Privacy Policy – Nutrium's nutrition appointment service

Introduction

We care for your privacy and we want to share with you everything we do with your personal data. Throughout Nutrium's Privacy Policy you will be able to check what rights you have at your disposal, what data we process and with whom we share it, the period for which the personal data will be stored, and much more.

We made sure that this Policy is as transparent, clear and concise as possible. It is important that you read it carefully and calmly since the privacy we guarantee is only as complete as your knowledge of it.

We also recommend the full reading of the Regulation 2016/679 of the European Parliament and of the Council, also known as the General Data Protection Regulation (hereinafter GDPR), where you can learn more on privacy and protection of personal data.

Who are we?

Healthium - Healthcare Software Solutions, S.A. (hereinafter "Healthium"), based at Rua Andrade Corvo, n.º 242, Sala 106, 4700-204 Maximinos, Braga, registered under the unique registration and identification number of legal entity 513 624 503, is the Controller of your personal data within the scope of the online nutrition consultation scheduling service.

It is also the company responsible for the development of Nutrium software in its various dimensions. This software allows for the simplification of the most complex tasks of the nutrition Professionals, such as planning, analysis and creation of food plans, nutritional calculations, management and information analysis, among other functionalities.

Scope of this Privacy Policy

This Privacy Policy applies to all users who use Nutrium's appointment scheduling services, or similar scheduling services such as Nutrium Care, from a patient's perspective ("User"). Within these services, Healthium can be considered, under the scope of the GDPR, to be the Joint Controller or Controller of the personal data.

Purposes of processing and legal basis

The collection and processing of data is fundamental to the functioning of Nutrium and, in particular, to the online appointment scheduling service and the Nutrium Care service. It's based on that data that our project is built and it's that informational core that allows us to provide you with a quality service, putting you in touch with the best nutritionists on the market and simplifying the booking of nutrition consultations. In this context, Healthium treats your data with the following purposes and legal basis:

• User registration on the platform: registration on the Nutrium platform allows us to properly identify the User and correctly associate him/her with the professionals and consultations desired. In addition, these are the sets of data that we consider indispensable for the regular execution of the contractual relationship between the User and Healthium, under the scope of the provision of this service, and also the pre-contractual relationship between the User and the Professional that is formed with the appointment. The data we require at registration are: full name, gender, country of residence, date of birth, email and mobile phone number. The legal basis for this is the performance of the contract and the legitimate interest of Healthium, in accordance with Art. 6 (1) (b) and (f) of the GDPR.
• Provision of the appointment scheduling services: the primary objective of the service is to allow the User to schedule nutrition appointments, at a distance, with a Professional chosen from a list of professionals who are subscribed to the Nutrium service. In order to make this possible, Healthium makes available to the Professional the User's personal data relevant to the appointment making the connection between the parties and thus acting as an intermediary. Additionally, as part of Nutrium Care, Healthium processes personal data related to payments. The legal basis for this is the performance of the contract and the legitimate interest of Healthium, in accordance with Art. 6 (1) (b) and (f) of the GDPR.
• Direct communications: Healthium may send direct communications, by email or through notifications and text messages, such as: reminders regarding consultations; advertisement to specific professionals; dissemination of new services; newsletters, among other communications. The legal basis in this regard is the legitimate interest of Healthium under Art. 6 (1)(f) of the GDPR.
• Processing, support and analysis: this type of data collection is primarily intended to facilitate the work of our team whenever support and information regarding the use of the platform is needed. This information enables us to quickly resolve problems on our platforms or to improve them, and without it the normal operation of our service and its maintenance cannot be guaranteed. The legal basis here is consent (we refer specifically to cookies) and the legitimate interest of Healthium under art. 6(1)(a) and (f) of the GDPR.

For the purposes of processing that have as legal basis a legitimate interest of Healthium, you can request us our Legitimate Interests Assessment results at any time (only available for consultation in Portuguese and English).

Data retention period

Healthium will only store your data for as long as necessary to fulfill the purposes set out in this Policy or as long as required by applicable laws or regulations. User data is kept as long as the account is not deleted at his request. From that moment on all personal data is deleted permanently.

It is important to emphasize that Healthium is completely unrelated to the processing of personal data carried out by the Professional, therefore the deletion of data relating to the User's Nutrium account does not imply the simultaneous deletion of personal data processed by the Professional.

