Privacy Policy of the Home Lab Application

This Privacy Policy of the Home Lab Application (hereinafter: “Privacy Policy”) sets out the manner and principles for the processing of personal data necessary for the performance of the services provided through the Home Lab mobile application (hereinafter: the “Application”) by IMOGENA Sp. z o.o. The following terms used in the Privacy Policy of IMOGENA Sp. z o.o. have the following meanings:

Controller – within the meaning of Article 4(7) of the GDPR, it means an entity which, alone or jointly withothers, determines the purposes and means of the processing of personal data; in the case of the Application, the role of the Controller is performed by IMOGENA Sp. z o.o. Home Lab MOBILE APPLICATION or APPLICATION – software in the version for mobile devices (for IOS and Android systems), the purpose of which is to enable the User to order and perform diagnostic tests.

Personal data – in the light of Article 4(1) of the GDPR, it means any information about an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly;

Health data – in the light of Article 4(15) of the GDPR, it means personal data about a natural person’s physical or mental health – including the use of healthcare services – revealing information about the natural person’s state of health;

Account – the User’s account enabling their identification after logging in to the Application by providing a login and password, by means of which the User may use the Services provided through the Application, including in particular ordering diagnostic tests and receiving the results of such tests;

Patient – a natural person for whom IMOGENA Sp. z o.o. provides medical services, acting alone or through a legal representative;

Processing – in the light of Article 4(2) of the GDPR, it means an operation or a set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and the repeal of Directive 95/46/EC (General Data Protection Regulation).

Service – a service provided electronically by IMOGENA Sp. z o.o. on terms set forth in these Terms of Service;

User – a natural person with full legal capacity ordering specific diagnostic tests using the Home Lab Mobile Application on behalf of themselves or a person under their parental authority/guardianship/custody.

DATA PROCESSING

  1. The Controller of personal data is IMOGENA Sp. z o.o. with its registered office in Poznań, ul. Jeleniogórska 16, 60-179 Poznań, entered in the National Court Register kept by the District Court Poznań - Nowe Miasto and Wilda in Poznań, 8th Commercial Department of the National Court Register under number 0000880206, Tax Identification Number (NIP) 779253064, Business Registry Number (REGON) 388060257, hereinafter referred to as the “Controller”. The contact with the Controller is possible:

    • by post at the following address: IMOGENA Sp. z o.o. ul. Jeleniogórska 16, 60-179 Poznań;
    • via e-mail: biuro@mineola.pl
  2. IMOGENA Sp. z o.o. has appointed a Data Protection Officer whom the User may contact on all matters concerning the processing of the User’s personal data. The Data Protection Officer may be contacted:

    • by post at the following address: Data Protection Officer IMOGENA Sp. z o.o. ul. Jeleniogórska 16, 60-179 Poznań;
    • via e-mail: rodo@jamano.pl
  3. The scope of personal data processed by the Controller depends on the User’s selection of a specific service in the Application. Data acquisition takes place by means of:

    • if the User uses the Application without registering, only the data downloaded from the device from which the User connects to the Application;
    • if the User is a registered user, the User data, i.e. the data provided during registration, in accordance with the provisions of the Terms of Service and this Policy;
    • in the case of ordering the service via the Application, the Patient’s data, i.e. the data provided when ordering the service, i.e. first name, surname, residence address, Personal Identification Number (PESEL), phone number, e-mail address;
    • if the User signs up for the newsletter, their e-mail address and/or phone number.
  4. The provision of personal data is voluntary, although it is a condition for concluding an agreement with IMOGENA Sp. z o.o. in order to set up and operate an account in the Application and to order and receive diagnostic test results. Subscribing to the newsletter is voluntary and does not affect the provision of services by IMOGENA Sp. z o.o.

  5. The use of certain functionalities of the Application may require the User to log in or register and consequently to provide personal data.

