1. What is this Privacy Notice about
We take the protection of your privacy seriously. The following privacy policy describes how we collect, use, disclose and otherwise process personal information, and explains the rights and choices available to individuals with respect to their information.
We gather and process your personal data carefully and exclusively for the purposes described in this privacy policy and only to the extent necessary within the framework of applicable legal provisions. We store your personal data exclusively to the extent and for the duration necessary to provide our services, or as required by law. In close cooperation with our hosting providers, we make every effort to ensure that databases are protected from unauthorized access, loss, misuse, and falsification.
We have aligned this privacy notice with both the European General Data Protection Regulation (GDPR) and the Swiss Data Protection Act (DPA). If the data protection declaration refers to "personal data" in accordance with the GDPR, this also includes "personal data" in accordance with the DPA. The same applies to other legally defined terms. However, the extent to which the DPA or the GDPR is applicable depends on the individual case.
In some situations, we may have a separate agreement or relationship with you with respect to a specific type of processing of your data, such as if you participate in a special program. These situations may also be governed by specific terms, privacy notices, or consent forms that provide additional information about how we will use your data.
2. Who is responsible for the processing of your personal data?
For the data processing, the following company is the «controller», i.e., the party that is primarily responsible to ensure compliance with data protection laws (also «we»): Lealy AG, Rütistrasse 28, 8032 Zürich.
If you have any questions regarding data protection, please feel free to contact us at the following address:data-protection@lealy.health
3. How do we collect personal data?
We collect personal data:
- directly from individuals interacting with us;
- through our website and online services, including our online coaching services;
- from government agencies or public records (e.g. debt enforcement registers);-
- from third party service providers, including healthcare professionals, involved in our coaching in the area of long-term habit-change for weight reduction (e.g. physicians advising you during the course of our coaching, laboratories), data brokers or business partners; and
- from industry and patient groups and associations.
4. What types of personal data do we collect and process?
The types of personal information we collect include:
- health and medical information (such as medical insurance details, information about physical and mental health conditions and diagnoses, treatments for medical conditions, genetic information, family medical history, and medications an individual may take, including the dosage, timing, and frequency) we collect in connection with coaching you in the area of long-term habit-change for weight reduction;
- personal and business contact information and preferences (such as name, job title and employer name, email address, mailing address, phone number);
- biographical and demographic information (such as date of birth, age, gender, marital status, and information regarding any parents or legal guardians);
- payment-related information we need to pay for professional services, such as consulting, individuals may provide to us (such as tax identification number and financial account information);
- other information you provide to us (such as in emails, on phone calls, through our websites or mobile applications, or in other correspondence, such as market research surveys, with us or our service providers or business partners); and
- if you are a third party with whom we have or are contemplating a contractual relationship, such as a health care professional, we collect publicly-available information related to your practice, such as license information, disciplinary history, prior litigation and regulatory proceedings, and other due diligence related information.
5. What are the processing purposes and legal basis?
We use the personal data that we collect for coaching on long-term habit-change for weight reduction.
We also use the data for the purpose of processing and concluding contracts with our customers and business partners.
In addition, we also process personal data from you and other persons to the extent permitted and deemed appropriate by us, in which we (and sometimes third parties) have a relevant legitimate interest, insofar as legal grounds are required by the applicable data protection laws, for the following purposes:
- providing information about offers, services, websites and other platforms where we have an online presence;
- communicating with third parties and processing their queries;examining and optimizing needs analysis procedures for the purpose of directly addressing customers, as well as collecting personal data from publicly accessible sources for the purpose of customer acquisition;
- advertising and providing information about our services and offers (including conducting events and sending the annual report) if you have not refused permission for the use of your data (if we send you advertising as a current customer, you may refuse permission at any time and we will place you on a list to block the sending of further advertising);
- safeguarding our operations, in particular our IT, our websites and other platforms;
- conducting online meetings;
- sending you meeting reminders, nudges and similar motivational information; and
- sending you our newsletters with recipes and other information.
We may aggregate and/or anonymize any personal data, including health data, that we collect, such that the information no longer identifies any identified or identifiable natural person. We may use, disclose, and otherwise process such information for our own legitimate business purposes or for third parties – including historical and statistical analysis and business planning and/or research purposes – without restriction.
