LIVI Privacy Notice
At LIVI, healthcare personnel, together with technical personnel, work jointly to develop and provide healthcare. For us at LIVI, you as an individual and as a patient always come first and this privacy notice (the “Privacy Notice”) explains how we handle your personal data when you sign up to and use our App and when you seek healthcare or similar services from us (the “Services”).
We explain in more detail in this Privacy Notice how LIVI works for you as a “user” and “patient” and who is responsible for the processing of personal data, which is carried out in connection with your use of the Services. We also describe which personal data about you is processed when you use the Services, how we process the personal data, and why. We also describe the legal basis for our processing and which external parties may handle personal data about you in order for us to provide you with the Services. You also receive information about your rights in relation to the processing of your personal data and what you can do to exercise these rights.
2. Who is responsible for the processing of personal data?
KRY International AB, company reg. no. 556967-0820 (“KRY International”), the parent company in the LIVI group, is a Swedish company that owns and makes available the ”LIVI” technical platform and application (the “App”) and is the data controller for the processing of the personal data, which you register in the App, up until the time at which you commence contact with a healthcare provider for medical advice and follow-up. When you seek healthcare from LIVI, it is solely established healthcare providers who are responsible for providing the healthcare, including the processing of personal data which is carried out in connection with providing you with healthcare.
In relation to the healthcare provided to you, KRY International acts, in its capacity as a processor of personal data, only as a supplier of the technical platform and the related service. This means that data related directly to your healthcare is only processed according to the instructions of the Healthcare Provider. In the event another healthcare provider joins the LIVI platform and processes your personal data in connection to your use of the Services, we will inform you when you use the Services so that you always know which healthcare provider is the controller of your personal data.
If you have any questions or comments regarding the processing of your personal data in connection with your use of the Services, you are always welcome to contact us and/or our data protection officer via our website at https://kry.se/kontakt/, or by sending an email to email@example.com.
Data controller Contact Details
SE-103 69 Stockholm
Digital Medical Supply UK Ltd.
20 Whitechapel Rd,
Third Party Healthcare Providers
The contact details of Third Party Healthcare Providers will be communicated to you before a consultation with such a provider.
3. Where do we collect your personal data which is processed when you use the Services?
3.1. Personal data which is registered via your user account in the App
KRY International and the Healthcare Provider process personal data about you, which you register via your account such as your name, gender, address, email address and picture (used for verification of identity) when you open your LIVI user account and, subsequently, any information you register when you use the App. In addition, KRY International may automatically collect and process the following information: (i) technical information, including IP address, login information, type and version of operating system and unit, time settings, language settings, cookies, etc.; and (ii) information about the Services we provide to you, such as how often you use the App, and which functionality you use within the App, but not any medical information, such as symptoms or medical history
These categories of personal data, which are provided when you download, sign up to and use the App, are referred to as “User Data” below.
3.2. Personal data about your health
When you seek healthcare from us, you are asked to share data linked to your physical and/or mental health. You do this primarily by filling in the relevant symptoms form in the App. This information may include, but is not limited to, information that you are suffering from an illness, your medical history, or your physiological or medical condition. We refer to this information as “Health Data”.
KRY International uses this Health Data to schedule a consultation for you with relevant healthcare staff at the Healthcare Provider (or Third Party Healthcare Providers) to inform such staff ahead of your consultation and to otherwise direct you to an appropriate form of care.
3.3. Personal data processed by the Healthcare Provider
As described above, the Healthcare Provider (and Third Party Healthcare Providers) may receive Health Data from KRY International in order to optimize the healthcare services they provide to you. The Healthcare Provider may also collect other information about you, such as information about you in the context of consulting and treating you as a patient, This may for example include data about your health status, symptoms, treatments, consultations and sessions, medications and procedures. Personal data related to your health or to you as a patient which is used by the Healthcare Provider to provide you with healthcare services is referred to below as “Patient Data”.
The Healthcare Provider may disclose Patient Data in the context of providing healthcare and/or relevant medical treatment, for example when referring you to another healthcare provider or to pharmacies for the purpose of your treatment or administering prescriptions.
3.4. Personal data from third parties including other healthcare providers
The Healthcare Provider may also receive Patient Data relating to the healthcare you have received from other healthcare providers who are not associated with LIVI. In the event this data is considered relevant to the provision of healthcare within the scope of the Services, it may be saved and processed by the Healthcare Provider and entered in your medical records by the clinician who is treating you.
