Privacy Statement Blue Health Intelligence

Blue Health Intelligence handles the data of its clients and users with due care. (Medical) personal data are treated confidentially and are adequately secured. We comply with the applicable laws and regulations in the field of privacy and data protection, including the General Data Protection Regulation (GDPR). This also applies when your data are shared with third parties in the context of care, aftercare, or guidance. Where required, we request your (explicit) consent for the processing of your personal data.

In this privacy statement, we inform you about the personal data we process, for which purposes we do so, and which rights you have. We therefore advise you to read this statement carefully.

1. Responsible for your personal data

The responsible entity and person for the processing of your personal data is:

Tiuri Health B.V. (brand name: Blue Health Intelligence)
Linnaeushof 81h
1098 KS Amsterdam
The Netherlands

Telephone: +31 (0)20-2101572
E-mail: privacy@bluehealth.co

Chamber of Commerce number (KvK): 98047213

Data Protection Officer

Blue Health Intelligence has appointed a Data Protection Officer (DPO). The contact details are:

Peter-Paul de Leeuw
E-mail: peterpaul@bluehealth.co
Telephone: +31 (0)20-2101572

2. Categories of personal data

When you visit our website, use our app, register for a membership, or book a health scan with us, you provide certain data to us. This also occurs in the context of the performance of a (medical) treatment agreement and/or a services agreement. Depending on the service you use, we may process the following categories of personal data:

Identification and contact details

  • Name, address, city (name and address details)

  • Gender

  • Date of birth

  • E-mail address

  • Telephone number

  • Contact and communication preferences

  • (If applicable) data of insurance partners

Account and usage data

  • Login details for your Blue Health Intelligence account (username, hashed passwords)

  • Preferences within the app/portal

  • Information about your appointments and membership

  • Log files and usage data of the website and app (such as visited pages and functions used)

Technical data

  • IP address

  • Device and browser information

  • Cookie IDs and similar identifiers

Payment and invoicing data

  • Payment method

  • Transaction data

  • Invoice data

Data relating to your healthcare providers

  • Data of your general practitioner, medical specialist, or other healthcare providers (if relevant)

Medical and health data (special categories of personal data)

  • Medical history (e.g. previous conditions, surgeries)

  • Physical characteristics (such as weight, height, BMI, blood pressure, heart rate)

  • Lifestyle data (e.g. sleep, physical activity, nutrition, smoking and alcohol use)

  • Data relating to your health in a broad sense

  • Results of laboratory tests (blood, urine and other biomarker analyses), including but not limited to:

    • Cholesterol and other blood lipids

    • Glucose values and markers for (pre)diabetes

    • Kidney and liver function

    • Hormones, allergies, vitamins (if applicable)

  • Results of imaging examinations, such as:

    • Ultrasound or other scans

    • Other imaging materials

  • Reports and advice from physicians, including any translations thereof

  • Results of cardiological examinations (e.g. ECG recordings, heart rhythm data)

Data from wearables and other devices (if you connect these)

  • Activity data (e.g. steps, workouts, heart rate)

  • Sleep data

  • Other health data from wearables, home measurement devices, or apps that you connect

We are the data controller within the meaning of the GDPR for the above-mentioned data insofar as we determine the purpose and means of the processing.

3. Legal bases for data processing

We process your personal data only if there is a valid legal basis for doing so.

Medical personal data (special categories)

Your medical personal data are in principle processed only on the basis of:

  • Your explicit consent (Article 9(2)(a) GDPR), for example when you consent to specific examinations, the use of wearables, or the sharing of data with other healthcare providers; and/or

  • The necessity for preventive or curative care in the context of a medical treatment agreement (Article 9(2)(h) GDPR in conjunction with Articles 7:446 et seq. and 7:457 of the Dutch Civil Code), insofar as medical care is provided by or via Blue Health Intelligence.

Other personal data

In addition, we process personal data on the basis of:

  • Performance of a contract (Article 6(1)(b) GDPR), for example for:

    • Creating and managing your account

    • Performing your membership

    • Scheduling and carrying out appointments and examinations

    • Handling payments and invoicing

  • Your consent (Article 6(1)(a) GDPR), for example when you register for marketing communications (newsletter) or when we use non-essential cookies. You may withdraw your consent at any time; this does not affect the lawfulness of processing prior to withdrawal.

