PeakPath Privacy Policy

Background

At Nudge Labs AB ("PeakPath", "we" or "us"), we protect your privacy and strive towards always maintaining a high level of data protection.

This privacy notice describes how we collect and use Personal data that is provided to us via our website www.peakpath.com or our application PeakPath, and when our services are used. It also describes your rights and how you can exercise them.

If you have any questions, you are always welcome to contact us at dpo@peakpath.com

Throughout this privacy notice, the term "processing" is used, which includes all operations involving Personal data, including without limitation, collection, handling, storage, sharing, access, use, transfer and deletion of Personal data.

"Applicable legislation" means applicable laws, ordinances and regulations, including regulations issued by relevant supervisory authorities, concerning the protection of the fundamental rights and freedoms of natural persons and in particular the right to the protection of their Personal data applicable to the processing in question; including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) ("GDPR") as well as laws, ordinances and regulations supplementing the GDPR.

"Personal data" shall have the meaning ascribed to it under the GDPR and means any information relating to an identifiable or identified natural person.

Who is the data controller for the personal data we collect?

Nudge Labs AB, company registration number 559308-7652, Döbelnsgatan 31, 113 58 Stockholm, is the data controller for the company's processing of Personal data.

From where do we collect personal data?

We collect Personal data from:

  • You, either data that you provide to us yourself or data that we collect from your wearable device, or through the use of our products, coach interactions or website visits.

  • Your employer, such as your email address, the name of your employer and organisational belonging.

When and why do we process personal data?

Administer the user of our services

We process your Personal data in order to manage the customer relationship with your employer, which is necessary to provide you with our services.

Categories of Personal data

  • Identity information

  • Contact information

Legal basis

Legitimate interest

The processing is necessary to provide our services

Retention period

Personal data is retained until you choose to terminate your account

Analyze personal data provided in the app, including notifying your employer of the results regarding your work environment

We process your Personal data as provided or generated when you use our services.

We share the results regarding your health data with your employer only in an anonymized and aggregated form.

Personally Identifiable Information, e.g. contact information or identity information, is never shared with the employer, and is only used during the processing step to separate data by employer, departments, roles and/or office.

Categories of Personal data

  • Contact information

  • Identity information

  • Health information

Legal basis

Consent.

We process your personal data on the basis of your consent.

We process sensitive Personal data, e.g. information about health, on the basis of your explicit consent.

Retention period

Personal data regarding health is stored for five (5) years.

If you withdraw your consent (i.e. de-register from our services) all personally identifiable information pertaining to you will be deleted within 30 days.

Manage and respond to questions and potential complaints

If you contact us, e.g. via our digital channels, we will process your Personal data that you provide us with to communicate with you and respond to and investigate any questions and/or complaints that you may have (including technical support).

Categories of Personal data

  • Identity information

  • Contact information

  • Your communication

  • Health information

Legal basis

Legitimate interest.

The processing is necessary to fulfill our legitimate interest in managing and responding to your submitted questions and/or complaints.

Retention period

Personal data, e.g. health data, is retained until the customer service matter has been completed. Data necessary to document communications regarding contractual obligations or infractions may be retained for the legally mandated period for accounting purposes.

Evaluate, develop and improve our services

We will process your Personal data as we generate data for the purpose of improving our services. Based on the information we collect, we analyze the data on an aggregated level using deidentified or pseudonymized data, without any connection to you as an individual (e.g. to improve the user interface to simplify the flow of information or to highlight functions that are often used by customers).

Categories of Personal data

  • Our communications

  • Feedback to us

  • Application usage

  • Health information

Legal basis

Legitimate interest.

The processing is necessary to fulfill our legitimate interest in evaluating, developing and improving our services, products and systems.

Retention period

Reports at an aggregate level that do not contain any Personal data and statistics are stored for an indefinite period.

Evaluate and monitor the use of our application or website

We will process your Personal data when customizing services to become more performant and effective. In order to analyze and better understand how you use our application or website, we further process your Personal data, e.g. as collected via cookies, application performance monitoring or similar technologies.

Categories of Personal data

  • Identity information

  • Geographical information

  • Application usage

Legal basis

Legitimate interest.

The processing is necessary to fulfill our legitimate interest in evaluating and monitoring the use of our application or website.

Retention period

Reports at an aggregate level that do not contain any Personal data and statistics are stored for an indefinite period.

Provide you with tailored marketing

Application

PeakPath will not share your Personal health data with partners.

