PRIVACY POLICY OF THE CUSTOMER REGISTER
This is the register and privacy statement of Omply Finland Oy in accordance with the EU General Data Protection Regulation (GDPR). Prepared on 29 May 2026.
Data controller
Omply Finland Oy
Sokasaarentie 93,
87800 Kajaani
Business ID: 3568963-7
Contact person for matters concerning the register
Data Protection Officer
Petri Tapala
privacy@omply.com
Name of the register
The customer register of Omply Finland Oy.
Purpose and basis of processing
Personal data is processed on the basis of a contract-based customer relationship (the app user), another relevant connection, or the data subject’s consent.
Personal data is processed in order to provide the products and services available in the Omply app. Personal data may be used to maintain, manage and develop customer relationships, for analysis, statistics, the production of services and the sale of products, and the offering and development of these.
The legal bases for processing are consent, performance of a contract, legitimate interest (marketing, providing our services, defending rights, preventing misuse), and compliance with a legal obligation (e.g. the Accounting Act (1336/1997)).
The customer data contained in the register may be used for the data controller’s direct advertising or other direct marketing, or other comparable addressed communications, as well as for targeting online marketing.
Description of the categories of data subjects
- App users (consumers)
- App users (healthcare service providers)
- Marketing mailing list
Data content of the personnel register
Please note that the data controller for your health information is always the healthcare professional with whom you are dealing. With respect to that data, Omply acts only as a data processor. That data is encrypted and Omply has no access to it — meaning Omply cannot see your health information.
The following data may be processed in Omply’s personnel register:
- Basic data of the data subject: name, personal identity code, postal address, email address, phone number, gender, nationality, language of communication;
- Identification data (online banking / mobile certificate);
- Information about the service provider used by the app user: contact person’s name, postal address, email address, phone number;
- Mobile device data: the user’s contact information, physical address, phone number, device identifier, performance data, other diagnostic data, precise location, name, other usage data, product interaction, user ID, email address;
- Log data:
  - the service provider’s geographic location at country-level accuracy
  - login and usage times
  - app usage and event logs
  - the time, duration and technical connection details of appointments
  - error, malfunction and performance logs
  - information about any events that are contrary to, or deviate from, the terms of use
- Information concerning licences to practise a profession;
- The name and business ID of the employer company;
- Information about direct-marketing permissions and prohibitions;
- Information related to payments and invoicing;
- Information about email communication related to customer service situations.
Cookies and other similar technologies:
The Omply app uses cookies and other similar technologies, which may result in personal data being transferred to a third party. For more information, see https://omply.com/privacy-policy/.
Regular sources of data for the personnel register
Personal data is collected when you register for and use the Omply app.
Data may also be collected from:
- strong-authentication service providers,
- payment service providers,
- employers or partner organisations,
- the mobile device and operating system,
- technical log and analytics data related to use of the app,
- the professional-rights registers of healthcare professionals.
Personal data may also be collected and updated from the Population Information System, the Trade Register, credit-information registers, and other comparable public and private registers.
Regular disclosures of data
Personal data may be disclosed to the following parties:
- healthcare professionals and service providers,
- authentication and payment service providers,
- cloud and infrastructure service suppliers,
- analytics and communications service suppliers,
- authorities in situations required by law,
- customer service and technical support partners,
- companies belonging to the same group (the Omply group).
Transfer of data outside the EU or the European Economic Area
As a rule, personal data is not transferred outside the EU or the European Economic Area. The Omply app makes use of technology developed by third parties, in which case personal data may be transferred outside the EU/EEA area (click the link in the “Cookies and other similar technologies” section above for more information).
Retention period or retention criteria for personal data
We retain personal data for as long as it is necessary. Unnecessary personal data is anonymised or deleted. Retention periods for data are listed below:
| Data | Basis for processing | Retention period |
| --- | --- | --- |
| User data (consumers) | Fulfilment of contractual obligations | For the duration of app use + one month. The user is asked whether they wish to delete their account if it has been continuously unused for 24 months. |
| User data (healthcare professionals) | Fulfilment of contractual obligations | For the duration of the contractual relationship + 24 months |
| Customer support data | Fulfilment of contractual obligations | 24 months from the customer service event |
| Marketing data | Legitimate interest (marketing) | Five years |
| Data subject’s name and personal identity code | Legitimate interest (prevention of misuse) | Three years from when Omply closed the account due to misuse |
| Data concerning disputes | Legitimate interest (defence of rights) | Three months from the final conclusion of the dispute |
| Accounting data (vouchers for the financial period, correspondence concerning business transactions) | Compliance with a legal obligation | Six years after the end of the financial period |
| Accounting data (financial statements, annual report, chart of accounts, data reported to the Incomes Register) | Compliance with a legal obligation | Ten years after the end of the financial period |
| Log data | Compliance with a legal obligation, fulfilment of contractual obligations, legitimate interest (prevention of misuse) | Twelve months |
| Conversations and other information exchanged with a healthcare professional in the app (note: the healthcare professional acts as the data controller) | Fulfilment of contractual obligations | For the duration of the session |
Rights of the data subject
The data subject has the right to inspect the personal data stored about them in the register. Inspection requests must be submitted to privacy@omply.com.
The data subject has the right to request the correction of inaccurate data concerning them.
In certain situations, the data subject also has the right to have the personal data concerning them deleted from the register, and to request its transfer to another data controller.
Electronic direct marketing may be directed at the data subject provided that the data subject has given their consent to it. The data subject has the right to withdraw their consent at any time.
Any disagreements are resolved primarily by negotiating with the data subject. The data subject also has the right to refer a matter concerning the processing of personal data to the data protection authority for investigation. The contact details of the data protection authority can be found on the website of the Data Protection Ombudsman, www.tietosuoja.fi.
Principles of protection of the personnel register
Good data-management practice and the duty of care and protection required by data protection legislation are observed in the processing of personal data.
In the processing, the necessary technical and organisational measures are implemented to protect personal data from unauthorised access and from accidental or unlawful destruction, alteration, disclosure, transfer, or other unlawful processing.
Access to personal data is granted only to those persons for whom it is necessary to process personal data in their work duties.
Digitally stored and processed data is held in databases protected by firewalls, passwords and other technical means. Files in paper form are kept in locked premises.