Personal Data Policy for Tandem Health

1. Introduction and Contact Information

1.1 Purpose of the Personal Data Policy

At Tandem Health AB ("Tandem" / "We"), we value your privacy. The purpose of this personal data policy is to inform you, as a user or prospect, how Tandem Health collects, uses, protects, and manages your personal data. This personal data policy relates to the processing that Tandem carries out as a data controller. It does not govern the data processing operations that we perform as a data processor within the meaning of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (“GDPR”), which are covered by a separate document.

1.2 Data Controller and Data Protection Officer

Tandem Health AB is registered with the Swedish Companies Registration Office with org. no. 559444-6857 and has its head office at Kungsklippan 12, 112 25 Stockholm, Sweden. Tandem is the data controller in accordance with the GDPR for the personal data processing described in this information. At Tandem, we have appointed a Data Protection Officer (DPO) who you can contact if you have any questions about how we process your personal data and/or if you wish to exercise the rights you have over your personal data. You can contact our DPO at dpo@tandemhealth.ai.

2. Processing of Personal Data

In accordance with the principle of ‘data minimization’, we endeavour to collect and use only personal data that is relevant and strictly necessary for the purposes for which it is to be processed.

2.1 What Personal Data We Collect About You

If you are a prospect, Tandem collects the following categories of personal data:
- Identification data: name, surname, position, etc.  
- Contact details: postal address, email address, phone number, etc.

If you are a client, Tandem collects the following categories of personal data:
- Identification data: name, surname, company name, internal number.
- Contact details: postal address (billing and delivery address), email address, phone number, etc.
- Professional data: personal identification number, HSA ID, VAT identification number, etc.
- Financial information: payment and billing details such as IBAN number, credit card number, etc.
- Other data that you are likely to communicate to us spontaneously, in particular when requesting support.

2.2 Why and on What Legal Basis We Process Your Data

In the course of our relationship, Tandem may process your personal data for the following purposes and on the following legal bases:

If you are a Prospect:

| Purposes of Processing | Legal Basis for Processing |
|---|---|
| Sending commercial prospecting by electronic means | Legitimate interest (Article 6(1)(f) GDPR) to promote its products and services. |
| Organisation / participation in business development and client relationship-building events | Legitimate interest (Article 6(1)(f) GDPR) to develop and enhance customer satisfaction and trust. |

If you are a Client:

| Purposes of Processing | Legal Basis for Processing |
|---|---|
| Management of Customer Support | Performance of a contract (Article 6(1)(b) GDPR). |
| Management of User Authentication | Performance of a contract (Article 6(1)(b) GDPR). |
| Preparation and management of contracts | Legitimate interest (Article 6(1)(f) GDPR) to manage its contractual relationships. |
| Management of invoices | Performance of a contract (Article 6(1)(b) GDPR). |
| Management of contact requests and mail | Legitimate interest (Article 6(1)(f) GDPR) to manage its correspondence and respond to contact requests. |
| Aggregated Usage Analysis | Legitimate interest (Article 6(1)(f) GDPR) to develop and improve our services. |
| Organisation / participation in business development and client relationship-building events | Legitimate interest (Article 6(1)(f) GDPR) to develop and enhance customer satisfaction and trust. |

| Purposes of Processing | Legal Basis for Processing |
|---|---|
| Management of potential pre-litigation and litigation | Legitimate interest (Article 6(1)(f) GDPR) to protect and defend its legal interests. |
| Management of requests to exercise rights over personal data | Legal obligation (Article 6(1)(c) GDPR). |

3. Storage of Data

Your personal data will be kept in a form that enables you to be identified for no longer than is necessary for the purposes for which it is to be processed. Subject to the existence of legal or regulatory obligations requiring storage for a longer period, your personal data is retained for the periods indicated below:

| Data subjects | Data retention period |
|---|---|
| P | 3 years from the date of your last contact |
| C | 5 years from the end of our contractual relationship |

4. Recipients of Personal Data

Within Tandem, only persons authorized by virtue of their duties or functions may access the personal data processed, and this strictly within the limits of their respective attributions and the performance of these duties and functions.

Your personal data may be communicated to our data processors (for example, our technical service providers), in strict consideration of the purposes sought and only in the event that it proves necessary for the latter to fulfil their missions. These third-party companies are not authorised to share the information that may be communicated to them or to use it for any other purpose.

Tandem has ensured that its relationship with these third-party companies is set out in each contract so as to ensure an adequate level of security for your data.

