Privacy Statement
Updated 8 Feb 2022
1. General
Data protection means protecting personal data and safeguarding appropriate data
processing. Personal data is data related to an identified or identifiable person. In the
following, “Evexia” and “we” will refer to the processing of personal data within Evexia
Oy and its affiliated companies (“Evexia” or “we”). Evexia processes your data with due
care, in accordance with all applicable laws and regulations. In this Privacy
Statement, we provide information about the processing of personal data at Evexia, what
personal data we process, how we use your data and what rights you have regarding the
processing of your data.
This Privacy Statement may be updated from time to time. You can find the current version
on our website evexia.fi or from our mobile application. This Privacy Statement applies to
all personal data that Evexia processes as a controller during the provision of our services.
In some cases, we might also be processors of personal data. In these cases we process
personal data on behalf of third party service providers, such as health care service
providers, in accordance with a data processing agreement, and you are informed about your
rights by such third party controller.
2. Whose personal data do we process?
Evexia processes in its operations the following groups of data subjects:
Evexia’s customers (for example contact persons of customer entities)
End-users of mobile application or other digital services (such as website) provided
by Evexia
Persons belonging to Evexia marketing target groups
Evexia’s staff members, such as employees or other persons working for Evexia
and job applicants
Contact persons of institutions closely related to Evexia’s operations
3. What personal data does Evexia process?
Personal data is usually collected directly from you or it is obtained from the use of our digital
services. Sometimes we may also require additional information to keep the data up to
date or to ensure that the information we receive is correct.
The personal data collected by us can be divided as follows:
Basic information, such as customer’s or staff member’s name, personal identity
code if needed, gender and contact details,
Interaction information, such as communications related to the customer
relationship, co-operation, or job application, for example, orders, information on the
website and application users, digital service event logs, cookie data and contacts
with other customers.
Usage information of our mobile application
Contract information, such as employment contract, co-operation contract or
different types of customer agreements
Financial information, such as payments made and invoices.
Personal data we collect from you
From end-users of our digital services, we process information that (i) you provide to us
and (ii) we observe from the use of our services.
In our business operations, we process basic information, interaction information, contract
information and other information provided by our customers, staff members and contact
persons of institutions closely related to Evexia’s operations.
The health-related information and fitness data processed through our mobile application
is processed by us on behalf of a controller, such as a hospital. The processing of such data is
conducted under data processing agreement and is subject to your prior approval in
accordance with applicable data protection law.
Personal data that we can collect from sources other than you
We collect personal data from publicly available sources, such as registers maintained by
authorities (e.g. Population Register, the Tax Administration’s registers, company registers
and supervisory authorities’ registers) and publicly available profiles on social media (such as
job applicants’ information from LinkedIn), if it is necessary for the purposes listed below.
4. How can we process your personal data and on what legal bases?
Concluding and managing service and product agreements (performance of a contract)
The primary purpose of personal data processing is to manage and carry out the tasks
specified in the contract. This means for example customer, cooperation or employment
relationship management, support and communication (including feedback and complaint
handling), maintenance, software and system updates, user identification as well as for
diagnostic and repair purposes.
Customer communications, marketing, product and customer analyses, information
security and fraud prevention (legitimate interest)
We have a legitimate interest to process personal data for customer communications and
in connection with marketing, product and customer analyses. This allows us to improve
our product range and optimise the services offered to customers. We market, for
example, our products and services to existing and potential customers electronically. We
also send customer communications (e.g. newsletters and feedback surveys) to our
existing customers. The tag used in the email links we send can be used to associate the
email sent to you with the customer information we hold on you. The use of the tag allows
you to manage your personal communication settings through the links in the emails sent
to you. We carry out digital marketing through, for example, third party advertising
platforms that can be targeted using, for instance, custom audience groups. You can
object to targeting. Marketing may also involve profiling.
In addition, we use your personal data for the following purposes based on legitimate
interests pursued by us:
We shall use your device information (such as device country code) and app usage
data to analyse and improve our services and user experience. You can object to
such processing.
In addition, we use your personal data for information security purposes and to
detect or prevent various types of misuse of services and frauds based on our
legitimate interest in order to provide you with secure and reliable services.
Compliance with requirements and obligations laid down in the law (statutory obligation)
Compliance with the obligations laid down in the law, regulations and decisions issued by
authorities may require us to process personal data. Examples of statutory obligations that
require the processing of personal data:
accounting and tax regulations
regulatory reporting
Consent
In certain situations, we ask for your consent to process your personal data. Such
situations may include, for example, consent to electronic direct marketing. The consent
request contains information on the processing of such data. If you have given your
consent to the processing of your personal data, you also have the right to withdraw your
consent.
