1. INFORMATION ABOUT THE POLICY
    1. We describe here how we process the personal data of users of the Health Folder Service and what rights and options these individuals have.
    2. This policy constitutes the fulfillment of the obligation outlined in Article 13(1) and (2) and Article 14(1) and (2) of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR).
    3. Capitalized terms have the meanings defined in the Terms and Conditions.
  2. WHO WE ARE
    1. The controller of your personal data processed in accordance with this Privacy Policy is Pragmatic Coders Spółka z ograniczoną odpowiedzialnością, with its registered office in Kraków, address: ul. Opolska 100, 31-323 Kraków, entered in the Register of Entrepreneurs of the National Court Register by the District Court for Kraków Śródmieście in Kraków, XI Economic Department of the National Court Register under the number KRS: 0000601571, NIP: 6772398603, REGON: 363386171, with a share capital of 7,500.00 PLN (hereinafter referred to as the “Controller”).
    2. In matters concerning your personal data, you can contact us:
  3. WHAT DATA WE PROCESS AND UNDER WHAT RULES
    1. In connection with using the Health Folder Service, we process the following personal data:
      1. Information necessary to create an Account, provided to us during the User Account registration, such as first name, last name, email address, country of residence, and age.
      2. Contact information provided to us by you or that we hold in connection with our relationship, such as first name, last name, email address, and phone number.
      3. Health-related information, including information constituting medical documentation, provided by you, such as blood test results. We may also process data contained in medical documentation uploaded by you to the Service, such as your PESEL number or home address.
      4. Personal information and health-related information, including medical documentation of close family members of the User, in the case of a Family Account and if such information has been provided by the User. In this case, we do not collect this data directly from you but from the User, who provides it to us and for whom you are a close family member.
    2. We process your personal data for the following purposes:
      1. Account creation on the Service – based on the necessity of processing to perform the electronic service agreement (under Article 6(1)(b) of the GDPR);
      2. Providing services within the Service, including ensuring proper service quality – based on the necessity of processing to perform the agreement to which you may be a party (under Article 6(1)(b) of the GDPR);
      3. Providing services within the Service, especially in cases where the processed data includes special categories of personal data, such as medical data or health-related data, with your explicit consent (under Article 9(2)(a) of the GDPR);
      4. Settlement of agreements concluded with you, based on the legal obligation imposed on the Administrator by tax and accounting regulations (under Article 6(1)(c) of the GDPR);
      5. Fulfilling legal obligations imposed on the Administrator, under national and European Union law, including regulations governing the provision of electronic services (under Article 6(1)(c) of the GDPR);
      6. Providing customer support and ongoing technical assistance when using our services – based on the necessity of processing to perform the agreement (under Article 6(1)(b) of the GDPR);
      7. Communicating with you regarding our services and handling queries, issues, or complaints related to the services or agreement – based on the necessity of processing to perform the agreement and the Administrator’s legitimate interest (under Article 6(1)(b) and Article 6(1)(f) of the GDPR);
      8. Responding to inquiries sent through contact forms or contact details on the website – based on the Administrator’s legitimate interest (under Article 6(1)(f) of the GDPR);
      9. Analyzing how you use the Service, improving its functioning, and enhancing its security – based on the Administrator’s legitimate interest (under Article 6(1)(f) of the GDPR);
      10. Pursuing and defending claims in courts and administrative bodies, based on the Administrator’s legitimate interest (under Article 6(1)(f) of the GDPR);
      11. Surveying your satisfaction with our services and improving the Service – based on the Administrator’s legitimate interest (under Article 6(1)(f) of the GDPR);
      12. Training the AI model and improving the Service, especially when processing special categories of personal data, with your explicit consent (under Article 9(2)(a) of the GDPR);
      13. Data archiving and backups, as part of the obligation to properly secure data (under Article 6(1)(c) and Article 6(1)(f) of the GDPR);
      14. Sending Newsletters, based on the necessity of processing to perform the Newsletter service agreement (under Article 6(1)(b) of the GDPR and Article 10(2) of the Act of 18 July 2002 on the provision of electronic services);
      15. Sending marketing information about our products and services, including commercial information via electronic means, with your consent (under Article 6(1)(a) of the GDPR and Article 10(2) of the Act on the provision of electronic services);
      16. Taking additional actions upon a client’s request, with your consent (under Article 6(1)(a) of the GDPR);
      17. Taking additional actions involving special categories of personal data, such as health data, with your explicit consent (under Article 9(2)(a) of the GDPR).
    3. Providing personal data for the purpose of creating an Account is voluntary but necessary for entering into an agreement for the provision of electronic services in the form of creating and subsequently using an Account. The consequence of not providing personal data will be the inability to create an Account and to provide services within the Service.
    4. Providing personal data for the purpose of providing services is voluntary but necessary for the proper provision of services within the Service. The consequence of not providing personal data will be the inability to provide services within the Service.
    5. Providing personal data for contact purposes is voluntary but may be necessary to respond to your inquiry and/or to establish contact with you.
    6. Providing personal data for receiving marketing and commercial information is voluntary but necessary for receiving such information. The consequence of not providing personal data will be the inability to receive marketing and commercial information regarding our services (e.g., information about new services).
