DBC Health Privacy Policy 

Updated: Nov 14, 2024, v.2.4

DBC Health (Apptive Health in the US) is an application intended for self-initiated risk stratification of problems related to the musculoskeletal system, information sharing, digital coaching and care, care management, quality monitoring, and communication related to care.


This Privacy Policy Statement outlines how we use and process the information we collect from people and organizations registered in the DBC Health information system. We also describe the purposes and objectives of personal data processing.


Data protection is a top priority for us. When processing personal data, we comply with the EU’s General Data Protection Regulation (GDPR) as well as other relevant legislation and guidelines that apply to our operations, such as national data protection regulations and patient legislation.



1.   General definitions

1.1. Definitions according to the EU’s General Data Protection Regulation


“Personal data” means any information related to an identified or identifiable natural person, referred to as a “data subject” below. A natural person is considered to be identifiable when they can be identified directly or indirectly based on particular identification information, such as name, personal identity code, location information or network identification information, or based on one or more characteristic physical, genetic, psychological, financial, cultural or social factors.


“Health information” means personal data related to a natural person’s physical or mental health, including information on the provision of health services, which indicates the person’s state of health.


“Profiling” means the automatic processing of any personal data where the personal data is used to assess certain personal properties of a natural person. For this Privacy Policy Statement in particular, this means the analysis or anticipation of characteristics related to the natural person’s health and behavior.


1.2. Definitions according to this Privacy Policy Statement


“Application” means the DBC HEALTH (or APPTIVE HEALTH) application, including the mobile application and a potential web application, as well as the related server system in the background where the personal data is processed.


“Data subject” means a person who is registered for the application and/or whose personal data is otherwise processed within the application.


“User” means a person using the application either concerning themselves, on behalf of another person, for instance, as the legal guardian of a minor, or as an invited user whom a primary user has authorized to access the application.


“Data controller” means the organization identified in section 2.1 of this Privacy Policy Statement. The data controller defines the purposes and means of personal data processing. The data controller is the organisation that is responsible for the service provided to the data subject with the help of the application.


“Application provider” means for the purpose of this Privacy Policy Statement the organisation in the name of which the application is made available in application stores, such as Apple App Store or Google Play Store, or on a website.


“Sending Organization” means the health organization sending the User or Data subject to Services linked to the use of this Application, or the Organization acting as a payer of these services, e.g., an insurance company or employer.


“Pseudonymized data” refers to information that only the Data controller can associate with a particular person. The Application Provider only deals with pseudonymized information and cannot associate this information with an individual. For the sake of clarity, only the Data controller can process personal data with customers' identification information.




2. Data controller and the data controller’s contact information

2.1. Data controller and the data controller’s contact information


It is the data controller’s responsibility to define the purposes and means of personal data processing for the application.

The data controller is the organization as the customer of which a data subject is registered or a user registers for the application.


The contact information of the data controller can be found within the application after logging into it. This information can be found in the Account menu under Contact.


The data subject (end user) may later authorize other data controllers to use his/her own data.



2.2. Application provider and application service supplier and their contact information


The application provider / data processor is responsible for presenting the application in application stores and, potentially, for local user support.



2.3. Registered Groups


The collected data pertains to the following groups of data subjects, which include:



For each group, the following personal information may be collected:










3. Name of the register


Register for the DBC HEALTH (or APPTIVE HEALTH) application.



4. Purpose of personal data processing and the legal grounds for the processing


The processing of personal data serves the following purposes:

Providing the data controller with care-related information pertaining to the data subject, which is either automatically transmitted to the data controller by the application or manually entered by the user into the application and subsequently submitted to the data controller.

Upon inviting a data subject to become a user of the application, the data controller may process the data subject's identifying information, such as their name and personal identity code, as well as their contact information, such as telephone number and/or email address. This processing of personal data is grounded in the establishment of a customer relationship and the legitimate interests of the data controller. The personal identity code is processed to fulfill the rights and obligations of both the data subject and the data controller, such as verifying the identity of the data subject.

The processing of personal data required by the application following registration is based on the explicit consent of the data subject. Additionally, the data controller may process other personal data not falling within the specific personal data categories of the data subject, such as health information, for statistical purposes, based on legitimate interest.