4. Where is your personal data stored?
User Data and Health Data
This personal data is stored by KRY International, in infrastructure provided by one of KRY International’s subcontracted processors. User Data is handled and stored primarily within the EU/EEA. Health Data is always handled and stored within the EU/EEA.
The Healthcare Provider is obligated to maintain medical records when performing the Services. It stores relevant Patient Data in a medical record system (specifically developed in order to fulfil the requirements of the applicable legislation) which is operated on its behalf by a third party service provider.. Your Patient Data is handled and stored within the EU/EEA.
5. Why personal data is processed when you use LIVI
5.1. KRY International’s processing of your User Data
KRY International processes your User Data (as described above in section 3.1) for the following purposes:
(i) to process your application or terminate your user account in the App;
(ii) to provide you with authorization to login and use your user account;
(iii) to verify your identity and age;
(iv) to maintain correct and up-to-date information about you;
(v) for you to be able to monitor and administer ongoing care matters;
(vi) to measure and analyse use of the App, and to improve the App and the Services;
(vii) to handle your choice of settings and information about payment; and
(viii) to otherwise be able to provide the Services to you according to our General Terms and Conditions.
The legal basis for processing your User Data is that it is necessary for us to be able to provide you with the Services, and for the Healthcare Provider’s provision of good care in connection with your use of the Services. We need to process your User Data for the performance of the contract between us, which constitutes our General Terms and Conditions. The processing for the purposes of (vi) above is based on our legitimate interest to measure and analyse use of the App, and to improve the App and the Services we provide to you.
5.1. KRY International’s processing of your Health Data
As described above, KRY International also processes Health Data to schedule a consultation for you with relevant healthcare staff at the Healthcare Provider (or Third Party Healthcare Providers) to inform such staff ahead of your consultation and to otherwise direct you to appropriate form of care. The processing for the purposes described in this section is based on your consent. We may use strictly anonymised Health Data to improve our healthcare products and services. You have a right to withhold or withdraw consent, but KRY International will not be able to arrange consultations for you unless you agree KRY International may use Health Data to do this.
5.2. The Healthcare Provider’s processing of your Patient Data to provide healthcare services
The Healthcare Provider processes Patient Data (as described above in section 3.3) for the purpose of providing the Services to you in the form of healthcare and other necessary treatment, advice or administration, such as support for the clinicians within the scope of providing the healthcare itself.
The Healthcare Provider needs to process your Patient Data for the performance of its contract with you, comprised of our General Terms and Conditions. The legal basis for the Healthcare Provider’s processing of your Patient Data is that it is necessary for the purposes of preventive or occupational medicine, for medical diagnosis and the provision of health or social care. This may include sending you emails and other electronic communications, such as appointment reminders.
The Healthcare Provider’s business operations are governed by national legislation. It therefore processes your personal data in accordance with applicable law and as necessary to fulfil the legal obligations of the Healthcare Provider. This includes that the Healthcare Provider’s clinicians keep medical records, which the Healthcare Provider is obligated to save for a particular period of time. The Healthcare Provider also stores your medical information, such as notes from consultations, and your interactions with it for safety, regulatory, and compliance purposes. For example, it may need to review your information and, where necessary, make disclosures in compliance with reasonable requests by regulatory bodies including the Care Quality Commission, or as otherwise required by law or regulation.
The Healthcare Provider, as the data controller of your Patient Data, may use KRY International as a data processor to process Patient Data on its behalf to ensure that high standards of healthcare are maintained. For example, KRY International may process your Patient Data to analyse the efficiency of the Services, to ensure that applicable clinical and other guidelines are followed and to follow up on any issues identified with our Services.
5.3. Provision of support services related to your use of the Services
KRY International and the Healthcare Provider may communicate with you, in your capacity as a user of the Services. This includes, among other things, responding to inquiries and investigating complaints and support matters (including technical support) through our support service by telephone or via our digital channels. Depending on your matter, you may share additional User Data; Health Data and Patient Data which we then process to be able to help you use the Services in the best possible manner.
KRY International and the Healthcare Provider provide support as set forth above as a part of the Services (i.e. necessary to perform the contract with you and KRY International). To the extent the support services are related to care or processing of Patient Data (or sensitive personal data about you), the processing takes place in order to provide healthcare as part of the Services and ensure high standards of quality of healthcare.
