InoHealth Privacy Notice 


InoHealth AG (Blegistrasse 7, 6340 Baar, Switzerland) (hereinafter referred to as “we” or “InoHealth”) is a Swiss corporation established under the laws of Switzerland. InoHealth is subject to Swiss law and any applicable foreign data protection law and adheres to all other applicable laws and regulations to be considered in its activity.

At InoHealth, we naturally value your privacy highly, and adhere to the applicable privacy laws when collecting and processing your data. With this privacy notice, InoHealth informs you how we collect, process and disclose personal data. This is not an exhaustive description; other privacy notices or general terms and conditions and similar documents may govern specific matters. Personal data is understood to be all information that relates to a specific or identifiable individual.

1. Controller and contact person

The controller of the data processing described in this privacy notice is InoHealth, unless we have informed you otherwise in certain cases. You can contact us with any data protection-related concerns using the following contact details:

InoHealth AG
Blegistrasse 7
6340 Baar
Switzerland
contact@inohealth.com

Data Protection Officer contact details:
You can contact our Data Protection Officer by sending an e-mail to: dataprivacy@inohealth.com

Representative in the European Union:
The representative within the meaning of the GDPR and other national data protection laws of the EU member states as well as other data protection provisions is:

Swiss Infosec (Deutschland) GmbH
Unter den Linden 24
10117 Berlin
Germany

inohealth.dataprivacy@swissinfosec.de

2. Collection and processing of personal data

We primarily process the personal data that we receive in the course of our business activities. This includes data from: clients, visitors to our website, users of the InoHealth platform, suppliers, other business partners and job applicants. We may obtain this data through direct communication, participation in meetings or events, the application process, or through the use of our websites, platform, apps, and other services.

Please also consider the contractual terms for individual services. These may contain additional information on our data processing activities. For information on the collection and processing of personal data when using our websites, platform and social media presences, particularly in connection with cookies and similar technologies, please also refer to our cookie banner.

The categories of personal data that we process may include, in particular, the following information:

— Personal and contact information, such as name, address, contact details, e-mail address, gender, date of birth, ethnicity, language, nationality, username, identification information, image, family and relatives, interests, professional functions and activities;

— Information about related third parties such as contact persons, recipients of services, or representatives;

— Information related to contracts and services, such as contract information, services offered and performed, inquiries related to services and contracts;

— Information related to communication, such as data exchanged in or in relation to your contact with us by any means (including different online forms), preferred communication channel, messages sent and received, communication and information relating to your inquiries;

— Health-related information, such as health status, laboratory and biological data (e.g. blood biomarkers), physical measurements (height, weight, grip strength, blood pressure etc.), responses to health-related / medical questionnaires (e.g. family health history, medical history, medications, allergies, lifestyle), genetic information and information derived from DNA analysis;

— Financial information, such as payment history, payment information, invoices, creditworthiness data, debt and bankruptcy information, any recorded restrictions on the ability to act;

— Information from public registers and other public sources, such as information from the commercial register, media, internet, other publications;

— Information related to marketing and surveys, such as newsletter opt-ins and opt-outs, invitations and participation in surveys and events and special activities, personal preferences and interests, consulting protocols;

— Information related to the use of our website or platform, such as browsing data, IP address and other online identifiers, date and time of visits, duration of visits, pages visited, referrer URL (i.e. the Internet address of the website from which you accessed our website, if applicable with the search term used), browser type and version, operating system used, amount of data sent in bytes, and the search term used, location data, pages and content accessed, functions used, information about the use of our online platforms (e.g., whether you are registered with InoHealth platform), information about your status within the InoHealth platform (e.g. inactivity or blocking of your account), date and time of registrations.

— Demographic Information (Special Category Data): we ask individual users to provide demographic details, including ethnic background, to help ensure our services are fair, inclusive, and scientifically valid across diverse populations. This data supports population-level analyses to enhance the accuracy and equity of our health-related insights. Providing this information is entirely voluntary and will not affect your access to services. Where collected, this data is handled with strict confidentiality and used only in aggregated or anonymized form unless otherwise stated and consented to.

