Privacy Statement Coala Solutions

CL 11-01-06 ver 06 ENG

1. General

Coala Solutions has developed the Coala Heart Monitor, which is a medical system for remote cardiac monitoring. The results of the monitoring are presented to the user of the Coala Heart Monitor in the Coala App. If the Coala Heart Monitor is provided to you via a healthcare provider, the results of the monitoring are also presented to the connected healthcare provider in the web-based Coala Care platform.

If you use our products and services, personal data are processed. Personal data is any information that relates to an identified or identifiable living individual. Examples of personal data are a name, a home address and an ID card number.

These personal data may relate to users of our products and services, to employees of healthcare providers (like administrators or caregivers), to visitors of our website, to individuals that have subscribed to our newsletter via our website and to our business contacts. Coala Solutions is committed to protecting these personal data and has drafted this Privacy Statement to provide transparency on how Coala Solutions treats personal data.

If you have any questions or concerns regarding this Privacy Statement or the protection of your personal data, please feel free to contact us via info@coalasolutions.com or via the contact details that you will find on the final page of this Privacy Statement.

2. Who is responsible for the processing of your personal data?

If you use the Coala Heart Monitor as a consumer for your own purposes, Coala Solutions acts as a data controller responsible for the processing of your personal data. Coala Solutions also acts as a data controller when processing your data if you visit our website, have assigned to our newsletter, and for the other processing purposes mentioned below under No. 3.

However, if the Coala Heart Monitor is prescribed to you by a healthcare provider in order to monitor your health in the framework of the healthcare to be provided by this healthcare provider, Coala Solutions processes personal data solely on behalf of that healthcare provider. In that situation, the connected healthcare provider is as a controller responsible for the processing of the personal data and Coala Solutions acts as a processor. For those situations, we have entered into data processing agreements with the relevant healthcare providers on how we process personal data on their behalf and the security measures that we take. Further details on the relevant processing activities can be found in paragraph 3 below.

3. Which personal data is used and for what purposes?

In providing our products and services, Coala Solutions collects certain personal data. We can process these personal data in various ways. In paragraph 3.1 you will find information about our processing of personal data in general. In paragraph 3.2 and further, you will find an overview of various topics with more detailed information about the processing of personal data in that context.

3.1. General processing purposes

In general, we may always process your personal data for the following purposes:

  • For maintenance, administration and network and security purposes.
  • For internal control and business operations.
  • For determining, exercising and defending our rights.
  • For complying with legal obligations (incl. fraud prevention) and requests of authorized governmental institutions.

3.2. To make a user account for the Coala App

  • Persons involved. Users of the Coala App.
  • The purpose of the processing. In order to be able to use the Coala App, you need a user account. We will process your personal to make your user account and to know your identity.
  • The personal data that is processed. Name, e-mail address, a personal ID and address.
  • Legal grounds for the processing.
    • If you use the Coala Heart Monitor and Coala App without the involvement of any healthcare provider, we collect this information directly from you. The legal ground for personal data processing for this purpose is that it is necessary for us to fulfill our obligations under our agreement with you as a user. If these data are not provided to us you cannot use the Coala App.
    • If you use the Heart Monitor by prescription of a healthcare provider in order to monitor your health in the framework of the healthcare to be provided by this healthcare provider, we may obtain these personal data from your healthcare provider.  In this situation, the legal ground for processing can be found in the execution of the medical treatment agreement that the healthcare provider has with you and your consent. In this situation, we process your personal data on behalf of the healthcare provider. The healthcare provider is the controller of the processing and Coala Solutions is the processor.