Website

We process your Personal data to provide you with tailored marketing that we deem to be of interest to you. We do this by the use of e.g. cookies, and similar techniques, which help us and our partners to display relevant ads on various websites based on your visit and click history.

Categories of Personal data

  • User-generated data

  • Identity information

  • Geographical information

Legal basis

Consent

The processing that enables us and our partners to provide you with tailored marketing is based on your consent

Retention period

Your Personal data is retained for a period of 5 years from the time of collection.

Manage and address legal claims

In order to manage and address legal claims, e.g. in connection with a dispute or legal process, we process your personal data (where applicable).

Categories of Personal data

All information necessary to manage and address the legal claim.

Legal basis

Legitimate interest

The processing is necessary to fulfill our legitimate interest in managing and addressing legal claims, e.g. in connection with a dispute or legal process.

The processing of personal identity number is necessary in view of the purpose of the processing.

Retention period

Personal data is retained during the period necessary to manage and address the legal claim.

Fulfil legal obligations

We process your Personal data in order to fulfill other legal obligations to which we are subject, in addition to the legal obligations mentioned above in this privacy notice. Such obligations may e.g. include obligations regarding accounting and bookkeeping as well as requirements pursuant to the Data Protection Regulation.

Categories of Personal data

All information that is necessary to fulfill the respective legal obligation.

Legal basis

Legal obligation

The processing is necessary to fulfill legal obligations to which we are subject.

Retention period

Personal data is retained for the period necessary in order for us to fulfill legal obligations to which we are subject.

Manage and protect systems and services

We process your personal data if necessary in order to manage and protect our IT systems and services, e.g. in connection with logging, troubleshooting, backup, change and problem management in systems and in connection with any IT incidents.

Categories of Personal data

All information listed above

Legal basis

Legitimate interest

The processing is necessary to fulfill our legitimate interest in managing and protecting our IT systems and services.

Retention period

Personal data is retained for the same period as stated in relation to the respective purpose above. Personal data in logs is retained for troubleshooting, audits and incident management for a period of 12 months from the time of the event giving rise to the log.

Recipients who we share personal data with

When necessary, we share Personal data with the recipients specified below. Unless otherwise stated, named recipients are independent data controllers for their own processing of Personal data.

Authorities (e.g. the Police and the Swedish Tax Agency)

  • Purpose: In order to fulfill any legal obligations to which we are subject, e.g. in connection with requests from authorities or other legal claims.

  • Legal basis: Legal obligation. The processing is necessary to fulfill legal obligations to which we are subject.

Authorities (incl. courts) and legal representatives

  • Purpose: In order to fulfill any legal obligations to which we are subject, e.g. in connection with requests from authorities or other legal claims.

  • Legal basis: Legal obligation. The processing is necessary to fulfill legal obligations to which we are subject.

Buyers, sellers and external advisors/other parties involved

  • Purpose: To enable business changes, e.g. sale or merger of the business or investments in general.

  • Legal basis: Legitimate interest. The processing is necessary to fulfill our legitimate interest in conducting and executing business changes.

Service providers

To fulfill the purposes of the processing of Personal data, we share your Personal data with service providers that we have engaged. These suppliers provide services within e.g. IT services (companies that manage necessary operations, technical support and maintenance of our services provided to you and our IT systems). The service providers we have engaged are only allowed to process your Personal data in accordance with our explicit instructions and may not use your data for their own purposes. They are also required by law and agreement to take the appropriate technical and organizational security measures in order to protect your information.

Health data is only shared in either deidentified or pseudonymized form.

Appropriate safeguards for the transfer of Personal data to third countries

If PeakPath transfers or discloses your Personal data to a recipient in a country outside the EU/EEA area (third country), PeakPath will ensure that appropriate safeguards have been taken (such as the EU Commission's standard contract clauses and other necessary measures) in order to protect Personal data.

Pursuant to applicable data protection legislation, you have the right, upon request, to receive a copy of the documentation demonstrating that the necessary protective measures have been taken in order to protect your Personal data when transferring it to a third country.

If you would like to know more about the processing of your Personal data and if your Personal data is transferred to a third country, please contact us by using the contact information below.

Security

We will ensure that access to your information is adequately protected by having appropriate security measures implemented and, depending on the circumstances, taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks. To uphold this warranty, we have also implemented appropriate technical, physical and organizational measures to protect your Personal data from unlawful or accidental destruction, alteration or disclosure, misuse, damage, theft or loss by accident or unauthorized access.

