Activate Health

Privacy Policy

Effective date: 01.03.2021

We are Activate Health OÜ, a private limited company, incorporated under the laws of Estonia, registration code 16035006, registered address Valukoja tn 10, 11415, Tallinn, Estonia (hereinafter “Activate Health”, “we”, “us” or “our”). Activate Health operates the website www.activate.ee and its subdomains (hereinafter the “Web Site”), and the software, databases, interfaces, associated media, documentation, updates, new releases and other components or materials incorporated therein or integrated therewith (hereinafter collectively the “Platform”).

This privacy policy document (hereinafter “Privacy Policy”) describes our privacy practices and how we process Personal Data.

If you have any questions about how we process your Personal Data or if you wish to submit an application for exercising your rights related to processing your Personal Data, please contact us through the contact information provided in the section “Contacts” below.

  1. Terms

    1. “Agreement” - Legally binding contract between the Customer and Activate Health for using the Platform and Services on the terms of Activate Health Terms of Service.
    2. “Coach” - Health and wellbeing specialist, such as nutrition counselor, sleep counselor, personal trainer, mental well-being counselor or other counselor connected to the Platform and with whom the Customer may share his/her data to seek counselling.
    3. “Customer” - Person (natural person or legal person) who uses Activate Health Services and has thereby entered into service agreement with us in accordance with Activate Health Terms of Service.
    4. “Data Controller” - Natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data. In the context of this Privacy Policy, Data Controller means Activate Health.
    5. “Data Processor” - Natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the controller.
    6. “Data Subject” - Natural person whose Personal Data is processed by Activate Health. In the context of this Privacy Policy, “data subject”, “Customer” and “you” refer to the same.
    7. “GDPR” - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
    8. “Personal data” - Any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular on the basis of such a record as the name, personal identification code, place of location information or network identifier, or on the basis of one or more physical, physiological, genetic, mental, economic, cultural or social identities.
    9. “Processing” - Any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
    10. “Service” or “Services” - Any service made available by Activate Health via the Platform pursuant to our Terms of Service.
    11. “Special category data” - Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation. In the context of this Privacy Policy, Special category data mostly refers to health data.
    12. “Terms of Service” - Activate Health Terms of Service, available at www.activate.ee
  2. Why we Process Personal Data and what Personal Data do we Process as a Data Controller?

    1. When the Customer has opted to use our Platform and Services, we need to process your Personal Data to enable the Services via our Platform.
    2. Upon the provision of the Services, we process Personal Data that is submitted to us directly by the Customers in the course of using our Platform and Services. Such data includes the following data:
      1. general personal information: name (first name, last name); date of birth, personal identification code or address;
      2. contact details: e-mail address; phone number;
      3. account related details: login details and password used for creating account via Platform;
      4. work and health related details: information about your organisation, information about your occupation / type of work you do; health and well-being goals and information about your health as disclosed by you;
      5. payment data: if the use of the Services by you is subject to any fees, then payment data related to the use of the Services;
      6. technical information: technical information collected in the course of your use of the Services such as the operating system of your device (iOS/Android) and other data collected via cookies (please see the Cookies section below).
  3. What is the legal basis for Processing Customer Personal Data?

    1. We may process Personal Data to provide Services to the Customer in accordance with Activate Health Terms of Service. Legal basis for such data processing is GDPR Article 6-1-(b), i.e. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
    2. We may process Personal Data based on the consent granted by the Customer. Legal basis for such data processing is GDPR Article 6-1-(a). In those situations, we process Personal Data on the terms as provided in the consent that has been granted to us by each Customer. For example, we may rely on the consent as a legal basis when processing Special category data.
    3. We may process Personal Data when processing is necessary for compliance with a legal obligation to which we are subject, for example for accounting purposes under applicable accounting legislation or when Personal Data is requested from us on the basis of valid request by competent authorities, such as on the basis of valid court order issued by the court. Legal basis for such data processing is GDPR Article 6-1-(c).
    4. In certain specific situations we may also process Personal Data where processing of Personal Data is necessary for the purpose of our legitimate interests pursued by us. Legal basis for such data processing is GDPR Article 6-1-(f). In such a case we shall ensure that processing is proportionate and that we have carried out legitimate interest impact assessment. For example, for the purpose of our legitimate interest we analyse how our Services and Platform are used by our Customers so we can provide better service.
  4. How long is Personal Data retained?

    1. Activate Health does not retain Personal Data longer than it is necessary for the purposes of processing Personal Data or pursuant to applicable law. As a general rule, we apply the following retention periods.
    2. Personal Data related to contracts can be retained during the term of the contract and based on our legitimate interest pursuant to Article 6 (1) (f) of the GDPR until the end of the statutory limitation periods under applicable law. Accordingly, as a general rule Activate Health retains Customer Data collected in relation to the provision of the Services as long as it is necessary for the provision of the Services during the term of the Agreement concluded between Customer and Activate Health and for 3 years after the term of the Agreement. In this regard, as a general rule, if the Customer has not used our Platform for 3 years (you have not logged in to your profile on our Platform for 3 years), your profile and all Personal Data therein will be deleted, unless we have a legal basis for retaining your Personal Data for a longer time period.
    3. Personal Data collected on the basis of the consent will be retained until the withdrawal of the consent. If you have not withdrawn your consent, as a general rule Activate Health applies the same retention period to the Personal Data collected on the basis of consents as to Personal Data collected to ensure the Services. In this regard, as a general rule, if the Customer has not used our Platform for 3 years (you have not logged in to your profile on our Platform for 3 years), your Personal Data collected on the basis of the Consent will also be deleted.
    4. Personal Data related to accounting source documents and accounting journals must be retained in accordance with the relevant accounting laws. Therefore, pursuant to the Accounting Act, we retain accounting documents for 7 years.
  5. For what purposes do we Process your Personal Data?

    1. Activate Health processes Personal Data for the following purposes:
      1. Registration of the Account.
        1. Types of personal data: First name, last name, e-mail address, password selected for the user account
        2. How have we obtained Personal Data: Directly from each data subject.
        3. Retention period: During the term of the Agreement with the data subject under Activate Health Terms of Service. After the termination of the Agreement with the data subject under Activate Health Terms of Service 3 years based on our legitimate interest until the end of the limitation periods under applicable law.
      2. Creating the user profile under the Account
        1. Types of personal data: Profile data (height, weight, birthday, gender); work related data (type of work, size of the organisation); health and well-being goals
        2. How have we obtained Personal Data: Directly from each data subject.
        3. Retention period: During the term of the Agreement with the data subject under Activate Health Terms of Service. After the termination of the Agreement with the data subject under Activate Health Terms of Service 3 years based on our legitimate interest until the end of the limitation periods under applicable law.
      3. Enabling the use of the Services via Platform to the data subject.
        1. Types of personal data: Any information submitted by data subject concerning him/her to us upon the use of the Services via Platform.
        2. How have we obtained Personal Data: Directly from each data subject.
        3. Retention period: During the term of the Agreement with the data subject under Activate Health Terms of Service. After the termination of the Agreement with the data subject under Activate Health Terms of Service 3 years based on our legitimate interest until the end of the limitation periods under applicable law. To the extent that the Personal Data relates to Special category data and the consent from the data subject has been obtained, until the withdrawal of the consent or after 3 years have passed since the data subject last used the Services, whichever occurs sooner.
      4. Answering the inquiries of the data subject.
        1. Types of personal data: Name, e-mail and other Personal Data that is submitted to us directly by you also if you contact us with a query or question via Platform or via any other channel (by sending an e-mail, for example).
        2. How have we obtained Personal Data: Directly from each data subject.
        3. Retention period: Until the end of the limitation period of the claim related to which the inquiry is submitted. Generally, such term is 3 years.
  6. How can your Personal Data be accessed by Coaches?

    1. The Platform and the Services enable you to get a wellness and health related consultation from a Coach. For that purpose you may share your Personal Data, that may include Special category data with Coach(es).
    2. You have complete control over who has access to your Personal Data and with whom you share your Personal Data. You can share your Personal Data with Coach(es) by using a “Snapshot” function. You can see the overview of the Coach(es) with whom the Personal Data is shared under the section “Your snapshots”.
    3. If you wish to stop sharing of your Personal Data with the Coach, you can do it as described under the “Snapshot” or by deleting the snapshot by clicking on “Delete snapshot”. If you delete the snapshot or stop sharing the snapshot, the relevant Personal Data about you will no longer be accessible to Coach(es).
    4. If you have any additional questions on how the Coach(es) may access your Personal Data, you may contact us via contact details provided below.
  7. How can we access your Personal Data from third sources?

    1. The Platform and the Services enable you to gather your health and wellness related information originally collected by other service providers, such as Google, Apple, Samsung or other service provider under your profile on the Platform. For that purpose, the Platform and the Services may ask your permission to access the data collected by such other service providers, such as Google, Apple, Samsung or other service providers.
    2. Please note that you shall have complete control over the list of third parties from whom the Platform may access the data. Activate Health will never collect or ask your Personal Data independently from any third parties unless you have explicitly requested it, for example by clicking on the “access information” button or similar button.
    3. Please note that when you enable the Platform to connect to such third service provider services and data, terms and conditions of such third party may apply and you should read and examine such third party’s terms of use and privacy policies before connecting the Platform with such third party services.
    4. If you have any additional questions on how the Activate Health may access your Personal Data from third sources, you may contact us via contact details provided below.
  8. When do we share your Personal Data?

    1. We may share your Personal Data with certain third-party service providers, e.g. IT suppliers or other service providers. We also share your Personal Data with third party payment service providers if your use of our Services is subject to payment and you choose a payment method in the course of your use of the Services. Please note that for processing your payment related data, the payment service provider shall be considered as controller of your data and privacy terms and other terms and conditions of such payment service provider apply.
    2. We may also share your Personal Data with third parties if we are legally required to do so, for example if Personal Data is requested from us by any authority competent to ask such data, for example if the data is asked from us by the court or law enforcement agency.
    3. We may transfer your Personal Data to third countries, i.e. countries outside the EU/EEA area, for the purposes explained in this Privacy Policy. When transferring your Personal Data to third countries, we will ensure that the transfer is subject to appropriate safeguards under GDPR and that your rights are protected, such as the Commission’s model contracts for the transfer of Personal Data to third countries (i.e., the standard contractual clauses). You may request a copy of the safeguards we have put in place with respect to the transfer of Personal Data by contacting us via contact details below.
  9. How do we protect your Personal Data?

    1. To protect your Personal Data from unauthorized access, unlawful processing or disclosure, accidental loss, modification or destruction, we use appropriate technical and organisational measures that comply with applicable laws. These measures include but are not limited to the implementation of appropriate computer security systems, protection of paper and electronic format files by technical and logical means, controlling and limiting access to documents and buildings.
  10. Cookies

    1. Our Platform and Services use cookies. This section incorporates our cookie policy (the Cookie Policy) that applies when you use Platform.
    2. Cookies are small data files stored on your hard drive by a website. Cookies help us monitor and improve the functionality and usage of our Platform and your experience on Platform. We can use cookies to see which areas and features are popular and to count visits to our Platform to recognize you as a returning visitor and to tailor your experience of the Platform according to your preferences. We may also use cookies for targeting or advertising purposes.
    3. We use the following types of cookies on our Platform:
      1. Strictly necessary cookies, that are essential in order to enable you to navigate and use the features of the Platform.
      2. Functional cookies, that record information about choices you have made that allow us to tailor Platform to your needs. Functionality cookies remember choices you make. The functional cookie used by us stores your email after login, so that if you log in to the platform with multiple emails we can suggest that you merge different platform accounts, which should simplify your processes.
      3. Statistics cookies, that record information about the way our Platform is used, to acquire knowledge on how often our Platform is visited, where on our Platform our visitors spend the most time, how often they interact with a page or part of a page, this allows us to make the structure, navigation, and content of our Platform as user-friendly as possible.
      4. Advertising cookies, that allow advertisers to track your use of the Portal to target advertising and content that might interest you the most.
    4. The specific cookies that Platform uses are the following:
      1. VISITOR_INFO1_LIVE
        1. Description: This cookie is set by YouTube. Used to track the information of the embedded YouTube videos on a website.
        2. Duration: 5 months 27 days
        3. Type: Advertisement
      2. _ga
        1. Description: This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
        2. Duration: 2 years
        3. Type: Analytics
      3. _gid
        1. Description: This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected includes the number of visitors, the source where they have come from, and the pages visited in an anonymous form.
        2. Duration: 1 day
        3. Type: Analytics
      4. _gat_gtag_UA_130275624_1
        1. Description: Google uses this cookie to distinguish users.
        2. Duration: 1 minute
        3. Type: Analytics
      5. CONSENT
        1. Description: This cookie is set by YouTube and used to collect consents.
        2. Duration: 16 years 9 months 24 days 10 hours
        3. Type: Analytics
      6. YSC
        1. Description: This cookie is set by YouTube and is used to track the views of embedded videos.
        2. Duration: Session
        3. Type: Performance
    5. You can delete or block cookies on Platform through your browser settings at any time. However, some cookies might be necessary for the functionality of Platform. Therefore, you understand that when blocking or deleting the cookies some features of Platform might not function correctly.
    6. For more general information about cookies including the difference between session and persistent cookies please see www.allaboutcookies.org.
    7. In case you have any question concerning Cookie Policy, you may contact us via contact details provided below.
  11. Your rights

    1. Activate Health is dedicated to ensuring that all data subject rights arising under applicable law are always guaranteed to you. In particular, any data subject has:
      1. the right to access the Personal Data that Activate Health processes about you;
      2. the right to request that Activate Health rectifies any inaccurate Personal Data about you;
      3. the right to request Activate Health to erase your Personal Data and/or restrict the processing of your Personal Data if we do not have valid legal basis for processing;
      4. the right to receive your processed Personal Data in a structured, commonly used and machine-readable format and have the right to transmit your Personal Data to another controller;
      5. the right to object to the processing of your Personal Data.
    2. If you believe that your rights have been infringed, you may contact and lodge a complaint to the supervisory authority applicable for your jurisdiction (Data Protection Inspectorate in Estonia, address Tatari 39, Tallinn 10134, info@aki.ee, or other competent authority in your jurisdiction). List of national Data Protection Authorities in EU is available at https://edpb.europa.eu/aboutedpb/board/members_en.
  12. Governing law and jurisdiction

    1. This Privacy Policy shall be governed by the laws of the Republic of Estonia. Any disputes arising from this Privacy Policy shall be settled in the Harju County Court in the Republic of Estonia, unless you have a right to turn to the court of your residence pursuant to statutory law.
  13. Contacts

    1. If you have any questions about this Privacy Policy or Cookie Policy or if you have any concerns about how we use your personal data or if you want to exercise your rights as described above, you may contact us via e-mail or in writing using the following contact information:
      1. Activate Health OÜ
      2. e-mail: info@activate.ee
      3. address: Valukoja tn 10, 11415, Tallinn, Estonia