At LIVI, healthcare personnel, together with technical personnel, work jointly to develop and provide healthcare. For us at LIVI, you as an individual and as a patient always come first and this privacy notice (the “Privacy Notice”) explains how we handle your personal data when you sign up to and use our App and when you seek healthcare or similar services from us (the “Services”).
We explain in more detail in this Privacy Notice how LIVI works for you as a “user” and “patient” and who is responsible for the processing of personal data, which is carried out in connection to your use of the Services. We also describe which personal data about you is processed when you use the Services, how we process the personal data, and why. We also describe the legal basis for our processing and which external parties may handle personal data about you in order for us to provide you with the Services. You also receive information about your rights in relation to the processing of your personal data and what you can do to exercise these rights.
2. Who is responsible for the processing of personal data?
KRY International AB, company reg. no. 556967-0820 (“KRY International”), the parent company in the LIVI group, is a Swedish company that owns and makes available the ”LIVI” technical platform and application (the “App”) and is the data controller for the processing of the personal data, which you register in the App, up until the time at which you commence contact with a healthcare provider for medical advice and follow-up, or otherwise voluntarily submit information related to your health. When you seek healthcare from LIVI, it is solely established healthcare providers who are responsible for providing the healthcare, including the processing of personal data which is carried out in connection to your use of the Services.
In the UK, it is KRY International’s wholly owned affiliate, Digital Medical Supply UK Ltd., company reg. No. 11126560, which provides healthcare within the Services (the “Healthcare Provider”), unless the identity of another healthcare provider is communicated to you in connection with your use of the Services. Therefore, when you start providing information about your health in the App, Digital Medical Supply UK Ltd (or such other healthcare provider as is communicated to you) is the data controller. In relation to healthcare, KRY International acts, in its capacity as a processor of personal data, only as a supplier of the technical platform and the related service. This means that your personal data is only processed according to the instructions of the Healthcare Provider. In the event another healthcare provider joins the LIVI platform and processes your personal data in connection to your use of the Services, we will inform you when you use the Services so that you always know which healthcare provider is the controller of your personal data.
If you have any questions or comments regarding the processing of your personal data in connection to your use of the Services, you are always welcome to contact us and/or our data protection officer via our website at https://kry.se/kontakt/, or by sending an email to firstname.lastname@example.org.
Data controller Contact Details
SE-103 69 Stockholm
Digital Medical Supply UK Ltd.
20 Whitechapel Rd,
Other healthcare providers
The contact details of other healthcare providers will be communicated to you at the time you are notified they are providing the Services to you.
3. Where do we collect your personal data which is processed when you use the Services?
3.1. Personal data which is registered via your user account in the App
KRY International and the Healthcare Provider process personal data about you, which you register via your account such as your name, gender, address, email address and picture (used for verification of identity) when you open your user account with us and, subsequently, any information you register when you use the App. In addition, we may automatically collect and process the following information: (i) technical information, including IP address, login information, type and version of operating system and unit, time settings, language settings, cookies, etc.; and (ii) information about the Services we provide to you.
These categories of personal data, which are provided when you download, sign up to and use the App, are referred to as “User Data” below.
3.2. Personal data to and from the Healthcare Provider
When you seek healthcare from us, you are asked to share data linked to your physical and/or mental health. You do this primarily by filling in the relevant symptoms form in the App or by submitting data via your health profile. This information may include, but is not limited to, information that you are suffering from an illness, your medical history, or your physiological or medical condition. The Healthcare Provider with whom you come into contact by using the Services may also transfer personal data about you in the context of providing healthcare and/or relevant medical treatment. For example when referring you to another healthcare provider or to pharmacies for the purpose of your treatment or administering prescriptions.
Personal data related to your health which the Healthcare Provider uses in order to provide healthcare services is referred to below as “Patient Data”.
3.3. Personal data from third parties including other Healthcare Providers
Your personal data may also be updated and processed by us as Patient Data based on the healthcare you have received from other healthcare providers who are not associated with LIVI. In the event this data is considered relevant to the provision of healthcare within the scope of the Services, it may be saved and processed by the Healthcare Provider and entered in your medical records by the clinician who is treating you.
