Last updated 28 November 2022

Livit by Nightingale Health™ consumer service (“Service”) provides you information on your health and wellbeing as well as factors and habits that have been shown to help in maintaining and improving health and wellbeing. You may either use the free version of the Service through our mobile application called Livit by Nightingale Health™ (“App”), or purchase one of our health plans to receive personalized information on your current state of health based on your fingerprick blood sample (“Blood Test”). For more information on the Service, visit the App or Livit by Nightingale Health™ Consumer Terms of Service (“Terms”).

Nightingale Health Plc or its group company with whom you have entered into an agreement regarding the Service (“Nightingale Health”, “we”, “us”) acts as the controller of the personal data collected and processed in connection with the Service and is committed to protecting your privacy in accordance with the applicable mandatory data protection legislation (“Data Protection Laws”). Please read this Privacy Policy to find out how Nightingale Health collects and processes your personal data when you access and use the Service.

1 What personal data do we process and where do we obtain such data?

In connection with the Service, we process the following personal data about you depending on the choices and purchases you have made:

- Basic information and preferences: first and last name; date of birth; country where you use the Service; account details (including email address, password, phone number); information on consents and refusals

- Information related to the baseline estimate of healthy years: sex; height; weight; information on smoking; healthy years goal; baseline estimate of healthy years people with similar baseline to you are likely to have during their life

- Information related to the Blood Test and delivery of Blood Test results: purchased and active health plan(s); delivery details (including delivery address) for the delivery of Livit Blood Collection Kit™ (“Kit”) to you and return of your blood sample to us; payment details (such as your credit card information); device identifier of the Kit you have registered in the App; your national identification number where required by applicable mandatory law; blood sample as well as data, analyses, and results derived from or relating to the blood sample

- Information on customer history and use of the Service: information related to your contact with us (such as feedback and recommendations you have shared with us, complaints and/or other inquiries you have made); data related to your use of the Service (such as analytics information on which parts of the App you have used)

The personal data is primarily collected directly from you and as a result of analysis of the blood sample you have provided to us. Information can also be collected and compared to analytics databases with tracking technologies through your use of the App. For more information on the tracking technologies that we use in the App, please visit our Cookie Policy.

2 For what purposes and on what bases do we process your personal data?

We process your personal data for the purposes and on the legal bases set out below:

- Provision of the Service in the form chosen by you. Processing of your personal data is based on the contract which is formed between Nightingale Health and you in the App when you accept the Terms or purchase a health plan. In addition, processing of your health-related information is based either on a contract we have with you, your consent, or our legal obligation to process certain personal data about our customers.

- Customer support, customer communication, processing of customer feedback and claims. We process your personal data based on the contract we have with you, or our legitimate interest to provide customer support and important customer notices and to respond to customer complaints and other inquiries made to us, or a legal obligation to communicate with you.

- Marketing of our services. Processing of your personal data for marketing purposes is based on our legitimate interest to market our services. Where required by applicable mandatory law, we will ask for your consent before sending you electronic direct marketing messages. You may opt-out of receiving electronic direct marketing at any time by following the unsubscribe instructions included in the electronic direct marketing messages we send to you. You may also opt-out at any time by contacting us using the contact details provided in Section 7.

- In-App analytics to improve our services. Based on your consent, we use certain tracking technologies to carry out analytics in the App. Use of the information collected with the tracking technologies is based on your consent, or our legitimate interest to improve our services. For more information, please visit our Cookie Policy.

- Planning, monitoring, supervising, compiling statistics of, controlling quality of, and evaluating our operations and services. We process your personal data based on our legitimate interest to plan, monitor, supervise, compile statistics of, control quality of, and evaluate our operations and services, or where we have a legal obligation to do so.

- Developing and improving our services. Sometimes we will use your personal data in an anonymized form to develop and improve our services. Since you cannot be identified, this is not personal data. However, if we do apply an identifier to such data, it will be personal data and we will only process it based on our legitimate interest to develop and improve our services, or with your prior consent.

- Detecting and preventing unlawful behavior and non-compliance with our terms and conditions; enforcing our legal rights. We process your personal data based on our legitimate interest to detect and prevent unlawful behaviour and non-compliance with our terms and conditions as well as to enforce our legal rights. In addition, the processing of your personal data may be based on our legal obligation.

We will only process your personal data on the basis of our legitimate interest where we consider that our legitimate interest is not outweighed or overridden by your rights. You may object to our use of your personal data by contacting us using details provided in Section 7.

Please note that if you refuse to provide the requested personal data necessary for the provision of the Service in the form chosen by you, we may not be able to provide the Service to you.

3 To whom do we transfer and disclose and where do we store your personal data?

We treat your personal data as confidential. Persons we ask to process your personal data are bound by a confidentiality obligation.

We may share your personal data with third parties in the following situations:

- We may share your personal data within the Nightingale Health group of companies to the extent necessary for the provision of the Service to you.

- We may share your personal data with external service providers which manage our IT, payment, marketing, analytics, data storage, and customer support systems. In addition, we may share your delivery information with our postal and courier service providers which deliver the Kit to you and return your blood sample to us. We conclude data processing agreements with all service providers which process personal data on behalf of us as processors. We require the service providers to process the personal data only to the extent necessary to provide the relevant service to us.

