WE TREAT YOUR DATA AS OUR HEALTH
We are Loono, a team of doctors, medical students, and other professionals. However, in legal jargon, we are also the data controllers of the personal data you submit to us when you use our Loono app (we will call the Loono app the "App").
According to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons concerning the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (let's call it "GDPR"), we need to inform you as a precautionary measure about what we will do with your personal data.
Since we want you to introduce yourself and give us some information, let us introduce ourselves first. We are Loono, z. s., based at náměstí Winstona Churchilla 1800/2, Žižkov, 130 00 Prague 3, ID: 02905639, contact email: email@example.com.
You may be asking what it means that we are data controllers. It means that we determine the purposes and means of processing the personal data you transmit. So, we decide what data we collect, what we do with it, who we involve in the processing or how we deal with your rights. Therefore, we hereby want to inform you about the whole processing process so that you know that we also treat your data as our health.
We will explain the following step by step:
what personal data we process;
why we want them and what makes us want them;
to whom we may pass personal data to make the App work;
how long we will keep the personal data;
why you might get the occasional email from us;
what rights you can exercise in relation to the GDPR.
We understand you are not here to read a novel, but you want to discover the essentials. That is why we try to explain everything simply. Unfortunately, legalese can be complicated, so if there is anything you do not understand, email us at the email above, and we will explain it to you.
1. What personal data do we process?
You may have noticed this already, but when you downloaded the App and started it, we asked you a few basic questions and allowed you to create an account. Here is the information we will process about you throughout your life in our App:
Basic information about your gender, date of birth, information about visits to different doctors – unless you create an account, this information will only be stored on your device, and we will no longer be able to access it. Just be careful how you set your privacy preferences on your device, so you are not surprised.
Information for setting up a user account – you can choose to set up a user account. In this case, we will ask you for your nickname (which can be anything you want), email and pre-populate this information according to your Apple ID or Google account. We will also ask you for your date of birth and your gender. The date of birth and gender selection is the basis for how the App works (unfortunately, you cannot schedule medical appointments without knowing your age, and even using the App itself is limited to age 18).
Information we get when you use our App – when you use the App, you can earn points, choose which doctor you've seen or are about to see, upload a profile photo, share your location with us and provide us with other information the App allows you to. It will always depend on how you use the App and whether you have created a user account (as this information is linked to your account).
While using the App, you may see our pop-up asking you to give us your consent to share your story because we know that our App is full of stories. And we would like to share some of them publicly. But we will only do that if you permit us. See the pop-up for more specifics on exactly what you are giving consent for, for how long, what happens next, or how you can withdraw it.
Technical information running in the background – you can see and recognise not all the information we receive. So, while we hope it never happens, the App may stop working, freeze, or some other problem occurs. That is why we use technical information about the device on which the App is installed, and we also collect information about the length of time it takes to view each page and section of the App, loading times, operating system information, and other technical information. Yes, this is also personal information because it can be linked to your user account, and we then know that this technical information is yours. We obtain this information by accessing your device directly or through third-party services, particularly Google Firebase.
Cookies pixels and other data from tools – we need visibility into how the campaigns we run in connection with the App are performing. That is why we implemented the Facebook Pixel tool into the App. This will record the information you are viewing in the App and, where appropriate, combine the data with other information held by the tool operator, Meta Platforms Ireland Ltd. However, as we do not want to run this tool without your knowledge, you must consent via the App to enable it. We also inform you that when you consent, this information may be shared with the provider of this tool.
The App is not designed to assess your health. However, it may be that the information as you enter it may combine to form a range that shows your health status. Alternatively, you can enter information into the App yourself that relates to your health.
When registering for the App, you must consent to us storing this personal data. Unfortunately, there is no way to use our App as a registered user without us processing all your data on our end, including sensitive data. We must store it to ensure the functionality of the App, to recommend tours to you, and to adapt the App to your needs and those of other users (basic statistical reports, but don't worry, we will never create them identifying specific persons) or to handle the messages you send to the expert advice centre. We do not use the information you provide for profiling. We do not assess your health. We do not perform any automated processing. Thus, the legal basis for this processing is the consent you give us when you register and the performance of our mutual relationship.
