Last updated 20 February 2023

Livit by Nightingale Health™ consumer service (“Service”) provides you information on your health and wellbeing as well as factors and habits that have been shown to help in maintaining and improving health and wellbeing. You may either use the free version of the Service through our mobile application called Livit by Nightingale Health™ (“App”), or purchase one of our health plans to receive personalized information on your current state of health based on your fingerprick blood sample (“Blood Test”). We also offer a genetic data service for customers who have used our Blood Test. For more information on the Service, visit the App, our website at nightingalehealth.com (“Website”), or Livit by Nightingale Health™ Consumer Terms of Service (“Terms”).

Nightingale Health Plc or its group company with whom you have entered into an agreement regarding the Service (“Nightingale Health”, “we”, “us”) acts as the controller of the personal data collected and processed in connection with the Service and is committed to protecting your privacy in accordance with the applicable mandatory data protection legislation (“Data Protection Laws”), including the EU General Data Protection Regulation 2016/679 (“GDPR”). Please read this Privacy Policy to find out how Nightingale Health collects and processes your personal data when you access and use the Service.

1 What personal data do we process and where do we obtain such data?

In connection with the Service, we process the following personal data about you depending on the choices and purchases you have made:

  • Basic information: first and last name; date of birth; country where you use the Service; account details (including email address, password, phone number)
  • Preferences and settings: information on consents and refusals; healthy years goal; your preferred settings (including language, notifications, units of measurement)
  • Purchase information: payment details (such as payment method used to make a purchase); purchased and active health plans and gift cards
  • Delivery information: delivery details (including delivery address) for the delivery of Livit Blood Collection Kit™ (“Kit”) to you and return of your blood sample to us; time of sample collection; device identifiers of the Kit you register in the App
  • Baseline information: sex; height; weight; body mass index; your national identification number where required by applicable mandatory law
  • Blood Test results: health results and related information (such as NMR spectral data) derived from the analysis of your blood sample
  • Genetic information: raw genetic data you upload to the Service including information on the genetic variants across your genome; harmonized genetic data file we create based on your raw genetic data; genetic results derived from the analysis of your raw genetic data
  • Customer support information: information you submit to our customer support (such as feedback and recommendations you share with us, complaints and/or other inquiries you make)
  • Customer survey information: information you submit as a response to our customer survey
  • Analytics information: data related to which parts of the Service, the App, and the Website you use

The personal data is primarily collected directly from you and as a result of analysis of the blood sample or raw genetic data you provide to us. Analytics information is collected with tracking technologies through your use of the App and the Website. For more information on the tracking technologies that we use, please visit our Cookie Policy.

2 For what purposes and on what bases do we process your personal data?

We process your personal data for the purposes and on the legal bases set out below:

Purpose of processing: Provision of the Service

Processed personal data: Basic information; Preferences and settings; Purchase information; Delivery information
Legal basis: Contract between you and us formed when you accept the Terms or purchase a health plan (GDPR Art. 6.1b)

Processed personal data: Baseline information; Blood Test results; Genetic information
Legal basis: Depending on the country where you use the Service, your explicit consent (GDPR Art. 6.1a and 9.2a) or our legal obligation to process information necessary for the provision of the Service (GDPR Art. 6.1c and 9.2h)

Purpose of processing: Customer support and important customer communications

Processed personal data: Customer support information; Additional information if needed to respond to your request or to send an important customer communication to you
Legal basis: Contract between you and us (GDPR Art. 6.1b); Our legitimate interest to provide customer support and send important customer notices and to respond to customer complaints and other inquiries made to us (GDPR Art. 6.1f); Our legal obligation to provide an important customer communication to you or to respond to your request (GDPR Art. 6.1c)

Purpose of processing: Customer survey

Processed personal data: Basic information; Customer survey information
Legal basis: Our legitimate interest to send out customer surveys and collect information on the performance of the Service (GDPR Art. 6.1f); If our customer survey includes collection of health data, we will request your explicit consent before collecting your responses (GDPR Art. 6.1a and 9.2a)

Purpose of processing: Planning, monitoring, supervising, compiling statistics of, controlling quality of, and evaluating our operations and services

Processed personal data: Basic information; Preferences and settings; Purchase information; Delivery information; Customer support information; Customer survey information; Analytics information
Legal basis: Our legitimate interest to plan, monitor, supervise, compile statistics of, control quality of, and evaluate our operations and services (GDPR Art. 6.1f)