TYPE OF DATA PROCESSED

  1. The personal data processed is collected by means of forms.

  2. The processed personal data collected by the Collector are:

    1. if the User wishes to obtain information on available tests:

      • the residence address and, if different from the residence address, the address where the material is collected or
      • location provided by the User/Patient through the Application.
    2. if the User/Patient wishes to order a specific test:

      for the User:

      • first name;
      • surname;
      • date of birth;
      • PESEL (Personal Identification Number);
      • the residence address and, if different from the residence address, the address where the material is collected;
      • e-mail address;
      • phone number.

      for the Patient:

      • first name;
      • surname;
      • date of birth;
      • PESEL (Personal Identification Number)
      • the residence address and, if different from the residence address, the address where the material is collected;
      • e-mail address;
      • phone number;
      • health data including results of diagnostic tests performed.
  3. The personal data in question is processed for the following purposes:

    1. the performance of a service agreement (on the basis of Article 6(1)(b) of the GDPR) in connection with the creation and operation of an account on the Application, including in particular the ordering of diagnostic tests and the provision of the results of such tests in electronic form. The Application uses access to the exact location of the User/Patient (or the address indicated by the User/Patient where the test is to be performed) to determine the list of available tests at that location. The application also uses access to the approximate location of the User/Patient (or the address indicated by the User/Patient where the test is to be performed out) to display the area in which the test is to be performed. The Application also uses permanent memory access to temporarily store the Patient’s test results. The Application also uses the QR scanner incorporated in the camera of the mobile device on which the Application is installed, for the purpose of the User/Patient taking a discount on the service, connected with participation in the program (including the loyalty program).
    2. health (on the basis of Article 6(1)(c) and Article 9(2)(h) of the GDPR)
      • medical diagnosis (this purpose includes, in particular, processing related to the process of providing medical (diagnostic) services, including the maintenance of medical records, as well as post-delivery communication in order to assess the Patient’s state of health;
      • provision of healthcare and management of healthcare systems and services (this purpose includes, in particular, processing related to: registering the Patient in the laboratory; performance of the agreement with payers; ensuring continuity of healthcare, including in the process of coordination of provision of services, which may include, among others, confirming an appointment, cancelling an appointment, informing about organisational changes at IMOGENA Sp. z o.o, which have an impact on the provision of the expected service; performance of other activities auxiliary to the provision of health services, as well as activities related to the maintenance of the ICT system; exchange of information on the state of Patient’s health between different medical entities in order to ensure continuity of health care (based on Article 26(3) (1) of the Act on Patient’s Rights and Patient’s Rights Ombudsman); transfer of Patient’s data by IMOGENA Sp. z. o.o. to registers operating pursuant to the Act on Information System in Healthcare within the scope of public registers maintained pursuant to the aforementioned Act);
    3. to keep financial and tax accounts and to archive such data, in particular in connection with the Accounting Act, and to exercise the Users’ rights arising directly from the GDPR on the basis of Article 6(1)(c) of the GDPR;
    4. to send commercial information by electronic means to the provided e-mail address and/or phone number in the form of a newsletter, based on the voluntarily given consent to carry out such activities on the basis of Article 6(1)(a) of the GDPR;
    5. to establish, assert or defend claims on the basis of Article 6(1)(f) and Article 9(2)(f) of the GDPR.

PERSONAL DATA RECIPIENTS

Recipients of the Patient’s personal data are Laboratories performing tests on behalf of the Controller, entities and persons authorised by the Patient or (if applicable) their legal representative; entities providing healthcare services if the Patient’s records are necessary to ensure continuity of healthcare services; public authorities, including the Patients’ Rights Ombudsman, the National Health Fund, bodies of the selfgovernment of medical professions and consultants in healthcare, the Ministry of Health; other entities and persons authorised under applicable law and entities and persons processing data on behalf of the Controller, including entities servicing the Application.

INFORMATION ON THE INTENTION TO TRANSFER PERSONAL DATA TO A THIRD

COUNTRY OR INTERNATIONAL ORGANISATION Personal data is not transferred to a third country or an international organisation.

