1. INTRODUCTION
In this Privacy Notice you can read about how Personal Data is Processed by the Swedish company Bio Health Solutions Sweden AB with company registration number 559416-9459 (hereinafter referred to as “we”, “our” or “us”). References to “you” or “your” refer to the Data Subject whose Personal Data we Process.
In this Privacy Notice, you can read about, among other things, the following:
- What Personal Data we Process.
- Why we Process the Personal Data.
- Where the Personal Data will be stored.
- Who the Personal Data may be shared with.
- What rights the Data Subjects have under the GDPR.
- Other information about our Processing of Personal Data.
2. DEFINITIONS
In addition to the terms defined in the running text of this Privacy Notice, the following definitions, whether used in plural or singular, in definite or indeterminate form, shall have the following meanings:
User: refers to the individual who uses the Platform.
User Account: refers to a User’s registered User Account to the Platform.
Processing: refers to anything that is done with Personal Data, whether automated or not. Processing can occur through a single action or a combination of various actions. Examples of common Personal Data Processing include storage, deletion, sharing, reading, registration, copying, collection, organization, usage, adjustment, etc.
GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
Personal Data: means any data which, directly or indirectly, alone or in combination with other data, can be linked to an identified or identifiable natural living person. Common examples of Personal Data are name, telephone number, address, e-mail address, User ID, etc.
Controller: means the natural or legal person who determines the purpose of a particular Processing of Personal Data and how the Processing is to be carried out. Natural persons, legal persons, public authorities, institutions or other bodies may be data Controllers.
Processor: means the natural or legal person who Processes Personal Data on behalf of the Controller, in accordance with the Controller’s instructions.
Platform: refers to the application “myTRED” for iOS and Android as well as any available web application.
Data Subject: means the individual who can be identified by the Personal Data.
Third party: means anyone other than the Controller (and the persons authorised to Process the Personal Data), the Data Subject or the Processor (and the persons authorised to Process the Personal Data). Third parties may be a legal person or a natural person, institution, authority or other body.
Third party services: means third party information, services, products, systems, websites, software, networks, databases and Platforms to which our website links, or which an individual connects to or enables integration with when the individual uses our website.
Website: means www.tredapps.com including any subdomains.
Any other GDPR-related terms not defined herein shall have the same meaning in this Privacy Notice as set out in Article 4 of the GDPR.
3. PERSONAL DATA RESPONSIBILITY
We are the Controller of all Processing of Personal Data carried out by us or on our behalf, where we determine the purposes and means of the Processing of Personal Data, in accordance with the principle of accountability.
Our Processing of Personal Data is carried out in accordance with the GDPR and the data protection principles. In accordance with the purpose limitation principle, we only Process Personal Data for specified, explicit and legitimate purposes. In addition, each Processing is lawfully based in accordance with the provisions of the GDPR. We only Process Personal Data that is adequate, necessary and relevant to fulfil the purpose for which it was collected (according to the principle of data minimization).
We are not responsible for the Processing of Personal Data carried out by the Users of the Platform or any other third party.
Unless expressly stated otherwise, we are the data Controller for the Processing described in this Privacy Notice.
4. HOW TO ACCESS PERSONAL DATA
We usually receive Personal Data in the following situations:
- When someone contacts us.
- When we enter into a contract with you or another third party.
- In connection with the performance of a contract.
- When someone signs up to receive our newsletter.
- When someone visits the website or uses the Platform.
5. CATEGORIES OF PERSONAL DATA WE PROCESS
We mainly Process the following categories of Personal Data:
- Identification data: First name, last name, User ID.
- Contact details: Email address, phone number, social media username (if applicable).
- Case details: Individuals’ contact with our support or customer service, for example via email, case number and information regarding the case.
- Consent data: Information about consents given, for example regarding direct marketing or the use of cookies.
- Unit data: Data collected via cookies based on the website visitor’s consent, such as computer, tablet or phone data used when visiting our website, IP number, time zone, operating system, language settings, screen resolution and other data provided via cookies.
- Other: Any other Personal Data that is provided to us by the Data Subject or a third party.
6. LEGAL BASIS FOR THE PROCESSING OF PERSONAL DATA
We Process Personal Data primarily on the basis of one of the following legal bases:
- Consent: You have given your consent to the Processing of your Personal Data for one or more specific purposes (Article 6(1)(a) GDPR).
- Contract: The Processing is necessary for the performance of a contract to which you are a party or to take steps at your request prior to entering into such a contract (Article 6(1)(b) GDPR).
- Legal obligation: The Processing is necessary for compliance with a legal obligation to which we are subject (Article 6(1)(c) GDPR).
