1. Introduction

These Terms of Service (“Terms”) set forth the terms for purchasing and using the My Nightingale service (“Service”).

By placing an order, you agree to be bound by these Terms and use the My Nightingale Service in accordance with these Terms. By placing an order, you warrant that you are at least 18 years old. If you are buying the Service for someone else, you warrant that the user of the Service is at least 18 years old.

The Service is valid and can be used for 12 months from the purchase, or in case of gift card voucher, from redeeming the gift card voucher. The gift card voucher is valid until the expiry date indicated on the gift card voucher before which it must be redeemed.

We may revise these Terms from time to time in our sole discretion. The version of the Terms which exists at the time you place your order will be the terms which govern the Service. Please check this page before you submit an order for Services, as this version may be different from the version(s) which applied to previous order(s) for Services you submitted.

2. Scope of the Service

My Nightingale is a health service that provides comprehensive blood-based information to help you maintain and improve your health and wellbeing.

The Service consists of:
a) Blood test at Nightingale Nest;
b) measuring and analysing your blood sample using Nightingale’s proprietary technology; and
c) providing the results via My Nightingale app.

3. Pricing and Payment Terms 

The price of the Service is the price indicated on the order page of the My Nightingale site (“Site”) when you placed your order. Payment of the price of the Service shall be made at the time you place the order.

After payment, we will send you email to confirm your purchase.

You have a right to a refund within 14 days of purchase. However, if you take the blood test before the end of the 14-days cancellation period, a refund is no longer possible.

4. Results

Your My Nightingale blood test results (“Results”) include the Nightingale Health Index, a number of health indicators and biomarkers, which are parameters of metabolic health.

We aim to provide your Results within two to seven working days of the blood test. We will make every reasonable effort to ensure that your Results are delivered within the estimated timescale.

The Results are provided to you via My Nightingale app (“App”). To book time for blood test and to receive Results through My Nightingale app, you must create an account on the My Nightingale Site. You are solely responsible for keeping your password and account details confidential and are fully responsible for all activities that occur under your password or account.

The health indicators are based on scientific research findings on how the blood test results in some large studies correlate with common chronic diseases as well as overall health. The health indicators give you indicative information about your wellbeing. The health indicators cannot be considered as a diagnosis and as such cannot be used as a basis for diagnosis. 

Ketosis is reflected by a raised level of beta-hydroxybutyrate, the main ketone bodies circulating in your blood. Ketosis result is based on reference values as found in scientific literature or commonly used in laboratories giving you indicative information about your body’s ketosis state. Ketosis result cannot be considered as a diagnosis and as such cannot be used as a basis for diagnosis or for other diagnostic purposes.

Any intervention or other action you decide to do based on your Results is entirely at your own risk.

5. Intellectual Property Rights

You acknowledge and agree that Nightingale owns all intellectual property rights related to the Service.

6. Liability

Nightingale’s maximum liability for any responsibility under these Terms is limited to the amount you paid (or someone paid on your behalf) for the Service or one hundred (EUR 100) euros, where no amount is paid to us. Nightingale is not liable for any indirect damage.

7. Data Protection and Privacy

Nightingale is committed to the high standards of data protection and privacy set forth by the GDPR. Nightingale has implemented measures and systems to ensure the confidentiality of your data.

For a full description of data protection, see our Privacy Policy.

8. Subcontracting

Nightingale is entitled to use subcontractors to fulfil any of its obligations without separate permission from you.

9. Other terms

You may not transfer your rights or your obligations under these Terms without our prior written consent.

Each of the paragraphs of these Terms operates separately. If any court or relevant authority decides that any of them are invalid, illegal or unenforceable, the remaining paragraphs will remain in full force and effect.

These Terms constitute the entire agreement relating to the Service, and no other communications, whether oral or written, are considered as part of the Terms.

10. Applicable Law and Dispute Resolution

 These Terms are governed by the laws of Finland, excluding its regulations regarding the choice of law.

Any dispute relating to these Terms can be settled by the Consumer Disputes Board (for more information: kuluttajariita.fi) or the district court of Helsinki or the district court of your domicile.

Effective from 27 May 2020

1. Introduction

By visiting our website nightingalehealth.com (the “Site”) you agree to the following Terms and Conditions. Please note that you must not use the Site, if you object to any of the following Terms and Conditions. These Terms and Conditions, including any legal notices and disclaimers contained on the Site, constitute the entire agreement between “Nightingale Health Ltd” and you in relation to your use of the Site, and supersede all prior agreements and understandings with respect to the same.

2. Cookies

This Site uses cookies. By using this Site and agreeing to these Terms and Conditions, you consent to our use of cookies as stated in our Cookie policy.

