This privacy statement describes the types of personal data (i.e. information relating to an identified or identifiable natural person) MYCB1 Group B.V. (“MYCB1” or “we”) stores, uses or otherwise processes and for what purposes and your data subject rights in respect to the processing of such personal information.
This privacy statement applies when you visit our website, interact with us or make use of our products or services. Your privacy is critically important to us and we process your personal data within the meaning of the General Data Protection Regulation 2016/679 (“GDPR”) and relevant national legislation. Please read this privacy statement carefully.
2. Controller identity and contact
MYCB1 Group B.V.
Attn. Ms. S. Wong
1077 ZH Amsterdam
3. Types of personal and health related data
Personal data is any information that relates to an identified or identifiable individual. In many cases, the personal data that you provide to us through our website, apps or services will be apparent from the context in which you provide the information:
Website visits and contact form
When you visit our website, we will automatically store your IP-address, location data, internet browser and device type. We also process data relating to your website visit, such as the website you are coming from, your search queries, and the content you have viewed on our website. These data are used for statistical purposes and to test and improve the user-friendliness of our website.
We make use of Google Analytics on our websites to help us analyse your use of our websites and diagnose technical issues.
The processing of personal data when visiting our website occurs on the legal basis of having a legitimate interest to present MYCB1 online with a well-functioning website. We have made the consideration that the interest of a well-functioning website outweighs the very limited infringement made by processing the abovementioned personal data.
If you want to request a quotation for one of our products or services, or contact us with any other question, we will process the following types of personal data in order to respond to your inquiry or request:
- (business) Address details
- (business) Email address
The legal basis for processing this personal information is consent.
When you, as a client, engage us to provide products or services to you, we will collect and process personal data in order to prepare, execute and/or deliver these products or services:
- Name and address details
- Contact details such as (mobile) telephone number and email address
The legal basis for processing these personal data types can be found in (the preparation of) a contractual relationship between MYCB1 and the client.
Care coordination and treatment reminders
When we have a contractual relationship with you we may also process your personal information to occasionally contact you about treatment options, expired prescriptions, the availability of alternative medications or to inform you of other medications that may benefit your health.
Statistical or scientific research
We may use aggregated data resulting from your personal data including health related information for statistical or scientific research purposes. In such event we shall at all times remove or anonymise the personal data in order to ensure that it is not possible to identify you.
The legal basis for processing the aggregated data is considered the necessity for statistical or scientific research.
Aletta Mobile App
MYCB1 has developed a mobile app for use by patients (e.g. users of our products) in order to improve the quality of medical prescriptions and monitor effectiveness of such prescriptions and doses.
When you sign up for making use of the App, we collect and process the following personal data for the purpose of creating a personal profile in the App:
- Email address
- Mobile telephone number (two-factor authentication)
- Birth date
In addition the App will process the following sensitive personal data:
- Medical dose
- (daily / periodic) personal health/fitness situation based on self-reporting health questions in accordance with EQ-5D.
The legal basis for processing the personal data listed above is based on explicit consent. These data are being processed and disclosed to the patient user’s health care professional for the purpose of treatment and/or healthcare operations.
When you register and opt-in for our newsletter, or have ordered products or services from us, we will occasionally keep you informed about our products and services and/or relevant developments in that regard. You may unsubscribe from the newsletter at any time via the ‘unsubscribe’-link in the relevant email.
If you apply or wish to apply for a job with us, we may collect and process the following types of personal data:
- Name and address details
- Contact details such as (mobile) telephone number and email address
- Birth date
- Job application details such as education and career data
- Any other data provided voluntarily
When you apply for a job with us, we will retain the data in relation to the job application up to 4 weeks after the end of the application procedure or, with your consent (e.g. to consider you for other vacancies), for a maximum of 12 months after the end of the application procedure.
The legal basis for processing the above mentioned personal data is the investigation or conclusion of a potential working relationship.
4. With whom we share personal and medical information
We will never sell your personal data to third parties. In principle, your personal data will not be shared with third parties, except in the following events:
Medical prescription delivery / healthcare providers
We may disclose your health related information to healthcare professionals to provide, coordinate and manage the delivery of medical prescriptions or services. We only share personal data with health care providers directly authorized by you to receive such data.
For example, our pharmacist may disclose medical information about you to your physician in order to coordinate the prescribing and delivery of your medications.
We may disclose personal data about you when necessary: (i) to comply with applicable law, or rules imposed by payment method in connection with use of that payment method; (ii) to protect our products, services, rights and property of MYCB1, you or others; and (iii) to respond to requests from courts, law enforcement agencies, regulatory agencies or other public and government authorities. If the law within your jurisdiction offers you additional protections against the improper use or disclosure of personal information, we will adhere to such regulations.