Suppose you name anyone else in the App and enter their details. In that case, you are expressly responsible for ensuring that the person concerned agrees or has been informed of this.
2. Why do we want your personal data, and what gives us the right to do so?
We have described above what personal data we need. However, we have so far only indicated why we want it.
We primarily want personal data to provide you with our services related to using the App. Although it may not be evident initially, we have a contractual relationship. We have allowed you to use the App, and you use the App, within the limits we have allowed you to do so, to enter information, earn points, edit your profile, and use other functionality. One such functionality, for example, is the display of a leaderboard on which you rank in the number of points you have earned on the App. For this functionality, we will process your data for ranking. We thus process personal data based on the performance of a contractual relationship that exists between us (we are entitled to do so by Article 6(1)(b) GDPR).
However, we also process your data to ensure the smooth functionality of the App and to adapt it to your needs further. We are entitled to do this based on the so-called legitimate interest according to Article 6(1)(f) GDPR, which is that we want to ensure the good functioning of the App (we use technical information for this, but we may also use other data about you). As part of our legitimate interest, we aim to find out how successful the App is, whether the users who use it change, how users feel about prevention, how you interact with notifications, how many errors you have had while using it, etc. Our interest is to develop the App further, adapting it to your preferences and those of other users.
If you get an email from us and you do not know why you got it, see section 4 of this policy, where we explain everything.
3. To whom can we transfer personal data?
Running an app can be chemistry. Just as there is no one doctor to examine you for everything, we cannot provide all the activities and functional parts of the App. That is why we may turn to other entities and pass your personal information to them. GDPR calls them recipients of personal data. However, we only pass on the necessary information and certainly do not do it to make a profit.
The following recipients have access to personal data:
However, we store everything on servers in the EU, and the terms include a processing agreement with standard contractual clauses.
Google and Apple – since we allow you to sign in with your Apple or Google accounts, we need to have a "conversation" with these operators about what they will give us and give them information about the fact that you have set up an account.
Meta Platforms is the company that provides the Facebook Pixel tool we mentioned above.
Breezy s. r. o., provides our website and helps us with its operation.
Google Ireland Ltd., whose registered Office is at Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland, operates Google Analytics. This tool is used on our website and only launched when you consent – Google's Terms & Conditions here: https://policies.google.com/technologies/cookies?hl=cs.
Google provides us with a service called Google Firebase, which allows us to check for technical issues and App outages. The processing of personal data is based on processing terms and other mechanisms (standard contractual clauses), and more detailed information is available here: https://firebase.google.com/terms/data-processing-terms?hl=en&authuser=0.
SmartSelling a. s., which helps us with email distribution and automation.
OneSignal Inc. provides us with notification functionality and is registered with the Data Privacy Framework: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt00000008wTNAAY&status=Active.
Our developers and staff – there are enough people involved in the development that we can give them your information if needed, but only for this development.
4. Why did you get an email from us?
You have created an account on the App, entered all your details, you are happily using the App, and then suddenly you get an email, and you do not know why. Below, we explain when we send emails and what you can do about it.
Create a user account and provide us with your email address. We will send you any comments about your GP visit or other information related to your use of the App, either based on our relationship with you that you have created an account with us or based on our legitimate interest. This is to keep you informed and remind you about appointments related to some of our marketing activities. We care about your health, so hopefully, you will understand that we want to remind you on time.
At the same time, we have a blog full of interesting news, and occasionally, we organise an interesting event or event that might interest you. However, because these emails are no longer related to the App's operation, the law considers them commercial communications. Therefore, we will only send you these newsletters if you agree to receive them in advance by ticking the relevant checkbox.
You will have the option to opt-out in any email. We certainly do not want to be a nuisance. You can also adjust your newsletter preferences in the App settings. This opt-out will revoke the consent you have given us for the period until you have just opted out of receiving commercial communications.
We will also email you if you use our expert advice service. We will happily answer your questions about our articles and expert information via email.
