Privacy Policy

Glucomodicum (Sofio.health) (also referred to as “we”, “us”, or “our”) is committed to protecting your privacy and complying with applicable data protection and privacy laws, including the General Data Protection Regulation (EU) 2016/679 (“GDPR”). Please note that while Glucomodicum develops and sells consumer health products, this website is informational only and does not offer direct product sales or user registration. This Privacy Policy (“Policy”) is designed to help you to understand what kind of information we collect in connection with our website, products, and services and how we process and use such information.

Throughout this Policy the term “personal data” means information relating to an identified or identifiable individual (i.e. a natural person). You acknowledge and agree that your personal data collected may be used in accordance with this Policy by and for one or more Glucomodicum group companies, which will be regarded, individually or jointly, as data controllers in respect of such data.

Where a consent from you to the processing of personal data described in this Policy is required under the applicable law, such consent will be obtained by an appropriate mechanism such as ticking a box stating your consent, choosing technical settings for a service or website, or other statement or conduct clearly indicating your acceptance to the processing, depending on the product, website, service or application you are using.

1. CONTROLLER OF YOUR PERSONAL DATA AND CONTACT DETAILS

The data controller responsible for the purposes of the applicable data protection laws is:

GlucoModicum Oy
Business ID: 2900506-7
Address: Toinen Linja 7, 6th floor, 00530 Helsinki, Finland
Website: https://glucomodicum.com
Email: info@glucomodicum.com
Phone: +358 50 552 1000

2. DATA PROTECTION CONTACT

We have designated a data protection contact person for all data protection related matters:

Data Protection Contact
Email: sar@glucomodicum.com
Address: GlucoModicum Oy, Toinen Linja 7, 6th floor, 00530 Helsinki, Finland

3. PERSONAL DATA WE COLLECT

We collect your personal data typically when you interact with us or our website. Below are examples of the categories of the data:

3.1 Technical Information

For the most part, you may visit our websites or use our products or services without having to identify yourself. However, certain technical information is normally collected as a standard part of your use of our services. Such information includes, for example, your IP-address, access times, the website you linked from, pages you visit, the links you use, the ad banners and other content you viewed, information about your devices and other such technical information your browser provides us with or as may be otherwise collected in connection with certain products and services. When you use our services or otherwise interact with us over telecommunications networks, certain additional information, such as your mobile subscription number, may be transmitted to us by the telecommunications operator as a standard part of that communication. Please also see the section “Use of Cookies and Web Beacons” below.

3.2 Information You Provide Us

We may also collect other information you provide us with, such as your consents, preferences and feedback. Please note that certain non-identifiable information collected from you may become personally identifiable when you provide us with your personal data.

3.3 Mandatory Personal Data

Mandatory personal data, the provision of which is necessary, for example, for the performance of contractual or legal obligations, the conduct of clinical studies, the provision of services, the organization of events, responding to inquiries, and recruitment, consists of name, email, phone number and potentially your address.

3.4 Sources of Personal Data

We collect personal data from the following sources:

  • Directly from you: When you participate in clinical or usability studies, contact us through our website or other channels, request information about our products or distribution partnerships, or otherwise interact with us
  • Automatically: Through your use of our websites and services (e.g., cookies, log files, device information)
  • Third parties: From our business partners, authorized distributors, service providers, publicly available sources, and healthcare professionals (where applicable and lawful)

3.5 Categories of Personal Data Processed

The categories of personal data we may process include:

  • Contact and identification data: Name, email address, phone number, postal address, job title, employer
  • Technical data: IP address, browser type, device information, operating system, access times
  • Usage data: Pages visited, links clicked, content viewed, service usage patterns
  • Communication data: Your correspondence with us, feedback, preferences, consents
  • Study data: Health-related data for clinical or usability study participants (processed with explicit consent)
  • Professional data: Professional qualifications, CV, references (for recruitment purposes)

4. PURPOSES OF PROCESSING, LEGAL BASIS AND RETENTION PERIODS

Glucomodicum processes your personal data for the purposes described in this Policy and/or any additional service specific privacy information. Please note that one or more purposes may apply simultaneously.