In some situations, we have a separate agreement with or relationship with you regarding a specific type of processing of your personal data, such as when you participate in a special coaching program. These situations may be subject to specific terms, privacy notices or consent forms that provide additional information about our use of your personal data. If you have given us consent to process your personal data for specific purposes (e.g. when you register for our webinar or when you register to receive newsletters or submit other requests via online forms on our website), we process your personal data within the scope of and based on this consent, unless another legal basis or other legitimate grounds exist.
Consent that has been given can be revoked at any time but has no effect on any data processing that has already been carried out.
6. Transfer of data to thirdparties
We observe the principle of proportionality in our data transfers. Our employees process your data as part of their work activities.
We may disclose your data to other companies if we utilize services from these companies. This also includes external service providers.
In certain cases, data may also be disclosed to third parties for processing under their own or joint controllership, e.g. to
- your physician and/or other healthcare professionals involved in our coaching in the area of long-term habit-change for weight reduction;health insurers for billing purposes and in connection with our coaching in the area of long-term habit-change for weight reduction;domestic and foreign authorities, official bodies or courts in the event of proceedings or a request for surrender;
- acquirers or parties interested in acquiring business divisions, companies or other parts of our company; and
- other parties in potential or actual legal proceedings.
Where necessary, contracts are concluded with recipients of your data in accordance with data protection regulations.
Depending on the applicable law, data may only be transferred on the basis of legal grounds. In this case, our processing is based on a necessity to prepare for and perform agreements, to safeguard legitimate interests of us or third parties, e.g. statistical evaluations or for marketing purposes, that it is required or permitted by law, or that you have provided separate consent.
7. International Data Transfers
The recipients of data are not all located in Switzerland, in particular certain service providers (especially in IT). These providers may have locations within the EU or the EEA. These providers may have locations within the EU or the EEA, but also in other countries worldwide, e.g. in the U.S. We may also share data with authorities abroad if we are legally compelled to do so or, for example in relation with a sale of assets or with legal proceedings.
Not all of these countries have adequate data protection. We therefore use appropriate safeguards, in particular the EU standard contractual clauses (including, where necessary, the amendments required by the Swiss Federal Data Protection and Information Commissioner). In certain cases, we may share data abroad without such safeguards, as otherwise permitted under applicable data protection law, e.g., with your consent or where the disclosure is necessary for the performance of the contract, for the establishment, exercise or enforcement of legal claims or for overriding public interests.
8. How do we process personal data on our website?
For technical reasons, every time you use our website, some data is collected that is temporarily stored in log files (log data), in particular the IP address of the device, in-formation about the internet service provider and the operating system of your de-vice, information about the referring URL, information about the browser used, date and time of access, and content accessed when visiting the website. We use this data to provide our website, to ensure security and stability, to optimize our website and for statistical purposes.
Our website also uses cookies. These are small files that your browser saves on your device. This allows us to separate individual visitors from others, but usually without identifying visitors. Cookies may also include information about content accessed and the duration of the visit. Certain cookies («session cookies») are deleted when the browser is closed. Others («persistent cookies») are stored for a certain period so that we can recognize recurring visitors.
We may also use other technologies, such as pixels or browser fingerprints. Pixels are invisible images that are loaded from a server and transmit certain information through a coded link. Fingerprints are information about the configuration of your device that make your device distinguishable from others.
You can configure your browser in the settings so that it blocks certain cookies or deletes cookies and other stored data. You can find out more about this in the help pages of your browser (usually under the keyword «Privacy»).
Cookies and other technologies may also be used by third parties that provide services to us. These may be located outside of Switzerland and the EEA (for more information, see Section 7). For example, we use analytics services so that we can optimize and personalize our website. Cookies and similar technologies from third-party providers also enable them to target you with individualized advertising on our websites or on other websites as well as on social networks that also work with this third party and to measure how effective advertisements are (e.g., whether you arrived at our website via an advertisement and what actions you then take on our website. The relevant third-party vendors may record website usage for this purpose and combine their records with other information from other websites. They can record user behavior across multiple websites and devices to provide us with statistical data. The providers may also use this information for their own purposes, e.g. for personalized advertising on their own website or other websites. If a user is registered with the provider, the provider can assign the usage data to the relevant person.
