Integritetspolicy för IQoro-appen

Introduction

In this Privacy Policy you can read about how the Swedish company: MYoroface AB with company registration number: 556902-6791 (hereinafter referred to as ”the Supplier” and ”we” or ”us”) Processes Personal Data that we get access to when a Data subject register a User account to the application IQoro-App (“Application”) or when a Data subject contacts us in matters regarding the app. References to ”you”, ”your” refer to the Data subject whose Personal Data we Process.

We care about your personal integrity. Therefore, we strive at all times to protect your Personal Data in the best way possible and to follow all applicable rules and laws concerning data protection. As part of this Privacy Policy, we want to inform you how we Process your Personal Data.

Definitions

The following terms used in this Privacy Policy shall have the meanings set forth below, both when expressed in the plural and the singular:

Website: refers to iqoro.com, owned by the Supplier.

Application: refers to the application ”IQoro-app” for iOS and Android. 

User: refers to individuals who use the Application.

User Account: refers to an identity in the Application that identifies a User and gives the User access to the Application’ features.

Data: refers to all data that is registered by Users, or that is generated or derived from Application, or otherwise created through Users’ use of the Application.

Personal data: All data that, directly or indirectly, alone or together with other data, can be linked to an identified or identifiable physical living person, is Personal data according to GDPR. Common examples of Personal data are: name, telephone number, address, email address, user ID, credit card number, registration number of a vehicle, IP address, etc.

Data subject: The natural person who can be identified through the Personal Data.

Processing: Processing of Personal data can be made in different ways. Everything that is made with Personal data, automated or otherwise, is a form of Processing. Processing can take place through an individual measure or through a combination of different measures. Examples of common Processes of Personal data are storage, erasure, sharing, usage, registration, copying, collection, organization, use, adjustment, destruction, etc.

Controller: According to the GDPR, anyone who determines the purpose of a particular Processing of Personal Data and how the Processing is to be carried out, is regarded as the Controller. Natural persons, legal persons, authorities, institutions or other bodies may be Controllers.

Processor: The one who Processes Personal data on behalf of a Controller, according to the Controller’s instructions, is to be regarded as a Personal Data Processor according to the GDPR.

Third party: A Third party means someone other than, the Controller (and the persons who are authorized to Process the Personal Data), the Data subject or the Processor (and the persons who are authorized to Process the Personal Data). A Third party may be a legal person or a natural person, institution, authority or other body.

GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).

SCC: Commission implementing decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, or later updated version.

Any other GDPR-related terms not defined here shall have the same meaning in this Privacy Policy as set forth in Article 4 of the GDPR.

Who is responsible for the Processing of Personal Data?

Our Processing of your Personal Data takes place in accordance with the GDPR (and SCC where applicable) and the data protection principles.

MYoroface AB is regarded as the Controller for the Processing of Personal data performed by us or on our behalf, and we are responsible for the Processing of these insofar as we determine the means and purpose of the Processing (according to the principle of liability). For example, MYoroface AB acts in the capacity of a Controller when we Process your Personal data that you provide to us in connection to a support matter regarding any questions about the Application, such as your email address. 

You can contact our Personal data representative by ringing +46 10 551 67 22 or by sending an email to info@iqoro.com.

Categories of Personal Data that we Process

In accordance with the principle of data minimization, we only process Personal Data that is adequate, necessary and relevant to fulfill the purposes for which it was collected. We mainly Process the categories of Personal Data listed below, which we can access when you use the Application or contact our support for support matters regarding the Application: 

  • Contact information: email address, name.
  • User information: Used-ID.
  • Other Personal data: any other Personal data that is provided to us, such as those that are registered in the Application by the User or that the User provides in any message that the User sends to us.

In accordance with the principle of purpose limitation, we only process Personal Data for special, explicitly stated and justified purposes. In addition, all Processing is legally established and legal in accordance with the provisions of the GDPR. Below you can read more about the legal basis and purpose of the Processing of Personal Data.

  • When you contact our support through email or telephone:

When you contact our support regarding support matters or questions connected to the Application through email or telephone, we get access to your Personal data that appears in connection with such contact. For example, we may get access to the following Personal data that you provide to us: name, telephone number, email address, user-ID (if applicable) and other information that you provide to us. This information is Processed by us so that we can know who we are talking to, to resolve the matter and to keep in touch in the support case. 

If you have a User Account to the Application when you contact our support  regarding support matters or questions connected to the Application, the processing of the above-mentioned Personal data is made on the legal basis of Agreement. 

If you do not have a User Account to the Application when you contact our support regarding support matters or questions connected to the Application, the processing of the above-mentioned Personal data is made on the legal basis of Legitimate interest.

  • When you enter into an agreement with us:

We Process your email address that you register in connection to creating a User account for the Application, in order to fulfil our contractual obligations towards you and in order to provide the Application to you. We will encrypt your email address for security reasons. You accept the Terms of Use of the Application when you register a User account for the Application and we thus enter into an agreement with each other. Legal basis for the Processing: Agreement.

  • When you use the Application:

The data we process when you use the application are your email address that you register in connection to creating a User account for the Application. We will encrypt your email address for security reasons. When you answer the daily symptom check and/or the weekly self-test, we process the score and date of completion of these as well as the written notes in the daily symptom check. The notes will be encrypted for security reasons. The reason for processing this data is to provide the user with a visual representation of their progress when training with IQoro. Legal basis for the Processing: Agreement.

  • Other purposes for our Processing of Personal Data:

If we are obliged by law, court or authority decision to Process certain Personal data, the Processing takes place on the basis of a Legal obligation as a legal basis. In such cases, the Processing takes place only to the extent that it is necessary for us to fulfill our legal obligations and then we only process the necessary Personal data, for as long as the law requires it (in accordance with the principle of storage limitation).