Access and Modification of Personal Data

Access to your personal data within our platform is strictly limited to authorized personnel who require it to perform their duties in support of your care, account management, or service delivery. Depending on the context, this may include viewing or editing details such as contact information, demographic attributes (e.g., DOB), or health-related data.

Any such access or modification is governed by role-based permissions, logged appropriately, and limited to what is necessary for the intended purpose. Sensitive attributes, such as ethnicity or sex assigned at birth, are only modified under specific conditions, and we may implement confirmation prompts or notify you when such updates occur.

We take care to ensure your data is handled responsibly, and all modifications are made in accordance with applicable data protection laws, including the GDPR.


3. Purposes of the data processing and legal bases

We may process personal data for the following purposes and, if necessary under applicable data protection law, on the basis of the following legal bases:

— For the performance of the contract and service provision: We may process personal data in connection with the execution and performance of contracts with our clients and our business partners, in particular in connection with service provision within the InoHealth platform.

— To fulfill legal obligations: We may process personal data in order to comply with our legal and regulatory obligations, which may include the documentation of compliance with legal and regulatory requirements.

— To safeguard legitimate interests: We may process personal data if this is necessary to protect the legitimate interests of us or of third parties or to protect legitimate public interests, as follows:

◦ To provide our services and to improve the quality of and further develop our services and offerings;

◦ To measure, analyze and understand use of our services, market and industry trends and preferences of our actual and potential clients and other business partners;

◦ For advertising and marketing purposes, such as to send newsletters (provided that you have not objected to the use of your data for this purpose) and organize events;

◦ For market and opinion research, media monitoring;

◦ To ensure the continuity, security and efficiency of our business operations, including our IT, data, websites, apps and other applications;

◦ To protect our physical assets and premises, control access to buildings and sites, protect employees and other individuals and assets owned by or entrusted to us;

◦ In view of possible corporate transactions and the disclosure of personal data related thereto;

◦ To manage our business in compliance with legal and regulatory obligations as well as internal regulations of InoHealth.

— Based on your consent: If you have given us consent to process your personal data for specific purposes (for example, when you register to receive newsletters, participate in research, consent to have a sample analyzed and reports disclosed), we process your personal data within the scope of and based on this consent, unless we have another legal basis and we require such a basis. Consent given can be revoked at any time, but this has no effect on data processing that has already taken place.


4. Use of our website

4.1 Contacting Us

You can contact us via email or through various online forms available on our website. Most of our online forms are created and managed using HubSpot, a service provided by HubSpot Inc., 25 First Street, Cambridge, MA 02141 USA (see section 5.5 for more details). In some cases, we may also use the WordPress plugin WPForms, provided by WPForms LLC, 2701 Okeechobee Blvd, Ste 400, West Palm Beach, FL 33409, USA. When you reach out to us using an online form, the information you provide - including your contact details - will be stored for the purpose of handling your request (e.g., registration on a waiting list, inquiries about our services) and for any necessary follow-up. This also applies to inquiries submitted by post.

We will not share your information with unauthorized third parties without your consent.

You have the right to object to this data processing at any time. To do so, please send an email to the address listed in Section 1 with the subject line “Request to Stop Data Processing.” We will review your request accordingly.

Your personal data will be deleted once your request has been resolved. This is the case when it is evident from the circumstances that the matter has been fully clarified and no legal retention obligations apply.

4.2 Marketing communication

We use cookies and other tracking technology in our marketing communications (e.g. newsletters), which helps us to assess whether marketing e-mails have been opened, replied to or forwarded, whether links have been followed, etc.

4.3 Job Applications

If you apply for a position with us, we will process the personal data you provide during the application process via the application form or upload. This includes your personal details, education, work experience, skills, contact information like email and phone number, and all documents and additional information submitted such as your CV and certificates. This data is processed exclusively in the context of your application. It may also be used for statistical purposes (e.g., reporting), in which case no conclusions about individuals are possible.

We may also process information from third parties (e.g., references, criminal records, professional networks). If you provide data about other individuals (e.g., referees), please ensure you have their permission and that the data is accurate.

To apply for a job, applicants must fill out the application form, attach their CV, and respond to the required questions. This information is necessary to process the application and ensure secure handling of applicant data. You can request the deletion of your application data at any time.

