Leyr Privacy Policy

Effective date: 2025-10-30

The latest version is always available on our website.

Introduction

Leyr was founded with the vision of making healthcare data accessible throughout the ecosystem, benefiting patients, healthcare professionals, and organizations. In our mission to remove unnecessary barriers to data sharing, we are committed to handling data with the utmost care to maintain the trust placed in us.

We are based in Sweden and currently offer our services within the EU/EEA. To provide clarity on how we process data in different parts of our services, we have divided the privacy policy to reflect the different aspects of our offering.

Please read the full details below.

Data Subject's Rights

Access your personal data
Request rectification or erasure of your personal data
Object to the processing of your personal data
Withdraw your consent to the processing of your personal data at any time
File a complaint with the Swedish Authority for Privacy Protection (IMY)

Contact Information

If you have any inquiries or concerns regarding our privacy policy or if you would like to file a complaint under GDPR, the EU ePrivacy Directive, or the EU Digital Services Act, please don't hesitate to contact our Data Protection Officer (DPO) at dpo@leyr.io.

Name and contact details of the Data Controller:

Leyr Health AB Org.nummer 559384-5778 - contact@leyr.io

Privacy Policy for Leyr API in Production

Production Data, including but not limited to Patient Data, is processed solely in accordance with the Data Processing Addendum included in the signed commercial agreement between Leyr and a customer. If you would like a detailed explanation of our complete privacy policy for production data, please feel free to contact us.

Privacy Policy for Leyr Developer Portal (leyr.io/developers)

Personal Data We Process

We collect the following personal data:

Email address used for registration
IP address used for registration

Purpose

We collect personal data for the following purposes:

Providing the Leyr Developer Portal as a service
Tracking the volume of requests made to the Leyr API for performance monitoring and billing purposes
Conducting user research
Improving our services
Communicating any changes in the Leyr Terms of Use or Leyr Privacy Policy
Providing support and troubleshooting to our users
Protecting our services from malicious use and ensuring the security and integrity of our platform

Legal Basis

To create an account and ensure the security of any apps created in the Developer Portal, an email address is required. The email address is also used for password resets and communication regarding any changes in the terms, policies, or services provided.

It is necessary for us to trace volumes of billable transactions in order to accurately charge customers based on existing commercial agreements.

We also believe that supporting, troubleshooting, analyzing, and improving our services is necessary. This includes adopting product development best-practices and involving users in research activities to ensure a user-centric approach.

We also have a legitimate interest in protecting our services from malicious use and ensuring the security and integrity of our platform. This is necessary to maintain the availability and reliability of our services for all users and to comply with our obligations under applicable laws and regulations.

Retention

Email addresses are kept for the following duration:

During the existence of the developer portal account and are immediately erased upon termination of the account.
Indefinitely in an anonymized format for accounts where billed transactions have occurred.
IP addresses are stored for one month following registration. Those that are blacklisted due to malicious behaviour are kept indefinitely.

Protection of Personal Data

We protect personal data as follows:

Encryption: Personal data is encrypted during transit. If supported by the underlying subprocessor, personal data is also encrypted at rest.
Data minimization: We only process a minimal amount of personal data. We allow the use of non-personal email addresses and do not ask for any other personal identifiers.
Access minimization: Access to personal data is only permitted for Leyr employees who need it.

Processors and Third Countries

We use the following Processors for processing personal data:

Name of Subprocessor	Description of Processing	Data being processed	Location of Processing	Corporate Location	Covered by EU-U.S. Data Privacy Framework
Microsoft (Microsoft Azure)	hosting of leyr.io, database service	e-mail	Norway, EU	US	Yes
Intuit Inc. (Mailchimp)	e-mail distribution tool for updates	e-mail	US	US	Yes

As of 2023-07-10, an adequacy decision regarding the US was made by the European Commission. See what this means on either IMY's or EC's website: SV EN

Cookies and Similar Technologies

A cookie is a text file stored by your browser. We use a persistent first-party cookie to keep you logged in, enhancing your user experience by eliminating the need to log in with each visit. You actively consent to this by selecting "Remember me (requires cookie)" upon login. You can withdraw consent at any time by deleting the cookie in your browser settings, where you can also manage cookie retention.

For website analytics, we utilize Plausible.io, an open-source privacy-friendly tool. As of November 2023, Plausible.io describes their technology in the following manner:

All the site measurement is carried out absolutely anonymously. Cookies are not used and no personal data is collected. There are no persistent identifiers. No cross-site or cross-device tracking either. Your site data is not used for any other purposes. All visitor data is exclusively processed with servers owned and operated by European companies and it never leaves the EU.

This means that we do not collect any personal data for website analytics.

Automated Decision-Making, Including Profiling

We don't use automated decision-making or profiling.

Privacy Policy for Leyr Calendar (patients)

Personal Data We Process

We collect the following personal data:

Name and surname
Social security number
Email address
Phone number
Any personal data left as free text comments in conjunction with your booking

Purpose

We collect personal data for the following purposes:

Allow you to book an appointment with a healthcare provider

Please note that the healthcare provider with whom you book your appointment may process your personal data further to abide by legal and regulatory requirements, or to contact you about your appointment.

Legal Basis

To book an appointment with a healthcare provider, they need to know for which patient the appointment is for. Legal requirements state that health data related to a patient must be stored in that patient's record. In addition, we ask for your consent before your data is processed to book an appointment.

