Privacy Policy
"Dr Kiwi" Application and "Keep It Healthy" Platform
This Privacy Policy constitutes an inseparable and integral part of the Terms of Service for electronic services (hereinafter referred to as the "Terms") and comprehensively defines the rules for collecting, rigorously processing and protecting personal data of Users using the provided infrastructure.
The Controller's operations are based on the EU principle of Privacy by Design and Data Minimisation. This means that already at the initial stage of software architecture development, advanced technological solutions have been implemented that guarantee the highest degree of confidentiality, with particular regard to legal restrictions relating to special categories of data, including health data and biometric data.
1. Identity of the Data Controller
The sole Controller of Users' personal data, the entity determining the purposes and means of their processing, is:
Keep It Healthy Sp. z o.o., with its registered office at ul. Władysława Korotyńskiego 28, 02-123 Warszawa, entered in the KRS (National Court Register) under number 0001057283, NIP: 7011164571, REGON: 526390927
(hereinafter referred to as: "Controller" or "Company").
All matters related to personal data protection, exercise of Users' statutory rights or notification of potential security incidents are treated with special priority. Communication in the above scope with the qualified Data Protection Officer (DPO) appointed by the Controller is possible via the dedicated email address: kontakt@keepithealthy.pl.
2. Scope and Purposes of Data Processing
The Controller collects and processes only the data that is considered absolutely necessary for the proper and secure provision of the advanced Services defined in the Terms. The Platform is dedicated exclusively to persons with full legal capacity. The Controller does not take deliberate actions to obtain data from minors. Upon learning that data of a person under 18 years of age is being processed, such an account is immediately deleted.
Providing personal data by the User is entirely voluntary. However, it should be noted that failure to provide information classified as mandatory (in particular the email address necessary to create an Account and the medical documentation required for analysis) will objectively and directly prevent the Controller from entering into the contract and properly providing the analytical Services. The processed data sets are categorized as follows:
A. Identification and Technical Data (Ordinary Data)
Scope: Email address, access password stored exclusively as a secure cryptographic hash (a one-way function from which the plaintext password cannot be recovered), first name or pseudonym (if voluntarily provided by the User), authentication history (login dates and times), unique end-device identifiers, and current subscription status.
Purpose: Authorization, registration and maintaining the security of the User's Account, providing ongoing technical support, processing account access recovery, and formally handling complaints.
Legal basis: Necessity for the performance of a contract for the provision of electronic services or to take steps at the request of the data subject prior to entering into a contract (Art. 6(1)(b) GDPR).
B. Health Data (Special Categories of Data – Art. 9 GDPR)
Scope: Precise anthropometric parameters (including height, body weight, BMI, age, biological sex determining the application of appropriate reference norms), information about diet and lifestyle habits, digitized images of laboratory test results (PDF/JPG files), and specific numerical variables extracted from them.
Purpose: Conducting automated, multidimensional analysis aimed at generating a summary report and educational supplementation recommendations to support the User's individual health goals.
Legal basis: Explicit, informed, voluntary and prior consent of the User (so-called active opt-in), obtained each time before initiating the analysis process for new documents (Art. 9(2)(a) GDPR).
C. Data Processed for Defense or Pursuit of Claims and Fulfillment of Legal Obligations
Scope: System records confirming the fact and time of consent (so-called consent logs), data necessary for proper verification of the User's identity, complete records of complaint activity, as well as data regarding completed financial transactions and settlements.
Purpose: Securing the possibility of pursuing economic claims by the Controller or defending against claims raised by the User, as well as meticulous maintenance of mandatory accounting, bookkeeping and tax documentation.
Legal basis: The Controller's legitimate interest in protecting its property rights (Art. 6(1)(f) GDPR) and the absolute legal obligation of the Controller arising from generally applicable tax law provisions (Art. 6(1)(c) GDPR).
D. Server Logs (Operational Data)
Scope: IP addresses, precise time of request arrival and response dispatch by server infrastructure, type and version of web browser software, identified HTTP transaction errors, URLs of browsed resources, and infrastructure load parameters.
Purpose: Global administration of IT systems, software performance optimization, diagnosing critical technical anomalies, and above all – detecting potential security breaches, preventing fraud and repelling organized cyberattacks (including DDoS).
