Integritetspolicy

PRIVACY POLICY FOR THE PROCESSING OF PERSONAL DATA


1. PARTIES AND RESPONSIBILITY FOR THE PROCESSING OF YOUR PERSONAL DATA

Curest AB (”Curest”, ”we”, ”us” or ”our”), reg no 559233-4162, address Aurorum 1C, Luleå, develops
digital rehabilitation tools for neck and head related injuries, hereinafter the ”Service”.

In this Privacy Policy, you can read about how Curest may process your personal data when you visit
our website at curest.se and/or purchase or use the Service or interact with us in any other way.

Curest as data controller and data processor

Curest is in some cases the data controller and in other cases the data processor for the processing of
your personal data.

When a company processes personal data and does so on its own initiative, determining the
purposes and means of the processing of personal data, it acts as a “controller”. Curest typically acts
as a controller when processing business contact data and personal data on its website.

When a company processes personal data on behalf of another company and according to its
instructions, it acts as a “processor”. Curest acts as a processor when providing the Service to its
customers. A customer is typically a health care provider that uses our Service to provide
rehabilitation services to its patients.
Whenever not specified in the text, the processing of personal data referred to is as a personal data
controller.

When Curest acts as data processor, you need to contact the data controller (often your health
provider) to find out how they process your personal data.

2. WHAT PERSONAL DATA DO WE COLLECT?

We collect personal data when you:
1. register for an email list or newsletter,
2. request any other information from us or otherwise contact us through our website, via
email or our social media accounts,
3. voluntarily participate in surveys,
4. visit curest.se
5. place an order for the Service,
6. register a user account for the Service on our portal at portal.curest.se, and
7. use the service.

Such personal data will often include your name, country, email address, IP address, other necessary
contact details and other information that you voluntarily provide to us. The personal data
processed in our Service will consist of personal data entered into and used in the Service by our
customers and their users, such as training statistics and registration of time and date for each
exercise.
We may also collect certain personal data from you automatically via cookies; for example, standard
information about internet logs and information about visitor behavior (see more under ”Cookies”
below).

3. PURPOSE, LEGAL GROUND AND STORAGE PERIOD

We will only use your personal data for the purposes, and on the basis of the legal grounds, as set
out below. We will not use your personal data for anything that is incompatible with the purposes
below. Furthermore, we will only use your personal data for the period specified as the ”Storage
Period”. Once such a period has passed, your data will be deleted.

When you sign up for our mailing list or newsletter

Purpose: When you sign up for a mailing list or newsletter, we will process your data to provide such
communication. Before we start processing your personal data for this purpose, we will ask for your
consent. The request will be clear and specific and give you a description of the purpose of our data
processing.
You have the right to withdraw your consent at any time, which means that we will delete the
personal data that you have provided or that has been collected by us under the consent. Please
send a request for your personal data to be deleted to legal@curest.se.
Legal ground: Your consent.

Storage period: We delete your data when you request this, when you unsubscribe from our mailing
lists or newsletters, or when the subscription ends in any other way.

When you request information from us or contact us in any other way

Purpose: When you request information from us or contact us in any other way, we will process
personal data such as name, email and other contact details to provide the services you request or to
answer your inquiries.

Legal ground: Our legitimate interests in maintaining good customer relationships and answering your inquiries.

Storage Period: We will delete your personal data within a reasonable time after you have contacted
us or after receiving your request for information. You can always contact us if you want such personal
data to be deleted in which case we will delete it within a reasonable time from your
notification.

When you participate in one of our surveys

Purpose: When you participate in surveys, we will process your personal data to analyze the
answers/results and improve our services based on such responses/results. Before we start
processing your personal data for this purpose, we will ask for your consent. Such a request will be
clear and specific and give you a description of the purpose of our data processing.

You have the right to withdraw your consent at any time, which means that we will delete the
personal data that you have provided or that has been collected by us under the consent. Please
send a request for your personal data to be deleted to legal@curest.se.

Legal ground: Your consent.