4.1 Detailed Processing Purposes, Legal Bases and Retention Periods

Processing purpose: Provision of products and services – Processing and fulfilling inquiries, responding to product-related questions, supporting our distribution network, providing customer service, ensuring functionality and security of our website, identifying you, preventing fraud
Legal basis (GDPR Article 6): Performance of contract (Art. 6(1)(b)) and Legitimate interest (Art. 6(1)(f))
Retention period: Duration of business relationship + 3 years, or as required by applicable accounting and tax laws (typically 6-10 years for invoicing data)

Processing purpose: Development of products and services – Improving and developing our offerings, using aggregate and statistical information
Legal basis (GDPR Article 6): Legitimate interest (Art. 6(1)(f))
Retention period: Aggregate/anonymized data: indefinitely. Identifiable data: 2 years or until you object

Processing purpose: Business communications – Communicating about our services, sending relevant business information
Legal basis (GDPR Article 6): Legitimate interest (Art. 6(1)(f)) for B2B contacts (distributors, healthcare professionals, business partners) acting in their professional capacity, or Consent (Art. 6(1)(a)) for consumer enquiries
Retention period: B2B contacts: Until opt-out or 3 years from last business interaction. Consumer enquiries: Until opt-out or 2 years from last interaction

Processing purpose: Clinical and usability studies – Conducting research, collecting study data, analyzing results
Legal basis (GDPR Article 6): Explicit consent (Art. 6(1)(a) and Art. 9(2)(a) for health data) or Legitimate interest (Art. 6(1)(f)) where appropriate
Retention period: As specified in study protocol and informed consent form, typically 15-25 years for clinical study data to comply with regulatory requirements

Processing purpose: Recruitment – Processing job applications, assessing candidates
Legal basis (GDPR Article 6): Consent (Art. 6(1)(a)) or Legitimate interest (Art. 6(1)(f))
Retention period: Unsuccessful candidates: 2 years. Successful candidates: transferred to employee records

Processing purpose: Legal compliance – Complying with legal obligations, responding to legal requests, defending legal claims
Legal basis (GDPR Article 6): Legal obligation (Art. 6(1)(c)) and Legitimate interest (Art. 6(1)(f))
Retention period: As required by applicable laws, typically 6-10 years for accounting/tax data

Processing purpose: Website analytics – Understanding how our services are used, improving user experience
Legal basis (GDPR Article 6): Legitimate interest (Art. 6(1)(f)) or Consent (Art. 6(1)(a)) where required for cookies
Retention period: Analytics data: 26 months

Processing purpose: Security and fraud prevention – Protecting our systems, preventing misuse
Legal basis (GDPR Article 6): Legitimate interest (Art. 6(1)(f))
Retention period: Security logs: 12 months. Fraud investigation data: until resolved + 3 years

4.2 Provision of Products and Services

We may process and use your personal data to respond to your inquiries, provide information about our products and services, support our authorized distributors and retail partners, fulfill your requests such as customer service, or as otherwise may be necessary to perform or enforce any contract between you and Glucomodicum. We may also process and use your personal data to ensure the functionality and security of our products and services, to identify you, and to prevent and detect fraud and other misuses.

The legal basis for this processing is performance of contract (Article 6(1)(b) GDPR) where the processing is necessary to fulfill our contractual obligations to you or to take steps at your request prior to entering into a contract, and legitimate interest (Article 6(1)(f) GDPR) for security and fraud prevention purposes.

4.3 Development of Products and Services

We may process and use your personal data to develop our products and/or services. However, for the most part we only use aggregate and statistical information in the development of our products and services, and not data directly identifiable to you. We may also process and use your personal data to personalize our offerings and to provide you with service more relevant to you, for example, to make recommendations and to display customized content and advertising.

The legal basis for this processing is our legitimate interest (Article 6(1)(f) GDPR) in improving our products and services and providing you with a better user experience.

4.4 Business Communications

We may process and use your personal data to communicate with you about our services, products or promotions. We may process and use your personal data for business communications in accordance with applicable laws, for example, to conduct market research and to communicate our products, services or promotions to you. However, Glucomodicum does not disclose your personal data to third parties for their marketing purposes without your prior consent.

The legal basis for business communications is:

  • Legitimate interest (Article 6(1)(f) GDPR) for communicating with existing business contacts about our services
  • Consent (Article 6(1)(a) GDPR) where required by applicable law

You have the right to object to such communications at any time (see Section 8 below).

4.5 Clinical and Usability Studies

For clinical study and usability study volunteers, the legal basis for processing personal data (including health data where applicable) is:

  • Explicit consent (Article 6(1)(a) and Article 9(2)(a) GDPR) as the primary legal basis
  • Legitimate interest (Article 6(1)(f) GDPR) where consent is not appropriate due to the vulnerable position of the research subject, and only if permitted by the results of a legitimate interest assessment

Where legitimate interest is the basis for processing, our legitimate interests include scientific research, advancing medical knowledge, and improving healthcare products.