Legal basis: The Controller's legitimate interest in guaranteeing the reliability and integrity of IT infrastructure (Art. 6(1)(f) GDPR).
3. Automated Decision-Making and Profiling
Within the Platform, in order to provide innovative Services, the Controller implements advanced algorithms on a large scale. These algorithms subject the test results and physiological parameters entered by the User to multi-threaded analysis, and then, using cross-referencing mechanisms with publicly available registries (e.g., the Chief Sanitary Inspector's Registry), generate personalized reports and profile appropriate supplementation recommendations.
The Controller categorically stipulates and declares that the process described above does not lead to decisions made about the User based solely on automated processing that would produce legal effects concerning them or similarly significantly affect them, in accordance with Art. 22 GDPR. The Platform does not apply mechanisms for refusing services, does not automatically differentiate prices, and does not assess insurance capacity based on aggregated data. Generated summaries and suggestions have exclusively informational and educational status. The decision on their possible implementation into daily routine rests solely with the User and should be absolutely preceded by appropriate medical consultation. The algorithm performs an analytical, not a decision-making function. Nevertheless, the User retains the inalienable right to demand human intervention from the Controller, to express their own position on the matter, and to challenge the accuracy of AI recommendations through formal contact with the Data Protection Officer.
4. Ephemeral Processing Principle (Stateless Processing)
In pursuit of ensuring the highest level of security for sensitive data (i.e., digitized document scans), the Controller has implemented a rigorous ephemeral processing protocol, defined accordingly in § 7 of the Terms:
- A file uploaded by the User (e.g., a PDF document or JPG image) is loaded via an encrypted TLS 1.3 transmission channel exclusively into the volatile random access memory (RAM) of a strictly isolated server environment.
- A dedicated AI module (OCR) performs immediate extraction of numerical values from the source file into plain text. All information passed to language models undergoes prior, rigorous anonymization (including removal of first name, last name, and PESEL number), which eliminates the risk of processing medical documentation in connection with the User's identity by third parties.
- Immediately after the text analytical report has been generated, the User's original file is irreversibly destroyed (permanently deleted from all buffers, caches, and machine registers).
The implementation of the above system architecture results in the complete abandonment of permanent storage of Users' original medical documents on the Controller's non-volatile media. Thus, in the extremely unlikely event of a breach of cloud infrastructure integrity, a potential attacker will not gain access to document images, because they do not exist in the system.
5. Data Sharing and Transfer to Third Countries (Outside the EEA)
The Controller is fully aware of the particular sensitivity of information in the MedTech sector. For this reason, it guarantees that it does not sell, lend, or share health data with third parties for marketing, advertising, or research purposes. Data processing may be entrusted only to a narrow, strictly verified circle of recipients:
- Certified providers of advanced IT and technological solutions, including cloud operators (including AWS, Google Cloud), bound to the Controller by rigorous Data Processing Agreements (DPA) and holding ISO/IEC 27001 compliance certification.
- Trusted entities providing analytical services (operating on fully anonymized databases obtained through aggregated cookies).
- External law firms and auditors – only to the extent necessary to obtain professional legal services and protection against unjustified claims.
- Competent state authorities (including law enforcement and judicial authorities) – exclusively in situations where the obligation to disclose data arises directly from mandatory provisions of generally applicable law.
The overriding principle of the Controller's policy is to locate server infrastructure within the territory of the European Union, which means no transfer of personal data to third countries (outside the European Economic Area). However, if technological requirements (e.g., the need to ensure redundancy and high availability through global public cloud providers) necessitate such a transfer, it will be carried out exclusively on the basis of Standard Contractual Clauses (SCC) approved by a European Commission decision or to jurisdictions for which the Commission has issued a binding adequacy decision.
6. Cookies and Analytical Tools
The Platform automatically, continuously, and transparently collects information stored in cookies. These are small text fragments stored on the User's end device that do not enable direct identification of the User, and their primary function is to optimize navigation processes.
The following categories of cookies are implemented within the Platform structure:
- Essential cookies (Technical): They condition the correct and secure functioning of the software, maintaining an authenticated session, error-free operation of electronic forms, and the implementation of basic website functions. Deactivation of this category of files is not possible, as it would lead to technical dysfunction of the Platform architecture.
