This notice applies to all use of the Vitacam Clinic smartphone app (‘the app’).

Personal data submitted through the use of the app is processed by NE Device SW (‘the company’) as the ‘data processor’, on behalf of a health or social care provider who is the ‘data controller.’

The company complies with General Data Protection Regulation 2016/679.

The regulations for processing personal data for health or social care apply:

GDPR 2017 Article 6 1E
The lawful basis we rely on to process this personal data is article 6(1)(e) of the GDPR, which allows the processing of personal data when necessary to perform a duty of care.

GDPR 2017 Article 9 Paragraph 2H
To lawfully process special category data, it is necessary to identify both a lawful basis under Article 6 of the GDPR and a separate condition for processing under Article 9. This covers the provision of health or social care or treatment. In addition, the company complies with regulations on privacy and data protection in the national jurisdiction applying to the data controller.

The intended purpose of Vitacam is to measure and monitor the vital signs, including respiratory rate and heart rate, of a single patient/client or group of patients, by analyzing, on a cloud server, a video feed obtained from a mobile camera. The software is intended for healthcare professionals and professional carers as a measuring and monitoring tool that provides inputs for clinical decision making.

Within the scope of using the Vitacam app for its intended purpose, personal data is collected, processed, and stored permanently or temporarily as follows:

Log-in events are recorded on the server when the user logs in on the app. Log-in credentials are never stored on the app.

A user can only log in to measure residents/clients that are authorised by the data controller. A new user cannot register on the app but must be added by an admin.

The user can record a video of residents/clients on the app. This recording is temporarily stored on the app until it has been uploaded to the server or more than 30 minutes have passed since recording, in which case it is deleted from the app.

The video is processed on a server instance, approved by the data controller, in accordance with both national and European data protection regulations. It is deleted programmatically immediately upon processing and cannot be viewed by any human.

The measurements are stored on a server and deleted according to the data controller’s policy.

The server returns respiratory rate and heart rate of the resident/client obtained from the processed video.

The following data or data categories are collected:

User data
username, first name, last name, id, e-mail address (permanent as defined by data controller)

Resident/client biometric data

  • Date & time of video recording, physiological measurements and date & time (permanent as defined by data controller)
  • Videos (temporary – deleted once uploaded to the server or, if upload has not been possible, after 30 mins whenever the app is launched)

We promise to follow the following data protection principles:

Processing is lawful, fair and transparent. Our Processing activities have lawful grounds. We always consider your rights before Processing Personal Data. We will provide you information regarding Processing upon request.

Processing is limited to the intended purpose. Our Processing activities fit the purpose for which Personal Data was gathered.

Processing is done with minimal data. We only gather and Process the minimal amount of Personal Data required for any purpose.

Processing is limited to a time period. We will not store your personal data for longer than needed.

We will do our best to ensure the accuracy of data.

We will do our best to ensure the integrity and confidentiality of data.

Both users and residents/clients are considered Data Subjects with the following lawful rights:

Right to information
You have the right to know whether your Personal Data is being processed; what data is gathered, from where it is obtained and why and by whom it is processed.

Right to access
You have the right to access the data collected from/about you when the data is stored in a way that it can be linked to you. This includes your right to request and obtain a copy of your Personal Data gathered (a “Subject Access Request”). If you would like to know more, please contact our DPO using the details above.

Right to rectification
You have the right to request rectification or erasure of your Personal Data that is inaccurate or incomplete.

Right to erasure
In certain circumstances* you can request for your Personal Data to be erased from our records.

Right to restrict processing
Where certain conditions apply*, you have the right to restrict the Processing of your Personal Data.

Right to object to processing
In certain cases* you have the right to object to Processing of your Personal Data.

Right to object to automated Processing
You have the right to object to automated Processing, including profiling; and not to be subject to a decision based solely on automated Processing. You can exercise this right whenever there is an outcome of the profiling that produces legal effects concerning or significantly affecting you.

Right to data portability
You have the right to obtain your Personal Data in a machine-readable format or, if it is feasible, as a direct transfer from one Processor to another.

Right to lodge a complaint
In the event that we refuse your request under the Rights of Access, we will provide you with a reason as to why. If you are not satisfied with the way your request has been handled please contact us.

Right to the help of a supervisory authority
You have the right to the help of a supervisory authority and the right to other legal remedies such as claiming damages.

Right to withdraw consent
You have the right to withdraw any given consent for Processing of your Personal Data.

*If the right to erase, restrict or object to processing is in conflict with your local legislation in relation to e.g. healthcare and patient record data holding, then legislation will be followed and you will be informed of the outcome.

Please note that no data about the residents/clients is stored that could be linked to any of the stored data.

To exercise your rights, or to get in touch, contact our Data Protection Officer, Mr Miikka Kirveskoski.

If you have any questions or comments on our data protection policy, please contact us at:

NE Device SW Oy
Teknologiantie 7B
90590 Oulu

VAT no. FI26513007

Moyeen Ahmad (CEO)

Revision 1.0 – 29th of December 2022