Last updated 28 November 2022
Livit by Nightingale Health™ consumer service (“Service”) provides you information on your health and wellbeing as well as factors and habits that have been shown to help in maintaining and improving health and wellbeing. You may either use the free version of the Service through our mobile application called Livit by Nightingale Health™ (“App”), or purchase one of our health plans to receive personalized information on your current state of health based on your fingerprick blood sample (“Blood Test”). For more information on the Service, visit the App or Livit by Nightingale Health™ Consumer Terms of Service (“Terms”).
1 What personal data do we process and where do we obtain such data?
In connection with the Service, we process the following personal data about you depending on the choices and purchases you have made:
- Basic information and preferences: first and last name; date of birth; country where you use the Service; account details (including email address, password, phone number); information on consents and refusals
- Information related to the baseline estimate of healthy years: sex; height; weight; information on smoking; healthy years goal; baseline estimate of healthy years people with similar baseline to you are likely to have during their life
- Information related to the Blood Test and delivery of Blood Test results: purchased and active health plan(s); delivery details (including delivery address) for the delivery of Livit Blood Collection Kit™ (“Kit”) to you and return of your blood sample to us; payment details (such as your credit card information); device identifier of the Kit you have registered in the App; your national identification number where required by applicable mandatory law; blood sample as well as data, analyses, and results derived from or relating to the blood sample
- Information on customer history and use of the Service: information related to your contact with us (such as feedback and recommendations you have shared with us, complaints and/or other inquiries you have made); data related to your use of the Service (such as analytics information on which parts of the App you have used)
2 For what purposes and on what bases do we process your personal data?
We process your personal data for the purposes and on the legal bases set out below:
- Provision of the Service in the form chosen by you. Processing of your personal data is based on the contract which is formed between Nightingale Health and you in the App when you accept the Terms or purchase a health plan. In addition, processing of your health-related information is based either on a contract we have with you, your consent, or our legal obligation to process certain personal data about our customers.
- Customer support, customer communication, processing of customer feedback and claims. We process your personal data based on the contract we have with you, or our legitimate interest to provide customer support and important customer notices and to respond to customer complaints and other inquiries made to us, or a legal obligation to communicate with you.
- Marketing of our services. Processing of your personal data for marketing purposes is based on our legitimate interest to market our services. Where required by applicable mandatory law, we will ask for your consent before sending you electronic direct marketing messages. You may opt-out of receiving electronic direct marketing at any time by following the unsubscribe instructions included in the electronic direct marketing messages we send to you. You may also opt-out at any time by contacting us using the contact details provided in Section 7.
- Planning, monitoring, supervising, compiling statistics of, controlling quality of, and evaluating our operations and services. We process your personal data based on our legitimate interest to plan, monitor, supervise, compile statistics of, control quality of, and evaluate our operations and services, or where we have a legal obligation to do so.
- Developing and improving our services. Sometimes we will use your personal data in an anonymized form to develop and improve our services. Since you cannot be identified, this is not personal data. However, if we do apply an identifier to such data, it will be personal data and we will only process it based on our legitimate interest to develop and improve our services, or with your prior consent.
- Detecting and preventing unlawful behavior and non-compliance with our terms and conditions; enforcing our legal rights. We process your personal data based on our legitimate interest to detect and prevent unlawful behaviour and non-compliance with our terms and conditions as well as to enforce our legal rights. In addition, the processing of your personal data may be based on our legal obligation.
We will only process your personal data on the basis of our legitimate interest where we consider that our legitimate interest is not outweighed or overridden by your rights. You may object to our use of your personal data by contacting us using details provided in Section 7.
Please note that if you refuse to provide the requested personal data necessary for the provision of the Service in the form chosen by you, we may not be able to provide the Service to you.
3 To whom do we transfer and disclose and where do we store your personal data?
We treat your personal data as confidential. Persons we ask to process your personal data are bound by a confidentiality obligation.
We may share your personal data to third parties in the following situations:
- We may share your personal data within the Nightingale Health group of companies to the extent necessary for the provision of the Service to you.
- We may share your personal data with external service providers which manage our IT, payment, marketing, analytics, data storage, and customer support systems. In addition, we may share your delivery information with our postal and courier service providers which deliver the Kit to you and return your blood sample to us. We conclude data processing agreements with all service providers which process personal data on behalf of us as processors. We require the service providers to process the personal data only to the extent necessary to provide the relevant service to us.