Your rights

Rights in relation to your Personal data

In connection with our processing of your Personal data, you may, under certain conditions, exercise the following rights:

Access

You can request confirmation of whether or not your Personal data is being processed and, if it is being processed, request access to your Personal data and additional information such as the purpose of the processing. You also have the right to receive a copy of the Personal data that is processed. If the request is submitted electronically, the information will also be obtained in a commonly used electronic form unless you request otherwise.

Rectification

If you notice that Personal data about you is inaccurate or incomplete, you have the right to have your Personal data rectified.

Object to specific processing

You can object to processing of your Personal data if it is based on a legitimate interest, on grounds relating to your particular situation or if the processing takes place for direct marketing purposes. If we are unable to demonstrate compelling legitimate grounds to continue processing that override your interests, or if the processing is not necessary to establish, exercise and defend legal claims, we are obliged to cease the processing.

Erasure

You can have your Personal data erased under certain circumstances, e.g.

  • You withdraw your consent

  • Your access to the service is terminated (e.g. end of employment), in which case your PII will be removed.

Restrict processing

Under certain circumstances, you can request that we restrict the processing of your Personal data to only involve the storage of your Personal data, e.g. when the processing is unlawful but you do not want your Personal data deleted.

Withdraw consent

To the extent that the processing of Personal data is based on your consent, you always have the right to withdraw your consent.

Data portability

You have the right to request a machine-readable copy of the Personal data processed based on your consent or when the processing is necessary to fulfill an agreement with you as well as when Personal data has been obtained from you (data portability), and to request that the information be transferred to another data controller (if possible).

Complaints to the supervisory authority

You are welcome to contact us with questions or complaints regarding the processing of your Personal data. However, you also always have the right to lodge a complaint regarding the processing of your Personal data to the Swedish Authority for Privacy Protection.

Contact us

If you have any questions regarding the processing of your Personal data or if you wish to exercise any of your rights pursuant to applicable data protection legislation, please contact PeakPath by using the contact details below. If needed, we have the right to change and supplement the privacy notice.

The Data Controller is:

Nudge Labs AB

Döbelnsgatan 31

113 58 Stockholm, Sweden

Email address: dpo@peakpath.com

Subject access request process

Once the DPO receives a subject access request, PeakPath will respond with a request confirmation receipt. The user might be required to confirm their identity to further process the subject access request. Identity confirmation could include verification of ownership of the email address the data belongs to, or otherwise confirming that the recorded information belongs to the same person submitting the subject access request. Rectification of data and data portability requests require a higher degree of confidence in the confirmation.

PeakPath aims to comply with all subject access requests within 30 days.

If a subject access request incurs significant cost to PeakPath, the user may be asked to cover the corresponding costs incurred by PeakPath.

Data format of data portability requests will vary depending on the storage format of the data at PeakPath.

Categories of personal data

Below you will find an explanation of the categories of Personal data that we may collect and store about you and examples about what they may contain.

  • User-generated data

    • Website: Click and visit history, technical data regarding used devices and their settings (e.g. language setting, IP address, browser settings, time zone, operating system, screen resolution and platform), information about how you interacted with us, login method, which pages and how long different pages have been visited, response times, download errors, how to access and leave the service, etc.

    • Application: Click and visit history, technical data regarding used devices and their settings (e.g. language setting, IP address, browser settings, time zone, operating system, screen resolution and platform), login method, which views and how long different views have been visited, response times, etc.

  • Demographic data

    • Gender, age

  • Your communication

    • Personal data that you provide in your communication with us

  • Geographical information

    • Location data from your device that e.g. may be collected via cookies

  • Health information

    • Information regarding inter alia your sleep, rest, activity and stress

  • Identity information

    • Name, email, the name of your employer

  • Contact information

    • Email address and phone number

  • Results regarding your work environment

    • Information based on your health information regarding your work environment on an anonymized and aggregated level

  • Information about feedback

    • Opinions and comments regarding our services and products, e.g. from surveys and studies

  • Account information

    • Username/email address, password

List of subprocessors

Auth0

Purpose: App authentication solution.

Calendly

Purpose: Manage meeting bookings.

Datadog

Purpose: Security information and event management.

Google

Purpose: Cloud infrastructure provider and data processing (Google Cloud Platform), app analytics and push notifications (Google Firebase).

Heroku

Purpose: Cloud infrastructure provider. Data processing.

Hasura

Purpose: Application API provider.

Mailgun

Purpose: Send product emails.

OpenAI

Purpose: Generative AI services provider.

Sendbird

Purpose: Chat API provider.

Terra

Purpose: Integrate data from wearable devices.

Zendesk

Purpose: Customer support ticketing system.

Privacy Policy Version: 2.4.0