Privacy Policy

Last updated: 10.04.2024

1. Privacy Policy

1. This Privacy Policy describes how Migrevention (registration code 14936768) processes User personal data when you use the Migrevention Application or receive Migrevention Healthcare Services. It also describes Migrevention website www.migrevention.com cookie policy.
2. In case User receives healthcare services from another Healthcare Provider, who uses Migrevention Patient Manager, then the privacy policy of the relevant Healthcare Provider shall also apply. Here is a list of Healthcare Providers who use Migrevention Patient Manager: https://migrevention.com/healthcare-providers.
3. Please read this Privacy Policy and Healthcare Providers` privacy policy carefully, and if you have any questions regarding the processing of your personal data or if you wish to exercise your rights related to the processing of your personal data, or if you wish to make requests, please contact us using the contact details provided in section 2.1. If you have questions in relation to the data processing during the health care provision then you should contact your Healthcare Provider.
4. If you do not agree with the terms stated in this Privacy Policy, you must refrain from using the Migrevention Application, connecting the Migrevention Application to the Migrevention Patient Manager, or receiving Healthcare Services from Migrevention.
5. The following terms are used in this Privacy Policy with the following meanings:
   User - An individual who uses the Migrevention Application to maintain their health data, monitor their health condition, alleviate illness, and manage their health or who connects their Migrevention Application to the Migrevention Patient Manager or to whom the Migrevention Healthcare Specialist provides Migrevention Healthcare Services through the Migrevention Application.
   Migrevention Application - Migrevention Headache App is a mobile application available for free or for a fee from Google Play or the Apple App Store, depending on the package chosen by the User. The Application is marketed as a Class I medical device and has the following purpose: Migrevention Headache App is intended to be used by patients with primary headaches for improving adherence, facilitating headaches self-management and preventing the development of medication overuse headache (MOH). The device consists of an analytical and visualizing digital diary for self-monitoring headache episodes, including their frequency, intensity, possible triggers, and medication overuse alarm that warns the user of acute or symptomatic headache medication overuse (MO), based on the calculations of the patient's self-reported medication intake data and relying on the limits and guide values of acute or symptomatic headache medication overuse (MO), provided in the International Classification of Headache Disorders (ICHD-3). The Device enables users self-generated headache diary and medications intake data to be remotely accessed by the monitoring healthcare professional and asynchronous communication via chat function with the monitoring healthcare professional who is using Migrevention Patient Manager.
   Migrevention Patient Manager - Software solution developed by Migrevention and licensed to the Healthcare Provider that allows the Healthcare Provider to access data entered by Users and healthcare professionals, and allows the healthcare professional to communicate asynchronously with the User. Healthcare Provider can access the User data and provide services to a specific User via Migrevention Patient Manager only if the User has agreed to establish a connection between its Migrevention Application and Migrevention Patient Manager.
   Healthcare Provider - Healthcare Provider, who uses Migrevention Patient Manager during the provision of healthcare services to the User. The list of connected Healthcare Providers is regularly updated and provided here: https://migrevention.com/healthcare-providers.
   Migrevention Healthcare Specialist - Nurse or neurologist, operating in Migrevention, registered in the Health Board's register of healthcare workers, and providing Migrevention Healthcare Services to the User.
   Patient Portal - A national health information system accessible at: https://www.digilugu.ee/login. The responsible data processor for the patient portal is the Ministry of Social Affairs, and the authorized data processor is the Health and Welfare Information Systems Centre. Through the patient portal, the User can view their health data, i.e., medical documents prepared by healthcare service providers and sent to the health information system, check the validity of their health certificate, appoint representatives for various activities (e.g., prescription retrieval), submit declarations of intent, check who and when accessed their health data by name. For more information about the patient portal, visit: https://www.tehik.ee/tervise-infosusteem. For questions related to the patient portal, please contact the User Support of the Health and Welfare Information Systems Centre by phone at +372 794 3943 (7.00-22.00) or by email at abi@tehik.ee.
   Migrevention Healthcare Service - Healthcare service provided by the Migrevention Healthcare Specialist in the format of an online chat or video consultation in the field of outpatient neurology (headache counseling) through the Application. The terms of Migrevention Healthcare Services are stipulated in the Migrevention terms of use.

2. Migrevention´s role as data controller and/or data processor

1. Migrevention OÜ (registration code: 14936768) is the data controller in two occasions: a) when providing digital service of making Migrevention Application accessible to User and b) providing Migrevention Healthcare Services to the User. You can contact Migrevention by sending an email to info@migrevention.com or by regular mail to Räägu 10b-1, 10620 Tallinn.
2. When the User is accepting the connection between the Migrevention Application and the Migrevention Patient Manager and trilateral service provision continues (whereby Migrevention is making the Patient Manager available to the Healthcare Provider), then Migrevention becomes a data processor of the personal data (including health data) entered by the Healthcare Provider (data controller) to the Patient Manager and/or processed during the asynchronous chat via Application. Migrevention continues however to be the data controller relating to the Migrevention Application.