4.6 General Legal Bases Summary

The legal bases applicable to our processing activities under Article 6(1) GDPR are:

  • (a) Consent: Where you have given clear consent for us to process your personal data for a specific purpose
  • (b) Performance of contract: Where processing is necessary to fulfill our contractual obligations to you
  • (c) Legal obligation: Where processing is necessary to comply with legal obligations to which we are subject
  • (f) Legitimate interest: Where processing is necessary for our legitimate interests or those of a third party, provided your rights and freedoms do not override those interests

For special categories of personal data (e.g., health data in clinical studies), we rely on:

  • Article 9(2)(a) GDPR: Explicit consent
  • Article 9(2)(j) GDPR: Scientific research purposes with appropriate safeguards

In case of clinical study and usability study volunteers, candidates, or employees, the legal basis for processing of personal data is consent. Consent as a basis for the processing of personal data described in this data protection statement is obtained using an appropriate method, such as ticking a box indicating your consent, making a choice in the technical settings of the service or website or another clear statement or action indicating your consent, depending on the website or service you use or your role in our studies. In principle, such consent is always as easily revocable as it has been given. See below for a mechanism for withdrawing your consent.

If the processing of personal data for clinical study or usability study volunteers cannot be based on consent (for example due to the vulnerable position of the research subject), the legal basis for processing is legitimate interest if permitted by the results of a balance test. Where the legitimate interest of the controller is the basis for processing, legitimate interests include scientific research, customer relationship management, customer communications, events, business planning, reporting, analytics and risk management, and recruitment as well as other uses that are in our legitimate interest under applicable law. You may at any time prohibit the processing of your personal data for direct marketing and profiling purposes.

We also process personal data based on business agreements. Therefore, the agreement as a basis for processing consists of our general terms and conditions and data protection policy, as well as any special terms or other agreement applicable to the individual case in question. These are pursuant to our legitimate interest and/or the user’s consent.

5. RECIPIENTS AND DISCLOSURE OF PERSONAL DATA

We may disclose your personal data to third parties solely as stated below in this Policy, or as obligated by mandatory law.

5.1 Service Providers and Processors

We may transfer your personal data to authorized third parties who process personal data on behalf of Glucomodicum for the purposes described in this Policy, such as technical, logistics, marketing and other service providers. Such parties are not permitted to use your personal data for any other purposes than for what your personal data was collected, and we require them to act consistently with applicable laws and this Policy as well as to use appropriate security measures to protect your personal data.

Categories of recipients include:

  • IT service providers: Cloud hosting, data storage, software providers, system maintenance
  • Research partners: Contract research organizations (CROs), clinical study partners, academic institutions
  • Professional advisors: Lawyers, accountants, auditors, consultants
  • Marketing service providers: Email platforms, analytics providers (for business communications)
  • Authorized distributors and retail partners: Entities through which our consumer products are sold to end consumers

All processors are bound by data processing agreements that comply with Article 28 GDPR.

5.2 International Transfers

Our products and services may be provided using resources and servers located in various countries around the world. Therefore your personal data may be transferred outside the country where you use our services, including to countries outside the European Economic Area (EEA) or the United Kingdom, where the level of data protection may not be deemed adequate by the European Commission or the UK authorities.

In such cases we take steps to ensure that adequate protection for your personal data is provided as required by applicable laws. For international transfers of your personal data, we rely on one or more of the following safeguards:

  • Adequacy decisions: Transfers to countries that have been recognized by the European Commission as providing an adequate level of data protection (Article 45 GDPR)
  • Standard Contractual Clauses (SCCs): Agreements based on the Standard Contractual Clauses approved by the European Commission (Article 46(2)(c) GDPR). You may find the SCCs here: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en
  • Supplementary measures: In accordance with the Schrems II decision (Case C-311/18), we implement additional technical, organizational and contractual measures where necessary to ensure an adequate level of protection, including encryption of personal data in transit and at rest, pseudonymization where appropriate, and contractual commitments from data importers

You may request further information about the safeguards we have implemented for international transfers by contacting us using the contact details in Section 2.

5.3 Other Disclosures

We may disclose and otherwise process your personal data in accordance with applicable laws to defend Glucomodicum’s legitimate interests, for example, in civil or criminal legal proceedings.