When a Processing of Personal data takes place on the basis of a Legitimate interest as a legal basis, our assessment is that the Processing does not constitute an infringement of your right to privacy and integrity. We have come to this conclusion, after having made a balance between on the one hand what the Processing in question means for your interests and the right to privacy, and on the other hand our legitimate interest in the Processing in question. However, we never process sensitive Personal Data on the basis of this legal basis.

Based on our Legitimate Interest, we may process Personal data to:

  • protect our rights and property,
  • carry out direct marketing of our services,
  • ensure the technical functionality of the Application,
  • collect anonymous statistics, performance measurements, etc. regarding the Application.
  • answer any questions or other posts published in our social media pages/groups.

Storage location and duration

We strive to store all Personal Data that we Process within the EU/EEA, in accordance with the principle of integrity and confidentiality. If Personal data is stored in a country outside the EU/EEA, we shall ensure that such storage site ensures an adequate level of protection in accordance with the provisions of the GDPR and SCC.

Personal data is stored for as long as it is necessary to fulfill the purposes for which it was collected. When the Personal data no longer needs to be stored for the purposes, it is either deleted (erased) or anonymized, in accordance with the principle of storage limitation.

Sharing of Personal Data

We may share Personal Data that we Process if it is necessary to prevent, detect, prevent or investigate criminal activity and to protect our interests and our property.

We employ various service providers to:

  • safeguard our legal interests,
  • fulfill our contractual and legal obligations,
  • detect and prevent technical, operational or safety problems, and
  • provide, improve and maintain the Application (software maintenance).

Examples of service providers that we engage are: web/app developers, data centre etc. Before we share any Personal data to such service providers, we enter into a Data Processing Agreement with them in accordance with the provisions of the GDPR (alternatively SCC if the Processor is located in a country outside the EU/EEA). This is done to ensure a secure and correct Processing of Personal Data.

Technical and organizational security measures

We implement technical and organizational security measures with a focus on the integrity of the Data subjects. The measures are intended to protect against intrusion, abuse, loss, destruction and other changes that may pose a risk to privacy (according to the principle of privacy and confidentiality). Below are examples of some security measures we take and implement:

  • Internal routines have been established with instructions regarding the Processing of Personal data that all staff must follow. Among other things, internal routine for erasure of Personal data and handling/documentation of Personal data breaches.
  • Internal routines, policies and instructions are reviewed regularly, at least annually and as needed.
  • A contact person for Personal data matters has been appointed, who also responds directly to the company’s top management.
  • Access to databases, IT systems and parts of the IT infrastructure and network requires a password.
  • The Processors and sub-processors hired guarantee an adequate level of technical and organizational security for the services provided and the tasks performed.
  • All staff have undertaken an obligation to observe confidentiality regarding Personal data that is Processed within the framework of the business and the performance of the work.
  • We follow the seven data protection principles in all Processing of Personal data. The principles are documented in internal routines, which our staff have access to and which they follow in all Processing of Personal data for which we are responsible for.

Data subjects’ rights according to GDPR

If we Process your Personal Data, you have different rights under our GDPR regarding our Processing of your Personal Data. You have the right to:

  • be informed about the collection and the use of your Personal data, 
  • access your Personal data and supplementary information, 
  • have your inaccurate Personal data rectified or completed if it is incomplete, 
  • have your Personal data erased (to be forgotten) in certain circumstances, 
  • restrict Processing of your Personal data in certain circumstances, 
  • data portability, which allows you to obtain and reuse your Personal data for your own purposes across different services, 
  • object to Processing in certain circumstances, 
  • rights in relation to automated decision making and profiling, 
  • withdraw your consent at any time (where relevant), 
  • complain to the Supervisory authority regarding our Processing of Personal data, and
  • be informed about any Personal data breach concerning your Personal data in certain circumstances.

We hereby inform you that some of the rights only apply in certain situations and only if it is legal and possible for us to implement your request. You are welcome to contact us through the contact information listed below, if you would like to invoke any of the above rights regarding your Personal data that we Process.

Personal data breaches

Regulatory authorities are independent public authorities. Each EU country has designated its own regulatory authority to handle GDPR-related matters. In Sweden, the Swedish Authority for Privacy Protection (IMY) is the supervisory authority.

According to the GDPR, a Personal data breach means a security breach that has caused Processed Personal data to be destroyed, lost, altered or obtained by an unauthorized person. A breach can be made intentionally or unintentionally, for example through negligence or due to crime.

We follow the provisions of the GDPR regarding the handling, reporting and documentation of Personal data breaches. When required by the GDPR, we will report Personal data breaches to the IMY within 72 hours and notify the Data subjects affected by the Personal data breach.

Changes

The contents of this Privacy Policy may be updated from time to time, without prior notice. For example, if it is necessary to clarify something or if our Processing of Personal data changes. The latest version is always published on the Application. You are responsible for reading the contents of this Privacy Policy and keeping up to date on any changes.

Questions or complaints

If you have any questions, concerns or if you are dissatisfied with our Processing of your Personal data, you are always welcomed to contact us. Below are our company and contact information:

Company: MYoroface AB 

Reg. no: 556902-6791

Address: Sjötullsgatan 16, 824 55 Hudiksvall

Email: info@iqoro.com

Our contact person for Personal data matters:

We have appointed a contact person for Personal data matters who you can contact if you have questions regarding our Processing of Personal data.

Name: Linn Hägg

Email: linn@myoroface.com

You also have the right to contact the Swedish Authority for Privacy Protection to submit a complaint.

Name: Integritetsskyddsmyndigheten (IMY).

Phone: 08-657 61 00.

Email: imy@imy.se.

Postal address: Integritetsskyddsmyndigheten, Box 8114, 104 20 Stockholm.