Furthermore, subject to the data subject's separate consent, the data controller and/or application provider may process personal data for research or marketing purposes.

The data controller is obligated to transfer and store Personal Data and Health Information in appropriately applicable Electronic Health Records in accordance with legal requirements.



5. Information content of the register


The register contains the following information on the data subject and user.


The following information is stored for the data subject:


In addition, the following information is stored for the user:



6. Retention period for personal data


Personal data is stored in the application for as long as it is necessary for the service provided by the data controller with the help of the application. Even after that, certain information will be stored as required by legislation, such as log information and archival requirements prescribed by law.

In addition, the application supplier may store pseudonymized data even after the retention period mentioned above. Pseudonymized data is intended to be used for constructing and maintaining a profiling model as described in section 11, and for statistical purposes to develop the application and service.



7. Regular sources of data


Sources of the data that is stored in the application include:

Depending on the data controller, registration for a user of the application takes place either (1) through strong identification or (2) through a unique activation code with restrictions on time and the number of uses created for the user on the data controller’s initiative, together with the user’s telephone number or email address and a password set by the user or (3) using any other identification method. The created user ID and password will later be used for logging into the application if the user logs out of the application. It is the user’s responsibility to ensure that the user ID and password cannot be used by unauthorized persons.



8. Regular disclosure of data


The information entered and sent by the user in the application is transmitted to the data controller whose customer the data subject is. From that point onwards, the data controller takes care of processing the data according to its own principles.

As a part of supplying the application (such as in delivering the application to users, maintaining it, monitoring its functioning, information security and lawfulness, identifying a person and in the information exchange and messaging channels), the application provider also uses the following types of third-party services, during the use of which it processes a part of items considered personal data as follows:

When the user contacts the data controller, application provider or any other dedicated customer support in a problem situation, the user can be offered technical user support by the application provider in which case the need to identify the user arises. In this connection, data belonging to the user’s personal data may have to be processed by the support staff of the application provider or dedicated customer support based on data provided by the user as a part of the troubleshooting process, as necessary. 



9. Transferring data outside the EU or the European Economic Area


As described in section 8, personal data collected by the service is mainly stored on servers located within the area of the European Union (EU); however, some of the personal data is also processed outside the EU and the European Economic Area by external organizations. 

The transfer of data outside the EU and the European Economic Area as a part of the use of the service is based on prerequisites provided for in the EU’s General Data Protection Regulation (2016/679), such as a sufficient level of data protection in the target country (through the Privacy Shield mechanism, see https://www.privacyshield.gov), and standard contractual clauses approved by the European Commission. 

Using Apple services with iOS devices, such as receiving push notifications through the Apple Push Notification service (APNs) and using the Apple Maps service, is based on the user’s consent.



10. Principles of protecting the register


We use the necessary technical, physical, administrative, contractual, and organizational security measures to protect the personal data from unauthorized access, as well as accidental or unlawful erasure, changing, disclosure, transmission or other illegal processing of the data.

The personal data can only be accessed with the personal user ID of an authorized employee or a professional participating in the provision of care. There are several levels of access rights, and each user is granted an access right that is sufficient for carrying out their task but as restricted as possible. The data subject has the right to inspect the personal data stored in the service. The data subject can agree on this, for instance, with the data controller during a meeting.


11. Profiling


Profiling performed by the application is intended to support the best possible success of the service received by the data subject. For instance, the application may seek to recognize whether the data subject belongs to any of the following risk groups:

Based on a profile, the application or data controller may target the data subject with special attention, such as reminders. This data processing will not result in automatic decisions that would have legal effects concerning the data subject; decisions concerning the data subject (such as decisions on procedures) are always made by a natural person, such as a professional employed by the data controller. In case of a No Risk or Low Risk classification in the application-based Self-Assessment, proactive progressive exercise programs and general information about MSK issues may be shared automatically.

When a user engages with a digital proactive training program, they understand that the program is specifically tailored based on their individual responses within the DBC Health application. They also recognize that if they need assistance, the DBC Health application includes a Customer Assistance Request (CAR) feature, enabling them to easily connect with an expert whenever necessary.

