Privacy policy for Website and Mobile Application

Last Updated: June 2024

 

Introduction

Mia Health is a software service consisting of mobile and web applications owned, operated, and developed by Mia Health AS (address: Krambugata 2, 7011 Trondheim, Norway, org. no. 918343814) (hereinafter "we," "us," or "Mia Health"), a Norwegian limited liability company. We take your privacy seriously. We are committed to keeping your personal information private and secure.

This privacy policy describes how Mia Health, as the data controller, handles personal data that we collect or receive through your visit to our website, www.miahealth.no, and your use of the Mia Health mobile application (hereinafter "the Services").

Mia Health is a Norwegian company, and this means that we are obligated to process your personal data in accordance with the Norwegian Personal Data Act of 2018 and the EU General Data Protection Regulation 2016/679 (GDPR), regardless of where you, as a user of the Services, are located in the world. If you are a resident outside the EEA, you may have additional or supplementary rights under national or local privacy legislation. In such cases, we will inform you of these rights as far as possible and facilitate your exercise of these rights.

It is important that you read this privacy policy and understand how we collect, store, and otherwise process your personal data. You are advised to review this privacy policy periodically to stay informed of any updates made due to changes in law, our practices, or other reasons. We will notify you if we make any significant changes to the privacy policy.

We process your personal data to be able to deliver our Services in their entirety and to improve them.

  • We store information you provide and that is collected when the mobile application is in use.
  • We use this information to provide you with estimates about your physical condition and evaluate your performance.
  • We share anonymized and pseudonymized information with our data processors to improve our products, for analysis purposes, and to provide customer support to our users.
  • If you choose to link your account to an organization, we may request that you share personal data for statistical purposes (anonymized) with the organization you are affiliated with. We will inform you in each case which personal data is shared and ask for your consent. You can withdraw this consent at any time.
  • If you choose to link your account to a provider, we may request that you share personal data with the relevant provider. We will inform you in each case which personal data is shared and ask for your consent. You can withdraw this consent at any time.
  • We only allow our third-party service providers to use the information we share with them for what is strictly necessary to perform the service they provide to us.
  • Your activity data and calculated health risks may be included in anonymized statistics. This is used to document the effect of our services.

Apart from the cases mentioned in this privacy policy, we will not share, publish, sell, or otherwise disclose any of your personal data to any third parties without your specific request to do so. Below you will find detailed information about our processing of your personal data.

What Information We Process, and the Purpose and Legal Basis for Processing

Account Information for Registration and Use of the Services
To register as a user in the Mia Health mobile application, you must register a minimum amount of information that can identify you. These are your name, email address, and password. The legal basis is that the processing is necessary to fulfill our agreement to provide the Services to you.

Health Data in Mia Health
Using the data you share, we can calculate various parameters and insights regarding your health and activity level. As a result, we will collect, process, and store information from our users that constitutes medical/health data, defined as special categories of personal data under the GDPR and other privacy laws, as further described in this section.

When you register with Mia Health, you must provide the following information:

  • Date of birth, gender, height, and weight: We process this personal data to provide personalized calculations about the necessary activity level and estimate your health risk.

  • Resting and maximum heart rate: We process this information to provide an estimate of your ongoing fitness development, health risk, and necessary activity level. Either you provide this information manually, or it is retrieved from one of your connected devices.

Furthermore, through Mia Health, we will process medical/health data such as calculations of maximum oxygen uptake and fitness age derived from a combination of collected data from connected devices, physiological data you have provided to us, and manually registered activities. Health information processed by us through this service may include the following:

  • VO2max: Using the data you share with us, we will calculate your maximum oxygen uptake. We use this to determine your fitness age and provide you with tips and advice on health and lifestyle.

  • Fitness age: This parameter is used as a reference to your physical fitness in relation to health risk.

The legal basis for processing your health data is your explicit consent to the processing. You can withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal. Please note that if you do not consent to our processing such personal data in Mia Health, this will mean that we cannot deliver all the functions and services that Mia Health has to offer you.

Other Activities in Mia Health
We process personal data about you through your general use of the Mia Health mobile application. This may include information you share in different features in the mobile application, such as chat and feed/area for events and competitions. The legal basis is that the processing is necessary to fulfill our agreement to provide the Services to you.

Device Data
Some actions performed in the app, such as logging in and upgrading to a paid version, trigger the collection of data about your device. This includes information such as the device type and model and the software version you are using. We use this information to improve our products and to provide better customer support to our users. The legal basis is that the processing is necessary to safeguard Mia Health's legitimate interests for the aforementioned purposes, and that the legitimate interests are not overridden by your rights and freedoms.

Technical Information and Log Data
When you use our portal solutions, we collect information that your computer/mobile/tablet or browser sends to us. This may include your IP address, information about the device, information about the browser, as well as information about which pages you visit, the time and duration of the visit, and other statistics. We do this to improve our products. The legal basis is that the processing is necessary to safeguard Mia Health's legitimate interests for this purpose, and that the legitimate interests are not overridden by your rights and freedoms.

Connected Devices
When you choose to connect a heart rate monitor or another sensor to the Service, we will collect information from these devices for your account with us. This data will be processed for the same purposes as the data you manually provide in our product. Read more about the processing of this information in the section on "Health Data in Mia Health."

Communication
If you contact us, either via email, phone, or our support service on the website, we will process your personal data such as your name, email address, phone number, subscription information, and any other information you choose to share with us. The legal basis is our legitimate interest in responding to your inquiries.

We may contact you with important information, newsletters, marketing, or other information. The purpose is to provide you with information relevant to your subscription, such as error messages, changes, etc. The purpose of sending you marketing and newsletters is to market new updates and tips about our Services. All marketing is sent in accordance with Norwegian marketing law, under which we can only send you marketing via electronic communication channels, such as email and SMS, if you have explicitly consented to this or the sending can be based on our existing customer relationship with you, cf. the Marketing Act § 15 first and third paragraphs.