Lastly, your personal data may be communicated to authorised third parties, i.e. the legally authorised public authorities.  

5. Transfers of Personal Data to Countries Outside the EU/EEA

Your personal data may be transferred to third countries located outside the European Union. In such cases, we systematically take all appropriate measures to verify and, if necessary, guarantee that the recipients of the data comply with an adequate level of protection equivalent to the European regulations, in particular by signing standard contractual clauses adopted by the European Commission.

6. Your Rights

In accordance with the GDPR, you have the following rights with regard to your personal data:

- Right to Information - You, as the data subject, have the right to receive information about how we process your personal data. We inform you through this policy and by answering your questions.  

- Right to Access - You, as the data subject, have the right to receive confirmation from us if we process your personal data, access the personal data, and certain information about the processing itself (e.g., the purpose of the processing).  

- Right to Rectification - You, as the data subject, have the right to have incorrect personal data about you corrected by us without undue delay, as well as the right to supplement incomplete data.  

- Right to Erasure (Right to be forgotten) - You, as the data subject, have the right to have your personal data erased under certain circumstances. The right to erasure does not apply if the processing is necessary for exercising the right to freedom of expression and information, for compliance with a legal obligation that requires processing under Union or Member State law that we are subject to, or for the establishment, exercise, or defense of legal claims. The right to erasure may, depending on the basis for your request, also be limited if the data is still necessary for the purpose or if there are compelling legitimate grounds for the processing that override your right to erasure under Article 21.1 GDPR. However, the right to erasure always exists in the case of processing for direct marketing purposes upon objection under Article 21.2 GDPR.  

- Right to Restriction of Processing - You, as the data subject, have the right to require the restriction of processing of your personal data. The right to restriction of processing applies if you contest the accuracy of the data, if the processing is unlawful, or if the data is no longer needed for the purposes but you need it to establish, exercise, or defend legal claims. If you have objected to processing in accordance with Article 21.1 GDPR, the right also applies while awaiting verification of which party's reasons outweigh the other's.  

- Right to Object - You, as the data subject, have the right to object to processing based on public interest, the exercise of official authority, or legitimate interest. In such a situation, the processing ceases unless there are compelling legitimate grounds that override your interests or if the purpose of the processing is to establish, exercise, or defend legal claims. Processing for direct marketing ceases if you object to such processing.  

- Right to Data Portability - You, as the data subject, have the right, in certain cases, to receive the data you have provided us and have the data transferred to another data controller. The right exists when we process personal data automatically and based on your consent or on a contract.  

- Rights in Relation to Automated Decision-Making - You, as the data subject, have the right not to be subject to automated decision-making that has legal effects or similarly significantly affects you. The right does not exist if it is necessary for the performance of a contract, is permitted by Union or Member State law that applies to us, or is based on your consent.  

- Right to Lodge a Complaint - You, as the data subject, have the right, according to Article 77 GDPR, to lodge a complaint with a supervisory authority if you believe that the processing is in violation of the regulation. You can find more information and complaint forms on the website of the National Data Protection Authorities.

As mentioned above, should you wish to exercise your rights over your personal data, please contact us:
- By e-mail, at dpo@tandemhealth.ai;
- By post, to the following address: Tandem Health AB – Attn.: Data Protection Officer - Kungsklippan 12, 112 25 Stockholm, Sweden.

7. Automated Decision-Making

Your personal data will not be subject to automated decision-making that has legal effects or similarly significantly affects your situation.

8. Security Measures

We are committed to ensuring the confidentiality, integrity, availability and security of your personal data. In accordance with the GDPR, we endeavour to implement the appropriate technical and organisational measures to guarantee the level of security that is most appropriate to the risks incurred when processing your personal data. We also take steps to prevent, as far as possible, any loss, accidental destruction, alteration or unauthorised access to your personal data.

9. Updates to the Personal Data Policy

Tandem Health continually works to improve our services. Therefore, we may update this information. When we make changes to the policy, we will publish the updated version on our website and indicate the date of the latest update. For updates of significant importance to the processing of your personal data, we provide information about this through email or a notice on our website in accordance with applicable legislation. Please visit this page regularly to stay informed about how we process your personal data. The information was last updated on September 1st, 2024.

10. Contact Us

If you do not find answers to your questions in the information in the previous sections, you are warmly welcome to contact our Data Protection Officer at dpo@tandemhealth.ai.