This Supar.Health Platform Agreement (the "Agreement") is a legally binding contract between you (the "End User" or "you") and Supar.Health ApS (CVR/VAT: 41298758), located at Strandvejen 64, 2900 Hellerup, Denmark (referred to as "Supar.Health", "we", "us", or "our"). By registering an account, accessing, or using the Supar.Health software platform (including any related applications, APIs, or services, collectively the "Platform"), you acknowledge that you have read, understood, and agree to be bound by the terms of this EULA. If you do not agree to these terms, you must not use the Platform. Use of the Platform is expressly conditioned on acceptance of this Agreement.
Subject to your compliance with this Agreement, Supar.Health grants you a personal, limited, non-exclusive, non-transferable, non-sublicensable license to install (if applicable) and use the Platform for your personal health-related purposes. This license is provided solely for you to interact with Supar.Health's diagnostics software and personal digital biobank services as intended by us, and no ownership rights are transferred to you. All rights not explicitly granted to you are reserved by Supar.Health. The Platform is licensed, not sold, to you for use only under this EULA, and Supar.Health retains ownership of all copies of the Platform software.
You may use the Platform and its content only for lawful purposes and in accordance with this Agreement. Permitted Uses: You may input your personal and health data, view your diagnostic results and analyses, and utilize the Platform's features for health optimization and personal wellness management. Restrictions: You agree not to, and not to permit any third party to: Reverse Engineering: Copy, modify, adapt, translate, reverse engineer, decompile, or disassemble any aspect of the Platform, except as permitted by applicable law. Unauthorized Access: Circumvent or attempt to circumvent any technical restrictions or security measures of the Platform; access the Platform by any means other than the interface provided; or attempt to gain unauthorized access to any portion of the Platform, other users' data, or any of our systems. Commercial Use or Resale: Use the Platform for any commercial or clinical diagnostic laboratory service for third parties, or resell, rent, lease, or distribute the Platform or any of its content to any third party without our prior written consent. Prohibited Data Use: Use any data or output from the Platform (especially any Research Use Only (RUO) outputs as defined below) for any purpose that is unlawful, or in violation of any applicable medical or data protection regulations. In particular, RUO outputs are not to be used as the sole basis for medical decisions or patient treatment. Harmful Activities: Use the Platform in any manner that could damage, disable, overburden, or impair our services or interfere with any other party's use. You shall not introduce any malware, viruses, or harmful code into the Platform, or use the Platform to transmit any malicious or unsolicited advertising or messages. Any violation of these restrictions is grounds for immediate termination of your license to use the Platform.
All content, software, algorithms, designs, user interfaces, trade secrets, and materials provided on or through the Platform are the intellectual property of Supar.Health or its licensors and are protected by copyright, trademark, and other applicable intellectual property laws. This includes, but is not limited to, the compilation of all databases, analyses, and reports generated by the Platform, as well as the Supar.Health name, logo, and all related product and service names. You acknowledge that Supar.Health (and its suppliers, where applicable) retain all right, title, and interest in and to the Platform and any content provided through it, including all related intellectual property rights. Nothing in this Agreement shall be construed as transferring any ownership rights to you. You are only granted a limited license to use the Platform's functionality and to view or download your personal results or reports for your own use, in accordance with this EULA. You must not remove, alter, or obscure any proprietary notices (including copyright and trademark notices) on any portion of the Platform or outputs you download or print from it.
Use of the Platform involves the collection and processing of your personal information, including sensitive health and genetic data, in order to provide you with our diagnostics and biobank services. You retain any rights you have under law to the data you provide to us; however, by using the Platform, you grant Supar.Health a license to use, process, store, and analyze your data for the purposes of delivering the services and features as described in this Agreement and in our Privacy Policy (see Section 2 of this Agreement). This license to your data is non-exclusive and is limited to what is necessary for us to perform our services and operate the Platform, including providing you with diagnostic results, personalized health analyses, and recommendations. You represent and warrant that any data you provide is accurate to the best of your knowledge, and that you have the lawful right to provide such data for processing. If you provide any data relating to a third party (for example, if you are managing an account for a family member), you must have the authority or consent to provide such data to us. All personal data will be handled in accordance with applicable data protection laws, including the EU General Data Protection Regulation (GDPR) and the Danish Data Protection Act. Details of how we collect, use, protect, and share your data, as well as your rights, are provided in the Privacy Policy section of this Agreement. By accepting this EULA, you also agree to the terms of the Privacy Policy. If you do not agree with our data practices, do not use the Platform. We may ask for specific consents from you within the Platform for certain data processing activities (for example, participation in research or storage of biological samples), and you have the right to accept or decline such requests as described in the Privacy Policy.
Supar.Health's Platform provides two layers of information to users: (a) Accredited Clinical Diagnostics, which are validated test results and analyses performed in accredited laboratories or under clinically approved protocols; and (b) Research Use Only (RUO) Outputs, which consist of experimental or investigational analyses, interpretations, or health indicators provided for informational and research purposes. RUO Outputs are not intended for use in the diagnosis, cure, mitigation, treatment, or prevention of disease and are not a substitute for professional medical advice or treatment. You acknowledge that RUO outputs are provided without the same level of validation or regulatory oversight as our clinical diagnostic services. While we strive for scientific rigor in all our analyses, any recommendations or insights labeled as "RUO" are to be used at your own discretion for personal education and wellness exploration only. Supar.Health will clearly categorize outputs within the Platform to indicate whether they are clinically validated diagnostics or RUO-only results. You agree not to interpret or use RUO outputs as medical diagnoses. Always consult a qualified healthcare professional before making any health or medical decisions based on information from the Platform, especially information from the RUO layer.
The Platform and any outputs (whether clinical or RUO) are provided for informational and health optimization purposes. They are not intended to be relied upon as the sole basis for health care decisions. While Supar.Health's accredited diagnostic services strive to provide accurate and actionable health data, the Platform does not provide medical treatment or medical advice in itself. No content on the Platform constitutes professional medical advice, diagnosis, treatment, or the practice of medicine. The Platform is not a substitute for consultation with a qualified healthcare provider. You should seek the advice of your physician or other qualified health provider with any questions you have regarding a medical condition or before starting any new diet, exercise, or treatment program. Never disregard professional medical advice or delay in seeking it because of something you have read or accessed on the Platform. The Platform is not designed or intended for use in emergencies or life-threatening situations. In case of a medical emergency or any situation where you believe you or another person requires immediate medical attention, call emergency services or your doctor immediately. Supar.Health is not liable for any outcomes if you attempt to use the Platform for urgent medical needs that should be handled by emergency medical professionals.
Supar.Health may from time to time develop patches, bug fixes, updates, upgrades, new versions, or other modifications to improve or alter the functionality of the Platform. We reserve the right to deploy and install such updates electronically to your device or account, with or without prior notification, to ensure the continued performance, security, and stability of the Platform. All updates shall be deemed part of the Platform and subject to the terms of this Agreement. Depending on your device settings, you may need to install updates manually. Failure to promptly install updates may impair the Platform's functionality or security, which is at your own risk. We also reserve the right to modify or discontinue, temporarily or permanently, the Platform or any service or feature provided through the Platform, with notice to you when reasonably feasible. You agree that Supar.Health shall not be liable to you or any third party for any modification, suspension, or discontinuation of the Platform or any part thereof. If you are a paid user and a discontinuation substantially affects the service you have paid for, you may be entitled to a refund for the unused portion of any fees, as described in the Terms of Use section of this Agreement.
This EULA is effective from the moment you accept it (or first use the Platform, which will be deemed acceptance of these terms) and will remain in effect until terminated by either you or Supar.Health. You may terminate this Agreement at any time by ceasing all use of the Platform and, if applicable, uninstalling any Supar.Health software from your devices. Supar.Health may terminate this EULA or suspend your access to the Platform immediately and without notice if you fail to comply with any term of this Agreement, if you violate any applicable law or regulation in connection with your use of the Platform, or if your use of the Platform poses a security or legal risk to us or other users. Upon termination, the license granted to you will end and you must stop all use of the Platform. We may also delete or deactivate your account and all associated data in accordance with our data retention policies (as outlined in the Privacy Policy), except to the extent we are required by law to retain certain data (for example, medical records retention requirements). Any provisions of this Agreement which by their nature should survive termination (including, but not limited to, provisions regarding intellectual property ownership, disclaimers of warranties, limitation of liability, and governing law) shall survive the termination of this EULA.
Use at Your Own Risk: The Platform and all services and content provided through it are provided on an "as is" and "as available" basis. To the maximum extent permitted by law, Supar.Health and its affiliates, suppliers, and partners disclaim all warranties, conditions, and representations of any kind, either express, implied, or statutory, regarding the Platform. This includes, but is not limited to, any implied warranties of merchantability, satisfactory quality, fitness for a particular purpose, accuracy, quiet enjoyment, title, or non-infringement. We do not warrant that the Platform's functions will meet your requirements, achieve any intended results, be compatible or work with any system or device, or that operation of the Platform will be uninterrupted or error-free. No Guarantee of Results: Supar.Health makes no guarantee of the accuracy, completeness, timeliness, or reliability of any results or information you obtain through the Platform. While we employ rigorous scientific and clinical standards for our accredited diagnostics, and state-of-the-art research methods for RUO outputs, we cannot guarantee that the Platform will be error-free or that any particular result will be achieved or expected outcomes obtained. Healthcare and biological data analysis are complex processes and may occasionally produce erroneous or inconclusive results. You acknowledge that any reliance on the data or outputs from the Platform is done at your own discretion and risk. Not a Medical Device (for RUO): Except for those parts of the Platform that deliver accredited diagnostic results, the Platform as a whole is not certified as a medical device. Any tool, algorithm, or recommendation provided in the RUO layer is not subject to medical device regulation and is provided without warranty of fitness for clinical use. 
If applicable law requires any warranties with respect to the Platform, all such warranties are limited in duration to ninety (90) days or the minimum duration permitted by law, whichever is shorter.
To the extent not prohibited by law, in no event shall Supar.Health, its directors, officers, employees, agents, or partners be liable for any indirect, incidental, special, consequential, exemplary, or punitive damages, or any loss of profits, data, use, goodwill, or other intangible losses, arising out of or related to your use of (or inability to use) the Platform, whether based on warranty, contract, tort (including negligence), or any other legal theory, even if Supar.Health has been advised of the possibility of such damages. Maximum Liability: To the extent permitted by applicable law, Supar.Health's total cumulative liability for any claims arising out of or relating to this Agreement or your use of the Platform shall not exceed the amount actually paid by you to Supar.Health for use of the Platform or any services in the six (6) months immediately preceding the event giving rise to liability. If you have paid no such amount, Supar.Health's total liability shall be zero. Exceptions: Nothing in this Agreement is intended to exclude or limit liability that cannot be excluded under law. In particular, no provision of this Agreement shall operate so as to exclude or limit Supar.Health's liability for (i) death or personal injury caused by our negligence, or (ii) our fraud or fraudulent misrepresentation, or (iii) any other liability which cannot be excluded or limited under applicable law. However, in any such case, our liability will be limited to the fullest extent permitted by applicable law. You acknowledge that the fees, if any, charged for the Platform reflect this allocation of risk and the limitation of liability specified herein, and that Supar.Health would not be able to provide the Platform on an economically feasible basis without such limitations.
You agree to indemnify, defend, and hold harmless Supar.Health and its officers, directors, employees, and agents from and against any and all losses, liabilities, claims, demands, damages, or expenses (including reasonable attorneys' fees and costs) arising out of or related to: (a) your use or misuse of the Platform; (b) your violation of this Agreement or any law or regulation; (c) your infringement or violation of any intellectual property, privacy, or other rights of any third party; or (d) any claim that Supar.Health is obligated to provide remedy or payment of any kind to you or any third party arising from your use of data or outputs (especially RUO outputs) from the Platform for medical decisions (which is prohibited as stated above). Supar.Health reserves the right, at your expense, to assume the exclusive defense and control of any matter subject to indemnification by you. You agree to cooperate with our defense of such claim. You will not settle any such claim without our prior written consent. This indemnification obligation will survive any termination of your relationship with Supar.Health or use of the Platform.
This Agreement, and any disputes arising out of or related to this Agreement or the use of the Platform, shall be governed by and construed in accordance with the laws of Denmark, without regard to its conflict of laws principles. The application of the United Nations Convention on Contracts for the International Sale of Goods is expressly excluded. You agree that any dispute or claim arising from this Agreement shall be subject to the exclusive jurisdiction of the courts of Denmark. Supar.Health and you each consent to the personal jurisdiction of the Danish courts. Notwithstanding the foregoing, Supar.Health shall be allowed to apply for injunctive remedies (or an equivalent type of urgent legal relief) in any jurisdiction.
If any provision of this Agreement is held to be invalid, illegal, or unenforceable by a court of competent jurisdiction, that provision shall be enforced to the maximum extent permissible, and the remaining provisions of this Agreement will remain in full force and effect. The invalid or unenforceable provision shall be deemed modified in such a way as to make it valid, legal, and enforceable while preserving its original intent to the extent possible.
No failure or delay by Supar.Health in exercising any right or remedy under this Agreement shall operate as a waiver of that right or remedy, nor shall any single or partial exercise of any right or remedy preclude any other or further exercise of any right or remedy. A waiver on one occasion shall not be deemed a waiver of any future right or remedy. Any waiver by Supar.Health of any provision of this Agreement will be effective only if in writing and signed by an authorized representative of Supar.Health.
This Agreement (including the Privacy Policy and Terms of Use in Sections 2 and 3 below, which are incorporated by reference) constitutes the entire agreement between you and Supar.Health concerning the Platform and supersedes all prior or contemporaneous understandings regarding this subject matter. Any additional or different terms in any purchase order or other written or oral response by you shall be void and of no effect unless expressly agreed to in writing by Supar.Health. No amendment to or modification of this Agreement will be binding unless (i) in writing and signed by an authorized representative of Supar.Health, or (ii) we provide an updated version of this Agreement and you accept it (for example, by clicking "I Agree" or continuing to use the Platform after the new terms take effect). The section titles in this Agreement are for convenience only and have no legal or contractual effect. By using the Supar.Health Platform, you acknowledge that you have read this EULA, understand it, and agree to be bound by its terms and conditions.
Supar.Health is committed to protecting your privacy and handling your personal and health information with the utmost care and transparency. In this Privacy Policy, we describe how we collect, use, disclose, and protect your personal data when you use the Supar.Health Platform, and explain your rights in relation to that data. This policy reflects our compliance with the EU General Data Protection Regulation (GDPR), the Danish Data Protection Regulation (Databeskyttelsesforordningen), the Danish Health Act (Sundhedsloven), and the Danish Journalføringsbekendtgørelse (Medical Record Keeping Order), among other applicable laws.
Supar.Health ApS (CVR: 41298758) is a private diagnostics software company and personal digital biobank provider. We focus on precision medicine, preventive care, and health optimization through minimally-invasive testing and advanced data analysis. We perform accredited clinical laboratory analyses and provide research-oriented wellness insights for individuals, companies, and healthcare organizations. Our registered address is Strandvejen 64, 2900 Hellerup, Denmark. For any questions regarding this Privacy Policy or your data, you can contact us via the contact information on our website or through the contact details provided in this Agreement.
This Privacy Policy applies to the processing of personal data that occurs when you interact with Supar.Health's Platform, including but not limited to: visiting our website (and related online services), creating a Supar.Health account, undergoing any health tests or diagnostics through Supar.Health, using any mobile or web applications we provide, and contacting us with inquiries. It covers data collected in connection with Supar.Health's diagnostic services, research-use services, and any related clinical or scientific activities. Please note that in some cases we may provide additional privacy notices or consents for specific services or research projects. Those additional notices supplement this general Privacy Policy. By using the Platform or by providing us your personal data in relation to our services, you acknowledge that your data will be processed as described in this Privacy Policy.
Personal and Health Data for Services: Supar.Health collects and processes a range of personal and health information about you as part of offering our diagnostics and biobank services. When you contact us or become a customer, we will collect identifying and contact information such as your name, email address, phone number, postal address, date of birth, and biological sex/gender. If you reside in Denmark, we may also collect your CPR number (personal identification number) where necessary for healthcare record-keeping or integration with national health systems. We collect this information to identify you accurately and to comply with legal requirements in providing medical services. When you purchase a test, treatment, or analysis from Supar.Health, we collect information related to that service, which may include details of the specific tests or inquiries, underlying health information you provide, relevant medical history, current medications or diagnoses, and any other information needed to perform the requested analysis or consultation. For example, if you complete health questionnaires or provide lifestyle information within the Platform, this data will be recorded in your profile to inform our analysis. Electronic Health Records and Biobank Data: When you become a client of Supar.Health, we will create an encrypted electronic health record in our system for you. We use this record to store your personal data and results from any diagnostics or analyses. Our clinical staff and authorized specialists will record information about any samples collected (e.g., blood, saliva) and the results of laboratory analyses performed on those samples. We also document any consultations or communications we have with you regarding your results or health. This information is used to provide you with the best possible clinical health advice and personalized recommendations.
It also allows us to track your health data over time to observe changes and trends. Health Optimization and Recommendations: Supar.Health operates a personal digital biobank, meaning that we aggregate and analyze data from you, other consenting clients, and relevant population health databases to generate evidence-based personal health recommendations. Your data, combined with large-scale clinical research and population data, enables us to leverage the latest scientific findings in real-time and translate them into insights about your health. For example, we might compare your biomarker results with established ranges or research studies to give you guidance on improving specific health metrics. By using our services, you agree that we may use your anonymized or aggregated data for these real-time research and analytics purposes to benefit you and all users of the Platform. This is a key part of our service: using cutting-edge research to inform your health optimization plan. Website Usage Data and Cookies: When you visit our website or use our app, we may automatically collect certain technical information, such as your IP address, device type, browser type, and browsing behavior (e.g., pages viewed). We use cookies and similar tracking technologies to gather usage statistics (for example, counting visitors and understanding which parts of our website are of most interest). This helps us improve our website and Platform interface. Cookies may also be used to remember your preferences. You can find more details in our Cookie Policy. You have the option to manage cookie preferences in your browser settings. Communication Data: If you communicate with us via email, contact form, phone, or in-platform chat, we will collect the information you provide during those communications. This may include inquiries about our services, customer support requests, or feedback.
We will use this information to respond to you, to keep records of our communications (which may be necessary for medical documentation in some cases), and to improve our customer service. Newsletter and Marketing: If you subscribe to our newsletter or opt in to receive promotional communications, we will collect your name and email for the purpose of sending you health tips, updates, or offers. We only send such communications with your consent, and you can opt out at any time by clicking "unsubscribe" in any email or contacting us. The legal basis for processing your data for newsletter purposes is your consent (GDPR Art. 6(1)(a)). We process and store all personal and health data securely and in compliance with GDPR, the Danish Health Act, and the Medical Record Keeping Order. All uses of your data are limited to what is necessary to fulfill the purposes stated at the time of collection or as outlined in this Privacy Policy.
We only process your personal data when we have a legal basis under the GDPR and applicable law to do so. Depending on the context, one or more of the following legal bases may apply: Consent (GDPR Article 6(1)(a)): We rely on your consent for certain processing activities. For example, sending you newsletters or performing a genetic analysis requires your consent. Where we process special categories of data (such as health or genetic data), we may also rely on your explicit consent (GDPR Art. 9(2)(a)), unless another legal basis applies. You have the right to withdraw your consent at any time (see Section 11 on Your Rights), which will not affect the lawfulness of processing based on consent before its withdrawal. Contractual Necessity (GDPR Article 6(1)(b)): When you purchase services from us, we process your personal data as necessary to perform our contract with you. For instance, using your information to schedule a test, perform an analysis, and deliver results is based on the agreement for services. Legal Obligation (GDPR Article 6(1)(c)): Some data processing is required to comply with our legal obligations as a healthcare provider. For example, maintaining a patient medical record is mandated by law, and reporting certain results to public health authorities is obligatory. The Danish Health Act and Journalføringsbekendtgørelse require that we document and retain certain health information. When we transfer mandatory data to entities like the Danish Patient Safety Authority or Statens Serum Institut, this is under a legal obligation. Similarly, the Health Act §15(1) provides that we must obtain consent for treatments, and we comply with that requirement. Legitimate Interests (GDPR Article 6(1)(f)): We process some data under the legitimate interest basis.
This applies, for example, to the necessary collection of data for conducting biological analyses and providing health advice, which is in our legitimate interest as a healthcare service provider. Our legitimate interests include conducting our business in providing you with health testing and advisory services, ensuring the quality and accuracy of our processes, improving our services through scientific research, and communicating with you as a customer. When using this basis, we always consider your rights and interests and ensure they do not override our interests. We have conducted a legitimate interest assessment to weigh these factors: (a) We cannot provide our services without processing your data (e.g., we must analyze your sample to give a result). (b) We have an interest in securely documenting your data to comply with healthcare regulations and to provide continuity of care. In contexts where special category data (health data) is processed under legitimate interests, we ensure an additional condition under GDPR Art. 9(2) is met (such as Art. 9(2)(h) for medical diagnosis and treatment, or 9(2)(i) for public health, or 9(2)(j) for research, as applicable). Public Interest in Healthcare (GDPR Article 9(2)(i)): In certain cases, processing of health data is necessary for reasons of public interest in the area of public health. For example, if there is a requirement to report notifiable diseases or adverse events to health authorities, we would process relevant data under this basis. For genetic data or other highly sensitive data, we typically use explicit consent or the medical diagnosis and treatment basis (GDPR Art. 9(2)(h) in conjunction with national law) to process such data, unless another exception applies. We will always identify the applicable legal basis for our processing and will inform you of this through this Privacy Policy or at the point of data collection.
Where processing is based on your consent, you will be presented with a clear consent form or option, and you can decline if you wish. If you have any questions about the legal basis of specific processing, you can contact us for more information.
Supar.Health deals with sensitive personal data, including health information, laboratory results, and genetic data. Under GDPR, these are considered "special category" data that require additional protection. We handle these data types as follows: Health Data: This includes information such as your medical history, symptoms, diagnoses, treatment plans, biomarker levels, imaging results, etc., that you or your healthcare providers provide to us, as well as data we generate through tests (blood test results, etc.). We process health data to deliver our diagnostics services and health recommendations. The legal bases include medical diagnosis and treatment (GDPR Art. 9(2)(h) together with Danish Health Act consent provisions) and/or your explicit consent where required. Under the Danish Health Act, by engaging our services, you provide an informed consent to our processing of your health information for diagnostic and treatment purposes (Sundhedsloven §15(1)). Genetic Data: For any genetic analysis or DNA test that we offer, a separate explicit consent will always be obtained from you before proceeding. Genetic information can reveal sensitive insights not just about you but also about your biological relatives. We take this seriously. Before you undergo a genetic test with Supar.Health, we will provide you with detailed information about the nature and implications of the test. You will be asked to sign a specific genetic consent form (either electronically or on paper) that outlines: The purpose of the genetic test and what kind of information it can reveal. Potential consequences or implications of the results for you and possibly your family members. Ethical considerations, including whether you wish to receive information on incidental or secondary findings (genetic findings unrelated to the primary purpose of the test, which could be significant for your health). Your right to opt out or change your mind.
Even after giving consent, you may withdraw from a genetic test before it is conducted, or decline to be informed about certain categories of results, to the extent possible. We want you to carefully consider these points before proceeding with genetic analyses. If you have any uncertainties, we encourage you to speak with one of our clinicians or a genetic counselor. If you do not consent to a genetic test, you can still use other aspects of our Platform; genetic testing is entirely voluntary. If you do consent and later change your mind, let us know promptly. Once a genetic analysis is performed and results are delivered, they become part of your health record, but you remain in control of how they are used beyond your care (such as for research – which would require separate consent). Biometric Data: If we collect any biometric identifiers or use biometric technology (for example, if we collected a fingerprint, or used facial recognition for identity verification, or analyzed biometric patterns in health data), we would do so only with your knowledge and, if required by law, your explicit consent. As of the latest update of this policy, Supar.Health does not utilize any fingerprinting or facial recognition features. We will update you if this changes and ensure compliance with any biometric data laws.
We summarize here the categories of personal data Supar.Health processes: Identification Data: Name, date of birth, gender, address, phone number, email, national identification number (e.g., CPR in Denmark), passport or ID details (if needed for verification). Contact Data: Contact details such as email, phone, physical address, and emergency contact (if you provide one). Health Data: Medical history, symptoms, diagnoses, medications, allergies, lifestyle information (e.g., smoking status, exercise habits, diet), family medical history (if you provide it), and any other health information you or your doctor provide to us. Laboratory Data: Results of blood tests, urine tests, saliva tests, imaging, or any other diagnostic tests we perform or coordinate for you. This includes numerical results, interpretations, and any diagnostic conclusions. Genetic Data: Raw genetic data (such as DNA sequences or genotyping results) and interpreted genetic information, when you have consented to genetic testing. Biological Samples: While physical samples (blood, saliva, etc.) are not "data" per se, we assign identifiers to your samples and track information such as sample type, collection date, and processing status. This is linked to your personal data in our system. Usage Data: As mentioned, technical data about how you access our Platform, IP address, login timestamps, activity logs within the application (e.g., which sections you viewed), and cookie data. Communication Data: Contents of inquiries, communications, or feedback you send us, and notes about our responses. Transactional Data: Records of services you have purchased, dates of tests or consultations, payment method (but note: we do not store full payment card numbers—payments are handled by secure payment processors), invoice amounts, and relevant transaction IDs. 
Consents and Preferences: Records of any consents you have given (e.g., consent for genetic testing, consent for research use of data, marketing preferences) and records of any withdrawals of consent. We ensure that access to special categories of data (health, genetic) is restricted to personnel with a need-to-know (such as healthcare professionals and lab analysts involved in your care, or data analysts working under strict confidentiality and data protection conditions).
As part of providing diagnostics, Supar.Health (often in partnership with accredited laboratories) may collect biological samples from you, such as blood, urine, saliva, or other specimen types. This section explains how we handle those samples: Sample Analysis: Your samples will be used only for the specific tests and analyses that you have ordered or consented to. For example, if you have ordered a blood panel and a DNA test, your blood sample will be split or allocated as needed to perform those tests, either in our facilities or sent to specialized partner laboratories. Accredited Processing: Any clinical diagnostic tests on your samples are performed in accredited labs under strict quality control standards. For RUO analyses, samples may be processed in research labs or using experimental protocols, but with due scientific care. Sample Retention: In general, once the necessary analyses are completed, samples are disposed of safely (biohazard destruction) according to medical guidelines. However, in some cases we may retain portions of your sample for a short period in case re-testing is required or for quality assurance. For example, if a result is borderline or an instrument calibration issue is suspected, we may re-run the test on the stored sample. These retained samples are stored securely and are labeled with a code (not your name directly) to protect your identity. Re-testing and Errors: If there is an issue with your sample or test (such as a technical error or an inconclusive result), we may use a retained portion of your sample to re-run the test without additional charge to you. If the sample quantity is insufficient or has degraded, we may ask you to provide a new sample (see Section 10 of the Terms of Use on Resampling). We will inform you if re-collection is needed and explain the issue. Research Use of Samples: Supar.Health may conduct internal research to improve our services or contribute to scientific knowledge.
We will not use your identifiable biological samples for research without your explicit consent. In certain cases, we might ask you, separately from this Agreement, whether you are willing to allow your leftover sample to be kept in our biobank for ongoing or future scientific studies. You have a free choice in this matter. If you do not provide a separate research consent, your samples will not be used for any purpose other than your own diagnostics and will be destroyed as described. If you do consent, the samples may be stored in our research biobank under coded identifiers, and you may be asked to sign a specific Biobank Consent Form detailing the scope of the research, any potential risks, and your rights. You can decline or withdraw such consent at any time without affecting your core diagnostic services. Sample Transfers: Sometimes, to perform certain specialized tests, we might need to send a part of your sample to partner laboratories or hospitals (for example, a specific genetic test or a histopathology analysis at a specialized facility). We ensure that any transfer of samples is done securely, with the sample de-identified as much as possible and accompanied by only the information necessary for analysis (typically a sample ID and relevant clinical information, not your full personal details). All partner labs are bound by confidentiality and data protection agreements. By using our services, you understand that your biological samples will be handled as described, and you agree to these practices. We maintain documentation of the chain-of-custody for all samples and comply with any applicable laws regarding human biological material.
Supar.Health treats your personal and health data as confidential. We do not sell your personal data to third parties. We only share your data in the following circumstances, and always with appropriate safeguards: Healthcare Providers: If a licensed physician or healthcare professional is involved in your testing process (for instance, a doctor who reviews and validates your test results, or your own general practitioner if we refer results to them), we will share the necessary portions of your data with that provider. For example, if a doctor affiliated with Supar.Health oversees your blood test, they will have access to your identity and lab results to fulfill their medical duties. We may also, with your consent or as required by law, send a copy of your results to your personal doctor or include it in the national electronic health record system (e.g., "sundhedsjournalen" in Denmark). Laboratories and Technical Partners: We work with accredited laboratories and technical service providers to perform analyses. This includes external labs for specialized tests, sequencing facilities for genetic data, and platform hosting providers. These parties are bound by data processing agreements to ensure they only use your data for the purposes we specify and provide adequate protection. For example, if we send your blood sample to a partner lab for analysis, we provide only the data required for the test (often just a patient ID, gender, age, and relevant clinical info). The lab returns results to us, and they are obligated not to use your sample or data for any other purpose. Service Providers: We use third-party service providers for certain business operations, which might include IT hosting and maintenance, cloud storage, email and communication tools, analytics services, payment processors, etc. These providers may process personal data on our behalf as data processors.
We only use reputable providers that have committed to compliance with GDPR or equivalent standards. For example, our cloud database is hosted in a secure environment with encryption, and the provider cannot access your data except for maintaining the service under strict controls. Research Collaborators: If you have given explicit consent to participate in research studies, we might share some of your data (often in an anonymized or pseudonymized form) with research institutions or collaborators. For instance, we might collaborate with a university on studying a new health marker. In such cases, we would strip direct identifiers from your data before sharing, and ensure the research partner agrees not to attempt to re-identify you. Any external research publication would only contain aggregated results. We will inform you about the specifics of any research project and obtain your consent, as noted earlier. Regulatory and Public Health Authorities: We may be required by law to report certain information to health authorities. For example, under Danish law, certain communicable diseases or test results (like notifiable disease findings) must be reported to Statens Serum Institut or other public health bodies. Additionally, we may need to provide data to the Danish Patient Safety Authority (Styrelsen for Patientsikkerhed) as part of mandatory reporting or if they are auditing our clinic. Such disclosures will only be done under proper legal authority. We will document these transfers as required by law. Legal Compliance and Protection: If required by law, court order, or governmental regulation, we may disclose your information to law enforcement, courts, or regulatory authorities. We will only do so to the extent we are compelled, and when possible, we will inform you of such disclosure.
Additionally, if it's necessary to disclose data to protect our rights or the rights, property, or safety of our employees, clients, or others (for example, to prevent fraud or cybercrime), we may do so after careful consideration of your privacy rights. Third Country Transfers: Some of our partners and service providers may be located outside of the European Union (EU) or European Economic Area (EEA). In particular, we might utilize laboratories or cloud services in countries such as England, the United States, or Switzerland. When transferring personal data internationally, we take steps to ensure an adequate level of protection: For countries like the UK (England) and Switzerland, the European Commission has determined that these countries offer data protection standards essentially equivalent to the EU, so your data is protected under those countries' laws. For the United States, we will only transfer data to organizations that are certified under the EU-U.S. Data Privacy Framework or which have signed standard contractual clauses (SCCs) or otherwise provided adequate safeguards in line with GDPR. We verify that any U.S. partner processes health data in compliance with GDPR standards or HIPAA (for medical data) as applicable. In all cases, we maintain agreements with recipients to enforce confidentiality and data security. You can request a copy of the relevant data transfer safeguards (such as SCCs or certification details) by contacting us. Data Processors: Note that when we use data processors (e.g., cloud hosting, IT support), they may technically have access to data for maintenance, but they are not allowed to view or use it except as needed for the task and are under strict contractual confidentiality. We ensure all personnel and contractors at Supar.Health and our partners who handle personal data are trained in privacy and bound to secrecy.
Aside from the above, Supar.Health will not disclose your identity or personal health information to any third party without your consent. Any sharing for marketing purposes would never include sensitive health data and would require your opt-in consent.
Security is paramount at Supar.Health. We employ a comprehensive set of technical and organizational measures to protect your personal and health data against unauthorized access, alteration, disclosure, or destruction. These measures include: Encryption: All personal and health data is stored and transferred in encrypted form. We use strong encryption protocols (such as SSL/TLS for data in transit and AES-256 or equivalent for data at rest). This means that when your data is in our databases or being transmitted between our app/website and our servers (or to our partners), it is encrypted and unreadable to any unauthorized party. For example, our databases are encrypted such that even if someone were to get physical access to the storage, they could not read the data without the encryption keys. Access Controls: Access to systems containing personal health data is strictly limited. Only authorized personnel (for example, the physician overseeing your results, the laboratory technicians, or the IT administrators for the system) have access to identifiable information, and even then only what they need for their role. We implement role-based access control (RBAC), ensuring each user of our internal system can only access data relevant to their job duties. All access to health records is logged and audited. Confidentiality Training: All Supar.Health employees and contractors who handle personal data are required to sign confidentiality agreements. We provide training on data protection and HIPAA/GDPR compliance. They are educated on the importance of privacy and the legal and ethical duty to protect patient information. Secure Infrastructure: Our Platform is hosted in GDPR-compliant data centers and/or HIPAA-compliant cloud services (for health data). These facilities employ advanced security measures including firewalls, intrusion detection systems, anti-malware scanning, and physical security controls.
We regularly update and patch our software and servers to address security vulnerabilities. Data Minimization and Pseudonymization: Where feasible, we pseudonymize data – meaning we replace identifying fields (like name or CPR) with coded identifiers in analytical processes, so that staff working on research or quality control do not see personal identifiers. We also strive to collect only the data that is necessary for the purposes described, and not maintain data longer than needed (see Data Retention below). Email and Communication Security: We remind you that standard email is not always secure. While we have secure portals for sharing sensitive results, if you choose to communicate with us via regular email with personal health information, be aware of the risk. We encourage the use of encrypted email or our secure messaging features for any sensitive information. We utilize secure email protocols internally and for any transfer of particularly sensitive data. Monitoring and Testing: We monitor our systems for possible vulnerabilities and attacks. Regular security assessments, penetration testing, and audits are conducted to evaluate the effectiveness of our security measures. Any identified risks are promptly addressed. Data Breach Procedures: In the unlikely event of a data breach involving your personal data, we have an incident response plan. We will contain and mitigate the breach, assess the risk to your rights and freedoms, and, if required by law, notify you and relevant authorities (such as the Danish Data Protection Agency, Datatilsynet) within the regulatory timeframes. Your data is never shared with third parties without your consent, except as explained in this Policy, and it is never sold or rented out. We treat your data as we would want our own data to be treated. By using Supar.Health, you acknowledge that while we work hard to protect your information, no system can be 100% secure.
However, we commit to you that we will take all reasonably necessary steps to ensure the safety of your data. If you have any concerns about data security or wish to report a potential security issue, please contact us immediately.
We store your personal and health data only for as long as necessary to fulfill the purposes for which it was collected, or to comply with legal or regulatory requirements. How long we keep specific data can vary based on context: Health Records: Under Danish law (Journalføringsbekendtgørelsen and related health regulations), medical records must be retained for a minimum period (often at least 10 years from the last patient encounter, but this can vary). Therefore, information related to your diagnostics and treatment will typically be stored for at least the legally required retention period. We adhere to such laws, meaning we will not delete medical records earlier than permitted even if you request erasure, in order to comply with legal obligations (GDPR Art. 17(3)(b) – exception to erasure for compliance with legal obligation). Account Information: If you have an online account, your basic registration information is kept for as long as you maintain that account. If you decide to delete your account (and if no overriding legal requirement to retain data exists), we will remove or anonymize personal identifying information, but we may keep non-identifiable aggregate data. Genetic Data: Genetic data, once generated, becomes part of your health record. We will store it securely similarly to other health data. If you withdraw consent for use of genetic data in research, we will cease any research use and, if feasible, remove it from research databases (or completely anonymize it such that it is no longer personal data). Communication Records: Communications with you (emails, chat logs, support tickets) are generally retained as long as your account exists or as needed for customer service follow-up. If they form part of the medical record (e.g., you provided medical info via email), they may be kept under the medical record retention policy. Backup and Archives: We maintain secure backups of our data to ensure service continuity.
Backups are encrypted and rotated. There may be residual copies of your data in backups which are beyond immediate use. These are kept only for disaster recovery for a limited time and are securely destroyed on schedule. Also, if data is archived (moved offline or to long-term storage) due to legal requirements or historical purposes, it will be protected and isolated. Anonymized Data: In some cases, after the end of the retention period or upon your request, instead of outright deletion, we may anonymize your data (strip it of any identifiers such that it can no longer be linked to you). Anonymized data is no longer considered personal data and may be kept for statistical, research, or service improvement purposes indefinitely, without further notice. Once the retention period expires or the purpose for processing is fulfilled, we will either securely delete your data, anonymize it, or, if required, transfer it to an official archive (for example, in Denmark, certain health records might be transferred to a national archive under the Archive Act). For example, after many years, old patient records might be archived in compliance with archival laws. If you wish to know how long specific types of data are retained, or to request deletion, you can contact us (see Your Rights below). We will respond in accordance with Section 11 and applicable laws.
Under GDPR and applicable Danish law, you have several important rights regarding the personal data we hold about you. Supar.Health is committed to upholding these rights. They include: Right of Access: You have the right to request confirmation as to whether we are processing your personal data, and if so, to request a copy of the data, as well as information about how we use it. This is often called a "Subject Access Request." We will provide you with a copy of your personal data undergoing processing, typically free of charge (except where requests are manifestly unfounded or excessive, especially if repetitive, in which case a reasonable fee may be charged or we may refuse). Right to Rectification: If you believe that any personal data we hold about you is inaccurate or incomplete, you have the right to request correction or completion. For example, if your name is misspelled in our system or an address is outdated, we will update it. Right to Erasure: You have the right to request that we delete your personal data in certain circumstances. This is sometimes known as the "right to be forgotten." It is not absolute – for instance, we cannot delete data that we are legally required to keep (such as medical records within the mandatory retention period). But if you withdraw consent or if you object to processing and we have no overriding legitimate grounds, or if we unlawfully processed data, you can request deletion. We will inform you of the outcome and delete data where we can. Note that due to legal obligations, we might refuse deletion of certain health data, but we can anonymize or lock the data to only be used for the required purpose. Right to Restrict Processing: You can ask us to restrict (i.e., pause) the processing of your data under certain conditions.
For example, if you contest the accuracy of data, or if you object to processing and we are evaluating that objection, or if processing is unlawful but you prefer restriction over deletion, we will mark the data so it is only stored and not further processed until resolved. If processing is restricted, we will inform you before lifting the restriction. Right to Data Portability: For data you have provided to us, which we process by automated means based on your consent or a contract, you have the right to request that we provide it to you in a structured, commonly used, machine-readable format. You also have the right to request that we transmit that data directly to another data controller, where technically feasible. In practical terms, this means you can ask for a digital file of your results and personal information that you gave us, which you could then, for instance, upload to another health service. We will facilitate this as much as possible (for example, providing CSV or JSON exports of your data). Right to Object: You have the right to object to our processing of your personal data when that processing is based on legitimate interests (or public interest) and you have particular grounds for your objection. You also have an absolute right to object if your data is processed for direct marketing purposes (we will always honor opt-out of marketing). If you raise an objection, we will evaluate it. For processing based on legitimate interests, we will stop processing unless we have compelling legitimate grounds that override your interests, rights, and freedoms, or if we need to continue processing for the establishment, exercise, or defense of legal claims.
In the context of research use of your data, note that GDPR provides an exemption such that the right to object might not apply if the processing is necessary for scientific research purposes and would seriously impair the research objectives – however, in our practice, your consent is primary for research use, and you can withdraw it. Right not to be subject to Automated Decision-Making: Supar.Health does not make any decisions about you that have legal or similarly significant effects solely by automated means (without human involvement). In the event we use algorithms or AI to evaluate health data, any significant health-related decisions (like a diagnosis or treatment recommendation) involve a qualified professional's review. If in future we implement automated decision systems, you would have the right to request human intervention, to express your point of view, and to contest the decision. Right to Withdraw Consent: If we are processing your personal data based on your consent, you have the right to withdraw that consent at any time. This will not affect the lawfulness of processing that was carried out before withdrawal. For example, you can withdraw consent for receiving newsletters, and we will stop sending them. If you withdraw consent for a genetic test before it's done, we will cancel the test (note: if the test is already complete and results delivered, see right to erasure regarding handling of those results). To withdraw consent, you can contact us via email or through the account settings where available. Right to Lodge a Complaint: If you have concerns about how we are handling your data, you have the right to lodge a complaint with a supervisory authority. Supar.Health is based in Denmark, so our lead supervisory authority is the Danish Data Protection Agency (Datatilsynet). Their contact information can be found on their official website.
We encourage you to contact us first, so we can try to resolve your issue directly, but you are free to contact the authority at any time. If your complaint relates to healthcare services, you may also have the right to complain to the Danish Patient Safety Authority or other relevant health oversight body. To exercise any of your rights, please contact us (you can reach out via email or telephone as provided on our website, or via secure message). We may need to verify your identity to process certain requests (for example, ask you to confirm some identifying information). We will respond to your request as soon as possible, and within one month at most, as mandated by GDPR (this can be extended by two further months if necessary due to complexity, but we would inform you of the need for extension). Please note that these rights may be subject to certain legal exceptions. We will explain if any exception applies when responding to your request. For instance, as mentioned, if you request deletion, but we have to keep data to comply with a legal obligation, we will inform you of that fact and, if possible, offer to restrict its use instead. Your trust is extremely important to us. We will do our utmost to honor your rights and handle any requests or complaints fairly and transparently.
Supar.Health aims to address any concerns you have regarding your privacy or the handling of your personal data. If you have a complaint, question, or feedback about our data practices, please contact us so we can assist you. You can reach us by: Email: [Insert contact email, e.g., privacy@supar.health] Phone: [Insert contact phone number, if available] Mail: Supar.Health ApS, Strandvejen 64, 2900 Hellerup, Denmark. When you contact us with a privacy-related complaint, please provide as much detail as possible about your issue. We will take your complaint seriously, investigate, and respond to you. We may ask you for additional information to clarify the matter or to verify your identity, especially if it involves a request to exercise your data subject rights. If you are not satisfied with our response or believe we are not processing your personal data in accordance with the law, you have the right to file a complaint with the Datatilsynet (Danish Data Protection Authority). You can find their contact details on their official website (typically: Datatilsynet, Carl Jacobsens Vej 35, 2500 Valby, Denmark, email: dt@datatilsynet.dk, phone: +45 33 19 32 00). Similarly, if your concern relates to how we handled your care as a medical service, you may contact the Danish Patient Safety Authority (Styrelsen for Patientsikkerhed) or other relevant body. However, we sincerely hope to resolve any issue in direct communication with you.
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational reasons. When we make significant changes, we will notify you through the Platform (for example, via a notice on our website or a notification through the app) and/or via email, if appropriate. The "Last Updated" date at the top of this Policy indicates when the latest changes were made. We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your data. If we make changes that materially affect your rights or how we use your data, we will seek re-confirmation of your consent if required. Continued use of the Platform after a Policy update constitutes your acknowledgment of the update. If you do not agree with any changes, you should stop using the Platform and can request us to deactivate your account and/or delete your data (subject to the restrictions noted above).