Privacy policy
The privacy policy is effective as of 2024-09-20.
​
-
Introduction
​1.1 Evira AB, organisation number 559252–8995, (”Evira”, ”we” or "us”) provides a website (the “Website”) and an application for treatment of patients with obesity (the “Service”). Evira is the data controller for the processing of the personal data that we receive when you use the Website or the Service and is therefore responsible for ensuring that all personal data is processed correctly and in accordance with applicable data protection regulations.
​
1.2 When you seek care from any healthcare provider through the Website or in the Service (the “Healthcare provider”), it is the Healthcare provider who is the data controller for the processing of personal data that takes place for the purpose of providing you with the services that the Healthcare Provider offers, e.g. various types of healthcare services. In relation to these Healthcare Providers, Evira is the data processor regarding the processing of personal data in order to, for example, provide the Service.
​
​1.3 This privacy policy (the “Privacy Policy”) describes how we collect, process and protect personal data when you as a User visit the Website or use the Service, as well as the rights that pertain to you when we process your personal data.
​
1.4 If you have questions regarding our processing of your personal data, it is always possible to contact us. Information about us and our contact details can be found under section 9, “Contact details”, below.
​
2. Scope of the Privacy Policy
​2.1 The Privacy Policy covers the processing of personal data for which Evira is the data controller. The Privacy Policy thus does not cover the processing of personal data that Evira carries out as a data processor, i.e., on behalf of the Healthcare Provider. Evira is then bound by the instructions for personal data processing that Evira has received from the Healthcare Provider. In these situations, Evira will always ensure that processing takes place in accordance with applicable data protection regulations and as far as possible in accordance with this Privacy Policy.
​
2.2 The Privacy Policy applies to persons visiting the Website (“Website visitors”) or who are users of the Service, which includes Website visitors, patients, patient guardians and representatives of healthcare providers (“Users”).
​
3. Personal data that is processed
​​​
3.1 Personal data that may be processed by Evira
​
3.1.1 Personal data refers to any information that directly or indirectly can be attributed to a living individual. In the context of Evira being able to provide the Website and the Service, Evira may process personal data that relates to e.g. first and last name, phone number, address, postal code, email address, etc. (“Personal Data”).
​
3.1.2 Evira processes Personal Data in order to for example:
​​
(i) process your registration or termination of your account for usage of the Service;
​
(ii) provide authorization to log in and use your user account;
​
(iii) manage your choice of settings for using the Service; and
(iv) assist you with support issues and inquiries about your use of the Service.
3.1.3 The Personal Data that is processed pertains to:
​
(i) those uploaded through synchronisation of the equipment we lend out or other equipment that Users
choose to synchronise with the Service;
​
(ii) those collected when using the Service, such as crash reports;
​
(iii) other information that Users enter when in contact with us; and
​
(iv) data collected in connection with a Website visitor visiting the Website.
​
3.2 Evira’s processing of personal data on behalf of the Healthcare Provider
​3.2.1 Sensitive personal data are data that reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, union membership, and personal data concerning health or sexual life (“Sensitive Personal Data”). Health data may for example be health conditions, doctor’s appointments and treatments.
​
3.2.2 Evira only processes Sensitive Personal Data as a data processor in relation to the Healthcare Provider, who is the data controller for such Sensitive Personal Data. Therefore, it is the Healthcare Provider that processes, for example, patient data and health information for the purpose of providing healthcare through the Service and other necessary treatment or advice within the framework of the Healthcare Provider’s exercise of care.​
3.2.3 The Healthcare Provider is obligated to process Personal Data and Sensitive Personal Data in accordance with relevant data protection and patient data legislation. The Healthcare Provider instructs Evira to process Personal Data and Sensitive Personal Data for the purpose of providing the Service.
​
3.2.4 The Healthcare Provider also instructs Evira to continue to develop the Service, whereby Evira may process Personal Data and Sensitive Personal Data on behalf of the Healthcare Provider for the purpose of improving the Healthcare Provider’s provision of care and to develop the Service. This processing is carried out in accordance with the Healthcare Provider’s instructions given to Evira.
