Privacy policy

Last updated February 5, 2025

Hereunder, you will find the information on how data controller Celvia CC AS (hereinafter: Celvia) processes and protects your personal data in accordance with the General Data Protection Regulation (EU) 2016/679 (GDPR).

Celvia is a biotechnology company focused on research and product development in personal medicine, and human reproductive medicine. Celvia is located in Teaduspargi 13, 50411, Tartu, Estonia, Celvia’s service laboratory has medical laboratory licence no L05235 from The Health Board of Estonia. 

Celvia offers an NIPTIFY screening test (hereinafter: Service) that is a CE-IVD-validated and registered in vitro medical diagnostic device. The test can be distributed all over the European Union. Celvia has ISO 15189:2012 accreditation.

In order to provide you with the Service, Celvia must process your personal data, including your health and biometric data. If you do not agree with our Privacy Policy, please do not use the Service.

1. WHAT INFORMATION DO WE COLLECT?

We collect personal information that you provide when placing an order for Service:

• Pregnancy week
• Pregnancy type (single or multiple)
• Name and surname
• National identification code
• Phone number
• Email
• If we should report the sex of the fetus
• Package delivery location 
• The clinic name where to give the blood sample
• Optional comments that can be added during the placing of the order

Please be advised that you are accountable for ensuring the accuracy of the personal information that you submit to us. 

We do not store payment data. All payment data for the Service is handled and stored by Montonio Finance UAB. You may find their privacy notice link(s) here: https://montonio.com/legal/privacy-policy/.

The Service generates based on the provided blood sample sensitive health and genetic information:

• Whole-genome sequencing data containing DNA sequencing reads extracted from the blood sample. This data is securely stored and analysed in the University of Tartu High-Performance Computing Centre.
• The analysis results that are based on the processing of whole-genome sequencing data. These results with the personal information provided by you are stored in under University of Tartu Information Technology Office hosted secure platform managed by Celvia. The same platform is used to make results available for you. Also the personal information provided by you is processed by https://buy.niptify.com

2. WHO DO WE SHARE YOUR DATA WITH?

We only share your personal data with trusted third parties who comply with the GDPR and have signed a Data Processing Agreement with us.

Third parties with whom we share your personal data:

• University of Tartu – Data storage and analysis | Estonia (EU) 
• Contabo Data Center – Secure cloud hosting | Düsseldorf, Germany (EU)
• Montonio Finance UAB – Payment processing | Lithuania (EU)

We do not transfer your personal data outside the European Economic Area (EEA) unless appropriate safeguards are in place.

3. WHAT INFORMATION DO WE AUTOMATICALLY COLLECT?

We automatically collect certain information when you visit, use, or navigate the Service. This information does not reveal your specific identity (like your name or contact information) but may include device and usage information, such as your IP address, browser and device characteristics, operating system, language preferences, referring URLs, device name, country, location, information about how and when you use our Services, and other technical information. This information is primarily needed to maintain the security and operation of our Service, and for our internal analytics and reporting purposes.

The information we collect includes:

• Log and Usage Data. Log and usage data is service-related, diagnostic, usage, and performance information our servers automatically collect when you access or use our Service and which we record in log files. Depending on how you interact with us, this log data may include your IP address, device information, browser type, and settings and information about your activity in the Services (such as the date/time stamps associated with your usage, pages and files viewed, searches, and other actions you take such as which features you use), device event information (such as system activity, error reports (sometimes called “crash dumps”), and hardware settings).
• Device Data. We collect device data such as information about your computer, phone, tablet, or other device you use to access the Services. Depending on the device used, this device data may include information such as your IP address (or proxy server), device and application identification numbers, location, browser type, hardware model, Internet service provider and/or mobile carrier, operating system, and system configuration information.

4. LEGAL BASES FOR PROCESSING

Celvia processes your personal data only for providing Service and in accordance with applicable law. We collect your personal data when you contact us to request a service or use our Service.

We rely on the following legal bases to process your personal information:

• Consent – We may process your information if you have given us permission (i.e., consent) to use your personal information for a specific purpose. You can withdraw your consent at any time. 
• Performance of a Contract – We may process your personal information when we believe it is necessary to fulfil our contractual obligations to you, including providing our Service or at your request prior to entering into a contract with you.
• Legal Obligations – We may process your information where we believe it is necessary for compliance with our legal obligations, such as to cooperate with a law enforcement body or regulatory agency, or exercise or defend our legal rights.

5. THE USAGE OF COOKIES 

We use cookies to help you navigate efficiently and perform certain functions. The cookies that are categorized as “Necessary” are stored on your browser as they are essential for enabling the basic functionalities of the site.

We also use third-party cookies that help us analyze how you use this website, store your preferences, and provide the content and advertisements that are relevant to you. These cookies will only be stored in your browser with your prior consent.

You can choose to enable or disable some or all of these cookies but disabling some of them may affect your browsing experience.

Google Analytics

We may share your information with Google Analytics to monitor and analyze the use of the Service website. To opt out of being tracked by Google Analytics across the Services, visit https://tools.google.com/dlpage/gaoptout. For more information on Google’s privacy practices, please refer to the Google Privacy & Terms page.

6. HOW LONG DO WE KEEP YOUR INFORMATION?

We do not retain your personal data longer than necessary for the purposes for which it was collected or as required by applicable law. We apply the following retention periods when storing personal data:

• Personal data related to healthcare services documentation must be retained in accordance with “Tervishoiuteenuste korraldamise seadus” and “Tervishoiuteenuste osutamise dokumenteerimise tingimused ja kord” along with other relevant legislation. As a result, documentation related to the provision of healthcare services may be retained for up to 30 years. 
• Logs of healthcare service information systems are retained for 5 years in accordance with § 3¹ of the “Tervishoiuteenuste osutamise dokumenteerimise tingimused ja kord”. The logs include information about the content of data processing, the authorized processor (who processed the data), and the date and time of processing. Accordingly, data processing logs are retained for 5 years.
• Personal data related to accounting records and financial documents must be retained in accordance with relevant accounting laws. Therefore, Celvia retains accounting documents for 7 years.

7. HOW DO WE KEEP YOUR INFORMATION SAFE?

We have implemented technical and organizational security measures aimed at protecting your personal information. While we strive to safeguard your data, no method of electronic transmission or storage is completely secure. As a result, we cannot guarantee that unauthorized third parties, will not bypass our security. Although we make every effort to protect your personal information, transmitting data to and from our Services entails inherent risks. To enhance security, we recommend accessing our Services only within a secure environment.

If a personal data breach occurs that poses a high risk to your rights, we will notify you and the relevant Data Protection Authority within 72 hours, as required by the GDPR.

8. DO WE MAKE UPDATES TO THIS POLICY?

We may update this Privacy Policy to reflect legal changes. The latest version will always be available on our website. Any changes will be reflected by the “Revised” date at the top of the notice.

9. YOUR DATA PROTECTION RIGHTS

Under the GDPR you have the right to: 

• Access Your Data – Request a copy of your personal data
• Correct Your Data – Update incorrect or incomplete information
• Delete Your Data – Request data erasure if processing is no longer necessary
• Restrict Processing – Limit how we use your data under certain conditions
• Data Portability – Receive your data in a strcuctured, machine readable format
• Object to Processing – Obt out of processing for analytics or marketing
• Withdraw Consent – Stop any processing based on consent 

To exercise your rights, please email us at [email protected], we will respond within one month. Please be advised that these rights may be limited in some circumstances by applicable law. 

10. CONTACT INFORMATION

If you have any questions or requests regarding our Privacy Policy, contact us at:

• Email: [email protected] 
• Postal Address: Teaduspargi 13, 50411, Tartu, Estonia

You also have the right to file a complaint with the Estonian Data Protection Inspectorate (AKI).