4. Where is your personal data stored?
The App is a technical platform owned and controlled by KRY International. The App is continually being developed and quality-ensured by KRY International. Instead, this personal data is stored by KRY International, in infrastructure provided by one of KRY International’s subcontracted processors. The personal data is handled and stored primarily within the EU/EEA.
No sensitive personal data, such as information related to your health, is stored outside of the EU/EEA in connection to your use of the Services. The Healthcare Provider is obligated to maintain medical records when performing the Services and relevant Patient Data is filed in a medical record system (specifically developed in order to fulfil the requirements of the applicable legislation) at the request of the Healthcare Provider. Your medical record is handled and stored within the EU/EEA.
5. Why personal data is processed when you use LIVI
5.1. KRY International’s processing of your User Data
KRY International processes your User Data (as described above in section 3.1) for the following purposes:
(i) to process your application or terminate your user account in the App;
(ii) to provide you with authorization to login and use your user account;
(iii) to verify your identity and age;
(iv) to maintain correct and up-to-date information about you;
(v) for you to be able to monitor and administer ongoing care matters;
(vi) to measure and analyse use of the App, and to improve the App and the Services;
(vii) to handle your choice of settings and information about payment; and
(viii) to otherwise be able to provide the Services to you according to our General Terms and Conditions.
The legal basis for processing your User Data is that it is necessary for us to be able to provide you with the Services, and for the Healthcare Provider’s provision of good care in connection with your use of the Services. We need to process your User Data for the performance of the contract between us, which constitutes our General Terms and Conditions. The processing for the purposes of (vi) above is based on our legitimate interest to measure and analyse use of the App, and to improve the App and the Services we provide to you.
5.2. The Healthcare Provider’s processing of your Patient Data to provide healthcare services
The Healthcare Provider processes Patient Data (as described above in section 3.2) for the purpose of providing the Services to you in the form of healthcare and other necessary treatment, advice or administration, such as support for the clinicians within the scope of providing the healthcare itself.
We need to process your Patient Data for the performance of this contract between us, comprised of our General Terms and Conditions. The legal basis for the Healthcare Provider’s processing of your Patient Data is that it is necessary for the purposes of preventive or occupational medicine, for medical diagnosis and the provision of health or social care. This may include sending you emails and other electronic communications, such as appointment reminders.
As a Healthcare Provider, our business operations are governed by national legislation. We therefore process your personal data in accordance with applicable law and as necessary to fulfil the legal obligations of the Healthcare Provider. This includes that our clinicians keep medical records, which the Healthcare Provider is obligated to save for a particular period of time.
The Healthcare Provider, as the data controller of your Patient Data, may use KRY International as a data processor to process Patient Data on its behalf to ensure that high standards of healthcare are maintained and, to the extent such data is subject to obligations of medical confidentiality, you consent to it doing so. For example, KRY International may process your Patient Data to analyse the efficiency of the Services, to ensure that applicable clinical and other guidelines are followed and to follow up on any issues identified with our Services.
KRY International may also process anonymous data derived from your use of the Services to improve the Services, for example, to develop new features for our App, to customise our Services, optimise our user journey and improve our users’ experience of the App more generally.
5.3. Provision of support services related to your use of the Services
KRY International and the Healthcare Provider may communicate with you, in your capacity as a user of the Services. This includes, among other things, responding to inquiries and investigating complaints and support matters (including technical support) through our support service by telephone or via our digital channels. Depending on your matter, you may share additional User Data and Patient Data which we then process to be able to help you use the Services in the best possible manner.
KRY International and the Healthcare Provider provide support as set forth above as a part of the Services (i.e. necessary to perform the contract with you and KRY International). To the extent the support services are related to care or processing of Patient Data (or sensitive personal data about you), the processing takes place in order to provide healthcare as part of the Services and ensure high standards of quality of healthcare.
5.4. To market products and services and improve your user experience
KRY International processes some of your User Data (as described above in section 3.1) for the purposes of providing you with news, updates and promotional content by email and text messages and other electronic communications channels, such as push notifications and in-App messages. Such communications may be based on what we know about you as a user and our understanding of how you use the App and the Services, for example which features you tend to use, and which prior communications you have showed an interest in, searches you have made), your various contacts with the Healthcare Provider, as well as basic demographic and geographic data about you, such as your age, gender and the region in which you reside.