Two of the most important third-party providers are Google and Meta. You can find more information about these below. Other third-party providers generally process personal and other data in a similar way.
Google Analytics and Google Firebase
On many of our websites, we use Google Analytics, an analytics service provided by Google LLC (1600 Amphitheatre Parkway, Mountain View, CA, USA) and Google Ireland Ltd (Google Building Gordon House, Barrow St, Dublin 4, Ireland; both together "Google", whereby Google Ireland Ltd. is responsible for the processing of personal data). Google uses cookies and similar technologies to collect certain information about the behavior of individual users on or on the website in question and the end device used (tablet, PC, smartphone, etc.) (e.g. how often you have opened our website, how many purchases have been made or what interests you have, as well as data about the end device you use, such as the operating system). You will find further information on this under this link.
Google provides us with reports and in this sense can be regarded as our processor. However, Google also processes certain data for its own purposes. Google may be able to draw conclusions about the identity of visitors to the websites based on the data collected and therefore create personal profiles and link the data obtained with any existing Google accounts of these persons. You can find information on Google Analytics data protection here, and if you have a Google account yourself, you can find more information here.
Meta Pixel
Our websites may also use the so-called "Meta pixel" and similar technologies from Meta Platforms Ireland Limited, Block J, Serpentine Avenue, Dublin 4, Ireland ("Meta"). We use these technologies to display the adverts placed by us only to users on Meta's platforms (e.g. Instagram or Facebook) and on those with Meta (so-called "audience network") who have shown an interest in us or whose characteristics correspond to those that we transmit to Meta for this purpose (e.g. interest in certain topics or products that can be seen from the websites visited; "custom audiences"). We can also use these technologies to track the effectiveness of adverts for statistical and market research purposes by seeing whether users have been redirected to our website after clicking on an advert (so-called "conversion measurement").
We are jointly responsible with Meta for the exchange of data that Meta collects or receives via the pixel or comparable functions, for the display of advertising information that corresponds to the interests of users, the improvement of ad delivery and personalization of functions and content (but not further processing). We have therefore concluded a corresponding additional agreement with Meta. Users can therefore address requests for information and other data subject requests in connection with joint responsibility directly to Meta.
Microsoft Clarity
Microsoft Clarity is a tool that helps us to improve the user-friendliness of our website. To do this, Microsoft Clarity records selected user sessions and provides us with measurement values that indicate any usability problems. Microsoft Clarity collects user data such as access times, IP addresses and cursor and scroll movements. Some of this is personal data. We have concluded an order processing contract with Microsoft. We also use HTML attributes to mask input fields that collect sensitive user data. Further information on Microsoft Clarity can be found in the Microsoft Privacy Statement and the Microsoft Clarity Terms of Use.
Google reCAPTCHA
We sometimes use Google reCAPTCHA on our websites. These are third-party services that may be located in any country in the world (in the case of Google reCAPTCHA, it is Google LLC in the USA). We use Google reCAPTCHA to protect online forms on our website. Data processing is based on your consent. The purpose of reCAPTCHA is to check whether a human or an automated program is entering data on our websites (e.g. in a contact form). reCAPTCHA analyses the behavior of the website visitor on the basis of various characteristics. Cookies are also used for this purpose and are set by the service provider. The analysis starts automatically as soon as the visitor opens the website and runs entirely in the background. Website visitors are not informed that an analysis is taking place.For the analysis, Google can evaluate all the information on these form pages (including the IP address, how long the visitor stays on the website and the user’s mouse movements). The data collected during the analysis is forwarded to Google. The use of the reCAPTCHA service is in accordance with Google’s Privacy Policy and Terms of Service. For more information, see the website to Google reCAPTCHA.
Circle.so
We use circle.so to provide you with an online community platform where you can find information about the program, take part in coaching, interact with other users, and share content.Circle.so is a service provided by Circle Software, Inc., a company based in the USA. When you use our community platform, some of your personal data will be transmitted to circle.so, such as your name, your e-mail address, your profile picture, and your activities on the platform. Circle.so processes this data on our behalf and in accordance with our instructions to ensure the functionality and security of the platform. Circle.so may also use this data for its own purposes, such as improving the service or compiling aggregated statistics. For more information about circle.so's privacy practices, please see their privacy policy.
BigMarker
We use BigMarker to offer and host webinars. BigMarker is an online service that allows us to create and host interactive online events. If you participate in one of our webinars, your personal data, such as your name, your e-mail address, your IP address and your interactions during the webinar, will be processed by BigMarker.BigMarker is based in the USA and processes the data in the USA. We have entered into a data processing agreement with BigMarker to ensure that your data is protected in accordance with applicable data protection laws. For more information about BigMarker's privacy practices, please see their privacy policy and Terms of Service.
Typeform
We use Typeform to create and conduct surveys. Typeform is an online service that enables us to design and manage interactive forms. When you participate in our surveys, your answers and personal data are collected and processed by Typeform. You can view Typeform’s terms of use and privacy policy here.Typeform is based in Spain and processes your data in the USA. We have concluded an order processing contract with Typeform to ensure that your data is protected in accordance with the applicable data protection laws.
Outseta
We use Outseta as a CRM (Customer Relationship Management) system to manage and improve our customer relationships. Outseta is a service provider based in the USA that provides us with various functions such as billing, marketing, and customer service. When you visit our website or use our services, some of your personal data will be transmitted to Outseta and processed there. This data includes your name, your e-mail address, your address, your IP address and your usage data.We have concluded an order processing contract with Outseta, which ensures that Outseta protects your data in accordance with the GDPR and only uses it for the purposes specified by us. You can view Outseta's privacy policy and find out about your rights and options. You can find Outseta's General Terms and Conditions.
Webflow
We use Webflow to create and host our website. Webflow processes personal data of website visitors that is collected via our website, such as name, e-mail, IP address and form data. This data is transmitted to Webflow Inc, a company based in the USA. For more information about Webflow and data protection, you can view Webflow's Terms of Service and the Privacy Statement. You can also consult Webflow's EU & Swiss Privacy Policy to learn more about the rights of individuals from the EU and Switzerland. Webflow stores and processes the data on Amazon Cloudfront and Fastly servers, which may be located in different countries.
Mailchimp
We use Mailchimp as a platform for our email newsletter. Mailchimp is a service of The Rocket Science Group, LLC, 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308 USA. Mailchimp processes the personal data that you provide to us when registering for the newsletter on our behalf and in accordance with our instructions. Mailchimp stores your data on servers in the USA. You can read more about Mailchimp's privacy practices in their privacy policy. You can unsubscribe from our newsletter at any time by clicking on the link at the bottom of each email or by sending us an email.
Calendly
We use Calendly to give you the opportunity to book appointments with us. Calendly is a service provided by Calendly LLC, based in the USA. When you book an appointment via Calendly, you provide us with personal data such as your name and email address. This data is processed by Calendly in the USA. We have concluded a data processing addendum with Calendly that protects your rights as a data subject. You can find out more about Calendly's data protection practices in their privacy policy. By booking an appointment through Calendly, you agree to Calendly's Terms of Use and Privacy Policy.
Stripe
We use Stripe, an online payment service provider, to process payments from you. When you make a payment via our website or links, your personal data, such as your name, e-mail address, credit card number and other payment information, will be transmitted to Stripe. Stripe processes your personal data in accordance with its privacy policy. Stripe processes your personal data in various countries, including the USA, where Stripe Inc. is based.
YouTube
We use YouTube on our website to offer you videos on various topics. YouTube is a service provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. When you play a YouTube video on our website, data is transmitted to YouTube. Google's privacy policy applies. YouTube processes your data in the USA. Further information on data processing by YouTube can be found here.
Elfsight
We use Elfsight to offer you various functions on our website, such as contact forms, testimonials, widgets and more. Elfsight is a service of Elfsight LLC, 1732 1st Ave, New York, NY 10128, USA. If you visit one of our pages that uses Elfsight, your data will be transmitted to Elfsight and processed there. This also applies if you use the functions provided by Elfsight. For more information about Elfsight and how they protect your data, please read Elfsight's Terms of Service and Privacy Statement.
Google Workspace
In order to correspond with you and to store data that you provide to us via our website or other channels, we use the services of Google Workspace, which are offered by Google Cloud EMEA Ltd, 70 Sir John Rogerson's Quay, Dublin 2, Ireland, in addition to the other services mentioned in this privacy policy. Your data will be processed on servers in the EU. Insofar as personal data is transferred to a third country outside the European Economic Area for which there is no adequacy decision, this is done on the basis of EU standard contractual clauses in accordance with Art. 44, Art. 46 para. 2 c) GDPR. You can find the EU standard contractual clauses here. Further information about Google Workspace and data protection can be found in Google's privacy policy.
Plug-ins
We also use plug-ins on our websites for social networks such as Facebook, Instagram and google analytics, which are clearly indicated (usually with a corresponding icon). We have configured these elements to be disabled by default. If you activate them (by clicking on them), the operator of the corresponding social network registers that you are on our website and where you are and can use this information for its own purposes. The processing of your personal data by the operator is therefore the responsibility of the operator in accordance with its own data protection provisions. We do not receive any information about you from the operator.
9. How do we process data via social media?
We operate our own presences on social networks and other platforms. If you communicate with us there or comment on or redistribute content, we collect information for this purpose, which we use primarily for communication with you, for marketing purposes and for statistical evaluations. Please note that the provider of the platform also collects and uses data (e.g. on user behavior) itself, possibly together with other data known to it (e.g. for marketing purposes or to personalize the platform content). Insofar as we are jointly responsible with the provider, we enter into a corresponding agreement, about which you can obtain information from the provider.
10. How long do we process personal data?
We process your personal data as long as it is necessary for the purpose of processing (in the case of contracts, usually for the duration of the contractual relationship), as long as we have a legitimate interest in storing it (e.g. if in order to enforce legal claims, for archiving and or to ensure IT security) and as long as data is subject to a statutory retention obligation (for certain data, for example, a ten-year retention period ap-plies). After these periods have expired, we delete or anonymize your personal data.
11. Data security
We take appropriate technological and organizational security precautions to protect your personal data against unauthorized access and misuse, such as issuing instructions, training, IT and network security solutions, access controls and restrictions, encrypting data carriers and transmissions, pseudonymization and checks.
We communicate with you, as well as with medical professionals and other third parties, by unencrypted e-mail. Email communication without end-to-end encryption is not absolutely secure (e.g. if an email account is hacked). Information transmitted in this way therefore could be misused by third parties.
12. Duty to provide personal data
Within the scope of our business relationship, you must provide those items of personal information required to be able to commence and carry out a business relationship and fulfil the associated contractual obligations (you usually are not obliged by law to provide us with data). However, without this data we are generally not able to conclude a contract with you (or with the office or person that you are representing), to process it nor to fulfil our legal tasks.
13. Profiling and automated decision-making
Personal data is not subject to any automated decision-making. We do not conduct profiling with personal data.
14. What are your rights?
Within the scope of the applicable data protection law and to the extent required by the law (e.g. in the case of the GDPR), you have the right to information, amendment, deletion, the right to restrict the processing of data and otherwise to refuse permission to our processing of the data (especially, in relation with direct marketing) as well as the publication of certain personal data for the purpose of transfer to another office (known as data portability).
Please note, however, that we reserve the right to enforce the restrictions required by law, for example in cases where we are obliged to store or process certain data, have an overriding interest to do so (to the extent that we may call on it) or require it to assert claims. We will inform you in advance if this incurs any costs for you. We have provided information about your option to revoke your consent under Section 4. Please note that exercising your rights can conflict with contractual agreements, which can have consequences, such as the premature termination of a contract or incurred costs. In such cases, we will inform you in advance where this is not already contractually or legally regulated.
The exercise of such rights generally requires that you clearly prove your identity (e.g. with a copy of an ID card, if your identity cannot otherwise be clearly verified). To assert your rights, you can contact us via the address provided under Section 2.
Furthermore, every person affected has the right to legally enforce their claims or to submit a complaint with the responsible data protection authority. The responsible data protection authority in Switzerland is the Federal Data Protection and Information Commissioner (http://www.edoeb.admin.ch).
15. Amendments
We may amend this privacy policy without prior notice at any time. The version published on our website is the version currently applicable. Where appropriate, we will update you about amendments via email or in another suitable manner.