3. Processed Data
   Migrevention processes personal data during the Migrevention Application digital service provision and Migrevention Healthcare Service provision based on the following objectives:

1. Data enabling identification: first and last name, personal identification code, date of birth.
2. Contact details: email address, telephone number, contact address, language preference.
3. Healthcare service data: data about the service provider, the time and location of service provision, the content of the service, and its cost.
4. Payment data (in case User purchases digital services for fee): data related to the payment for the service, including, if necessary, bank account details for the purpose of billing for the provided healthcare service.
5. Health data and health behavior data, including patient generated input data entered into the Application: for example, administered medications, records and data related to headache episodes, episode time, duration, intensity, triggers or other factors and  data related to the use of the Application and output data (for example patient diary summaries, trends, alarms in case of medication overuse etc)
6. Health data collected for the preparation and/or provision of Migrevention Healthcare services or within the scope of Migrevention Healthcare Service provision, including information about the User's health condition, medication and prescription data, data related to health behavior, forms and questionnaires filled out within the context of Migrevention Healthcare Service provision, instructions, recommendations, prescriptions, and referrals given by the Migrevention Healthcare Specialist to the User during the Migrevention Healthcare provision. The composition and extent of health data processed by Migrevention in a specific case primarily depend on the User's chosen Migrevention Healthcare Service.
7. Data created and/or entered during the asynchronous communication via chat.
8. Data necessary for customer support and ensuring the quality of the service and the Application: a) responses related to feedback on healthcare services and/or the functioning of the Application; b) consents given by the User to Migrevention; c) metadata, such as your browser information in server logs, including IP address, necessary for resolving technical issues or cyber-attacks; d) relevant data and information collected during post-market surveillance activities of the device, used for risk assessment and improvement of clinical evaluation and user-friendliness of the device.
9. Other data voluntarily disclosed by User to Migrevention, the Application, or within the scope of provided Migrevention Healthcare Services.

4. Purposes of Processing and Legal Bases
   Migrevention processes personal data for the following purposes and legal bases (note that several purposes and/or legal bases may be applicable at the same time)

1. Creation of User Account for Using the Application or Receiving Migrevention Healthcare Services
   To start using the Migrevention Application for its intended purpose or to receive Migrevention Healthcare Services or healthcare services provided by the Healthcare Providers, through the Migrevention Application (including booking services), you need to download the Migrevention Application and create a Migrevention account. To create an account, we ask for your personal data - your name, gender, date of birth, address, email address, and chosen password. We process your data based on the terms of use and/or the Healthcare Services Organization Act.
2. Intended Use of the Application
   For the intended use of the Migrevention Application, you need to provide information related to your headaches, such as the start and end of headache episodes, medications used, headache intensity, triggers, and other observations about your headaches. We receive this input data automatically from the Migrevention Application. We process your input data based on the terms of use to enable the intended use of the Application.
3. Provision of Healthcare Services and Preparation for Service Delivery
   When you approach Migrevention to receive Migrevention Healthcare Services, we process your personal data for the specific provision of Migrevention Healthcare Services to you and/or for preparing and documenting the service provided. In this case, we process your personal data (including health data) based on the Healthcare Services Organization Act and the terms of use. If you cancel an appointment for receiving Migrevention Healthcare Services, Migrevention or the      Migrevention Healthcare Specialist may have already processed your personal data to prepare for the healthcare service delivery.
4. To connect Application and Patient Manager
   When your Healthcare Provider uses the Patient Manager then the User may be requested to connect the Application with the Patient Manager so that Healthcare Provider could access the patient generated input data (i.e. patient diary data) in the Patient Manager and the system could allow the Healthcare Provider to communicate asynchronously with you via Patient Manager. The User always decides whether or not to connect or discontinue the connection. The connection is established based on User consent.
5. To use Patient Manager during healthcare provision

1. After the User has consented to connect the Application with the Patient  and trilateral service provision continues (whereby Migrevention is making the Patient Manager as digital service available to the Healthcare Provider), then Migrevention shall process, as data processor, User´s personal data (including health data) entered by the Healthcare Provider (data controller) to the Patient Manager and/or by the Healthcare Provider or User to the asynchronous communication via Application on the basis of service agreement with Healthcare Provider. Healthcare Provider has legal basis for processing User data by Healthcare Services Organization Act and/or as stipulated in the privacy policy of the Healthcare Provider.
2. For clarity - Migrevention continues to be the data controller for all the data processing relating to the Application also during the trilateral service provision (as described in clause 4.5.1), and the legal basis for such data processing is the terms of use.