Our applicant portal is provided by Bamboo HR, LLC located at 42 Future Way, Draper, UT 84020, USA. The data and application documents you provide are stored on Bamboo servers. To ensure the protection of your personal data, we have concluded a data processing agreement with BambooHR LLC, including EU Standard Contractual Clauses (SCC), obligating them to implement appropriate technical and organizational measures. BambooHR does not use your data for its own purposes. BambooHR is also certified under the Swiss-U.S. and EU-U.S. Privacy Framework. For more information about BambooHR’s processing and privacy settings, please refer to the BambooHR General Privacy Notice.

If your data is transferred to countries without an adequate level of data protection, BambooHR provides appropriate safeguards, according to the data processing agreement including SCC.

Your application data is stored separately from other user data and is not merged with it.

You may object to the processing of your data and withdraw your application at any time. Please send your objection to the contact person in the job posting or to the e-mail address provided in Section 1 above with the subject line “Request to Stop Job Application.”

If we enter into an employment contract with you, the data will be stored in accordance with legal regulations. If the application process ends without employment, the data is stored for another 6 months for documentation purposes and then deleted, unless you have consented to have your data retained for future applications. You may withdraw your consent at any time by sending an e-mail to the e-mail address provided in Section 1 above.

5. Cookies, tracking and other technologies related to the use of our website

We may use cookies and similar technologies on our websites that allow us to store information on your device or access information stored on your device. This allows us to better understand user behavior, e.g. to provide our services in a technically error-free, secure, user-friendly and demand-oriented manner.

5.1 Cookies

These are small text files that are stored in the cookie file on your computer's hard drive when you visit our website. Through the use of cookies, your browser receives an identifier and shows it on request to.

Some of the cookies we use are so-called session cookies. These save your entries while you navigate on the website within the same session. Session cookies are automatically deleted after your visit to our website. Permanent cookies, on the other hand, remain stored on your device for several sessions and allow us to recognize your browser the next time you visit the website (and, for example, to perform an automatic log-in or to display the website in your preferred language and according to your preferences). We use permanent cookies to remember your preferences (e.g., language, autologin), to help us understand how you use our services and content, and to provide you with customized offers and advertisements (which may also occur on other companies’ websites; however, we do not tell them who you are, if we even know, because they only see that the same user is on their website who was on a particular page on ours). Some of the cookies are set by us, and some are set by contractors with whom we work. If you block cookies, certain functionalities (such as language selection) may no longer work. Permanent cookies are deleted when their expiration date is reached or if you delete them beforehand.

Most browsers are set to accept cookies by default. You can set your browser so that you are informed about the setting of cookies and only allow cookies in individual cases, generally disable cookies for certain cases and activate the automatic deletion of cookies when closing your browser. If you disable cookies, you may no longer be able to use all the functions of this website. The procedure for disabling of cookies depends on the browser you are using. You can find information on this in the settings menu of your browser.

Apart from technically necessary cookies, we only use cookies if you have given us your consent to do so. You can revoke any consent given at any time by changing your cookie settings.

5.2 Social media plug-ins or social share plug-ins

You can recognize plug-ins by the corresponding network logo or the "Like" or "Share" buttons on our website. By clicking on the plug-in, you can share content from our website on social networks. The plug-in reports to the social network that your IP address is visiting our website. This can happen even if you are not logged into the social network or are not a member of the social network. If you are logged into the social network, the social network can assign your surfing behavior directly to your profile there.

The social network is responsible for the processing of your personal data transmitted with the plug-in and the data protection provisions of the respective social network apply. We do not obtain precise knowledge of the content and scope of the transmitted data and its use by the social network and do not exercise any influence on it. As a rule, this involves the following data: website visited, data transmitted by your browser (IP address, browser type and version, operating system, time) and your identification number in the social network, provided you are registered there as a user.

If you share content via a plug-in, you are not authorized to speak on our behalf. These are your own expressions, for which we are not responsible and liable.

