Privacy Policy

Version 1.0 – Last updated on 21 November 2025

We consider it important that your personal data is handled with care and that you are well informed about how we process your personal data. This privacy statement describes how we handle personal data.

1 General

HealthConnected B.V. (“HealthConnected” or “we” / “us” / “our”) is a Dutch company, with its registered office at Helderseweg 54F, 1817 BB Alkmaar, the Netherlands.

Our business activities take place in the Netherlands and we store our data on servers in the European Economic Area (EEA).

HealthConnected has developed the HealthApp platform (“HealthApp”). More information about our platform and applications can be found on this website: https://healthapp.nl. You can use the HealthApp via your general practitioner (GP).

HealthConnected provides the HealthApp on behalf of the GP. This web page is intended to facilitate access to the HealthApp.

At the moment you visit this web page, HealthConnected processes some personal data for its own purposes. For these processing activities, HealthConnected is the data controller.

In this privacy statement, we explain which personal data we process about you for our own purposes.

2 What is personal data?

“Personal data” means any information relating to an identified or identifiable natural person (the “data subject”), according to the definition in the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, hereinafter: “GDPR”).

An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

The data protection principles of the GDPR do not apply to anonymous data, namely data that does not relate to an identified or identifiable natural person, or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. Anonymised data may concern aggregated data (which cannot be traced back to an identifiable natural person or be linked to personal data).

Aggregated, anonymous data helps us further develop our services and applications. This privacy statement does not limit or restrict our collection and use of such “aggregated” information.

3 When, why and how do we process your data?

Personal data can be collected and processed by us in a number of ways.

3.1 When you visit and use our web page https://healthapp.nl

We do not collect or process IP addresses and no tracking takes place. We only collect non-traceable data in order to gain insight into the use of our web page.

To collect non-traceable data, we use Simple Analytics. This is a company based in Europe, with a modern and privacy-friendly view on the collection of website visitor information. More information about Simple Analytics can be found here: https://www.simpleanalytics.com/nl.

A further explanation of what is and is not collected and processed can be found here: https://docs.simpleanalytics.com/what-we-collect?ref=healthconnected.nl.

We also use necessary functional cookies that are stored on your device. No personal data is stored in this context. An overview of the cookies we use can be found on our website.

If you wish to block, delete or be warned about cookies, please consult the instructions or help screen of your browser or mobile device for more information on these functions. However, if a browser or mobile device is set not to accept cookies, or if you refuse a cookie, some parts of our website may not function properly. For example, you may not be able to use certain features of our website.

More specific information about our use of cookies can be found in our Cookie Policy. More information about how to change your browser’s cookie settings can be found at www.allaboutcookies.org.

3.2 When you contact us via our web page or request that we contact you

You can contact us or ask us to contact you regarding questions, (support) requests, comments or complaints.

When you contact us via the web page, we collect the information you enter, including your name, contact details, the reason for contacting us and any other information you choose to provide.

We use this data to respond to your question, comment or complaint.

In this context, this data may also be used by us in connection with our legitimate interests in following up on communications.

We also use the above data in our legitimate interest to manage our internal administration, for training purposes and for our legitimate interest in being able to improve our services.

The data is treated confidentially. If you communicate information to us that relates to your relationship with your GP, we delete this information. We do not further process this data and we do not forward it to your GP (even if we were to know who your GP is).

3.3 Other purposes

If necessary, we may also process your data as described above for our legitimate interest in protecting our (legal) rights, for example in connection with legal claims, and when we have a legal obligation to process your data.

4 How long do we retain your data?

Data that is processed during your visit to our web page (see section 3.1) is retained for as long as we reasonably need it for the purposes mentioned. Data processed from cookies is retained for the duration indicated on our website.

We retain your data relating to questions, comments or (support) requests that you have submitted to us (see section 3.2) for as long as is reasonably necessary to achieve the purpose, with a period of no less than two years.

If we retain data to protect our rights (see section 3.3), we retain this data until the relevant dispute has been definitively resolved.

If your data must be retained in order to comply with applicable law, the retention period may be longer.

5 With whom do we share data?

Except in the cases mentioned below, we will not share your data with third parties unless we have obtained your prior consent. We do not sell or trade personal data about visitors to the web page to third parties.

Apart from this, we will not share your data with third parties unless we have your prior consent, this is necessary in connection with the purposes mentioned above or with legal claims, or we are legally obliged to do so.

Sharing with (sub)processors

In order to provide our website and products and services, we use third parties. Where necessary, we share your data with our service providers and professional advisers (such as IT suppliers or CRM providers). We have concluded agreements with our service providers to protect your personal data (the so-called (sub)processor agreements).

In other cases, we will not share your data with third parties unless we have previously obtained your consent, this is necessary in connection with the purposes mentioned above or with legal claims, or we are legally obliged to do so.

Sharing with your consent

We may also share personal data with third parties when you give us permission to do so on your behalf.

6 Protection of personal data

We will ensure that we take appropriate technical and organisational security measures for the processing of personal data. We follow generally accepted standards for the protection of personal data, such as ISO 27001 and NEN 7510, both during transmission and once we have received the personal data.

Some examples of security measures are:

  • We have implemented physical, electronic and managerial procedures designed to prevent unauthorised access to, loss or misuse of personal data as far as possible.

  • We limit internal access to personal data to employees who need the information to perform their duties. Unauthorised access to or unauthorised use of personal data by an employee is prohibited and is grounds for disciplinary action.

  • Our employees are contractually bound to confidentiality.

