We value your personal privacy.
In this privacy policy, we describe how your personal data is processed when you use our health and wellness services. We also describe the rights you have as a registered individual.
IMR Institutet för Människor i Rörelse AB (“IMR,” “we,” “our,” or “us”) is a service provider offering proactive health solutions to companies, aiming to improve people’s health and performance through physical activity. We primarily process your personal data to enable you to use our digital services as a participant, to evaluate and advise you on your health, and to improve and further develop our services.
IMR is the data controller for the personal data processing described in this privacy policy. If you have any questions about the processing, you can contact IMR. Our contact details are provided at the end of this privacy policy.
In addition to this privacy policy, we may, in some cases, provide additional information regarding specific personal data processing. Such information will apply in addition to what is stated in this privacy policy.
To provide our digital services to you, you need to provide the personal data described in this privacy policy. Otherwise, we may not be able to offer all services to you.
1. When we process your personal data
We process your personal data mainly in three situations:
- Website usage
- Evaluation and health advice
- Information mailings
Below, we describe in more detail how we process personal data in these three situations and the rights you have under GDPR.
2. Our use of your personal data
We send the user’s personID and companyID from our database to Smartlook to enable the analysis of user behavior. It is important to note that these identification numbers are anonymous and cannot be directly linked to specific individuals or companies without additional information. To identify specific users or companies, access to our database and the supplementary information stored there is required. We ensure that this data is only used to improve and optimize our app, and we take all necessary measures to protect users’ privacy and security.
3. Website usage
When you use our website, we process personal data about you. This personal data is obtained, provided that you have consented, through cookies that are used to facilitate the use of our website and to improve it.
When you, as a participant, use our digital services, we also process personal data about you according to section B below.
4. Evaluation and health advice
We process personal data about you in connection with the meetings and tests you participate in with us and when you use our digital services. The personal data is processed to evaluate and provide you with reliable advice and insights about your current and future health and to give you access to our digital services.
Below are the categories of personal data we process when evaluating your health and when you use our digital services, the purposes for which we process the personal data, and the legal basis for such processing.
Categories of personal data | Purpose | Legal basis |
1. Contact and identity information. For example, name, date of birth, gender, email address, home address, phone number, and photograph. | To administer your user account. For example, to give you access to our digital services (e.g., to verify your identity, remember your settings, and exercises assigned to you) and manage your bookings. To invoice your employer. If you use our services through your employer, we may, in connection with invoicing, process information about your name and the fact that you have used our services. | Legitimate interest. Our legitimate interest is to provide and charge for our services. |
2. Employment information. For example, profession and employer. | | |
3. Data from points 1–2 above. | Evaluation and advice. For example, to evaluate and provide advice on your health and physical activity. | Legitimate interest. Our legitimate interest is to provide our services. |
4. Health data. For example, general health condition, work and exercise capacity, and stress levels. | Evaluation and advice. For example, to evaluate and provide advice on your health and physical activity, including profiling (see below for more information on profiling). | Consent. We base our processing on your consent. |
5. Correspondence. For example, personal data contained in written or verbal correspondence with you. | Evaluation and advice. For example, to evaluate and provide advice on your health and physical activity. | Legitimate interest. Our legitimate interest is to provide our services. |
6. Data from points 1–5 above. | To anonymize personal data for development, operational and quality monitoring, and research. For example, to improve services (e.g., health advice and our digital services), develop new services (e.g., additional features and standalone services), analyze user behaviors, and create statistics on the physical health development of the Swedish population. | Legitimate interest. Our legitimate interest is to anonymize your personal data and use the anonymized data to develop our services and promote and contribute to health research. If the processing involves health data, we base the processing on your consent. In such cases, we will inform you and obtain your consent before processing. |
7. Data from points 1–5 above. | To protect ourselves against or file legal claims. For example, if you file legal claims against us or we file claims against you. | If the processing is necessary to fulfill the agreement (e.g., if we believe you are not complying with the agreement) between you and us, we rely on that as the legal basis. If the claim is unrelated to the agreement, we rely on a legitimate interest, where our legitimate interest is to defend against or file legal claims. If the claim involves processing health data, we rely on it being necessary to establish, exercise, or defend legal claims. |
How we obtain personal data
We obtain personal data from you and from the information, including results from physical tests, that your IMR coach reports from your meeting with us.
Recipients of personal data
Personal data is shared with our Bank-ID provider, IMR’s IT providers (such as hosting providers), and IMR coaches. Personal data may also be shared with authorities, if required by law. If IMR or a part of IMR is acquired by or merges with another company, personal data may also be shared with such companies.
If you use our services through your employer, we may share information about your use of our services with your employer. Additionally, we provide aggregated results to your employer. We also provide aggregated personal data to research institutes. This data is anonymized and cannot be traced back to you.
Storage period
Personal data is stored until the earliest of the following occurs: (i) you contact us to request anonymization of your personal data, (ii) six months after your employer terminates its collaboration with IMR, or (iii) 12 months after your last participation in a meeting with us. After that, personal data will be anonymized or deleted. Personal data that we must process to comply with the Accounting Act will be processed until the seventh year following the end of the calendar year in which the fiscal year ended. Personal data processed to protect us against or file legal claims will be processed until the statute of limitations expires, typically ten years from when the claim arose.
Processing within the EU/EEA
Personal data is processed within the EU/EEA.
