Personal Data Policy for Tandem Health

1. Introduction and Contact Information

1.1 Purpose of the Personal Data Policy

At Tandem Health AB ("Tandem" / "We"), we value your privacy. The purpose of this personal data policy is to inform you as a user, customer, or visitor how Tandem Health collects, uses, protects, and manages your personal data.  

This personal data policy pertains to the processing that Tandem performs as the data controller. The policy does not cover the processing of sensitive health data where Tandem processes the data as a data processor, which is regulated separately through our data processing agreement. The data processing agreement specifies how we handle and protect sensitive health-related information in accordance with applicable legislation and guidelines.

1.2 Data Controller and Data Protection Officer

Tandem Health AB is registered with the Swedish Companies Registration Office with org. no. 559444-6857 and has its head office at Kungsklippan 12, 112 25 Stockholm, Sweden. Tandem is the data controller in accordance with the EU General Data Protection Regulation (GDPR) for the personal data processing described in this information.

At Tandem, we have appointed a Data Protection Officer (DPO) who you can contact if you have any questions about how we process your personal data. You can contact our DPO at dpo@tandemhealth.ai.


2. Processing of Personal Data

2.1 What Personal Data We Collect About You

Tandem collects the following categories of personal data:

  • Contact and identification information: Name, date of birth, position, billing and delivery address, email address, phone number, etc.
  • Authentication information: personal identification number, HSA ID.
  • Financial information: Payment and billing details.

2.2 Why and on What Legal Basis We Process Your Data

Tandem processes personal data in the following situations:

Customer Support for Users

  • Purpose of Processing: To offer support and service to our users.
  • Categories of Personal Data Processed for This Purpose: Contact and identification information.
  • Legal Basis for Processing: Performance of a contract (Article 6(1)(b) GDPR).

User Authentication

  • Purpose of Processing: To authenticate users to ensure safe and efficient use of our services.
  • Categories of Personal Data Processed for This Purpose: Contact and identification information regarding both you and your company, personal identification number, HSA ID.
  • Legal Basis for Processing: Performance of a contract (Article 6(1)(b) GDPR).

When You Purchase Our Services

  • Purpose of Processing: Purchase of our services.
  • Categories of Personal Data Processed for This Purpose: Contact and identification information, payment and billing details.
  • Legal Basis for Processing: Entry into and performance of a contract (Article 6(1)(b) GDPR).

Contact Via Web Forms

  • Purpose of Processing: To respond to inquiries and offer our services when you contact us via our web forms.
  • Categories of Personal Data Processed for This Purpose: Contact and identification information.
  • Legal Basis for Processing: Legitimate interest (Article 6(1)(f) GDPR) to respond to inquiries and provide you with our service offer.

Aggregated Usage Analysis

  • Purpose of Processing: To analyze user data on an aggregated level to improve and develop our services.
  • Categories of Personal Data Processed for This Purpose: Personal data that may be included are name and email address.
  • Legal Basis for Processing: Legitimate interest (Article 6(1)(f) GDPR) to develop and improve our services.


3. Storage of Data

Tandem stores your personal data for the time necessary to fulfil each processing purpose or to meet legal requirements. This means we retain your information as long as your account is active or as long as needed to provide you with services. We will also store your personal data to the extent required to fulfil our legal obligations, assert or defend legal claims, and execute our agreements. For example, applicable accounting legislation requires us to retain accounting information for at least seven (7) years. Personal data used to fulfil the contractual relationship between us and our customers are typically stored as long as the contract is valid and thereafter for a certain time if necessary to establish, assert, or defend legal claims.


4. Recipients of Personal Data

Tandem only shares personal data when it is necessary to fulfil the purposes described above. Your personal data may, for example, be shared with our service providers. Our service providers process the data on our behalf as data processors. Through a data processing agreement with the recipient, we ensure that personal data is processed in accordance with this information and applicable legislation.

Tandem may also share personal data in situations where both Tandem and the recipient process the personal data as independent data controllers, for example, when we are required to provide necessary information to authorities such as the Police, the Financial Supervisory Authority, and the Tax Agency.

If you have questions about the recipients of your personal data, you are welcome to contact our DPO at dpo@tandemhealth.ai.


5. Transfers of Personal Data to Countries Outside the EU/EEA

We process your personal data within the EU/EEA. In certain situations, personal data is shared with recipients in countries outside the EU/EEA. In such cases, we ensure that an adequate level of protection for personal data is maintained during the transfer, or that appropriate safeguards have been taken in accordance with applicable legislation. Appropriate safeguards include, among other things, the use of the EU Commission's standard contractual clauses when entering into agreements between Tandem and recipients outside the EU/EEA. We also assess if there is legislation in recipient countries that affects the protection of your personal data and, when required, take specific measures to ensure that the protection of your data remains during the transfer to the relevant country outside the EU/EEA.


