1. Introduction
This Privacy Policy applies to all personal data processing by Next Step Dynamics AB across:
- nCare: SaaS platform for municipal elderly care management (B2B)
- LevFria: Consumer wellness app for fall risk assessment and strength training (B2C)
- Website: www.nextstepdynamics.com, www.nextstepdynamics.com/levfria, www.nextstepdynamics.com/ncare
- Related services: Email newsletters, community forums, customer support
Note: If you are a municipal customer of nCare, you may have a separate Data Processing Agreement (DPA) with specific terms. This Privacy Policy remains the overarching transparency document.
Next Step Dynamics AB processes personal data under the following legal framework:
- General Data Protection Regulation (GDPR) – EU 2016/679
- Swedish Data Protection Act (Dataskyddslagen) – 2018:218
- Patient Data Act (Patientdatalagen) – 2008:355 (for health-related processing)
- Act on Shared Health and Care Documentation (2022:913)
We are committed to:
- Lawful, fair, and transparent processing
- Data minimization (collecting only necessary data)
- Purpose limitation (using data only for stated purposes)
- Accuracy and integrity
- Storage limitation (retention only as long as needed)
- Security and confidentiality
2. What Personal Data We Collect
2.1 Data Collected from All Users (Website Visitors)
- Identity: Name, email address, phone number (if voluntarily provided)
- Contact: Mailing address, job title, organization
- Device: IP address, browser type, device type, operating system
- Engagement: Pages visited, time spent, clicks, referral source
- Cookies: Session identifiers, tracking IDs
2.2 Data from LevFria Users (Early Access & App Users)
- Registration: Full name, email, date of birth (optional), country
- Health Assessments: Fall risk questionnaire responses (DFRI), balance metrics, strength data
- Usage: In-app activity, exercise completion, goal progress
- Communications: Preference for email updates, engagement metrics
2.3 Data from nCare Users and Organizations (B2B)
- Administrator Accounts: Name, email, job title, organization, role
- Care Recipients: Name, date of birth, address, health assessment data (DFRI, MNA, ROAG), care plans
- Care Staff: Name, role, time logs, activity records
- Organizational Data: Municipality name, department, facility details
- Audit Logs: Access logs, data modifications, system events
Important: nCare processes special category data (health data) on behalf of municipal controllers. This is governed by a separate Data Processing Agreement (DPA).
2.4 Data from Email Communications and Support
- Support Requests: Email address, message content, attachments, support history
- Newsletter: Email address, engagement metrics (open rates, clicks)
- Event Registrations: Name, email, organization, interests
3. Purposes of Data Processing
| Service/Context | Purpose | Legal Basis |
|---|---|---|
| Website & Analytics | Understanding user behavior, improving UX | Legitimate Interest |
| Email Marketing | Newsletters, product updates, announcements | Consent (opt-in) |
| Customer Support | Responding to inquiries and technical issues | Contract / Legitimate Interest |
| Account Management | Creating and managing user accounts and profiles | Contract |
| LevFria Health Assessments | Providing wellness recommendations, fall risk insights | Consent + Legitimate Interest |
| nCare Care Management | Delivering municipal elderly care services | Contract + Legal Obligation |
| Security & Fraud Prevention | Detecting and preventing misuse, unauthorized access | Legitimate Interest |
4. Data Retention
| Data Category | Retention Period | Rationale |
|---|---|---|
| Website Analytics & Cookies | 13 months | Understand user trends; GDPR-compliant retention |
| Email Marketing | Active subscription + 30 days post-unsubscribe | Compliance with CAN-SPAM; respect opt-out |
| LevFria User Accounts | Until deletion requested + 90 days (backup) | Service delivery; recovery from accidental deletion |
| nCare Care Recipient Data | Duration of care + 7 years | Healthcare audit trail, legal/tax obligations |
| Support/Inquiry History | 3 years | Service continuity, dispute resolution |
5. Who We Share Your Data With
We do not sell personal data. We share data only with trusted partners under contractual and legal safeguards.
5.1 Service Providers (Data Processors)
| Service Category | Provider Examples | Purpose |
|---|---|---|
| Email & Marketing | Mailchimp, SendGrid | Email delivery, newsletter management |
| Analytics | Google Analytics | User behavior analytics, product insights |
| Cloud Hosting | Google Cloud Platform, AWS | Data storage, app hosting, security |
| Customer Support | Zendesk, Intercom | Ticketing, support communications |
6. Your Data Protection Rights
6.1 Right of Access (GDPR Article 15)
You have the right to request a copy of all personal data we hold about you.
- How to Request: Email dataprotection@nextstepdynamics.com with subject "Data Access Request"
- Timeline: 30 calendar days
- Cost: Free
6.2 Right to Rectification (GDPR Article 16)
You can request correction of inaccurate or incomplete data.
6.3 Right to Erasure – "Right to be Forgotten" (GDPR Article 17)
You can request deletion of your personal data, subject to legal exceptions.
- How to Request: Email dataprotection@nextstepdynamics.com with subject "Deletion Request"
- Timeline: 30 days
6.4 Right to Data Portability (GDPR Article 20)
You can request your data in a structured, machine-readable format (CSV, JSON).
6.5 Right to Object (GDPR Article 21)
You can object to processing based on legitimate interest or for marketing purposes.
6.6 Right to Lodge a Complaint
If you believe we have violated your privacy rights, you can file a complaint with:
Swedish Authority for Privacy Protection (IMY)
Website: www.imy.se
Email: kontakt@imy.se
Telephone: +46 (0)8 657 61 00
7. International Data Transfers
All personal data is primarily processed within the EU/EEA. If data is transferred outside the EU/EEA, we use Standard Contractual Clauses (SCCs) and appropriate safeguards.
8. Data Security
We implement industry-standard security measures:
- Encryption in Transit: HTTPS/TLS 1.2+
- Encryption at Rest: AES-256 for sensitive data
- Access Controls: Role-based access control (RBAC); least privilege principle
- Authentication: Multi-factor authentication (MFA) for staff/admin panels
- Monitoring: Real-time security monitoring, intrusion detection
9. Cookies and Tracking Technologies
We use cookies to improve user experience and analyze website usage. You can manage cookie preferences through your browser settings or our cookie consent banner.
10. Updates to This Privacy Policy
We may update this Privacy Policy to reflect changes in law or our practices. We will notify you of material changes via email. Continued use of our services after updates constitutes acceptance of the revised policy.
11. Contact and Support
For privacy-related questions, requests, or complaints:
- Email: dataprotection@nextstepdynamics.com
- Response Time: We aim to respond within 10 business days