Privacy Policy

1. Who we are

UpHill S.A. (hereinafter "UpHill"), legal person no. 513509593, registered at the Commercial Registry Office under the same number, with registered office at Estrada Municipal 506, UBIMedical, 6200-284 Covilhã, is responsible for processing your personal data collected through the "Liber" platform (hereinafter referred to as the "Platform") for the purposes identified below, in particular the data collected so that the user can register and take advantage of the services made available on the Platform.


2. Personal Data Privacy

UpHill guarantees users of this Platform (hereinafter "Users") respect for their privacy, adopting the necessary measures to protect their personal data.

UpHill is aware of its responsibility to collect and process the personal data entrusted to it and to keep it secure, ensuring its total privacy, confidentiality and integrity, in scrupulous compliance with the law, in particular the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter "GDPR"), Law no. 58/2019, which ensures the implementation in the national legal order of the GDPR (hereinafter "LPDP") and any other applicable legislation or regulations on personal data protection and privacy that are in force.

In this context, UpHill intends, among other things, to inform Users of the situations in which their personal data is processed, as well as to inform them of how their personal data is collected, who the recipients are, how their privacy is protected when using the services made available on the Platform ("Services"), as well as their rights in relation to the processing of personal data carried out by UpHill.


3. What is Personal Data?

Personal data means any information of any nature and regardless of its medium, including sound and image, relating to an identified or identifiable natural person. An identifiable person is one who can be identified directly or indirectly, in particular by reference to an identification number or to other specific elements of his or her physical, physiological, mental, economic, cultural or social identity.

Other Important Definitions:

Supervisory authority: an independent public authority set up by a Member State of the European Union with responsibility for monitoring the application of the GDPR in order to defend the fundamental rights and freedoms of natural persons with regard to processing and to facilitate the free movement of data within the European Union. In Portugal, the supervisory authority is the National Data Protection Commission (hereinafter "CNPD").

Special categories of data: Personal data that may be more sensitive in certain situations. This may concern the data subject's racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic information, biometric identifiers, sex life, sexual orientation or health.

 

Consent: a free, specific, informed and unambiguous expression of will by which the data subject accepts, by means of a declaration or an unambiguous positive act, that the Personal Data concerning him or her will be processed for a specific purpose.

Data Controller: natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data, in this case UpHill.

Processor: natural or legal person, public authority, agency or other body that processes Personal Data on behalf of the Controller.

Personal Data Subject: an identified or identifiable natural person whose Personal Data is collected through the Platform.

Processing(s): an operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.


4. Data Controller

UpHill, whose identification and contact details are indicated at the beginning of this Policy (1. Who we are), is responsible for processing Users' personal data for the purposes indicated below.


5. Personal Data Protection Officer (hereinafter "EPDP")

The role of the EPDP is to clarify any doubts or concerns regarding the way your personal data is processed and to ensure that your rights are exercised.

You can contact the UpHill EPDP at the following address: dpo@libercare.com


6. General Principles Applicable to the Processing of Personal Data

When processing Personal Data collected through the Platform, UpHill undertakes to ensure that it is:

  • Processed lawfully, fairly and transparently in relation to the Data Subject;

  • Collected for specific, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes;

  • Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

  • Accurate and up-to-date whenever necessary, with appropriate measures being taken to ensure that inaccurate data, taking into account the purposes for which it is processed, is erased or rectified without delay;

  • Kept in a form that allows the identification of the Data Subject for no longer than is necessary for the purposes for which the data are processed;

  • Handled in a manner that ensures their security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, with appropriate technical or organisational measures being taken.


7. Purposes, Grounds for Lawfulness and Time Limits for Processing Personal Data

The Personal Data collected through the Platform may be processed by UpHill for the purposes of subscribing to the Services, managing communication with Users, including providing information and clarifying doubts about the conditions and operation of the Services made available by UpHill on the Platform. Accordingly, the data collected through the Platform is processed in accordance with the following grounds of lawfulness and in accordance with the following retention periods:


Data Category: Contact details (email; telephone); identification details (name) and information regarding the request for information or the complaint made.

Purpose: Making a complaint or requesting information (e.g. requests for clarification on the Services).

Legitimacy: UpHill's legitimate interest in responding to complaints and requests for information.