INFORMATION ABOUT AUTOMATED DECISION-MAKING, INCLUDING PROFILING

The personal data is not subject to automated decision-making, including profiling.

THE PERIOD FOR WHICH THE PERSONAL DATA WILL BE KEPT

  1. Personal data in respect of the creation and operation of the User’s account will be processed for the duration of the maintenance of the User’s account in the Application and will be deleted thereafter, but the cessation of use of the Application does not imply the deletion of diagnostic test results stored by the Controller.

  2. The results of diagnostic tests will be stored in accordance with legal regulations in force, including in particular the Act of 6 November 2008 on Patients’ Rights and Patients’ Rights Ombudsman. According to the Act, the Patient’s medical records are kept for a period of 20 years from the end of the calendar year in which the last entry was made, with the exception of medical records relating to children under the age of two, which are kept for a period of 22 years.

  3. If the User subscribes to the newsletter, their personal data will be stored for the duration of their subscription until we are informed of withdrawal of consent.

  4. Personal data processed for accounting and tax purposes will be processed for a period of 5 years calculated from the end of the calendar year in which the tax liability arose.

  5. Where personal data has been processed for the purpose of asserting or defending against such claims, it will be processed for this purpose for the period of limitation of claims under the Civil Code.

RIGHTS OF THE USER

In connection with the processing of personal data, the User has the following rights:

  1. the right of access to data – to obtain information on the purpose and manner of data processing, to obtain access to a copy of the data;
  2. the right to rectification – the correction of erroneous, incomplete or outdated personal data, only to the extent that this will not lead to an infringement of the professional autonomy of the health professional who made the entry in the medical records;
  3. the right to erasure of the data after the storage period, unless the obligation to store the personal data arises from the law;
  4. the right to restrict processing – restricting processing to storage only;
  5. the right to data portability – indicating another controller to whom we should transfer the data, if technically possible; however, the right to data portability does not apply to data processed by IMOGENA Sp. z o.o. on the basis of Article 9(2)(h) of the GDPR;
  6. the right to object to their further processing, whereby the right to object to the processing does not apply to personal data processed by IMOGENA Sp. z o.o. on the basis of Article 9(2)(h) of the GDPR;
  7. the right to withdraw consent at any time, whereby the exercise of the right to withdraw consent does not affect the processing that has taken place up to the moment of withdrawal of consent (withdrawal of consent is tantamount to not being able to receive the newsletter);
  8. the right to lodge a complaint with the President of the Data Protection Authority if the User considers it justified that personal data is being processed contrary to the GDPR.

DATA SECURITY

The processing of personal data takes place in accordance with the legal regulations in force. Personal data is processed solely for the purposes set out in this Privacy Policy. Personal data is protected against unauthorised disclosure to unauthorised persons, against unauthorised takeover, against destruction, loss, damage or alteration, and against processing contrary to generally applicable law. The personal data indicated above is relevant to the purpose for which we process it. We never ask the User to provide more information than is necessary for us to provide the Services to the User.

SUBCONTRACTORS

In order to perform services for the User, we entrust some of their personal data to our subcontractors. These entities are obliged to comply with the provisions of the GDPR and to process personal data in a manner consistent with the GDPR, other legal regulations in force and this Privacy Policy.

FIREBASE

In order to better understand User behaviour and optimise the Application, we use Firebase. This means that anonymous user information is sent to Firebase. Other Firebase features are also used, which allow us to detect the cause of errors in the Application and create better user prompts and push information. Firebase is a database that allows information to be embedded on a website in real time. Firebase is a subsidiary of Google and is based in San Francisco, California, USA. Firebase’s Privacy Policy can be found at https://www.firebase.com/terms/privacy-policy.html.

CHANGES TO THE PRIVACY POLICY

  1. IMOGENA Sp. z o.o. reserves the right to amend the content of the Privacy Policy in the event of changes in Polish law or implementation of new technological and IT solutions.
  2. For questions related to the Privacy Policy, please contact: rodo@jamano.pl