- Legitimate interest: The Processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, unless your interests or fundamental rights and freedoms override and require the protection of Personal Data (Article 6(1)(f) GDPR).
In some cases, it is optional for you to provide your Personal Data to us. However, for example, if you do not provide your Personal Data, we may not be able to provide the requested support or handle the case.
You may need to provide your Personal Data in order to enter into a contract with us or in order for us to comply with legal or contractual obligations. Unless otherwise stated, you will not suffer any consequences if you do not provide your Personal Data to us.
Where the Processing of your Personal Data is based on your consent, you have the right to withdraw the consent at any time, without affecting the lawfulness of the Processing carried out on the basis of the consent before it was withdrawn.
Where Processing of Personal Data is based on legitimate interest as a legal basis, our assessment is that the Processing does not constitute an infringement of your right to privacy and integrity. We have come to this conclusion, after weighing up on the one hand what the Processing in question means for your interests and right to privacy, and on the other hand our legitimate interest in the Processing in question. However, we never Process sensitive Personal Data based on legitimate interest as a legal basis.
7. SPECIFIC PROCESSES
Below you can read more about the legal basis and purposes of the Processing of Personal Data.
- 1. When you visit the website:
The website uses cookies. The use of non-essential cookies only takes place if you give your consent to it. You can withdraw your consent at any time, without affecting the lawfulness of the Processing carried out on the basis of the consent before it was withdrawn.
Legal basis for the above mentioned Processing: Consent.
You can read more information about how cookies are used in our Cookie Notice published on the website.
- 2. When we get in touch via email, phone or social media
You can contact us, and we can contact you, via email, phone or social media. You may also send notices to us through the applicable contact forms on our website. In these types of interactions, we will have access to the Personal Data that you provide. These may include your first name, last name, telephone number, email address, social media username (if applicable), the content of your message and other information you provide to us.
In our opinion, we have a legitimate interest in the Personal Data being Processed by us, so that we can know who we are talking to and to keep in touch with the matter.
Our assessment is also that the Processing is necessary for a purpose relating to a legitimate interest, that your interest in the protection of your Personal Data does not override it, and that the Processing in question does not infringe your fundamental rights and freedoms.
The provision of the Personal Data to us is voluntary, which means that it is not a statutory or contractual requirement or a requirement necessary to enter into a contract with us, and you are not obliged to provide the Personal Data, but the possible consequence of not providing such data is that we will not be able to handle the case.
Legal basis for the above mentioned Processing: Legitimate interest.
- 3. When you register your User Account
You can register your User Account by downloading the application via Google Play or the App Store. To create your User Account, you need to enter your first and last name, email address and choose a password. In addition, you need to accept our terms of use.
We will then send an activation link to the email address you have used when registering. To activate your User Account, you need to click on the activation link.
Legal basis for the above mentioned Processing: Contract.
- 4. When a User purchases our subscription service
In order for us to enter into a purchase agreement with a User regarding our subscription service, the User needs to accept our terms of purchase.
The payment for the subscription is made through a payment service provided by a third party (currently “Stripe”). Once the purchase has been completed, we may have access to the following information from the payment service provider in question: information about purchased subscription, subscriber’s first and last name, email address, customer ID, billing details (address, zip code, city and country), language, currency, invoice number, payment method, payment method ID, amount, frequency, payment status, payment date, date and time of invoice creation, Stripe ID.
If the payment is made via card payment, we may also have access to the following information from the payment service provider in question: First and last name, last four digits of the payment card, when the card expires (month and year), fingerprint ID (a unique identifier for a given card number or bank account in a Stripe account in order to detect a repeat customer), card type (Visa, Mastercard, etc.), issuer of the card (e.g. bank), payment method ID, billing address linked to the payment card (address, postcode, city and country), origin of the payment card (country).
There are several purposes for Processing the buyer’s Personal Data, and below you can read more about these purposes.
a) Conclusion and performance of the contract: First of all, this data is Processed in order for us to be able to enter into and fulfil the purchase agreement correctly in accordance with the agreed provisions. The Personal Data will only be Processed to the extent necessary to achieve this purpose. Legal basis for these Processing operations: Contract.
b) Charging: The data is also used for billing and payment Processing, which is necessary to ensure smooth and correct handling of financial transactions in accordance with agreed terms. Legal basis for these Processing operations: Contract.
c) Support: In addition, we Process this data in order to be able to effectively communicate with the User regarding their purchase of the subscription service and/or use of the Platform. Legal basis for these Processing operations: Legitimate interest.
d) Complaints: In the event of any complaints regarding our subscription service, we also Process the Personal Data in order to handle the complaint case and comply with our legal obligations under applicable consumer protection legislation. Legal basis for these Processing operations: Legal obligation.
e) Accounting: We also Process accounting documents as part of our business, including invoices and receipts. This Processing is necessary to meet requirements under the Swedish Tax Agency and applicable legislation, including the Accounting Act (SFS 1999:1078). These accounting documents may contain Personal Data, such as first name, last name, address details and other contact details. Such documentation will be stored for as long as the law and/or the Swedish Tax Agency requires it. Legal basis for these Processing operations: Legal obligation.