Cookies and similar technologies generally do not provide personal data, but only anonymous traffic data related to your device (e.g., your IP address) and statistical data (e.g., number and type of website visits). However, to the extent that the identifiers collected are classified as personal data by applicable law, we treat them as such. In addition, we sometimes combine non-personal data collected using these technologies with other personal data held by us. When we combine data in this way, we treat the combined data as personal data.

5.3 Social media presence

– On our website, we have set up links to our social media presence on Medium, Instagram, LinkedIn and X (formerly Twitter). If you click on the corresponding icons of the social networks, you will automatically be redirected to our profile on the respective social network. In order to be able to use the functions of the respective network there, you must, in some cases, log in to your user account for the respective network.

– When you open a link to one of our social media profiles, a direct connection is established between your browser and the server of the social network in question. This provides the network with the information that you have visited our website with your IP address and accessed the link. If you access a link to a network while logged into your account on the network concerned, the content of our site may be linked to your profile on the network, i.e., the network may link your visit to our website directly to your user account. If you want to prevent this, you should log out before clicking on the relevant links. In any case, an association takes place when you log in to the relevant network after clicking on the link.

– If you have your habitual residence in Switzerland or the European Economic Area (EEA), the provider of the social network is based in Ireland, otherwise in the USA. The provider of the Medium social network is based in the USA. More detailed information on data processing by the provider of the social media platform can be found in the privacy policy of the respective provider:

Instagram
Meta Platforms Inc. (USA)/Meta Platforms Ireland Ltd. (Ireland): Meta Privacy Policy

LinkedIn
LinkedIn Corporation (USA)/LinkedIn Ireland Unlimited Company (Ireland): LinkedIn Privacy Policy

X (formerly Twitter)
X Corp. (USA)/Twitter International Company (Ireland): X Privacy Policy

Medium
A Medium Corporation (USA): Medium Privacy Policy

5.4 Google

On our website, in our applications and in our operations, we use various services (e.g. Google Analytics, Google Workspace, and Google Cloud Platform) of Google LLC, based in the USA, or, if you have your habitual residence in the EEA or Switzerland, of Google Ireland Limited, based in Ireland (“Google”).

Google uses technologies such as cookies, web storage in the browser and tracking pixels, which enable an analysis of your use of our website. The information thus generated about your use of our website may be transmitted to a Google server in the USA and stored there.

We use tools provided by Google that, according to Google, can process personal data in countries where Google or Google’s subcontractors maintain facilities. Google promises an adequate level of data protection in its Data Processing Addendum for Products where Google is a Data Processor by relying on the EU standard contractual clauses. Google is also certified under the Swiss-U.S. and EU-U.S. Privacy Framework. For more information about Google’s processing and privacy settings, please refer to Google’s privacy policy and Google’s privacy settings.

Google Analytics: We use Google Analytics 4 on our website and in our applications, as well as for marketing and advertising purposes. Google Analytics uses cookies that are stored on your end device (laptop, tablet, smartphone or similar) and enable an analysis of your use of our website. This enables us to evaluate the usage behavior on our website and to make our offer more interesting by means of the statistics/reports obtained.
– The information generated by the cookie about your use of our website (including your IP address) is usually transmitted to a Google server in the USA or Ireland and stored there.
– Google Analytics 4 has IP address anonymization enabled by default. This means that your IP address is shortened by Google within Switzerland or the EU/EEA before being transmitted to the USA. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there.
– Google uses this information to evaluate your pseudonymous use of our website, to compile reports on website activity and to provide us with other services related to website and internet use. The IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data, according to Google. When you visit our website, your user behavior is recorded in the form of events (such as page views, language settings, your “click path”, interaction with the website) as well as other data such as your approximate location (region), technical information about your browser and the end devices you use or the referrer URL, i.e. via which website / advertising material you came to our website.
– As an alternative to revoking any consent given (by changing your cookie settings), you can prevent the collection by Google of the data generated by the cookie and related to your website use (including your IP address), and the processing of this data by Google, by downloading and installing the Google Analytics Opt-out Browser Add-on.
– This will set an opt-out cookie that will prevent future collection of your data when you visit our website. To prevent the collection of data by Google Analytics across different devices, you must perform the opt-out on all devices used.
– An overview of the data use in Google Analytics and the measures taken by Google to protect your data can be found in Google’s Help Center. Further information on the terms of use of Google Analytics and data protection at Google can be found in the Google Analytics Terms of Service and Google’s privacy policy.