    7. Providing personal data for the purpose of training the AI model and improving the Service is voluntary. The consequence of not providing data will be the inability to improve the Service.
  4. WHERE AND HOW DO WE PROCESS DATA AND TO WHOM DO WE TRANSFER IT
    1. The personal data we process may be transferred to our partners to the extent necessary for the proper performance of services, namely:
      1. Third parties providing services on our behalf, which are necessary to achieve the purposes for which we process your data (e.g. IT services, accounting, electronic communication, data hosting, services ensuring the functioning of the Website, data analysis, email distribution, as well as marketing and commercial information), in particular entities such as:
        • Amazon Web Services Inc., which provides us with infrastructure and development tools,
        • Alphabet Inc. (Google LLC), which provides us with analytical tools and databases,
        • Microsoft Corp., which provides us with development tools,
        • Smartlook.com s.r.o., which provides us with analytical tools,
        • The Rocket Science Group LLC, which provides us with tools for email distribution and marketing and commercial information.
      2. external providers, such as payment operators,
      3. persons providing medical services, in particular medical doctors, if you give your consent,
      4. recipients to whom disclosure is required by applicable laws or court orders or by another authority,
      5. other recipients if you give your consent, or when the transfer of data is necessary to protect your vital interests or the vital interests of other entities.
    2. The personal data we process is stored electronically on our devices, external servers of our partners, and partially in physical form at our headquarters.
    3. All databases we use are located within the European Economic Area (“EEA”). We make efforts to ensure that no data is transferred outside this area. However, due to our use of Amazon Web Services (“AWS”), data of users using the iOS system may also be partially stored on servers in the United States. The transfer of this data outside the EEA is based on Article 45(3) of the GDPR, i.e., under the European Commission’s Implementing Decision of July 10, 2023, which confirms an adequate level of data protection under the Data Privacy Framework, of which AWS is a certified participant.
    4. Each time your personal data is transferred outside the European Economic Area (EEA) to countries that do not provide the same or an adequate level of data protection as required by the laws applicable in Poland, we will ensure that it is done on a valid legal basis and with the use of legally required safeguards.
  5. PROCESSING TIME
    1. Your personal data will be processed:
      1. for the purpose of fulfilling the contract entered into via the Service – for the time necessary to fulfill it, and in the case of a paid contract, also for its settlement, but no longer than until the statute of limitations on claims arising from the contract;
      2. for the purpose of contacting you – from the date the data is collected until the correspondence related to your inquiry is concluded or until we can reasonably assume no further contact is necessary;
      3. for the purpose of sending marketing and commercial information – until the consent is withdrawn;
      4. for the purpose of pursuing and defending claims – for a period no longer than the statute of limitations for claims;
      5. for the purpose of fulfilling legal obligations – for no longer than the time required to demonstrate that these obligations have been properly fulfilled;
      6. for the purpose of archiving and making backups – for the period determined according to the Administrator’s backup and archiving policy;
      7. based on your consent – until it is withdrawn, however, this does not affect the legality of data processing by the Administrator prior to its withdrawal;
      8. based on the Administrator’s legitimate interest – for as long as this interest persists, but no longer than until you submit an effective objection to such processing.
    2. However, we will process the data no longer than until you express an effective objection to its processing when our legal basis for processing is our legitimate interest, or no longer than until the consent is withdrawn if it is the legal basis for data processing.
  6. DATA SECURITY
    1. We make every effort to prevent unauthorized access to personal data. We continuously analyze risks to ensure that personal data is secure and that its processing complies with the GDPR and other applicable legal regulations.
    2. All entities to which we entrust the processing of personal data guarantee the implementation of appropriate data protection and security measures required by law.
  7. RIGHTS OF THE PERSON WHOSE DATA WE PROCESS
    1. Individuals whose personal data we process have the right to obtain information about data processing and access to their data, to obtain copies, to rectify, delete, transfer data, and to restrict the processing of personal data.
    2. In cases where data is processed solely based on legitimate interest, the person whose data we process has the right to object to such processing.
    3. If data is processed based on consent, you can withdraw that consent at any time, and this will not affect the lawfulness of the processing that occurred before you withdrew your consent.
    4. Regarding any of the rights mentioned above, you can contact us, particularly using the contact details provided in section II.2 of the Privacy Policy.
    5. If you believe that the processing of your personal data violates applicable data protection laws, you may file a complaint with the President of the Personal Data Protection Office. All necessary information on how to submit such a complaint can be found here: www.uodo.gov.pl.
  8. COOKIES AND SIMILAR TECHNOLOGIES
    1. Cookies are small text files that are stored on your device when you browse a website.
    2. We do not directly use cookies, but we utilize technology that serves a similar function:
      • File name: authorisation token
      • Reason for using the file: ensuring user security; allowing users access to the Service
      • Expiration date of the file: 1 hour
    3. The use of the above token is essential for the proper functioning of the Service.
    4. If you do not want us to use this technology, you can block this option in your browser, but this will prevent you from using the Service.
  9. CHANGES TO THE POLICY
    1. We continuously verify the accuracy of this Policy and may change it at any time. Unless stated otherwise in the changes made, they take effect at the time of publication.
    2. The last update to the policy was made on October 21, 2024.