PeakPath

Privacy Policy

Version: 3.1.0

Background

At Nudge Labs AB ("PeakPath", "we", "us" or "our"), we protect your privacy. This Privacy Policy describes how we collect, use, and share personal data in connection with our services, website, and application.

In this Privacy Policy, the following definitions apply:

  • "Processing" means any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  • "Applicable legislation" means Regulation (EU) 2016/679 of the European Parliament and of the Council (the General Data Protection Regulation, "GDPR"), as well as other applicable national data protection legislation.
  • "Personal data" means any information relating to an identified or identifiable natural person ("data subject"). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Data Controller

Nudge Labs AB, company registration number 559308-7652, Birger Jarlsgatan 57 C Norrsken House, 113 57 Stockholm, is the data controller for the processing of personal data described in this Privacy Policy.

From where do we collect personal data?

We collect personal data from the following sources:

From you

  • Information you provide directly to us (e.g. when creating an account, filling in forms, or contacting us)
  • Data from wearable devices that you connect to our service
  • Information generated through your use of our products and services
  • Information from your interactions with your assigned coach
  • Information collected when you visit our website (e.g. cookies and similar technologies)

From your employer

  • Your email address
  • Your employer name
  • Your organizational affiliation

When and why do we process personal data?

Administer the use of our services

We process personal data to create and manage your account, provide access to our platform, and deliver the services you or your employer have subscribed to.

Categories of personal data: Identity info, Contact info, Account info, Demographic data.

Legal basis: Performance of a contract (Art. 6(1)(b) GDPR).

Analyze personal data provided through the use of our services

We process health data and other personal data to generate personalized insights, coaching recommendations, and performance reports. This includes analyzing biometric data from wearables such as sleep patterns, heart rate variability, activity levels, and recovery metrics.

Categories of personal data: Health info, User-generated data, Identity info.

Legal basis: Explicit consent (Art. 6(1)(a) and Art. 9(2)(a) GDPR).

To conduct research

We process anonymized and aggregated data to conduct research aimed at improving our understanding of performance, wellbeing, and resilience in professional settings.

Categories of personal data: Health info (anonymized), User-generated data (anonymized).

Legal basis: Legitimate interest (Art. 6(1)(f) GDPR). Our legitimate interest is to develop and improve our services and contribute to research in the field of occupational health and performance.

To manage wearable distribution

We process personal data to manage the distribution, tracking, and return of wearable devices provided to users as part of our service.

Categories of personal data: Identity info, Contact info, Geographical info.

Legal basis: Performance of a contract (Art. 6(1)(b) GDPR).

Manage and respond to questions and complaints

We process personal data to handle and respond to your inquiries, feedback, and complaints.

Categories of personal data: Identity info, Contact info, Communication.

Legal basis: Legitimate interest (Art. 6(1)(f) GDPR). Our legitimate interest is to maintain good customer service and address user concerns.

Evaluate, develop and improve our services

We process personal data to evaluate, develop, and improve our services, features, and user experience. This may include conducting surveys, analyzing usage patterns, and testing new features.

Categories of personal data: User-generated data, Account info, Feedback.

Legal basis: Legitimate interest (Art. 6(1)(f) GDPR). Our legitimate interest is to continuously improve and develop our services.

Evaluate and monitor the use of our application or website

We process personal data to monitor and analyze how our application and website are used, including traffic patterns, usage statistics, and performance metrics.

Categories of personal data: Account info, User-generated data.

Legal basis: Legitimate interest (Art. 6(1)(f) GDPR). Our legitimate interest is to ensure the proper functioning and security of our services.

Provide you with tailored marketing

We may process personal data to send you marketing communications and provide you with information about our services that may be relevant to you.

Categories of personal data: Identity info, Contact info, Account info.

Legal basis: Consent (Art. 6(1)(a) GDPR) or Legitimate interest (Art. 6(1)(f) GDPR) where applicable.

Manage and address legal claims

We process personal data to establish, exercise, or defend legal claims.

Categories of personal data: All categories as necessary.

Legal basis: Legitimate interest (Art. 6(1)(f) GDPR). Our legitimate interest is to protect our legal rights and interests.

Fulfill legal obligations

We process personal data to comply with applicable laws, regulations, and legal obligations, such as accounting and tax requirements.

Categories of personal data: Identity info, Contact info, Account info.

Legal basis: Legal obligation (Art. 6(1)(c) GDPR).