- We may also share your personal data with other third parties when necessary for providing the Service to you. We will only share this personal data for the purposes and under the lawful bases described above. Where this is not the case, we will notify you and request your consent if necessary.

We may disclose your personal data in the following situations:

- Based on legislation, we may have either the right or the obligation to disclose your personal data to third parties, such as to judicial and other public authorities.

- If we are involved in a sale or transfer of business, a merger, a business reorganization, or a similar process, we may disclose your personal data to one or more third parties as part of the transaction.

- We may also disclose your personal data to the extent necessary to protect our own or a third party's interests.

We primarily store and process your personal data in the geographic region where it has been collected, such as in the European Economic Area (EEA) or the United Kingdom (UK). However, we and our external service providers may also process the personal data outside such geographic region to the extent necessary for the purposes described in this Privacy Policy, and this may include transfers to third countries (countries outside the UK or the EEA that are not subject to a data protection adequacy decision) when necessary. In that case, we will provide adequate and appropriate safeguards in accordance with the Data Protection Laws to ensure sufficient protection for your personal data. For example, as regards personal data of EU or UK consumers, we either ensure that there is an adequacy decision by the European Commission or an adequacy regulation from the UK government (as applicable) in place regarding the recipient country. Alternatively, we will enter into the standard contractual clauses approved by the European Commission and/or the UK government (as applicable) with the recipient of your personal data. You may request more details about these safeguards by contacting us using the details provided in Section 7.

4 How do we protect and how long do we retain your personal data?

Our internal organization is structured to meet the requirements of our Quality Management System certified according to EN ISO 13485, our Information Security Management System certified according to ISO/IEC 27001:2013, and the requirements of the Data Protection Laws.

We apply appropriate physical, technical, and administrative safeguards to protect personal data from misuse. These safeguards include, among others, control and filtering of network traffic, use of encryption techniques and safe data centers, appropriate access control, controlled granting of access rights and supervision of their use, giving instructions to personnel processing personal data, and risk management related to planning, implementation, and maintenance of our services. Personal data are processed only by persons who need the personal data to perform their job duties.

We store all information and materials qualifying as patient data and records under the applicable law in a patient data system. Access rights to the patient data system are granted strictly based on a person’s role and need to process the data for the purposes of the Service.

We retain your personal data in accordance with our internal record retention policies as long as reasonably necessary for the purposes for which they are processed in accordance with applicable laws, including for the purposes of any regulatory, accounting or reporting requirements. Patient data and records are retained subject to compliance with Data Protection Laws that stipulate mandatory retention periods (e.g., in Finland, patient records are retained for 12 years from the patient’s death, or, if such information is not available, 120 years from the patient’s birth). After measurement, blood samples are stored for quality control purposes, after which they are either anonymized or disposed of according to our internal processes. After the necessary retention period, we will either delete or anonymize all personal data.

5 Your rights as a data subject relating to the processing of your personal data

As a data subject, you have the following rights subject to the restrictions that follow from legislation:

- Right of access to personal data. You have the right to know whether we process personal data about you and the right to request access to any personal data undergoing processing.

- Right to rectification and erasure. You have the right to rectify inaccurate personal data about you and, in certain cases, the right to erasure of your personal data, e.g., personal data that is no longer necessary or accurate in relation to the purposes of the processing.

- Right to restrict processing. You have the right to request that we restrict our processing of your personal data, e.g., if you contest the correctness of the personal data we process or the lawfulness of the processing.

- Right to object. You may object to the processing of your personal data, on grounds relating to your situation, e.g., if the processing is based on our legitimate interest or the personal data are processed for direct marketing purposes.

We will give you the opportunity to opt out of future electronic direct marketing whenever we send you such marketing. You can also opt out at any time by contacting us using the contact details provided in Section 7. If you opt out from receiving our marketing communications, we retain certain limited personal data about you (e.g., name and email address) to ensure that we comply with your request.

- Right to data portability. Under specific circumstances you have the right to request your personal data to be transferred from one system to another.

- Withdrawal of consent. Where our processing of your personal data is based on your consent, you can, at any time, withdraw or restrict your consent. The withdrawal or restriction of consent does not affect the lawfulness of the processing carried out prior to the withdrawal or restriction.

You may exercise your rights by contacting us using the contact details provided in Section 7. The requests are always processed on a case-by-case basis. For your protection, we may need to verify your identity before fulfilling your request. We will respond as soon as reasonably possible within the times set forth by applicable mandatory law. We reserve the right to deny your request based on applicable law and will inform you if we do so.

In addition, you have a right to lodge a complaint with your local supervisory authority if you consider that the processing of your personal data infringes the Data Protection Laws. Before contacting the supervisory authority, we recommend that you get in contact with us first, so we can consider your complaint. You may also contact us to receive the contact details of your local supervisory authority.

6 Changes to the Privacy Policy

We may revise this Privacy Policy from time to time. Any changes to this Privacy Policy will be posted on this page. We will use reasonable endeavors to contact you when we make significant changes.

7 Contact us

If you have any questions, feedback, or complaints about our processing of your personal data, or if you would like to exercise your rights under the Data Protection Laws, please contact us:

- by email at; or

- by post at Data Protection Officer, Nightingale Health Plc, Mannerheimintie 164a, 00300 Helsinki, Finland.