Processed personal data: Baseline information; Blood Test results; Genetic information
Legal basis: Our legal obligation to ensure the high standards of quality and safety of the Service and our medical devices used to provide the Service (GDPR Art. 6.1c and 9.2i)

Purpose of processing: Marketing of our services

Processed personal data: Basic information
Legal basis: Our legitimate interest to market our services (GDPR Art. 6.1f); Where required by applicable mandatory law, we will ask for your consent before sending you electronic direct marketing messages

Purpose of processing: Collection of analytics information

Processed personal data: Analytics information
Legal basis: Your consent (GDPR Art. 6.1a)

Purpose of processing: Developing and improving our services

Processed personal data: All categories of personal data in an anonymized form
Legal basis: No legal basis needed as you can no longer be identified based on the data (the data is no longer personal data)

Processed personal data: Basic information; Preferences and settings; Purchase information; Delivery information; Customer support information; Customer survey information; Analytics information
Legal basis: Our legitimate interest to develop and improve our services (GDPR Art. 6.1f)

Processed personal data: Baseline information; Blood Test results; Genetic information
Legal basis: Your explicit consent requested separately for a specific development project (GDPR Art. 6.1a and 9.2a)

Purpose of processing: Detecting and preventing unlawful behavior and non-compliance with the Terms; enforcing our legal rights

Processed personal data: Basic information; Preferences and settings; Purchase information; Delivery information; Customer support information; Customer survey information; Analytics information
Legal basis: Our legitimate interest to detect and prevent unlawful behaviour and non-compliance with the Terms and to enforce our legal rights (GDPR Art. 6.1f); Our legal obligation to detect and prevent unlawful behaviour (GDPR Art. 6.1c)

Processed personal data: Baseline information; Blood Test results; Genetic information
Legal basis: Our legal obligation to detect and prevent unlawful behaviour (GDPR Art. 6.1c and 9.2g); Processing for the establishment, exercise or defense of legal claims (GDPR Art. 6.1f and 9.2f)

We will only process your personal data on the basis of our legitimate interest where we consider that our legitimate interest is not outweighed or overridden by your rights. You may object to our use of your personal data by contacting us using details provided in Section 7.

Please note that if you refuse to provide the requested personal data necessary for the provision of the Service in the form chosen by you, we may not be able to provide the Service to you.

3 To whom do we transfer and disclose and where do we store your personal data?

We treat your personal data as confidential. Persons we ask to process your personal data are bound by a confidentiality obligation.

We may share your personal data with third parties in the following situations:

  • We may share your personal data within the Nightingale Health group of companies to the extent necessary for the purposes of processing described in Section 2 above.
  • We may share your personal data with external service providers which manage our IT, payment, marketing, analytics, data storage, webshop, and customer support systems. In addition, we may share your delivery information with our postal and courier service providers which deliver the Kit to you and return your blood sample to us. We conclude data processing agreements with all service providers which process personal data on behalf of us as processors.
  • We may also share your personal data with other third parties when necessary for providing the Service to you. We will only share this personal data for the purposes and under the legal bases described in Section 2 above. Where this is not the case, we will notify you and request your consent if necessary.

We may disclose your personal data in the following situations:

  • Based on legislation, we may have either the right or the obligation to disclose your personal data to third parties, such as to judicial and other public authorities.
  • If we are involved in a sale or transfer of business, a merger, a business reorganization, or a similar process, we may disclose your personal data to one or more third parties as part of the transaction.
  • We may also disclose your personal data to the extent necessary to protect our own or a third party's interests.

We primarily store and process your personal data in the geographic region where it has been collected, such as in the European Economic Area (EEA) or the United Kingdom (UK). However, we and our external service providers may also process the personal data outside such geographic region to the extent necessary for the purposes described in this Privacy Policy, and this may include transfers to third countries (countries outside the UK or the EEA that are not subject to a data protection adequacy decision) when necessary. In that case, we will provide adequate and appropriate safeguards in accordance with the Data Protection Laws to ensure sufficient protection for your personal data. For example, as regards personal data of EU or UK consumers, we either ensure that there is an adequacy decision by the European Commission or an adequacy regulation from the UK government (as applicable) in place regarding the recipient country. Alternatively, we will enter into the standard contractual clauses approved by the European Commission and/or the UK government (as applicable) with the recipient of your personal data. You may request more details about these safeguards by contacting us using the details provided in Section 7.