- Analytical and marketing cookies: They serve to aggregate anonymized statistical data illustrating how Users interact with the software (including through Google Analytics, Meta Pixel tools). These solutions facilitate the Controller's measurement of network traffic intensity, evaluation of the effectiveness of educational campaigns, in-depth analysis of User behavior, and continuous optimization of the interface (UI/UX). Their use is not default and always requires prior, voluntary, and explicit consent from the User (obtained through an interactive panel).
- Preference management: Users are guaranteed full control over the information collection process. At any time, it is possible to block, restrict, or permanently delete selected cookies from the privacy settings of the web browser software or through the integrated preference panel available in the Platform interface.
7. Data Subject Rights and Complaint Procedure to PUODO
In accordance with the applicable provisions of the General Data Protection Regulation (GDPR), the Controller guarantees full transparency of processing operations and ensures Users the ability to exercise a broad catalog of rights:
- Right of access to data: The right to obtain from the Controller confirmation of the processing of personal data and to receive a copy in digital form.
- Right to rectification: The right to request immediate rectification of incorrect information or completion of incomplete information.
- Right to erasure ("right to be forgotten"): This right is exercised most effectively through the account deletion option in the Platform settings panel, which results in the definitive and irreversible erasure of the User's profile from IT systems.
- Right to restriction of processing: Applicable in strictly defined legal cases (including during the verification of the correctness of disputed data).
- Right to data portability: The right to receive the data set in a structured, commonly used, machine-readable format (e.g., CSV, JSON) with the possibility of direct transmission to another entity.
- Right to object: The right to object at any time to data processing based on the Controller's legitimate interest (Art. 6(1)(f) GDPR), based on reasons related to the particular situation of the data subject.
- Right to withdraw consent: The User is entitled to free withdrawal at any time of previously expressed consent to the processing of special categories of data, including health data (Art. 9 GDPR). However, given the integral technological connection of the Platform's functions with the analysis of such information, withdrawal of consent results in the objective impossibility of continuing to provide analytical Services and entails automatic deletion of the User's Account. It should be noted that withdrawal of consent does not affect the legality of processing carried out before its effective revocation.
- Right to breach notification: In the event of a personal data breach involving a high risk to the rights or freedoms of natural persons, the Controller is obligated to inform the User of such an incident without undue delay.
To exercise the above-mentioned rights, please contact the Data Protection Officer directly at the address indicated in point 1 of this document.
In the event of a reasonable suspicion that data processing operations carried out by the Controller constitute a violation of data protection law, the User has the inalienable right to file a complaint with the competent supervisory authority. In the Republic of Poland, this function is performed by the President of the Personal Data Protection Office (PUODO), based in Warsaw at ul. Stawki 2.
8. Personal Data Retention Periods
The Controller rigorously adheres to the storage limitation principle, according to which data is not subject to indefinite retention. The following predefined time frames apply:
- Data linked to the User Account: Subject to active processing exclusively for the period of maintaining active Account status within the Platform structure. Upon effective deletion of the Account (regardless of whether by User instruction or at the Controller's initiative), data undergoes immediate, permanent anonymization. The catalog of exceptions to this rule is limited to data strictly necessary to demonstrate the history of completed transactions and potential financial claims (standard retention period of 5 years), as well as records confirming the granting of consents (consent logs). These records are archived for the limitation period of potential civil claims (generally 3 years), as required by the accountability principle established in GDPR.
- Analytical reports: Stored on servers assigned to the Account exclusively for the purpose of providing access to historical data until deleted by the User or until complete Account termination.
- Server logs and analytical cookies: Subject to automated rotation mechanisms. Their retention is conditioned by technical parameters of external service providers' systems, whereby in principle this period ranges from 30 days to a maximum of 14 months (for advanced analytics and aggregation of annual research statistics).
9. Privacy Policy Amendment Procedure
Taking into account the constant technological development of the "Dr Kiwi" Platform architecture, as well as potential modifications in European digital legislation, the formal procedure for implementing changes to this Privacy Policy is comprehensively regulated in § 9 of the Terms. The Controller commits to maintaining the highest standards of information transparency. Notifications of all planned, significant amendments entailing a change in the scope of Users' rights or obligations will be delivered (e.g., in the form of email notifications or push notifications in the Application interface) at least 7 days before the planned effective date.
This Policy in the presented wording is effective as of: February 1, 2026.