Personal Data Policy (Privacy Policy)
Data Controller and Contact Information
Hemi Health B.V.
Omval 407, 1096HR
Amsterdam
Contact: hallo@hemihealth.com
At Hemi, we are dedicated to protecting the personal data you provide to us. In this privacy policy, you can read about which information we collect, what we use the information for, how we protect it, and which rights you have as a result of our processing.
In which situations do we collect and process your personal data?
- When you book an appointment with us.
- When you create a user account and use our mobile application.
- When we prepare and carry out your treatment, either physically or online.
- When we need to share your treatment plan with your doctor.
- When we administer your payment.
- When you sign up for our newsletter.
- When we respond to your general inquiries via e.g. email, social media, etc.
- When you visit our website and cookies are placed on your device.
Which personal data do we collect, for what purposes, and on what legal basis?
Booking an appointment
When booking an appointment with us, we collect ordinary personal data such as name, email address, phone number, time of treatment, and your citizen service number (BSN). Booking takes place either via our website, through our mobile app, or via phone calls to our support staff.
The legal basis for processing ordinary personal data is Article 6(1)(b) of the GDPR. The legal basis for processing your citizen service number (BSN) is Article 6(1)(c) and Article 9(2)(h) of the GDPR, in conjunction with applicable Dutch healthcare legislation, which requires that patient medical records include the BSN for identification purposes.
User registration and use of our mobile application
When creating a user account and using our mobile application, we collect ordinary personal data such as name, email address, gender, date of birth, and phone number. The data is collected so we can identify you in connection with treatments, and so you can log in again if, for example, you forget your password. The legal basis for processing this data is your consent, cf. GDPR Article 6(1)(a).
We also collect sensitive personal data in the form of health data in the mobile application. This is done to enable you to use our migraine diary, and the legal basis for processing this health data is likewise your consent, cf. GDPR Article 9(2)(a).
You may withdraw your consent at any time by writing to hallo@hemihealth.com.
Preparation and provision of treatment
When preparing and providing your treatment, either physically or online, we process the personal data necessary to provide you with the best possible treatment. This includes ordinary personal data such as name, email address, phone number, gender, date of birth, and other ordinary personal data that may be relevant to the treatment.
We only request information that is relevant to your course of treatment, and our staff are subject to a statutory duty of confidentiality pursuant to the Dutch Medical Treatment Contracts Act (WGBO) and the professional duty of confidentiality (beroepsgeheim). The legal basis for processing ordinary personal data is GDPR Article 6(1)(b).
In addition to ordinary personal data, we also collect health data, such as the types of medication you use, duration of conditions, types of headaches, etc. Our practitioners use the information you have registered in our mobile application, which includes general health information, specific migraine information, and data entered in the migraine diary, if you have used it.
The information is used collectively to analyze your condition so that a more precise diagnosis can be made and the most effective treatment possible can be recommended. The legal basis for processing health data for treatment purposes is GDPR Article 9(2)(h) concerning medical diagnosis and treatment.
During treatment, your citizen service number (BSN) is recorded in order to maintain medical records as required by Dutch law. The legal basis for this processing is Article 6(1)(c) and Article 9(2)(h) of the GDPR, in conjunction with the Dutch Medical Treatment Contracts Act (WGBO) and the Dutch Healthcare Quality, Complaints and Disputes Act (Wkkgz).
Sharing treatment plans with your doctor
When sharing your treatment plan with your doctor, ordinary personal data such as name, phone number, email address, and BSN, as well as sensitive personal data in the form of health data, are disclosed to your general practitioner.
This may occur either because you share the information yourself via the migraine diary in our mobile application, or because you provide consent pursuant to GDPR Articles 6(1)(a) and 9(2)(a) for Hemi to share information with your doctor. The purpose of the disclosure is to give your doctor insight that can assist with more accurate diagnosis and thus more effective treatment.
You may withdraw your consent at any time by writing to hallo@hemihealth.com.
Payment administration
When administering your payment, we process ordinary personal data such as name, address, phone number, and payment details. The data is processed and recorded in order to receive your payment and to comply with our statutory accounting and record-keeping obligations under Dutch law. The legal basis for this processing is Article 6(1)(b) and Article 6(1)(c) of the GDPR.
Newsletter subscription
When you sign up for our newsletter, we collect your email address. This is done so we can send messages about, for example, news, webinars, tips, and similar content.