- We may also share your personal data with other third parties when necessary for providing the Service to you. We will only share this personal data for the purposes and under the lawful bases described above. Where this is not the case, we will notify you and request your consent if necessary.
We may disclose your personal data in the following situations:
- Based on legislation, we may have either the right or the obligation to disclose your personal data to third parties, such as to judicial and other public authorities.
- If we are involved in a sale or transfer of business, a merger, a business reorganization, or a similar process, we may disclose your personal data to one or more third parties as part of the transaction.
- We may also disclose your personal data to the extent necessary to protect our own or a third party's interests.
4 How do we protect and how long do we retain your personal data?
Our internal organization is structured to meet the requirements of our Quality Management System certified according to EN ISO 13485, our Information Security Management System certified according to ISO/IEC 27001:2013, and the requirements of the Data Protection Laws.
We apply appropriate physical, technical, and administrative safeguards to protect personal data from misuse. These safeguards include, among others, control and filtering of network traffic, use of encryption techniques and safe data centers, appropriate access control, controlled granting of access rights and supervision of their use, giving instructions to personnel processing personal data, and risk management related to planning, implementation, and maintenance of our services. Personal data are processed only by persons who need the personal data to perform their job duties.
We store all information and materials qualifying as patient data and records under the applicable law in a patient data system. Access rights to the patient data system are granted strictly based on a person’s role and need to process the data for the purposes of the Service.
We retain your personal data in accordance with our internal record retention policies as long as reasonably necessary for the purposes for which they are processed in accordance with applicable laws, including for the purposes of any regulatory, accounting or reporting requirements. Patient data and records are retained subject to compliance with Data Protection Laws that stipulate mandatory retention periods (e.g., in Finland, patient records are retained for 12 years from the patient’s death, or, if such information is not available, 120 years from the patient’s birth). After measurement, blood samples are stored for quality control purposes, after which they are either anonymized or disposed of according to our internal processes. After the necessary retention period, we will either delete or anonymize all personal data.
5 Your rights as a data subject relating to the processing of your personal data
As a data subject, you have the following rights subject to the restrictions that follow from legislation:
- Right of access to personal data. You have the right to know whether we process personal data about you and the right to request access to any personal data undergoing processing.
- Right to rectification and erasure. You have the right to rectify inaccurate personal data about you and, in certain cases, the right to erasure of your personal data, e.g., personal data that is no longer necessary or accurate in relation to the purposes of the processing.
- Right to restrict processing. You have the right to request that we restrict our processing of your personal data, e.g., if you contest the correctness of the personal data we process or the lawfulness of the processing.
- Right to object. You may object to the processing of your personal data, on grounds relating to your situation, e.g., if the processing is based on our legitimate interest or the personal data are processed for direct marketing purposes.
We will give you the opportunity to opt out of future electronic direct marketing whenever we send you such marketing. You can also opt out at any time by contacting us using the contact details provided in Section 7. If you opt out from receiving our marketing communications, we retain certain limited personal data about you (e.g., name and email address) to ensure that we comply with your request.
- Right to data portability. Under specific circumstances you have the right to request that your personal data be transferred from one system to another.
- Withdrawal of consent. Where our processing of your personal data is based on your consent, you can, at any time, withdraw or restrict your consent. The withdrawal or restriction of consent does not affect the lawfulness of the processing carried out prior to the withdrawal or restriction.
You may exercise your rights by contacting us using the contact details provided in Section 7. The requests are always processed on a case-by-case basis. For your protection, we may need to verify your identity before fulfilling your request. We will respond as soon as reasonably possible within the times set forth by applicable mandatory law. We reserve the right to deny your request based on applicable law and will inform you if we do so.
In addition, you have a right to lodge a complaint with your local supervisory authority if you consider that the processing of your personal data infringes the Data Protection Laws. Before contacting the supervisory authority, we recommend that you get in contact with us first, so we can consider your complaint. You may also contact us to receive the contact details of your local supervisory authority.
7 Contact us
If you have any questions, feedback, or complaints about our processing of your personal data, or if you would like to exercise your rights under the Data Protection Laws, please contact us:
- by email at email@example.com; or
- by post at Data Protection Officer, Nightingale Health Plc, Mannerheimintie 164a, 00300 Helsinki, Finland.