Privacy Policy for Elsa and www.elsa.science

Here at Elsa Science AB ("Elsa" or "we"), we respect your privacy and undertake to protect your personal data in accordance with the General Data Protection Regulation ("GDPR") and all other applicable privacy legislation. It is important that you feel confident in our processing of your personal data and we have therefore gathered together some information in this privacy policy which explains how we process and use your personal data.

The privacy policy is aimed at users of the service that Elsa provides through our Elsa application ("the App") and via our website www.elsa.science ("the Website"). Elsa is the data controller for the processing of all personal data that you submit when using Elsa’s service either via the app or website. For a more detailed description of our service, please refer to our terms of service.

We promise that Elsa will never sell, transfer or otherwise make your personal data available to a third party without your express consent or in any manner which is not expressly stated in this privacy policy. If you feel that anything is unclear or if you have any objections to the way in which we process your personal data, please feel free to contact our data protection officer via email at DPO@elsa.science.


1. CONTACT DETAILS FOR THE PERSONAL DATA CONTROLLER

Elsa Science AB
Company Reg No. 559105-5479
℅ Ocean observations Box 7302
103 90 Stockholm

Email: hello@elsa.science

Data protection officer: Pelle Almquist
Email: DPO@elsa.science

2. WHAT INFORMATION DO WE COLLECT ABOUT YOU?

Whenever you create an account with Elsa, we collect basic personal data about you such as your name, date of birth and email address. Sensitive data collected via the app includes details on your diagnoses and medications, depending on the questions that Elsa asks. We also collect other data that you share with us through your use of the service; for example, data that you provide by uploading and/or contributing content and information. If you respond to questions and log your habits, then the following types of personal data will also be collected and processed: pain, tiredness, medication, well-being, exercise, diet, smoking, weight, treatment targets and any other notes that you may provide to us through your use of the App. If you allow Elsa to collect sensitive data via Apple HealthKit and/or Google Fit, then data about your daily activity and movement will also be processed.

When you use the app, certain pieces of information will be collected automatically, such as information about your use of the service, location data, information about network and device performance, language settings and information about your identification and operating system, as well as other items of technical information concerning your device such as the model and make of the smartphone you are using. We may also use cookies and similar technologies in order to collect such data. More information about the use of cookies can be found in section nine below.

3. THE PURPOSE AND LEGAL BASIS FOR DATA PROCESSING

Use and provision of the service

Elsa processes the personal data that it collects on you in order to provide you with the service, to administer your account and in order to communicate with you regarding your use of the service. Such processing concerns basic personal data and is necessary in order for Elsa to fulfil its agreement regarding the service with you (see terms of service). Sensitive personal data is processed following collection of your express consent for this.

Development of the service

Elsa analyses your use of the service in order to improve the service for users and to develop new products and services. Such processing is only undertaken if a balancing test indicates that Elsa’s interest in developing and improving the service and new products outweighs the data subject’s interest in protecting their data.

Research

In order for Elsa to be able to contribute to research, personal data may also be processed for research purposes in order to help further understand how different habits can affect disease activity and symptoms, etc. Personal details will only be processed for research purposes following the collection of your express consent for this.

Marketing

Personal details may be processed for marketing purposes in order to market the service and other services or products, either within or outside of the service itself, including functions and content in the service and other products and services that are provided via the service. Such processing is only undertaken if a balancing test shows that Elsa’s interest in marketing outweighs the data subject’s right to have their privacy protected. Note that you are entitled to object to Elsa’s processing of your personal details for marketing purposes at any time (see more information in the section entitled "Your Rights").

Aggregated information

Elsa may anonymise your personal data so that it can no longer be connected back to you. Anonymisation occurs automatically without any kind of human input. The anonymised information is then aggregated together with anonymised information from other users – this is called aggregated information. The aggregated information is then used to improve the service by drawing various different conclusions. Information is only anonymised if a balancing test shows that Elsa’s interest in anonymising and using the anonymised information outweighs the data subject’s right to have their privacy protected. The aggregated information may even be used for research purposes in order to study how habits can affect disease activity and conditions (read more in the research section above).     

4. FOR HOW LONG DO WE STORE YOUR PERSONAL DATA?

Elsa stores your personal data for as long as you have a user account for the service. When you close your account, Elsa will then delete the sensitive data that you have submitted through your use of the service. If you request that your personal data be deleted, we will proceed to permanently destroy your personal details (see section seven). Personal data that is used for research purposes is stored for as long as it is necessary to fulfil the purpose for data processing.

5. RECIPIENTS OF YOUR PERSONAL DATA

In order for us to operate Elsa in the best possible way, we need to share your personal data with external service providers so that they can perform certain tasks on our behalf. These service providers process user data and help us to deliver the service, and they do this in accordance with the present privacy policy and the specific purposes that are described in section three above. Examples of service providers that we work with include Amazon Web Services (servers), Heroku Inc (service platforms), Google Analytics, Firebase (data about how the service is used) and Mixpanel (in order to further develop Elsa). If a third party processes personal data on our behalf (e.g. Heroku or Mixpanel), they are bound by data processing agreements and by security and confidentiality requirements which conform with GDPR and applicable privacy legislation. Note that we are responsible at all times for your personal data and other information — and that no third-party service can acquire any additional rights other than the ones provided for by the present privacy policy.