Storage period: We will delete your data within a reasonable time after completion of the analysis.
You can always withdraw your consent in which case we will delete your personal data within a
reasonable time from the withdrawal. When you visit our website at curest.se

Purpose: When you visit our website at curest.se, we will process your personal data to analyze and
develop the website and thereby improve the website.
Legal ground: Our legitimate interest in improving our website. See more under ”Cookies” below.
Storage period: See more under ”Cookies” below.

When you place an order for the Service

Purpose: When placing an order for our Service, we will process personal data such as business
contact information for contact and billing purposes.
Legal ground: The legal ground for our processing is the customer agreement that will be entered
into between us and the customer when placing an order for the Service. The processing of the
personal data is necessary for us to be able to enter into the customer agreement at a later time.
Storage period: If Curest does not delete your personal data earlier in accordance with the customer
agreement, personal data required for placing an order and entering into the customer agreement
will be deleted within six months after termination of the respective customer agreement. The
aforementioned does not apply to the extent Curest is required to retain such personal data (partly
or in full) for a certain period under applicable mandatory law.

When a user account is registered for the Service

Purpose: When a user account is registered for you on the portal at portal.curest.se, we will process
your personal data for the purpose of providing our Service to you in accordance with the customer
agreement. The customer is typically the health care provider that has given you access to the
Service and has registered the user account for you or asked us to register a user account for you. A
user account allows for the Service to connect data to a specific user. The personal data related to
user accounts on the portal are stored in our cloud service.

Legal ground: The legal ground for our processing is the customer agreement that has been entered
into between us and the customer when placing an order for the Service. The processing is necessary
for our delivery of the Service and for the performance of the obligations under the customer
agreement. To the extent the aforementioned purposes can be achieved on the basis of anonymized
data, we might anonymize your personal data and aggregate it with other users’ anonymized data.
When your personal data has been anonymized, it will no longer be considered personal data under
applicable data protection laws and for the purposes of this Privacy Policy.
Storage period: You can delete your account and personal data at any time. If Curest does not delete
your personal data earlier in accordance with the customer agreement, your account and personal
data will be deleted within six months after termination of the respective customer agreement. The
aforementioned does not apply to the extent Curest is required to retain your personal data (partly
or in full) for a certain period under applicable mandatory law.

When you use the Service

Purpose: When using the Service, we will process your personal data as a data processor in
accordance with a data processing agreement that we have entered into with the data controller.
The data controller is the health care provider that has given you access to use the Service. The data
will be processed for the purpose of providing our Service to you in accordance with the customer
agreement.

Legal ground: The legal ground for our processing is the customer agreement and the data
processing agreement that have been entered into between us and the customer when placing an
order for the Service.
Storage period: In accordance with the data processing agreement between us and the data
controller.

Anonymous use of your data

Please note that in some cases Curest may choose to anonymize your personal data and include it
with other users’ anonymized data to produce statistics.

Purpose: To anonymize your personal data to collect and analyze statistics (including analyzing
visitors’ use of our websites by tracking information such as page views, traffic flows, search terms
and click data) in order to improve our website.

Legal basis: Our legitimate interests in creating anonymous user statistics. If your personal data has
been anonymised, it will no longer be considered personal data under applicable data protection
laws.

Please note that the above retention periods do not apply to the extent that Curest is obliged to
retain your personal data (in whole or in part) for a certain period under applicable mandatory law.

4. WHO DO WE SHARE YOUR PERSONAL DATA WITH?

To achieve the purposes, we may share your personal data with our subcontractors. Such
subcontractors provide payment services, CRM system services, cloud and storage services,
advertising services and services for troubleshooting and correction of any defects in our website.
Some of our subcontractors may process your personal data outside the European Economic Area
(EEA). However, a transfer outside the EEA will only occur, if there is a legal ground for the transfer,
e.g. by (i) executing EU standard data protection clauses with the recipient of the personal data, or
(ii) ensuring that the country has an adequate level of protection of personal data, as decided by the
EU Commission, or (iii) for transfers to and processing in the USA, ensuring that the recipient holds
self-certifying registrations under the EU-U.S. and the Swiss-U.S. Privacy Shield Frameworks
administered by the U.S. Department of Commerce’s International Trade Administration.

