1. General information
MX Labs OÜ (hereinafter: “MX Labs”, “us”, “our,” or “we”) protects the privacy rights of its users (“users or “you”).

This Privacy Policy (hereinafter: “Policy”) sets out the general rules for our processing of users’ data that users provide to us or that we collect in connection with the use of our Shen Health application (hereinafter: “Application” or “service”). We shall refer to all data and other information that you provide to us or that we collect as “Data”.

Suppose any of these Data allow us to know your identity. In that case, they shall be treated as personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons concerning the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: “GDPR”).

Please do not install or use the Application if you have any doubts about our Policy or if you do not agree with this Privacy Policy.

2. Who processes your personal data?
MX Labs OÜ is an exclusive data controller. Our contact details:

a) Estonia: Lõõtsa tn 5, 11415 Tallinn;

b) Poland: ul. Gwiaździsta 66, 54-413 Wrocław.

Email: office@mxlabs.ai

To maintain the highest level of privacy, we are supported by the Data Protection Officer:

Stalmach Szczeszek Kancelaria sp.j., contact person: Piotr Szczeszek

E-mail: dpo@stsk.pl

3. Why are we processing your Data?

Your Data shall be processed only for the following purposes:

a) performance of the contract for the provision of services if you use our Application under the conditions set out in the Terms and Conditions of the Application or to take any action before concluding the contract;

b) providing test results to selected external entities providing medical services;

c) marketing communications regarding MX Labs’ products and partner’s products;

d) providing, maintaining, and improving services, providing access to them; understanding user preferences to increase the comfort or benefits of using the Services;

e) determination, investigation, and defense against claims.

4. What Data are we processing, and how do we collect it?

If you want to use the Application, you must register an account. Therefore, you provide us with and process your basic contact details: e-mail address, name, and surname.

Providing data is voluntary but necessary to register in the Application. If the required data is provided, it will be possible to complete the registration process and set up an individual account in the Application.

We may also process data related to an order from a third party for a paid subscription to the application, in what variant, for what period, and information about unsubscribing.

In connection with the use of the Application, we will collect and process your health data, including data for assessment of your lifestyle, physical examination, mental health, cardiovascular health assessment, diabetes risk assessment, hypertension risk assessment, obesity risk assessment, heart disease risk assessment, stroke risk assessment, respiratory health assessment, insomnia assessment, as well as BMI and hydration calculators, medication management and test results. Providing this data is voluntary, but necessary to use certain functionalities of the Application. If some data are provided, it will be possible to use these functionalities.

In the remaining scope, the Data will be processed only as standard data collected from users of the software or online services in accordance with the functions and technical specifications of this software or services known to you, in particular automatically from you, your device, and other services you use. Such data may include hardware and type of hardware components, data and analytics about the use of our services; the type of device and operating system you are using; general geographic location (e.g., country or city level location) based on your IP address; quality indicators of the performance of our services on your device); qualitative and quantitative indicators of the performance of our services on your device. The data mentioned above collected automatically are necessary for us to provide services. You should not install or use our services if you do not want such data collected. If you have already done so, please see the Notice of Your Rights in section 8 below. In addition, we may establish separate rules for data collection, including the use of cookies or similar technologies, particularly in the cookie policy for individual services.

Typically, this data is not personal, but it may be considered confidential if it identifies you with other information. In this case, we shall apply to them all the principles and legal grounds for the processing of personal data set out in this Policy.

5. Google Health Connect information

We may also establish connections with Google Health Connect, to enable us to access Personal Data about your health and activity when you want to sync health or fitness data with Health Connect. We only ask for the permissions it needs. Imported Personal Data includes, but is not limited to, active calories, burned records, blood glucose records, blood pressure records, distance records, floors climbed records, heartrate records, heart rate variability, RMMSD record, height record, hydration record, oxygen saturation records, respiratory rate record, sleep session record, sleep stage record, steps record, weight record, and other health data. We will only process this data to provide or improve the application’s use case or features. We must not use this data for any other purpose, including sending it to advertising platforms, data brokers or information vendors.

The use of information received from Health Connect will adhere to the Health Connect Permissions policy, including the Limited Use requirements. User data is not encrypted, but their collection is minimal (see following points). We maintain all data security standards, in particular we have implemented organisational and technical measures to protect personal data against unauthorised or unlawful access, destruction, loss, alteration or disclosure.