3.3. To handle orders

  • Persons involved. Users of the Coala Heart Monitor.
  • The purpose of the processing: We process personal data to process orders. We use this information for identity confirmation, to manage payments, to deliver products, to handle returns and complaints, and to otherwise communicate regarding orders.
  • The personal data that is processed. Name, contact details and address.
  • Legal grounds for the processing.
    • If you order the Coala Heart Monitor directly from us without the involvement of a healthcare provider, we collect this information directly from you. The legal ground for personal data processing for this purpose is that it is necessary for us to fulfill our obligations under our agreement with you. If these personal data are not provided to us we cannot process your order.
    • If you use the Coala Heart Monitor by prescription of a healthcare provider in order to monitor your health in the framework of the healthcare to be provided by this healthcare provider, your healthcare provider may provide us with (parts of) the relevant personal data. In this situation, the legal ground for processing can be found in the execution of the medical treatment agreement that the healthcare provider has with you and your consent. In this situation, we process your personal data on behalf of the healthcare provider. The healthcare provider is the controller of the processing and Coala Solutions is the processor.

3.4. When using the Coala Heart Monitor, the Coala App and the Coala Care platform

  • Persons involved. Users of the Coala App, the Coala Heart Monitor and the Coala Care platform and employees of healthcare providers.
  • The purpose of the processing.
    • We record, digitize and store personal data when you use the Coala Heart Monitor in order to measure and analyze by Coala Solutions smart algorithms.
    • We process personal data in the Coala App, in order to analyze by Coala’s smart algorithms, to present you with the results, to guide you and store your personal journal.
    • If you use our products by prescription of a healthcare provider in order to monitor your health in the framework of the healthcare to be provided by this healthcare provider, we process personal data on the web-based Coala Care platform to present the connected healthcare provider with the results and to be able to store it in the user’s medical journal.
    • If you use our products by prescription of a healthcare provider in order to monitor your health in the framework of the healthcare to be provided by this healthcare provider, we process personal data in the Coala App and the Coala Care platform for the healthcare provider to be able to communicate with the user of the Coala Heart Monitor.
  • The personal data that is processed.
    • Regarding the user: name, e-mail address, patient ID (optional), date of birth, comments about specific measurements, comments about a patient, messages sent to the patient, account status (active/inactive), nation configuration, gender, heart sound recording data, ECG recording data, feeling at the time of measurement, blood pressure (optional), length, weight (optional), medication status, smoking status, information regarding pacemaker/implanted device, unit settings, language settings, paper size setting, which healthcare providers user has approved, thumb result, chest result and app result.
    • Regarding employees of the healthcare provider (like administrators or caregivers): name, e-mail address, healthcare provider he/she is working for, nation configuration.
  • Legal grounds for the processing.
    • If you use our products without the involvement of a healthcare provider, the legal ground for personal data processing for this purpose is that it is necessary for us to fulfill our obligations under our agreement with you. If you do not provide us with these personal data, we cannot provide our services to you. As far as we process personal data relating to your health (such as measurements and results) we need your explicit consent as a legal basis for the processing of these personal data. We cannot process or access these personal data without your consent.
    • If you use our products by prescription of a healthcare provider in order to monitor your health in the framework of the healthcare to be provided by this healthcare provider, the legal ground for this personal data processing can be found in the execution of the medical treatment agreement that you have with the healthcare provider and your consent. In this situation, we process your personal data on behalf of the healthcare provider. The healthcare provider is the controller of the processing and Coala Solutions is the processor.

3.5. Newsletter

  • Persons involved. Individuals that have subscribed to our newsletter via our website (not being users of our products).
  • The purpose of the processing. We process your personal data to provide you with our newsletter and information about important events at Coala Solutions.
  • The personal data that is processed. Name and e-mail address.
  • Legal grounds for the processing. The legal ground for personal data processing for this purpose is your consent, as long as you are not a user of our products. You can withdraw your consent at any time by sending an e-mail to info@coalasolutions.com. Any mailing from us also includes the possibility of unsubscribing.