3.2.5 Collected information about the User’s physical health condition may be analysed together with any additional information recorded through forms or from clinic personnel to create a more comprehensive view of the User’s health condition. This could, for example, involve risk assessments for development of various related diseases or an assessment of which interventions are most likely to lead to long-term sustainable results. This processing may be performed by Evira on behalf of the Healthcare Provider and thus in accordance with the Healthcare Provider’s instructions given to Evira.
3.2.6 Anonymized data that do not constitute personal data may be shared by the Healthcare Provider with Evira for the purpose of conducting scientific evaluations and developing the Service.
​
4. Legal basis, purpose of the processing and storage
​
​4.1 When a Website visitor visits the Website we may process information about how they access the Website, which also includes information about operating systems, IP address, network identifiers, and website data. Personal data is processed so that we can improve the user experience and analyse the user of the Website. The processing of personal data is based on Evira’s legitimate interest in analysing the use of the Website and developing it.
​
4.2 As for our processing of Personal Data in connection with Users joining the Service, such collection of Personal Data takes place in order for us to fulfil our commitments to you as a User, i.e., to provide the Service. We thus rely on the legal basis of fulfilling a contractual obligation to process Personal Data. If the data is not provided, we cannot fulfil our commitments, and we cannot provide the Service. The User’s Personal Data will not be stored longer than necessary with regard to the purposes of the processing which by default is during the time the Services is provided to the User.
4.3 We may also process Personal Data for the administration of the Service. This includes the management and delivery of the Service, identification, handling of payments, and handling of claims and warranty matters. This collection of Personal Data is required in order for us to fulfil our commitments to the User, i.e., to provide the Service. If the data is not provided, we cannot fulfil our commitments and we cannot provide the Service. We store the Personal Data for this purpose during the time we provide the Service to the User and for a period of 36 months thereafter in order to be able to handle any claims and warranty issues.
​​
4.4 We also process Personal Data in order to fulfil our legal obligations when providing the Service. This includes processing that is necessary to be able to fulfil our legal obligations according to legal requirements, judgments or authority decisions (for example accounting laws). We may store the Personal Data for this purpose for a period of up to 7 years.
4.5 We also process Personal Data in order to handle service matters. The processing includes communicating and answering any questions to customer service (via telephone, in person or through digital channels), identification of Users, and investigation of any complaints. We have the right to handle the Personal Data when the processing is necessary to satisfy our and the User’s legitimate interest in handling customer service matters. We delete the Personal Data after the service case has been completed and the User has stopped using the Service.
4.6 Furthermore, we may process Personal Data to provider Users with information (e.g. to inform Users about our activities and news in the Service). It covers sending information through email for example. We do so on the legal grounds of consent and legitimate interest. The processing of Personal Data is necessary to satisfy our interest in providing information about our products and services. We store the Personal Data for one year from the last contact. If we have the User’s consent, we can store the Personal Data for a longer period of time. The user has the right to withdraw a given consent for the processing of Personal Data at any time by contacting Evira using the contact details provided in section 9 below.
​​
​4.7 Evira may confidentiality review Personal Data in order to ensure quality and to develop the care experience as well as to develop Evira’s treatment concept.
​
​4.8 Evira may also have Personal Data anonymized in order to develop and improve the Service and the Website, provided that it is compatible with applicable data protection rules and other provisions in the Privacy Policy.
​
5. Recipients of Personal Data and transfer outside of the EU/EEA
​
​5.1 Evira may hire other independent suppliers for services for processing Personal Data or for services where personal data may be available to the independent suppliers. This may involve, for example, consultants for security review of the system or to carry out research and development. These providers may process Personal Data because they may need limited access to collected Personal Data. Evira will always endeavour to limit such access to Personal Data and only share information that is necessary for the suppliers to perform their work or provide their services. Evira will also require these suppliers to:​
​
(i) protect the User’s Personal Data in accordance with this Privacy Policy; and
​
(ii) not to use the User’s Personal Data for any purpose other than providing the Service and the Website.