3. Intellectual property rights

Unless otherwise stated, Nightingale Health Ltd owns the intellectual property rights of the Site and all of its published content. All material on the Site is subject to copyright protection (including but not limited to: corporate symbols, brand names, product names, trademarks, text, images and audio-visual elements), with all intellectual property rights reserved. Reproduction, transfer, distribution or storage (whether partial or full) of the content in any form, without our prior written permission, is prohibited, except in accordance with the following:

1. you may view, download and print pages from the Site for your own personal use (subject to the restrictions set out in the following section and elsewhere in these Terms and Conditions); 
2. press releases and other documents indicated as being public can be used also for public communications, provided that you clearly state the source of the information. 

4. Restrictions to using our Site

You are expressly restricted from:

1. selling, sublicensing and/or otherwise commercializing any material from the Site; 
2. publicly performing and/or displaying any Site material not already indicated as being public;
3. using the Site in any way that causes damage to it (such as impairing its availability or accessibility), or damages any person or business entity in any way which is unlawful, illegal, fraudulent or harmful;
4. using the Site to copy, store, host, transmit, send, use, publish or distribute any material which consists of (or is linked to) a computer virus or other malicious computer software;
5. engaging in any data mining, data harvesting, data extracting or any other similar activity in relation to the Site or its use; and
6. using the Site to engage in any advertising or marketing. 

Use of any external websites through links on the Site are subject to their own separate terms and conditions. We have no control over the contents or properties of such websites, and assume no liability for any matters arising out of your use of them. Unless specifically stated to the contrary, we do not endorse any website we link to, nor the owners, operators, contents or other related properties.

Certain areas of the Site may have restricted access. We may further restrict your access to any areas of the Site, at any time, in its sole and absolute discretion.

Any user ID and passwords you may have for the Site are confidential and you are responsible for maintaining the confidentiality of such information. 

5. Your content on our Site

In these Terms and Conditions, “Your Content” shall mean any audio, video, text, images or other material you choose to display on the Site. With respect to Your Content, by displaying it you grant Nightingale Health Ltd a non-exclusive, worldwide, irrevocable, royalty-free, sublicensable license, to use, reproduce, adapt, publish, translate and distribute it in any and all media. Your Content must be your own and must not be unlawful, unfit for publication, or infringing on any third-party’s rights. We reserve the right to remove any of Your Content from the Site at any time, for any reason, and without prior notice.

6. Warranties

The Site is provided “as is,” and on an “as available” basis. Nightingale Health Ltd makes no express or implied representations or warranties, of any kind related to the Site and its material.

Without prejudice Nightingale Health Ltd does not warrant the following:

1. the Site will be constantly available, or available at all;
2. the information on the Site is complete, true, accurate or non-misleading although reasonable care has been taken to ensure that the Site's contents are obtained or compiled from sources we believe to be reliable;
3. nothing on the Site constitutes, or is meant to constitute, advice of any kind. If you require advice in relation to any medical matter you should consult an appropriate healthcare professional.

7. Limitation of liability

In no event shall Nightingale Health Ltd, or any of its directors or employees, be liable to you for anything arising out of, or in any way connected with, your use or the inability to use this Site. We share no liability for any inaccuracies, delays, failures contained on the Site, or for any direct, indirect, consequential or special liability arising out of your use of it.

8. Indemnification

You hereby indemnify Nightingale Health Ltd for any damage Nightingale Health Ltd may incur and any third party claims against Nightingale Health Ltd, in relation to the material you submit.

9. Processing of your personal data

Nightingale Health Ltd maintains a high level of protection of your privacy. We process your personal data in accordance with the applicable Finnish and European Union personal data legislation. We may need to collect personal data through the Site for the information services you need and for marketing, sales and business development purposes. You may at any time request us to correct, update or delete your personal data. We may transfer personal data only to our trusted partners and as required by the law or formalities of public authorities. More information about protecting personal data and information security can be found in our Privacy Policy.

10. Other provisions

If any provision of these Terms and Conditions is found to be unenforceable or invalid under law, such unenforceability or invalidity shall not render these Terms and Conditions unenforceable or invalid as a whole, and such provisions shall be deleted without affecting the remaining provisions herein.

We are permitted to revise these Terms and Conditions at any time as we see fit without prior notification.

We are permitted to assign, transfer, and subcontract our rights and/or obligations under these Terms and Conditions without any notification or consent required. However, you shall not be permitted to assign, transfer, or subcontract any of your rights and/or obligations under these Terms and Conditions.

These Terms and Conditions, including any legal notices and disclaimers contained on this Website, constitute the entire agreement between Nightingale Health Ltd and you in relation to your use of this Website, and supersede all prior agreements and understandings with respect to the same.

11. Governing Law & Jurisdiction

These Terms and Conditions will be governed by and construed in accordance with the laws of Finland, without regard to the principles governing conflicts of any jurisdiction.

Controller and contact details 

Nightingale Health Ltd. (the “Company”)
Business ID: 1750524-0
Address: Mannerheimintie 164a, 00300 Helsinki
Phone: +358 20 730 1810
Email: privacy@nightingalehealth.com

If you have any questions relating to the processing of your personal data or if you wish to exercise your rights, please contact us by email or the postal address indicated above. We have privacy policies for the following categories:

• B2B customers and business contacts
• Recruitment candidates
• My Nightingale Service

BtoB Customers and other business contacts

This Privacy Policy describes how we collect and use personal data of our customers, potential customers and other business contacts.