- 5. When a User uses the Platform
We Process information about travel destinations, entry and exit dates (alternative list & calendar) that the User registers in the Platform. After the User has registered a trip, the User can perform a destination analysis and symptom analysis:
– Destination analysis: When the User performs a destination analysis, it is done in an anonymized format. We cannot link a completed destination analysis to the User in question or to a specific trip, which means that the anonymous information does not constitute Personal Data under the GDPR.
– Symptom analysis: When the User performs a symptom analysis, it is done in an anonymized format. We cannot link a completed symptom analysis to the User in question or to a specific trip, which means that the anonymous information does not constitute Personal Data under the GDPR.
User’s vaccine information
Through the Platform, the User can choose to take pictures of their vaccination passports and upload them to the Platform. The images of the vaccination passports are only stored locally on the User’s device, and are only visible in the Platform installed on that device, which means that we will not be able to access any copy of the image. We therefore do not Process any information about the User’s vaccination passport.
The User can choose to highlight different diseases that are included in the Platform that the User is vaccinated against. This information will only be visible on the User’s device and we cannot link the information provided to the User in question, which means that the anonymous information does not constitute Personal Data under the GDPR.
Logging of the use of the Platform
When a User uses the Platform, the following information is logged:
– Account information: Date and time of creation of the User Account, User ID, first and last name, email address, country, ISO country code, language, if the User has completed its profile.
– Authentication and access: Authentication method, date and time of last login in the Platform, when the User accepted the terms of use, when the User confirmed that they have read our Privacy Notice.
– Subscription status: If the User has tried premium, if the User has a premium account, the status of the subscription (trialing, active, canceled), when the trial period started, when the trial period ends.
– Payment information: Stripe customer ID, stripe link to their customer page.
– Partner information: Partner (which partner recruited the User), tracking (list of partners the User has been recruited from), the User’s device ID (to see which partner they have been recruited from before creating the User Account).
– Other information: If welcome emails have been sent, information about saved trips, scheduled notifications to be sent to the User, feedback that the User has submitted.
Legal basis for these Processing operations: Legitimate interest.
User Reporting and Feedback
When a User reports errors or provides feedback via the Platform in logged-in mode, we Process the following information:
1. User ID and registered email address: Identifies which User reports the issue or provides feedback, which enables feedback to the User with updates or additional questions.
2. Status of the case: Indicates whether a case is resolved or not by a variable (values “yes” or “no”).
3. Time of reporting: The date and time when the error was reported or the feedback was provided, which helps us better understand and fix the issue.
4. Description of the error or feedback: Detailed information from the User about the problem or feedback, which helps us identify and resolve any errors or improve the Platform.
This information is used solely for the purpose of improving the User experience and ensuring that any issues can be quickly identified and resolved. We Process all collected information in accordance with this Privacy Notice and applicable data protection legislation.
Legal basis for these Processing operations: Legitimate interest.
- 6. Newsletter
You can consent to receive newsletters from us by giving your active consent for us to Process your email address in order to send the newsletters to you. Providing your email address to us for this purpose is voluntary, which means that it is not a statutory or contractual requirement or a requirement necessary to enter into a contract with us, and you are not required to provide your email address, but the possible consequences of not providing your email address to us are that we will not send you our newsletters.
You can unsubscribe from the newsletter at any time by clicking on the unsubscribe link in the newsletter, thereby withdrawing your consent. If you withdraw your consent, we will not continue to send you newsletters.
Legal basis for the above mentioned Processing: Consent.
If you unsubscribe from the newsletters, you will be removed from the mailing list of the recipients of the newsletters, but your email address will remain in the database with a block for receiving newsletters. The purpose of this is to ensure that you do not receive multiple newsletters from us.
If you want your email address to be deleted also from the block list, you can contact our support by email and request this. You are hereby informed that if your email address is deleted from the block list, it means that you can receive newsletters from us again if you or someone else registers your email address to receive newsletters again.
