Privātuma politika

SĀKUMS Privātuma politika

Applicable to the NIPTIFY medical service (hereinafter: service)


Last updated: March 2026

Below you will find information on how the data controller, Celvia CC AS (hereinafter: Celvia), processes and protects your personal data in accordance with the General Data Protection Regulation (EU) 2016/679 (GDPR) and in compliance with the general requirements arising from the legislation of the Republic of Estonia regarding the processing and protection of personal data:

  • Health Services Organisation Act §4 (4) (from the collected data, the data evidencing the provision of outpatient and inpatient health care services shall be retained for 30 years from the confirmation of the data concerning the service provided to the patient) and §3 (7) (documents evidencing a patient safety incident shall be retained for 30 years from the registration of the patient safety incident).
  • Law of Obligations Act Chapter 41 §771 (the limitation period for a patient’s claim for compensation for damage is three years from the time when the patient became aware of the healthcare provider’s breach of obligation and the occurrence of the damage).

Which data do we collect?

We collect the personal data provided when ordering the Niptify service. The data collected may include the following information:

  • Pregnancy week
  • Type of pregnancy (single or multiple)
  • Patient’s first and last name
  • Patient’s personal identification code
  • Information on whether the patient wishes to know the fetal sex and have it reflected in the report
  • Name of the healthcare professional, name of the clinic, and the time of the blood sample collection
  • In some cases, the patient’s email address and phone number
  • Free‑text comments added upon submission of the order (optional)

How is the data processed?

  1. The Ordering environment is an electronic ordering system (Celvia) created for the submission of service orders and hosted by the Information Technology Office of the University of Tartu.
  2. The Medipost service (AS Medisoft) is used by Celvia to receive service orders from medical institutions and to send result reports.
  3. eKliinik (Connected OÜ) is a healthcare information system used for transmitting service orders and result reports to the national Estonian Health Portal.
  4. Illumina BaseSpace (Illumina, Inc) servers are hosted in Frankfurt, Germany. Sequencing data are stored on the Illumina BaseSpace server so that they can be downloaded to the University of Tartu High Performance Computing Center.
  5. The NIPTIFY website, niptify.com, is used for serving international clients. Data collected during ordering (patient contact details, pregnancy information, payment information) are stored temporarily on the niptify.com server located in the European Union (managed by SIA “GoWEB”). The storage of data is temporary and necessary only for the correct processing of the order and for restoring data in case of an error. The data are not stored permanently in this environment.
  6. The patient registry and a copy of the service result report are stored on the Celvia server and are backed up in encrypted form.
  7. DNA sequencing data contain information about the entire genome. These data are analysed and stored at the University of Tartu High Performance Computing Center. The analysis results, together with the personal data submitted during the ordering process, are stored in the Ordering environment managed by Celvia.
  8. GatewayAPI (ONLINECITY.IO ApS) is a communication platform used in certain cases for sending NIPTIFY SMS notifications.
  9. The services of Zone Media OÜ are used for email communication.

With whom do we share your data?

We share your personal data only with trusted cooperation partners who comply with the General Data Protection Regulation (GDPR) and with whom an appropriate agreement has been concluded.

Third parties with whom we may share your personal data:

  • University of Tartu — data storage and analysis | Estonia (EU)
  • Estonian Accreditation Centre — supervision and accreditation | Estonia (EU)
  • Sertio Oy – notified body | Finland (EU)
  • SIA “GoWEB” – cloud hosting (EU)

Your personal data are not transferred outside the European Economic Area, except where appropriate safeguards have been implemented.

Legal bases for the processing of personal data

Celvia processes your personal data solely for the purpose of providing the service and in accordance with applicable legislation. We collect your personal data when a service order is submitted on your behalf (this is done by a healthcare professional) or when Celvia provides the service to you on-site in the laboratory.

The legal bases on which we process your personal data:

  • Consent – we process your personal data when you have given your explicit consent for a specific purpose. You have the right to withdraw your consent at any time.
  • Performance of a contract – we process your personal data when this is necessary for the performance of a contract concluded with you, including the provision of the service, or for taking steps at your request prior to entering into a contract.
  • Legal obligation – we process your personal data when this is necessary for complying with our legal obligations, such as cooperating with law‑enforcement or supervisory authorities, or for the protection and exercise of our rights.

How do we protect your data?

We have implemented appropriate technical and organisational security measures to protect your personal data against unauthorised access, alteration, disclosure or destruction. Although we do everything reasonably possible to ensure the security of your data, no method of electronic transmission or storage is entirely without risk. For this reason, we cannot fully exclude the possibility that unauthorised persons may circumvent our security measures. Please be aware that the transmission of data when using our services may always involve a certain level of risk. To better protect your data, we recommend using our services in a secure environment. In the event of a personal data breach that poses a high risk to your rights and freedoms, we will notify you and the competent Data Protection Inspectorate within 72 hours, in accordance with the GDPR.

Your rights in relation to the protection of personal data

Under the GDPR, you have the following rights:

  • Right of access. You have the right to request a copy of your personal data.
  • Right to rectification. You have the right to request the correction of inaccurate or incomplete personal data.
  • Right to erasure. You have the right to request the deletion of your personal data when its processing is no longer necessary.
  • Right to restriction of processing. You have the right, under certain conditions, to restrict the processing of your personal data.
  • Right to data portability. You have the right to receive your personal data in a structured and machine‑readable format.
  • Right to object. You have the right to object to the processing of your personal data, including for analytics or marketing purposes.
  • Right to withdraw consent. You have the right to withdraw your consent at any time.

To exercise your rights, please contact us at [email protected]. We will respond to your request within one month. Please note that in certain cases your rights may be limited in accordance with applicable legislation and trade secrets.

Use of cookies

We use cookies to ensure the smooth functioning of our website and to improve your user experience. Cookies classified as ‘necessary’ are stored in your browser because they are essential for the basic functions of the website. In addition, we use third‑party cookies that help us analyse website usage, remember your preferences, and provide you with relevant content and notifications. Such cookies are used only with your prior consent. You can choose to allow or disable cookies in full or in part. Please note that disabling certain cookies may affect the functionality and usability of the website.

Google Analytics

We may use the Google Analytics service to collect information about the use of our website and to analyse the performance of the service. If you do not wish your usage to be tracked, you can opt out by downloading the relevant browser add‑on at: https://tools.google.com/dlpage/gaoptout For more information about Google’s data protection practices, please refer to Google’s Privacy Policy page.

Do we update this Privacy Policy?

We may update these privacy terms from time to time to reflect changes in legislation or developments in our service. The most current version of the Privacy Policy is always available on our website. All updates are indicated by the ‘last updated’ date shown at the beginning of the document.

Contact details

If you have any questions or requests regarding this Privacy Policy, please contact us:

You have the right to lodge a complaint with the Data Protection Inspectorate.