Privacy Policy

1. General

As of: 30.04.2021

Please read this policy carefully before using Bloom’s services. 

When visiting the website of Bloom Diagnostics AG/GmbH (“Bloom”, “us”, “our” or “we”) at www.bloomdiagnostics.com (our “Website”), using our Bloom System (mobile application “Bloom”, our “App”; Bloom Lab and Bloom Test) or using any other of our offered services (the “Services”), it may be possible that we will need to process your personal data.

The protection and privacy of your personal data is very important to us and we are legally obliged to ensure it. We process your data exclusively on the basis of statutory provisions (GDPR, DSG, TKG 2003 (Telecommunications Act), HIPAA (Health Insurance Portability and Accountability Act)). Below we will inform you about the processing of your personal data by us and the rights you are entitled to under the General Data Protection Regulation (GDPR).

Responsible for data processing (data controller) is Bloom, which consists of:


Bloom Diagnostics AG
Susenbergstrasse 185
8044 Zürich, Switzerland
Company number: CHE-270.811.476

 

Bloom Diagnostics GmbH
(daughter company of AG)
Börseplatz 6 / 2 / 19-20
1010 Wien, Austria
Company number: FN 421045 i

General contact email address: office@bloomdiagnostics.com
Tel.: +43 1 929 72 96

For all complaints, questions and suggestions on data protection, we are always at your disposal. Our data protection officer can be contacted via:
privacy@bloomdiagnostics.com
Tel.: +43 1 929 72 96

We process both the data that you provide to us and the data that we receive through your use of our online presence.

2. Data strategy

Data will always be treated with confidentiality and only for the intended purpose, whilst always protecting the user’s/customer’s identity and privacy. To achieve these goals, different security measures are in place. These include, e.g., pseudonymization, anonymization, data silos, as well as different organizational and administrative measures to protect all data. We will only process your personal data for the purpose for which the data was collected, or for a purpose that we reasonably believe is compatible with the original purpose. Where we intend to further process your personal data for a purpose other than that for which it was collected, Bloom Diagnostics will notify you prior to that processing and, if necessary, ask for your consent. Please note that processing of your personal data without your knowledge or consent will only happen if required by law.

 

3. Processing of personal data that you provide

We will only process your data in a GDPR-compliant way. The details, which depend on the respective activity, are listed below. The following sections describe in detail for which purposes and on what legal basis we process data, as well as whether it is shared with any third parties. This should give you full transparency, as we never want to process data without your knowledge.

Personal data will be kept for as long as necessary to achieve its purposes, but in no event longer than:

Your account remains active
Data is no longer needed for a specific purpose
It is required by law
Your request for deletion is accepted

Personal data that we process falls under one of the following categories: 

Name/Company 
Gender 
Date of birth 
Contact Information: e.g. email address, phone number
Address/Shipping Information 
Bank information 
Medical information: symptoms of your illness, potential causes of your illness/symptoms, your medical history, any allergies you have, or further information required of your current health status (only processed when using Bloom System) 
Browser data, server logs, cookies, IP addresses, etc.

Not all data above is processed for all purposes listed. This depends on the purpose of processing, but we aim to use only the minimal required data necessary for the intended operation.

3.1 Data processing in the context of contacting us

If you contact us (e.g. by email, contact form, telephone), the processing of your data to carry out (pre)contractual measures to fulfill your request will take place. Your request and/or any data gathered while aiding you with your request, feedback or complaint, as well as the medium of contact, can be stored and processed if it helps to solve current issues, prevent future issues or benefit customers, on the legal basis of legitimate interests of Bloom Diagnostics.

When we receive certain complaints, we are obliged to notify the competent authorities of the corresponding country (e.g. Austria - BASG) via their provided platform as a part of our legal obligation for medical device incident reporting. For this purpose, some of your information might be shared with them on the legal basis of a legal obligation.

 

3.2 Data processing in the context of a (possible) business relationship

The processing of your data takes place to fulfill a (pre)contractual relationship in the context of a business relationship. Your data will be processed for the formal treatment of our business transactions, for the purposes of testing and evaluating, for customer satisfaction, to assess the quality of services used and for the sale of goods and services. This also includes (pre)sale activities, such as demo meetings, presentations and similar for possible customers. This business transaction will only cover the agreed-upon scope and data will not be used for additional purposes. If you decide against a business relationship but show interest in future products or services, we will inform you of those on the basis of legitimate interest. We will then delete your data at the latest 3 years after your last interest was shown or, if requested by you, earlier.

