Last updated 21 March 2022

Livit by Nightingale Health™ consumer service (“Service”) provides you information that helps you maintain and improve your health and wellbeing. You may either use the free version of the Service through our mobile application called Livit by Nightingale Health™ (“App”), or benefit from the possibility to purchase one of our health plans to receive personalized information on your current state of health based on your fingerprick blood sample (“Blood Test”). For more information on the Service, visit the App or Livit by Nightingale Health™ Consumer Terms of Service (“Terms of Service”).

Nightingale Health Plc or its group company with whom you have entered into an agreement regarding the Service (“Nightingale Health”, “we”, “us”) acts as the controller of the personal data collected and processed in connection with the Service and is committed to protecting your privacy in accordance with the applicable mandatory data protection legislation (“Data Protection Laws”). Please read this Privacy Policy to find out how Nightingale Health collects and processes your personal data when you access and use the Service.

1 What personal data do we process and where do we obtain such data

In connection with the Service, we process the following personal data about you depending on the choices and purchases you have made:

§ Basic information and preferences: first and last name; date of birth; account details (including email address, password, phone number); information on consents and refusals

§ Information related to the baseline estimate of healthy years: sex; height; weight; information on smoking; baseline estimate of healthy years people with similar baseline to you are likely to have during their life

§ Information related to the Blood Test and delivery of Blood Test results: shipping details (including delivery address) for the delivery of Nightingale Kit™; payment details (such as your credit card information); device identifier of the Nightingale Kit™ we have sent to you; your national identification number where required by applicable mandatory law; blood sample as well as data, analyses, and results derived from the blood sample

§ Information on customer history and use of the Service: information related to your contacts with us (such as feedback and recommendations you have shared with us, complaints and/or other inquiries you have made); data related to your use of the Service (such as information on which parts of the App you have used)

The personal data is primarily collected from you and from the blood sample you have provided to us. Information can also be updated from public registers as well as collected with tracking technologies through your use of the App. For more information on the tracking technologies that we use in the App, please visit our Cookie Policy.

2 For what purposes and on what bases do we process your personal data

We process your personal data for the purposes and on the legal bases set out below:

§ Provision of the Service in the form chosen by you. Processing of your personal data is based on the contract which is formed between Nightingale Health and you when you accept our Terms of Service. In addition, processing of your health-related information is based either on your consent or our legal obligation as a private healthcare service provider to collect and process certain personal data about our customers.

§ Customer support, customer communication, processing of customer feedback and claims. We process your personal data either based on the contract we have with you or our legitimate interest or legal obligation to provide customer support and important customer notices and to respond to customer complaints and other inquiries made to us.

§ Marketing of our services. Processing of your personal data for marketing purposes is based on our legitimate interest to market our services. Where required by applicable mandatory law, we will ask for your consent before sending you electronic direct marketing messages. You may opt-out of receiving electronic direct marketing at any time by following the unsubscribe instructions included in the electronic direct marketing messages we send to you. You may also opt-out at any time by contacting us using the contact details provided in Section 7.

§ In-App analytics to improve our services. Based on your consent, we use certain tracking technologies to carry out analytics in the App. Use of the information collected with the tracking technologies is based on our legitimate interest to improve our services. For more information, please visit our Cookie Policy.

§ Planning, monitoring, supervising, compiling statistics of, controlling quality of, and evaluating our operations and services. We process your personal data based on our legitimate interest or legal obligation to plan, monitor, supervise, compile statistics of, control quality of, and evaluate our operations and services.

§ Developing and improving our services. Processing of your personal data is based on our legitimate interest to develop and improve our services or your consent. For this purpose, data is only processed in anonymized form so that you can no longer be identified based on the data, unless otherwise agreed with your separate consent.

§ Detecting and preventing unlawful behavior and non-compliance with our terms and conditions; enforcing our legal rights. We process your personal data based on our legitimate interest to detect and prevent unlawful behaviour and non-compliance with our terms and conditions as well as to enforce our legal rights. In addition, the processing of your personal data may be based on our legal obligation.

Please note that if you refuse to provide the requested personal data necessary for the provision of the Service in the form chosen by you, we may not be able to provide the Service to you.

3 To whom do we disclose and where do we store your personal data

We treat your personal data as confidential. Persons processing your personal data are bound by a confidentiality obligation.

We may disclose your personal data to third parties in the following situations:

§ We may disclose your personal data within the Nightingale Health group of companies to the extent necessary for the provision of the Service.

§ Based on legislation, we may have either the right or the obligation to disclose your personal data to third parties, such as to judicial and other public authorities.