3.6. Direct marketing

  • Persons involved. Users of the Coala App, the Coala Heart Monitor and the Coala Care platform and employees of healthcare providers.
  • The purpose of the processing. We process your personal data to provide you with marketing materials, such as our newsletter and information about important events at Coala Solutions, via mail, e-mail or text messages.
  • The personal data that is processed. Name, e-mail address, address, telephone number.
  • Legal grounds for the processing. The legal ground for personal data processing for this purpose is that it is necessary to fulfill our legitimate interest in being able to market our products and services to you. At any time you have the right to object to the processing of personal data for this purpose by contacting us at info@coalasolutions.com. We will always honor your request if your request relates to personal data processing for direct marketing purposes, which means that we will immediately cease the personal data processing for this purpose and you will no longer receive our marketing materials.

3.7. Provide support

  • Persons involved. Users of the Coala App, the Coala Heart Monitor and the Coala Care platform and employees of healthcare providers.
  • The purpose of the processing. We process your personal data to help you if you contact us in support matters, such as if you have questions about our products or services. We use your personal data to identify you, communicate with you, and investigate any complaints or support matters.
  • The personal data that is processed. Names and contact details.
  • Legal grounds for the processing. The legal ground for personal data processing for this purpose is that it is necessary to fulfill our legitimate interest to provide you with support and answer any questions you have for us.

3.8. Improve our services

  • Persons involved. Users of Coala App, Coala Heart Monitor and Coala Care platform.
  • The purpose of the processing. We process personal to obtain information on your use of our products and services in order to improve our products and services and to make them more user-friendly. We use for example user satisfaction and market research or analyze your use of our products and services.
  • The personal data that is processed. Data on your use of the products, such as your name, e-mail address, date of birth, nation configuration, gender, thumb result, chest result and app result. When we use your information for this purpose, we use your data in an aggregated form (i.e. studying overall user patterns using unidentified data), to the extent possible.
  • Legal grounds for the processing. The legal ground for personal data processing for this purpose is that it is necessary to fulfill our legitimate interest in continuously improving our products and services.

3.9. Prevent abuse

  • Persons involved. Users of Coala App, Coala Heart Monitor and Coala Care platform.
  • The purpose of the processing. We process personal data to prevent abuse of our products or services and to investigate abuse. Abuse refers to fraud, junk mail, harassment, attempted illegal login to user accounts and other actions prohibited by our terms or by law.
  • The personal data that is processed. Name, e-mail address, a personal ID, contact details and address.
  • Legal grounds for the processing. The legal ground for personal data processing for this purpose is that it is necessary for our legitimate interest in preventing our products and services from being abused and our legitimate interest in investigating any abuse.

3.10. General communications

  • Persons involved. Our business contacts such as our vendors and shareholders.
  • The purpose of the processing. We process personal data of our business contacts to (maintain) contact with them, reive services from them (if appliable), and for administrative purposes, including financial purposes.
  • The personal data that may be processed. Name, gender, title, age/date of birth, nationality, and place of birth, contact details, organization details financial details, administration number, communication data.
  • Legal grounds for the processing. The legal ground for personal data processing for this purpose is that it is necessary for our legitimate interest to pursue the aforementioned purposes, or necessary for the performance of a contract to which you are a party.

4. How do we obtain your personal data?

We obtain personal data in various ways:

  • Provided by you. Some personal data we receive straight from you. Examples include personal data in e-mails to us or personal data you insert in the Coala App.
  • Automatically obtained. Some personal data we obtain automatically via the use of the Coala Heart Monitor. Examples include ECG recording data and heart sound recording data. Some personal data we obtain via the use of our website or applications. Further information on the latter is included in our Cookie Statement to be found on our website www.coalasolutions.com.
  • Obtained via healthcare provider. Some personal data we obtain from healthcare providers. Examples include names of employees of the healthcare provider, comments about a patient or comments about specific measurements.
  • Obtained via third parties, involved by a healthcare provider. Some personal data we obtain from third parties that are involved by a healthcare provider. This happens for example when your healthcare provider involves third parties to collaborate with your healthcare provider in executing the health care. For example, a healthcare provider may involve a third party to develop an application to be used by patients of the healthcare provider by prescription of the healthcare provider in order to monitor health in the framework of the healthcare to be provided by this healthcare provider. Such a third party may involve Coala Solutions as a sub-contractor in developing the application or performing other services. Coala Solutions may obtain personal data in the framework of such a sub-contract from or via that third party. Coala Solutions will in such a situation act as sub-processor of the third party (processor) involved and will enter into a sub-processor agreement with the third party on how to process personal data and the security measures taken for those cases.
  • Obtained via other third parties. If you are a business contact, we could also obtain personal data about you from other persons or external parties. Examples include your colleagues or other parties who are involved with our mutual relationship and public registers of company directors and participating interests.