When we contact you for marketing-related purposes, any processing of your personal data is based on it being in our legitimate interests to do so. Our legitimate interests include the provision of an online service enabling easy access to healthcare professionals for therapeutic purposes. Moreover, we send marketing-related emails and text messages on the basis of the so-called ’soft opt-in’; that is, that we obtained your contact details when you first registered with the App, that we are only sending emails and texts regarding the same or similar services, and that you were offered an opportunity to opt-out of such emails at the time. In addition, you may opt out of receiving marketing-related communications from us at any time by updating your preferences in your account settings.
5.5. To perform legal obligations
KRY International and the Healthcare Provider may also process your User Data and Patient Data (as described above in sections 3.1 – 3.2) to the extent necessary to fulfil its legal obligations in the field of healthcare and as otherwise set forth in statutes, court judgments, or decisions by public authorities.
5.6. To be able to evaluate, develop and improve the quality of Services
KRY International and the Healthcare Provider may process your User Data for the purpose of developing and improving the Services and the IT systems used to provide the Services. This is done on the basis of our legitimate interests in continually improving the security and our handling of personal data, to make the App more user-friendly, for example by changing and personalising the user interface in order to simplify the user journey, , or to highlight and improve functions which we deem relevant to our users. All other development of our Services takes place using anonymised data.
The Healthcare Provider will only process your Patient Data for the purpose of providing the Services (i.e. in order to be able to perform a contract between you and KRY International), to be able to ensure high standards of quality in healthcare, and to provide healthcare in accordance with applicable legislation and as described in section 5.2 above.
6. How long do we keep your personal data?
We only process your personal data as long as is necessary for the purposes for which the information in question is processed according to section 5 above. This means we keep it as long as it is necessary in order to for the Healthcare Provider to be able to provide good care or otherwise be able to provide the Services, or in order to fulfil our legal obligations.
The Healthcare Provider has legal obligations to save medical records connected to healthcare meetings with you for a specific period of time. We retain your Patient Data no longer than necessary for the purposes we describe in this Notice and have processes in place for how we store or anonymise personal data.
Your User Data is erased or anonymised not later than six (6) months from the time at which you close your user account with us, provided it is not necessary to save the personal data in order for us to fulfil our legal obligations or where the information is otherwise necessary in order to enforce legal claims.
In addition, where your User Data is processed by us on the basis of your consent we will delete or anonymise your data if you withdraw your consent. Further details are set out in section 9.
After the purpose of the information has been fulfilled, all information is anonymised or erased automatically.
7. Third parties with whom your personal data may be shared when you use the Services
7.1. Subcontractors of KRY International
In order for us to be able to offer you the Services, we use a external suppliers that process personal data in certain cases, for example, IT service providers, such as operating and hosting providers. These service providers process personal data in capacity of data processors on behalf of KRY International, for the sole purpose of providing the services the requested by KRY International, and only according to KRY International’s instructions.
KRY International also retains the services of suppliers who work independently and who, in this way, are independently responsible for the processing of your personal data, such as providers of payment solutions. Where applicable, you will be requested to enter into separate agreements directly with such suppliers. We ask you to please note that this Privacy Notice does not apply to the processing of personal data which takes place through these suppliers. For information regarding how other suppliers process your personal data, please contact these suppliers.
7.2. Subcontractors of Healthcare Provider
The Healthcare Provider keeps medical records in accordance with applicable legislation in conjunction with the provision of healthcare within the scope of the Services. The medical records are saved in the medical record systems outside of the App with a third party hosting services provider based in the EU/EEA, at the request of the Healthcare Provider and according to the Healthcare Provider’s instructions. The Healthcare Provider is responsible for any personal data (Patient Data) which is stored in medical records.
7.3. Employers and insurance companies
If you have been referred to us by your insurer, in order to handle your specific case, we may disclose information to your insurer that you have used the Services and regarding your health condition, including copies of your medical records. Such a transfer of your personal data as set forth above is carried out by us in such case at the request of your insurer in our capacity as a controller of personal data. In other words, this requires that you have entered into an agreement with your insurer or otherwise explicitly consented to the processing in relation to your insurer. This Privacy Notice does not apply to the processing of personal data which is carried out by your insurer. For more information about how your insurer processes your personal data, please contact your insurer.