In our opinion, we have a legitimate interest in the Personal Data being Processed for the above-mentioned purposes. The Processing is necessary for a purpose relating to a legitimate interest, and your interest in the protection of your Personal Data does not override it. Our assessment is that the Processing in question does not infringe on your fundamental rights and freedoms.
Legal basis for the above-mentioned Processing operations: Legitimate interest.
- 7. Other purposes for our Processing of Personal Data:
We Process Personal Data based on legitimate interest as the legal basis for the following purposes:
– Direct marketing: We Process Personal Data to conduct direct marketing of our services to Users who have consented to receive our newsletters or Users who have previously purchased our subscription service.
– Technical functionality: We develop and ensure the technical functionality of the website and Platform, and in connection with this we may Process Personal Data necessary for this purpose.
8. STORAGE LOCATION
We always strive to Process Personal Data within the European Union (EU) or the European Economic Area (EEA). In some cases, however, Personal Data may be transferred and Processed outside the EU/EEA. For example, if we engage a service provider located outside the EU/EEA who Processes Personal Data on our behalf as our data Processor. If Personal Data is transferred and Processed outside the EU/EEA, this is done in accordance with applicable data protection legislation.
In order to ensure adequate protection of your Personal Data in such transfers, we take appropriate safeguards. This may include obtaining your consent, using standard contractual clauses approved by the European Commission, or ensuring that the recipient country has adequate data protection laws.
9. STORAGE DURATION
We Process Personal Data for as long as it is necessary to fulfil the purposes for which it was collected, including to comply with any legal, accounting or reporting requirements, in accordance with the principle of storage minimisation.
The exact duration of the retention period depends on the type of Personal Data and the purpose for which they were collected.
When the Personal Data no longer needs to be stored, it is either deleted or anonymised in accordance with our internal screening procedures. We may also delete the Personal Data at your request if we do not need to Process the Personal Data in question to comply with contractual or legal obligations.
Please note that deleted information may be stored in backup files for a limited period of time before permanent deletion occurs.
In the event that a claim is made against us, we may retain the Personal Data until the expiry of the statutory limitation period. Similarly, in the event of an ongoing dispute, relevant Personal Data will be stored until the dispute has been resolved. We ensure compliance with applicable laws and regulations regarding the storage of Personal Data in these circumstances.
10. TRANSFER OF PERSONAL DATA
We Process all Personal Data that we have access to with care. In order to effectively run our business, we may need to transfer Personal Data to selected service providers that we engage or if it is necessary for us to comply with applicable law.
All transfer of Personal Data takes place in accordance with applicable data protection laws and regulations, with a focus on protecting your rights and your privacy.
We may transfer Personal Data to the recipients set out below, in order to achieve the purposes set out in Section 7 (Specific Processing Activities) and as described below.
– Government authorities
We may provide necessary information to government authorities, such as the police, tax authorities or other government authorities if we are legally required to disclose or share Personal Data with them in order for us to comply with our legal obligations. Legal basis for these Processing operations: Legal obligation.
Personal data may also be disclosed to government authorities in response to lawful requests or when necessary to prevent, detect or investigate criminal activity. This disclosure is made to protect the property, interests and safety of us and other relevant parties. Legal basis for these Processing operations: Legitimate interest.
– Suppliers
We may share Personal Data with our suppliers, including data Processors, to protect our interests, comply with contractual and legal obligations, detect and prevent problems, and improve our services, Platform and other digital channels. Legal basis for these Processing operations: Legitimate interest.
Our suppliers include server and hosting companies, app developers, accounting firms, accounting software, newsletter mailing systems and other suppliers who contribute to our business.
Before we share Personal Data with a supplier acting as our data Processor, we enter into a data processing agreement with them in accordance with the requirements of Article 28 GDPR.
11. YOUR RIGHTS ACCORDING TO THE GDPR
Below is a summary of the rights that you have as a Data Subject under the GDPR:
Right to information: You have the right to receive information about our collection and use of your Personal Data. This includes information about the purposes of the Processing, the categories of Personal Data concerned and any third parties with whom your Personal Data may be shared. We provide information about our collection and use of personal information in this Privacy Notice.
Right of access: You have the right to access your Personal Data held by us. You can request information about the Processing of your Personal Data, receive a copy of the Personal Data in a machine-readable format (provided that there is no applicable exception to the right of access) and be informed about the safeguards in place for cross-border transfers. However, this does not mean that you have the right to receive the documents containing the Processed Personal Data.
Right to rectification: You have the right to request rectification of inaccurate or incomplete Personal Data about you that we Process. If we Process Personal Data about you that is incorrect or incomplete, we will, at your request or on our initiative, supplement, correct or delete the Personal Data in question. If you request that your Personal Data be rectified, we shall inform all recipients of this data of the rectification, provided that this is possible or not too burdensome for us. You also have the right to know who has received your Personal Data.