Google Tag Manager: Our websites and our applications use the Google Tag Manager. With the Google Tag Manager, website tags can be managed efficiently. Website tags are placeholders that are stored in the source code of the respective website, e.g. to record the integration of frequently used website elements, such as code for web analytics services. Google Tag Manager does not use cookies; it triggers other tags, which in turn may collect data. Google Tag Manager does not access this data. If a deactivation has been made at the domain or cookie level, this remains in place for all tracking tags that are implemented with Google Tag Manager. For more information, see the Google Tag Manager Terms of Service and Google’s Tag Manager Help Center.

5.5 HubSpot

We use HubSpot on our website and in our applications. HubSpot is a software company based in the USA (HubSpot Inc., 25 First Street, Cambridge, MA 02141 USA) with a branch in Ireland: HubSpot, 2nd Floor 30 North Wall Quay, Dublin 1, Ireland. The HubSpot services are used for marketing automation, lead generation, customer relationship management, user analytics, and optimization of our marketing activities. This includes e-mail marketing, social media publishing and reporting, contact management (e.g., user segmentation and CRM), landing pages, and contact forms.

HubSpot places cookies to track and associate visitors with their submissions and interactions across sessions and websites by storing a HubSpot unique user token (pseudonymous ID) and timestamps. If you, as a visitor to our website, later submit a form, the data collected via the HubSpot cookies may be linked to personal data (e.g., name, email) submitted by you.

You can find more information in HubSpot’s privacy policy.

5.6 Vimeo

Our website uses the services of the provider Vimeo Inc., based in the USA ("Vimeo"), to embed videos.

When you visit a page on our website that contains a Vimeo video, your browser establishes a direct connection to Vimeo's servers. This allows Vimeo to know which of our web pages you have visited and to receive your IP address. This happens even if you are not logged into a Vimeo account or do not have one. If you are simultaneously logged into your Vimeo account, Vimeo can associate this information with your personal user account. You can prevent this association by logging out of your Vimeo account before using our website and deleting the relevant Vimeo cookies.

Vimeo is certified under the Swiss-U.S. and EU-U.S. Privacy Framework, ensuring an adequate level of data protection for transfers to the USA. Further information on how Vimeo processes personal data can be found in Vimeo's privacy policy.


6. Disclosure of personal data

We may disclose personal data to the following categories of recipients:

— Affiliated entities and/or business partners;

— Service providers, suppliers and subcontractors, including processors (such as IT service providers);

— Domestic and foreign authorities or courts as well as arbitral tribunals, parties in possible or pending legal proceedings;

— We may share personal data with relevant oversight, accreditation, or regulatory bodies as needed. Any broader data sharing with industry organizations will only occur in anonymized form;

— Other parties in connection with corporate transactions.

Regarding processing of your personal health information please also consider the declaration of consent and InoHealth Platform User Access Terms and Conditions. Disclosure of personal health data is limited to what is necessary and permitted under applicable data protection laws and is only carried out with appropriate safeguards, including your explicit consent where required.

If we transfer personal data to third parties, the respective third party may process personal data in accordance with their own privacy notices and regulations. We take reasonable steps to ensure that such third parties provide adequate data protection safeguards.

7. Disclosure of personal data to other jurisdictions

We may disclose personal data to recipients outside of Switzerland, including to EU/EEA member states, the UK, the US, New Zealand and to any other country of the world, e.g., to countries where our clients or business partners are located.

We may disclose personal data to a country without adequate legal data protection, provided that:

— We ensure adequate protection, namely by means of sufficient contractual guarantees such as the standard contractual clauses of the European Commission, or binding corporate rules, or based on certification under the Swiss-U.S. and EU-U.S. Privacy Framework. You can obtain a copy of the contractual guarantees from the contact point mentioned above or find out from them where such a copy can be obtained. We reserve the right to redact such copies for data protection reasons or for reasons of confidentiality or to supply only excerpts;

— You give your express consent;

— It is necessary for the execution of a contract with you or of a contract in your interest;

— It is necessary for the fulfillment of a legal obligation;

— It is necessary to safeguard overriding public interests, to establish, exercise or enforce legal claims or to protect the life or physical integrity of you or third parties;

— You have made the personal data generally accessible and do not expressly prohibit processing; or

— The personal data originate from a register provided for by law, which is public or accessible to persons with an interest worthy of protection, insofar as the legal requirements for inspection are met in the individual case.