5.4. To market products and services and improve your user experience
KRY International processes some of your User Data (as described above in section 3.1) for the purposes of providing you with news, updates and promotional content by email and text messages and other electronic communications channels, such as push notifications and in-App messages. Such communications may be based on what KRY International knows about you as a user and its understanding of how you use the App and the Services, for example which features you tend to use, and which prior communications you have showed an interest in, searches you have made, your various contacts with the Healthcare Provider, as well as basic demographic and geographic data about you, such as your age, gender and the region in which you reside. However, Health Data is not used for such communication unless you have provided explicit consent to receive communication related to your health.
When KRY International contacts you for marketing-related purposes, any processing of your personal data is based on it being in its legitimate interests to do so. KRY International’s legitimate interests include the provision of an online service enabling easy access to healthcare professionals for therapeutic purposes. Moreover, it sends marketing-related emails and text messages on the basis of the so-called ’soft opt-in’; that is, that KRY International obtained your contact details when you first registered with the App, that it is only sending emails and texts regarding the same or similar services, and that you were offered an opportunity to opt-out of such emails at the time. In addition, you may opt out of receiving marketing-related communications from KRY International at any time by updating your preferences in your account settings. As described above, any communication related to your health will only be sent based on your explicit consent.
5.5. To perform legal obligations
KRY International and the Healthcare Provider may also process your User Data, Health Data and Patient Data (as described above in sections 3.1 – 3.3) to the extent necessary to fulfil their legal obligations in the field of healthcare and as otherwise set forth in statutes, court judgments, or decisions by public authorities.
5.6. To be able to evaluate, develop and improve the quality of Services
KRY International and the Healthcare Provider may process your User Data for the purpose of developing and improving the Services and the IT systems used to provide the Services. This is done on the basis of our legitimate interests in continually improving the security and our handling of personal data, to make the App more user-friendly, for example by changing and personalising the user interface in order to simplify the user journey, or to highlight and improve functions which we deem relevant to our users. All other development of our Services takes place using anonymised data.
The Healthcare Provider will only process your Patient Data for the purpose of providing the Services (i.e. in order to be able to perform a contract between you and KRY International), to be able to ensure high standards of quality in healthcare, and to provide healthcare in accordance with applicable legislation and as described in section 5.2 above.
6. How long do we keep your personal data?
KRY International and the Healthcare Provider only process your personal data as long as is necessary for the purposes for which the information in question is processed according to section 5 above. This means we keep it as long as it is necessary in order for the Healthcare Provider to be able to provide good care or otherwise for KRY International and/or the Healthcare Provider to be able to provide the Services, or in order to fulfil our legal obligations.
The Healthcare Provider has legal obligations to save medical records connected to healthcare meetings with you for a specific period of time. It retains your Patient Data no longer than necessary for the purposes described in this Notice and has processes in place for how it stores or anonymises personal data.
User Data and Health Data
Your User Data is erased or anonymised not later than six (6) months from the time at which you close your LIVI user account, provided it is not necessary to save the personal data in order for us to fulfil our legal obligations or where the information is otherwise necessary in order to enforce legal claims.
In addition, where your User Data is processed by us on the basis of your consent we will delete or anonymise your data if you withdraw your consent. Further details are set out in section 9.
After the purpose of the information has been fulfilled, all information is anonymised or erased automatically.
7. Third parties with whom your personal data may be shared when you use the Services
7.1. Subcontractors of KRY International
In order for KRY International to be able to offer you the Services, it uses external suppliers that process personal data in certain cases, for example, IT service providers, such as operating and hosting providers. These service providers process personal data in the capacity of data processors on behalf of KRY International, for the sole purpose of providing the services requested by KRY International, and only according to KRY International’s instructions.
KRY International also retains the services of suppliers who work independently and who, in this way, are independently responsible for the processing of your personal data, such as providers of payment solutions. Where applicable, you will be requested to enter into separate agreements directly with such suppliers. We ask you to please note that this Privacy Notice does not apply to the processing of personal data which takes place through these suppliers. For information regarding how other suppliers process your personal data, please contact these suppliers.
7.2. Subcontractors of Healthcare Provider
The Healthcare Provider keeps medical records in accordance with applicable legislation in conjunction with the provision of healthcare within the scope of the Services. The medical records are saved in the medical record systems outside of the App with a third party hosting services provider based in the EU/EEA, at the request of the Healthcare Provider and according to the Healthcare Provider’s instructions. The Healthcare Provider is responsible for any personal data (Patient Data) which is stored in medical records.