  • Legitimate interest (Article 6(1)(f) GDPR), for example for:

    • Improving and securing our systems and services

    • Evaluating our services and conducting limited customer satisfaction surveys

    • Informing existing clients about similar services, updates, or changes to our services (within the legal framework)

In all cases, we do not process more data than necessary for the relevant purpose.

4. Purposes of data processing

We use your personal data for, among other things, the following purposes:

  • Creating and managing your Blue Health Intelligence account

  • Registering and guiding you as a client, member, or user

  • Logging into your personal environment (app and/or web portal)

  • Maintaining and managing your medical record

  • Planning, performing, and following up on appointments and examinations

  • Mediating and cooperating with (external) healthcare providers and diagnostic centers

  • Processing and analyzing the results of (medical) examinations

  • Processing data from wearables and other devices that you connect

  • Providing advice and reports to you (and, if applicable, to your general practitioner or specialist with your consent or based on the treatment relationship)

  • Maintaining results from previous examinations for longitudinal comparison

  • Sending messages regarding your account, appointments, or important changes to our services

  • Performing or arranging other services requested by you

  • Improving, testing, and optimizing our systems, app, and services

  • Providing translations of medical reports (if necessary)

  • Conducting (anonymized or pseudonymized) analyses for quality and research purposes

  • Complying with legal obligations, such as tax retention requirements and healthcare legislation

  • Sending newsletters and other marketing communications (if permitted)

5. Disclosure of your personal data to third parties

We provide your personal data to third parties only if this:

  • Is necessary for the performance of the agreement (including medical treatment);

  • Is necessary to comply with a legal obligation; or

  • Takes place on the basis of your (explicit) consent.

Examples of categories of recipients include:

  • Laboratories and diagnostic centers

  • External medical specialists and other healthcare providers

  • IT service providers and software suppliers (e.g. for hosting systems and the app)

  • Hosting and cloud providers

  • Providers of electronic communication and mail services

  • Providers of analysis and monitoring tools (e.g. web/app analytics)

  • Financial service providers and payment providers

  • Translation agencies (for medical translations)

  • (If applicable) employers or other contractual parties, exclusively with your consent or on the basis of a specific legal ground

With parties that process personal data on our behalf, we conclude a data processing agreement, in which appropriate safeguards for your privacy are laid down.

6. Retention periods

We do not retain your data longer than necessary for the purposes for which they were collected, unless a longer retention period is legally required or permitted.

Medical records and health data

Insofar as we process your personal data in the context of a medical treatment agreement, we generally retain the medical record for 20 years after the last contact, in accordance with the statutory retention period under the Dutch Medical Treatment Contracts Act (WGBO), unless a different period applies or longer retention is necessary (for example due to claims or legal obligations).

This includes, among other things:

  • Name and address details

  • Contact details

  • Medical history

  • Examination results and findings

  • Imaging materials

  • Reports from physicians and other healthcare providers

Financial data

Invoices and financial transactions are retained for 7 years pursuant to tax legislation.

Marketing and communication data

Data used for newsletters or other marketing communications are in principle retained for up to 2 years after you were last a client or 2 years after you gave consent, unless you unsubscribe earlier or object.

After the retention periods expire, your data will be deleted, anonymized, or pseudonymized, unless retention is still necessary, for example due to an ongoing dispute.

7. Security measures

We take appropriate technical and organizational measures to protect your personal data against loss or any form of unlawful processing, including:

  • Access to personal data is limited to authorized employees and healthcare providers via personal accounts with passwords and (where applicable) additional security steps

  • Data are stored in secured systems with access control

  • We use encrypted (secure) connections (e.g. SSL/TLS) when transmitting personal data via our website and app

  • We apply internal procedures and access guidelines to prevent misuse and unauthorized access

  • Where necessary, we maintain log files of access to medical information

  • Important systems are periodically tested and assessed for security

Despite all efforts, no method of data transmission or storage can be guaranteed to be 100% secure. In the event of a data breach, we will act in accordance with the GDPR and, where required, report it to the Dutch Data Protection Authority and the affected individuals.