6. Processing of Payment Data for Service Billing
   We process your payment data for billing purposes based on the terms of use.
7. To provide technical support, resolve complaints and suggestions, ensure service quality, and perform post-market surveillance activities for medical devices.

1. Whenever you need assistance from Migrevention's technical support or if you want to submit a complaint or suggestion regarding the Application or service, we will record your email address along with the information you provide (referred to as a "help desk ticket") to offer you better support and services.
2. Migrevention also keeps records of remote service to ensure the quality of the provided Migrevention Healthcare Service. Data is processed based on the terms of use or legitimate interest.
3. We may also use personal data to continuously monitor the functionality of the Application, eliminate bugs, improve user experience, or enhance its performance. Relevant data collected within the scope of post-market surveillance activities for the Application as a medical device is used to enhance risk assessment, clinical evaluation, and user-friendliness of the device. The legal basis for processing such data is the terms of use and the Medical Devices Regulation (MDR).

8. For data synchronization
   When you synchronize or update your device used for the Migrevention Application, your actions and data entered into the Migrevention Application are uploaded to the Migrevention server. These data are associated with your user account and are stored and used to continue providing the service to you. Each time the device is synchronized, a log of data upload is created, which includes the synchronization date and time, as well as the IP address at the time of synchronization. Data is processed based on the terms of use to ensure the quality of the Migrevention Application and healthcare service.
9. For direct marketing
   We may process your personal data (e-mail address) to respond to your inquiries, comments, and posts on platforms we manage, such as social media, or to send you newsletters informing you about our current and future services. We may send you news and evidence-based information about headaches that we believe may be of interest to you. Your consent is sought to receive the direct marketing newsletter, and we retain this consent. Agreeing to receive the newsletter is voluntary and is not a prerequisite for using the Migrevention Application or receiving healthcare services. If you wish to unsubscribe from our newsletter, please contact Migrevention using the contact details provided in section 2.1.
10. For personalizing the Migrevention Application user experience
    We may provide selected Users with the opportunity to test new enhancements or functionalities before their public release and collect feedback on such updates. Data is processed based on consent.
11. To fulfill legal obligations
    Based on applicable law, Migrevention may be obliged to disclose personal data to a court or law enforcement authorities in accordance with the relevant legal provisions or, for example, when the transmission of personal data is mandatory under the Insurance Activities Act in connection with an inquiry made by an insurance provider. In all such cases, Migrevention will only disclose personal data if it is legally required and in compliance with all applicable principles of data processing, including the principle of minimization.
12. Use of anonymized data for public health or research purposes
    In certain cases, the use of anonymized data may be necessary for public health purposes in the public interest, to protect users and society from serious cross-border health threats, or to ensure high-quality and safety standards in healthcare and medical devices. Additionally, processing may be necessary for research purposes, such as conducting interventional or clinical studies using non-identifiable data collected through the Migrevention Application, as well as conducting non-interventional and retrospective studies. The processing of data for secondary purposes only occurs under the following conditions:

1. the data is in anonymized form,
2. the processing of data is unlikely to cause harm to the data subject,
3. no negative consequences for data subjects result from the secondary processing,
4. protective measures are in place to ensure data confidentiality and integrity,
5. the existence of a legitimate interest is assessed on each occasion, and the data subject's interests or fundamental rights and freedoms do not outweigh the legitimate interest of the data controller (or third party),
6. the secondary use of data is closely related to the primary purposes of use.

5. Retention period

1. Migrevention retains personal data for as long as necessary, in accordance with the purpose of data processing, requirements set forth by applicable laws and data processing agreements with Healthcare Providers.
2. All personal data collected during the use of the Migrevention Application is deleted no later than 3 years after the cessation of using the Application.
3. Accounting data containing personal data is retained for 7 years from the end of the financial year in which the business transaction was recorded in the ledger based on the original document.
4. Migrevention, as a healthcare service provider, retains records proving the provision of healthcare services in accordance with the deadlines specified in the Healthcare Services Organization Act.
5. Feedback collected for user satisfaction evaluation is not stored for more than 3 years from the receipt of the feedback.
6. Metadata (such as your IP address) is processed for as long as necessary to address technical difficulties or browser/server attacks. Metadata is deleted 30 days after being recorded.
7. Data created and/or entered during the asynchronous communication via chat function is retained for no longer than 7 days after the  User has disconnected the Migrevention Application from the Migrevention Patient Manager.

6. Authorized Data Processors and Third Parties

1. Migrevention does not share your personal data with third parties without your consent, except for supervisory authorities or accountants, auditors, and, if necessary, legal advisors.
2. If the Healthcare Provider uses Migrevention Patient Manager, then the User is given the opportunity to decide whether to establish a connection between the Migrevention Application and Migrevention Patient Manager. Consent shall be asked before establishing the connection. The User shall have the right to terminate the connection at any time. The termination of the connection does not terminate the usage of the Migrevention Application and/or processing of the data in the Migrevention Application.
3. By using the Migrevention Application and the services provided through it, you agree that Migrevention may share your personal data with third parties to ensure the usability of the Application and services. These may include, among others:

1. Specialists dealing with your case or providing healthcare services to you;
2. Migrevention's partners (natural or legal persons), such as IT development and server services, who process data as authorized processors of Migrevention. Contractually, it is ensured that these third parties may not use the data for purposes other than the provision of services according to our established rules and agreements.

4. When providing Migrevention Healthcare Services to the User, Migrevention may transmit health data to the Patient Portal Information System, located at the website https://id.digilugu.ee, with the responsible processor being the Ministry of Social Affairs and the authorized processor being the Estonian eHealth Foundation (registry code 70009770, address Pärnu mnt 132, 11317 Tallinn), if it is necessary for the provision of healthcare services to the User.
5. When providing Migrevention Healthcare Services to the User, Migrevention may, as necessary, transmit and/or receive the user's health data through the Prescription Center, with the responsible processor being the Health Insurance Fund and the authorized processor being the Estonian eHealth Foundation (registry code 70009770, address Pärnu mnt 132, 11317 Tallinn), if it is necessary for the provision of healthcare services to the User.
6. When providing Migrevention Healthcare Services to the User, Migrevention may, as necessary, transmit and/or receive the user's health data through the Image Bank, with the responsible processor being the Ministry of Social Affairs and the authorized processor being the Estonian Health Image Database Foundation (registry code 90007945, address Puusepa 8, 51014 Tartu), if it is necessary for the provision of healthcare services to the User.

7. Security Measures

1. Migrevention processes your personal data securely, utilizing various organizational, physical, and technological methods to ensure security.
2. Migrevention uses the TLS/SSL certificate on every *.migrevention.com domain.

8. Location of Personal Data Processing and Transfers to Third Countries

1. The processing (including storage) of personal data always takes place on servers within the European Union.
2. Migrevention does not share your personal data with third countries.

9. Rights of the Data Subject

1. Subject to limitations imposed by applicable data protection laws, you have the following rights:

1. The right to access your personal data;
2. The right to rectify personal data;
3. The right to erase personal data;
4. The right to obtain a copy of personal data provided by yourself;
5. The right not to be subject to a decision based solely on automated processing of your personal data, including profiling, and the right to object to such processing;
6. The right to withdraw consent for the processing of your personal data;
7. The right to object to the processing of personal data.

2. You have the right to lodge a complaint regarding the processing of personal data to the Data Protection Inspectorate. For more information, please visit: https://www.aki.ee/en.

10. Cookies of Migrevention website

1. To provide the best possible user experience, the Migrevention website (migrevention.com) uses cookies. A cookie is a small text file that is automatically stored on your device after using the Migrevention website.
2. Cookies allow us to provide users with a better user experience. For example, cookies allow us to remember a User's previous visits and choices made within the website.
3. The Migrevention website uses Cookiebot CMP consent management system.
4. The overview of the cookies used by Migrevention on the website are provided here: https://migrevention.com/cookie-declaration.
5. User can delete and/or block cookies stored on your device by adjusting the corresponding settings on the website. If you choose not to allow cookies, the website may not function as expected, and/or some features of the website may not be accessible. For more information on blocking cookies, please visit www.aboutcookies.org.

11. Push notifications, in-app notifications and local notifications in the Migrevention Application

1. Migrevention is using three types of notification methods in the Application: push notifications, in-app notifications and local notifications. The exact type of notification method is chosen pursuant to the urgency of the communication. For example: a) warning of medication-overuse (MOH) and b) alert of risk of developing medication-overuse headaches (MOH) are the high priority (urgent) notifications in the Migrevention Application, as they directly relate to the intended purpose of the Application, and they will be sent as push and in-app notifications to secure the timely delivery.
2. If you have provided us with your permission, then Migrevention may send you push notifications and/or local notifications from time to time, to provide you with service reminders and notifications in regard to Migrevention Application. In-app notifications are part of Migrevention Application functionality and do not require User permission.
3. Note that all notifications are an important element for ensuring that you get the largest possible benefit from the Migrevention Application. If you no longer wish to receive these types of notifications (push and/or local notifications), you may however turn them off.

12. Changes

1. Migrevention regularly reviews the current Privacy Policy and makes changes as necessary. The latest version of the Privacy Policy is always available on the Migrevention website. Migrevention will inform Users of any changes to the Privacy Policy and ask for their consent to continue processing personal data under the conditions stated in the Privacy Policy.
2. If you do not agree to the changes in the Privacy Policy, you must stop using the Migrevention Application and the provided services.