To the extent necessary we share personal data with certain service providers (e.g. hosting companies) subject to contract terms (data processor agreements) that limit their use of the personal data. Based on the underlying data processor agreement we authorise such service providers to process the personal data only to perform their services on our behalf or comply with legal requirements. We require these service providers to contractually commit to protect the security and confidentiality of the personal data involved.
In the context of entering into, or intending to enter into, a transaction that alters the structure of our company, such as a reorganization, merger, sale, joint venture, assignment, transfer, change of control, or other disposition of all or any portion of our business, assets or stock, we may share personal data with third parties in connection with such transaction, insofar as the sharing of (part of) the personal data is necessary and with due observance of data protection measures. Any other entity that purchases us or part of our business will have the right to continue to process your personal data subject to the terms of this privacy statement.
Other uses and disclosures
Any other disclosures of your personal and/or health information not explicitly mentioned in this privacy statement will be made only with your prior explicit consent.
Your personal data will generally not be transferred to countries or third parties outside the European Economic Area (EEA). If the transfer of personal data to countries or third parties outside the EEA is required, we will take into account the statutory requirements in relation thereto.
5. Your data subject rights
You have the following rights in connection with your personal data:
- Access: you may request access to the personal data MYCB1 processes of you;
- Rectification: you may request us to rectify or update your personal data if you believe it is inaccurate or incomplete;
- Restriction: you may also request us to restrict or limit the use of certain personal information we process about you;
- Data portability: you may request us to export the personal data that we hold to another company, where technically feasible;
- Erasure: you have the right to request that MYCB1 deletes your personal data in the circumstances provided by the GDPR and applicable law;
- Withdrawal: you also have the right to withdraw any previously provided consent at any time. This may result in the inability to further make use of (part of) our products or services;
- Objection: under certain circumstances, you also have the right to object to the processing of your personal information. This may result in the inability to further make use of (part of) our products or services.
In addition to the foregoing you may also contact us to opt out of receiving electronic communications (such as newsletters) from us. If you no longer want to receive electronic communications from us, you may opt-out via the unsubscribe link included in such emails.
You may direct any requests or complaints regarding the processing of your personal data to us in writing or via email via the contact details as provided in this privacy statement. We will respond to such requests within the applicable statutory timeframes. For data protection purposes, we may need to verify your identity before responding to your request, such as verifying that the email address from which you send the request matches the email address that we have on file.
For completeness, we also note that you have the right to submit a complaint to us or with the relevant data protection authority in your country. For the Netherlands this is the “Autoriteit Persoonsgegevens”, via: https://autoriteitpersoonsgegevens.nl/en.
6. Protection and retention
We have taken adequate technical and organisational measures to protect your personal information against loss and the unauthorised access or misuse thereof and to provide a level of security appropriate to the risk associated with the processing of the types of personal data that we process.
Such measures include, but are not limited to, the use of firewalls, secured servers, encryption, appropriate systems for access rights and process management and the careful selection of processors. We are also ISO 27001:2017 and NEN 7510:2017 certified. Unfortunately, no online data transmission or storage system is guaranteed to be 100% secure. If you have reason to believe that your interaction with us is no longer secure (e.g. you feel that the security of your account has been compromised), please contact us immediately.
We retain your personal information no longer than is necessary for the purpose for which we have collected the personal data, or in correspondence with an applicable statutory retention term. You may at all times request the removal of your personal data. We will respond to such request within the applicable timeframe.
7. Links to third party websites or services
The website and/or services of MYCB1 may contain links to third party websites or services. These websites or services are not owned or controlled by MYCB1 and operate independently from us and may have their own privacy statements.
MYCB1 has no control over, and assumes no responsibility for, the content, privacy policies or practices of any third party websites or services. We strongly suggest you review the applicable privacy statements before making use of third party websites or services.
Our websites and services are not directed to minors, including children under the age of 16 years, and we request that they not provide personal information through our websites or services. In some countries, we may impose higher age limits as required by applicable law. We do not sell any personal information of users or visitors, including those under the age of 16 years.
We reserve the right to unilaterally amend this privacy statement in order to ensure the compliance with applicable law and regulations and to reflect our current privacy practices.
Any changes to the processing of personal data will be communicated to you through an appropriate channel (e.g. email or account alerts). It is also recommended that you consult this privacy statement on a regular basis in order to be aware of any potential changes.
If applicable law requires that we obtain your consent or provide notice in a specified manner prior to making any changes to this privacy statement applicable to you, we will provide such required notice in order to obtain your consent.