5. Automated decision-making and profiling
Automated decision-making means making decisions based solely on automated
processing of personal data. We don’t use automated decision-making in our business
operations.
Profiling means automated processing of personal data, involving, for example, the
assessment or anticipation of a person’s areas of interest or behavior. We use profiling to
target direct marketing on third party advertising platforms. The targeting of online
advertising is based on website visitor data: visitors can be shown, for example,
advertisements on products and services related to pages they have visited earlier. The
profiling carried out in connection with marketing does not include automated
decision-making that has significant legal effects.
6. Sharing of personal data
We may share your personal data in the following situations:
Our mobile application supports sharing of health related and fitness data from your
device to certain organizations such as health care providers and doctors. Such
data sharing is conducted only based on your prior authorization. These
organizations are controllers of such data and we only process such data on behalf
of the controller in question. You may find more details of their processing of personal
data from the privacy statement of these controllers. We recommend you to read
carefully the privacy statements/policies of the controllers you are sharing your app
data with.
When our digital marketing activities utilise different third-party advertising
platforms' features, we may target you by uploading your information (e.g. a hashed
email address or phone number) to such platform. We may also use third-party
tracking platforms, which collect data about how users interact with our ads for ads
attribution analysis and effect evaluation purposes. Such third parties are operating
under contract and acting on behalf of us and include data transfers to partners
located in the US.
Our third-party vendors, who provide us with IT (including cloud-based) and
business support as well as customer care services. All such third parties are
operating under contract and acting on behalf of us.
When required in response to a legal process or request from a competent authority
according to applicable laws or in connection with a legal proceeding or process.
When required as part of a merger, acquisition, sale of assets (such as service
agreements) or transition of service to another group entity or another company.
When transferring and disclosing your data outside the EU/EEA, where the local law may
not provide the same level of protection as in the EU/EEA, we shall comply with applicable
legal requirements for providing adequate safeguards to such transfers by incorporating
the European Commission's Standard Contractual Clauses (SCC) or by requesting your
prior consent.
7. How long do we store your data?
We will only retain your data as long as is necessary for the performance of the contract
and as long as required by the provisions laid down by laws and regulations concerning
the retention of the data. If we retain your data for purposes other than the performance of
a contract, such as accounting requirements, we will retain the data only if it is necessary
for that purpose and/or provided for by law and regulations.
8. What Are Your Rights and Options?
You have the following rights and options:
8.1 Access your data
You can request information and a copy of your personal data that we have collected and
stored in relation to our services.
8.2 Rectify your data
To keep your data up-to-date and accurate, you can access and modify your data by
contacting us.
8.3 Port your data
You can port the personal data that you have provided to us in relation to our services in a
commonly-used and machine-readable format.
8.4 Erase your data
You may at any time:
Contact us if you think the processing of your personal data is unlawful and your
data should be erased.
We will erase or anonymise your personal data within a reasonable period of time based
on your aforementioned actions and in accordance with the retention periods.
8.5 Withdraw your consent
You may withdraw your consent if you have given one.
8.6 Object to processing
You may object to processing based on legitimate interest.
8.7 Restrict processing
If you want to restrict the processing of your personal data, please contact us. You have
the right to restrict the processing of your data under the following circumstances:
Your data is unlawfully processed, but you do not want to erase it.
You have a legal claim that you need to establish, exercise, or defend, and you
requested us to keep your data when we would not keep it otherwise.
You have contested the accuracy of your personal data and the accuracy of your
data is pending our verification.
Your request for objection is pending our verification process.
8.8 General on data subject rights and right to lodge a complaint
When making the request to exercise your data subject rights, please specify the scope
and the grounds for the request and provide us with the email address or phone number
that you use with our services. We will contact you to verify your identity to proceed with your
request. Please consider that rights under data protection regulation are not absolute. We
exercise rights in accordance with applicable law and applicability of the relevant right is
assessed case by case. For example, if you make a request for deletion of your data and
we are required by applicable law to retain such personal data, we may not be able to
comply with your request.
If your request concerns data we are processing on behalf of a controller, we shall forward
your request to the relevant controller.
If you find the processing of your personal data to conflict with the applicable legislation,
you have the right to lodge a complaint with the Finnish Data Protection Ombudsman.
9. How to Contact Us?
The controller of the processing of the personal information is: Evexia Oy with a company
ID 3112305-4. You can contact us at e-mail address: team@evexia.fi
10. Applicability and changes
We encourage you to regularly check for the latest version of this Statement in the app
settings as we may update it from time to time. In the event of material changes to this
Statement, we will notify you in advance by means of notification dialogs, push messages,
emails, and so on, depending on the nature of the change.