Who is processing the Data?
We as Salu (Salu Health OÜ) build, operate and provide the Platform to individuals to enable access to a Medical team, carrying out the Medical Consultation and storing their health-related data on the Platform. All healthcare services are delivered to you by our Medical team, or our Partner Clinic(s) and its Medical team. In general, all Services provided on the Platform (online medical consultation) are provided by our Medical team, and all Services provided outside of the Platform (healthcare services requiring a physical examination, analyses, procedures, etc.) are provided by the Partner clinic.
Salu Health OÜ is the data controller and responsible for processing your personal data when using the Platform, except in case the data is processed in relation to provision of healthcare related services by our Partner clinic. When the Services, including healthcare services, are provided by our Medical team, then we are the data controller. When the Medical team of the Partner Clinic provides healthcare services to you (including preparing for, carrying out and subsequent activities related to the Medical Consultation), the data controllers are both the Partner Clinic and us: (i) the Partner Clinic is the data controller in order to and to the extent required to provide healthcare services to you; (ii) we act as the data controller in order to and to the extent required to build, operate and maintain the Platform and provide the Service, including storing your data on the Platform, however, not for the purpose of providing the healthcare services to you.
When you start a Medical Consultation, you authorise and agree to share your personal data with us, the Partner Clinic and both of our Medical teams directly involved in carrying out the respective Medical Consultation.
What kind of Data do we collect and handle?
We process the following data about you and the profiles you create under your Account:
- Personal details: Your personal details, including first and last name; age or date of birth, email address, phone number, identity code, identification document and other personal details you may have forwarded to us;
- Consultation data (special category of personal data): All data related to Medical Consultations, including data provided by you or the Medical team before, during or after the Medical Consultation; video or voice recordings of the Medical Consultation;
- Health data (special category of personal data): Data you insert on our Platform about your health (such as age, gender, height, weight, blood type, allergies, chronic diseases, medications, vaccines, etc.), data that you share before and during the Medical Consultation (including description of symptoms, health related problem, media and visuals you upload), advice and recommendations given by the Medical team on the Platform (e.g., medical assessment or guidance given by the Medical team);
- Preference and Usage data: Your preferences and usage on the Platform (e.g., language preferences, which features you do and do not use);
- Card data: Details of your card, including the first or last 4 digits of your card number, name on your card and its expiry date;
- Customer Support data: Communication between you and us (e.g., emails, phone calls, messages);
- Other data: Other data not listed above, which is generated as a result of or related to using our Platform (e.g., your feedback, comments and complaints regarding the Platform or the Service).
Why do we process the Data?
We process your data for you to be able to use the Services with high quality, safely and conveniently. This includes enabling you to receive adequate medical advice during a Medical Consultation and be able to store and access your health-related data you have stored on the Platform.
We collect and handle your personal data for the following purposes:
- Contractual purposes: To enter into and perform a contract between you and us, including enabling you to use the Platform and the Services. This includes gathering your personal data to identify and verify you, create and manage your account, collect health related data (special category of personal data) to be able to provide adequate medical advice and healthcare related services on and off the Platform, to store and process your health data on our Platform and in the third-party databases such as Estonian health records database / Digilugu or other governmental database;
- Quality purposes: To monitor, document and improve our Platform and Services provided thereon, including seeing that the medical advice given on the Platform is relevant, adequate and precise, bugs and errors occurring on our Platform are fixed, etc.;
- Analytical purposes: To gain better understanding of your preferences, how the Service is provided by our partners (including availability and response times of the Medical team), use of the Platform and the Service and how to improve the usability of our Service;
- Security purposes: To monitor and reduce fraud and security related issues on the Platform;
- Upon your consent: We may collect and process some of your data based on consent you give to us.
We process your data under the following lawful grounds (General Data Protection Regulation or GDPR, 2016/679/EC):
- Contractual purposes: GDPR art 6 (1) (b), as relevant processing is necessary for the entry into and performance of a contract between you and us;
- Quality purposes: GDPR art 6 (1) (f), as we have sufficient legitimate interest to conduct relevant processing – to gain a better understanding of the advice and recommendations and its quality given to our users, also how our partners are performing;
- Analytical purposes: GDPR art 6 (1) (f), as we have sufficient legitimate interest to conduct relevant processing – to gain a better understanding of the preferences of our users, how users interact with our Platform and how we can improve our Platform and Services;
- Security purposes: GDPR art 6 (1) (f), as we have sufficient legitimate interest to conduct relevant processing – to monitor and prevent fraud and security related issues on our Platform;
- Upon your consent: GDPR art 6 (1) (a), as relevant processing is based on your consent.
What kind of personal data is used for which purpose?