5. How long will we keep personal data?
We will always store personal data for as long as the storage is necessary, given our purpose for processing. This is a simple rule. We will keep personal data for as long as you have set up your account on the App. You can cancel this anytime and choose which information you want to remove when you cancel. Do not want to keep your points or tour history, or do you like us to remind you by email of your tours anymore? You can choose to cancel your user account in the App.
If you are not active on the App for over two years, we will remind you by email, so you do not forget that we still have your details saved. We will delete your account if you still do not log in after the reminder.
The storage time will, therefore, always depend on the existence of the user account.
We will continue to process technical and usage information even after you no longer have a user account. However, we pride ourselves on proper anonymisation so that we will not be able to identify who it was retrospectively, and we will only use the data for statistical and analytical purposes to further improve the App.
6. What are your rights?
Concerning our processing, you can claim:
- the right of access to personal data;
- the right to rectification;
- the right to erasure ("right to be forgotten");
- the right to restriction of data processing;
- the right to object to processing;
- the right to data portability;
- the right to refuse consent to receive newsletters;
- the right to complain about the processing of personal data.
The right of access means that you can ask us at any time to confirm whether or not the personal data concerning you are being processed and, if so, for what purposes, to what extent, to whom they are disclosed, how long we will process them, whether you have the right to rectification, erasure, restriction of processing or to object, where we obtained the personal data and whether automated decision-making, including possible profiling, is taking place based on the processing of your personal data. You also have the right to obtain a copy of your personal data.
The right to rectification means you can ask us to correct or complete your personal data if it is inaccurate or incomplete. You can exercise this right without contacting us by clicking on your user profile and selecting "Edit Account". You can then quickly correct any inaccurate information you have provided us.
The right to erasure means that we must erase your personal data if (i) it is no longer necessary for the purposes for which it was collected or otherwise processed, (ii) the processing is unlawful, (iii) you object to the processing, and there are no overriding legitimate grounds for the processing, (iv) we are under a legal obligation to do so, or (v) you withdraw your consent concerning the personal data you have consented to the processing of. Or write that you think we should no longer hold your data, and we will investigate it and let you know.
The right to restrict processing means that until we have resolved any disputed issues about the processing of your personal data, we may not process your personal data other than to store it and, where appropriate, use it only with your consent or for the establishment, exercise, or defence of legal claims.
The right to object means that you can object to processing your personal data that we process for direct marketing purposes or legitimate interest, including profiling based on our legitimate interest. Suppose you object to processing for direct marketing purposes. In that case, your personal data will no longer be processed for those purposes (this means, for example, just the newsletters you receive from us – the theory is a bit more complicated, but if you click in the email to tell us you don't want the emails, we'll stop). Suppose you object to processing based on other grounds. In that case, we will evaluate the objection and then tell you whether we have complied and will no longer process your data or that the objection was unjustified, and processing will continue. In any case, processing will be restricted until the objection is resolved.
The right to data portability means that you have the right to obtain personal data relating to you that you have provided to us based on consent or a contract, which is also processed by automated means in a structured, commonly used, and machine-readable format and the right to have that personal data transmitted directly to another controller.
You can also withdraw your consent, for example, to receive newsletters directly in each newsletter we send you (if you receive it based on your consent). If we ask you for consent elsewhere, we will let you know how to withdraw it.
If you have a privacy-related comment, complaint, or query or are exercising any of your rights, please contact us at firstname.lastname@example.org. We will respond as soon as possible, but no later than one month.
The Office also supervises our activities for Personal Data Protection, to which you can file a complaint if you are dissatisfied. You can find out more on the website of the Authority (www.uoou.cz). However, we would be happy if you consult us first about any problem.
7. How up-to-date are these principles?
The policy applies from 24 January 2023; however, there may be changes in the future. We certainly plan to develop the App further, which may lead to us collecting and processing more of your data. If this happens, we will inform you before processing, and we will also keep past versions so you can keep track of what was valid and when.
Did you read the policy this far? Congratulations! There is no more. By now, you should know exactly what is going on with your data and hopefully understand why we need it all. Have a fun time using the App, and thank you for visiting the company of (un)ordinary heroes!