5. Who do we share your personal data with?

We will not share your personal data with any third party except as described below.

  • Hjärtupplysningen. If you subscribe to a Coala Premium subscription, you have the opportunity to receive healthcare counseling integrated with our app via Hjärtupplysningen. To be able to use these services, we need to share your information with Hjärtupplysningen, an external, independent healthcare provider offering healthcare advice based on your Coala results. As a Coala Premium subscriber, you give Hjärtupplysningen the consent to access your data via safe authentication when you call them.
  • Healthcare providers. If the Coala Heart Monitor is provided to you by prescription of a healthcare provider in order to monitor your health in the framework of the healthcare to be provided by this healthcare provider, the results of the monitoring are also provided to the connected healthcare provider in the web-based Coala Care platform, to be stored in your medical journal and to be used for communication with you.
  • Third parties, involved by healthcare providers. We may share personal data with third parties that are involved by a  healthcare provider. This happens when your healthcare provider involves third parties to collaborate with the healthcare provider in executing the health care. For example, a healthcare provider may involve a third party to develop an application to be used by patients of the healthcare provider. Such a third party may involve Coala Solutions as a sub-contractor in developing the application or performing other services. Coala Solutions may share personal data in the framework of such a sub-contract with that third party.
  • Our suppliers. We may use third parties to handle one or more aspects of the business, including processing or handling of personal data. We may share personal data with these third parties to provide services on our behalf, such as sending market communications to you, storing our data, and other IT services. When we use suppliers according to this paragraph, we enter into personal data processing agreements and take other appropriate steps to ensure that your personal data is processed in a manner that complies with applicable laws and regulations and this Privacy Statement.
  • Mergers or acquisitions. We may transfer or transmit your personal data to a buyer or potential buyer upon the merger or acquisition of all or part of our business or assets. Upon such transfer, we will take reasonable steps to ensure that the receiving party processes your information in a manner that complies with this Privacy Statement.
  • Government institutions. We can share your personal data with government institutions, such as the police, tax authorities or other authorities when we are required to do so by law.

6. To which countries will we transfer your personal data?

Parties involved in the processing of personal data originating from the EU may be located in a different country. In case these parties are situated outside the EEA, the transfer is legitimized in the manner described below. See this link for an overview of the EEA countries.

We do not transfer your personal data which is processed by the Coala Heart Monitor, the Coala App and the Coala Care platform to recipients outside the EEA. However, in the context of our other processing activities, it may at times be necessary to transfer personal data recipients outside the EEA, to achieve our processing purposes.

Transfers outside the EEA. The transfer of your personal data to a third party outside the EEA can in the first place be legitimized based on an adequacy decision of the European Commission, in which it is decided that the (part within the) third country in question ensures an adequate level of data protection. See this link for a summary of the applicable adequacy decisions.

If your personal data is transferred to a country outside the EEA for which there is no adequacy decision, we agree on the applicability of the relevant version of the Standard Contractual Clauses with the relevant party. This is a standard contract to safeguard the protection of your personal data, which is approved by the European Commission, in which the parties fill out the appendices. See this link for the various framework Standard Contractual Clauses. Where appropriate, additional safeguards are taken.

