1. General information
Shen.AI OÜ (hereinafter: “Shen.AI”, “us”, “our” or “we”) protects the privacy rights of its
users (“users” or “you”).
This Privacy Policy (hereinafter: “Policy”) sets out the general rules for our processing of
users’ data that users provide to us or that we collect in connection with the use of our Shen
Health application (hereinafter: “Application” or “service”). We shall refer to all data and
other information that you provide to us or that we collect as “Data”.
If any of these Data allow us to know your identity, they shall be treated as
personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and
of the Council of 27 April 2016 on the protection of natural persons concerning the processing
of personal data and on the free movement of such data, and repealing Directive 95/46/EC
(hereinafter: “GDPR”).
Please do not install or use the Application if you have any doubts about our Policy or if you
do not agree with this Privacy Policy.
Definitions
For the purposes of this Privacy Policy:
● Services – any products or services provided by Shen.AI, including our website,
software, applications, and related functionalities.
● Facial Images – still or moving images of a user’s face acquired via a device camera,
which are processed solely in real time into anonymised structured biosignal data; no
complete facial images in the form of video are stored or further processed. Facial images
are processed solely to extract physiological signals and are not used for biometric
identification or verification of users.
● Biosignal Data – numerical health measurements (e.g., heart rate, breathing rate)
extracted from facial videos. This data cannot recreate the user’s face.
● Facial Texture Analysis – temporary detection of skin color changes and
micro-movements only to calculate health metrics (e.g., blood flow).
● Personal Data – any Data relating to an identified or identifiable natural person, as
defined in the GDPR.
2. Who processes your personal data?
Shen.AI OÜ is the exclusive data controller.
Our contact details:
● Estonia: Lõõtsa tn 8a, 11415 Tallinn;
● Poland: ul. Gwiaździsta 66, 54-413 Wrocław;
E-mail: office@shen.ai
To maintain the highest level of privacy we are supported by a professional Data Protection
Specialist: Jarosław Wojcieszek, to be contacted at: dpo@shen.ai.
3. Why are we processing your Data?
Your Data shall be processed only for the following purposes:
● Provision and development of the Services
○ Analysis of health-related data and facial images (including skin texture and
physiological signs) measured in real time via smartphone, tablet, or other
camera-equipped device
○ Non-biomedical research for the development of Shen.AI technology used in such
analyses
● Performance of a contract
○ Delivering Services under agreed terms and conditions
○ Taking steps at your request (e.g., inquiries, comments, or questions) before entering
into a contract, within pre-sales, or in customer service
● Provision, maintenance and improvement of the Services
○ Ensuring access to Services
○ Understanding user preferences to enhance experience and benefits
○ Conducting statistical analysis of users’ preferences and behavior
● Communication and marketing
○ Informing you about promotions, rewards, and upcoming events
○ Sharing news about products and services offered by us or selected partners
○ Other direct marketing activities
For the purpose of legitimate interests of the Controller that include the need to continually
raise quality, functionality, and safety of our Services, increase accessibility, availability and
the number of users of our service and also establishment, exercise or defence of legal claims.
4. What Data are we processing, and how do we collect it?
If you want to use the Application, you must register an account. Therefore, you provide us
with, and we process, your basic contact details: e-mail address, name, and surname.
Providing data is voluntary but necessary to register in the Application. If the required data is
provided, it will be possible to complete the registration process and set up an individual
account in the Application.
We may also process data related to an order from a third party for a paid subscription to the
application, in what variant, for what period, and information about unsubscribing.
In connection with the use of the Application, we will collect and process your health data
including facial images and biosignal data for assessment of your lifestyle, physical
examination, mental health, cardiovascular health assessment, diabetes risk assessment,
hypertension risk assessment, obesity risk assessment, heart disease risk assessment, stroke
risk assessment, respiratory health assessment, insomnia assessment, as well as BMI and
hydration calculators, medication management and test results. No biometric templates are
created, stored, or used for identification purposes. Providing this data is voluntary, but
necessary to use certain functionalities of the Application. If some data are provided, it will be
possible to use these functionalities.
In the remaining scope, the Data will be processed only as standard data collected from users
of the software or online services in accordance with the functions and technical
specifications of this software or services known to you, in particular automatically from you,
your device, and other services you use. Such data may include hardware and type of
hardware components, data and analytics about the use of our services; the type of device and
operating system you are using; general geographic location (e.g., country or city level
location) based on your IP address; quality indicators of the performance of our services on
your device; qualitative and quantitative indicators of the performance of our services on
your device. The data mentioned above collected automatically are necessary for us to
provide services. You should not install or use our services if you do not want such data
collected. If you have already done so, please see the Notice of Your Rights in section 8
below. In addition, we may establish separate rules for data collection, including the use of
cookies or similar technologies, particularly in the cookie policy for individual services.
Typically, this data is not personal, but it may be considered confidential if it identifies you
with other information. In this case, we shall apply to them all the principles and legal
grounds for the processing of personal data set out in this Policy.
5. Google Health Connect information
We may also establish connections with Google Health Connect, to enable us to access
Personal Data about your health and activity when you want to sync health or fitness data with
Health Connect. We only ask for the permissions it needs. Imported Personal Data includes,
but is not limited to, active calories burned records, blood glucose records, blood pressure
records, distance records, floors climbed records, heart rate records, heart rate variability
RMSSD record, height record, hydration record, oxygen saturation records, respiratory rate
record, sleep session record, sleep stage record, steps record, weight record, and other health
data. We will only process this data to provide or improve the application’s use case or
features. We must not use this data for any other purpose, including sending it to advertising
platforms, data brokers or information vendors.
