Last updated 14 September 2022

This Privacy Policy for Business Contacts and Website Visitors (“Privacy Policy”) describes how we collect and process personal data of representatives at our existing and potential customers, vendors and other business contacts as well as of visitors to our websites nightingalehealth.com, research.nightingalehealth.com, and assets.nightingalehealth.com (“Site”).

Nightingale Health Plc (“Nightingale Health”, “we”, “us”) acts as the controller of the personal data and is committed to protecting your privacy in accordance with the applicable mandatory data protection legislation (“Data Protection Laws”). Please read this Privacy Policy to find out how Nightingale Health collects and processes your personal data.

We have separate privacy policies for our consumer services, recruitment process, managers’ transactions, and general shareholders’ meetings. If you have purchased our consumer service Livit by Nightingale Health™ or My Nightingale™, apply for a job at Nightingale Health, perform a managerial role at Nightingale Health, or attend Nightingale Health’s annual general meeting or extraordinary general meeting, please visit the other privacy policies available through this link.

1 What personal data do we process and where do we obtain such data?

We mainly process personal data that we obtain directly from you, for example, when you contact us using the contact details available on the Site or enter into a business relationship with us. In addition, we may collect personal data from other sources, such as third-party websites, private and public registers, and our service providers.

We may process the following types of personal data about you depending on the interactions we have with you:

  • name, title, job description, company, postal address, email address, phone number;
  • login details (e.g., username and password) to restricted areas of the Site, such as the Nightingale Health Brand Assets;
  • information on customer history, your interactions with us, and use of our services and the Site (e.g., feedback and recommendations you have shared with us, complaints or other inquiries you have made, other contact you have had with us or assignments we have performed for you, information related to invoicing and service delivery, as well as analytics information on which parts of our services and Site you have used);
  • information on participation in our events and webinars;
  • information on consents and refusals you have provided to us; and
  • any other information you may share with us, or we generate, when you use our services, do business with us, or visit the Site.

For more information on cookies and other tracking technologies we use on the Site, please visit our Cookie Policy.

2 For what purposes and on what bases do we process your personal data?

We process your personal data for the purposes and on the legal bases set out below:

  • Provision of our services in the form chosen by you. Processing of your personal data is based on the contract which is formed between Nightingale Health and you when you purchase our services.
  • Customer support, customer communication, processing of customer feedback and claims. We process your personal data based on the contract we have with you, our legitimate interest to provide customer support and important customer notices and to respond to customer complaints and other inquiries made to us, or a legal obligation to communicate with you.
  • Communication and relationship management. We process your personal data based on our legitimate interest to manage our business relationships, facilitate communication with business contacts, and to process orders and perform accounting and invoicing.
  • Marketing of our services and monitoring the performance of our marketing campaigns. Processing of your personal data for marketing purposes is based on our legitimate interest to market our services and monitor the performance of our marketing campaigns. Where required by applicable mandatory law, we will ask for your consent before sending you electronic direct marketing messages, such as our newsletter. You may opt-out of receiving electronic direct marketing at any time by following the unsubscribe instructions included in the electronic direct marketing messages we send to you. You may also opt-out at any time by contacting us using the contact details provided in Section 7.
  • Organizing and allowing participation in events and webinars. We process your personal data based on a contract we have with you or our legitimate interest to organize and manage participation in events and webinars organized or promoted by us or our business partners.
  • Provision of Nightingale Health Brand Assets to you. We process your personal data based on a contract we have with you or our legitimate interest to provide the Nightingale Health Brand Assets to Nightingale Health’s business partners and media contacts to the extent necessary for the purposes of communication, marketing, sales, and promotion relating to Nightingale Health and/or our services.
  • Analytics to improve our services. Based on your consent, we use certain tracking technologies to carry out analytics on the Site. Use of the information collected with the tracking technologies is based on our legitimate interest to improve our services. For more information, please visit our Cookie Policy.
  • Planning, monitoring, supervising, compiling statistics of, controlling quality of, and evaluating our operations and services. We process your personal data based on our legitimate interest to plan, monitor, supervise, compile statistics of, control quality of, and evaluate our operations and services, or where we have a legal obligation to do so.
  • Developing and improving the Site and our services. Sometimes we will use your personal data in an anonymized form. Since you cannot be identified, this is not personal data. However, if we do apply an identifier to such data, it will be personal data and we will only process it based on our legitimate interest to develop and improve the Site and our services, or with your prior consent.
  • Detecting and preventing unlawful behavior and non-compliance with our terms and conditions; enforcing our legal rights. We process your personal data based on our legitimate interest to detect and prevent unlawful behavior and non-compliance with our terms and conditions as well as to enforce our legal rights. In addition, the processing of the personal data may be based on our legal obligation.

We will only process your personal data on the basis of our legitimate interest where we consider that our legitimate interest is not outweighed or overridden by your rights. You may object to our use of your personal data by contacting us using details provided in Section 7.

Please note that if you refuse to provide the requested personal data necessary for the provision of our services in the form chosen by you, we may not be able to provide the requested services to you.

3 To whom do we transfer and share and where do we store your personal data?

We treat your personal data as confidential. Persons we ask to process your personal data are bound by a confidentiality obligation.