4 How do we protect and how long do we retain your personal data?

Our internal organization is structured to meet the requirements of our Quality Management System certified according to EN ISO 13485, our Information Security Management System certified according to ISO/IEC 27001, and the requirements of the Data Protection Laws.

We apply appropriate physical, technical, and administrative safeguards to protect personal data from misuse. These safeguards include, among others, control and filtering of network traffic, use of encryption techniques and safe data centers, appropriate access control, controlled granting of access rights and supervision of their use, giving instructions to personnel processing personal data, and risk management related to planning, implementation, and maintenance of our services. Personal data are processed only by persons who need the personal data to perform their job duties.

When you upload your raw genetic data to the Service, that is done through a security-tested website to ensure high standards of reliability. We will only accept specific file formats from selected third-party service providers, and reserve the right not to accept or analyze raw data files that we suspect to be in any way insufficient, corrupted, or insecure. We store your genetic information in an encrypted form in a safe data center and make sure that only persons with a justified need can access the data.

We store all information and materials qualifying as patient data and records under the applicable law in a patient data system. Access rights to the patient data system are granted strictly based on a person’s role and need to process the data for the purposes of the Service.

We retain your personal data in accordance with our internal record retention policies as long as reasonably necessary for the purposes for which they are processed in accordance with applicable laws, including for the purposes of any regulatory, accounting or reporting requirements. Patient data and records are retained subject to compliance with Data Protection Laws that stipulate mandatory retention periods (e.g., in Finland, patient records are retained for 12 years from the patient’s death, or, if such information is not available, 120 years from the patient’s birth). After measurement, blood samples are stored for quality control purposes, after which they are either anonymized or disposed of according to our internal processes. After the necessary retention period, we will either delete or anonymize all personal data.

5 Your rights as a data subject relating to the processing of your personal data

As a data subject, you have the following rights subject to the restrictions that follow from legislation:

  • Right of access to personal data. You have the right to know whether we process personal data about you and the right to request access to any personal data undergoing processing.
  • Right to rectification and erasure. You have the right to rectify inaccurate personal data about you and, in certain cases, the right to erasure of your personal data, e.g., personal data that is no longer necessary or accurate in relation to the purposes of the processing.
  • Right to restrict processing. You have the right to request that we restrict our processing of your personal data, e.g., if you contest the correctness of the personal data we process or the lawfulness of the processing.
  • Right to object. You may object to the processing of your personal data, on grounds relating to your situation, e.g., if the processing is based on our legitimate interest or the personal data are processed for direct marketing purposes. We will give you the opportunity to opt out of future electronic direct marketing whenever we send you such marketing. You can also opt out at any time by contacting us using the contact details provided in Section 7. If you opt out from receiving our marketing communications, we retain certain limited personal data about you (e.g., name and email address) to ensure that we comply with your request.
  • Right to data portability. Under specific circumstances you have the right to request your personal data to be transferred from one system to another.
  • Withdrawal of consent. Where our processing of your personal data is based on your consent, you can, at any time, withdraw or restrict your consent. The withdrawal or restriction of consent does not affect the lawfulness of the processing carried out prior to the withdrawal or restriction.

You may exercise your rights by contacting us using the contact details provided in Section 7. The requests are always processed on a case-by-case basis. For your protection, we need to verify your identity before fulfilling your request. We will respond as soon as reasonably possible within the times set forth by applicable mandatory law. We reserve the right to deny your request based on applicable law and will inform you if we do so.

In addition, you have a right to lodge a complaint with your local supervisory authority if you consider that the processing of your personal data infringes the Data Protection Laws. Before contacting the supervisory authority, we recommend that you get in contact with us first, so we can consider your complaint. You may also contact us to receive the contact details of your local supervisory authority.

6 Changes to the Privacy Policy

We may revise this Privacy Policy from time to time. Any changes to this Privacy Policy will be posted on this page. We will use reasonable endeavors to contact you when we make significant changes.

7 Contact us

If you have any questions, feedback, or complaints about our processing of your personal data, or if you would like to exercise your rights under the Data Protection Laws, please contact us:

  • by email at privacy@nightingalehealth.com; or
  • by post at Data Protection Officer, Nightingale Health Plc, Mannerheimintie 164a, 00300 Helsinki, Finland.