Privacy Policy

    "Dr Kiwi" Application and "Keep It Healthy" Platform

    This Privacy Policy constitutes an inseparable and integral part of the Terms of Service for electronic services (hereinafter referred to as the "Terms") and comprehensively defines the rules for collecting, rigorously processing and protecting personal data of Users using the provided infrastructure.

    The Controller's operations are based on the EU principle of Privacy by Design and Data Minimisation. This means that already at the initial stage of software architecture development, advanced technological solutions have been implemented that guarantee the highest degree of confidentiality, with particular regard to legal restrictions relating to special categories of data, including health data and biometric data.

    1. Identity of the Data Controller

    The sole Controller of Users' personal data, the entity determining the purposes and means of their processing, is:

    Keep It Healthy Sp. z o.o. z siedzibą przy ul. Władysława Korotyńskiego 28, 02-123 Warszawa, wpisaną do KRS pod numerem 0001057283, NIP: 7011164571, REGON: 526390927

    (hereinafter referred to as: "Controller" or "Company").

    All matters related to personal data protection, exercise of Users' statutory rights or notification of potential security incidents are treated with special priority. Communication in the above scope with the qualified Data Protection Officer (DPO) appointed by the Controller is possible via the dedicated email address: kontakt@keepithealthy.pl.

    2. Scope and Purposes of Data Processing

    The Controller collects and processes only the data that is considered absolutely necessary for the proper and secure provision of advanced Services defined in the Terms. The Platform is dedicated exclusively to persons with full legal capacity. The Controller does not take deliberate actions to obtain data from minors. In the event of learning about processing data of a person under 18 years of age, such account is immediately deleted.

    Providing personal data by the User is entirely voluntary. However, it should be noted that failure to provide information classified as mandatory (including in particular the email address necessary to create an Account and medical documentation required for analysis) will objectively and directly prevent the Controller from establishing an obligation and properly providing analytical Services. The processed data sets are categorized as follows:

    A. Identification and Technical Data (Ordinary Data)

    Scope: Email address, access password stored exclusively as a secure cryptographic hash (one-way encryption), first name or pseudonym (if voluntarily provided by the User), authentication history (login dates and times), unique end-device identifiers, and current subscription status.

    Purpose: Authorization, registration and maintaining the security of the User's Account, providing ongoing technical support, processing account access recovery, and formally handling complaints.

    Legal basis: Necessity for the performance of a contract for the provision of electronic services or to take steps at the request of the data subject prior to entering into a contract (Art. 6(1)(b) GDPR).

    B. Health Data (Special Categories of Data – Art. 9 GDPR)

    Scope: Precise anthropometric parameters (including height, body weight, BMI, age, biological sex determining the application of appropriate reference norms), information about diet and lifestyle habits, digitized images of laboratory test results (PDF/JPG files), and specific numerical variables extracted from them.

    Purpose: Conducting automated, multidimensional analysis aimed at generating a summary report and educational supplementation recommendations to support the User's individual health goals.

    Legal basis: Explicit, informed, voluntary and prior consent of the User (so-called active opt-in), obtained each time before initiating the analysis process for new documents (Art. 9(2)(a) GDPR).

    C. Data Processed for Defense or Pursuit of Claims and Fulfillment of Legal Obligations

    Scope: System records confirming the fact and time of consent (so-called consent logs), data necessary for proper verification of the User's identity, complete records of complaint activity, as well as data regarding completed financial transactions and settlements.

    Purpose: Securing the possibility of pursuing economic claims by the Controller or defending against claims raised by the User, as well as meticulous maintenance of mandatory accounting, bookkeeping and tax documentation.

    Legal basis: The Controller's legitimate interest in protecting its property rights (Art. 6(1)(f) GDPR) and the absolute legal obligation of the Controller arising from generally applicable tax law provisions (Art. 6(1)(c) GDPR).

    D. Server Logs (Operational Data)

    Scope: IP addresses, precise time of request arrival and response dispatch by server infrastructure, type and version of web browser software, identified HTTP transaction errors, URLs of browsed resources, and infrastructure load parameters.

    Purpose: Global administration of IT systems, software performance optimization, diagnosing critical technical anomalies, and above all – detecting potential security breaches, preventing fraud and repelling organized cyberattacks (including DDoS).

    Legal basis: The Controller's legitimate interest in guaranteeing the reliability and integrity of IT infrastructure (Art. 6(1)(f) GDPR).

    3. Automated Decision-Making and Profiling

    Within the Platform, in order to provide innovative Services, the Controller implements advanced algorithms on a large scale. These algorithms subject the test results and physiological parameters entered by the User to multi-threaded analysis, and then, using cross-referencing mechanisms with publicly available registries (e.g., the Chief Sanitary Inspector's Registry), generate personalized reports and profile appropriate supplementation recommendations.