5. YOUR RIGHTS

You are entitled to the following rights under applicable laws:

The right to access: you may at any time request to access your personal data. Upon request, we will
provide a copy of your personal data in a commonly used electronic form.
The right to rectification: you are entitled to obtain rectification of inaccurate personal data and to
have incomplete personal data completed.

The right to erasure (“right to be forgotten”): under certain circumstances you may request us to
delete your personal data. Please note that this right is not unconditional. Therefore, an attempt to
invoke the right might not lead to an action from us.

The right to object: to certain processing activities conducted by us in relation to your personal data,
such as our processing of your personal data based on our legitimate interest. The right to object also
applies to processing of your personal data for direct marketing purposes.

The right to restriction of processing: you may under certain circumstances request from us to
restrict the processing of your personal data. Please note that this right is not unconditional.
Therefore, an attempt to invoke the right might not lead to an action from us.

The right to data portability: you are entitled to receive your personal data (or have your personal
data directly transmitted to another data controller) in a structured, commonly used and machinereadable format.

You also have the right to lodge a complaint with the supervisory authority, which in Sweden is
Datainspektionen.

6. COOKIES

We use cookies, pixels and other technologies (collectively, “cookies”) on our website to improve
your experience with us.

Cookies are text files placed on your computer to collect standard Internet log information and
visitor behavior information. When you visit our website, we may collect information from you
automatically through cookies. For further information, visit allaboutcookies.org.

We use cookies to (i) recognize your browser, device and location, (ii) store and honor your
preferences and settings, (iii) learn more about your interests and serve you personalized content
and ads which we believe improves your experience with us, (iv) analyze how you use our site and
platform, and (v) provide you with essential features and services.

To illustrate the primary purposes for which we typically set cookies, please see below a general
categorization of cookies we commonly use. Please note that the information these cookies collect
may include personal data.

Essential cookies: These cookies are necessary for the website to function and cannot be switched off
in our systems. They are usually only set in response to actions made by you which amount to a
request for services, such as setting your privacy preferences, logging in or filling in forms. You can
set your browser to block or alert you about these cookies, but some parts of the website will not
work.

Performance cookies: These cookies allow us to count visits and traffic sources so we can measure
and improve the performance of our website. They help us to know which pages are popular and see
how visitors move around the website. If you do not allow these cookies, we will be less able to
optimize the website’s performance.

Functional cookies: These cookies enable the website to provide enhanced functionality and
personalization. They may be set by us or by third-party providers whose services we have added to
our pages. If you do not allow these cookies some services may not function properly.

Targeting cookies: These cookies may be set through our website by our advertising partners. They
may be used by those companies to build a profile of your interests and show you relevant
advertisements on other sites. If you do not allow these cookies, you will experience less targeted
advertising.


Third-party cookies: As mentioned above, some cookies are placed by third parties acting on our
behalf (such as advertising and analytics partners, social media networks and search engines). Third
parties use cookies to (i) deliver content, including ads which we believe are relevant to your
interests, (ii) analyse the effectiveness of the ads, and (iii) perform services on behalf of Curest.


Most browsers allow you to control and manage browser cookies through their settings. Please note
that removing or blocking cookies can impact your user experience and some functionality may no
longer be available.

7. DATA SECURITY

To keep your personal data secure, we apply a number of security measures in line with industry best
practice and we will take any reasonable steps and precautions against security breaches to ensure
safekeeping of your personal data. We shall comply with our internal security guidelines available on
curest.se or such other place as we designate.

8. CONTACT

If you have any questions regarding our handling of your personal data or our use of cookies or if you
wish to invoke any of your rights under applicable privacy laws, please send an email to
legal@curest.se.

9. CHANGES

If we change how we handle your personal data or how we use cookies, we will immediately update
this privacy policy and publish it on the website.