Privacy Policy / Data Protection Notice for Vitacam Clinic
Revision 1.2 – 10th of October 2025.
This notice applies to all use of the Vitacam Clinic smartphone app (‘the app’), available for Android (Google Play) and iOS (App Store).
The primary reason for the revision 1.2 update of the Privacy Policy is a change of ownership for the Vitacam medical device and related business, which has changed from NE Device SW Oy to Evondos Oy. This change shall not have an impact on the provided services.
Please note that if there is a change of any kind to the Privacy Policy, including the purpose of data collection, you will be asked again for your consent to the Data Protection Notice.
The company complies with General Data Protection Regulation 2016/679.
The basis for handling personal data within the app and any related circumstances depends on your usage:
1) If your license to use Vitacam Clinic was obtained via your healthcare-related facility, the regulations for processing personal data for health or social care apply:
Personal data submitted through the use of the app is processed by Evondos Oy (‘the company’) as the ‘data processor’ on behalf of your health or social care provider who is the ‘data controller.’
GDPR 2017 Article 6 1E
The lawful basis we rely on to process this personal data is article 6(1)(e) of the GDPR, which allows the processing of personal data when necessary to perform a duty of care.
GDPR 2017 Article 9 Paragraph 2H
To lawfully process special category data, it is necessary to identify both a lawful basis under Article 6 of the GDPR and a separate condition for processing under Article 9. This covers the provision of health or social care or treatment. In addition, the company complies with regulations on privacy and data protection in the national jurisdiction applying to the data controller.
The intended purpose of Vitacam is to measure and monitor the vital signs, including respiratory rate and heart rate, of a single patient/client or group of patients/clients, by analysing a video feed on a cloud server, obtained from a mobile camera. The software is intended for professional healthcare use as a measuring and monitoring tool that provides inputs for clinical decision making.
2) If you are an individual person or a representative of a company who has been given permission by the company to, e.g., assess, try or demo the app:
Personal data submitted through the use of the app is controlled by Evondos Oy (‘the company’) as the ‘data controller’, as the company is responsible for processing, handling and storing it in a secure and GDPR-compliant manner.
GDPR 2017 Article 6 1A
The lawful basis we rely on to process this personal data is article 6(1)(a) of the GDPR, which allows the processing of personal data with consent given by the user. To be able to use the application, you will need to consent to the processing of your personal data for the described use. If you use the application to measure the vital signs of another person, you must ensure that he/she is aware of the data protection notice and gives consent to the processing of personal data.
GDPR 2017 Article 9 Paragraph 2A
To lawfully process special category data, it is necessary to identify both a lawful basis under Article 6 of the GDPR and a separate condition for processing under Article 9. Here, this condition is the explicit consent of the person whose personal data will be processed. In addition, the company complies with regulations on privacy and data protection in the national jurisdiction applying to the data controller.
The intended purpose of Vitacam is to measure and monitor the vital signs, including respiratory rate and heart rate, of a single patient/client or group of patients/clients, by analysing, on a cloud server, a video feed obtained from a mobile camera. The software is intended for professional healthcare use as a measuring and monitoring tool that provides inputs for clinical decision making. The software can be given for assessment purposes to individual persons and/or representatives of a 3rd party company. Still, no data is shared between the different user categories of the application; results or data provided by one user are not accessible or visible by any means to another, but remain with the company and the end-user.
Within the scope of using the Vitacam app for its intended purpose, personal data is collected, processed, and stored permanently or temporarily as follows:
Log-in events are recorded on the server when the user logs in on the app. Log-in credentials are never stored on the app.
A new user cannot register on the app but must be added by an admin.
The user can record a video of him-/herself on the app. This recording is temporarily stored on the app until it has been uploaded to the server or more than 24 hours have passed since recording, in which case it is deleted, provided the app is active, or upon launching it.
The server returns, and the mobile app receives, the respiratory rate and heart rate of the end-user obtained from the processed video. Additionally, as a wellbeing feature, the application returns analysis results related to heart rate variability and regularity.
The video is processed on a server instance maintained by the company and, in the case of professional use, approved by the data controller, in accordance with both national and European data protection regulations. It is deleted programmatically immediately upon processing and cannot be viewed by any human.
The measurements are stored on a server and deleted according to the data controller’s policy. The data is stored for up to 10 years.
In transit from the app to the cloud server instance, the data is encrypted over SSL/TLS 1.3 with AES-256 NSA-level encryption. The server instance used runs on a Google Cloud server within the EU (Finland, Hamina), and all data within the cloud is encrypted with the AES-256 Advanced Encryption Standard both during transit and in storage.