    The Controller categorically stipulates and declares that the process described above does not lead to decisions made about the User based solely on automated processing that would produce legal effects concerning them or similarly significantly affect them, in accordance with Art. 22 GDPR. The Platform does not apply mechanisms for refusing services, does not automatically differentiate prices, and does not assess insurance capacity based on aggregated data. Generated summaries and suggestions have exclusively informational and educational status. The decision on their possible implementation into daily routine rests solely with the User and should be absolutely preceded by appropriate medical consultation. The algorithm performs an analytical, not a decision-making function. Nevertheless, the User retains the inalienable right to demand human intervention from the Controller, to express their own position on the matter, and to challenge the accuracy of AI recommendations through formal contact with the Data Protection Officer.

    4. Ephemeral Processing Principle (Stateless Processing)

    In pursuit of ensuring the highest, market-unprecedented level of security for sensitive data (i.e., digitized document scans), the Controller has implemented a rigorous and innovative ephemeral processing protocol, defined accordingly in § 7 of the Terms:

    1. A file uploaded by the User (e.g., a PDF document or JPG image) is loaded via an encrypted TLS 1.3 transmission channel exclusively into the volatile random access memory (RAM) of a strictly isolated server environment.
    2. A dedicated AI module (OCR) performs immediate extraction of numerical values from the source file into plain text. Data processed in an isolated environment is subject to minimization and pseudonymization (including removal of first name, last name, and PESEL number) before being passed to analytical modules, including language models (LLM). This operation constitutes pseudonymization and minimization, not anonymization — data directly identifying the User (such as first name, last name, or PESEL) is not passed to the AI/LLM components, however the extracted test values remain protected health data.
    3. Immediately after generating the text analytical report, the User's original file is irreversibly destroyed (permanently deleted from all buffers, cache, and machine registers).

    The implementation of the above system architecture results in the abandonment of permanent storage of Users' original medical documents (scans/photos) on the Controller's permanent media; original files are deleted after extraction. Ephemeral processing applies exclusively to the original file uploaded by the User. The extracted numerical parameters and generated reports, on the other hand, are stored in the User's account and are subject to the protection and retention rules set out in point 8 of this Policy.

    5. Data Sharing and Transfer to Third Countries (Outside the EEA)

    The Controller is fully aware of the particular sensitivity of information in the MedTech sector. For this reason, it guarantees that it does not sell, lend, or share health data with third parties for marketing, advertising, or research purposes. Data processing may be entrusted only to a narrow, strictly verified circle of recipients:

    • cloud infrastructure and hosting providers (e.g., Google Cloud, AWS) — bound to the Controller by data processing agreements (DPA) and applying recognized security standards (e.g., ISO/IEC 27001);
    • OCR / artificial intelligence service providers supporting the analysis — subject to point 4, they receive only pseudonymized and minimized data (without data directly identifying the User, such as first name, last name, or PESEL);
    • a push notification service provider (OneSignal);
    • an email and transactional communication service provider;
    • a payment operator (handling subscriptions and settlements);
    • analytics and measurement tool providers (e.g., Google Analytics, Meta) — only after the User has given consent;
    • law firms and auditors — to the extent necessary for legal services and audit;
    • authorized state authorities — where the obligation to disclose data arises from the law.

    The current list of data processors (sub-processors) is available at Sub-processors and is kept up to date.

    Some providers (including Google, Meta, OneSignal) are based in the United States, which involves the transfer of data outside the European Economic Area (EEA). The transfer takes place on the basis of: (a) a European Commission adequacy decision — the EU-US Data Privacy Framework (DPF) — for providers certified under the DPF, or (b) Standard Contractual Clauses (SCC) together with a Transfer Impact Assessment and additional safeguards. The Controller strives to locate infrastructure within the European Union and to minimize transfers.

    6. Cookies and Analytical Tools

    The Platform automatically, continuously, and transparently collects information stored in cookies. These are small text fragments stored on the User's end device that as a rule do not serve to directly identify the User, although in combination with other information (e.g., IP address) they may in certain cases constitute personal data, and their primary function is to optimize navigation processes.

    The following categories of cookies are implemented within the Platform structure:

    • Essential cookies (Technical): They condition the correct and secure functioning of the software, maintaining an authenticated session, error-free operation of electronic forms, and the implementation of basic website functions. Deactivation of this category of files is not possible, as it would lead to technical dysfunction of the Platform architecture.
    • Analytical and marketing cookies: They serve to collect and aggregate statistical data illustrating how Users interact with the software (including through Google Analytics, Meta Pixel tools). These solutions facilitate the Controller's measurement of network traffic intensity, evaluation of the effectiveness of educational campaigns, in-depth analysis of User behavior, and continuous optimization of the interface (UI/UX). Their use is not default and always requires prior, voluntary, and explicit consent from the User (obtained through an interactive panel).
    • Preference management: Users are guaranteed full control over the information collection process. At any time, it is possible to block, restrict, or permanently delete selected cookies from the privacy settings of the web browser software or through the integrated preference panel available in the Platform interface.