For the technical implementation of profiling, the service supplier may save and store pseudonymized data, i.e., data from which identifying factors related to the data subject have been erased and in which the data subject cannot be identified in any manner.

Based on the data subject’s separate consent, the data controller and application provider may store data on the data subject that is used, for instance, for general quality control of care, for the development of the application or the care offered by the data controller, or for research purposes. Such data obtained from the data subject is kept in a separate database in a format that makes it impossible to identify the data subject from the data without separately stored additional data.


12. Rights of the data subject

12.1. The right of the data subject to access their data (right of inspection)


When logging on to the application, the user can always see most of the data the application is collecting.

The data subject also has the right to inspect what other information concerning them has been stored in the application. An inspection request must be made according to section 13 of this Privacy Policy Statement. The right of inspection can be denied on the grounds provided for in the legislation. As a rule, exercising the right of inspection is free of charge, but if the data is requested again for the same time period, the data subject may be charged for the cost incurred.


12.2. The data subject’s right to demand the rectification or erasure of data or restricting its processing


The data subject can update their own basic information in the application. To the extent the data subject can act themselves, they shall, without undue delay after having received the information on an error or detecting the error themselves, on their own initiative rectify, erase, or supplement the data contained in the register that is contrary to the purpose of the application, erroneous, unnecessary, defective or outdated.

To the extent that the data subject cannot rectify the data themselves, a rectification request shall be made according to section 13 of this Privacy Policy Statement.


12.3. The right of the data subject to demand the erasure of their data


The data subject also has the right to demand that the data controller erase their personal data to the extent that it is allowed by the legislation.

The erasure of data from the application or withdrawing one’s consent to the use of the application will not restrict the data controller’s statutory right to the processing of personal data.


12.4. The right of the data subject to demand restricting the processing


The data subject also has the right to demand that the data controller restrict the processing of their personal data, for instance, in a situation where the data subject is waiting for the data controller’s response to a request to rectify or erase their data.

Restricting the processing is not possible to the extent that the data controller is fulfilling its statutory duty.


12.5. The right of the data subject to transmit their data from one system to another


To the extent that the data subject has entered data into the application themselves and this data is processed based on the data subject’s consent, the data subject has the right to receive such data for themselves, primarily in a machine-readable format. The data subject also has the right to transmit this data to another data controller. Such data includes, for instance, information describing the data subject’s health or prior medical history that the data subject has entered into the service.


12.6. The right of the data subject to file a complaint to the supervising authority


The data subject has the right to file a complaint to the competent supervising authority if the data controller has not complied with the relevant data protection regulations in its operations.


12.7. Other rights


If personal data is processed based on the data subject’s consent, the data subject is entitled to withdraw their consent by notifying the data controller of this.


13. Contact


For all questions related to the processing of personal data and in situations related to exercising one’s rights, the data subject shall contact the data controller. The contact information of the data controller can be found in section 2.1.

The request must clearly indicate which data you want to have changed, erased, inspected, or updated, or for which data you want to set processing restrictions. The data controller will act on your request as soon as possible. Please note that rectifying, updating, or erasing certain data may mean that your account needs to be temporarily deactivated, during which time you cannot access the application. In such a case, we will not be liable for any harm caused.

If necessary, the data controller may ask the data subject to further specify their request in writing, and the identity of the data subject may be verified, if necessary, before any other action is taken.



14. Marketing and Promotional Activities


On behalf of the Data Controller, personal data may be utilized for marketing and promotional purposes only with the explicit consent of the data subject. Users have the right to refuse marketing communications or to withdraw consent for such use at any time. Procedures for opting out of marketing communications are outlined within the application, and users can also contact the data controller to exercise this right. All marketing activities will comply with applicable laws and regulations regarding data protection and privacy.

For clarification, DBC Global acts as Data Processor and will always manage only group level data or pseudonymized data and.


15. Changes to this Privacy Policy Statement


The Data Processor is entitled to make changes to this Privacy Policy Statement as a part of its own or the application's development activities, or when there are changes in legislation. The updated Privacy Policy Statement will be published within the application. Before continuing the use of the application, the user must read the updated Privacy Policy Statement if the changes made in it have an impact on the processing of personal data or change the principles of personal data processing.