BETTERLIFE OY
PRIVACY POLICY – HEALTHZILLA WELLBEING MONITORING AND HEALTHY HABITS AS A SERVICE
Description of personal data processing in the Healthzilla Wellbeing Monitoring and Healthy Habits as a Service (“Service”) produced by Betterlife Oy. This document contains information about the personal data processing as required by the EU General Data Protection Regulation (GDPR).
DATA CONTROLLER
Betterlife Oy (business ID 3021664-6), address ℅ Terkko Health Hub, Haartmaninkatu 4, Building 14, 00290 Helsinki, Finland (“Healthzilla” or “Controller”).
TERMS
“Customer” is a person or organization who is in a contractual relationship with Healthzilla for Healthzilla to produce the Service, using personal and measured information from the Subject(s), who are defined by the Customer. In a typical scenario the Customer is an employer, whose employees are Subjects. In another typical scenario the Customer is a wellness specialist, a coach, or a personal trainer, whose end-customers are Subjects.
“Subject” is the person, whose information is used by Healthzilla to produce the Service, using pulse measurement data and other personal information about the Subject.
Healthzilla Wellbeing Monitoring and Healthy Habits as a Service (“Service”) is a service launched in 2020, requiring Subjects to install a local mobile application, which stores some personal information locally on their mobile device and Healthzilla servers.
NOTES ABOUT THE CONTROLLER POSITION
For clarity: when the Service is produced by a partner of Healthzilla (person, company or organization, here “Service Provider”), for its own customers or employees, the Service Provider is the data controller in the sense of the personal data legislation and this description does not apply in such cases. In these cases, the Service Provider has acquired user permission for the Service and independently produces services from information of subjects defined by the Service Provider or its customers. The Service Provider is e.g. responsible for creating required personal data related documentation, informing the data subjects, ensuring the personal data handling is legal and fulfilling the other responsibilities of the data controller.
CONTACT PERSON FOR THE DATA CONTROLLER
The data Controller (Healthzilla) can be contacted by e-mail at tommi@healthzilla.ai or by telephone at +358 (0)40 767 8188. The contact person for information security matters is Tommi Ryyppö.
THE PURPOSE AND LEGAL BASIS OF PROCESSING THE PERSONAL DATA
The purposes of processing the personal data are the basic operation of the Service, including user support operations, collecting statistics regarding Service usage, and conducting scientific and market research.
The basic operation and purpose of the Service is to provide personalized and continuous stress and habit analysis to support the stress management and well-being of the Subject. The Subject’s personal qualities, habits data, data from wearable devices and health and fitness applications, as well as measured heartbeat analysis data are used to provide the Service. The Service may additionally include personal recommendations and feedback to the Subject through the Healthzilla mobile application and dashboard. Additionally, the purpose of the Service is to provide aggregated and anonymized stress, well-being, and habits data about a group of Subjects (typically employees or end-customers) as a whole through the Healthzilla dashboard. The details of the Service are described in the contract between the Customer and Healthzilla. Personal data from or about individual Subject(s) will not be shared with or displayed to the Customer unless separately agreed with each individual Subject (typically end-customers of wellness specialists, coaches, or personal trainers).
The Service may also include an anonymized feedback report to the Customer by email, or through the Customer’s web interface, regarding the general well-being of a group of Subjects (typically employees or end-customers) as a whole. The details of the Service are described in the contract between the Customer and Healthzilla. Personal data from or about individual Subject(s) will not be given to the Customer unless separately agreed with each individual Subject (typically end-customers of wellness specialists, coaches, or personal trainers). Additionally, the Customer receives the following information, limited to each Subject’s subscription status: initial e-mail address given by the Customer as identifier (but not the current address, if the Subject has changed it); initial activation date when the subscription period started; how long ago the Subject last actively used the Service; and possible other corresponding general information about the subscription status for the purposes of preventing any misuse. (Note: if the Subject is a person who buys the Service for him/herself, the Subject is also a Customer and will naturally receive his/her own personal data.)
Personal data is also used for Service support operations, which typically include, for example, delivering user account information or a private web link to the Subject.
