Previct is a dependency treatment tool that supports the successful treatment of many substance and gambling addictions within public and private healthcare. Previct consists of a digital Application, a medical device and a portal for healthcare providers. The patient (“you”) will use the medical device when measuring your sobriety and the application when communicating with your treating physician.
We, Kontigo Care AB (reg. no. 556956-2795 and registered address Påvel Snickares Gränd 12, 753 20 Uppsala, Sweden) follow the instructions from your healthcare provider and treating physician and act as the data processor. If you have questions or concerns, please contact your treating physician.
Last updated: 6 July 2022
Table of Contents
- Who is responsible for your personal data?
- Kontigo’s and your healthcare provider’s collection and use of personal data
- Sharing your personal data only when strictly necessary
- Transfer of personal data to third countries
- Data storage and Retention period
- Your Rights
- Changes and updates
- Questions or concerns
2. Who is responsible for your personal data?
- 2.2 Kontigo Care is the owner and provider of the mobile application Previct (the “Application”), the medical device to measure sobriety and the platform for healthcare providers (together the ”Service”). We act on your healthcare provider’s instruction as a data processor of the personal data necessary for your healthcare. Our processing includes operation, support and troubleshooting of the Service, supporting the healthcare provider in quality assurance of the healthcare provided and improvements of the services as well as compliance and information security. We are Kontigo Care AB with reg. no. 556956-2795 and registered address Påvel Snickares Gränd 12, 753 20 Uppsala (“Kontigo Care”, “We”, “Us”).
3. Kontigo’s and your healthcare provider’s collection and use of personal data
- 3.1 We handle your personal data as necessary to provide your healthcare provider with data to provide healthcare services to you.
- 3.2 Contact information to administer your account
- 3.2.1 We collect information that your healthcare provider has provided to us, including but not limited to user data, name, e-mail, social security number.
- 3.3 Technical data to optimise the Service and Application’s performance
- 3.3.1 When you use our Services, information about the mobile device that you use to access our Service, including the hardware model, operating system and version, unique device identifiers, IP-address, and mobile network information, is collected in order to adapt and optimise user experience of the Application. The Device-ID of the alcohol medical device is captured to ensure relevant linkage between user and result.
- 3.4 Health data and location data to support your treating physician to provide you with healthcare
- 3.4.1 When you follow your treating physician’s treatment plan and complete the steps in the Application, health data is collected, such as profile picture in relation to measurement of sobriety and secure identification, self-evaluation of healthcare status and mental status, completed assignments, and communication between user/patient and treating physician. If your treatment plan includes an obligation to check in to treatment meetings, the Application may collect your GPS coordinates at check-in.
- 3.4.2 Note that it is the treating physician that may choose to include certain information, such as individual social security number; it is not collected by default. Note that the treating physician does not make notes in Previct, and that all record-keeping takes place in the healthcare provider’s ordinary medical record system. Your healthcare provider processes your patient data to provide you with healthcare based on article 6.1. c and article 9.2 GDPR and Patient Data Act (2008:355).
- 3.5 Continuously improve the service
- 3.5.1 Your healthcare provider has instructed us to continuously improve our Services including user experience as part of the healthcare provider’s quality improvement work in order to continuously increase safety, medical quality, efficiency and availability of the Services. The processing necessary to improve the Service is based on the healthcare provider’s rights to process personal data in connection with quality assurance and improvement of care (article 6.1. f GDPR and Patient Data Act 2008:355).
- 3.6 Manage your support requests
- 3.6.1 When you communicate with the healthcare provider or us, we may reply to your questions to resolve an issue or troubleshoot a technical error through our support channels including telephone or email. Your healthcare provider and we use your data based on carrying out your treatment plan, based on the healthcare provider’s right to process personal data in relation to administration of its healthcare operations (article 9.2 h GDPR and Patient Data Act 2008:355). Use of your personal data for support matters is based on the healthcare provider’s right to fulfil its legal obligations under mandatory legislation in the healthcare industry (article 6.1 c GDPR).
- 3.7 We, Kontigo, process this personal data for the purposes described in section 3.2 – 3.6 in accordance with the data processing agreement we have in place with your healthcare provider.
- 3.8 To fulfil our legal obligations
- 3.8.1 Kontigo Care and the healthcare provider may process your personal data and health data on the basis of legal obligation (article 6.1 c GDPR) to follow obligations in law, rulings and awards or government decisions. We will process and save your data to the extent it is necessary to fulfil our legal obligations and requirements in law.
- 3.9 Administration in relation to mergers, acquisitions and other reorganisations
- 3.9.1 If Kontigo Care or the healthcare provider ceases to exist through liquidation or bankruptcy, we will delete your personal data to the extent they are not needed to fulfil legal requirements.
- 3.9.2 If Kontigo Care or the healthcare provider is acquired, merged or split as part of a reorganisation, the new entity will continue to use your personal data in accordance with this policy, unless new information is provided to you. The healthcare provider and we may then continue to process your data on the basis of our legitimate interest (article 6.1 f GDPR) and to fulfil our legal obligations (article 6.1 c GDPR). The healthcare provider will process your health data on the basis of providing you with healthcare (article 9.2 h GDPR) and to be able to establish, assert or defend legal claims (article 9.2 f GDPR).