Transmission of data to third parties

Some of your personal data may be processed by third parties who are not part of our internal team. We have limited these operations to the bare minimum needed to continue to operate efficiently and, although in many of the cases listed below there is no real transfer of data in the classic sense of the term, we're making available to you the list of potential third parties and the respective categories of data to which they might have access.

• Nutrition Professionals: the personal data you provide to us as part of the appointment service is transferred to the Professional so that he can carry out the management and scheduling of the required appointments. The sets of data transferred are: full name, gender, country of residence, date of birth, email and mobile number.
• Analysis of the use of software: we resort to applications in order to analyze the use of our software, such as Google Analytics. These applications collect small pieces of information related to your mobile devices and browsers and the use of the platform in general. It is, therefore, a set of data that allows us to know precisely how you use the platform, the country, the date and time you enter the platform, among other information. We also collect data such as the I.P. address, the browser you access and its version, the language, your operating system, among others.
• Communications: our newsletters and contacts are sent, managed and processed by third parties specialized in mass mailing and advertising campaigns such as Mailjet.
• Support: we resort to external applications to provide support, for example, through chat.
• Data storage and processing: storage, processing and backup of your personal data is carried out securely in hosting and computing companies located mainly in Europe.
• Audits and maintenance: your data might be accessed within the scope of independent quality control and security audits of our services. All audits are subject to confidentiality and are closely monitored by the Healthium team. In addition, we use external software that helps us detect errors and debug the software.
• Payment processing: to ensure certain payments, we resort to third parties specialized in this type of operations, such as the Stripe payment service. In these circumstances, your payment information will be processed by Stripe, which may collect additional information, such as your billing address and banking information.

Where the transmission of personal data to third parties involves an international transfer of personal data, Healthium:

• will carry out this transfer on the basis of a Commission adequacy decision, according to which the country or international organization in question guarantees a level of personal data protection equivalent to that under European Union law;
• if there is no Commission adequacy decision, it will ensure that such transfers are made in stringent compliance with the law and that appropriate guarantees are implemented to ensure the protection of your personal data.

The Rights of the User

We want to ensure that your rights are fully respected.In situations where the automatic mechanisms already implemented do not allow us to fully guarantee these rights you can contact us through privacy@nutrium.com or dpo@nutrium.com.

• Right of access: the data subject has the right to access information concerning him/her and to know the purposes for which his/her personal data is processed, the categories of data processed, among other information.
• Right to rectification: the data subject has the right to obtain correction of inaccurate or incomplete personal data, and where it is compatible with the purposes of processing, the right to rectify it.
• Right to erasure ("right to be forgotten"): the data subject has the right to have his personal data deleted without undue delay.
• Right to restriction of processing and right to object: these rights may be exercised, if applicable, by reaching us through the contacts provide above. In specific situations you may exercise this right automatically via the links provided for this purpose, e.g. in the case of email advertising communications.
• Right to data portability: the data subject has the right to receive, in a reusable digital format, all information concerning him, which he has provided to Healthium.
• Right to withdraw consent: where data processing is carried out on the basis of your consent, you may withdraw it at any time. Withdrawal of consent does not compromise the lawfulness of processing carried out on the basis of previously given consent.
• Opposition to automated individual decisions: automated individual decisions, including profiling, which have a significant effect on the legal impact on the Users legal sphere are not applied.

Security

The security of your data and the services we provide are one of our highest priorities. As such, we regularly review our platforms and servers to ensure that all measures are being taken to mitigate security risks, using the most current encryption, surveillance and auditing techniques. These measures may only reflect on our servers or, otherwise, have immediate impact on our platforms, such as increased password complexity, new SSL certificates, two-step verification, and more.

Changes and amendments to this Privacy Policy

Nutrium's Privacy Policy is subject to constant and periodic review. As a result of legal developments, recommendations issued by the control authorities, or changes to our business model, among others, we may have to amend this Policy. We recommend that you visit this page regularly and keep up with the latest updates. We will notify you whenever we make substantial changes to this Policy that might jeopardize your rights.

Data Protection Authority

Without prejudice to any claims that you may submit to Healthium or our Data Protection Officer through the contacts made available on this page, you may also submit a complaint to the Portuguese Data Protection Authority through the following contacts: