Privacy Policy | Saura Health

Data Controller and Contact Information

Saura Health Oy, hereinafter Saura, is the data controller and is responsible for processing your personal data.

The Data Protection Officer is Tatu Koivisto (tatu@saura.health)

Processed Data

Health Data:

Laboratory test results
Self-reported health and wellness information
Customer service health-related chat and phone recordings containing health or wellness information
Service usage data, such as ordered tests
Health-related messages and feedback
Payment information, such as billing and payment transactions

Other Personal Data:

Basic and contact information (e.g., name, personal identity code, address, phone number, email address)
Permission data – such as marketing permissions
Web behavior data – such as login information, other data obtained from using our services, including offline web behavior, data collected through website cookies
Customer service chat recordings and phone recordings that do not contain health or wellness information
Communications – such as survey responses and other feedback and messages sent to us that do not contain health or wellness information
Information about your use of our services that does not contain health or wellness information

Sources of Processed Personal Data

The processed personal data includes information obtained from you during ordering, joining the service, or during the customer relationship.

Test results obtained through Saura and produced by the laboratory.

We also receive tracking data about how you use our website and services. Saura may also process derived data that has been derived or inferred based on received information. Our service also connects to identification, verification, credit information, payment intermediary, or other similar service providers and receives related information.

Additionally, user web behavior is tracked and analyzed with Google Analytics, Active Campaign, Giosg, Hotjar, Youtube, Getsitecontrol, Readpeak, Google Ads, Google Tag Manager, and Facebook services, if the user has given consent.

The above-mentioned services are used in website development, customer service organization, and marketing targeting.

Why is Personal Data Processed?

We process health data for the following purposes:

Service Implementation and Development

Customer relationship management – for example, order receipts, service-related notifications including completed laboratory results and customer sampling instructions
Service provision and maintenance, order management and delivery
Identification of registered persons
Event data retention
Organization, implementation, and monitoring of laboratory tests
Subcontractor communication with our contract laboratory
Management of user-entered data
Invoices, collection, refunds to customers
Archiving of contracts and invoices
Development of Saura services and business and related customer service development
Saura's own operations planning, development, statistics, reporting, audits, and other tasks required to implement the controller's rights and obligations
Processing customer feedback, complaints, and dispute management
Processing official investigation requests based on EU or Finnish legislation, e.g., GDPR
Personal data transfers (e.g., business transfers, assignments, or business transactions)
Establishing, presenting, or defending legal claims
Partner reporting (separately agreed with corporate customers as part of the service)
Statistical processing for service development

Service and Marketing Messages

Informing and reminding customers using customer and health data, for example about possible follow-up tests and feedback surveys
Communication related to Saura services and targeted direct marketing (for current and potential future customers)

We may send you service and direct marketing communications related to your previous transactions and purchase history, such as reminders, surveys, offers, or information about Saura services. You can opt out of receiving this communication with each message or by notifying Saura customer service (contact details in section 1).

What is the Legal Basis for Processing Personal Data?

The legal bases for processing personal data include:

Contract: We need to establish a contractual relationship between you and Saura and fulfill our contractual obligations.
Consent: Your given consent. If our processing of personal data is based on your consent, you can withdraw your consent at any time.
Legal obligations: We must comply with legal obligations (legislation, such as accounting legislation requires us to retain certain information for a certain period) and establish, present, or defend Saura's legal claims.
Legitimate interest: Implementation of Saura's legitimate interests. Saura's legitimate interest is based on the customer relationship between Saura and the registered person or other similar significant relationship.

Who Processes My Personal Data and Where Is It Disclosed?

At Saura, personal data is processed for the aforementioned purposes. Saura may outsource personal data processing to external service providers who process personal data on behalf of Saura.

Saura procures laboratory services from Vita Laboratoriot Oy, which processes patient data generated in operations as an independent controller and healthcare unit. The laboratory test results ordered by Saura's customer are also delivered to Saura's web service for the customer to view.

Important for mobile app users:Laboratory test results are viewable exclusively through Saura's web service (saura.health), which is a healthcare information system registered with Valvira (National Supervisory Authority for Welfare and Health). The mobile app serves as an ordering channel and general health tracking tool, but laboratory results are not stored or displayed in the mobile app for data protection reasons.

At Saura, your information and ordered research results are visible in Saura's web service so you can view them and track your progress. Saura retains personal data only as long as necessary to fulfill the purposes described in this privacy policy. Saura primarily retains personal data as long as the customer relationship can be considered to exist between Saura and the registered person, after which personal data is retained after the end of the customer relationship as long as retention is necessary to fulfill Saura's legal obligations or legitimate interests, or for example to establish, present, or defend a legal claim.

Customer data is generally not transferred outside the European Union or European Economic Area. However, Saura may transfer personal data (excluding laboratory test results) to, for example, the United States, in which case the data transfer is primarily based on the European Commission's decision on the adequate level of data protection in the United States, or alternatively on other transfer bases in accordance with data protection legislation.

Your Rights

Right to receive information about personal data processing: You have the right to receive information about personal data processing, for example, for what purposes or how personal data is processed. Saura informs about personal data processing in this privacy policy. You can also contact Saura regarding personal data processing as described in the first section of this privacy policy.

Right to access personal data: You can review your own information through your own Saura reporting page. The service covers the personal information you have provided, as well as test results related to your health and information you have provided. You can also make a written request for inspection of personal data by contacting Saura as described in the first section of this privacy policy.

Right to rectification of data: You can make a written rectification request by email and request the correction of your inaccurate and incorrect personal data.

Right to erasure of data: Your data can be deleted from Saura at your request, unless there is a special reason to deny the deletion request.

Withdrawal of consent: When processing is based on your consent, you can withdraw your consent at any time. You can withdraw your consent through our customer service.

Right to data portability: If the processing of personal data is based on your consent or contract and the processing is carried out automatically, you have the right to receive your personal data in a structured, commonly used, and machine-readable format. If you wish, you can save test results for yourself through the Saura reporting page.

Right to restriction of personal data processing: Under certain conditions, you have the right to have the processing of your personal data restricted, for example, if you contest the accuracy of your data, in which case processing is restricted for the period during which Saura can verify their accuracy.

Right to object to personal data processing: You have the right to object to the processing of your personal data on grounds relating to your particular situation to the extent that processing is based on Saura's legitimate interest. In this case, Saura will no longer process personal data, unless there is a compelling legitimate reason for processing that overrides the data subject's interests, rights, and freedoms, and if it is necessary to establish, present, or defend a legal claim. To the extent that personal data is processed for direct marketing purposes, you have the right to object to processing for such marketing at any time.

Prohibition of electronic direct marketing: You can opt out of receiving marketing messages with each message or by notifying Saura.

Right to lodge a complaint with a supervisory authority: If you believe that the processing of personal data concerning you violates data protection legislation, you have the right to lodge a complaint with the supervisory authority at the Office of the Data Protection Ombudsman.

How is Personal Data Protected?

Data protection and security is of paramount importance to us. All data processing is done with Saura's information system, which is registered with the National Supervisory Authority for Welfare and Health (Valvira).

Laboratory test results can only be accessed by those laboratory testing personnel who must process health data to provide the service and who are bound by statutory or contractual confidentiality obligations. Personal data is processed with personal usernames and according to the authorizations required by work tasks.