The information we collect

We mainly process personal data obtained directly from you. We may collect your personal data whenever you contact us, use our resources or visit our website nightingalehealth.com (the “Site”). In addition, your personal data may be collected and updated from other sources, such as websites of associated companies, private and public registers, and other service providers (e.g. Suomen Asiakastieto Oy).

We mainly process the following types of information:

• name, title, job description, company, postal address, email address, phone number; 
• customer history (e.g. contacts, assignments, feedback, information related to invoicing); 
• interests and profiling information to personalize our services;
• information on the use of services, such as browsing and search history, cookies as stated in our cookie policy;
• customer feedback and contacts;
• direct marketing restrictions; and
• any other information provided to us by our customers and business contacts or generated in the course of providing services.

Why we collect your data and legal basis for our processing

We process your personal data mainly for the following purposes based on your consent, our legitimate interest (e.g. customer relationship management, business development and marketing), a performance of a contract with you, or a legal obligation: 

• to develop the Site;
• to provide newsletters and services and other communications which we think will be of interest to you;
• to fulfill our contractual (and other) obligations;
• to fulfill our legal responsibilities;
• to manage and develop our business relationships, products and services;
• to help us to identify new customers;
• for direct marketing and statistical purposes, customer profiling and market surveys to personalize or otherwise improve our services and communications for the benefit of our customers.

How we protect your personal data

Our internal organization is structured to meet the requirements of our Quality Management System certified according to EN ISO 13485 and the data protection legislation applicable to our operations. We have implemented appropriate technical and organizational measures to secure your personal data from loss, misuse, unauthorized access, disclosure, alteration and destruction.

Our personnel are trained on appropriate information security practices covering necessary security and safety matters, such as ensuring the confidentiality of personal data and preventing exposure of personal data to non-authorized persons. Only authorized employees of the Company (or other companies working on our behalf), who need your personal data to perform their job duties, have access to and the right to process your personal data in our system. Access to the system requires the use of a personal username and password for each user.

Whenever we process your personal data we honor and take account of your privacy rights under the applicable data protection legislation. As a part of our Quality Management System, we regularly check our security policies and procedures to ensure our systems and your personal data are secure and protected.

Disclosures of personal data

We do not disclose or sell data to third-parties, unless disclosure is required by the law, formalities of public authorities, or for some other justified purpose. However, we may share information with our external service providers who are obliged to process the data on our behalf and for the abovementioned purposes, mainly to maintain our IT, customer and marketing systems.

Transfers of personal data outside of the EU/EEA

We do not transfer your personal data outside of the EU/EEA area. However, some of our external service providers or servers used may be located (or store data) outside of the EU/EEA. In these cases, we will ensure that your personal data is subject to an adequate level of protection, as required by the applicable data protection legislation. 

How long we store your personal data

Your personal data will be stored for the purposes mentioned above as long as:

• we have a meaningful business or other contact with you;
• the data is necessary for the performance of a contract; or
• as required by applicable laws and regulations. 

However, we may retain your personal data for a longer period to the extent required by our automated backup system or if deemed necessary for the establishment, exercise or defense of legal claims.

We regularly review the need for data storage and delete the data no longer necessary for the abovementioned purposes in a secure manner, taking into account the applicable legislation.

What are your rights and how to exercise them

You have the right, with the restrictions that follow from legislation, to:

• access the personal data we process about you and request a copy of the data;
• request that we make corrections to any incorrect or incomplete personal data about you in our records and in some cases, the erasure of your personal data;
• request that we restrict the processing of your personal data only to storage, e.g. if you contest the correctness of the data or the lawfulness of the processing;
• object to the processing of your personal data when the processing is based on our legitimate interest;
• receive, under certain preconditions, your personal data that you have provided to us in a structured, commonly used, and machine-readable format, and the right to transmit the data to another controller; and
• withdraw your consent, if we are processing your data based on your consent. 

To exercise your rights, requests must be made in writing to the email or the postal address indicated above. You may exercise your rights free of charge. However, we reserve the right to charge a reasonable fee in accordance with the applicable data protection legislation.

In addition, you always have the right to refuse the use of your personal data for opinion surveys, direct marketing and profiling in connection to such marketing. A refusal can be made at any time by using the email or postal address indicated above, or by unsubscribing from our mailing list by following the instructions included in our marketing emails.

If you consider that the processing of your personal data infringes the applicable data protection legislation, you have also the right to lodge a complaint with a supervisory authority.

Changes to our Privacy Policy

If we make any changes to our Privacy Policy, the updated Privacy Policy can be found on our website with an indication of the amendment date. Please review this Privacy Policy from time to time to stay updated on any changes. If the changes are significant, we may also inform you about this by other means, for example by sending an email.

Last updated in September 2018.

