Privacy Policy

PRIVACY POLICY

27 April 2026
  1. This Privacy Policy containsinformation on the processing of data by BM1 sp. z o.o., with its registeredoffice at ul. Jacka Malczewskiego 29, 26-600 Radom, entered in the Register ofEntrepreneurs kept by the District Court Lublin-East in Lublin with itsregistered seat in Świdnik, 6th Commercial Division of the National CourtRegister under KRS number 001136184, REGON 540066742, NIP 7963032569.
  2. The Privacy Policy is madeavailable in order to provide persons whose Personal Data are processed by theController with the broadest possible information on the scope of processeddata, methods and rules of processing and the rights of such persons. The basiclegal act concerning protection of Personal Data is Regulation (EU) 2016/679 ofthe European Parliament and of the Council of 27 April 2016, the General DataProtection Regulation.
  3. Each User using theApplication accepts this Policy and acknowledges the manner in which theController collects, stores, uses and protects Personal Data. If the Userrefuses to provide certain Personal Data, it may not be possible to conclude anAgreement with the Controller or for the Controller to provide the offeredServices.
I. GLOSSARY

The following terms have the meanings set out below:

Controller - BM1 sp. z o.o., ul. Jacka Malczewskiego 29, 26-600Radom, entered in the Register of Entrepreneurs under KRS number 001136184,REGON 540066742, NIP 7963032569.

Cookies - text files placed by a server on the device on which theBrowser or Application operates. Cookies are IT data, in particular text filesstored on the User’s end device and intended for use of the Application andPlatform.

Personal Data - any information relating to an identified oridentifiable natural person, including by reference to an identifier such as aname, identification number, location data, online identifier or one or morefactors specific to the physical, physiological, genetic, mental, economic,cultural or social identity of that person.

Browser - software used to display websites, including the Platform,such as Microsoft Edge, Chrome, Firefox or Safari.

Third Country - a country outside the European Economic Area.

Profiling - any form of automated processing of Personal Dataconsisting of using Personal Data to evaluate certain personal aspects relatingto a natural person, in particular to analyse or predict aspects concerningwork performance, economic situation, health, personal preferences, interests,reliability, behaviour, location or movements.

Privacy Policy or Policy - this document containing information onthe scope, methods and rules of processing data of Users using the Applicationor Platform and on the rights of such persons.

Processing - any operation or set of operations performed onPersonal Data or sets of Personal Data, whether or not by automated means,including collection, recording, organisation, structuring, storage,adaptation, alteration, retrieval, consultation, use, disclosure,dissemination, alignment, combination, restriction, erasure or destruction.

GDPR - Regulation (EU) 2016/679 of the European Parliament and ofthe Council of 27 April 2016.

Terms - the Terms and Conditions of the Sympa Health Platform andApplication.

User - the end user using the Application or Platform.

Terms not defined above have the meaning assigned to them in theTerms.

II. PERSONAL DATA: SOURCES, LEGAL BASES, PURPOSES, PRINCIPLES AND RETENTION
  1. Personal Data may be processedfor the purposes, on the legal bases and for the retention periods set outbelow:

    a) directly from Users, including during use of theApplication or Platform, completion of forms, communication with the Controllerby telephone, e-mail or any other method, and when submitting complaints;

    b) automatically through Cookies and other tracking tools, to the extent the Userhas consented to this;

    c) through functions of the User’s Device, in relation to the current location ofthe Device, if the User has given separate prior consent to location access anduses a function requiring such access.
  2. Personal Data may be processed for the purposes, on the legal bases and for the retention periods set out in Table 1.
  3. The Controller will process thefollowing Personal Data of the User, depending on the Services used:

    a) for account registration: name, telephonenumber, data from other applications or devices monitoring psychophysical parameters where the User connects them with the Application or Platform andconsents to such access;

    b) data entered by the User into the Application or Platform, including dataconcerning health, wellbeing, symptoms, cycle, pain, physical activity, sleep,diet, eating habits, mood, psychological wellbeing and other similarinformation;

