Privacy Policy HealthNation

Health Networks Sp. z o.o.

§1. Data Confidentiality and Privacy Protection

This Privacy Policy sets out the rules for processing personal data of Users of the application and services related to the Health Nation platform, in accordance with the Regulation (EU) 2016/679 of the European Parliament and of the Council ("GDPR").

The purpose of this document is to provide transparent information about what data is processed, for what purpose, on what legal basis, and what rights are available to the data subjects.

§2. Data Controller

The controller of your personal data is: Health Networks Sp. z o.o., ul. Kapelanka 12, 30-347, Kraków, E-mail: kontakt@wellbeingpolska.pl

Correspondence contact: Customer Service Department, ul. Kapelanka 12, 30-347, Kraków

§3. Scope of Processed Data

The Controller processes, in particular, the following categories of data:

  • Identification and contact data: first and last name, e-mail address, phone number
  • User account and login data: data provided during account registration (e-mail address or phone number), technical data related to authentication and account security
  • Communication data: content of inquiries sent through contact forms or other communication channels
  • Marketing data: data related to newsletter subscription, communication preferences
  • Technical and analytical data: IP address, device identifiers, data on the use of the application and website, cookies
  • Well-being and physical activity data (Health Connect): e.g., step count, heart rate, calories -- only after explicit consent has been given

Personal data is processed for the following purposes:

  • Provision of services and application functionalities -- Art. 6(1)(b) GDPR (contract)
  • Handling inquiries and contacting the User -- Art. 6(1)(f) GDPR
  • Newsletter and marketing activities -- Art. 6(1)(a) GDPR (consent)
  • Analytics and improvement of service quality -- Art. 6(1)(f) GDPR
  • Fulfillment of legal obligations -- Art. 6(1)(c) GDPR
  • Health data (Health Connect) -- Art. 9(2)(a) GDPR (explicit consent)

The legitimate interest of the Controller includes, in particular: ensuring the security of services, conducting statistical analyses, improving application functionality, and marketing of the Controller's own services.

Where processing is based on the legitimate interest of the Controller, the Controller assesses on a case-by-case basis whether that interest infringes upon the rights or freedoms of the User. The User has the right to object to data processing based on Art. 6(1)(f) GDPR.

§5. Obligation to Provide Data

The provision of personal data is voluntary; however:

  • failure to provide contact data may prevent a response to the inquiry,
  • failure to provide registration data will prevent the creation of an account,
  • failure to provide data required by law may prevent the Controller from fulfilling its legal obligations.

Withdrawal of consent does not affect the lawfulness of processing carried out prior to its withdrawal.

The provision of personal data necessary for creating an account and using the application's functionalities is a condition for entering into a contract for the provision of services by electronic means. The provision of other data, in particular for marketing or analytical purposes, is voluntary.

§6. Health Connect Data (Special Category Data)

Data concerning health and physical activity is processed solely on the basis of the User's explicit consent.

Such data is used exclusively for application features (e.g., group challenges) and is not sold or disclosed to third parties.

The User may withdraw consent at any time.

§7. Data Recipients

Personal data may be transferred to:

  • data processors acting on behalf of the Controller (IT, hosting, analytics, mailing),
  • public authorities -- where required by law.

§8. Transfer of Data Outside the EU/EEA

Data may be transferred outside the EU/EEA in connection with the use of tools such as Google, Apple, or Microsoft.

The transfer is carried out on the basis of Standard Contractual Clauses of the European Commission (Art. 46 GDPR).

The User may obtain a copy of the safeguards by contacting the Controller.

§9. Data Retention Period

  • Contact form data: up to 24 months from the last contact
  • Newsletter data: until consent is withdrawn
  • Accounting and tax data: 5 years
  • Data for potential claims: 6 years

§10. Rights of the Data Subject

The User has the right to:

  • access their data,
  • rectification of data,
  • erasure of data,
  • restriction of processing,
  • data portability,
  • object to processing,
  • withdraw consent.

The User also has the right to lodge a complaint with the supervisory authority competent for personal data protection matters, i.e., the President of the Personal Data Protection Office (PUODO), ul. Stawki 2, 00-193 Warszawa.

§11. Profiling and Automated Decisions

Profiling consists of analysing selected information regarding the User's activity in the application in order to tailor the content of marketing communications or improve service functionality. Profiling does not produce legal effects concerning the User nor does it similarly significantly affect the User.

The User has the right to object to profiling.

§12. Cookies

The following types of cookies are used:

  • essential,
  • analytical,
  • marketing.

Analytical and marketing cookies are used solely on the basis of consent.

Consent for the use of analytical and marketing cookies is collected through an appropriate Consent Management Platform (CMP). The User may change cookie settings or withdraw consent at any time through browser settings or the tool provided on the website.

§13. Data Security

The Controller implements appropriate technical and organisational measures in accordance with Art. 32 GDPR, including, in particular, access control, encryption of data transmission (including data transmitted via chat) using the TLS protocol, system monitoring, and security incident management procedures.

§14. Changes to the Privacy Policy

The Policy may be updated. The current version is published in the application or on the website.

§15. Entry into Force

This Policy enters into force on 01.03.2026.