Privacy Notice for Elsa’s web-based application

Effective Date: February 6th, 2024

Here at Elsa Science AB ("Elsa" or "we"), we respect your privacy and undertake to protect your personal data in accordance with the General Data Protection Regulation ("GDPR"), the Health Insurance Portability and Accountability Act (“HIPAA”), and other applicable privacy legislation (e.g. California Consumer Privacy Act of 2018 (“CCPA”) and the California Privacy Rights Act of 2020 (“CPRA”)). It is important that you feel confident in our processing of your personal data and we have therefore gathered together some information in this privacy policy which explains how we process and use your personal data.

The privacy policy is aimed at users of the service that Elsa provides through our Elsa application ("the App"). Elsa is the data controller for the processing of all personal data that you submit when using the app. For a more detailed description of our service, please refer to our Terms of Service.

We promise that Elsa will never sell, transfer or otherwise make your personal data available to a third party without your express consent, in any manner which is not expressly stated in this privacy policy. If you feel that anything is unclear or if you have any objections to the way in which we process your personal data, please feel free to contact our data protection officer via email at DPO@elsa.science.

1. CONTACT DETAILS FOR THE PERSONAL DATA CONTROLLER
Elsa Science AB
Company Reg No. 559105-5479
Luntmakargatan 26
111 37 Stockholm
Sweden

hello@elsa.science

Data Protection Officer:
Sally Robertson
DPO@elsa.science

2. WHAT INFORMATION DO WE COLLECT ABOUT YOU?
For the Elsa App to be able to serve you in the way it is designed to, we need to collect your personal information, which may include information that identifies, relates to, describes, references, can be associated with, or could reasonably be linked, directly or indirectly, with you and/or your device. We might collect personal information directly from you, from your device when you use our app, from third parties that you permit to share your information or from third parties that share public information about you. The rest of this privacy notice explains what and how in more detail.

Whenever you create an account with Elsa, we collect basic personal data about you, such as your name, date of birth and email address. You also have the possibility to let us collect your health data, such as your medical diagnoses, so that we can help you monitor and improve your health. If you respond to questions and log your habits, then the following types of personal data will also be collected and processed: pain, tiredness, medication, well-being, exercise, diet, smoking, sleep, weight, treatment targets and any other notes that you may provide to us through your use of the App. If you allow Elsa to collect health data via Apple HealthKit and/or Google Fit, then data about your daily activity and movement will also be processed.

Lastly, when you use the app, certain pieces of information will be collected automatically, such as information about your use of the service, location data, information about network and device performance, language settings and information about your identification and operating system, as well as other items of technical information concerning your device such as the model and make of the smartphone you are using. We may also use cookies and similar technologies in order to collect such data. More information about the use of cookies can be found in section 9. Cookies.

3. THE PURPOSE AND LEGAL BASIS FOR DATA PROCESSING

Use and provision of the service
Elsa processes the personal data that we collect about you in order to provide you with the service, to administer your account and in order to communicate with you regarding your use of the service. Such processing concerns basic personal data and is necessary in order for Elsa to fulfil its agreement regarding the service with you (see Terms of Service). The legal basis is the performance of the contract. Health data is processed if you choose to share it with us during your usage of the app.

Development of the service
Elsa analyses your use of the service in order to improve the service for users and to develop new products and services. Such processing is only undertaken if a balancing test indicates that Elsa’s interest in developing and improving the service and new products outweighs the data subject’s interest in protecting their data.

Research
In order for Elsa to be able to contribute to research, personal data may also be processed for research purposes in order to help further understand how different habits can affect disease activity and symptoms, etc. Personal details will only be processed for research purposes following the collection of your express consent for this.

Marketing
Personal details may be processed for marketing purposes in order to market the service and other services or products similar to this one, either within or outside of the service itself, including functions and content in the service and other products and services that are provided via the service. Such processing is only undertaken if a balancing test shows that Elsa’s interest in marketing outweighs the data subject’s right to have their privacy protected. Note that you are entitled to object to Elsa’s processing of your personal details for marketing purposes at any time (see more information in section 7. Your Rights).

Aggregated information
Elsa may anonymise your personal data so that it can no longer be connected back to you. Anonymisation occurs automatically without any kind of human input. Your anonymised information is grouped together with anonymised information from other users – this is called aggregated information. The aggregated information can then be used to improve the service by drawing various different conclusions on a group level. Information is only anonymised if a balancing test shows that Elsa’s interest in anonymising and using the anonymised information outweighs the data subject’s right to have their privacy protected.

The aggregated information may also be used for research purposes in order to study how habits can affect disease activity and conditions (see the section on Research above).

4. FOR HOW LONG DO WE STORE YOUR PERSONAL DATA?
Elsa stores your personal data for as long as you have a user account for the service. If you close your account, Elsa will permanently delete all the personal data that was collected through your use of the service. An anonymised/aggregated version of your data cannot be deleted because it can no longer be linked back to you or in any way separated from other users’ data (see the section on Aggregated information above).

Personal data that is used for research purposes is stored for as long as it is necessary to fulfil the purpose for data processing, which is always indicated in a separate privacy notice you receive before potentially joining research studies (see the section on Research above).

Elsa might make an exception to the above if required to do so by law or compelled by a court, government or administrative agency of competent jurisdiction. 

5. DISCLOSURE OF YOUR PERSONAL DATA
In order for us to operate Elsa in the best possible way, we need to share your personal data with external service providers so that they can perform certain tasks on our behalf. These service providers process user data and help us to deliver the service, and they do this in accordance with the present privacy policy and the specific purposes that are described in section three above.