Personal data may be used to inform the Subject of Healthzilla services, such as sending a newsletter or other ways of maintaining the customer relationship. The personal data of the Subject may be used to market other Healthzilla services following the applicable personal data legislation.
If the applicable legislation requires the Subject’s consent for processing some of the personal data described in this document (for instance, concerning health-related data, i.e. so-called special categories of data), the consent will be acquired using an appropriate method. This may be done for example by checking a separate consent checkbox, making the choice in the technical settings of the Service or website or application, or by another specific action or statement to signify consent. Declining consent may impact the ability to offer the specific Service.
Log data of the Service use is additionally saved in order to protect the legitimate interests of the Customer, Healthzilla and the Subjects, for example in order to investigate possible security breaches or in order to be able to prove that invoiced services have been delivered.
Personal data may be processed individually or together with Healthzilla’s and its subsidiary companies’ other personal data files. Healthzilla will keep an anonymized copy of data saved in the service for statistical and scientific research, such as for determining average reference values. Such statistical or scientific use of data is done using automated processes in such a way that data from an individual Subject cannot be identified during any stage of the process.
The legal justification for handling personal data is fulfilling the contract between the parties or the legitimate interest of the Controller, which is based on the relationship between the parties. The legal justification may also be the Subject’s consent, if the applicable legislation requires this.
THE PERSONAL DATA RETENTION PERIOD
Unless otherwise agreed, the personal data related to the measurement will be kept for 24 months after the last measurement of the Subject or the last time the Subject has logged in to the Healthzilla Service or otherwise used the Healthzilla Service, as reference for possible follow-up services which belong to the service concept, and subsequently erased. If the Subject has given separate consent for longer-term retention, the personal data may be kept longer accordingly.
DESCRIPTION OF THE GROUP OF DATA SUBJECTS
The personal data from participating Subjects is processed in the Service. In a typical case, the Customer of Healthzilla is the organization represented by the Subjects, often an employer, a wellness provider, or a recreational sports organization, and the Customer determines the group of Subjects.
REGULAR DATA SOURCES
The Customer provides Healthzilla the email address of each Subject. Each Subject is then emailed a personal web link to activate the Service.
The other personal data is provided by the Subjects themselves via the web interface or mobile application. Each individual Subject decides and enables personally what kind of personal data from wearable devices and health and fitness applications will be utilized for the Healthzilla Service. Healthzilla may additionally gather information from the Subjects through questionnaires or surveys when providing the Service.
Information will also be created analytically through Healthzilla’s own activities.
THE TYPE OF PERSONAL DATA
The database contains the following information (partial or complete) about the Subjects:
Full name (first and last)
Date of birth, gender, height, weight, body fat percentage
Workout/activity type and duration, maximum and resting heart rate, maximal oxygen consumption
Active energy, resting energy, exercise minutes
Steps, walking and running distance, flights climbed
Standing hours and standing minutes
Mindfulness and breathing minutes, fasting hours
Sleep hours, respiratory rate
Calorie intake
Noise exposure
Heart rate measurements (including resting heart rate, heart rate variability and other heart rate averages)
Diary entries created by the Subject during the measurement period, e.g. alcohol consumption, current and recent illnesses and medications, self-documented events noteworthy of interest to the Subject.
Contact information, e.g. address, email address and telephone number
Information about the employer, e.g. name, contact information and personnel group
Information about the use of the service
Information about the consents of processing data in the service
The results report with defined target actions created for the Subject based on the data analysis
Password
PRINCIPLES OF DATA PROTECTION
Healthzilla follows the best practices for managing data, including appropriate technical and organisational measures as required by the personal data legislation. Healthzilla protects the data so that only the authorized personnel defined by Healthzilla, who are bound by confidentiality agreement, have access to the file and only for purposes related to their work. These Healthzilla authorized personnel may be Healthzilla employees or subcontractors.
Healthzilla ensures that all data systems and computer equipment are sufficiently protected with appropriate technical methods, including access control to physical premises, firewalls, passwords, personal user IDs and personnel security training.