We may also disclose your personal data:

  • To comply with legal obligations, court orders, or requests from public authorities
  • To protect and defend our rights, property, or safety, or that of our users or the public
  • In connection with the investigation of fraud, security issues, or technical problems

5.4 Mergers and Acquisitions

If we decide to sell, buy, merge or otherwise reorganize our businesses in certain countries, this may involve us disclosing personal data to prospective or actual purchasers and their advisers, or receiving personal data from sellers and their advisers, for the purposes of such transactions.

6. DATA QUALITY, ACCURACY AND RETENTION

We take reasonable steps to keep the personal data we possess accurate and up-to-date and to delete out of date or otherwise incorrect or unnecessary personal data. We encourage you to inform us of any changes to your personal data so that we can maintain its accuracy.

We store your personal data only for a period necessary for the purpose in question or as long as required by applicable laws. Specific retention periods for different categories of personal data are set out in Section 4.1 above.

When the retention period expires, we will delete or anonymize your personal data, unless we are required to retain it for legal, accounting, or regulatory purposes.

You may request deletion of your personal data at any time, subject to our legal obligations and legitimate interests (see Section 8 below).

7. DATA SECURITY

Glucomodicum implements appropriate technical and organizational security measures to prevent and minimize risks associated with providing and processing personal data. Such security measures include, where appropriate, the use of firewalls, secure server facilities, encryption, implementing proper access rights management systems and processes, careful selection of processors, sufficient training of Glucomodicum’s personnel involved in the processing, and other necessary measures to provide appropriate protection for your personal data against unauthorized use or disclosure. Where appropriate, we may also take back-up copies and use other such means to prevent accidental damage or destruction of your personal data.

Our security measures are designed to ensure:

  • Confidentiality: Protection against unauthorized access
  • Integrity: Protection against unauthorized modification
  • Availability: Ensuring authorized access when needed
  • Resilience: Ability to restore availability and access in case of incidents

We regularly test, assess and evaluate the effectiveness of our technical and organizational measures to ensure ongoing security of processing, in accordance with Article 32 GDPR.

8. USE OF COOKIES AND WEB BEACONS

We may collect your personal data for various purposes as described in our cookie policy, using technologies such as cookies, pixels, beacons and similar technologies to collect information about your device. Each of our sites, applications and services is subject to our cookie policy.

For more information, read our cookie policy, which is available on the company’s website. You can also edit cookie-related settings and manage your cookie consent in cookie settings on the company’s website or in the settings of your internet browser. You may edit your cookie preferences from the link on the bottom of the website. More detailed information about cookies is described in the cookie banner of our website.

Cookies are small text files that are stored in your browser. Some cookies are activated automatically because the online service needs them to function properly. We also use cookies to track the use of the service and to provide you with targeted content and relevant advertising.

We use cookies on our website to make the use of our services easier and technically smoother. Cookies help us obtain information about the number of visitors, the pages visited by visitors, and their browsers and operating systems. With this information, we can better understand the use of our services and our users so that we can better develop our services.

Our services use web analysis tools to collect analytics data and reports about visitors’ use of our website.

8.1 Cookie Categories and Legal Basis

For detailed information about the specific cookies we use, please refer to our separate Cookie Policy available at [add link].

You can manage your cookie preferences at any time by:

  • Using the cookie settings tool available on our website
  • Adjusting your browser settings to block or delete cookies

Please note that blocking certain cookies may affect the functionality of our website.

9. AUTOMATED DECISION-MAKING AND PROFILING

Glucomodicum does not use automated decision-making, including profiling, which produces legal effects concerning you or similarly significantly affects you within the meaning of Article 22 GDPR. Where we use any automated processing to analyze personal data (for example, for website analytics), such processing is used solely for statistical purposes and does not result in decisions being made about you without human involvement.

10. YOUR RIGHTS AS A DATA SUBJECT

Under the GDPR, you have the following rights regarding your personal data:

10.1 Right of Access (Article 15 GDPR)

You have the right to request information and access to the personal data we have collected from and of you. This includes the right to obtain:

  • Confirmation of whether we process your personal data
  • A copy of your personal data
  • Information about the processing (purposes, categories, recipients, retention periods, etc.)

10.2 Right to Rectification (Article 16 GDPR)

You also have the right to request that we replenish, rectify, or delete any incomplete or incorrect personal data we hold on you. You also have the right to have incomplete personal data completed, including by providing a supplementary statement.