If you have been referred to us by your employer, we act as the controller of personal data. We do not disclose any sensitive personal data to your employer, i.e. information regarding your health, including whether you have used the Services.
8. Transfers to third countries
KRY International and the Healthcare Provider use IT suppliers for operating services outside of the EU/EEA. This means that KRY International and the Healthcare Provider will transfer your User Data outside the EU/EEA, currently to the United States.
Transfers of personal data take place, however, only in exceptional cases to countries outside the EU/EEA and only provided that the transfer is lawful according to the applicable data protection legislation regarding the protection of your privacy in the recipient country with reference to: (i) the EU Commission’s decision regarding adequate levels of protection; (ii) application of the EU Commission’s standard contract clauses for transfers to third parties; (iii) that the recipient is covered by the Privacy Shield rules and thus the requirement of an adequate level of protection (applies to transfers to the United States); or (iv) other applicable safeguards in order to fulfil applicable data protection legislation.
9. Your rights as a data subject in the App and user of the Services
You have a number of rights related to personal data we have about you.
You may at any time to contact us in order to:
•request access to, and information about, the personal data which is being processed in conjunction with your use of the App and/or the Services;
•ask us to correct any incorrect information about you;
•request that your personal data be erased (however, we ask you here to note that Healthcare Providers have certain obligations by law to save certain personal data, particularly related to Patient Data, including keeping medical records in connection to use of the Services). At your request, all Patient Data which we do not have a legal obligation to retain will be erased;
•ask us to restrict the processing of your personal data where you believe such data to be inaccurate; our processing is unlawful; or we no longer need to process such data for a particular purpose unless we are not able to delete the data due to a legal or other obligation or because you do not wish for us to delete it;
•object to the processing of your personal data where the legal justification for our processing of your personal data is our legitimate interest. We will abide by your request unless we have compelling legitimate grounds for the processing which override your interests and rights, or if we need to continue to process the data for the establishment, exercise or defence of a legal claim;
•if we use your personal data on the basis of your consent, you have the right to withdraw your consent at any time, free of charge This includes where you wish to opt out from marketing messages. Please note that KRY International and the Healthcare Provider handle your personal data for different purposes (both as a technical supplier of the App but also as a Healthcare Provider). Withdrawal of consent does not affect the Healthcare Provider’s obligation to keep medical records, or to process your personal data in accordance with applicable law; or
•request that your personal data be moved to another controller of personal data by receiving your personal data, to the extent it has been provided by you, in an electronic format which is generally used in order to be able to transfer it to another party (the right of data portability).
Should you wish to contact us regarding any of the rights above, we encourage you to contact us via our website, or by sending an email to email@example.com.
10. Your rights as a patient
As well as your rights as a data subject under data protection law in the UK, you may also have certain rights as a patient.
This includes your right to object to the sharing of your confidential medical data with others who are providing your care. If you exercise this right, our healthcare professionals can explain the potential impact of your objection on your care including, for example, not being able to refer you to a specialist or arrange further treatment.
11. Right to file a complaint with the Data Protection Authority
With this Privacy Notice we truly hope that we have made it clear to you how we handle your personal data. However, should you still have any questions, please feel free to contact us via the contact details provided in Section 9 above. We would also like to inform you that, should you believe that the processing of your personal data is incorrect or does not comply with legal requirements, you have the right to file a complaint with (a) the Information Commissioner’s Office if you are based in, or the issue relates to, the UK, or (b) the relevant Data Protection Authority if you are based in, or the issue you would like to complain about took place, elsewhere in the European Economic Area (EEA).
The Information Commissioner’s Office can be contacted as follows:
Telephone: +44 0303 123 1113
Address: Water Lane, Wycliffe House, Wilmslow, Cheshire, SK9 5AF
If you are based in, or the issue you would like to complain about took place, elsewhere in the European Economic Area (EEA), a list of local data protection authorities in the other EEA countries is available here
Issue Date: 31 March 2019