Right to erasure: Under certain circumstances, you have the right to have your Personal Data erased. This applies, for example, if the data is no longer necessary for the purpose for which it was collected, or if you withdraw your consent and there is no other legal basis for the Processing. However, legal obligations may prevent us from immediately erasing part of the Personal Data. If you request the erasure of your Personal Data, we must inform all parties that received the data of the erasure, provided that this is possible or not too burdensome for us.
Right to restriction: You have the right to restrict the Processing of your Personal Data under certain conditions. This means that your data can only be stored and not further Processed, or only Processed for specific and limited purposes. An example of when this right applies is when the Personal Data we Process needs to be rectified. If you request that we rectify your Personal Data, you can also ask us to restrict the Processing of the specific data until it has been corrected. We will inform you when the restriction ends.
Right to data portability: You have the right to receive your Personal Data in a structured, commonly used and machine-readable format. You can also request the transfer of your data to another data Controller, where technically possible. This right only applies if the Processing of Personal Data is carried out automatically and only if our Processing is carried out for the performance of a contract to which you are a party or based on your consent.
Right to object: You have the right to object when your Personal Data is Processed after a balance of interests. If you raise an objection under this right, we shall cease Processing, unless our interest overrides your interests, rights and freedoms. However, you always have the right to request that your Personal Data is not Processed for direct marketing purposes. Such objections may be raised at any time. If an objection is made to direct marketing, the Personal Data can no longer be Processed for such purposes and we will inform you when we have deleted the Personal Data if you request it.
Right not to be subject to automated decision-making: You have the right not to be subject to decisions based solely on automated Processing, including profiling, if these decisions significantly affect you. Exceptions apply if the decision is necessary for the performance of a contract or is permitted by law. If an automated decision has been made, with or without profiling, you can request that it be reviewed or contested. We do not make automated decisions, whether with or without profiling.
12. HOW TO EXERCISE THE RIGHTS
You are welcome to contact us via the contact details set out below, if you would like to invoke any of the above-mentioned rights regarding your Personal Data that we Process.
It is free of charge to exercise the rights, provided that your requests are not excessive, repetitive or manifestly unfounded. In such cases, we have the right to charge a reasonable fee for handling your request or the right to refuse the execution of your request.
Before we handle or respond to your request, we may request additional information from you if it is necessary for us to confirm your identity.
We will inform you of our handling of your request without delay and at the latest within one month of receiving the request. If the request is complex or if, for example, we have received a large number of requests, this period may be extended by a further two months. In such cases, we will notify you of the extension within the first month after we receive your request.
It is important to note that the rights are subject to certain limitations and conditions under the GDPR. Some of the rights apply only in certain situations and only if it is legal and possible for us to implement your request.
If we are unable to comply with your request due to applicable law or other exceptions, we will notify you of this and inform you of the reasons why we are unable to comply with your request, subject to the limitations imposed by law.
13. AMENDMENTS
We review the content of this Privacy Notice on a regular basis to ensure that the information is accurate and up-to-date. The content may, with or without prior notice, be updated as necessary. You are responsible for reviewing the content of the Privacy Notice in force at any given time and for keeping up to date with any changes. We will notify you if we make material changes provided that such disclosure is mandatory under applicable law. The version applicable from time to time is always published on the website and in the Platform.
14. QUESTIONS OR COMPLAINTS
If you have any questions regarding the content of this Privacy Notice or our Processing of Personal Data, or if you are dissatisfied with our Processing of your Personal Data, you are always welcome to contact us via the following contact details:
Our company and contact information
Company: Bio Health Solutions Sweden AB.
Org. no: 559416-9459.
Email: privacy@tredapps.com.
Postal address: c/o Attana AB, Engelbrekts väg 6, 191 62 Sollentuna.
Supervisory authority
If you are not satisfied with the way we Process your Personal Data, you also have the right to lodge a complaint with the relevant supervisory authority. Our supervisory authority is the Swedish Authority for Privacy Protection:
Name: Integritetsskyddsmyndigheten (IMY).
Telephone: 08-657 61 00.
Email: imy@imy.se.
Postal address: Integritetsskyddsmyndigheten, Box 8114, SE-104 20 Stockholm, Sweden.
Please note that depending on your country of residence, there are different supervisory authorities that you can contact regarding questions or complaints about the Processing of your Personal Data. You can find the different supervisory authorities in the EU Member States via the following link:
https://edpb.europa.eu/about-edpb/about-edpb/members_en