Supar.Health is committed to protecting your privacy and to handling your personal data, including health-related information, with a high degree of care, confidentiality, and transparency. This Privacy Policy explains how Supar.Health collects, uses, stores, shares, and otherwise processes personal data in connection with the Supar.Health platform, its diagnostic services, and its related digital health infrastructure. It also explains your rights in relation to such processing and the legal framework under which that processing takes place.
This Privacy Policy is intended to reflect and support compliance with applicable European Union and Danish legislation, including the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the Danish Data Protection Act, the Danish Health Act (Sundhedsloven), the Danish rules on medical record keeping, and other applicable legal and regulatory requirements relevant to clinical diagnostics, digital health services, and laboratory operations.
1. Who We Are
Supar.Health ApS, CVR no. 41298790, is a clinical diagnostics provider and digital health platform operator established in Denmark. Supar.Health develops and offers biomarker-based health testing services, including suPAR testing performed using CE-IVD assays, and provides a software platform through which test results, clinical data, and certain health-related information may be viewed, managed, and, where relevant, interpreted in a structured digital environment.
Our registered address is Strandvejen 64, 2900 Hellerup, Denmark. Questions relating to this Privacy Policy or to our processing of personal data may be directed to us using the contact details made available on our website and in our contractual documentation.
Depending on the specific service model and workflow involved, Supar.Health may act either as an independent data controller, for example in relation to operation of its own platform environment and the processing of anonymized data for research and development purposes, or as a data processor acting on behalf of a clinic or other healthcare provider. In certain cases, role allocation may depend on the underlying contractual arrangement and the medical responsibility associated with the service in question.
2. Scope of This Privacy Policy
This Privacy Policy applies to the processing of personal data that takes place when you interact with Supar.Health as a patient, end user, clinic representative, laboratory user, website visitor, or other relevant party in connection with our services. It applies to processing carried out through our website, our software platform, our communications with you, our diagnostic workflows, and any related clinical, technical, scientific, or administrative processes that form part of the Supar.Health service environment.
In some contexts, additional notices, consents, or service-specific privacy terms may be provided, for example in connection with specific research activities, genetic testing, biobank participation, or certain clinic-specific workflows. Where such supplementary notices are provided, they are intended to complement this Privacy Policy and should be read together with it.
3. The Structure of the Supar.Health Service Environment
The Supar.Health platform is designed as a regulated, role-based clinical and digital infrastructure supporting several different categories of users. These typically include individual end users or patients, clinics that offer or interpret testing services and maintain the underlying medical relationship with the patient, laboratories that process biological samples and generate test results, and Supar.Health itself in its capacity as platform provider, product supplier, and in some contexts laboratory operator.
The legal and operational responsibilities of these parties are not identical. In many cases, the clinic with responsibility for the patient relationship, medical interpretation, and record-keeping will act as the primary data controller for the identifiable clinical data processed in connection with a given patient. Laboratories may act either as processors acting on behalf of a clinic or, in certain workflows, as independent controllers where they themselves assume medical responsibility for issuing and reporting results. Supar.Health may also, depending on the service model, act as an independent controller for certain platform-related and anonymized data processing activities, while acting as a processor or infrastructure provider in relation to identifiable clinical information processed on behalf of clinics.
Because of this multi-actor model, access to data within the platform is strictly controlled through user-role governance, permission structures, and technical segregation. A clinic does not gain access to all users of the platform, but only to those patients with whom it has an established relationship and for whom the necessary permissions and legal basis exist. Likewise, laboratories and administrative users are restricted to the information necessary for their specific role and function.
4. Categories of Personal Data We Process
In the course of providing our services, Supar.Health may process a broad range of personal data and health-related information. This may include ordinary personal data such as your name, date of birth, email address, telephone number, address, and, where legally necessary, national identification information such as a CPR number. We may also process information concerning your use of our platform, such as log-in data, system activity, device information, IP address, and other technical information relevant to maintaining platform integrity, security, and functionality.
Where you use our clinical or laboratory services, we may process health-related data including biomarker results, such as suPAR measurements expressed in ng/mL, medical history, symptoms, medication information, lifestyle factors, referral information, clinician notes, and other metadata relevant to the interpretation of your result. We may also process information associated with biological samples, such as sample identifiers, collection details, chain-of-custody information, and processing status.
