Privacy Statement for Nordhealth.fi service B2B customers and prospects
This privacy statement explains how Nordhealth Oy processes the personal data of B2B customers and potential B2B customers of the Nordhealth.fi Service, including healthcare professionals and representatives and contacts of customer organizations such as clinics.
Last Modified 16.6.2025
Introduction
The following terms are used in this privacy statement:
Customer: therapists and other healthcare professionals, as well as representatives and contacts of customer organizations such as clinics, who are customers of Nordhealth.
End User: Customers of Nordhealth's Customers, such as patients.
End User Data: personal data as defined in the agreement between the Customer and Nordhealth, e.g., patient data.
Service: Nordhealth.fi search and booking service.
Service Users: anyone who visits or uses the Service.
This privacy statement does not apply to End Users. We process End User Data on behalf of our Customers as a data processor. If you are an End User and have questions about how our Customers process your data or wish to exercise your rights regarding this data, you must contact the Customer with whom you have booked an appointment.
The privacy statement for Service Users can be found here.
1. Data Controller
Nordhealth Therapy Oy (3486722-7)
Bulevardi 21
00180 Helsinki Finland
Tel. +358 19 425 1610
(hereinafter "we")
3. What is the purpose and legal basis for processing personal data and what data do we process?
Purpose of Processing | Personal Data | Legal Basis |
|---|---|---|
| Creating and maintaining professional profiles so that healthcare professionals can market themselves and their practices | Basic information*, such as name, healthcare professional registration number, personal identity code Contact information*, such as email address and phone number User profile*, including a photo created based on the customer relationship | Contract |
| Managing the customer relationship: communication with the customer | Basic information*, such as name, healthcare professional registration number, personal identity code Contact information*, such as email address and phone number User profile*, including a photo created based on the customer relationship Information regarding the customer relationship and contract, such as past and current contracts and subscriptions Other voluntarily provided information | Legitimate interest to maintain and develop the customer relationship and satisfaction |
| Managing the customer relationship: customer support (as part of Diarium support) | Basic information*, such as name, healthcare professional registration number, personal identity code Contact information*, such as email address and phone number User profile*, including a photo created based on the customer relationship Call recordings and correspondence Information regarding the customer relationship and contract, such as past and current contracts and subscriptions Other voluntarily provided information | Legitimate interest to maintain and develop the customer relationship and satisfaction |
| Electronic direct marketing, such as email and direct marketing by phone to current customers | User profile Possible prohibitions and consents for direct marketing and electronic direct marketing | Legitimate interest to offer relevant services based on previously used services |
| Contacting potential customers, such as healthcare professionals and clinic representatives or other interested parties who contact us via the online contact form | Name and contact information Correspondence | Legitimate interest to promote a potential customer relationship |
| Electronic direct marketing, such as email and direct marketing by phone to potential customers, such as healthcare professionals and clinic representatives (as part of the Diarium product) | Name and contact information Title Possible prohibitions and consents for direct marketing and electronic direct marketing | Legitimate interest to expand our business offerings and grow our business |
| Developing our services and website | Data collected through cookies and forms, such as IP address, language preference, browser and device type, browsing country, operating system, search terms, search history, visited pages, visit frequency, and information about activity on the page | Legitimate interest to improve and provide better Services and website experience |
| Preventing and correcting technical issues and errors on our services and website | Data collected through cookies and forms, such as IP address, language preference, browser and device type, browsing country, operating system, and information about activity on the page | Legitimate interest to maintain the proper functioning of our Services and website |
| Ensuring the security of our services and preventing misuse | Log data Information collected through cookies, such as IP address, browser and device type, browsing location, operating system | Legitimate interest to maintain the integrity of our Services |
Providing personal data marked with an asterisk is a requirement for our contract and/or customer relationship. Without the necessary information, we cannot provide the product and/or Service.
4. Where do we receive information from?
Our primary source is the information you submit as a Customer. For the purposes described in this privacy statement, personal data may also be collected and updated from publicly available sources and based on information received from authorities or other third parties within the limits of applicable laws and regulations. Such data updates are performed manually or automatically.
5. To whom do we disclose information and do we transfer information outside the EU or EEA?
We do not disclose registry information to external parties. We use subcontractors who process personal data on our behalf. The data is located in the EU, but in case of malfunctions, information such as communication and log data may be transferred outside the EU/EEA to support service providers. If personal data is transferred outside the EU/EEA, we ensure that the transfer is based on the EU Commission's adequacy decision or standard clauses.
6. How do we protect information and how long do we retain it?
Only our employees who have the right to process data as part of their job have the right to use the system containing personal data. The data is technically protected. Access to the data requires sufficient rights. Unauthorized use is also prevented by firewalls and technical protection. Only designated individuals have the right to process and maintain the data. Employees are bound by confidentiality obligations. The information system is securely backed up and can be restored if necessary. Security checks are performed regularly. We store data as required by applicable legislation. We regularly assess the need to store data, taking into account applicable legislation. Additionally, we take reasonable steps to ensure that incompatible, outdated, or incorrect personal data is not stored in the registry, considering the purpose of processing. We promptly correct or delete such data.
7. What are your rights as a data subject?
You have the right to access your personal data and obtain a copy of your personal data, as well as the right to request the correction or, under certain conditions, the deletion of data. To the extent that processing is based on consent, you also have the right to withdraw or change your consent. Withdrawing your consent does not affect the legality of processing that occurred before the withdrawal.
In certain situations, you have the right to transfer data from one system to another or to request the restriction of your data processing.
Due to your specific situation, you also have the right to object to the processing of personal data when the legal basis for processing is a legitimate interest. In connection with your request, you must specify the specific situation on which you base your objection to processing. We may reject an objection request for a significantly important and justified reason or for legal reasons.
We do not use your personal data to make automated decisions, such as profiling, that have legal effects on you or otherwise significantly affect you.
You have the right to file a complaint with the supervisory authority. The supervisory authority in Finland is the Office of the Data Protection Ombudsman: http://www.tietosuoja.fi.
8. When can we update the privacy statement?
We regularly review the compliance of the privacy statement and update it as necessary. The privacy statement may be updated, for example, if our processing activities change, or if applicable data protection laws or guidelines change. We publish the updated version of the privacy statement on our website. If the changes are significant, we will also notify you in other ways, such as by sending an email or posting a notice on our website.
9. Who can you contact?
All contacts and requests regarding this privacy policy should be submitted to the address mentioned in section 1 or the email address mentioned in section 2.
10. Cookies
More information about cookies and their use in the Service can be found in the cookie statement.