4. Sharing your personal data only when strictly necessary
- 4.2 We use a hosting partner and a partner to supply the location check-in feature in the Application.
- 4.3 Our partners are bound by our strict data protection requirements and they are not allowed to use personal data they receive for any other purpose.
- 4.4 If we consider it necessary, we may also share your personal data in the following situations:
- a) comply with the law, legal proceedings, government decisions or court orders and provide information to the police and other competent authorities;
- b) be able to fulfil our agreements;
- c) protect our customers and users, for example to prevent attempted fraud or spam, or to facilitate the prevention of death or serious injury; and
- d) manage and maintain the security of our service, including preventing or stopping an attack on our systems or networks.
5. Transfer of personal data to third countries
- 5.1 The data of Previct resides within Sweden. We have designed the system and services with security in mind and have chosen a Swedish cloud service provider.
- 5.2 In limited cases we may transfer data to suppliers outside of the EU/EEA, namely the US, where your rights may not be protected at the equivalent level as the EU. All transfers are made in line with applicable law, e.g. accepted transfer mechanism and supplemental safeguards. The additional safeguards we use are (a) the decision on adequacy available here and (b) EU Standard Contractual Clauses available here.
- 5.3 There is an option for your healthcare provider and treating physician to activate the check-in feature while at treatment meetings. If considered beneficial to your treatment plan and recovery, you may be prompted to check in in the Previct App while at treatment meetings. In doing so, you will send your location GPS coordinates in Google Maps to the treating physician and it will be shared with Google. We have taken appropriate security measures to protect your data, with encryption in transit and
6. Data storage and Retention period
- 6.1 We will only retain your personal data for as long as it is necessary to provide you with healthcare according to your treatment plan and to fulfil our legal obligations. For all purposes, see section 3 above. When your treating physician has terminated your treatment plan, your account in our System will be terminated and the data will be automatically anonymised or deleted within 30 days.
7. Your Rights
- 7.1 Under the GDPR you have certain rights to access, correct, restrict and delete your personal data. Since Previct is a tool that your healthcare provider uses for the purpose of giving you healthcare, you may direct your data rights request directly to them.
- 7.2 Kontigo Care cares about your integrity and is committed to complying with data protection legislation. As a developer, we have designed our tool Previct in accordance with the obligations of privacy by design and by default.
- 7.3 Any questions or concerns that are directed to us, but that we determine rightfully belong to your treatment, will be directed to your healthcare provider.
- 7.4 If you have concerns or questions regarding the functionality of our App you have the following rights:
- a) The right to access. You have the right to request from us copies of the personal data we process about you.
- b) The right to rectification. You have the right to request that we correct any information which is inaccurate or incomplete.
- c) The right to erasure. You have the right to request that we erase your personal data, under certain conditions.
- d) The right to restrict processing. You have the right to request that we restrict the processing of your personal data, under certain conditions.
- e) The right to object to processing. You have the right to object to our processing of your personal data, under certain conditions.
- f) The right to data portability. You have the right to request that we transfer the data that we have collected to another organization, or directly to you, under certain conditions.
- g) Profiling and automated decision-making. You have the right to object to decisions made through automated processing, including profiling.
- 7.5 We respond to all requests that we receive from individuals who wish to exercise their data protection rights in accordance with applicable data protection laws. You can contact us by sending an email to email@example.com.
- 7.6 You may also file a complaint to the Swedish Authority for Privacy Protection (“IMY”), www.imy.se about our collection and use of your information.
- 7.7 You may also contact our data protection officer via firstname.lastname@example.org
- 8.1 To protect your personal data and the privacy of our users, we have implemented physical, technical and organizational security measures.
- 8.3 When required or appropriate and feasible, we obtain written assurances from third parties that may access your data that they will protect the data with safeguards designed to provide a level of protection equivalent to that adopted by Kontigo Care. If we were to transfer your personal data to third countries, i.e. countries outside the EU / EEA, we will enter into agreements and take other measures in accordance with applicable legal requirements.
- 8.4 To protect the privacy of your personal information, we maintain both technical and organisational safeguards, and we update and test our security regularly. However, an information system is never completely secure. Hence, we cannot guarantee the absolute security of your information. We are not responsible for the security of information you transmit to us over networks that we do not control, including the Internet and wireless networks.
- 9.1 Third Party content
- 9.3 Aggregated data and anonymous data
- 9.3.1 We may de-identify or aggregate information about you and share it freely, so that you can no longer be identified. We may also share information about you with your consent or at your direction or where we are legally entitled to do so.
- 9.4 Children
- 9.4.1 Our services are not intended for children under the age of thirteen. We never knowingly or intentionally collect information about children. If you believe we process information about a child, please notify us at email@example.com and request erasure of personal data.
10. Changes and updates
11. Questions or concerns
Kontigo Care AB
You are also always welcome to contact our Data Protection Officer:
Sharp Cookie Advisors with team lead Sofia Edvardsen firstname.lastname@example.org