8. Third-party websites and services

Our website and app may contain links to websites or services of third parties (for example other healthcare providers, knowledge platforms, or partners).

When you visit such websites or services, the privacy statements and terms of those third parties apply. We recommend that you carefully read those statements before using such services. We are not responsible for how these third parties handle your data.

9. Cookies and (web) analytics

Our website and app use cookies and similar technologies.

Cookies are small text files or pieces of code that are placed on your device when you visit our website or use our app. Through cookies we can:

  • Ensure proper functioning of the website and app (necessary cookies)

  • Remember your preferences

  • Analyze and improve the use of the website and app

  • (If permitted) show you more relevant content and advertisements

The information collected through cookies may include, among other things, the date and time of your visit, pages viewed, and how you use our website or app.

Analytics and tracking tools (e.g. Google Analytics)

Blue Health Intelligence may use analytics tools such as Google Analytics or similar services to gain insight into the use of the website and app. The data collected (including in some cases IP addresses) are anonymized or pseudonymized as much as possible. Where required, we ask for your consent before placing non-essential cookies.

Further information about the specific cookies and tools we use and how you can manage your cookie preferences can be found in a separate cookie statement (if available).

10. Newsletter and marketing communications

Based on your consent

If you have subscribed to the newsletter via our website, app, or otherwise, you will periodically receive information by e-mail from Blue Health Intelligence about our services, examinations, events, promotions, and client stories. This is based on your consent (Article 6(1)(a) GDPR).

The content of the newsletter may be tailored to your interests and previous contact moments with Blue Health Intelligence. This personalization is based on the information you share with us (e.g. preferred topics) and, where applicable, limited usage data.

You may withdraw your consent at any time by clicking the unsubscribe link in the newsletter or by contacting us.

Existing clients

If you have purchased a service or examination from Blue Health Intelligence, we may, on the basis of our legitimate interest (Article 6(1)(f) GDPR in conjunction with Article 11.7(4) of the Dutch Telecommunications Act), send you e-mails about similar services or relevant developments. You may object at any time by using the unsubscribe option in the e-mail or by contacting us by e-mail.

If you wish to object to the processing of your personal data for marketing purposes, you may send an e-mail to: privacy@bluehealth.co

11. Your rights

As a data subject, you have various rights under the GDPR. You may, among other things, request:

  • Access to your personal data

  • Rectification (correction) or completion of incorrect or incomplete data

  • Erasure of your personal data (insofar as permitted under statutory retention obligations)

  • Restriction of the processing of your personal data

  • Transfer of your data (data portability) to you or another party

  • Objection to certain processing activities, for example the use of your data for marketing purposes based on legitimate interest

You may also withdraw any consent you have given at any time. This does not have retroactive effect on processing that has already taken place.

You may submit your request or objection by sending an e-mail to: privacy@bluehealth.co or dpo@bluehealth.co. Blue Health Intelligence will respond to your request as soon as possible, and within four weeks at the latest. In some cases, we may request additional information to verify your identity.

12. Complaint to the Dutch Data Protection Authority

If you are not satisfied with the way Blue Health Intelligence handles your personal data, we hope that you will first discuss this with us so that we can seek a solution together.

In addition, you always have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens), the Dutch supervisory authority for privacy matters. The contact details and procedure can be found on the website of the Autoriteit Persoonsgegevens.

13. Changes to this privacy statement

We may amend this privacy statement from time to time, for example if our services change or if laws and regulations are updated. The most recent version is always available on our website.

We recommend that you review this statement regularly so that you remain informed of any changes. In the event of significant changes, we will actively inform you where possible.

14. Contact

If you have any questions or comments about this privacy statement or about the processing of your personal data by Blue Health Intelligence, please contact us via:

Tiuri Health B.V. (brand name: Blue Health Intelligence)
Linnaeushof 81h
1098 KS Amsterdam
The Netherlands

Telephone: +31 (0)20-2101572
E-mail: privacy@bluehealth.co
Chamber of Commerce number (KvK): 98047213

Disclaimer – prevailing language

This English version of the Privacy Statement has been provided for informational purposes only.
In the event of any discrepancy or difference in interpretation between the English version and the Dutch version, the Dutch version shall always prevail and be legally binding.

Prinsengracht 570-H
1017 KR Amsterdam