Retention period: Only for the period necessary to respond to the complaints or requests for clarification made and to fulfil the applicable legal obligations.


Data Category: Contact details (email).

Purpose: Subscription to newsletters and/or other information materials.

Legitimacy: Consent

Retention period: For 3 years, after which UpHill will send you an e-mail confirming the renewal of your consent.


Data Category: Contact details (email).

Purpose: Sending commercial information (direct marketing), particularly about promotions for the Services.

Legitimacy: Consent

Retention period: For 3 years, after which UpHill will send you an e-mail confirming the renewal of your consent.


Data Category: Identification data: gender; name; identity document; tax number. Contact details: email address; telephone/mobile; address. Demographic data: nationality.

Purpose: To respond to requests for information in legal proceedings or requests from administrative authorities or other third parties, in order to detect and prevent fraud.

Legitimacy: Legal obligations

Retention period: Only for the period necessary to respond to legal proceedings or requests from administrative authorities or other third parties, to detect and prevent fraud.


Data Category: Identification data: gender; age group; data relating to tastes and preferences and the quality of the Services provided by UpHill.

Purpose: Satisfaction surveys.

Legitimacy: UpHill's legitimate interest in obtaining the User's perspective on its Services and being able to improve the quality of their provision.

Retention period: Only for the period required to analyse the matters covered by the survey.


Data Category: Identification data: name; contact data: e-mail address; online interaction data: IP address, browser/device identifier, password and username.

Purpose: Register and Login to the Platform to subscribe to the Services.

Legitimacy: UpHill's legitimate interest in providing product information and/or pre-contractual due diligence in the event of a request to subscribe to the provision of the Services.

Retention period: Personal data is only processed during the subscription of services by Users of the Platform.


Data Category: Identification data, contact data, gender, civil identification, date of birth, national user number, tax identification number, subsystem/insurance identification, IP address, browser/device identifier, data related to the payment of UpHill services and Special Categories of data, in particular, data related to health and well-being (including treatments, examinations, medical appointments, diseases, pathologies of Users associated with the Services provided) in multiple formats, namely text and/or documentary support or image.

Purpose: Contracting and provision of Services through the Platform.

Legitimacy: Pre-contractual and contractual steps for the User to join and use the Services. The processing of data relating to the health of Users or other Special Categories of data is carried out by health professionals, employees of UpHill, for the purposes of health care management, namely preventive medicine, medical diagnosis, provision of health care or treatment and well-being, under Article 9(2)(h) and (3).

Retention period: Personal data is processed only during the contracting and execution of the provision of the Services contracted by the Users of the Platform or, for a longer period of time, when necessary, for the fulfilment of legal obligations to which UpHill is bound.


Data Category: Identification and contact details (name; date of birth; civil identification number; tax identification number; address; nationality), photograph and photocopy of ID card.

Purpose: Fraud prevention

Legitimacy: Compliance with legal obligations relating to the prevention of money laundering.

Retention period: Personal data is only processed during the subscription of services by Users of the Platform.


Data Category: Contact details and names of UpHill partner representatives.

Purpose: To fulfil the contract signed between UpHill and its partners and to manage the use made by the beneficiaries of the Services.

Legitimacy: Contract execution

Retention period: Personal data is only processed during the subscription of services by Users of the Platform and during the contract concluded between UpHill and its partners.


Data Category: Identification data, contact data, IP address, browser/device identifier, data related to the "Liber" services contracted and special categories of data, in particular, data related to health and well-being (including treatments, examinations, medical appointments, illnesses, pathologies of Users associated with the Services provided).

Purpose: Communication of User data, via an application programming interface, between "Liber" partners (health service providers) and UpHill so that they can take advantage of certain contracted services.

Legitimacy: Consent

Retention period: Personal data is processed only for the time necessary to ensure the transfer and communication of data between UpHill and UpHill's partner health service provider.


Data Category: Statistical data, extracted from the Platform and considered in aggregate form.

Purpose: Development of new algorithmic models.

Legitimacy: UpHill's legitimate interest

Retention period: Once the data has been aggregated and transformed into a group, it is anonymised and no longer qualifies as personal data under the terms of the law.