Recruitment candidates

This Privacy Policy describes how we collect and store personal data of our recruitment candidates for recruitment purposes.

The information we collect

We mainly collect and store information obtained directly from you. We do not collect data from any external sources (e.g. potential referees) without your prior consent, unless otherwise provided by law.

We mainly process the following information about you:

• name, contact information, education, work experience and any other information you provide to us in your application and CV;
• date of application and applied position; and
• other information necessary for recruitment that you provide to us during the recruitment process.

Why we collect your data and legal basis for our processing

We collect personal information about you in the recruitment process to assess whether you could be a suitable candidate for an open position.

We process your personal data only for legitimate human resources and business management purposes based on your consent or request prior entering into an employment agreement, our legitimate interest (e.g. to comply with our employer obligations and to protect our legal position in the event of legal proceedings) or a legal obligation.

How we protect your personal data

Our internal organization is structured to meet the requirements of our Quality Management System certified according to EN ISO 13485 and the data protection legislation applicable to our operations. We have implemented appropriate technical and organizational measures to secure your personal data from loss, misuse, unauthorized access, disclosure, alteration and destruction.

Our personnel are trained on appropriate information security practices covering necessary security and safety matters, such as ensuring the confidentiality of personal data and preventing exposure of personal data to non-authorized persons. Only authorized employees of the Company (or other companies working on our behalf), who need your personal data to perform their job duties, have access to and the right to process your personal data in our system. Access to the system requires the use of a personal username and password for each user. If we need to process your personal data manually, it is stored in locked cabinets within office premises and protected by an access control system.

Whenever we process your personal data we honor and take account of your privacy rights under the applicable data protection legislation. As a part of our Quality Management System, we regularly check our security policies and procedures to ensure our systems and your personal data are secure and protected.

Disclosures of personal data

We do not disclose your personal data to third-parties, unless disclosure is required by the law, formalities of public authorities (e.g. employment authorities), or for some other justified purpose. However, we may share your information with our employees and external service providers who are obliged to process the data on our behalf and for the abovementioned purpose, mainly to assist us in the recruitment process (e.g. Azets Insight Oy) or maintain our IT systems (e.g. cloud hosting and storage services).

Transfers of personal data outside of the EU/EEA

We do not transfer your personal data outside of the EU/EEA area. However, some of our external service providers or servers used may be located (or store data) outside of the EU/EEA. In these cases, we will ensure that your personal data is subject to an adequate level of protection as required by the applicable data protection legislation.

How long we store your personal data

We store your application and any other information you have provided to us until the recruitment process has been completed and for a one (1) year period thereafter. On your consent, your information can be stored for as long as we consider your application relevant to us, a maximum period of two (2) years, in order to consider your application to a further job opportunity. Thereafter, we may retain a minimum amount of your personal data to record your recruiting activity with us.

In addition, we may retain your personal data for a longer period to the extent required by our automated backup system or if deemed necessary for the establishment, exercise or defense of legal claims.

We regularly review the need for data storage and delete data no longer necessary for the abovementioned purposes in a secure manner, taking into account the applicable legislation.

What are your rights and how to exercise them

You have the right, with the restrictions that follow from legislation, to:

• access the personal data we process about you and request a copy of the data;
• request that we make corrections to any incorrect or incomplete personal data about you in our records and in some cases, the erasure of your personal data;
• request that we restrict the processing of your personal data only to storage, e.g. if you contest the correctness of the data or the lawfulness of the processing;
• object to the processing of your personal data when the processing is based on our legitimate interest;
• receive, under certain preconditions, your personal data that you have provided to us in a structured, commonly used, and machine-readable format, and the right to transmit the data to another controller; and
• withdraw your consent, if we are processing your data based on your consent. 

In addition, you have the right to refuse the use of your personal data for direct marketing and profiling in connection to such marketing any time. We do not make any recruiting or hiring decisions based solely on automated decision-making.

To exercise your rights, please send your request in writing to the email or the postal address indicated above.

If you consider that the processing of your personal data infringes the applicable data protection legislation, you have also the right to lodge a complaint with a supervisory authority.

1. Data Controller and contact details for register related matters

Nightingale Health Ltd. (business ID 1750524-0) 
Mannerheimintie 164a, 00300 Helsinki 
Phone: +358 20 730 1810 
Email of the Data Protection Officer: privacy@nightingalehealth.com

2. For what purposes and on what basis do we process your personal data?

The register has been set up for My Nightingale -service (the “Service”) provided by Nightingale Health Ltd.. We process your data for the following purposes:

• Providing, organizing, planning, developing and implementing the Service (incl. purchase of the Service, user account creation, sampling, sample analysis and delivery of results);
• Managing and developing our customer relationships (incl. customer service and communications, customer feedback and electronic direct marketing), invoicing the Service and processing payments;
• Monitoring the Service and its use, controlling quality, supervising health care professionals’ operations and resolving potential damages and claims;
• Planning, compiling statistics of and evaluating our operations; and
• Developing and improving products and services in an anonymized form so that the person can no longer be identified.

