Welcome to the Medicinsk Optik Portal! We are pleased that you are using our Services (“Services”). Data protection and data security when using our Services are very important to us. We would therefore like to inform you which of your personal data we collect and for what purposes it is used.
This Privacy Policy describes our privacy practices in plain language, keeping legal and technical jargon to a minimum, to make sure you understand the information provided.
WHAT IS PERSONAL DATA?
Personal Data is any information relating to an individual who can be identified or is identifiable, either directly from that information or indirectly when combined with other information. This includes special category data, such as information about your health.
WHAT LAW APPLIES?
We will only use your Personal Data in accordance with applicable data protection laws, including the Swedish Data Protection Act (DPA) and the EU’s General Data Protection Regulation (“GDPR”).
WHO IS RESPONSIBLE?
We are Medicinsk Optik (“we”, “us”), and our registered address is Kungsportsavenyen 33, 411 36 Göteborg, Sweden.
If you have any questions or concerns about how we use your Personal Data, please contact us at kontakt@medicinskoptik.se and we will do our best to address your concerns.
DATA WE COLLECT AND WHY
All Personal Data we obtain from you will only be processed for the purposes described below. We only collect Personal Data if:
- you have given your explicit consent;
- the data is necessary to fulfill a contract or for pre-contractual measures;
- the data is necessary to fulfill a legal obligation; or
- the data is necessary to protect our company’s legitimate interests.
Account Creation
During account sign-up, we ask you to provide your first and last name, email address, and a password. This information is necessary to create and manage your secure account and to fulfill our contractual obligations to you.
Health Assessment Data (Special Category Data)
The core function of our portal is to allow you to request assessments from a medical doctor who can then make recommendations. To use this Service, you will be asked to answer a series of 56 questions that require the input of your personal data and a significant amount of special category health data.
Purpose: We process this sensitive data to provide you with a health assessment, generate a diagnostic report, and allow our medical professionals to make recommendations.
Legal Basis: We process this special category data only with your explicit consent (Article 9(2)(a) GDPR), which you provide before starting the assessment.
Internal Governance: The secure and confidential handling of this data is further governed by our internal Patient Data Policy. This dedicated policy outlines our strict internal procedures for data security, access control, and lifecycle management to ensure the utmost integrity and confidentiality of your health information, reflecting the high standard of care required for medical data.
Booking Appointments (Calendly)
We offer you the ability to book appointments with our specialists through our integrated Calendly booking feature. When you book an appointment, Calendly, acting as our data processor, will collect your name, email address, and information related to your appointment time. This is necessary to schedule your consultation and fulfill our contract with you.
Contacting Us and Support Tickets
When you contact us, including by creating a support ticket, we collect the data you submit, such as your name, email address, and your message, to process your inquiry and respond to you. Our employees may access data you knowingly share with us to provide technical support. The legal basis is our obligation to fulfill our contract and our legitimate interest in processing your request.
DATA SHARING AND THIRD-PARTY PROCESSORSY
In certain cases, it is necessary to transmit your Personal Data to provide our Services. We only share data with trusted third-party service providers (processors) and have Data Processing Agreements (DPAs) in place with each of them, as required by Article 28 of the GDPR.
Our key processors for this portal include:
- Hosting: Hetzner provides the secure hosting infrastructure for our portal.
- Email Communications: typystack.io is used as an email service provider to send you affirmations and communications related to your account.
- Portal Analytics: Hotjar is used to help us understand how users interact with our portal through session recordings and heatmaps, allowing us to improve the service.
- Content Hosting: LifliQue is a platform used for hosting educational slides accessible to you within the portal.
- Appointment Scheduling: Calendly is used to facilitate the booking of consultations.
- Payment for Services: We offer several methods for payment. For all third-party services, we do not have access to or store your sensitive payment details.
- Online Payments (Stripe): We use Stripe to process secure online payments. We have no access to any credit card or payment information you submit directly to Stripe.
- Mobile Payments (Swish): We accept payments via the Swish mobile payment system. Your transaction is handled securely through the Swish platform and your bank.
- Bank Transfer: You may pay via direct bank transfer. Your payment is processed securely by the respective banking institutions involved in the transfer.
- In-Person Payments: Payments can be made directly at our clinic during your consultation.
Our formal relationships with these processors are governed by legally binding contracts, which are further detailed in our Processing Addendum. This document ensures that your data is treated with the same high level of protection by our partners as it is by us and that they act only on our instructions.
AI CHATBOT
Our portal includes a free-text AI chatbot to assist you. Given the medical context, inquiries may involve personal and special category health data. We have assessed the risks associated with this tool in accordance with the emerging EU AI Act. We are transparent about your interaction with an AI system and have implemented data governance and risk management practices to protect any sensitive data it may process.
DATA SECURITY
The security of your data is our highest priority. Our services use SSL/TLS encryption to protect the transmission of all confidential content. We have implemented comprehensive technical and organizational measures, including robust encryption for data at rest and in transit, and need-to-know access controls to ensure the most complete protection of your Personal Data. This is particularly critical for the unencrypted email transmission of sensitive data identified in our recent audit, a practice which has been rectified. In the event of a data breach, we will notify all affected individuals whose Personal Data may have been compromised as expeditiously as possible after the breach is discovered.
DATA RETENTION
We process and store your Personal Data only for the period required to achieve the processing purpose or as long as a legal retention period exists. To determine the appropriate retention period, we consider the amount, nature, and sensitivity of the data, the purposes for which we process it, and applicable legal requirements. Once the purpose has been achieved or the period has expired, the data is securely deleted. For health data, this means we retain the data for as long as your account is active and in accordance with legal requirements for medical records.
YOUR RIGHTS AND PRIVILEGES
You have extensive and clearly defined rights regarding your Personal Data. We are committed to ensuring you can exercise them easily and effectively.
- The Right to Access:
- The Right to Rectification:
- The Right to Erasure (‘Right to be Forgotten’):
- The Right to Restrict Processing:
- The Right to Object to Processing:
- The Right to Data Portability:
Withdrawing Your Consent
Where we rely on your consent to process your Personal Data, you have the right to withdraw that consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
This is especially important for the special category health data we collect in the assessment. You can withdraw your consent for this processing at any time by contacting us at kontakt@medicinskoptik.se or by using the “Delete Account” function in your profile.
Please note that withdrawing your consent for the processing of your health data is a significant action. It will mean we can no longer provide you with our assessment, diagnostic, and recommendation Services, as this data is fundamental to their operation. Upon withdrawal, we will delete your special category data in line with our data retention policies and any overriding legal obligations for medical record-keeping.
COMPLAINT TO A SUPERVISORY AUTHORITY
You have the right to complain about our processing of Personal Data to a supervisory authority. The supervisory authority in Sweden is:
Swedish Authority for Privacy Protection
Integritetsskyddsmyndigheten (IMY)
Box 8114
104 20 Stockholm
Sweden
(https://www.imy.se/en/)
We would, however, appreciate the chance to deal with your concerns before you approach the IMY.
CHANGES
The first version of this policy was issued on 10 June 2025 and is the current version. Any prior versions are invalid, and if we make changes to this policy, we will revise the effective date.