Manage and protect systems and services

We process personal data to manage, protect, and ensure the security of our IT systems, networks, and services, including preventing unauthorized access, fraud, and other security threats.

Categories of personal data: Account info, User-generated data.

Legal basis: Legitimate interest (Art. 6(1)(f) GDPR). Our legitimate interest is to ensure the security and integrity of our systems and services.

Data retention

We retain personal data for as long as it is necessary to fulfill the purposes for which it was collected. When personal data is no longer needed, it will be deleted or anonymized. If you request deletion of your personal data, we will delete it within 30 days of your request, unless we are required by law to retain it for a longer period.

Recipients

We may share your personal data with the following categories of recipients:

  • Authorities: We may disclose personal data to authorities if required by law or regulation.
  • Legal representatives: We may share personal data with legal advisors and representatives when necessary to protect our legal interests.
  • Buyers, sellers and advisors: In connection with a merger, acquisition, or sale of all or a portion of our assets, personal data may be transferred to relevant parties and their advisors.
  • Service providers (subprocessors): We share personal data with third-party service providers who process data on our behalf. These providers are bound by data processing agreements and are only permitted to process personal data in accordance with our instructions. See the subprocessor list below.

Third country transfers

Some of our service providers are located outside the EU/EEA. When personal data is transferred to countries outside the EU/EEA, we ensure that appropriate safeguards are in place, primarily through EU Commission standard contractual clauses (SCCs) in accordance with Art. 46(2)(c) GDPR, to ensure that your personal data is adequately protected.

Security

We implement appropriate technical, physical, and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures are regularly reviewed and updated to ensure continued effectiveness.

Your rights

Under Applicable legislation, you have the following rights in relation to your personal data:

  • Right of access: You have the right to request confirmation as to whether or not your personal data is being processed and, where that is the case, to request access to the personal data.
  • Right to rectification: You have the right to request that we correct inaccurate personal data concerning you and to have incomplete personal data completed.
  • Right to object: You have the right to object to processing of your personal data which is based on our legitimate interests.
  • Right to erasure: You have the right to request that we erase your personal data under certain circumstances, such as when the data is no longer necessary for the purposes for which it was collected.
  • Right to restrict processing: You have the right to request the restriction of processing of your personal data under certain circumstances.
  • Right to withdraw consent: Where processing is based on your consent, you have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.
  • Right to data portability: You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller.
  • Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement. In Sweden, the supervisory authority is Integritetsskyddsmyndigheten (IMY).

Contact us

If you have any questions about this Privacy Policy or our processing of your personal data, please contact us at:

Nudge Labs AB
Birger Jarlsgatan 57 C Norrsken House
113 58 Stockholm
Email: dpo@peakpath.com

Subject access request process

If you wish to exercise any of your rights as described above, please submit a request to dpo@peakpath.com. We will respond to your request within 30 days of receipt. In order to process your request, we may need to verify your identity. If we are unable to verify your identity, we may request additional information from you.

Categories of personal data

The following categories of personal data may be processed in connection with our services:

  • User-generated data: Data generated through your use of our services, such as goals, habits, journal entries, and coaching notes.
  • Demographic data: Age, gender, and other demographic information.
  • Communication: Records of correspondence and interactions with us, including support tickets and chat messages.
  • Geographical info: Location data, such as shipping addresses for wearable devices.
  • Health info: Biometric and health-related data from wearable devices, including sleep data, heart rate variability, resting heart rate, activity levels, recovery scores, and stress indicators.
  • Identity info: Name, profile picture, and other identifying information.
  • Contact info: Email address, phone number, and postal address.
  • Work environment results: Aggregated and anonymized workplace wellbeing data.
  • Feedback: Survey responses, ratings, and other feedback provided by you.
  • Account info: Username, password (hashed), account settings, and preferences.

Subprocessors

We use the following subprocessors to provide our services:

Subprocessor    Purpose
AssemblyAI      Speech-to-text transcription of coaching sessions
Auth0           Authentication and identity management
Calendly        Scheduling of coaching sessions
Datadog         Application monitoring and logging
Google          Cloud infrastructure and productivity tools
Heroku          Cloud hosting and application deployment
Hasura          GraphQL API and database management
Mailgun         Transactional email delivery
OpenAI          AI-powered insights and analytics
Recall.ai       Video meeting integration and recording
Retool          Internal tools and administration
Sendbird        In-app messaging and chat
Slack           Internal communication and notifications
Terra           Wearable data integration and aggregation
Zendesk         Customer support and helpdesk