When using our Webshop, we process your data (contact, shipping and payment information) on the legal basis of a contractual relationship. Necessary data is also processed by the webshop provider, the payment agency that you have chosen, as well as our logistics partner in order to properly handle your requested business transaction.

3.3 Data processing for the handling of events

If you participate in our events, and for the organization and implementation of events, the processing of your data takes place for the fulfillment of a contractual relationship, on the basis of our legitimate interests in a smooth handling of the event, or on the basis of your informed consent. If data is to be shared with third parties, information will be provided beforehand.

3.4 Data processing for the purpose of direct mail

The processing of your data takes place on the basis of your consent (e.g. newsletter) and for the purpose of initiating business concerning our own delivery or service offer, as well as keeping you updated about Bloom as a company and its products.

3.5 Data processing in the context of app usage

When installing the app, the user can create an account, the data of which will be processed on the legal basis of a contractual relationship. On the legal basis of a contractual relationship, the user agrees to allow Bloom to process medical and health(-related) data. Since this falls under special category data (Art. 9 GDPR), consent is legally required, in addition to the legal basis, to allow processing. We require your consent to use our product, as otherwise no correct and intended use is possible. This includes data from the measurement of a Bloom Test Strip itself and the data entered as part of the questionnaire taken whilst measuring. Other data (not medical/health) that is collected is processed on the legal basis of a contractual relationship. The medical data, and other data collected during the report generation, will only be used for the following purposes:

1. Providing full functionality of our products and services, according to the contract between Bloom Diagnostics and their users. These include a fully personalized analysis and report of a measurement conducted with Bloom Diagnostics’ testing system (App, Lab, Test). 

2. Incorporating improvements to our products and services and increasing user satisfaction using pseudonymized (= direct identifiers replaced to avoid identification) and aggregated data. Data is used for research to identify e.g. difficulties of app usage and users’ needs. Additionally, data can provide the basis for factual decision making when it comes to product improvement and help to eliminate bugs. Data can also help to personalize the user experience. If analytical insights are to be shared with third parties, the data is truly anonymous (all identifiers removed, identification not possible) and cannot be traced back to any individual.

3. Contributing to public health benefits by providing institutions with fully anonymized data insights. Together with measurement results and demographics of the users, health states of social groups can be predicted, for example identifying trends in disease outbreaks, spreads or deficiencies. Research in that direction with the help of Bloom Diagnostics’ collected data can improve forecasting, early diagnosis and targeted treatment. Clusters and risk groups could be characterized and supported with preventive measures. 

To withdraw consent from processing health(-related) data you have to delete your account. Since our products rely on your data input, we cannot provide this service without permission. Revoking consent is equivalent to deleting your account.

When using the Android Bloom App, it might ask for your location upon pairing with Bluetooth. This is a requirement from Android when using Android 6 or 7. Bloom does not track or process your location.

3.6 Data Storage

The user’s data and the medical reports are stored in encrypted form on the device within the Bloom App and as encrypted, binary data on the AWS (Amazon Web Services) server - the decryption key for the data and the reports is stored in a secure form only in your App. Neither Bloom nor anyone else can decrypt data without permission and support of the user.  

Some information (questionnaire data, test results and device information of a taken test retrieved from the App) will be stored within our analytic stream in a pseudonymized form, so that an individual user cannot be directly identified. It will be used for data analysis by Bloom directly in order to improve our products. This data will not be shared outside of Bloom directly, but aggregated data reports might be shared in truly anonymized form.

Contact details and other information provided to us (incl. email and physical address) will be stored, depending on the use case, on one of the following to allow us easier and proper processing: G-suite, logistics partner, Hubspot (customer service software) and BMD (finance software).

We will hold your personal data for as long as it is necessary for each dedicated purpose to provide you with our services or otherwise as is required by law or any relevant regulatory body. Data will be deleted otherwise. Once your account is terminated or deactivated, we shall delete the personal data relating to your account.

4. Processing personal data that we receive through your use of our app, website or other services

4.1 Server logs

No personal information is required to use our website. However, our web server still records the data communicated to us by your internet browser (including the IP address of the requesting computer, together with the date, time, the request, which file is requested (name and URL), which amount of data is transmitted to you, a message indicating whether the request was successful, recognition data of the browser used and the operating system used, as well as the website from which the access was made, should access be via a link).

The processing is based on our legitimate interest to ensure system security, to technically administer the website, and to optimize service quality. 

The server logs are stored for a maximum of 12 months.