The processing of the personal data is based on laws and regulations, such as:

• EU General Data Protection Regulation 2016/679, points a), b), c) and f) of Article 6(1)
• Act on the Status and Rights of Patients 17.8.1992/785
• Act on the Electronic Processing of Client Data in Social and Health Care 9.2.2007/159
• Decree of the Ministry of Social Affairs and Health on Health Records 30.3.2009/298, as well as a consent, an agreement and a legitimate interest of Nightingale Health Ltd. (incl. planning and reporting our operations, marketing and collection).

3. What kind of personal data do we process and from where do we collect the data?

We are processing the following personal data:

Basic information: 

• Personal data necessary for identification of the customer and organizing transactions
• Name and national identification number or other unique identifier to identify a person;
• Contact details, such as address, phone number and email;
• Self-created password for the Service;
• Payment details, such as credit card details.
• Information on consents and refusals 

Health data necessary for the Service:

• Service events and thereto related patient data and other health data (incl. date of sampling, sample type, unique sample identifier, gender, date of birth, information on potential medication or other clinically relevant information);
• Blood sample and the data received from the blood sample (incl. biomarkers) as well as analyses and results derived from them;
• Other necessary information required to secure organizing, planning, implementation and monitoring of the Service.

Data related to the customer history:

• Data related to appointments, contacts, use of Service and website (incl. cookies as stated in our cookie policy), feedbacks, customer satisfaction surveys, invoicing and collection.

The personal data stored in the register is primarily collected from you and the blood sample you have given. Information can be updated from public registers, such as the Population Register.

4. To whom do we disclose data, and do we transfer data outside the EU or the EEA?

Your health data is confidential. Persons processing the health data are bound by confidentiality obligation. Health data can be disclosed with a customer’s written consent or as provided by law. A consent to disclose health data can be restricted or withdrawn at any time.

Based on legislation, we have either the right or the obligation to disclose data e.g. to the supervisory authorities, such as Regional State Administrative Agencies, Office of the Data Protection Ombudsman, National Supervisory Authority for Welfare and Health, municipalities’ social welfare authorities, and judicial authorities.

We use external service providers to manage our IT, marketing, patient data, and customer information systems. We conclude data processing agreements with all service providers and require them to process personal data only to the extent necessary to provide such service.

We do not transfer your patient data outside the EU or the EEA. However, our external service providers may process your other personal data outside the EU or the EEA. In that case, we will provide adequate and appropriate safeguards in accordance with the applicable data protection legislation.

5. How do we protect the data and how long do we retain them?

Our internal organization is structured to meet the requirements of our Quality Management System certified according to EN ISO 13485 and the data protection legislation applicable to our operations. We apply the appropriate physical, technical, and administrative safeguards to protect data from misuse. These safeguards include, among others, control and filtering of network traffic, use of encryption techniques and safe data centers, appropriate access control, controlled granting of access rights and supervision of their use, giving instructions to the personnel participating in the personal data processing, and risk management related to the planning, implementation, and maintenance of our services. Personal data are processed only by those persons, who need the personal data to perform their job duties. Confidential patient data and records are stored in a patient data system, to which access rights are granted based on the role described in the employees’ job description. Manual material is archived in a locked area accessible only to restricted persons according to EN ISO 13485 Quality Management System.

Material on a paper format is stored in a locked area accessible only to persons who are processing such matters or documents.

To ensure the implementation of data protection, we conclude data processing agreements with our subcontractors who are processing personal data on our behalf.

Patient data are retained for as long as necessary, subject to compliance with the retention periods stipulated by the applicable laws and regulations (such as the Act on the Status and Rights of Patients and the Decree of the Ministry of Social Affairs and Health on Patient Records). As a rule, the retention period is 12 years from the patient’s death, or, if such information is not available, 120 years from the patient’s birth. After the measurement, the blood samples are stored for three months for quality control purposes, after which they are either anonymized or disposed of according to the process of EN ISO 13485 Quality Management System. Otherwise, the personal data are retained for as long as necessary for the purposes mentioned in section 2, after which they are either deleted or anonymized.

6. Your rights as a data subject relating to the processing of the data

As a data subject, you have the following rights: 

• Right of access to personal data
• Right to rectification of inaccurate personal data and, in certain cases, right to erasure of personal data, e.g. personal data that are no longer necessary or accurate in relation to the purpose of the register;
• Right to restriction of processing, e.g. if you contest the correctness of the personal data or the lawfulness of the processing;
• Right to object, e.g., on grounds relating to your particular situation, to processing of personal data that is based on a legitimate interest, or at any time, where personal data are processed for direct marketing purposes.
• Right to data portability from one system to another
• Right of access to a patient register log data 
  In accordance with the Act on Client Data (Act on the Electronic Processing of Client Data in Healthcare and Social Welfare 9.2.2007/159), you can request for the log data concerning your own patient data. The right to obtain the log data may be restricted, if the discloser of the log data is aware that providing the log data could seriously endanger the health or care of the individual or the rights of someone else. In addition, there is no right to obtain log data that are older than two years, unless there is a specific reason for that.
• Withdrawal of consent. Where the processing of the personal data is based on a consent, you can, at any time, withdraw or restrict your consent. The withdrawal of the consent shall not affect the lawfulness of the processing carried out prior to the withdrawal.