We may share your personal data with third parties in the following situations:

  • We may share your personal data within the Nightingale Health group of companies to the extent necessary, e.g., for the provision of our services to you.
  • We may share your personal data with external service providers which manage our IT, payment, marketing, analytics, data storage, and customer support systems. We conclude data processing agreements with all service providers and require them to process personal data only to the extent necessary to provide such service.
  • We may also share your personal data with other third parties when necessary for providing our services to you. We will only share this personal data for the purposes and under the lawful bases described above. Where this is not the case, we will notify you and request your consent if necessary.

We may disclose your personal data in the following situations:

  • Based on legislation, we may have either the right or the obligation to disclose your personal data to third parties, such as to judicial and other public authorities.
  • If we are involved in a sale or transfer of business, a merger, a business reorganization, or a similar process, we may transfer your personal data to one or more third parties as part of the transaction.
  • We may also disclose your personal data to the extent necessary to protect our own or a third party's interests.

We primarily store and process your personal data in the geographic region where it has been collected, such as in the European Economic Area (EEA) or the United Kingdom (UK). However, we and our external service providers may also process the personal data outside such geographic region to the extent necessary for the purposes described in this Privacy Policy, and this may include transfers to third countries (countries outside the UK or the EEA that are not subject to an adequacy decision) when necessary. In that case, we will provide adequate and appropriate safeguards in accordance with the Data Protection Laws to ensure sufficient protection for your personal data. For example, as regards personal data of individuals based in the EU or the UK, we either ensure that there is an adequacy decision by the European Commission or an adequacy regulation from the UK government (as applicable) in place regarding the recipient country. Alternatively, we will enter into the standard contractual clauses approved by the European Commission and/or the UK government (as applicable) with the recipient of your personal data. You may request more details about these safeguards by contacting us using the details provided in Section 7.

4 How do we protect and how long do we retain your personal data?

Our internal organization is structured to meet the requirements of our Quality Management System certified according to EN ISO 13485, our Information Security Management System certified according to ISO/IEC 27001:2013, and the requirements of the Data Protection Laws.

We apply appropriate physical, technical, and administrative safeguards to protect personal data from misuse. These safeguards include, among others, control and filtering of network traffic, use of encryption techniques and safe data centers, appropriate access control, controlled granting of access rights and supervision of their use, giving instructions to personnel processing personal data, and risk management related to planning, implementation, and maintenance of our services. Personal data are processed only by persons who need the personal data to perform their job duties.

We retain your personal data in accordance with our internal record retention policies as long as reasonably necessary for the purposes for which they are processed, including for the purposes of our business relationship with you, performance of a contract we have with you, or any regulatory, accounting or reporting requirements. However, we may retain your personal data for a longer period to the extent required by our automated backup system or if deemed necessary for the establishment, exercise or defense of legal claims. After the necessary retention period, we will either delete or anonymize all personal data.

5 Your rights as a data subject relating to the processing of your personal data

As a data subject, you have the following rights subject to the restrictions that follow from legislation:

  • Right of access to personal data. You have the right to know whether we process personal data about you and the right to request access to any personal data undergoing processing.
  • Right to rectification and erasure. You have the right to rectify inaccurate personal data about you and, in certain cases, the right to erasure of your personal data, e.g., personal data that is no longer necessary or accurate in relation to the purposes of the processing.
  • Right to restrict processing. You have the right to request that we restrict our processing of your personal data, e.g., if you contest the correctness of the personal data we process or the lawfulness of the processing.
  • Right to object. You may object to the processing of your personal data, on grounds relating to your situation, e.g., if the processing is based on our legitimate interest or the personal data are processed for direct marketing purposes.
  • We will give you the opportunity to opt out of future electronic direct marketing whenever we send you such marketing. You can also opt out at any time by contacting us using the contact details provided in Section 7. If you opt out from receiving our marketing communications, we retain certain limited personal data about you (e.g., name and email address) to ensure that we comply with your request.
  • Right to data portability. Under specific circumstances you have the right to request your personal data to be transferred from one system to another.
  • Withdrawal of consent. Where our processing of your personal data is based on your consent, you can, at any time, withdraw or restrict your consent. The withdrawal or restriction of consent does not affect the lawfulness of the processing carried out prior to the withdrawal or restriction.

You may exercise your rights by contacting us using the contact details provided in Section 7. The requests are always processed on a case-by-case basis. For your protection, we may need to verify your identity before fulfilling your request. We will respond as soon as reasonably possible within the times set forth by applicable mandatory law. We reserve the right to deny your request based on applicable law and will inform you if we do so.

In addition, you have a right to lodge a complaint with your local supervisory authority if you consider that the processing of your personal data infringes the Data Protection Laws. Before contacting the supervisory authority, we recommend that you get in contact with us first, so we can consider your complaint. You may also contact us to receive the contact details of your local supervisory authority.

6 Changes to the Privacy Policy

We may revise this Privacy Policy from time to time. Any changes to this Privacy Policy will be posted on this page. We will use reasonable endeavors to contact you when we make significant changes.

7 Contact us

If you have any questions, feedback, or complaints about our processing of your personal data, or if you would like to exercise your rights under the Data Protection Laws, please contact us

  • by email at privacy@nightingalehealth.com; or
  • by post at Data Protection Officer, Nightingale Health Plc, Mannerheimintie 164a, 00300 Helsinki, Finland.