8. Automated individual decisions

Automated individual decisions are those that are made entirely without human intervention and that have legal consequences for the affected person or significantly impact them in another way. We generally do not use this method, but we will inform you separately if we apply automated individual decisions in specific cases. In such instances, you will have the opportunity to have the decision reviewed by a human if you disagree with it.

9. Duration of the retention of personal data

We process and store personal data as long as it is necessary for the processing purpose for which we collected it (e.g., for the duration of the entire business relationship from the initiation until the termination of a contract). In addition, there may be a contractual or legal obligation to retain or document data for a longer period. It is possible that personal data will be stored for the time during which claims can be asserted against our company and insofar as we are otherwise legally obligated to do so or legitimate business interests require this (e.g. for evidence and documentation purposes). We thus store contract-related personal data in principle for the duration of the contractual relationship and for ten years beyond the termination of the contractual relationship.

If the personal data is no longer required for the fulfillment of the processing purpose, it will be deleted or anonymized as far as possible. Subject to an express written agreement, we are under no obligation to you to retain personal data for a specific period of time.

10. Data security

We take appropriate technical and organizational security measures to protect your personal data from unauthorized access and misuse, such as the issuance of warnings, training, IT and network security solutions, access controls and restrictions, encryption of data media and transmissions, pseudonymization, controls.

11. Rights of the data subject

Under applicable data protection law, you may have the following rights:

— A right to be informed upon your request of our processing of your personal data;

— A right to correction, deletion or destruction of your personal data;

— A right to objection to the processing of your personal data;

— A right to revoke your consent if the processing of your personal data is based on your consent. The revocation is possible at any time and is effective for the future. The revocation does not affect the lawfulness of the data processing that took place until the revocation;

— A right to receive your personal data in certain cases and in an electronic format that allows your further use;

— A right to information regarding any automated individual decision-making in which we may engage, insofar as this is required by law.

To exercise your rights, you may contact us at the contact point mentioned above. The exercise of your rights generally requires that you can prove your identity (e.g., by sending us a copy of your valid ID). We also draw your attention to the fact that by deleting your personal data, services are no longer available or can no longer be used, in whole or in part, and that the exercise of these rights may conflict with contractual agreements and this may have consequences such as the premature termination of the contract or cost consequences. We will inform you in advance if this is not already contractually regulated. We reserve the right to restrict your rights where permitted by applicable law.

You may have the right to enforce your claims in court or to file a complaint with the competent data protection authority. The competent data protection authority in Switzerland is the Federal Data Protection and Information Commissioner (http://www.edoeb.admin.ch).

12. Obligations of the data subject

In the context of our contractual relationship, you must provide the personal data that is required for the establishment and implementation of a contractual relationship and the fulfillment of the associated contractual obligations (you do not usually have a legal obligation to provide us with data). Without this data, we will generally not be able to enter into or perform a contract with you (or the entity or person you represent) or provide our services to you within the InoHealth platform. Also, our website cannot be used if certain traffic-securing information (such as IP address) is not disclosed.

If you provide us with personal data of other persons (e.g. data of work colleagues), you must ensure that these persons are aware of this privacy notice and you may only share their personal data with us if you are allowed to do so and if this personal data is correct.

Please note that the internet is generally not a secure environment because it is an open network that can be accessed by anyone. Therefore, we also appeal to your personal responsibility with regard to the handling of your personal data. To the extent permitted by law, we exclude liability for the security of data that you transmit to us via the internet (e.g., by e-mail) or other insecure electronic channels and for any direct or indirect damage. We ask you to choose other communication channels, should this appear necessary or reasonable for security reasons.

13. Modification of the privacy notice

InoHealth may amend this privacy notice at any time without prior notice. The current version published on our website (1.0) shall apply.