8. Under what circumstances do we communicate Users' Personal Data?


8.1 Third parties: UpHill may use other organisations to provide certain services. This service provision may involve access by these entities to Users' personal data. This may be the case with UpHill's suppliers or service providers (e.g. entities that provide support services such as consultancy and data storage professionals).

 

In such cases, UpHill ensures through contracts and clauses for the Processing of Personal Data that any Subcontracting entity that processes Personal Data in its name and on its behalf provides guarantees for the implementation of appropriate technical and organisational measures, so that the Processing meets the requirements of the GDPR and LPDP or other law applicable to the matter, ensuring the confidentiality and security of the data, including compliance with the rights of the Personal Data Subjects.

 

UpHill may also transmit Users' Personal Data to third parties, when such communications are necessary (i) in the light of applicable law, (ii) in fulfilment of legal obligations/court orders (e.g., regulatory bodies such as the ERS), (iii) to respond to requests from public or governmental authorities and other administrative authorities, (iv) when it appears necessary in fulfilment of a legal, regulatory or other obligation, as well as (v) to ensure the security of Personal Data Subjects, or otherwise prevent fraudulent conduct.

 

As a rule, Users' Personal Data is not transferred to third countries (outside the European Union) and is kept on servers located within the European Union. However, the use of certain Subcontractors for the provision of support services involving the Processing of some Personal Data on behalf of UpHill will be limited to third countries for which there is an adequacy decision adopted by the European Commission or, where this is not the case, supported by a binding agreement established in accordance with the standard data protection clauses adopted by the European Commission, accompanied, where justified, by necessary and appropriate measures under applicable law to ensure the protection of the Personal Data subject to such a transfer, strictly complying with the legal provisions set out in the GDPR and LPDP or other applicable legislation relating to such transfers, with Data Subjects being provided with a copy of the appropriate and adequate guarantees from the respective EPDP.

 

8.2 Health Service Providers: With regard to the User's health data and other Special Categories of data, these will be accessible only to doctors and other clinical health professionals assigned to the provision of their health care, in particular UpHill employees, in accordance with the law, or third parties with whom UpHill has a partnership relationship under a contract, so that Users can, after giving their consent, take advantage of certain health services provided by these entities. Otherwise, when Users' health data and other special categories of data are accessed by non-clinical employees, UpHill will ensure that such employees assume contractual confidentiality obligations towards it and, in certain cases, that such persons will only process Users' data under the responsibility and supervision of a health professional. Among the cases in which technical support has access to the User's health data and other Special Categories of data are the processing of data for the purpose of billing health and wellness services.


9. What are the User's rights as a Personal Data Holder?

UpHill guarantees Users, as Personal Data Holders and at any time, the right to access, rectify, update, limit and erase their Personal Data, the right to object and to withdraw Consent, without this jeopardising the lawfulness of the processing carried out under that Consent, as well as the right to data portability, under the terms and conditions established by law.

 

Right of access: whenever the User requests access to their personal data collected, they can obtain confirmation about the Processing carried out by UpHill on their Personal Data, namely obtaining the following information:

  1. Reasons why Personal Data is processed;

  2. Types of Personal Data processed;

  3. Entities to whom UpHill may transmit Personal Data;

  4. The retention period for Personal Data or, if this is not possible, the criteria for setting this period;

  5. Rights you enjoy in relation to the Processing of Personal Data.

Right of rectification: whenever the User considers that the Personal Data (objective Personal Data that has been provided by him/her) is incomplete or incorrect, he/she may request that it be rectified or completed.

 

Right to erasure: the User may request that Personal Data be erased when one of the following situations occurs:

  1. The Personal Data is no longer necessary for the purpose for which it was collected or Processed;

  2. When the Consent on which the Processing is based is withdrawn and there is no other legal basis for it;

  3. When you object to the Processing and there are no overriding legitimate interests justifying such Processing;

  4. When Personal Data has been processed unlawfully; and

  5. When Personal Data has to be erased under a legal obligation.

The right to erasure does not apply where the Processing is necessary for the following purposes:

  1. Exercise of freedom of expression and information;

  2. Compliance with a legal obligation requiring Processing;

  3. As already explained, statistical and scientific research purposes insofar as the exercise of the right to erasure would seriously jeopardise the achievement of the purposes of such Processing; or

  4. Declaration, exercise or defence of a right in legal proceedings.

Right to restriction of Processing: the restriction of Processing allows the User to request UpHill to restrict access to certain Personal Data, or to suspend certain activities of the same. Specifically, the User may request the restriction of the Processing of Personal Data in the following cases:

  1. If you contest the accuracy of the Personal Data, for a period of time that allows UpHill to verify such accuracy;

  2. If UpHill no longer needs the Personal Data for a particular Processing purpose;

  3. If you have objected to the processing, unless it is established that UpHill's legitimate interests prevail over those of the User.