  • All our employees must provide us with a Certificate of Good Conduct (Verklaring Omtrent Gedrag – VOG) before they can and may work for us.

  • Our information management systems are configured in such a way that employees who are not authorised to consult certain information or personal data in principle have no access to that information.

  • Our (sub)processors are contractually obliged, by means of a processor agreement, to secure the personal data they receive from us.

  • Your data is transmitted via a secure connection when you, for example, perform an action relating to your GP record. Your data is encrypted during transmission. This means that your data is unreadable if it falls into the wrong hands.

7 What choices do you have regarding the use of your personal data?

Before we share your data with third parties in ways that are not covered by this privacy statement, you will be informed and asked to give your consent at the time such information is collected. You can withdraw this consent at any time.

8 Rights

Right of access and copy

You have the right to:

  • request which personal data we process about you;

  • request a copy of your personal data that we process. We may charge a reasonable fee for additional copies;

  • request information about the purposes of processing, the categories of personal data concerned, the (categories of) recipients of personal data, the retention period, the source of the data and whether we use automated decision-making.

Right to rectification

If the personal data we process about you is incorrect or incomplete, you may ask us to correct or supplement this personal data. If we grant your request, we will, insofar as reasonably possible, inform the parties to whom we provide data pursuant to this privacy statement of the correction.

Right to erasure of data

You may ask us to erase personal data about you. Depending on the purpose of processing, we will comply with this request.

Data that we process on the basis of a legal obligation will only be erased when the processing of this personal data for the relevant purpose is no longer necessary.

Personal data that is processed on the basis of our legitimate interest will be erased if, following a balancing of interests, your interest in erasure outweighs our interest in retention. We will carry out this balancing of interests and share it with you.

Personal data that is processed on the basis of your consent will be erased after you have withdrawn your consent.

If we accidentally process personal data unlawfully, or where a specific law prescribes that we must erase the personal data, we will erase the personal data.

Personal data needed for the handling of a (judicial) procedure or a (legal) dispute with you will only be erased after the final conclusion of the relevant procedure or dispute. If we grant your request, we will, insofar as reasonably possible, inform the parties to whom we provide data of this erasure.

Restriction of processing

You may ask us to restrict the processing of your personal data if you contest the accuracy of the personal data we process, if you believe that we are processing your personal data unlawfully, if we no longer need your personal data or if you have objected to the processing.

You may, for example, request the restriction of processing for the period we need to assess your objection or challenge to a processing activity, or if it is already clear that there is no (longer a) lawful basis for further processing of that personal data, but you still have an interest in us not erasing the personal data yet.

If the processing of personal data is restricted at your request, we may still use the relevant personal data for the handling of a (judicial) procedure or a (legal) dispute with you.

Right to data portability

We can transfer the personal data that is processed automatically for the performance of a contract or on the basis of your consent to you or to another party designated by you. You may make such a request at reasonable intervals. We will comply with your request within 4 weeks of receipt.

Right to object and to withdraw consent

If we process data on the basis of a legitimate interest, you may object to the processing. If we process data on the basis of your consent, you may withdraw that consent. For more information, please refer to the relevant processing purposes above.

Automated individual decision-making

We do not make decisions that are based solely on automated processing.

Exercising your rights

You can send a request to exercise your rights to fg@healthapp.nl.

To prevent misuse, we ask you, in the case of a request for access, rectification or erasure, to provide identification. You can do this by sending a copy of a valid identity document, with your citizen service number (BSN) and photograph obscured.

We aim to process your request, complaint or objection within one month. If no decision can be made within that period, we will inform you of the reasons for the delay and the time at which the decision can be expected. Such time will not be later than three months after receipt of the request.

9 Complaints

If you have a complaint about our processing of your personal data, please contact us. We will be happy to assist you. If we are unable to resolve the matter together, you also have the right to lodge a complaint with the supervisory authority, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens). You can contact the Dutch Data Protection Authority via https://autoriteitpersoonsgegevens.nl/.

10 Changes

We reserve the right to amend the provisions of this privacy statement. If we make changes to the privacy statement, we will inform customers of this by email. The amended privacy statement will also be published on our website. We recommend that you periodically review the latest version of the privacy statement.

11 Contact

If you have any questions or comments about this privacy statement, you can contact us by leaving a response on the following (sub)page: https://feedback.healthapp.nl. Your response will be forwarded to our data protection officer.

12 Cookies

Cookie | Provider | Purpose | Category | Retention period | First-/third-party | Data collected
JSESSIONID | Help Center | Maintains the user session so that navigation / staying logged in works and requests are correctly linked to the server. | Strictly necessary | Session (expires when browser is closed) | First party | Pseudonymous session ID (no personal data by itself)
crmcsr | Help Center | CSRF protection: prevents forged requests for forms/actions. | Strictly necessary | Session (expires when browser is closed) | First party | Random security token (no content data)
zalb_81bd8b294f | Help Center | “Sticky” load balancing: temporarily keeps you on the same server node for stability/performance. | Strictly necessary | Session (expires when browser is closed) | First party | Routing/node ID (pseudonymous)
zalb_4a1e652dc2 | Help Center | Same as above. | Strictly necessary | Session (expires when browser is closed) | First party | Routing/node ID (pseudonymous)
zalb_03b3d436a7 | Help Center | Same as above. | Strictly necessary | Session (expires when browser is closed) | First party | Routing/node ID (pseudonymous)
zd_group_name | Help Center | Routing/cluster assignment for the Help Center (similar to stickiness), to support performance and session consistency. | Strictly necessary | Session (expires when browser is closed) | First party | Cluster/group label (pseudonymous)