6. Your Rights

Individuals whose personal data is processed have several rights under the GDPR. As a data controller, we are responsible for having procedures in place to handle requests to exercise these rights. Your rights concerning your personal data are as follows:

  • Right to Information - You, as the data subject, have the right to receive information about how we process your personal data. We inform you through this policy and by answering your questions. You can find more about the right to information on the website of the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten).
  • Right to Access - You, as the data subject, have the right to receive confirmation from us if we process your personal data, access the personal data, and certain information about the processing itself (e.g., the purpose of the processing). You can find more information about the right to access on the website of the Swedish Authority for Privacy Protection.
  • Right to Rectification - You, as the data subject, have the right to have incorrect personal data about you corrected by us without undue delay, as well as the right to supplement incomplete data. You can find more information about the right to rectification on the website of the Swedish Authority for Privacy Protection.
  • Right to Erasure (Right to be forgotten) - You, as the data subject, have the right to have your personal data erased under certain circumstances. The right to erasure does not apply if the processing is necessary for exercising the right to freedom of expression and information, for compliance with a legal obligation that requires processing under Union or Member State law that we are subject to, or for the establishment, exercise, or defense of legal claims.

The right to erasure may, depending on the basis for your request, also be limited if the data is still necessary for the purpose or if there are compelling legitimate grounds for the processing that override your right to erasure under Article 21.1 GDPR. However, the right to erasure always exists in the case of processing for direct marketing purposes upon objection under Article 21.2 GDPR. For more information about the right to erasure, visit the website of the Swedish Authority for Privacy Protection.

  • Right to Restriction of Processing - You, as the data subject, have the right to require the restriction of processing of your personal data. The right to restriction of processing applies if you contest the accuracy of the data, if the processing is unlawful, or if the data is no longer needed for the purposes but you need it to establish, exercise, or defend legal claims. The right also applies, if you have objected to processing in accordance with Article 21.1 GDPR, while it is being verified whether our legitimate grounds override yours. You can find more information about the right to erasure on the website of the Swedish Authority for Privacy Protection.
  • Right to Object - You, as the data subject, have the right to object to processing based on public interest, the exercise of official authority, or legitimate interest. In such a situation, the processing ceases unless there are compelling legitimate grounds that override your interests or if the purpose of the processing is to establish, exercise, or defend legal claims. Processing for direct marketing ceases if you object to such processing. You can find more information about the right to object on the website of the Swedish Authority for Privacy Protection.
  • Right to Data Portability - You, as the data subject, have the right, in certain cases, to receive the data you have provided us and have the data transferred to another data controller. The right exists when we process personal data automatically and based on your consent or on a contract. You can find more information about the right to data portability on the website of the Swedish Authority for Privacy Protection.
  • Rights in Relation to Automated Decision-Making - You, as the data subject, have the right not to be subject to automated decision-making that has legal effects or similarly significantly affects you. The right does not exist if it is necessary for the performance of a contract, is permitted by Union or Member State law that applies to us, or is based on your consent. You can find more information about your rights regarding automated decision-making on the website of the Swedish Authority for Privacy Protection.
  • Right to Lodge a Complaint - You, as the data subject, have the right, according to Article 77 GDPR, to lodge a complaint with a supervisory authority if you believe that the processing is in violation of the regulation. The relevant supervisory authority for our processing of your personal data is the Swedish Authority for Privacy Protection. You can find more information and complaint forms on the website of the Swedish Authority for Privacy Protection.

Contact us at info@tandemhealth.se if you wish to exercise your rights or if you believe that the processing of your personal data violates the GDPR.


7. Automated Decision-Making

Your personal data will not be subject to automated decision-making that has legal effects or similarly significantly affects your situation.


8. Security Measures

To protect your personal data against unauthorized access, alteration, dissemination, or destruction, we take appropriate technical and organizational security measures. These include but are not limited to:

  • Use of encryption technologies to protect data during transmission.
  • Implementation of access controls and identity and access management systems to ensure that only authorized personnel have access to personal data.
  • Regular security reviews and penetration tests to detect and address potential vulnerabilities.
  • Training our staff in data protection principles and security.
  • Establishing procedures for incident management and recovery to handle potential data breaches.

By continuously monitoring and updating our security protocols, we ensure that your personal data is protected.


9. Updates to the Personal Data Policy

Tandem Health continually works to improve our services. Therefore, we may update this information. When we make changes to the policy, we will publish the updated version on our website and indicate the date of the latest update. For updates of significant importance to the processing of your personal data, we provide information about this through email or a notice on our website in accordance with applicable legislation. Please visit this page regularly to stay informed about how we process your personal data.

The information was last updated on July 10, 2024.


10. Contact Us

If you do not find answers to your questions in the information in the previous sections, you are warmly welcome to contact our Data Protection Officer at dpo@tandemhealth.ai.