If you sign up for the newsletter in connection with booking an appointment, your email address is collected based on your consent, cf. GDPR Article 6(1)(a). If you sign up via the front page of our website, the legal basis for processing is GDPR Article 6(1)(f).
You can withdraw your consent at any time either via the link in each newsletter or by writing to hallo@hemihealth.com.
General inquiries
For general inquiries, e.g. via email, social media, and similar channels, we typically collect your email address, name, the content of the inquiry, and any other details you provide. The data is necessary in order for us to respond to your inquiry, and since we have a legitimate interest in doing so, the processing is based on GDPR Article 6(1)(f).
If you provide us with health data related to, for example, your course of treatment, such data is processed pursuant to GDPR Article 9(2)(h).
Website and mobile application – cookies
When visiting our website and using our mobile application, we use cookies to collect information such as your IP address, browser type, operating system, and pages visited on our website. We use this information to analyze and improve our website and mobile application.
Analytical/marketing cookies are only placed and used for analysis/marketing purposes if you give your consent. You can read more about our use of cookies further down on this page.
You may withdraw your consent at any time. For cookies on the website, this can be done by scrolling down to our cookie policy and clicking “Change your consent.” For cookies in the mobile application, please contact hallo@hemihealth.com.
Which third parties do we share data with?
We use external third parties to deliver a range of IT systems, such as our email system, medical records system, booking system, invoicing system, and website operations. In addition, we use a number of suppliers to provide services that enable us to operate and develop the applications we make available to both you and our employees. These include hosting providers, services for sending SMS messages and emails, online consultations, MitID login, etc.
As mentioned above, we may also disclose data to other healthcare professionals, such as general practitioners, if necessary in relation to an ongoing course of treatment.
Several of the third parties we use act as data processors in accordance with GDPR Article 4(8). We have therefore entered into data processing agreements with them to ensure that your personal data is processed securely, properly, and in accordance with the law.
We are very attentive to ensuring that personal data processing takes place within the EU/EEA wherever possible. In cases where a data processor may transfer your personal data to a third country, appropriate safeguards are in place to ensure the protection of your data. These safeguards will typically consist of the data processor having committed to complying with the EU Standard Contractual Clauses pursuant to GDPR Article 46(2)(c). Alternatively, transfers may be made to companies that are considered safe by the European Commission pursuant to GDPR Article 45.
How long do we store your data?
We generally ensure that your data is deleted when we no longer have a purpose for storing it.
- Pursuant to the Dutch Medical Treatment Contracts Act (WGBO), we are required to retain patient medical records for at least 20 years after the last entry in the record. After this period, the records will generally be deleted, unless longer retention is necessary, for example in the event of a complaint, disciplinary, or compensation case. In such cases, the data will be deleted once the case has been concluded or when the applicable statutory limitation period has expired under Dutch law.
- Information related to our customer relationship is deleted after the current year + 5 years, as retention for this period is required pursuant to Section 12(1) of the Bookkeeping Act.
- Job application data such as CVs, educational information, applications, etc. is stored for up to 3 years after the recruitment process has ended.
- Information collected via cookies when you visit our website is stored for the period specified in our cookie policy below. Documentation of your consent is stored for up to 2 years after consent is given.
- If you have subscribed to our newsletter, we store your name and email address until you unsubscribe.
Your rights
You have the right to:
- Access the personal data that Hemi processes about you.
- Request deletion of the personal data that Hemi processes about you.
- Request correction of the personal data that Hemi processes about you.
- Object to Hemi’s processing of your personal data.
- Request restriction of the processing of your personal data.
- Receive your personal data in a structured, commonly used, and machine-readable format.
Please note that your right to erasure may be limited by our statutory obligations under Dutch healthcare legislation. Under these obligations, we are not permitted to delete information from medical records, but only to correct or supplement it.
Complaints
You may lodge a complaint about how we handle your data. If you have a complaint, we will be happy to resolve it for you. You may also submit your complaint to the Dutch Data Protection Authority.
To do so, go to the Autoriteit Persoonsgegevens (AP) website to find the specific channel for complaints and tips.
You can send your complaint to hallo@hemihealth.com. We will process your complaint within 30 days. We may ask you to identify yourself. In that case, we will request information from you to verify that you are the person the data concerns.