The legal basis for contacting you with important information, marketing, or other information is therefore your explicit consent or our legitimate interest in sending you this information.

Cookies
Cookies are small amounts of data that may include a unique identifier that can be stored on your device. Some of these cookies are persistent, meaning they will remain stored on your electronic device for a limited period after you have left our website. Session cookies are deleted as soon as you leave the website.

We use cookies to collect information and control access to our services. We use both necessary and functional cookies for these purposes. You can set your device to reject our use of cookies, but please be aware that you may lose access to parts of our services where we use necessary or functional cookies.

The legal basis for our use of cookies that involves the processing of your personal data, such as IP address and time of visit, is your explicit consent. For strictly necessary cookies, the legal basis is our legitimate interest in displaying a functional website and mobile application.

Data Storage and How We Share and Make Personal Data Available

General Disclosure of Personal Data to Third Parties
We do not disclose your personal data to others unless you consent to the sharing or there is a lawful basis for such disclosure. Examples of such bases include the necessity to fulfill an agreement with you, a legal obligation requiring us to disclose your personal data, or our legitimate interests justifying the sharing of information.

Data Processors
We use external subcontractors (data processors) for technical support, data storage and security, and accounting and bookkeeping. Data processors may have access to your personal data. In such cases, we have entered into data processing agreements to ensure information security at all stages of processing.

Our data processors may be located outside the EU/EEA. We will only transfer personal data outside the EU/EEA if there is a legal basis for such transfer under Chapter V of the GDPR. You may contact us to learn which basis is used for the transfer. We will always prefer data storage within the EU/EEA where possible.

We use the following data processors for data storage, data analysis, marketing, payment, webinar, and live chat solutions:

Affiliation with Company or Organization
If you are invited by a company or organization to participate in their campaign with Mia Health, you will be asked to share your personal data. We will inform you about what data is shared and how it is used, and you will need to give your consent before any data is shared. You can stop sharing data at any time through the sharing center in the mobile application. We recommend that you contact the company or organization directly for more information about their processing of your personal data.

Affiliation with Practitioner
If you are invited by a practitioner, trainer, or other person providing personal follow-up to participate in their follow-up service with Mia Health, you will be asked to share your personal data. We will inform you about what data is shared and how it is used, and you will need to give your consent before any personal data is shared. You can stop sharing your personal data at any time through the sharing center in the mobile application. We recommend that you contact the practitioner directly for more information about their processing of your personal data.

Affiliation with Research Project
If you are invited by a research project to participate in their studies administered via Mia Health’s platform, you will be asked to share your personal data. We will inform you about what personal data is shared, and you will need to give your consent before any personal data is shared. Depending on the specific study, you may also need to sign separate agreements directly with the research institution. For sharing your personal data via Mia Health, you can stop the sharing at any time through the sharing center in the mobile application. We recommend that you contact the research institution directly for more information about their processing of your personal data.

Retention and Deletion of Personal Data
We will not store your personal data longer than necessary to fulfill the purpose of the processing and our legal obligations. For example, personal data processed based on your consent will be deleted if you withdraw your consent. Personal data processed to fulfill an agreement with you will be deleted once the agreement is fulfilled and all obligations arising from the contractual relationship are met, such as legal obligations related to accounting, customer relationship follow-up regarding complaints, etc. Data processed due to a legal obligation will be deleted as soon as we are no longer legally required to retain the data.

Security of Processing

All processing of personal data is secured with the required technical and organizational measures. We handle information confidentially and ensure that it is accurate, accessible, and managed according to the sensitivity of the information. We conduct necessary risk assessments for the processing of personal data and restrict access to personal data to personnel or third parties who process the data on our behalf. These parties are subject to confidentiality obligations.

Your Rights

As a user of our Services, you have the right to:

  • Access: You can request a copy of the personal data we process about you.
  • Rectification: You can request that we correct or supplement personal data that is incorrect or misleading.
  • Erasure: You can request that we delete your personal data when the data is no longer necessary for the purposes for which it was collected, or if the processing of your data is based on your consent and you withdraw this consent.
  • Restriction: You can request that we restrict the processing of your personal data.
  • Data Portability: You can request that we provide your personal data in a structured, commonly used, and machine-readable format, and you have the right to transfer this data to another data controller.
  • Objection: You can object to the processing of your personal data on grounds relating to your particular situation. You can also object to the processing of your personal data for direct marketing purposes.

You can exercise your rights by contacting us using the contact information provided in this privacy policy. We will respond to your request without undue delay and within one month. If we cannot comply with your request within one month, we will inform you of the reason and the time frame within which we can respond (up to three months). We may require proof of identity to ensure that your personal data is not disclosed to unauthorized persons.

Information Security and Retention
We have implemented appropriate technical and organizational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. Access to personal data is limited to authorized personnel who need access to perform their duties.

We retain your personal data for as long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements. The retention period for different types of personal data varies depending on the nature of the data and the purpose for which it was collected.

When your personal data is no longer necessary or required to be retained by law, we will securely delete or anonymize it.

Changes to This Privacy Policy
We may update this privacy policy from time to time to reflect changes in our practices, legal requirements, or other reasons. We will notify you of any significant changes to this privacy policy by posting the updated policy on our website and/or through other communication channels. Your continued use of our Services after the effective date of the updated privacy policy constitutes your acceptance of the changes.

Contact Us
If you have any questions about this privacy policy or our processing of your personal data, please contact us at:

Mia Health AS
Krambugata 2, 7011 Trondheim, Norway
Email: privacy@miahealth.no

For further assistance, you can also contact your national data protection authority.