7.3. Employers and insurance companies
If you have been referred to Healthcare Provider by your insurer, in order to handle your specific case, Healthcare Provider may disclose information to your insurer that you have used the Services and regarding your health condition, including copies of your medical records. Such a transfer of your personal data as set forth above is carried out by us in such case at the request of your insurer in our capacity as a controller of personal data. In other words, this requires that you have entered into an agreement with your insurer or otherwise explicitly consented to the processing in relation to your insurer. This Privacy Notice does not apply to the processing of personal data which is carried out by your insurer. For more information about how your insurer processes your personal data, please contact your insurer.
If you have been referred to us by your employer, we act as the controller of personal data. We do not disclose any sensitive personal data to your employer, i.e. information regarding your health, including whether you have used the Services.
8. Transfers to third countries
KRY International and the Healthcare Provider use IT suppliers for operating services outside of the EU/EEA. This means that KRY International and the Healthcare Provider will transfer your User Data outside the EU/EEA, currently to the United States.
Transfers of personal data take place to countries outside the EU/EEA only if the transfer is lawful according to the applicable data protection legislation regarding the protection of your privacy in the recipient country with reference to: (i) the EU Commission’s decision regarding adequate levels of protection; (ii) application of the EU Commission’s standard contract clauses for transfers to third parties; (iii) that the recipient is covered by the Privacy Shield rules and thus the requirement of an adequate level of protection (applies to transfers to the United States); or (iv) other applicable safeguards in order to fulfil applicable data protection legislation.
9. Your rights as a data subject in the App and user of the Services
You have a number of rights related to personal data we have about you.
You may at any time contact us in order to:
•request access to, and information about, the personal data which is being processed in conjunction with your use of the App and/or the Services;
•ask us to correct any incorrect information about you;
•request that your personal data be erased (however, we ask you here to note that Healthcare Providers have certain obligations by law to save certain personal data, particularly related to Patient Data, including keeping medical records in connection to use of the Services). At your request, all Patient Data which we do not have a legal obligation to retain will be erased;
•ask us to restrict the processing of your personal data where you believe such data to be inaccurate; our processing is unlawful; or we no longer need to process such data for a particular purpose unless we are not able to delete the data due to a legal or other obligation or because you do not wish for us to delete it;
•object to the processing of your personal data where the legal justification for our processing of your personal data is our legitimate interest. We will abide by your request unless we have compelling legitimate grounds for the processing which override your interests and rights, or if we need to continue to process the data for the establishment, exercise or defence of a legal claim;
•if we use your personal data on the basis of your consent, you have the right to withdraw your consent at any time, free of charge This includes where you wish to opt out from marketing messages. Withdrawal of consent does not affect the Healthcare Provider’s obligation to keep medical records, or to process your personal data in accordance with applicable law; or
•request that your personal data be moved to another controller of personal data by receiving your personal data, to the extent it has been provided by you, in an electronic format which is generally used in order to be able to transfer it to another party (the right of data portability).
Should you wish to contact us regarding any of the rights above, we encourage you to contact us via our website, or by sending an email to firstname.lastname@example.org. If you have a request related to the processing of your personal data by a Third Party Healthcare Provider, please contact it directly.
10. Your rights as a patient
As well as your rights as a data subject under data protection law in the UK, you may also have certain rights as a patient.
This includes your right to object to the sharing of your confidential medical data with others who are providing your care. If you exercise this right, our healthcare professionals can explain the potential impact of your objection on your care including, for example, not being able to refer you to a specialist or arrange further treatment.
11. Right to file a complaint with the Data Protection Authority
With this Privacy Notice we truly hope that we have made it clear to you how we handle your personal data. However, should you still have any questions, please feel free to contact us via the contact details provided in Section 9 above. We would also like to inform you that, should you believe that the processing of your personal data is incorrect or does not comply with legal requirements, you have the right to file a complaint with (a) the Information Commissioner’s Office if you are based in, or the issue relates to, the UK, or (b) the relevant Data Protection Authority if you are based in, or the issue you would like to complain about took place, elsewhere in the European Economic Area (EEA).
The Information Commissioner’s Office can be contacted as follows:
Telephone: +44 0303 123 1113
Address: Water Lane, Wycliffe House, Wilmslow, Cheshire, SK9 5AF
If you are based in, or the issue you would like to complain about took place, elsewhere in the European Economic Area (EEA), a list of local data protection authorities in the other EEA countries is available here
Issue Date: 30 July 2019