In specific situations, we can also rely on the derogations from article 49 GDPR to legitimize the data transfer. This means that we may transfer your personal data: (i) with your explicit consent, (ii) if this is necessary for the performance of a contract that has been concluded with you or has been concluded in your interest, or (iii) if this is necessary or the establishment, exercise or defense of legal claims. Lastly, in exceptional cases, we may also transfer personal data if the data transfer is necessary for our compelling legitimate interests and is not overridden by your interests or rights and freedoms.

You can contact us via info@coalasolutions.com if you want additional information about the way in which we legitimize the transfer of your personal data to countries outside the EEA.

7. How do we secure your personal data?

Protecting your privacy and personal data is very important to us. Therefore, Coala Solutions has implemented appropriate technical and organizational measures to protect and secure personal data, in order to prevent violations of the confidentiality, integrity and availability of data, taking into account that the processing involves a large volume of special categories of personal data (being personal data relating to health).

Coala Solutions has implemented an appropriate written security policy for the processing of personal data. We take appropriate safeguards and enforce security standards to protect your personal data from unauthorized access, unauthorized disclosure and addiction. We always encrypt your personal data. We store your personal data on files available only to our employees, our agents and our service providers who need the information for their service and are bound to confidentiality obligations. We use technical tools such as firewalls, passwords, encryption, two-factor authentication, etc. and we ensure that our employees are educated in the importance of maintaining security and confidentiality in relation to the personal data we process. We have furthermore taken appropriate measures relating to onboarding of employees, access to personal data, incident reporting and continuity (back-up and restoring of data).

Coala Solutions will comply with the requirements of ISO270001, as far as required under the applicable rules that apply to the processing of personal data by Coala Solutions.

8. How long do we retain your personal data?

We do not keep your personal data for longer than what is necessary in relation to the purposes for which we process the personal data.

This means, for example, with respect to users of Coala Solutions that we will keep your personal data as long as you are a registered user of Coala Solutions in order to enable you to use our products and to enable us to provide services to you. We will retain your personal data for at least twelve months after your subscription has been terminated if you have a Coala Basic subscription and for at least three years after your subscription has been terminated if you have a Coala Premium subscription. This will enable you to access and use your heart data during a reasonable period after termination of your subscription and will enable us for example to provide you with support and use your data for improvement of our services or marketing (unless you have objected to that).

In certain situations, we process your personal data for a longer period of time than what is necessary for the purpose of the processing. This may be the case in the following situations:

  • Retention obligation.To comply with a minimum retention period or other legal obligation to which we are subject based on applicable EU law or the law of an EU member state.
  • Procedure. Your personal data is necessary in relation to a legal procedure.
  • Freedom of expression.When further processing of your personal data is necessary in order to exercise the right to freedom of expression and information.
  • Other. For example when needed for reasons of payment or fulfillment of our commitments.

By exercising your privacy rights you may request Coala Solutions to delete your personal data or restrict the processing. We refer to paragraph 9 below for further information on your rights.

9. Your privacy rights

9.1. What are your rights?

In relation to the processing of your personal data by Coala Solutions, you have the following privacy rights.