6. DATA TRANSFERS TO THIRD COUNTRIES OUTSIDE OF THE EU/EEA

Elsa endeavours to always process your personal data within the EU/EEA. In cases where your personal data is transferred outside of the EU/EEA and to a country that is not considered to offer an adequate level of protection, we will take appropriate security measures before any such transfer is commenced. Examples of such security measures can include an EU-US Privacy Shield Agreement in the case of transfers to the US or adoption of the EU Commission’s standard clauses.

7. YOUR RIGHTS  

The personal data that Elsa processes about you must be correct. Should it come to light that your data is incomplete or incorrect, you are entitled at any time to request that it be corrected or supplemented. You are also entitled, in certain circumstances, to: i) request that your personal data be deleted, ii) request that processing of your personal data be restricted, iii) object to the processing of your personal data, which includes requesting that it not be processed or used for direct marketing or analytical purposes (even profiling to the extent this is connected to direct marketing) and iv) request that your personal data be transferred to you or to another person in an electronic format.

You are also entitled at any time to request information regarding what personal data Elsa processes on you in its capacity as data controller, and this information shall generally be provided free of charge. Send your request to the email address given in the contact information section of this privacy policy. Register extracts containing details of your personal data are normally sent out within one month of being requested.

If you object to our data processing, then Elsa will no longer be permitted to process your personal data, unless we have a legal basis for processing other than a balancing of interests or unless we can demonstrate overriding legitimate grounds which outweigh the interests, rights or freedoms of the data subject, or if the processing is undertaken for the purpose of determining, practising or defending legal claims. If your objection relates to processing that is undertaken for purposes of direct marketing, then Elsa will no longer be entitled to process your data for this purpose (unless we have a legal basis for processing other than a balancing of interests).

If you have any questions about how Elsa processes your personal data or if you would like to exercise any of the rights described above, please feel free to get in touch with Elsa (see contact details above).

8. YOU CAN WITHDRAW YOUR CONSENT AT ANY TIME

If you have given us consent to process your personal data, you can withdraw your consent at any time (without this affecting the legality of any data processing undertaken before your consent was withdrawn). In such a case, Elsa will no longer be entitled to continue with the data processing in question (unless there is another legal basis for processing). If you would like to withdraw your consent, we ask that you contact us via the contact details given in this privacy policy. Please indicate to what extent you wish to withdraw your consent – i.e. whether you want to withdraw consent for all data processing or only certain kinds.

9. COOKIES, BEACONS AND SIMILAR TECHNOLOGIES

We collect information using technologies such as cookies, beacons and local storage (i.e. on your web browser or device). Within this privacy policy, we use the term ‘cookies’ to refer to all technology, including data and text, that we store on your web browser or device.

What is a cookie?

A cookie is a small text file that is stored on your computer, smartphone or other device whenever you visit a website. Among other things, cookies can help us to recognise you the next time you visit our website, and they also enable us to offer you a more secure and operationally stable service.

Elsa uses the following cookies:

Functional cookies

We use functional cookies in order to enable certain functions within the service and to remember your choices and settings whenever you use the service again.

Analytical cookies

We use analytical cookies to measure demand for our product, to study how it is used and to collect data on how it functions when in operation. The information that we collect is then used to maintain and improve the service.

Third party cookies

We may also allow our partners to use cookies within our services for the same purposes that are described above. Third party suppliers may also use cookies on our behalf in accordance with the purposes that are described above. We use cookies from Google Analytics and Mixpanel to analyse how the service is used.

Most web browsers allow the user to decide how cookies should be managed. You can set your web browser to reject cookies or to remove certain types of cookies. If you decide to block cookies, certain functions within the service may become impaired or removed completely as they require the use of cookies to work. You can find more general information about cookies on the website of the Swedish Post and Telecom Authority (www.pts.se).

10. DATA PROTECTION OFFICER

If you have any questions about our processing of your personal data, this privacy policy or what other factors apply to the protection of your privacy, or if you would like to exercise any of your rights, please contact us at: DPO@elsa.science or Elsa Science AB, ℅ Ocean observations, Box 7302, 103 90, Stockholm.

11. THE RIGHT TO LODGE A COMPLAINT

If you believe that our processing of your personal data is in breach of the GDPR or applicable privacy legislation, you can lodge a complaint with the relevant supervisory authority. In Sweden, this authority is the Swedish Data Protection Authority (Datainspektionen) and their website is: www.datainspektionen.se.

12. NOTIFICATION OF AMENDMENTS

We may make amendments to this privacy policy. If we make significant changes, we will notify users about these changes in the most suitable way with regards to the circumstances; e.g. through a post on our website, via email or via an in-app notification.