The healthcare provider may use the data collected from the appointment booking to contact you, in order to provide their services to you. Please refer to the healthcare provider's privacy notice for more information about their data processing activities.

Retention

Personal data is only processed in transit to the target Electronic Health Record. Leyr does not store the personal data in our services. Please refer to the healthcare provider's privacy notice for more information about their data retention process.

Protection of Personal Data

We protect personal data in transit as follows:

Encryption: Personal data is encrypted in transit to the respective Electronic Health Records.
Data minimization: We only process a minimal amount of personal data as needed by the respective Electronic Health Records.
Access minimization: Leyr employees cannot access personal data processed in the Calendar.

Processors and Third Countries

We use the following Processors for processing personal data in Leyr Calendar:

Name of Subprocessor	Description of Processing	Data being processed	Location of Processing	Corporate Location	Covered by EU-U.S. Data Privacy Framework
Microsoft (Microsoft Azure)	hosting of leyr.io, database service	e-mail	Norway, EU	US	Yes

As of 2023-07-10, an adequacy decision regarding the US was made by the European Commission. See what this means on either IMY's or EC's website: SV EN

Cookies and Similar Technologies

The Leyr Calendar does not use any cookies.

Automated Decision-Making, Including Profiling

We don't use automated decision-making or profiling.

Privacy Policy for Leyr External Calendar sync (customers)

The following section regards Leyr Calendar customers who activate the External Calendar feature, where appointment times and appointment type, but no other data relating to the appointment, is sent to an external calendar of the customer's choice. The data relating to the external calendar is processed as follows:

Personal data in production, including but not limited to Patient Data, is processed solely in accordance with the Data Processing Addendum included in the signed commercial agreement between Leyr and a customer. If you would like a detailed explanation of our complete privacy policy for production data, please feel free to contact us.

Google Calendar

Google User Data Processed
- Email address
- Calendar data
- Calendar link
How your Google user data is
- accessed: Customers connect their Google calendar to Leyr by completing Google OAuth authentication, embedded in Leyr Developer portal.
- used: Leyr read calendars which are connected. Leyr writes an event to the calendar as an appointment is booked.
- stored: A list of selected calendars and access tokens are stored in Leyr's database in an encrypted format.
- shared: Leyr does not share your Google User Data.
Customers may disconnect Google Calendar through Leyr developer portal at any time. This action automatically clears Google Credentials from Leyr's database.

Privacy Policy for remaining parts of leyr.io

Personal Data We Process

We collect the following personal data:

Email address, upon registration
IP address, upon registration

Purpose

We collect personal data for the following purposes:

Allowing visitors to register for the Leyr Newsletter
Allowing visitors to get in touch with Leyr via the 'Contact Us' form
Protecting our services from fraudulent registrations, spam sign-ups, and malicious use

With a separate explicit consent, we collect data for the following purposes:

Conducting direct marketing of our products and services
Conducting sales dialogue with potential customers

Legal Basis

When registering for the Leyr Newsletter, we acquire a separate explicit consent from the individual providing their email address. Consent can be withdrawn at any time by unsubscribing from the newsletter.

We also believe that we have a legitimate interest in processing the provided email addresses in the 'Contact Us' form to initiate a dialogue with potential customers, which may involve marketing and/or sales activities. As you provide your email address and provide explicit consent for data processing in this form, we have a legal basis to reach out to you.

We have a legitimate interest in protecting our services from abuse, fraud, and malicious activity. Processing IP addresses upon registration helps us identify and prevent fraudulent registrations, spam sign-ups, and other harmful activities.

Retention

Email addresses are kept as follows:

For the duration of the newsletter subscription and deleted immediately upon request to unsubscribe.
Indefinitely for email addresses provided when asking to be contacted by Leyr.
IP addresses are stored for one month upon registration. Those that are blacklisted due to malicious behaviour are kept indefinitely.

Protection of Personal Data

We ensure the protection of personal data through the following measures:

Encryption: Personal data is encrypted during transmission. If the underlying subprocessor supports it, personal data is also encrypted when stored.
Data minimization: We only process the minimum amount of personal data necessary. We allow the use of non-personal email addresses and do not request any other personal identifiers.
Access minimization: Access to personal data is restricted to Leyr employees who need it.

Processors and Third Countries

We use the following Processors for processing personal data:

Name of Subprocessor	Description of Processing	Location of Processing	Corporate Location	Covered by EU-U.S. Data Privacy Framework
Microsoft (Microsoft Azure)	hosting of leyr.io	Norway, EU	US	Yes
Notion Labs, Inc. (Notion)	maintaining list of e-mail addresses for newsletter, and incoming contact requests	US	US	Yes
Intuit Inc. (Mailchimp)	newsletter distribution tool	US	US	Yes

As of 2023-07-10, an adequacy decision regarding the US was made by the European Commission. See what this means on either IMY's or EC's website: SV EN

Cookies and Similar Technologies

Leyr.io does not use cookies.

For website analytics, we use Plausible.io, an open-source privacy-friendly tool:

This means we do not collect any personal data for website analytics.

Automated Decision-Making, Including Profiling

We don't use automated decision-making or profiling.

IT Systems Outside the Scope of Leyr's Privacy Policy

We may link to various external websites, such as LinkedIn and Medium. This privacy policy is not applicable for data collected after you leave leyr.io.