Privacy Policy
Effective Date: Jan 1, 2026
Lifeyear OÜ ("we", "our", "us") is committed to maintaining the privacy and security of all personal data processed through our Services. This Privacy Policy explains how we collect, use, disclose, and protect your information when you use the Lifeyear mobile application, Specialist Dashboard, or our website (www.lifeyear.com) (collectively referred to as the "Services").
This Privacy Policy has been prepared in accordance with several pieces of legislation, including Articles 13 and 14 of Regulation (EU) 2016/679 (General Data Protection Regulation), the UK GDPR, and the Data Protection Act 2018. Unless stated otherwise, this Privacy Policy relates solely to our Services and the processing of personal data we carry out.
Who We Are
- Data Controller (Owner): Lifeyear OÜ
- Company Number: 16035006
- Registered Office: Valukoja tn 10, 11415 Tallinn, Estonia
- Contact Email: info@lifeyear.com
Lifeyear OÜ determines the purposes and means of processing personal data collected through the Lifeyear mobile application, Specialist Dashboard, and website.
If you have concerns about how your data is handled, you can raise them with the Estonian Data Protection Inspectorate (AKI) at www.aki.ee or, if you are in the UK, the Information Commissioner's Office (ICO) at www.ico.org.uk.
Definitions
- Personal Data (or Data): Any information that directly or indirectly identifies a natural person.
- Special Category Data: Data concerning health, wellbeing, or other sensitive personal information.
- Usage Data: Information automatically collected through the Services, such as device identifiers, IP addresses, and usage activity.
- User: The individual using the Services.
- Data Subject: The natural person to whom the personal data relates.
- Data Processor: A party that processes personal data on behalf of the Controller.
- Data Controller (or Owner): The entity determining the purposes and means of processing (here: Lifeyear OÜ).
- Service: The mobile application, Specialist Dashboard, or website through which personal data is collected and processed.
Types of Data Collected
Among the types of personal data we collect, by ourselves or through third parties, are:
- Contact information such as first name, last name, email address, and role or speciality.
- Health and wellbeing data such as daily wellbeing scores, symptoms, medication notes, activity levels, and free-text observations entered by users or health professionals.
- Account information such as username, login credentials, and authentication details.
- Device and technical data such as IP address, browser type, device model, and usage patterns.
- Analytics data collected through Firebase and similar technologies to improve app functionality. We configure analytics tools so that no health content or identifiable wellbeing data is transmitted through analytics events, and all identifiers are minimised or pseudonymised in accordance with our DPIA.
- Information provided through support requests, surveys, or communication channels.
Personal data may be freely provided by the user, or collected automatically when using the Services. Unless stated otherwise, all data requested by the Services is mandatory, and failure to provide it may make it impossible to use certain features.
Methods of Processing
We take appropriate security and organisational measures to prevent unauthorised access, disclosure, modification, or destruction of personal data. Processing is carried out using secure IT systems, in accordance with documented internal policies and procedures.
Access to personal data is restricted to authorised employees and approved third-party processors who act under contractual and confidentiality obligations. Users can view data they enter on the current day within the app. Historical entries are not visible in-app but can be accessed, rectified, or erased by submitting a request under your data protection rights.
Legal Basis for Processing
We may process personal data where one or more of the following conditions apply:
- Consent: you have given clear consent for one or more specific purposes.
- Explicit Consent: required for processing special category health or wellbeing data.
- Legal Obligation: to comply with legal or regulatory duties.
- Legitimate Interests: where necessary for the operation, maintenance, or improvement of the Services and where such interests are not overridden by your rights.
Where consent is relied upon, it can be withdrawn at any time by contacting us at info@lifeyear.com. If you withdraw consent, certain health-related features of the Lifeyear application may become unavailable. Previously submitted information will be managed in line with our retention and deletion procedures.
Purposes of Processing
Your personal data is collected and processed to enable us to:
- Provide access to and operate the Lifeyear mobile application and Specialist Dashboard.
- Facilitate secure communication between users and authorised health specialists.
- Respond to enquiries, support requests, and technical issues.
- Maintain system security, integrity, and performance.
- Improve and develop the functionality and quality of our Services.