You may exercise your rights by submitting a free-form written request by email or letter to the addresses mentioned in section 1 above. The requests are always processed on a case-by-case basis.

In addition, you have a right to lodge a complaint  with a supervisory authority, in particular in the EU member state of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of your personal data infringes the EU General Data Protection Regulation.

1. Rekisterinpitäjä ja yhteystiedot rekisteriasioissa 

Nightingale Health Oy (y-tunnus 1750524-0)
Mannerheimintie 164a, 00300 Helsinki
Puh. +358 20 730 1810
Tietosuojavastaavan sähköposti: privacy@nightingalehealth.com

2. Mihin tarkoituksiin ja millä perusteella käsittelemme henkilötietojasi?

Rekisteri on perustettu Nightingale Health Oy:n tarjoamaa My Nightingale -palvelua varten (”Palvelu”). Käsittelemme tietojasi seuraaviin käyttötarkoituksiin:

• Palvelun tarjoamiseen, järjestämiseen, suunnitteluun, kehittämiseen ja toteutukseen (ml. Palvelun ostaminen, käyttäjätilin luominen, näytteenotto, näytteiden analysointi ja tulosten toimittaminen);
• Asiakassuhteen hoitoon ja kehittämiseen (ml. asiakaspalvelu ja -viestintä, asiakaspalautteet sekä sähköinen suoramarkkinointi) sekä Palvelun laskuttamiseen ja maksujen prosessointiin;
• Palvelun ja sen käytön seurantaan, laadunvalvontaan sekä terveydenhuollon ammattihenkilöiden toiminnan valvontaan ja mahdollisten vahinkojen tai kanteiden selvittämiseen;
• Toiminnan suunnitteluun, tilastointiin ja arviointiin; ja
• Tuotteiden ja palveluiden kehittämiseen ja parantamiseen anonymisoidussa muodossa siten, että henkilö ei ole enää tunnistettavissa. 

Henkilötietojen käsittely perustuu lakeihin ja asetuksiin, kuten:

• EU:n tietosuoja-asetus 2016/679, 6 artiklan 1 a), b), c) ja f) kohdat
• laki potilaan asemasta ja oikeuksista 17.8.1992/785
• laki sosiaali- ja terveydenhuollon asiakastietojen sähköisestä käsittelystä 9.2.2007/159
• sosiaali- ja terveysministeriön asetus potilasasiakirjoista 30.3.2009/298 sekä suostumukseen, sopimukseen ja Nightingale Health Oy:n oikeutettuun etuun (ml. toiminnan suunnittelu ja raportointi, markkinointi ja perintä). 

3. Millaisia henkilötietoja käsittelemme ja mistä keräämme tiedot?

Käsittelemme seuraavia henkilötietoja:

Perustiedot:

• Asiakkaan yksilöimiseksi ja asioinnin järjestämiseksi tarvittavat henkilötiedot:
• Nimi ja henkilötunnus tai muu tunniste henkilön yksilöimiseksi
• Yhteystiedot, kuten osoite, puhelinnumero ja sähköposti
• Asiakkaan luoma salasana Palveluun
• Maksutiedot, kuten luottokorttitiedot
• Tieto annetuista suostumuksista ja kielloista. 

Palvelua varten tarvittavat terveystiedot:

• Palvelutapahtumat ja niihin liittyvät potilastiedot sekä muut terveystiedot (ml. näytteenottopäivä, näytetyyppi, näytteen yksilöivä tunniste, sukupuoli, syntymäaika, tieto mahdollisesta lääkityksestä tai muusta kliinisesti merkityksellisestä tiedosta);
• Verinäyte ja siitä saatavat tiedot (ml. biomarkkeritiedot) sekä niistä johdetut analyysit ja tulokset.
• Palvelun järjestämisen, suunnittelun, toteuttamisen ja seurannan turvaamiseksi vaadittavat tarpeelliset muut tiedot. 

Asiakashistoriaan liittyvät tiedot:

• Ajanvaraukseen, yhteydenottoihin, Palvelun ja verkkosivujen käyttöön (ml. evästeet evästeselosteessamme todetuin tavoin), palautteisiin, asiakastyytyväisyyskyselyihin, laskutukseen ja perintään liittyvät tiedot. 

Rekisteriin tallennettavat henkilötiedot kerätään ensisijaisesti sinulta itseltäsi ja antamastasi verinäytteestä. Tietoja voidaan päivittää julkisista rekistereistä kuten väestörekisteristä.