    7. Data Subject Rights and Complaint Procedure to PUODO

    In accordance with the applicable provisions of the General Data Protection Regulation (GDPR), the Controller guarantees full transparency of processing operations and ensures Users the ability to exercise a broad catalog of rights:

    • Right of access to data: The right to obtain from the Controller confirmation of the processing of personal data and to receive a copy in digital form.
    • Right to rectification: The right to request immediate rectification of incorrect information or completion of incomplete information.
    • Right to erasure ("right to be forgotten"): This right is exercised most effectively through the account deletion option in the Platform settings panel, which results in the definitive and irreversible erasure of the User's profile from IT systems.
    • Right to restriction of processing: Applicable in strictly defined legal cases (including during the verification of the correctness of disputed data).
    • Right to data portability: The right to receive the data set in a structured, commonly used, machine-readable format (e.g., CSV, JSON) with the possibility of direct transmission to another entity.
    • Right to object: The right to object at any time to data processing based on the Controller's legitimate interest (Art. 6(1)(f) GDPR), based on reasons related to the particular situation of the data subject.
    • Right to withdraw consent: The User is entitled to free withdrawal at any time of previously expressed consent to the processing of special categories of data, including health data (Art. 9 GDPR). Withdrawal of consent to the processing of health data results in the cessation of analytical functions based on that data and in the deletion of the health data and associated reports. The User's basic account (e.g., email address, settings) may be retained until a separate instruction for its deletion. Withdrawal of consent does not affect the lawfulness of processing carried out before its withdrawal.
    • Right to breach notification: In the event of a personal data breach involving a high risk to the rights or freedoms of natural persons, the Controller is obligated to inform the User of such an incident without undue delay.

    To exercise the above-mentioned rights, please contact the Data Protection Officer directly at the address indicated in point 1 of this document.

    In the event of a reasonable suspicion that data processing operations carried out by the Controller constitute a violation of data protection law, the User has the inalienable right to file a complaint with the competent supervisory authority. In the Republic of Poland, this function is performed by the President of the Personal Data Protection Office (PUODO), based in Warsaw at ul. Stawki 2.

    8. Personal Data Retention Periods

    The Controller rigorously adheres to the storage limitation principle, according to which data is not subject to indefinite retention. The following predefined time frames apply:

    • Data linked to the User Account: Subject to active processing exclusively for the period of maintaining active Account status within the Platform structure. Upon deletion of the Account, data identifying the User is permanently deleted. Data that the Controller retains after Account deletion is processed exclusively in anonymized form (preventing re-identification) — e.g., aggregated statistics. Exceptions include data necessary to demonstrate completed transactions and potential claims (5-year retention) and consent logs — for the limitation period of claims (as a rule 3 years).
    • Analytical reports: Stored on servers assigned to the Account exclusively for the purpose of providing access to historical data until deleted by the User or until complete Account termination.
    • Server logs and analytical cookies: Subject to automated rotation mechanisms. Their retention is conditioned by technical parameters of external service providers' systems, whereby in principle this period ranges from 30 days to a maximum of 14 months (for advanced analytics and aggregation of annual research statistics).

    9. Privacy Policy Amendment Procedure

    Taking into account the constant progress in the technological development of the "Dr Kiwi" Platform architecture, as well as potential modifications in the structure of European digital legislation, formal procedures for implementing changes to this Privacy Policy have been comprehensively regulated in § 9 of the Terms. The Controller commits to maintaining the highest standards of information transparency. Notifications of all planned, significant amendments implying a change in the scope of Users' rights or obligations will be delivered (e.g., in the form of email notifications or push notifications in the Application interface) with at least a 7-day advance notice before the planned effective date.

    This Policy in the presented wording is effective as of: June 23, 2026.

    10. Change History

    Version of June 23, 2026 — compliance changes: point 4 (clarification of ephemeral processing — only the original file is ephemeral, parameters and reports are retained; description of processing by AI/OCR/LLM as pseudonymization and minimization instead of anonymization); point 5 (full list of categories of recipients, link to the sub-processor register, actual transfers to the USA based on DPF/SCC and TIA); point 6 (softened description of cookies — they may constitute personal data in combination with the IP address); point 7 (separation of withdrawal of health-data consent from Account deletion); point 8 (consistent Account deletion logic). Related changes in the Terms (§ 1, § 4, § 5, § 7, § 9).