4.2 Cookies

We use cookies to make your visit to our website attractive and to allow certain features to be used. Cookies are small text files that the website stores on your computer in order to recognize them (long-term cookies). These may contain information about the use of the website. The information contained in the cookies is used to store the individual selections made by you (for example, the articles stored in a shopping cart) and then to restore them when the respective site is re-visited. We also use cookies for creating non-personalized statistics. Essential cookies are automatically accepted. Non-essential cookies (performance, targeting and functional cookies) are used to enhance site navigation, analyse site usage and assist our marketing efforts (e.g. Google Re-marketing). You can freely choose to accept these cookies, allowing us to process based on your consent. You can remove cookies stored on your computer at any time by deleting the temporary internet files, and you can revoke consent for the collection of cookies.

We use the providers listed below to process data about your use of our website in order to adapt it to your interests in the best possible way. 

We use Google Analytics as our web analytic service to analyse our website. We use IP anonymization, so your IP address will be shortened beforehand by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Google will use this information on our behalf to evaluate your use of this website, to compile reports on our website activities and to provide us with other services related to website activity and internet usage. The IP address provided by Google Analytics as part of Google Analytics will not be merged with other Google data. You can prevent the storage of cookies by a corresponding setting of your browser software; however, we point out that in this case you may not be able to use all the functions of the websites in their entirety. Furthermore, you can prevent the collection by Google of the data generated by the cookies and related to your use of the website (including your anonymized IP address), as well as the processing of this data by Google, by using the following link (http://tools.google.com/dlpage/gaoptout?hl=en) to download and install the available browser plugin. Your browser settings for general cookie collection can also be changed individually within the settings. Please check your options for the following browsers: Chrome, Firefox, Safari, Internet Explorer.

For more details about Google Analytics please visit:
https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage

4.3 Device information

When you visit our app or website we will automatically collect device-specific information, such as your hardware model, operating system version, unique device identifiers, browser type and, where available, your IP address. This information cannot be used to identify you as an individual.

Google Firebase is used to gather app-specific information, which allows us to monitor and improve our products. This is only displayed in an aggregated and anonymous form to Bloom Diagnostics. For more details concerning their data privacy, please refer to their Privacy Policy.

Additional information might be processed while aiding you when technical issues arise (debugging). This will only happen after you have contacted us, asked for help and consented to further data processing.

5. Processing personal data with the involvement of third parties

Our Website and Apps may include links to websites of unrelated third parties. Such websites are governed by the privacy policies of those other websites which may be different from our policies. We have no control over them or liability for their collection or processing of data.

If we use contractors or data processors and they are asked to process data for us, we ensure their GDPR-compliance using adequate security and data processing agreements.

6. Your rights and additional information

You have the right to information about the stored data according to Art. 15 GDPR, to correct inaccurate data according to Art. 16 GDPR, to delete data according to Art. 17 GDPR, to restrict the processing of data according to Art. 18 GDPR, to data portability according to Art. 20 GDPR, as well as to object to unreasonable data processing according to Art. 21 GDPR. If you exercise one of your rights, we will aid in any reasonably possible way to ensure those as quickly as possible. Bloom is also responsible for ensuring that all data processors (e.g. Google Firebase) adhere to your request as well.

If processing takes place on the basis of a declaration of consent, you have the option of revoking it at any time without affecting the lawfulness of the processing carried out on the basis of the consent until the revocation.

You have the right to complain to the supervisory authority. In Austria, the data protection authority is responsible:

Austrian Data Protection Authority
Barichgasse 40 - 42
1030 Vienna
Telephone: +43 1 52 152-0
E-Mail: dsb@dsb.gv.at

The data that we request from you is only the data minimally necessary for each purpose. If data is not provided, we are not able to provide the requested service(s).

Automated decision making, including profiling, does not happen. If we process your personal information for a purpose other than the one for which we collected this information, we will inform you of this fact and of this other purpose and, if required, gather your consent, except when otherwise required by law.

We allow ourselves to adapt our Privacy Policy if needed (e.g. changes of relevant regulations). The version online during the website visit will be the applicable one. Users with an account on our App will be provided with the corresponding information when relevant changes occur.

As our mother company is situated in Switzerland and our daughter company in Austria, your data can be processed in both countries. As Austria is situated in the EU, we comply with the GDPR. The European Commission has determined with an adequacy decision based on Article 45 of Regulation (EU) 2016/679 that Switzerland has an adequate level of data protection and can therefore be seen as equally protective as the GDPR.