  • Right of access. You have the right to request access to your personal data. This enables you to receive a copy of the personal data we hold about you (but not necessarily the documents themselves). We will then also provide you with further specifics of our processing of your personal data. For example, the purposes for which we process your personal data, where we got it from, and with whom we share it.
  • Right to rectification. You have the right to request rectification of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected. You have this right in case we process personal data about you that: (i) is factually incorrect; (ii) is incomplete or not related to the purpose it was collected for; or (iii) is in any other way used in a manner that is in conflict with applicable law. The right of rectification is not intended for the correction of professional opinions, findings or conclusions that you do not agree with. However, Coala Solutions could in such a case consider adding your opinion about this to the personal data.
  • Right to erasure. You have the right to request the erasure of your personal data. This enables you to ask us to delete or remove personal data where: (i) the personal data are no longer necessary, (ii) you have withdrawn your consent, (iii) you have objected to the processing activities, (iv) the personal data have been unlawfully processed, (v) the personal data have to be erased on the basis of a legal requirement, or (vi) where the personal data have been collected in relation to the offer of information society services.
    However, we do not have to honor your request to the extent that the processing is necessary: (i) for exercising the right of freedom of expression and information, (ii) for compliance with a legal obligation that requires processing, (iii) for reasons of public interest in the area of public health, (iv) for archiving purposes, or (v) for the establishment, exercise or defense of legal claims.
  • Right to restriction of processing. The right to restriction of processing means that Coala Solutions will continue to store personal data at your request but may in principle not do anything further with it. In short, you have this right when Coala Solutions does not have (or no longer has) any legal grounds for the processing of your personal data or if this is open for discussion. This right is specifically applicable in the following situations:
  • Unlawful processing. We may not (or no longer) process certain personal data, but you do not want us to erase the data. For example, because you still want to request the data at a later stage.
  • Personal data no longer required. Coala Solutions no longer needs your personal data for our processing purposes, but you still require the personal data for a legal claim. For example, in case of a dispute.
  • Pending an appeal. You objected against the processing of your personal data by Coala Solutions (see the right to object below). Pending the verification of your appeal, we shall no longer process this personal data at your request.
  • Contesting the accuracy of personal data. You contest the accuracy of certain personal data that we process about you (for example via your right to rectification; see above).  During the period in which we assess your contest, we shall no longer process this personal data at your request.
  • Right to object. You have the right to object to the processing of your personal data where we are relying on legitimate interest as processing ground (see above). Insofar as the processing of your personal data takes place for direct marketing purposes, we will always honor your request. For processing for other purposes, we will also cease and desist processing, unless we have compelling legitimate grounds for the processing which override your interests, rights and freedoms or that are related to the institution, exercise or substantiation of a legal claim. If such is the case, we will inform you of our compelling interests and the balance of interests made.
  • Right to data portability. You have the right to request the transfer of your personal data to you or to a third party of your choice (right to data portability). We will provide you, or such a third party, with your personal data in a structured, commonly used, machine-readable format. Please note that this right only applies if it concerns processing that is carried out by us by automated means, and only if our processing ground for such processing is your consent or the performance of a contract to which you are a party (see above).
  • Right to lodge a complaint. You have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work or where an alleged infringement took place. Please be referred to this webpage for an overview of the supervisory authorities and their contact details. However, we would appreciate the chance to deal with your concerns before you approach the supervisory authority, so we would be grateful if you contact us beforehand.

9.2. How to exercise your rights?

You can exercise your privacy rights free of charge, by phone or by e-mail via the contact details displayed at the end of this Privacy Statement. If requests are manifestly unfounded or excessive, in particular, because of the repetitive character, we will either charge you a reasonable fee or refuse to comply with the request. We may request specific information from you to help us confirm your identity before we further respond to your privacy request.

We will provide you with information about the follow-up to the request without undue delay and in principle within one month after receipt of the request. Depending on the complexity of the request and on the number of requests, this period can be extended by another two months. We will notify you of such an extension within one month of receipt of the request. Applicable privacy laws and regulations may allow or require us to refuse your request. If we cannot comply with your request, we will inform you of the reasons why, subject to any legal or regulatory restrictions. 

10. How to contact us?

If you have any questions concerning this Privacy Statement, or data collection in particular, please contact us at info@coalasolutions.com or via:

Coala Solutions AB
Östermalmstorg 1
114 39 Stockholm
Sweden

You may also contact the Data Protection Officer at dataskyddsombudet@coalasolutions.com.

11. Changes to this Privacy Statement

Occasionally, we may need to update or change this Privacy Statement. In case of important changes, we will inform you in an appropriate manner and ask you to take note of the changes made. The latest version of the Privacy Statement is always available on our website www.coalasolutions.com. This Privacy Statement was updated on 06-Sep-2021.