    c) User-reported data necessary to provide selected Services, in particular dataconcerning endometriosis symptoms, their course and frequency, wellbeing,physical activity, sleep, diet, habits, psychophysical parameters obtained fromthe Device or other applications and other data provided to monitor wellbeingor present wellbeing recommendations;

    d) the current location of the User’s Device where the User has given priorconsent to location access and uses a function requiring such processing;

    e) data necessary to monitor health, wellbeing, diet and physical activity andother data necessary to present suggestions for improving the User’s quality of life;

    f) data necessary to issue invoices or other settlement documents and to fulfiltax, accounting and bookkeeping obligations;

    g) records of correspondence with the Controller, data necessary to fulfil GDPR obligations, visit and usage data, complaint data, withdrawal statements,newsletter e-mail address and data provided during account updates or frompublic registers.
  4. For visit data, whererequired and where consent has been obtained, the Controller may collect dataconcerning devices and networks used to access the Services, including IPaddress, login data, browser type and version, plug-ins, operating system,advertising identifier, visit information, referral URL and visit time, inparticular through Cookies.
  5. When the User usescommunication channels, including contact forms, the Controller processes datanecessary to communicate with the User, respond to enquiries or fulfilrequests, such as name, e-mail address and Personal Data included in themessage.
  6. For marketing, based onlegitimate interest, third-party legitimate interest or consent, informationmay be processed to adapt advertising and content to the User’s preferences,including behavioural advertising. This may include IP address, login data, browserdata, operating system, advertising identifier, visit information, searched orviewed products, download errors, time spent on pages, interactions with otherpages and contact details provided by the User.
  7. For analytics, statisticsand adapting content and functions of the Application and Platform, informationabout the User’s activity and preferences may be collected.
  8. The Controller does notstore confidential data such as credit or debit card numbers or online bankingaccess data. Providing Personal Data is voluntary, but necessary to provideServices. The required scope of data is indicated in the Terms and before therelevant Service begins
III. RECIPIENTS OF PERSONAL DATA
  1. In connection with the Services, Personal Datamay be disclosed to:

    a) business partners of the Controller where a dataprocessing agreement has been concluded;

    b) service providers, including technical, hosting, analytics, payment, accountingand legal service providers;

    c) persons cooperating with the Controller in relation to the Application orPlatform on the basis of authorisations or data processing agreements;

    d) public authorities, including the prosecutor’s office or police, where requiredby law;

    e) Amazon Web Services Ireland Limited, One Burlington Plaza, Burlington Road,Dublin 4, Ireland, and/or Contabo, Aschauer Str. 32a, 81549 Munich, Germany,for server hosting, on the basis of an agreement with the Controller.
  2. Data may be transferredto external recipients where necessary to use external services, performagreements, properly perform a contract, conduct analytics and statistics,optimise the Application or Platform, contact the User, present an offer,comply with law, defend claims or where there is a threat to life, health,property or safety.
  3. Where required by law andwith the User’s consent, the Controller may create combinations of informationconcerning the User, including Personal Data and data obtained through Cookies,and may use them for the purposes described in this Policy.
IV. PROCESSING IN THIRD COUNTRIES
  1. Because the Controlleruses IT solution and system providers within the Platform and Application,Users’ Personal Data may be transferred outside the European Economic Area.
  2. The Controller carefullyselects entities with which it cooperates and always aims to ensure appropriatedata protection. Entities cooperating with the Controller are expected toguarantee a level of protection required by European law.
  3. An entity processingPersonal Data outside the European Economic Area is Google LLC, 1600Amphitheatre Parkway, Mountain View, California 94043, USA, which providesGoogle Analytics for analysing User traffic in the Application.
  4. Transfers outside the EEAare made on the basis of appropriate safeguards. Where there is an adequacydecision, the transfer may be based on that decision. Where there is noadequacy decision, the Controller will apply appropriate safeguards, inparticular standard contractual clauses adopted by the European Commission oran authorised supervisory authority and approved by the Commission, and willinform Users where applicable.
V. USER RIGHTS
  1. Users whose Personal Data are processed have the following rights, subject to the conditions set out in the GDPR:

    a) the right of access to Personal Data;

    b) the right to rectification;

    c) the right to erasure;

    d) the right to restriction of processing;

    e) the right to data portability;

    f) the right to object to processing based on legitimate interest, including direct marketing;

    g) the right to withdraw consent at any time where processing is based on consent, without affecting the lawfulness of processing carried out before withdrawal;

    h) the right to lodge a complaint with thePresident of the Personal Data Protection Office or another competentsupervisory authority.
  2. Requests may be submitted tothe Controller using the contact details indicated in this Policy or in theApplication/Platform. The Controller may verify the identity of the personmaking a request where necessary.
VI. PROFILING AND AUTOMATED PROCESSING
  1. The Controller may useProfiling to adapt content, functions, recommendations, communications oradvertising to the User, to the extent permitted by law and, where required, onthe basis of the User’s consent. The Application may analyse data reported bythe User and other data entered in the Application or Platform in order topresent wellbeing recommendations. Such recommendations are educational andwellbeing-oriented and do not constitute medical advice, diagnosis or treatmentrecommendations.
  2. The Controller does notmake decisions based solely on automated processing that would produce legaleffects concerning the User or similarly significantly affect the User, unlesssuch processing is permitted by law and the User is provided with requiredinformation and safeguards.
VII. DATA SECURITY
  1. The Controller appliestechnical and organisational measures appropriate to the risks and categoriesof data processed, including measures aimed at protecting confidentiality,integrity, availability and resilience of systems and Services. User-reported dataconcerning health are treated as particularly sensitive and are protected usingencryption and access-control mechanisms.
  2. Despite the measurestaken by the Controller, use of the Internet involves risks. Users shouldprotect their Devices and accounts, including by using strong passwords, notsharing login details, using antivirus software where appropriate and keepingsystems up to date.
VIII. COOKIES AND SIMILAR TECHNOLOGIES
  1. The Application andPlatform may use Cookies and similar technologies for technical, analytical,statistical, marketing and functional purposes. Some Cookies are necessary forproper operation of the Services, while others are used only where the User hasconsented, if such consent is required.
  2. The User may manageCookies through browser, device or Application settings. Restricting Cookiesmay affect availability or proper operation of some functions.
IX. NEWSLETTER AND MARKETING COMMUNICATIONS
  1. The Controller mayprovide a free newsletter by e-mail containing information about news in theApplication and Platform, changes to Services and functions, medical-marketnews or other commercial information related to the Controller’s activity.Subscription requires the User’s voluntary consent and use of the e-mailaddress provided by the registered User.
  2. The User may unsubscribefrom the newsletter at any time by deactivating the subscription or usinganother method made available by the Controller.
X. LOCATION
  1. With the User’s consent,the Controller may process the current location of the User’s Device within thePlatform and Application. Location is used to adapt information, notices,content or functions to the User’s lifestyle, whereabouts and needs.
  2. The Controller mayprocess, including temporarily remember, the User’s location only where theUser has given separate prior consent and where the related function requiresthis. Location data may include the current position of the Device, approximatelocation or location saved by the User in the settings of a function. Thesedata are not used for purposes other than those described in this Policy.
  3. Location may be disabledby the User at any time in the Device or Application settings, where therelevant function permits this. Disabling location may affect proper operationof the Platform or Application or make it impossible to use functions requiringlocation access.
  4. Withdrawal of consent toprocess location data does not affect the lawfulness of processing carried outbefore withdrawal.
XI. CHANGES TO THE PRIVACY POLICY
  1. The Controller aims tokeep this Policy up to date. If there are changes in law, case law, supervisoryauthority guidance, codes of practice binding on the Controller, technology,methods, purposes or legal bases of Personal Data processing, the Controllerwill make appropriate changes to this Policy. Users will be informed of changeson the first attempt to log into the Application after the change.

TABLE 1