The data is kept in information systems produced and controlled by Healthzilla and the data is handled with Healthzilla designed user interfaces. The personal link to the data entry form, which the Subject uses to enter personal data, only works for a limited time and will expire soon.
If Healthzilla uses third parties (subcontractors) for technical maintenance of the data, Healthzilla fulfils the responsibilities required by the data protection legislation related to subcontractors. In all cases, the data is kept in information systems governed by Healthzilla or in the mobile device of the Healthzilla application user, and neither Healthzilla nor subcontractors will save information in any other systems.
TRANSFER OF PERSONAL DATA
Personal data may not be transferred without the data Subject’s consent outside Healthzilla or its subsidiary companies in a manner that the data could be identified, except in the following exceptional circumstances: if required by any ruling of a governmental or regulatory authority, court, or by mandatory law; or if it is otherwise necessary for the purposes of preventing, or investigating, any breach of law, user terms or good practices or to protect the rights of Healthzilla or a third party.
Personal data of the Subjects will not be given to the Customer except in cases where each individual Subject explicitly consents to sharing of personal data with the Customer (typically end-customers of wellness specialists, coaches, or personal trainers). The Customer only receives periodic average or summary information about their Subject group’s wellbeing as a whole through the report or dashboard. The averages will not be provided if the number of Subjects measured or number of data updates since the previous information is so small that individual data could be directly or indirectly recognized from the information or changes in the information, unless the Subjects in question have given their explicit consent for the transfer. The Customer will also receive information about which Subjects are actively using the Service (including how many months ago the Subject has used the Service), so that the Customer may choose to discontinue unused Service or advise Subjects to use the Service.
With the separate consent of the Subject, access to personal data may be given to a specified third party, such as a party providing health care to the Subject.
Personal data of the Subjects may be processed by authorized third parties, who process the data on behalf of the Controller for the purposes described in this document (for instance, service providers of technical infrastructure or services). Such service providers may use the personal data only according to the instructions from the Controller, i.e. only for the purpose for which the data has been collected. The Controller requires that the service providers operate according to the applicable legislation and this privacy policy, ensuring appropriate security for the personal data.
Personal data is primarily stored on Healthzilla servers located in the US and will not be transferred to countries outside the US, unless otherwise separately agreed. Data may be temporarily transferred outside the US if it is necessary for the technical implementation of the service or personal data processing, such as when sending service related information to the Subject’s email address, which is located on a foreign email server. Additionally, personal data is stored locally on the mobile application of the Subject’s mobile device.
THE RIGHTS OF THE DATA SUBJECT
The data Subject has the rights according to the personal data legislation applicable in Finland, including the EU General Data Protection Regulation (GDPR), to inspect his/her personal information, change or request to change his/her information and under some circumstances, the right to request erasure of personal information. Therefore, the Subject has the right to request the Controller to correct inaccurate or incorrect personal information without unnecessary delay. The Subject has the right to request erasure of his/her information without unnecessary delay, for example when the personal data is no longer required for the original purposes, the personal data has been processed unlawfully, or the Subject withdraws consent to the processing and when there is no other legal ground for the processing.
The Subject has the right to request the Controller to limit the processing in certain situations, including when the Subject denies the information being accurate or the processing is illegal. Under some circumstances the Subject also has the right to object to the processing.
The Subject may, under some circumstances, have the right to request transferring the personal data from one system to another. Whenever the legal justification for processing the personal data is consent, the Subject also has the right to withdraw the consent at any time.
The Controller wishes that any disputes concerning the processing of personal data are primarily resolved in a conciliatory manner between the parties. The Subject has also the right to lodge a complaint to the authorities responsible for personal data protection.
Any requests to inspect, modify or erase the personal data shall be indicated to Healthzilla in person, or by a signed letter or similarly verified document, so that Healthzilla can confirm the requestor has the right to make such a request. The request can be made by e-mail, if using the e-mail address registered when using the service. Healthzilla may need to identify the Subject and ask for additional information in order to fulfil these kinds of requests.
This description of the personal data processing was updated on 21.10.2020. Healthzilla follows the changes in legislation and regulator instructions related to personal data processing and develops the service further, and therefore reserves the right to make changes to this description.