Profiling
When you use IMR’s health evaluation and advice services, we process your personal data for profiling to assess your health. This means that we use automated processing of your personal data to evaluate certain personal characteristics from a health perspective. The evaluation is based on the information you have provided, such as your health status and test results. If you have any questions about our use of profiling, please feel free to contact us.
5. Information mailings
We process personal data about you to send information regarding the services you use. Your personal data is processed to ensure that you receive relevant and tailored information. You can request at any time that we stop sending information to you, in whole or in part, by contacting us (see Section 8).
Below are the categories of personal data we process for information mailings, the purposes for processing the personal data, and the legal basis for such processing.
Categories of personal data | Purpose | Legal basis |
1. Contact and identity information. For example, name, gender, email address, home address, and phone number. | Information mailings. For example, to send general information (e.g., newsletters) and tailored mailings to you (e.g., to inspire your physical activity). | Legitimate interest. Our legitimate interest is to send relevant and, in some cases, tailored information. If the processing involves health data, we base the processing on your consent. In such cases, we will inform you and obtain your consent before processing. |
2. Employment information. For example, profession and employer. | | |
3. Health data. For example, general health condition, work and exercise capacity, and stress levels. | | |
How we obtain personal data
See Section B above.
Recipients of personal data
Personal data is shared with companies handling information mailings and IMR’s IT providers (such as hosting providers). If IMR or a part of IMR is acquired by or merges with another company, personal data may also be shared with such companies.
Storage period
Personal data is stored in accordance with Section B. If you object to the processing for information mailings, your personal data will no longer be used for this purpose.
Processing within the EU/EEA
Personal data is processed within the EU/EEA.
Profiling
When you use IMR’s services, we process your personal data for profiling to send tailored information mailings to you. This means that we use automated processing of your personal data to evaluate certain personal characteristics from a health perspective. The evaluation is based on the information you have provided, such as your health status and test results. If you have any questions about our use of profiling, please feel free to contact us.
6. Anonymization
Your privacy is important to us, and we always strive to limit our processing of your personal data. To the extent possible and without compromising the provision of our digital services to you, we anonymize your personal data. For example, we only send aggregated personal data, i.e., anonymized and untraceable data, to your employer and, in some cases, research institutes. When anonymization is not possible, for example, when certain information must be provided specifically to you, we strive to ensure that the personal data cannot be traced back to you.
7. Security
We take appropriate security measures to protect your personal data from unauthorized access, use, modification, and distribution. For example, processing occurs in facilities with good physical security and in IT systems with strong IT security. When other companies process personal data on our behalf, we ensure they are bound by data processing agreements. We also impose security and confidentiality requirements in accordance with applicable laws.
8. Your rights
As a data subject, you have certain rights regarding how your personal data may be processed. These include:
- Right to be informed. You can request information about what personal data we process about you at any time.
- Right to request access. You can request a copy of your personal data that we process.
- Right to request rectification. You can request that we correct incorrect or incomplete information about you.
- Right to request erasure. You can request the deletion of your personal data under the following circumstances:
  - The personal data is no longer necessary for the purposes for which it was collected or otherwise processed.
  - You object to the processing, and there are no overriding legitimate grounds for processing.
  - The personal data is processed unlawfully.
  - The personal data must be erased to comply with a legal obligation.
  In some cases, we may be unable to immediately delete certain personal data due to legal requirements or to establish, exercise, or defend legal claims.
- Right to request restriction of processing. You can request that the processing of certain personal data be limited to specific purposes. This right applies under the following circumstances:
  - You contest the accuracy of the personal data, for a period that allows us to verify its accuracy.
  - The processing is unlawful, and you oppose the deletion of the personal data.
  - We no longer need the personal data for processing purposes, but you need it to establish, exercise, or defend legal claims.
  - While waiting to verify whether our legitimate grounds for processing outweigh your legitimate grounds in connection with your objection to the processing.
- Right to object to processing. You can object to our processing of any of your personal data. If you object to processing, we may no longer process the personal data in question, unless we can demonstrate compelling legitimate grounds for the processing that outweigh your interests, rights, and freedoms, or if the processing is for the establishment, exercise, or defense of legal claims.
- Right to data portability. In some cases, you can request to retrieve and use your personal data elsewhere. This right applies if we process the personal data you have provided, and the processing is based on a contract with you or your consent and is carried out automatically.
- Right to withdraw your consent. See Section 6.
- Right to file complaints with supervisory authorities. See Section 7.
You can exercise any of your rights at any time by contacting us at support@imr.se.
9. Right to withdraw consent
If you have given your consent to certain processing, you have the right to withdraw your consent at any time. A withdrawal does not affect the lawfulness of processing carried out before the withdrawal. Upon withdrawal, we are no longer entitled to continue the processing in question unless another legal basis for the processing exists.
You can withdraw your consent by contacting us at support@imr.se.
10. Right to file complaints
If you believe that we are processing your personal data in violation of GDPR or applicable data protection legislation, you can file a complaint with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten).
11. Contact information
If you have any questions or comments about how we process personal data, please contact us at support@imr.se.
IMR Institutet för Människor i Rörelse AB
Organization number: 559146-4838
Birger Jarlsgatan 57
113 56 Stockholm
This privacy policy is updated from time to time. The privacy policy was last updated in February 2024.