases as the data processor.
The right to access the personal data held by an organisation free of charge, and to receive a copy in an accessible format.
We provide access to data through the App. You can also contact us to verify the specific data we process. Remember that Vitala is the administrator only for support data and technology data. In all other aspects, your Healthcare Provider is the data administrator, and you can seek support from them for access to data.
The right to object to an organisation processing personal data without consent, unless there is a higher priority public interest. The right to object at any time to direct advertising, i.e. advertising sent directly to the recipient.
We do not send you any advertisements, and we do not process data based on your consent. Similarly, the data controller does not process your App data based on your consent and does not send any advertisements. If you receive an advertisement from your Healthcare Provider or inappropriate information through the App, please contact us. We emphasise that such actions are not allowed in the App. Please note that recommendations or prescriptions for medications, supplements, or other products provided by your Healthcare Provider do not constitute advertising.
The right to have data corrected if they are incorrect, incomplete, or untrue when they are processed by an organisation.
You can modify your data in the App at any time. Some data entered by your Healthcare Provider may not be changeable by you in the App. Contact your Healthcare Provider to change such data. Please remember that certain data may not be changed due to historical events and the obligation to maintain medical documentation. Your Healthcare Provider will inform you in detail if they refuse to change any data.
The right to have data deleted, which is also referred to as the right to be forgotten. This right is applicable if a person’s data is no longer needed or is being processed illegally.
We have the right to refuse data deletion under Article 17.3.e of the GDPR. We have provided detailed descriptions of the cases and the duration for which we process data for the purpose of establishing, investigating, or defending legal claims. Regarding data for which your Healthcare Provider is the administrator, you can find detailed information in the privacy policy of your Healthcare Provider.
The right to move data relates to when personal data is being used by a company following consent or agreement. In that case, the data can be returned or transferred to another company at the individual’s request. This is referred to as the right to “data portability”.
Vitala does not process your data in the App as a data controller based on a contract or consent. However, we specify that Vitala acts as a data processor in relation to (i) behavioural data; (ii) contact data; (iii) demographic data; (iv) medical data - in this case the processing process complies with Healthcare Provider privacy policy and data processing agreement.
The right to be informed of the loss of personal data means that an organisation that holds personal data must inform Authority for Privacy Protection and/or Data Protection Authority (depending on the registered office) about any personal data breaches that entail a risk to the privacy of an individual. If the breach poses a high risk to an individual, the individual must also be informed in person.
The relevant responsibility lies with the data controller. Vitala has implemented a process for handling data breaches or privacy violations, including assessing the impact of such breaches, in accordance with ENISA guidelines. This allows us to determine whether a data breach is of high, medium, or low severity. We also investigate privacy violations. In the case of data where we act as a processor, the data controller will be informed within the agreed-upon timeframe specified in the data processing agreement. Notification to the supervisory authority or data subjects may also occur if necessary. Regarding data for which Vitala is the data controller, appropriate actions will be taken after assessing the impact of the breach, including its severity.
The right to lodge a complaint with the supervisory authority.
Without prejudice to any other administrative or judicial remedy, every data subject has the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work, or place of the alleged infringement, if the data subject considers that the processing of personal data relating to them violates the GDPR.
The supervisory authority, due to Vitala's registered office, is The Swedish Authority for Privacy Protection. More information you can find here: https://www.imy.se/en/individuals/forms-and-e-services/file-a-gdpr-complaint/
9. Data recipients
We may share your personal information with the following categories of individuals/entities:
Business Partners and Vendors: We share Personal Data with a limited number of partners, service providers, and other persons/entities who help run our business (“Business Partners”). Specifically, we may employ third-party companies and individuals to facilitate our Services, provide Serviceson our behalf, perform Service-related functions, or assist us in analyzing how our Services are used. Our Business Partners are contractually bound to protect your Personal Data and to use it only for the limited purpose(s) for which it is shared. Business Partners’ use of Personal Data may include, but isnot limited to, the provision of services such as data hosting, IT services, customer services, and payment processing.
Our Advisors: We may share your Personal Data with third parties that provide advisory services to Vitala, including, but not limited to, our lawyers, auditors, accountants, and banks (collectively, “Advisors”). Personal Data will only be shared with Advisors if Vitala has a legitimate business interest in the sharing of such data.
Third Parties Upon Your Direction or Consent: You may direct Vitala to share your Personal Data with third parties. Upon your request and consent, we may share such Personal Data with those third parties that you identify.
Third Parties Pursuant to Business Transfers: In the event of are organization, merger, sale, joint venture, assignment, transfer, or other disposition of all or any portion of Vitala’s corporate entity, assets, or stock(including in connection with any bankruptcy or similar proceedings), we may share your Personal Data with a third party.
Government and Law Enforcement Authorities: If reasonable and necessary, we may share your Personal Data to (i) comply with legal processes or enforceable governmental requests, or as otherwise required bylaw; (ii) cooperate with third parties in investigating acts or omissions that violate this Privacy Policy or the Terms and Conditions; or(iii) bring legal action against someone who may be violating the Terms and Conditions or who may be causing intentional or unintentional injury or interference to the rights or property of Vitala or any third party, including other users of our Services.