10.3 Right to Erasure / “Right to be Forgotten” (Article 17 GDPR)

You have the right to request deletion of your personal data where:

  • The personal data is no longer necessary for the purposes for which it was collected
  • You withdraw your consent (where processing is based on consent) and there is no other legal ground for processing
  • You object to processing based on legitimate interest and there are no overriding legitimate grounds for processing
  • The personal data has been unlawfully processed
  • The personal data must be erased to comply with a legal obligation

However, we cannot delete such personal data that is necessary for compliance with binding legal obligations or if the personal data must be retained according to applicable laws.

10.4 Right to Restriction of Processing (Article 18 GDPR)

You have the right to request restriction of processing where:

  • You consider your personal data collected by us to be inaccurate (for the period enabling us to verify accuracy)
  • The processing is unlawful and you do not wish your personal data to be deleted but prefer restriction instead
  • We no longer need the personal data but you need it for the establishment, exercise or defense of legal claims
  • You have objected to the processing and the existence of legitimate grounds for processing is still under consideration

10.5 Right to Data Portability (Article 20 GDPR)

You have the right to request and receive the personal data we have collected on you in a commonly used and machine-readable form, where:

  • The processing is based on consent or performance of contract, and
  • The processing is carried out by automated means

You also have the right to request that we transmit your personal data directly to another controller where technically feasible.

10.6 Right to Object (Article 21 GDPR)

You also have the right to object to processing based on legitimate interest or for scientific/historical research or statistical purposes, on grounds relating to your particular situation. We will cease processing unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defense of legal claims.

10.7 Right to Withdraw Consent (Article 7(3) GDPR)

Further, where your personal data is processed based on your consent, you have the right to withdraw your consent for such processing at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

How to withdraw consent:

You can withdraw your consent at any time by:

  • For business communications: Clicking the “unsubscribe” link in our emails, or contacting us at sar@glucomodicum.com
  • For cookies: Using the cookie settings tool on our website or adjusting your browser settings
  • For clinical/usability studies: Contacting the study coordinator using the contact details provided in your informed consent form
  • For other processing: Contacting us using the contact details in Section 2

Withdrawing your consent is as easy as giving it. In some cases, withdrawal of consent may mean we can no longer provide certain services to you.

10.8 How to Exercise Your Rights

In case you wish to make use of your rights mentioned above, you may, as appropriate and in accordance with applicable laws, exercise such rights by contacting us through the contact points referred to in Section 2 above.

Contact for exercising your rights:

  • Email: sar@glucomodicum.com
  • Address: GlucoModicum Oy, Toinen Linja 7, 6th floor, 00530 Helsinki, Finland

Response time: We will respond to your request without undue delay and in any event within one month of receipt. This period may be extended by two further months where necessary, taking into account the complexity and number of requests. We will inform you of any such extension within one month of receipt of the request.

Please note that Glucomodicum may need to identify you and to ask for additional information in order to be able to fulfill your above requests. Please also note that applicable law may contain restrictions and other provisions that relate to your above rights.

Verification of identity: To protect your privacy and security, we may need to verify your identity before responding to your request. We may request additional information to confirm your identity, particularly for requests involving access to or deletion of personal data.

Free of charge: Exercising your rights is free of charge. However, if your requests are manifestly unfounded or excessive, particularly if they are repetitive, we may charge a reasonable fee or refuse to act on the request.

11. RIGHT TO LODGE A COMPLAINT WITH A SUPERVISORY AUTHORITY

In the event you consider Glucomodicum’s processing activities of your personal data to be inconsistent with the applicable data protection laws or that Glucomodicum has not sufficiently ensured the realization of your rights, you may lodge a complaint with the local supervisory authority responsible for data protection matters.

Finnish Data Protection Authority (for data subjects in Finland):

Tietosuojavaltuutetun toimisto
Address: Lintulahdenkuja 4, 00530 Helsinki, Finland
Email: tietosuoja@om.fi
Phone: +358 29 566 6700
Website: https://tietosuoja.fi

You also have the right to lodge a complaint with the supervisory authority in the EU Member State of your habitual residence, place of work, or place of the alleged infringement. A list of EU data protection authorities is available at: https://edpb.europa.eu/about-edpb/board/members_en

12. CHANGES TO THIS PRIVACY POLICY

Glucomodicum may from time to time update and change this Privacy Policy. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the “Last Updated” date below.

If the changes include new purposes of processing or otherwise materially affect your rights, Glucomodicum will give you prior notice of such changes and, where necessary, request your consent.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your personal data.

Last Updated: 12.12.2025