Right to portability: Users can request to receive the Personal Data they have provided in a structured, commonly used and machine-readable format. They also have the right to request that it be transmitted to another Data Controller, provided that this is technically possible. The right to portability applies to the following cases:

  1. Where the Processing is based on express Consent or on the performance of the contract entered into with UpHill to avail of the Services; and

  2. When the Processing in question is carried out by automated means.

Right to object: The User has the right to object to Processing in the following situations:

  1. When the Processing is based on the legitimate interest of the Data Controller;

  2. When the Processing is carried out for purposes other than those for which the data was collected, but which are compatible with them;

  3. When the Processing is carried out for direct marketing purposes;

  4. When the Processing is carried out for statistical, scientific research or historical purposes.

In such cases, UpHill will no longer process the Personal Data unless it has legitimate reasons for doing so and these reasons override the interests of the Users.

 

Right to withdraw Consent: In cases where the Processing is based on Consent, the User may withdraw Consent at any time.

 

Right to lodge complaints with the Supervisory Authority:

If the User wishes to lodge a complaint regarding matters relating to the Processing of Personal Data, they may do so with the CNPD, the competent Supervisory Authority in Portugal.

 

For more information, visit www.cnpd.pt.

 

Any request made to UpHill to exercise rights or make a complaint regarding the processing of data will be analysed in detail and responded to within 30 (thirty) days, without prejudice to an extension in the event of manifest complexity of the situation submitted.


10. How can Users exercise their rights as Data Subjects?

To deal with matters relating to the protection of Personal Data collected on the Platform, you should contact UpHill at dpo@libercare.com.


11. What measures does UpHill take to ensure the security of Users' Personal Data?

Personal Data is stored on highly secure servers at hosting providers established in the European Union that fulfil the strictest international requirements. The databases in which they are stored are encrypted and virtually inaccessible except through the Platform interface.

 

The hosting services to which UpHill subcontracts the provision of services guarantee the strictest security requirements, not only in terms of Internet access, but also from the point of view of physical access, in terms of the servers and the premises where they are installed. In addition, a series of technical and organisational audits are carried out on a regular basis to ensure scrupulous compliance with the appropriate information security measures. Data is encrypted in transit (TLS 1.2 SHA256-RSA) and in storage (AES256). There is integration with single sign-on systems (to avoid the need for the Platform's own credentials). Daily backups are encrypted and stored in a separate location. There is also constant monitoring of threats and attempted attacks, as well as of infrastructure and code vulnerabilities.

 

In addition, UpHill is ISO 27001:2022 certified (namely by the British Standards Institution). ISO 27001 is an internationally recognised standard for Information Security Management Systems (ISMS) and provides a systematic approach to managing confidential information, guaranteeing the confidentiality, integrity and availability of processed and stored information, including personal data. ISO 27001's best practice approach ensures that organisations maintain a high level of information security.


12. Cookie Policy

UpHill uses cookies on the Platform to improve the user experience and enable certain operations to be carried out securely. Please consult the information on the Cookies Policy.


13. Changes to the Privacy Policy

UpHill reserves the right to change this Privacy Policy at any time. In the event of a change to the Privacy Policy, the date of the last change, available at the bottom of this page, will also be updated. If the change is substantial, a notice will be placed on the Platform.


14. Applicable law and jurisdiction

The Privacy Policy, as well as the collection, processing or transmission of User Data, are governed by the provisions of the GDPR, the LPDP and any applicable regulations in Portugal.

In the event of any dispute relating to the provisions of this Policy, the courts of the District of Lisbon shall have jurisdiction.

  

Update date: 14/02/2024