Privacy policy Zymego - Introduction
CodeZyme AB ("CodeZyme", "we", "us" and "our"), reg. no. 559171-0438, process personal data as part of the provision of our services, named Zymego. CodeZyme is a Swedish company with customers and operations in various countries primarily within Europe and the UK. Your integrity is important to us, and we take the protection of your personal data and your personal integrity seriously. We therefore strive towards always protecting your personal data in the best possible way in accordance with applicable data protection laws and regulations. Through this privacy policy, we want to inform you about how we process your personal data.
Processing on behalf of a healthcare provider - data processor
CodeZyme processes certain personal data about you on behalf of healthcare providers to make it easier for you to manage and change your booked appointment with the respective healthcare provider. In these situations, the healthcare provider is the data controller for the processing of your personal data and CodeZyme processes data on behalf of the healthcare providers as a data processor. CodeZyme's processing of personal data in such situations is limited to what is necessary to manage appointments on behalf of the healthcare providers. For further information about the processing carried out in such situations, we refer to the respective healthcare providers’ Privacy Policies as the healthcare provider acts as the data controller for such processing. CodeZyme enters into data processing agreements with all its customers (i.e., the healthcare provider) that governs our processing of your personal data on behalf of the healthcare provider. This Privacy Policy informs you of the processing of your personal data that CodeZyme carries out in the capacity of the data controller.
What data do we process about you and why?
CodeZyme, as the Processor, is authorised by the Controller to manage certain types of Personal Data. This includes the unique identifiers for both the patient and the practitioner, the name of the individual, the date and time of the booking, as well as the type of booking. This processing is essential for us to provide our services effectively.
User account
Purpose: To administer your use of Zymego and your account in the service, including notifying you of open appointments in relation to any waiting list you have added yourself to through the service.
Lawful basis: We do this based on the legal basis to fulfil an agreement with you, i.e. the terms of use of Zymego.
Categories of personal data processed: Your name and your contact details.
Retention period: Your data is stored as long as you are a user of Zymego. All personal data of users who have not logged into the service for 24 months will be deleted.
NHS login (England): Please note that if you access our service using your NHS login details, the identity verification services are managed by NHS England. NHS England is the controller for any personal information you provided to NHS England to get an NHS login account and verify your identity, and uses that personal information solely for that single purpose. For this personal information, our role is a “processor” only and we must act under the instructions provided by NHS England (as the “controller”) when verifying your identity. To see NHS login’s Privacy Notice and Terms and Conditions, please click here. This restriction does not apply to the personal information you provide to us separately.
Marketing
Purpose: To provide you with information concerning new updates and improvements of Zymego and other similar services we offer.
Lawful basis: This processing is based on a so-called balancing of interests. Our legitimate interest in the processing is to be able to inform you about the development of our service offering.
Categories of personal data processed: Your name and your contact details.
Retention period: Your data is stored as long as you are a user of Zymego. All personal data of users who have not logged into the service for 24 months will be deleted.
Providing you with information such as reminders and booking confirmations in relation to healthcare appointments
Purpose: To provide you with booking confirmations and reminders of your healthcare appointments managed or booked through Zymego.
Lawful basis: We process your personal data for these purposes based on the legal basis to fulfil an agreement with you, i.e. the terms of use of Zymego.
Categories of personal data processed: Your name, your contact details and location of your healthcare appointment.
Retention period: Your data is stored as long as you are a user of Zymego or until you withdraw your consent. All personal data of users who have not logged into the service for 24 months will be deleted regardless of whether you have withdrawn your consent.
The provision of your personal data is a contractual requirement to administer your use of Zymego and your account within the service. To the extent that if you do not provide your personal data to us, we cannot provide the Service to you.
Who can access your personal data?
Your personal data will be processed by CodeZyme. CodeZyme may also transfer your personal data to healthcare providers that you interact with through Zymego. Such transfer will take place when you manage a healthcare appointment through Zymego. The transfer to the healthcare provider takes place in order to place and secure your booked appointment. The healthcare provider that receives your personal data for the purpose of handling the booking will process your personal data as a data controller and is thus not a data processor of CodeZyme.
In addition, your personal data may be shared with third parties who process personal data on our behalf, so-called data processors, such as our supplier of IT-services and other system suppliers that may have access to your personal data.
Our data processors are:
- Google Cloud, for cloud computing services.
- Microsoft Azure, for SMS, emails and phone calls.
Transfer of personal data to third countries
As a principal rule, we, our suppliers and our partners strive to process your personal data only within the UK and the EU/EEA.
Processing within the UK
When you use Zymego, your personal data is, as a principal rule, processed within the UK.
Processing within the EU/EEA
When we need to access your personal data for specific purposes, including but not limited to maintenance, issue resolution, product development and support, your personal data will primarily be processed within EU/EEA.
Processing outside the UK or EU/EEA
In cases where personal data is processed outside the UK or EU/EEA, such processing is either based on a decision from the Commission establishing that the country in question ensures an adequate level of protection or appropriate safeguards that ensure that your rights are protected.
If you wish to obtain a copy of the safeguards we have put in place, information on where they have been made available or any other more detailed information in relation to where and how we process and transfer your personal data, please contact us as set out below.
Your rights
Right to access (Article 15 GDPR) and right to rectification of processing (Article 16 GDPR)
You have the right to access information about the personal data we process about you and the right to request the rectification of your personal data. You also have the right to obtain a copy of the personal data processed by us as well as information about our processing of your personal data.
Right to erasure (Article 17 GDPR)
You have the right to obtain erasure of your personal data, if any of the following applies:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed,
- you object to the processing pursuant to Article 21.1 GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21.2 GDPR,
- the personal data have been unlawfully processed, or
- the personal data has to be erased for compliance with a legal obligation in Union or Member State law that applies to us.
Please note that our obligation to erase and inform according to above shall not apply to the extent processing is necessary:
- for exercising the right of freedom of expression and information,
- for compliance with a legal obligation which requires processing by Union or Member State law which applies to us, or
- for the establishment, exercise or defence of legal claims.
Right to restriction of processing (Article 18 GDPR)
You have the right to obtain restriction of the processing of your personal data if any of the following applies:
You have the right to obtain from us restriction of the processing of your personal data if:
- the accuracy of the personal data is contested by you, during a period enabling us to verify the accuracy of the personal data,
- you have objected to processing pursuant to Article 21.1 GDPR pending the verification whether our legitimate grounds override yours,
- the processing is unlawful, and you oppose the erasure of the personal data and instead request the restriction of their use, and
- you need the personal data for the establishment, exercise or defence of legal claims even though we no longer need the personal data for the purposes of the processing.
Right to data portability (Article 20 GDPR)
If you have given your consent, or if we base the processing on a contract with you, you have the right to obtain the personal data concerning you that you have provided to us in a structured, commonly used and machine-readable format and to transmit it to another controller or to obtain our assistance in transmitting it to another controller where technically feasible.
Right to object (Article 21 GDPR)
When the processing of your personal data is based on a balancing of interest, you also have the right to object at any time to the processing of your personal data. We may refuse such request if we can demonstrate compelling legitimate grounds for such processing that overrides your interests.
Right to lodge a complaint with a supervisory authority (Article 77 GDPR)
If you have any complaints regarding our processing of your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office, the Swedish Data Protection Authority or any other competent supervisory authority that supervises the processing of personal data by companies.
Contact us
If you wish to exercise your rights as set out above or otherwise wish to contact us regarding our processing of your personal data, you can do so by contacting us by e-mail support@zymego.com.
Data Protection Officer
This privacy policy was last updated by CodeZyme AB on 14 March 2025.