6. Legal basis for personal data processing

Data for the purposes specified in point 3 let. a) MX Labs processes the data to the extent necessary to perform the contract to which you are a party or to take action at your request before concluding the contract – article 6(1)(b) of the GDPR and when it is necessary for pursuing the legitimate interests of MX Labs and third parties (article 6(1)(f) of the GDPR) in the case of ordering paid application subscriptions from third parties.

Data for the purposes specified in point 3 let. a), to a greater extent than necessary to perform the contract, MX Labs processes based on consent – Article 6 (1) (a) and Article 9 (2) (a) of the GDPR.

For the purposes set out in point 3, let. b) MX Labs processes the data based on consent to share data –  article 6(1)(a) of the GDPR.

Data for the purposes specified in point 3 let. c) MX Labs processes it when it is necessary for pursuing the legitimate interests of MX Labs and third parties – Article 6(1)(f) of the GDPR. The above-mentioned legitimate interests include improving the availability and attractiveness of services and constantly increasing the availability and number of users of MX Labs and its partners’ services.

Data for the purposes specified in point 3 let. d) MX Labs processes it when it is necessary for pursuing its legitimate interests – Article 6(1)(f) of the GDPR. The above-mentioned legitimate interests include continuously improving the quality, functionality, and security of MX Labs services and increasing the availability and number of users.

Data for the purposes specified in point 3 let. e), MX Labs processes when it is necessary for pursuing its legitimate interests – Article 6(1)(f) of the GDPR. The above-mentioned interests include protecting MX Labs’ rights related to possible claims.

7. Who may access your Data?

Within our organization, your Data shall be disclosed only to our personnel who need to know such data for carrying out their work and shall be subject to strict rules. We may disclose your Data to our affiliates (companies controlled by MX Labs) and their personnel. We do not have other recipients of your data.

If you agree to this, using the Application, your data, including the results of your tests, that have been added to the Application, may be transferred to third parties selected by you, which are separate data administrators.

MX Labs shall not transfer personal data to a third country (outside the EU) or international organization.

8. How long are we store your personal data ?

We shall store your data until you delete your account in the Application.

No data will be processed if you have withdrawn your consent or have objected to such processing. In this case, the period for which personal data will be stored ends immediately, and the data will be deleted or anonymized.

Some data may be processed longer if necessary to establish, exercise or defend claims.

9. Information about your rights

Users whose personal data are processed by MX Labs have the following rights:

a) to request access to their data,

b) to request that their data are corrected,

c) to request that their data are erased,

d) to request that their data are transferred,

e) to request that the processing of their data is limited,

f) to not be subject to automated decision-making, including profiling,

g) to file an objection to the processing of their data,

h) to withdraw consent at any time (without affecting the legality of the processing performed based on consent before its withdrawal),

i) to file a complaint with respect to data processing with the appropriate supervisory body.

Should you have any queries, comments, or requests for your rights as above, please contact the data controller at data@mxlabs.ai or our Data Protection Officer at dpo@stsk.pl.

To speed up the procedure of examining the request, you may clarify your request, e.g., by indicating what you wish to delete or change or you do not want to receive news or other commercial information. In the absence of an unequivocal statement as to the scope of personal data to be erased, We may contact you to confirm the details of your request. We shall respond to the appeal mentioned above immediately, at the latest within a month, and should that prove impossible, we shall give the reasons therefor.

Please pay attention, however, that the erasure of all your data may only be technically possible if such data is connected with your accounts in other services, in particular with external entities providing medical services.

Also, remember that the Application requires your Data to be processed as described herein. If you do not accept the processing of your Data, you should cease using the Application. If you object to processing your Data, request the Data to be erased, or request that we stop processing your Data. As a result, you may not be (depending on the type of Data and the type of Services) able to use the Application. Suppose you file an objection to data processing or withdraw your consent to the processing of specific Data. In that case, you may not be able to use the full functionality of the Services or may not be able to use the Services at all.

If you consider your rights violated or your personal data processing rules infringed, you can file a complaint with a relevant supervisory authority. You may complain with any personal data protection authority in an EU member state.