5.2 Evira uses IT providers within the EU/EEA for the operation of the Service and storage of Personal Data. When transferring Personal Data to a third country (i.e. a country outside the EU/EEA), Evira takes appropriate measures to ensure that the transfer takes place in accordance with applicable data protection legislation. This includes approved transfer mechanisms according to Chapter V GDPR such as standard data protection clauses, decisions on adequate levels of protection, and additional protective measures.​
​
6. Rights as a registered user
​
​6.1 As a User you have the right to:
​
(i) request information about which personal data we process about you and request a copy of these (extract
from the register);
​
(ii) have incorrect personal data corrected and in some cases ask us to delete Personal Data;
​
​ (iii) object to certain personal data being processed and request that the processing of personal data is limited;
​
(iv) have the personal data you have provided to us transferred to another data controller (right to data
portability); and
​
(v) if you are dissatisfied with how we process your personal data, you can file a complaint with the relevant
supervisory authority for data inspection.
​
6.2 Users can retrieve, delete or limit the processing of personal data by sending a support message in the Service. Please note that if a User requests that we limit the processing of or delete the User’s Personal Data, it may mean that we will not be able to provide the Service.
​
7. Security
​
​7.1 Evira has taken appropriate technical and organisational measures to protect Personal Data against loss, misuse, unauthorised access, disclosure, alteration, and destruction. To ensure that Personal Data is processed in a secure and confidential manner, we use industry-standard technologies, including TLS and token-based authorisation, to limit access to data and protect against intrusion. All access to administrative and clinic accounts with access to user data requires authentication with two factors (BankID or equivalent solutions). For more information regarding Evira’s security measures when processing Personal Data, please refer to Evira’s information security standards policy.
​
7.2 Since access to Personal Data is given after logging in, it is important that Users choose a secure password so that no one else can access the information. Since the email address is used for communication, it is important that the User protects it with a secure password and promptly informs us if the User loses control over it.
​
8. National Data Opt-Out Compliance
​
​8.1 The National Data Opt-Out allows patients that get treatment within the NHS to choose to prevent their confidential patient information from being used for purposes other than their individual care. This opt-out respects our patients’ wishes and ensures that their privacy is upheld to the highest standard.
​
8.2 Evira fully respects and complies with the National Data Opt-Out policy. We have systems in place to ensure that patient data is not used or disclosed in a way that would contradict the opt-out. If any use or disclosure of data needs to adhere to the opt-out, we remove records for patients who have chosen this preference.
​
8.3 Our processes related to the National Data Opt-Out are regularly reviewed to ensure continued compliance and respect for our patients’ preferences. Our Data Security and Protection Toolkit assessment confirms our adherence to the policy.
​
9. Changes to the Privacy Policy
​
​9.1 Evira reserves the right to revise the Privacy Policy. The date of the latest change is stated at the beginning of the Privacy Policy. If Evira introduces changes to the Privacy Policy, we will publish these changes on: https://www.evira.se/en/privacy-policy The User is recommended to regularly read the Privacy Policy to be aware of any changes.
​
9.2 If we change the Privacy Policy in a way that significantly differs from what was stated when the User’s consent was collected, we will notify about these changes and, if necessary, obtain new consent to our personal data processing, for example, by displaying a clear message in the Service or by sending an email. Therefore, we ask Users to make sure to read all such messages carefully.
​
10. Contact details​
For questions regarding Evira’s Privacy Policy or regarding Evira’s processing of Personal Data, contact:
EU: Evira AB, org. nr. 559252–8995
UK: Evira Ltd, company nr. 15159570
Data Protection Officer: Timmy Nielsen: dataprotection@evira.se
Visiting address:
Triewaldsgränd 2
111 29 Stockholm
Sweden
Postal address:
Evira AB
Triewaldsgränd 2
111 29 Stockholm
Sweden
Email: info@evira.se