We process the following data for the following purposes:
- Personal Details: Contractual and security purposes, upon your consent
- Consultation data: Contractual and quality purposes, upon your consent
- Health data: Contractual and quality purposes, upon your consent
- Preference and Usage data: Contractual and analytical purposes, upon your consent
- Card data: Contractual and security purposes
- Customer support data: Contractual, analytical, security and quality purposes
- Other data: Contractual purposes, upon your consent
How do we collect and process the data?
We generally collect your personal data, including special categories of personal data, directly from you or through the governmental health records database (in Estonia, Digilugu). You are not obliged to provide any information on our Platform, however, this may help to use some or all Services available on the Platform.
This is collected and processed as you use the Service and insert the data on the Platform. As the Medical team examines your personal data and provides medical consultation to you (for example, Medical team gives an assessment on your health related question or suggests what kind of health issue you might have), we also receive and process your personal data, including health related data, received from the Medical team or a Partner Clinic or other governmental databases storing your data.
Your data is handled and stored within the European Union. We do not process your personal data for automated decision making and profiling.
With whom do we share the data?
We may share your personal data with the following third parties:
- Partner Clinics and their Medical team
- Official governmental health database such as Digilugu
- Payment processors who process your transactions
- Communication service providers who facilitate emails, calls, SMS messages and other communication between you and us
- Technical platforms and tools used by us
- Public authorities to whom we are obliged to disclose your personal data under the law
- Other parties involved with the provision of the Platform and Services
Your data will not be shared with anyone, unless this is directly required to provide the Services in which case the data is only shared on a need-to-know basis. This means, only those persons can access your data that are crucial for providing the Services. For example, a respective Medical team member or a Partner Clinic can access your personal data only if this is required in relation to providing medical advice or healthcare related services to you (e.g., prepare for and carry out the Medical Consultation).
How long is the data stored?
We store your personal data for the following periods, unless the law prescribes a different period in which case the mandatory period stated by the law shall apply:
- Personal details: Deleted shortly after the termination of your Account;
- Consultation data: 30 years as of its creation;
- Health data: 30 years as of its creation;
- Preference and usage data: Deleted shortly after the termination of your Account;
- Card data: Deleted shortly after the termination of your Account;
- Customer support data: 5 years as of its creation;
- Other data: Deleted shortly after the termination of your Account;
- Accounting related data: 7 years as of its creation.
After the period stated above ends, we will delete your personal data.
Your rights related to Your data handling
You do not have any statutory obligation to provide us your personal data. However, in order for us to be able to provide you the Services and access to the Platform, we need to collect and process your personal data. However, please note that you might not be able to access or use the Platform or a part thereof in case you do not provide some or all of the data requested on the Platform or by a Medical team member.
In connection with processing of your personal data, you have the following rights:
- Right to Information: You have the right to receive the information provided in this Policy Notice. The valid version of this Policy Notice is available on Salu website.
- Right to Access: You have the right to ask us to provide you with a copy of your personal data processed by us.
- Right to Rectification: You have the right to ask us to rectify your personal data in case the data is incorrect or incomplete.
- Right to Erasure: You have the right to ask us to erase your personal data, unless we are obliged to continue processing your personal data under law or under a contract between us, or in case we have other lawful grounds for the continued processing of your personal data. We will, in any case, delete your personal data as soon as we no longer have lawful grounds for processing your personal data.
- Right to Restriction: You have the right to ask us to restrict the processing of your personal data in case the data is incorrect or incomplete or in case your personal data is processed unlawfully.
- Right to Data Portability: You have the right to ask us to provide you or, in case it is technically feasible, a third party, your personal data, which you yourself have provided to us and which is processed in accordance with your consent or a contract between you and us.
- Right to Object: You have the right to object to processing your personal data in case you believe we have no lawful grounds for processing your personal data. For any processing conducted in accordance with your consent, you can always withdraw your consent by sending an email to firstname.lastname@example.org, using the email address you used when registering your Account.
Kindly note that under GDPR art 12 (3), we must respond to your application within 1 month. In case it is necessary due to the number and complexity of applications filed with us, we may, under GDPR art 12 (3), also respond to your application within 3 months.
Our Cookies policy
At any point in time you can disable cookies by making the relevant changes in your browser settings. You can find relevant information on how cookies work and how to disable them by reading the information / help materials of your browser or visiting the website www.aki.ee/et/kupsised or www.allaboutcookies.org. However, keep in mind that some functionalities of our webpage, Platform and Services might not function properly if the cookies are disabled.
Should you have any questions or comments regarding the processing of your personal data by us, you are always welcome to contact us or our data protection officer. Our data controller contacts: Salu Health OÜ, Estonian registry code 16298668, email: email@example.com.
In case you have complaints related to collecting and handling your data, you may contact Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) or other relevant Data Protection Authority of the state in which you have permanent residence.