§ We use external service providers, e.g., to manage our IT, payment, marketing, data storage, and customer support systems. We conclude data processing agreements with all service providers and require them to process personal data only to the extent necessary to provide such service.

§ If we are involved in a sale or transfer of business/assets, a merger, a business reorganization, or a similar process, we may transfer your personal data to one or more third parties as part of the transaction.

§ We may also share your personal data with other third parties if you separately consent to such sharing.

We primarily store and process your personal data in the geographic region where it has been collected. However, we and our external service providers may also process the personal data outside such geographic region to the extent necessary for the purposes described in this Privacy Policy. In that case, we will provide adequate and appropriate safeguards in accordance with the Data Protection Laws to ensure sufficient protection for your personal data. For example, as regards personal data of EU consumers, we either ensure that there is an adequacy decision by the European Commission in place or enter into the standard contractual clauses approved by the European Commission.

4 How do we protect and how long do we retain your personal data

Our internal organization is structured to meet the requirements of our Quality Management System certified according to EN ISO 13485, our Information Security Management System certified according to ISO/IEC 27001:2013, and the requirements of the Data Protection Laws.

We apply appropriate physical, technical, and administrative safeguards to protect personal data from misuse. These safeguards include, among others, control and filtering of network traffic, use of encryption techniques and safe data centers, appropriate access control, controlled granting of access rights and supervision of their use, giving instructions to personnel processing personal data, and risk management related to planning, implementation, and maintenance of our services. Personal data are processed only by persons who need the personal data to perform their job duties.

We store all information and materials qualifying as patient data and records under the applicable law in a patient data system. Access rights to the patient data system are granted strictly based on a person’s role and need to process the data for the purposes of the Service.

We retain your personal data as long as reasonably necessary for the purposes for which they are processed in accordance with applicable laws, including for the purposes of any regulatory, accounting or reporting requirements. Patient data and records are retained subject to compliance with Data Protection Laws that stipulate mandatory retention periods (e.g., in Finland, patient records are retained for 12 years from the patient’s death, or, if such information is not available, 120 years from the patient’s birth). After measurement, blood samples are stored for quality control purposes, after which they are either anonymized or disposed of according to our internal processes. After the necessary retention period, we will either delete or anonymize all personal data.

5 Your rights as a data subject relating to the processing of your personal data

As a data subject, you have the following rights subject to the restrictions that follow from legislation:

§ Right of access to personal data. You have the right to know whether we process personal data about you and the right to request access to any personal data undergoing processing.

§ Right to rectification and erasure. You have the right to rectify inaccurate personal data about you and, in certain cases, right to erasure of your personal data, e.g., personal data that are no longer necessary or accurate in relation to the purposes of the processing.

§ Right to restriction of processing. You have the right request restriction of processing, e.g., if you contest the correctness of the personal data we process or the lawfulness of the processing.

§ Right to object. You may object to the processing of your personal data, on grounds relating to your situation, e.g., if the processing is based on our legitimate interest or the personal data are processed for direct marketing purposes.

We will give you the opportunity to opt out of future electronic direct marketing whenever we send you such marketing. You can also opt out at any time by contacting us using the contact details provided in Section 7. If you opt out from receiving our marketing communications, we retain certain limited personal data about you (e.g., name and email address) to ensure that we comply with your request.

§ Right to data portability. Under specific circumstances you have the right request your personal data to be transferred from one system to another.

§ Withdrawal of consent. Where our processing of your personal data is based on your consent, you can, at any time, withdraw or restrict your consent. The withdrawal or restriction of consent does not affect the lawfulness of the processing carried out prior to the withdrawal or restriction.

You may exercise your rights by contacting us using the contact details provided in Section 7. The requests are always processed on a case-by-case basis. For your protection, we may need to verify your identity before fulfilling your request. We will respond as soon as reasonably possible within the times set forth by applicable mandatory law. We reserve the right to deny your request based on applicable law and will inform you if we do so.

In addition, you have a right to lodge a complaint with your local supervisory authority if you consider that the processing of your personal data infringes the Data Protection Laws. Before contacting the supervisory authority, we recommend that you get in contact with us.

6 Revisions to the Privacy Policy

We may revise this Privacy Policy from time to time. Any changes to this Privacy Policy will be posted on this page.

7 Contact us

If you have any questions, feedback, or complaints about our processing of your personal data, or if you would like to exercise your rights under the Data Protection Laws, please contact us:

§ by email at privacy@nightingalehealth.com; or

§ by post at Data Protection Officer, Nightingale Health Plc, Mannerheimintie 164a, 00300 Helsinki, Finland.