4. Mille tahoille luovutamme tietoja ja siirrämmekö tietoa EU:n tai ETA:n ulkopuolelle?

Terveystiedot ovat salassa pidettäviä. Tietoja käsittelevillä on salassapito- ja vaitiolovelvollisuus. Terveystietoja voidaan luovuttaa asiakkaan kirjallisella suostumuksella tai laissa säädetyn mukaisesti. Suostumusta tietojen luovuttamiseen voi milloin tahansa rajata tai peruuttaa kokonaan.

Lainsäädännön perusteella meillä on joko oikeus tai velvollisuus luovuttaa tietoja esim. seuraaville tahoille: 

• Valvontaviranomaiset kuten mm. aluehallintovirasto, tietosuojavaltuutetun toimisto, Valvira, kuntien sosiaaliviranomaiset, oikeusviranomaiset.

Käytämme ulkopuolisia palveluntarjoajia IT- ja markkinointijärjestelmien, potilastietojärjestelmän sekä asiakastietojärjestelmän hallintaan. Solmimme kaikkien palveluntarjoajien kanssa sopimuksen henkilötietojen käsittelystä ja edellytämme yhteistyökumppaneidemme käsittelevän henkilötietoja vain siinä määrin kuin se on tarpeen ko. palvelun tuottamiseksi.

Emme siirrä potilastietojasi EU:n tai ETA-alueen ulkopuolelle. Ulkopuoliset palveluntarjoajamme voivat kuitenkin käsitellä muita henkilötietojasi EU:n tai ETA-alueen ulkopuolella. Siinä tapauksessa huolehdimme riittävistä ja asianmukaisista suojatoimista soveltuvan tietosuojalainsäädännön mukaisesti.

5. Miten suojaamme tietoja ja kuinka kauan säilytämme niitä?

Sisäinen organisaatiomme on rakennettu vastaamaan EN ISO 13485 sertifioidun laatujärjestelmämme vaatimuksia ja toimintaamme sovellettavaa tietosuojalainsäädäntöä. Käytämme asianmukaisia fyysisiä, teknisiä ja hallinnollisia suojakeinoja tietojen suojaamiseksi väärinkäytöksiltä. Tällaisia keinoja ovat mm. tietoverkkoliikenteen kontrollointi ja suodattaminen, salaustekniikoiden, turvallisten laitetilojen käyttö, asianmukainen kulunvalvonta, hallittu käyttöoikeuksien myöntäminen ja niiden käytön valvonta, henkilötietojen käsittelyyn osallistuvan henkilöstön ohjeistaminen sekä palvelujemme suunnittelussa, toteuttamisessa ja ylläpidossa tapahtuva riskienhallinta. Henkilötietoja käsittelevät ainoastaan sellaiset henkilöt, joille se on työtehtävien hoitamisen vuoksi tarpeellista. Salassa pidettävien potilastietojen ja asiakirjojen säilytykseen käytetään potilastietojärjestelmää, johon myönnetään oikeudet roolipohjaisesti työtehtävien perusteella. Manuaalinen aineisto arkistoidaan lukittuun tilaan, johon on pääsy vain EN ISO 13485 laatujärjestelmän mukaisesti rajatuilla henkilöillä.

Paperimuodossa oleva aineisto säilytetään lukituissa tiloissa, joihin on pääsy vain ko. asioita tai asiakirjoja käsittelevillä henkilöillä.

Varmistamme meidän lukuumme henkilötietoja käsittelevien alihankkijoiden kanssa tehtävillä tietojenkäsittelysopimuksilla tietosuojan toteutumisen.

Potilastietoja säilytetään niin kauan kuin on tarpeen ottaen huomioon laista ja asetuksista (kuten laki potilaan asemasta ja oikeuksista sekä sosiaali- ja terveysministeriön asetus potilasasiakirjoista) noudatettavaksi tulevat säilytysajat. Säilytysaika on pääsääntöisesti 12 vuotta potilaan kuolemasta tai, jos siitä ei ole tietoa, 120 vuotta potilaan syntymästä. Verinäytteet säilytetään laadunvalvontatarkoitusta varten kolme kuukautta mittauksesta, jonka jälkeen verinäytteet joko anonymisoidaan tai hävitetään EN ISO 13485 laatujärjestelmän prosessia noudattaen. Muilta osin henkilötietoja säilytetään niin kauan kuin se on tarpeellista edellä kohdassa 2 mainittujen käyttötarkoituksien toteuttamiseksi, minkä jälkeen ne joko poistetaan tai anonymisoidaan.