10. What Happens to Personal Data Submitted by Minors?
Vitala does not knowingly collect Personal Data from individuals under the age of 18. Additionally, our Services are not directed to individuals under the age of 18. We request that these individuals not provide Personal Data to us. If we learn thatPersonal Data from users under the age of 18 has been collected, we will deactivate the User Account associated with that data and take reasonable measures to promptly delete such data from our records. If you are aware of a user under the age of 18 accessing the Services or Platform, please contact us at lisa@vitala.health.
11. Deleting Account
If you wish to delete your account, please contact your Healthcare Provider or please contact us at info@vitala.health .
Deleting the Account in the Application will result in deletion of data within 30 days.
In the case of support data and technology data, the data is not deleted after you delete your account. The data is retained for the purpose of establishing, investigating, or defending legal claims for an additional period of 2 years. In relation to this data, Vitala is the data controller.
12. Security of personal data
Vitala understands the importance of data confidentiality and security. We use a combination of reasonable physical, technical, and administrative security controls to (i) maintain the security and integrity of your Personal Data; (ii) protect against any threats or hazards to the security or integrity of your Personal Data; and (iii) protect against unauthorized access to or use of such information in our possession or control that could result in substantial harm to you.
While Vitala uses reasonable security controls, WE CANNOT GUARANTEE OR WARRANT THAT SUCH TECHNIQUES WILL PREVENT UNAUTHORIZED ACCESS TO YOUR PERSONAL DATA. VITALA IS UNABLE TO GUARANTEE THE SECURITY ORINTEGRITY OF PERSONAL DATA TRANSMITTED OVER THE INTERNET, AND THERE ISNO GUARANTEE THAT YOUR PERSONAL DATA WILL NOT BE ACCESSED, DISCLOSED,ALTERED, OR DESTROYED BY BREACH OF ANY OF OUR PHYSICAL, TECHNICAL, OR ADMINISTRATIVE SAFEGUARDS. YOU ASSUME THE RISK THAT UNAUTHORISED ENTRY OR USE, HARDWARE OR SOFTWARE FAILURE, AND OTHER FACTORS MAY COMPROMISE THE SECURITY OF YOUR PERSONAL DATA AT ANY TIME. WE MAKE EVERY EFFORT TO ENSURE SUCH SITUATIONS DO NOT OCCUR.
13. What Safeguards Does Vitala Have in Place to Secure Personal Data?
Vitala stores Personal Data on secured servers and uses a combination of technical, administrative, and physical safeguards to protect your personal information. Such safeguards include, but are not limited to, authentication, encryption, backups, and access controls. More information you can find in HIPAA section.
14. How can you protect your data?
You are solely responsible for preventing unauthorised access to your devices and your User Account by protecting your account credentials and limiting access to your devices. Vitala has no access to or control over your device’s security settings, and it is your responsibility to implement any device-level security features and protections you feel are appropriate (e.g., password protection, encryption, remote wipe capability). We recommend that you take all appropriate steps to secure any device that you use.
Please note that Vitala will never send you an email requesting confidential information, such as account numbers, usernames, passwords, Social Security Numbers, medical or financial data. If you receive a suspicious email from Vitala, please notify us at info@vitala.health.
Further, if you know of or suspect any unauthorized use or disclosure of your User Account information or any other security concern, please notify Vitala immediately.
ADVERTISING, MARKETING, AND TRACKING
15. Does Vitala Send Marketing or Advertisement Materials?
Vitala does not send any advertising messages via the App. Marketing of services or sending commercial information is only possible based on the consent granted by the natural person. This takes place outside of App channels.
16. Are cookies processed in the App?
No
17. Are tracking algorithms used in the App?
No
19. Governing Law
This Privacy Policy is governed by and construed in accordance with the laws of Sweden. Any disputes or claims may be brought by the consumer and brought before the court having jurisdiction over the consumer's place of residence. A dispute may also be filed due to Vitala's registered office.
We are open to all the needs of users and our customers. Therefore, please contact us first before you decide to take legal action. We believe that we will be able to find an amicable solution to the situation.
At the same time, we would like to remind you that you have the right to lodge a complaint with the supervisory authority if you believe that your rights have been violated or we are acting inconsistently with GDPR. We do not limit your rights in any way. The national law in which you reside or where you use the App applies.
20. Miscellaneous
We make the content of the Privacy Policy available when you download the App and first launch the App. You can read it at any time on our website at the following URL: https://www.vitala.health/en/privacy , Privacy Policy App tab and in App. By using the App, you agree to Privacy Policy terms.
The Privacy Policy may also be made available in a different manner, upon individual request of a given person, if such a person encounters problems in displaying or reading the Privacy Policy. To this end, they are requested to get in touch with us: info@vitala.health
This Privacy Policy applies to the App. It does not apply to services that have a separate privacy policy that does not contain this Privacy Policy.
