Lifeyear OÜ – Privacy Policy

(Patient Mobile Application – Estonia)

Effective Date: 13 February 2026

Statement

Lifeyear OÜ is committed to protecting the privacy and security of personal data processed through the Lifeyear patient mobile application (the “App”). This Privacy Policy explains what information Lifeyear OÜ collects, how it is used, with whom it may be shared where necessary, and how personal data is protected when using the App.

This Privacy Policy has been prepared in accordance with Articles 13 and 14 of Regulation (EU) 2016/679 (General Data Protection Regulation; GDPR) and applicable Estonian data protection law. Unless stated otherwise, this Privacy Policy applies solely to the App and the processing of personal data carried out through it.

Who Is Responsible for Processing Personal Data

  • Data Controller: Lifeyear OÜ
  • Company number: 16035006
  • Registered office: Valukoja tn 10, 11415 Tallinn, Estonia
  • Contact email: info@lifeyear.com

Lifeyear OÜ determines the purposes and means of processing personal data carried out through the App.

In the context of clinical care or research, a healthcare provider may process the user’s personal data in accordance with applicable agreements and data protection requirements.

If questions or concerns arise regarding the processing of personal data, the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon; AKI) may be contacted at www.aki.ee.

Definitions

  • Personal Data: Any information that directly or indirectly identifies a natural person.
  • Special Category Data: Data concerning health, wellbeing, or other sensitive personal information (for example, symptoms or wellbeing scores).
  • Usage Data: Information automatically collected through the App, such as device identifiers, IP addresses, and usage activity.
  • User: The individual using the App.
  • Processor: A natural or legal person or organisation that processes personal data on behalf of the Controller.
  • App: The Lifeyear patient mobile application through which personal data is collected and processed.
  • Processing: Any operation performed on personal data, including collection, storage, viewing, analysis, sharing, or deletion.

Categories of Personal Data Collected

Lifeyear OÜ may collect the following categories of personal data, either directly from the user or through third parties:

  • Contact data, such as first name, last name, email address;
  • Health and wellbeing data such as daily wellbeing assessments, symptoms, medication-related notes, activity data, and free-text observations;
  • Account data, such as username, login credentials, and authentication information;
  • Device and technical data such as IP address, device type, operating system, App version, and usage patterns;
  • Analytics data (e.g., via Firebase), used to improve App functionality; analytics do not include health or wellbeing data attributable to a specific user, and identifiers are minimised or pseudonymised in accordance with Lifeyear OÜ’s Data Protection Impact Assessment (DPIA);
  • Information provided by the user when contacting support, responding to surveys, or through other communication channels.

Personal data may be provided voluntarily by the user or collected automatically when using the App. Unless stated otherwise, data required for the functioning of the App is mandatory, and failure to provide it may make certain features unavailable.

Legal Basis of Processing

Personal data is processed only where a lawful basis exists under the GDPR.

Lifeyear OÜ may process personal data on the following legal bases:

  • Consent: the user has given clear consent for one or more specific purposes;
  • Explicit consent: required for processing special category data, including health and wellbeing data;
  • Legal obligation: where processing is necessary to comply with applicable laws;
  • Legitimate interests: where processing is necessary for the operation, maintenance or development of the App, provided that such interests do not override the user’s rights.

Where processing is based on consent, the user may withdraw consent at any time by contacting info@lifeyear.com. Withdrawal of consent may result in certain health-related features becoming unavailable.

Purposes of Processing

Personal data is collected and processed in order to:

  • Ensure access to and proper functioning of the App;
  • Enable the user to record and review health and wellbeing data;
  • Enable the secure transmission and availability of the user’s health data to their healthcare team;
  • Respond to user enquiries and provide support;
  • Ensure the security, integrity and reliability of the App and related systems;
  • Develop and improve the functionality and quality of the App;
  • Comply with applicable legal and regulatory obligations;
  • Conduct anonymised or aggregated analytics for service improvement;
  • Prevent misuse or fraud.

Place of Processing

Personal data is processed at Lifeyear OÜ’s operating locations in Estonia and by trusted processors located within the European Economic Area (EEA) and the United Kingdom (UK). If personal data is transferred outside the EEA or the UK, such transfer takes place in accordance with the requirements of the GDPR.

Third Parties and Processors

Personal data may be shared with carefully selected processors to support the operation of the App, in accordance with applicable data protection requirements, including:

  • Amazon Web Services (AWS): cloud hosting and infrastructure, using EEA and UK regions where available;
  • MongoDB Atlas: secure database hosting, using EEA and UK regions where available;
  • Google Firebase: push notifications, crash reporting, and performance monitoring, using EEA and UK regions where available.

Retention of Personal Data

Personal data is retained only for as long as necessary:

  • Personal and health data while the user account remains active;
  • Support-related data for up to 12 months;
  • Backups for up to 30 days;
  • Legal or compliance data as required by applicable law.

Users have the right at any time to request deletion of their user account and associated personal data. Once the purpose of processing has ended, personal data is deleted or anonymised, unless retention is required by law.

Retention and deletion of data collected in the context of clinical care or research are governed by the relevant healthcare provider or research conditions.

Security Measures

Appropriate technical and organisational measures are implemented to protect personal data, including:

  • Encryption in transit and at rest;
  • Role-based access control and two-factor authentication;
  • Logging and monitoring of system access;
  • Regular security reviews and testing;
  • Data minimisation and access limitation.

User Rights

Under GDPR, users have the right to:

  • Withdraw consent at any time;
  • Access their personal data;
  • Request correction of inaccurate or incomplete data;
  • Request deletion of personal data;
  • Restrict or object to certain processing;
  • Request data portability;
  • Lodge a complaint with the Estonian Data Protection Inspectorate.

Requests can be made by contacting info@lifeyear.com and will be handled within one month.

Exercising these rights will not affect the care or support provided through the App.

Personal Data Breaches

If a personal data breach is likely to result in a risk to the rights or freedoms of users, Lifeyear OÜ will notify the Estonian Data Protection Inspectorate and affected users in accordance with GDPR.

Children

The App is not intended for children under 16 years of age.

If it becomes apparent that personal data has been collected from a child without valid parental consent, Lifeyear OÜ will delete such data without undue delay.

Changes to This Privacy Policy

This Privacy Policy may be updated from time to time. The current version is available on the Lifeyear website and, where applicable, on other Lifeyear platforms together with the effective date.

Change History

13 February 2026: Clarified the role of healthcare providers, updated the wording concerning the place of processing of personal data, added reference to the United Kingdom, clarified the regional configuration of hosting and database services, updated data retention principles, and clarified the availability of the Privacy Policy.

Contact Information

Lifeyear OÜ

Valukoja tn 10, 11415 Tallinn, Estonia

Email: info@lifeyear.com

If the response is not satisfactory, the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon; AKI) may be contacted at www.aki.ee.