- Comply with legal and regulatory obligations.
- Conduct anonymised or aggregated analytics for service improvement.
- Prevent misuse or fraudulent activity.
Place of Processing
Personal data is processed at our operating offices and by trusted third-party processors located in the United Kingdom and the European Economic Area (EEA). We currently do not transfer personal data outside the UK or EEA. If this changes, we will apply appropriate safeguards such as the UK International Data Transfer Addendum (IDTA) or EU Standard Contractual Clauses (SCCs) to ensure equivalent protection.
Third Parties and Processors
We may share data with carefully selected third parties to deliver our Services, under written data-processing agreements that ensure compliance with applicable law. These include:
- Amazon Web Services (AWS): secure cloud hosting and infrastructure management.
- MongoDB Atlas: secure database hosting and storage within the UK region.
- Google Firebase (Cloud): push notifications, crash reports, and performance analytics within EEA regions where available.
Each processor implements encryption, access control, and technical safeguards consistent with ISO 27001 standards.
We may also share data with regulators, legal authorities, or professional advisers when legally required.
Retention Time and Data Storage
We retain personal data only for as long as necessary to fulfil its purpose, comply with legal requirements, or defend legal claims. Retention periods are as follows:
- Personal and health data: while the user account remains active.
- Support and operational records: up to 12 months.
- Backup data: automatically overwritten within 30 days.
- Legal or compliance data: retained as required by law.
Once the relevant period expires, personal data is securely deleted or anonymised. After deletion, certain rights (such as access or portability) may no longer apply.
Security Measures
We apply a layered security approach that includes:
- Encryption in transit and at rest.
- Two-Factor Authentication (2FA) and Role-Based Access Control (RBAC).
- Regular vulnerability testing and security audits.
- Continuous monitoring and logging of system activity.
- Access limitation and data minimisation.
These measures are reviewed periodically to ensure ongoing effectiveness.
Rights of Users
You may exercise the following rights at any time:
- Withdraw consent where processing is based on consent.
- Access your personal data.
- Request rectification of inaccurate or incomplete data.
- Request deletion of data ("right to be forgotten").
- Restrict or object to processing in certain circumstances.
- Request data portability.
- Lodge a complaint with a supervisory authority.
Requests can be made to info@lifeyear.com. All requests are free of charge and will be handled as soon as possible and always within one month (extendable by two months for complex cases).
Data Breach Notification
We maintain an Incident Response and Breach Notification Procedure.
If a personal data breach is likely to result in a risk to individuals, we will notify the supervisory authority within 72 hours and inform affected users without undue delay.
Children
Our Services are not directed at children under 13 years of age in the UK or 16 years of age in the EEA.
If we become aware that we have collected data from a child without verified parental consent, we will delete it immediately. We apply the stricter local age requirement based on the user's region to ensure compliance with applicable child data protection laws.
Governance and Accountability
We maintain a structured governance framework to ensure compliance with data protection laws.
Roles and responsibilities include:
- Data Protection Officer (DPO): oversees compliance and responds to user requests.
- Engineering and Security Teams: manage system controls, encryption, and audits.
- Compliance Lead: reviews third-party processors and legal compliance annually.
- Support Team: facilitates account and deletion requests.
Our policies, controls, and risk assessments are reviewed annually or following any significant change to processing activities. We maintain Records of Processing Activities and formal Data Processing Agreements with all processors, ensuring accountability and demonstrable compliance under the UK and EU GDPR.
Changes to This Privacy Policy
We reserve the right to modify this Privacy Policy at any time. Updates will be published on our website and within the app, indicating the latest revision date.
You are encouraged to review this page periodically. Continued use of our Services after an update constitutes acceptance of the revised Policy.
Contact Information
Lifeyear OÜ
Valukoja tn 10, 11415 Tallinn, Estonia
Email: info@lifeyear.com
If you are not satisfied with our response, you may contact your data protection authority:
- Estonian Data Protection Inspectorate (AKI) - www.aki.ee
- Information Commissioner's Office (ICO) - www.ico.org.uk
Lifeyear OÜ is committed to protecting your privacy, maintaining transparency, and upholding the highest standards of data protection and security in all aspects of its operations.