Privacy Policy

Privacy Policy — Cue Life DK ApS

1) Controller and Scope

This Privacy Policy describes how Cue Life DK ApS, CVR 45653110, Aurehøjvej 12, 2900 Hellerup, Denmark (hereinafter “we”, “our”, or “us”) processes, uses, and discloses your personal data as data controller when you use our platform and when we provide consultation, examination, diagnosis, and treatment.

Processing is carried out in accordance with applicable law, including:

  • EU General Data Protection Regulation (GDPR),
  • Danish Data Protection Act,
  • Danish Authorization Act (Autorisationsloven), Chapter 6,
  • Order on Healthcare Professional Records (Journalføringsbekendtgørelsen),
  • Danish Health Act (Sundhedsloven), incl. Chapter 9, and related executive orders.

2) Data Processing in a Clinical and Digital Context

In connection with our consultation, examination, diagnosis, and treatment of you as a patient — including digital health services delivered via our platform — we collect and process a range of personal data about you as the data controller. We are obligated to do this under the Danish Authorization Act Chapter 6 and the Record Keeping Order.

3) Types of Personal Data We Process

A. General Categories of Personal Data

To the extent relevant to you and your treatment:

  • Identification and contact details: name, address, email address, phone number, personal identification number (CPR), gender.
  • Relationship details: family relationships, social relationships.
  • Employment and education: work relationships and education.
  • Administrative/financial: payment data (e.g., partial card tokens as processed by our payment provider), appointment data, communications metadata.

B. Special Categories of Personal Data (“Sensitive Personal Data”)

  • Health information (e.g., medical records, anamnesis, test results, X-ray images, scans, laboratory data, prescriptions, treatment notes, clinician assessments, vital signs).
  • Sexual orientation (only insofar as clinically relevant to treatment).
  • Race or ethnic origin (only if directly relevant to treatment).
  • Religious beliefs (only if directly relevant to treatment).

C. Digital Health and Wearable/Tracking Data (where applicable)

  • Biomarkers, lifestyle data, progress tracking, and care-plan adherence as part of men’s health optimization programs.

4) Purposes of Processing

We process your personal data for the following purposes:

  1. Examination, diagnosis, and treatment of you as a patient.
  2. Preparation of medical certificates and clinical documentation.
  3. Preparation of reports for use by authorities, insurance companies, etc.
  4. Communication with or referral to other healthcare professionals, doctors, hospitals, or laboratories, including receiving and transmitting necessary patient information (e.g., booked appointments, diagnoses, treatment plans).
  5. Conducting video consultations (telemedicine).
  6. Possible use of image material for diagnosis (e.g., photographs for dermatology).
  7. Medication prescriptions, including issuing prescriptions via FMK (Fælles Medicinkort / Shared Medication Record).
  8. Reporting to clinical quality databases (e.g., RKKP).
  9. Requisitioning laboratory tests from Danish hospital or partner laboratories.
  10. Billing purposes, including disclosures in connection with public or regional reimbursement and private billing.
  11. Compliance with applicable law (GDPR, Data Protection Act, healthcare legislation), including:
    • Documentation obligations,
    • Compliance with basic principles and legal bases for processing,
    • Implementation and maintenance of technical and organizational security measures (access controls, encryption where appropriate, logging, least privilege, MFA),
    • Preventing unauthorized access, malware, denial-of-service, and damage to systems,
    • Investigating suspected or actual security breaches and notifying authorities/individuals where required.
  12. Handling inquiries and complaints from data subjects and others.
  13. Handling inspections and inquiries from supervisory authorities.
  14. Handling disputes with registered individuals and third parties.
  15. Operation of our digital men’s health platform, including personalization, adherence support, and health-tracking features directly tied to care delivery.

5) Voluntariness

When we collect personal data directly from you, providing data is voluntary. However, if you do not provide relevant data, we may be unable to examine, diagnose, or treat you, or to deliver specific platform features.

6) Sources of Personal Data

We may obtain data:

  • Directly from you (onboarding questionnaires, consultations, uploads).
  • From other healthcare professionals and authorities in Denmark (e.g., hospitals, EMR systems) where permitted/required by law or based on your consent. We process received data in accordance with this Privacy Policy.

7) Disclosures and Recipients

To the extent necessary for your specific examination, diagnosis, or treatment — or where required by law — your personal data may be disclosed to:

  • Other healthcare professionals in Denmark (for referrals, second opinions, continuity of care).
  • Clinical quality databases (RKKP), the Danish Patient Safety Authority, the Danish Health Data Authority (incl. medications, vaccinations, adverse events, and deaths), police and courts, social authorities, and Labor Market Insurance (Arbejdsmarkedets Erhvervssikring) insofar as there is an obligation to do so under applicable law.
  • Referral recipients within Denmark: when referring patients, necessary data is sent to the receiving healthcare professional.
  • Danish laboratories: when ordering or reporting laboratory tests, samples and related data are sent to the relevant laboratory.
  • Regional billing offices: when reporting data in connection with billing for patient treatment, data is sent to the relevant regional billing offices.
  • Danish pharmacies & FMK: when issuing prescriptions, data is sent to Danish pharmacies and, where applicable, to authorities via FMK.
  • Relatives or insurance companies: only where legally permitted and typically only with your prior consent.
  • Payment processors and IT service providers acting as our data processors (see Section 10).

8) Legal Bases for Processing and Disclosure

A. Clinical Treatment and Safety

  • GDPR Art. 6(1)(c) (legal obligation) and 6(1)(d) (vital interests) for general personal data.
  • GDPR Art. 9(2)(c) (vital interests) and 9(2)(h) (medical diagnosis, provision of health or social care) for special categories (health data).
  • Danish Authorization Act (Chapter 6) and Record Keeping Order (esp. §§ 5–10).
  • Danish Health Act (Chapter 9) for medical secrecy and disclosures permitted/required by law.

B. Disclosures Not Mandated by Chapter 9 of the Health Act

  • If not required under the Health Act, disclosures to other healthcare professionals occur only with your prior consent pursuant to Sundhedsloven §§ 42a–42e.

C. Billing and Payment

  • Data for billing for patient treatment may be forwarded to regional billing offices and to Stripe as payment processor, under GDPR Art. 6(1)(b) (contract) and/or 6(1)(f) (legitimate interests) where applicable, as well as 6(1)(c) for statutory reporting.

D. Prescriptions and Vaccinations (FMK)

  • Medication prescriptions and vaccinations are processed and sent via FMK under Sundhedsloven § 157 and the Order on Prescriptions and Dose Dispensing of Medicines (esp. Chapter 3).

E. Insurance Companies and Relatives (Consent)

  • Data is disclosed to insurance companies only with your prior consent under GDPR Art. 6(1)(a) and 9(2)(a).
  • Data is disclosed to your relatives only with your prior consent under Sundhedsloven § 43.
  • For deceased patients, certain personal data may be disclosed to the closest relatives under Sundhedsloven § 45.

Withdrawal of consent: Where processing is based on consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal, including disclosures already made based on your consent.

9) Processors and Infrastructure Recipients

Your personal data may be processed and stored with the following data processors (acting on our behalf and under our instructions through data processing agreements):

Processor: Role and purpose of processing

  • Vercel: Hosting and secure delivery of our website, web-app and patient portal.
  • Neon: Managed database hosting and secure storage of administrative and patient data.
  • Giddir: Laboratory-integration platform used to order tests from, and retrieve results from, Synlab.
  • Synlab: Accredited laboratory partner performing diagnostic analyses and issuing laboratory reports.
  • Zoom for Healthcare: Video-consultation platform for telemedicine appointments.
  • Stripe: Secure payment processing for patient fees.
  • Cal.com: Appointment scheduling and booking interface.
  • Mailersend.com: Transactional-email delivery service used to send account-related notifications, confirmations, and system messages.
  • MailerLite: Newsletter and email-marketing platform used to manage subscriptions and deliver updates to recipients who have provided consent.
  • Cookiebot (Usercentrics A/S): Consent-management platform that records and stores users’ cookie preferences and controls lawful activation of cookies on our website.
  • Google Workspace (Gmail, Calendar): Support communication, appointment confirmations, scheduling details, and related correspondence.

We minimise the amount of personal data included in outgoing emails and never include clinical or diagnostic information in email content.

Sub-processing and infrastructure

We do not engage any additional processors beyond those listed above.

However, certain processors may use their own sub-processors (for example, for cloud hosting or email delivery). These sub-processors act under the responsibility of the primary processor and are bound by equivalent GDPR-compliant data-protection obligations.

10) Data Transfers Outside the EEA

Where a processor or recipient is located outside the EEA, transfers will occur only:

  • To countries subject to an adequacy decision, or
  • Under appropriate safeguards (e.g., EU Commission Standard Contractual Clauses (SCCs) with supplementary measures where required), or
  • Under applicable derogations (e.g., Art. 49 GDPR where strictly necessary).

11) Retention Periods

We retain personal data only as long as necessary for the purposes set out above and to meet legal obligations.

  • Under § 15 of the Record Keeping Order, patient records are retained for at least 10 years after the last entry in the record.
  • In special cases (e.g., complaints, compensation claims, or audits), data may be retained for longer — until the matter is finally closed — to establish, exercise, or defend legal claims and to comply with statutory requirements.

12) Your Rights

Under GDPR and Danish law, you have the following rights (subject to statutory healthcare limitations):

  • Right of access to your personal data (GDPR Art. 15).
  • Right to rectification of inaccurate data (GDPR Art. 16).
  • Right to erasure in some cases (GDPR Art. 17).
  • Right to restriction of processing (GDPR Art. 18).
  • Right to data portability (GDPR Art. 20) where processing is based on consent or contract and carried out by automated means.
  • Right to object to certain processing (GDPR Art. 21).

Important healthcare limitation: Under § 14 of the Record Keeping Order, deletions are not permitted in patient records; only corrections/additions may be made to preserve clinical integrity and legal documentation.

You may lodge a complaint with the Danish Data Protection Agency (Datatilsynet): www.datatilsynet.dk

13) Security Measures

We implement and maintain appropriate technical and organizational security measures designed to protect personal data, including (without limitation):

  • Role-based access controls and least-privilege principles,
  • Multi-factor authentication for administrative access where appropriate,
  • Encryption in transit and, where relevant, at rest,
  • Network segmentation and monitoring,
  • Logging and audit trails for clinical record access,
  • Incident response and breach notification procedures in line with GDPR Articles 33–34.

14) Automated Decision-Making / Profiling

We do not engage in automated decision-making producing legal or similarly significant effects on you within the meaning of GDPR Art. 22. Any algorithmic insights used for care optimization are clinician-supervised and form part of the medical assessment process.

15) Contact Information

For questions regarding this Privacy Policy, processing of your personal data, or to exercise your rights, contact:

Cue Life DK ApS

CVR: 45653110

Address: Aurehøjvej 12, 2900 Hellerup, Denmark

Phone: [insert phone number]

Email: legal@cuelife.com

16) Updates to this Policy

We may update this Privacy Policy to reflect legal, technical, or business developments. Material changes will be communicated via our platform or by direct notice where appropriate.