The following data or data categories are collected:
User data, collected in the ‘enrolling as Vitacam Clinic user’ phase with a separate contract
Minimal data is stored:
- Professional use:
  - Username for login, password-related hash (can only be used for checking the password)
  - Healthcare facility/company (permanent as defined by data controller)
  - An ID of the end-user, which can be used to uniquely identify the person by the data controller (healthcare facility/organisation, service provider)
- Trial, pilot, assessment and/or personal use:
  - Username for login
  - First name, last name, e-mail address of the trial/pilot organizer or of an individual person in case he/she has requested access
In trials and pilots, anonymized usernames are used to protect the identity of the end-users, while measurement related video recordings are not used to identify persons and are handled only programmatically.
Resident/client biometric data
- Date & time of video recording, physiological measurements resulting from the video analysis (namely pulse and respiration rate, heart rhythm and regularity) (permanent storing as defined by data controller)
- Recorded videos with the app: temporary
  - Deleted once uploaded and processed, or a) if upload has not been possible, after 24 h whenever the app is launched; b) if upload has been done but processing has not been possible, within 24 hours of the upload.
- None of the data is shared with a 3rd party.
We promise to follow the following data protection principles:
Processing is lawful, fair and transparent. Our Processing activities have lawful grounds. We always consider your rights before Processing Personal Data. We will provide you information regarding Processing upon request.
Processing is limited to the intended purpose. Our Processing activities fit the purpose for which Personal Data was gathered.
Processing is done with minimal data. We only gather and Process the minimal amount of Personal Data required for any purpose.
Processing is limited to a time period. We will not store your personal data for longer than needed.
We will do our best to ensure the accuracy of data.
We will do our best to ensure the integrity and confidentiality of data.
Both users and residents/clients are considered Data Subjects with the following lawful rights:
Right to information
You have the right to know whether your Personal Data is being processed; what data is gathered, from where it is obtained and why and by whom it is processed.
Right to access
You have the right to access the data collected from/about you when the data is stored in a way that it can be linked to you. This includes your right to request and obtain a copy of your Personal Data gathered (a “Subject Access Request”). If you would like to know more, please contact our DPO using the details above.
Right to rectification
You have the right to request rectification or erasure of your Personal Data that is inaccurate or incomplete.
Right to erasure
In certain circumstances* you can request for your Personal Data to be erased from our records.
Right to restrict processing
Where certain conditions apply*, you have the right to restrict the Processing of your Personal Data.
Right to object to processing
In certain cases* you have the right to object to Processing of your Personal Data.
Right to object to automated Processing
You have the right to object to automated Processing, including profiling, and not to be subject to a decision based solely on automated Processing. You can exercise this right whenever there is an outcome of the profiling that produces legal effects concerning or significantly affecting you.
Right to data portability
You have the right to obtain your Personal Data in a machine-readable format or, if it is feasible, as a direct transfer from one Processor to another.
Right to lodge a complaint
In the event that we refuse your request under the Rights of Access, we will provide you with a reason as to why. If you are not satisfied with the way your request has been handled, please contact us.
Right to the help of a supervisory authority
You have the right to the help of a supervisory authority and the right to other legal remedies such as claiming damages.
Right to withdraw consent
You have the right to withdraw any given consent for Processing and Controlling of your Personal Data.*
*If the right to erase, restrict or object to processing is in conflict with your local legislation in relation to e.g. healthcare and patient record data holding, then legislation will be followed and you will be informed of the outcome.
To exercise your rights, or to get in touch, contact our Data Protection Officer, Mr Ville Haavisto. We will get back to you as soon as possible and at the latest within a month.
Please note that if you follow any links from the Privacy Policy and/or the app, the Privacy Policy does not extend to third parties, and you are advised to make yourself aware of the related 3rd party site/platform privacy policy.
If you are made aware of a child or a minor accessing the app and potentially providing personal data without parental consent, please contact the Data Protection Officer for data removal as soon as possible (at the latest within a month) and potential further required actions.
If you have any questions or comments on our data protection policy, or want to get in touch with the Data Protection Officer, please contact us.
Name of the register
Evondos Oy Vitacam Clinic personal data register
Data processor / controller (depending on the usage)
Evondos Oy
Business ID FI21758208
Salorankatu 5–7
24240 Salo
Finland
Data Controller’s representative for this register
Miikka Kirveskoski
miikka.kirveskoski@evondos.com
Contact details of the data protection officer
Ville Haavisto
ville.haavisto@evondos.com