The use of information received from Health Connect will adhere to the Health Connect
Permissions policy, including the Limited Use requirements. User data is not encrypted, but
their collection is minimal (see following points). We maintain all data security standards, in
particular we have implemented organisational and technical measures to protect personal
data against unauthorised or unlawful access, destruction, loss, alteration or disclosure.
6. Legal basis for personal data processing
Data for the purposes specified in point 3 let. a) Shen.AI OÜ processes the data to the extent
necessary to perform the contract to which you are a party or to take action at your request
before concluding the contract – article 6(1)(b) of the GDPR and when it is necessary for
pursuing the legitimate interests of Shen.AI OÜ and third parties (article 6(1)(f) of the GDPR)
in the case of ordering paid application subscriptions from third parties.
Data for the purposes specified in point 3 let. a), to a greater extent than necessary to perform
the contract, Shen.AI OÜ processes based on consent – Article 6 (1) (a) and Article 9 (2) (a)
of the GDPR.
For the purposes set out in point 3, let. b) Shen.AI OÜ processes the data based on consent to
share data – article 6(1)(a) of the GDPR.
Data for the purposes specified in point 3 let. c) Shen.AI OÜ processes it when it is necessary
for pursuing the legitimate interests of Shen.AI OÜ and third parties – Article 6(1)(f) of the
GDPR. The above-mentioned legitimate interests include improving the availability and
attractiveness of services and constantly increasing the availability and number of users of
Shen.AI OÜ and its partners’ services.
Data for the purposes specified in point 3 let. d) Shen.AI OÜ processes it when it is necessary
for pursuing its legitimate interests – Article 6(1)(f) of the GDPR. The above-mentioned
legitimate interests include continuously improving the quality, functionality, and security of
Shen.AI OÜ services and increasing the availability and number of users.
Data for the purposes specified in point 3 let. e), Shen.AI OÜ processes when it is necessary
for pursuing its legitimate interests – Article 6(1)(f) of the GDPR. The above-mentioned
interests include protecting Shen.AI OÜ’s rights related to possible claims.
7. Who may access your Data?
Within our organization, your Data shall be disclosed only to our personnel who need to know
such data for carrying out their work and shall be subject to strict rules. We may disclose your
Data to our affiliates (companies controlled by Shen.AI) and their personnel. We do not have
other recipients of your personal data.
If you agree to this, using the Application, your data, including the results of your tests, that
have been added to the Application, may be transferred to third parties selected by you, which
are separate data administrators.
Shen.AI shall not transfer any personal data to a third country (outside EU) or international
organization. We may use third parties to collect and process personal data on our behalf and
in accordance with our instructions. If such third parties collect data outside the EU, the
personal data shall be immediately transferred to Shen.AI and shall be processed by Shen.AI
only within the territory of the EU. The third party as above shall not have access to them,
data shall not be transferred or given back to them outside the EU in any way.
8. How long do we store your personal data?
We shall store your personal data in respect to the particular Services only within the Services
period, unless the special terms and conditions for those Services set forth otherwise. If any
personal data shall be processed within our non-biomedical research for development of our
technology the period for which the personal data shall be stored shall be determined by the
research and development period defined in the research procedure. We shall retain personal
data for no longer than is necessary for the purposes for which it was collected, unless a
longer retention period is required or permitted by applicable law or justified by a legitimate
legal interest (e.g. establishment, exercise, or defense of legal claims) or until withdrawal of
your consent if processing is based on your consent or until a justified objection to processing
based on a legitimate interest. No Data shall be processed if you have withdrawn your consent
for particular processing or expressed any objection to such processing. In such an event, the
period for which the personal data shall be stored ends and data shall be erased or
anonymized.
9. Information about your rights
Users whose personal data are processed by Shen.AI OÜ have the following rights:
● to request access to their data,
● to request that their data are corrected,
● to request that their data are erased,
● to request that their data are transferred,
● to request that the processing of their data is limited,
● to not be subject to automated decision-making, including profiling,
● to file an objection to the processing of their data,
● to withdraw consent at any time (without affecting the legality of the processing
performed based on consent before its withdrawal),
● to file a complaint with respect to data processing with the appropriate supervisory
body.
Should you have any queries, comments, or requests concerning your rights as above, please
contact the data controller at data@shen.ai.
To speed up the procedure of examining the request, you may clarify your request, e.g., by
indicating what you wish to delete or change or you do not want to receive news or other
commercial information. In the absence of an unequivocal statement as to the scope of
personal data to be erased, we may contact you to confirm the details of your request. We
shall respond to the appeal mentioned above immediately, at the latest within a month, and
should that prove impossible, we shall give the reasons therefor.
Please pay attention, however, that the erasure of all your data may only be technically
possible if such data is connected with your accounts in other services, in particular with
external entities providing medical services.
Also, remember that the Application requires your Data to be processed as described herein.
If you do not accept the processing of your Data, you should cease using the Application. If
you object to processing your Data, request the Data to be erased, or request that we stop
processing your Data, you may, as a result, not be able (depending on the type of Data and the
type of Services) to use the Application. If you file an objection to data processing or
withdraw your consent to the processing of specific Data, you may not be able to
use the full functionality of the Services or may not be able to use the Services at all.
If you consider your rights violated or your personal data processing rules infringed, you can
file a complaint with a relevant supervisory authority. You may complain with any personal
data protection authority in an EU member state.