6. Oikeutesi rekisteröitynä tietojen käsittelyyn liittyen

Rekisteröitynä sinulla on seuraavat oikeudet:

• Oikeus saada pääsy henkilötietoihin
• Oikeus epätarkkojen tai virheellisten henkilötietojen oikaisemiseen ja tietyissä tapauksissa myös oikeus henkilötietojen poistamiseen, esim. rekisterin käyttötarkoituksen kannalta turhat ja väärät tiedot
• Oikeus käsittelyn rajoittamiseen, esim. henkilötietojen paikkansa pitämättömyyden tai käsittelyn lainvastaisuuden perusteella
• Vastustamisoikeus esim. silloin, kun henkilötietojen käsittelyn perusteena on oikeutettu etu henkilökohtaiseen erityiseen tilanteeseesi liittyvällä perusteella tai aina, kun henkilötietoja käsitellään suoramarkkinointia varten
• Oikeus siirtää henkilötiedot järjestelmästä toiseen
• Oikeus potilasrekisterin lokitietoihin. Asiakastietolain (laki sosiaali- ja terveydenhuollon asiakastietojen sähköisestä käsittelystä 9.2.2007/159) mukaisesti voit pyytää omia potilastietojasi koskevat lokitiedot. Oikeutta saada lokitietoja voidaan rajoittaa, jos lokitietojen luovuttajan tiedossa on, että lokitietojen antamisesta saattaisi aiheutua vakavaa vaaraa henkilön terveydelle tai hoidolle taikka jonkun muun oikeuksille. Myöskään kahta vuotta vanhempia lokitietoja ei ole oikeutta saada, jollei siihen ole erityistä syytä.
• Suostumuksen peruuttaminen 
  Voit milloin tahansa peruuttaa suostumuksen tai rajata sitä silloin, kun henkilötietojesi käsittely perustuu suostumukseen. Suostumuksen peruuttamisella ei ole vaikutusta ennen peruutusta tehtyyn tietojenkäsittelyn laillisuuteen.

Voit käyttää oikeuksiasi toimittamalla vapaamuotoisen kirjallisen tietopyynnön ja/tai vaatimuksen, joka käsitellään aina tapauskohtaisesti, sähköpostitse tai kirjeitse edellä kohdassa 1 mainittuihin osoitteisiin.

Lisäksi sinulla on oikeus tehdä valitus valvontaviranomaiselle, erityisesti siinä EU-jäsenvaltiossa, jossa vakinainen asuinpaikkasi tai työpaikkasi on taikka jossa väitetty rikkominen on tapahtunut, jos katsot, että sinua koskevien henkilötietojen käsittelyssä rikotaan EU:n tietosuoja-asetusta.

As is common practice with almost all professional websites, nightingalehealth.com (the “Site”) uses cookies. Cookies are small files that are downloaded to your device in order to improve your experience whenever you visit us.

We store cookies on your device if they are strictly necessary for the operation of this Site. With your consent, we may also use other types of cookies to personalise content and advertisements and to analyse our traffic. We share information about your use of our Site with our social media, advertising and analytics partners, who may combine it with other information that you’ve provided to them or that they’ve collected from your use of their services.

How long are cookies retained on your device?

Cookies can either be session cookies (they last only until you close your browser) or persistent (they remain on your computer or device until you delete them). Session cookies are usually used to remember relevant settings of your browsing session. Persistent cookies may typically be used for targeted advertising and gaining insight on how you use our Site. 

We use both session and persistent cookies. Persistent cookies are stored on your hard drive in between browser sessions until you delete them or they reach their expiry date as set forth in our cookie declaration.You can at any time change or withdraw your consent. You can at any time change or withdraw your consent.

You can find more information about cookies used on this Site (Cookie declaration) and check your current state and change your consent here.

Third-party Cookies 

Third-party cookies are cookies set by someone other than us for purposes such as collecting information on user behavior, demographics, or personalized marketing. When using our Site, you may encounter embedded content or you may be directed to other websites for such activities as making a payment. These websites and embedded content may use their own cookies. We do not have control over the placement of cookies by other websites, even if you are directed to them from our Site.

This Site uses Google Analytics, a third-party web analytics service. Occasionally we may also use the data collected by Google Analytics to produce browser-specifically targeted advertising provided by Google Adwords.

Google’s Privacy Policy is available at: http://www.google.com/intl/en/policies/privacy/

In addition, we use Leadfeeder to further refine the data collected by Google Analytics.

Leadfeeder’s Privacy Policy is available at: https://www.leadfeeder.com/privacy/

When you subscribe to our newsletter, MailChimp (The Rocket Science Group, LLC), which we use to manage our newsletter subscriber lists and send emails to our subscribers, may collect information about your device and interaction with an email by using cookies and other tracking technologies.

MailChimp’s privacy policy is available at: https://mailchimp.com/legal/privacy/ 

To provide answers for frequently asked questions on the My Nightingale service FAQ page, we use Intercom. In addition, we may use Intercom to communicate with you and answer your questions about the My Nightingale service on the FAQ page.  

You can find Intercom’s Privacy Policy at: https://www.intercom.com/terms-and-policies#privacy 

To process payments as part of the purchasing process for the My Nightingale service, we use Stripe.  

You can find Stripe’s Privacy Policy at: https://stripe.com/en-fi/privacy 

Learn more about how we process personal data in our Privacy Policy. If you are looking for further information, or have any questions about cookies, please don’t hesitate to contact us via email.

Email: privacy(at)nightingalehealth.com