The categories of third parties to whom we disclose your personal information may include: (i) our service providers and advisors; (ii) strategic partners; (iii) analytics providers. Examples of service providers that we work with include Amazon Web Services (used for hosting our production servers), Intercom Inc. (used for customer support), Google Analytics and Firebase (used for storing data about how the service is used). If a third party processes personal data on our behalf (e.g. Amazon or Google), they are bound by data processing agreements established by Elsa and by security and confidentiality requirements which conform with GDPR, HIPAA, and other applicable privacy legislation. Note that Elsa is responsible at all times for your personal data and other information — and that no third-party service can acquire any additional rights other than the ones provided for by the present privacy policy.

Elsa will disclose your personal data outside the scope of these provisions only if required to do so by law or compelled by a court, government or administrative agency of competent jurisdiction. Your personal data may be subject to federal and local laws that require Elsa to disclose this data in certain circumstances.

Elsa also reserves the right to transfer the user databases, together with any personal data contained in them, to any third party acquiring Elsa assets after notice and the opportunity for a user of our service to request that personal data not be transferred. Should Elsa or our assets ever be sold, acquired, merged, liquidated, reorganised, or otherwise transferred, we will place a prominent notice on the homepage of the Elsa website (https://www.elsa.science/). 

6. DATA STORAGE AND TRANSFERS
Elsa endeavours to store and process all user data within the US. The storage and processing are done following high security standards, such as secure transfer protocols and end-to-end encryption.

7. YOUR RIGHTS 
If you have any questions about how Elsa processes your personal data or if you would like to exercise any of the rights described below, please feel free to get in touch with Elsa (see contact details above). You may also use an authorized agent to submit a request about your personal data.

Information/access
You are entitled at any time to request information regarding what personal data Elsa processes on you in its capacity as data controller, and this information shall generally be provided free of charge. The information you request may include:

  • the specific pieces of personal information we have collected about you

  • the categories of personal information we have collected about you

  • the categories of sources of the personal information

  • the categories of personal information that we have disclosed to third parties for a business purpose

  • the categories of recipients to whom this information was disclosed

  • the business or commercial purposes for collecting or sharing the personal information

Send your request to the email address given in the contact information section of this privacy policy. Register extracts containing details of your personal data are normally sent out within one month of being requested.

Rectification/correction
The personal data that Elsa processes about you must be correct, considering the nature and purposes of the processing of the information. Should it come to light that your data is incomplete or incorrect, you are entitled at any time to request that it be corrected or supplemented.

Deletion
You have the right to request deletion of personal information we have collected from you, subject to exceptions mentioned in section 4.

Restriction
You are entitled, in certain circumstances, to:

 i) request that processing of your personal data be restricted to that which is necessary to perform the services reasonably expected by an average user

ii) object to the processing of your personal data, which includes requesting that it not be processed or used for direct marketing or analytical purposes (even profiling to the extent this is connected to direct marketing)

iii) opt out of sharing personal information with third parties now or in the future

Export/portability
You are entitled to request that your personal data be transferred to you or to another person or data controller in an electronic format.

Objection
If you object to our data processing, then Elsa will no longer be permitted to process your personal data, unless we have a legal basis for processing other than a balancing of interests or unless we can demonstrate overriding legitimate grounds which outweigh the interests, rights or freedoms of the data subject, or if the processing is undertaken for the purpose of determining, practising or defending legal claims.

Lodging a complaint
If you believe that our processing of your personal data is in breach of the GDPR, HIPAA, or other applicable privacy legislation, you can lodge a complaint with the relevant supervisory authority.

Non-discrimination
If you choose to exercise any of these rights, Elsa will not deny you goods or services, or provide different quality of services.

Please note that if exercising these rights limits our ability to process personal information (such as a deletion request), we may no longer be able to provide you with our products and services or engage with you in the same manner.

8. YOU CAN WITHDRAW YOUR CONSENT AT ANY TIME
If you have given us consent to process your personal data, you can withdraw your consent at any time (without this affecting the legality of any data processing undertaken before your consent was withdrawn). In such a case, Elsa will no longer be entitled to continue with the data processing in question (unless there is another legal basis for processing).

If you would like to withdraw your consent, you can do so by either closing your account or by contacting us via the contact details given in this privacy notice. When you write to us, please indicate to what extent you wish to withdraw your consent – i.e. whether you want to withdraw consent for all data processing or only certain kinds.

9. COOKIES
We collect information using token technology in order to recognize you the next time you use the App. Within this privacy policy, we use the term ‘cookies’ to refer to all technology, including tokens, data and text, that we store on your device.

Elsa uses the following cookies:

Functional cookies
We use functional cookies in order to enable certain functions within the service and to remember your choices and settings whenever you use the service again.

Analytical cookies
We use analytical cookies to measure demand for our product, to study how it is used and to collect data on how it functions when in operation. The information that we collect is then used to maintain and improve the service.

Third party cookies
We may also allow our partners to use cookies within our services for the same purposes that are described above. Third party suppliers may also use cookies on our behalf in accordance with the purposes that are described above.

Elsa does not track users over time and across third-party websites to provide targeted advertising and therefore does not respond to Do Not Track (“DNT”) signals.

10. NOTIFICATION OF AMENDMENTS
We may make amendments to this privacy policy. If we make significant changes, we will notify users about these changes in the most suitable way with regard to the circumstances, e.g. through a post on our website, via email or via an in-app notification.