In addition, we may process communications exchanged with you or with clinics, laboratories, and other authorized parties in connection with support, clinical coordination, quality assurance, or service administration. We also retain records relating to user consents, preferences, and access permissions, including any permissions granted by a patient to a clinic in relation to read and write access to data within the platform.
5. Purposes of Processing
Supar.Health processes personal data only for specified and legitimate purposes and only to the extent necessary in relation to those purposes. The central purpose of processing is the provision of clinical diagnostic services and supporting digital infrastructure. This includes receiving and registering requests for testing, processing samples, generating laboratory results, presenting results through the platform, facilitating clinical reporting, and enabling authorized healthcare professionals to interpret and act upon the results where relevant.
Personal data is also processed to maintain secure user accounts, support the functioning of the platform, administer clinic and laboratory workflows, provide customer and technical support, monitor quality, ensure traceability and auditability, and comply with legal and regulatory requirements applicable to healthcare, diagnostics, and medical documentation.
In addition, Supar.Health may process data for scientific, analytical, and developmental purposes, including the improvement of diagnostic methods, the development of software functionality, the validation of reporting engines, the refinement of bioinformatic models, and broader research and innovation activities related to chronic inflammation, biomarker interpretation, and precision health. Where such activities involve personal data, they are carried out only under an appropriate legal basis and with applicable safeguards. Where such activities rely on data that has been anonymized in a manner that removes the possibility of direct or indirect identification, such data may be used on an ongoing basis for research, statistical, technical, and commercial development purposes.
6. Legal Basis for Processing
Supar.Health only processes personal data where a valid legal basis exists under the GDPR and, where relevant, applicable Danish healthcare law. In the context of core diagnostic services, personal data is generally processed because such processing is necessary in order to perform a contract or requested service, and because the processing of health data is necessary for the purposes of preventive medicine, medical diagnosis, the provision of healthcare, or the management of healthcare systems and services, in accordance with Article 6(1)(b) and Article 9(2)(h) of the GDPR, together with the relevant provisions of Danish law.
Certain forms of processing are also carried out because they are necessary in order to comply with legal obligations, including obligations relating to medical record keeping, traceability, quality assurance, and reporting to public authorities where required. In addition, some processing may be based on Supar.Health’s legitimate interests, for example in maintaining the security, integrity, and functionality of the platform, conducting internal quality control, preventing misuse, and improving service performance, provided always that such interests are balanced against the rights and freedoms of the individuals concerned.
Where optional services or secondary uses are involved, such as certain research activities, marketing communications, genetic testing, biobank participation, or specific forms of AI or model training involving personal data, processing will be based on consent or on another specific legal basis where appropriate. Any such consent must be specific, informed, voluntary, and capable of withdrawal at any time, without affecting the lawfulness of prior processing carried out before that withdrawal.
7. Identifiable, Pseudonymized, and Anonymized Data
A fundamental part of the Supar.Health data governance model is the distinction between identifiable data, pseudonymized data, and anonymized data. Identifiable data refers to information that directly identifies you or that can readily be linked to you, such as your name, contact details, personal identifier, or linked clinical record. Pseudonymized data refers to data in which direct identifiers have been replaced by codes or indirect identifiers, but where re-identification remains possible through the use of additional information. Under the GDPR, pseudonymized data remains personal data and is treated accordingly.
Anonymized data, by contrast, refers to data that has been irreversibly processed in such a way that no individual can be identified directly or indirectly by Supar.Health or by any other party using means reasonably likely to be used. Only where this threshold has been met is the data considered no longer to constitute personal data under European data protection law.
Supar.Health may use anonymized data derived from platform use, biomarker testing, associated metadata, and system-level analysis for research, statistical evaluation, product development, clinical validation, artificial intelligence development, bioinformatic model training, platform optimization, and commercial purposes, including collaboration and licensing activities. Such use is contingent upon the data having been transformed into a genuinely anonymous form. Supar.Health does not claim ownership of your personal data as such; however, where data has been rendered anonymous in accordance with applicable law, Supar.Health may retain and use that anonymous data independently and on an ongoing basis.
8. Control of Identifiable Data Within the Platform
The Supar.Health platform is designed to allow patients to maintain meaningful control over identifiable personal data within their own digital health environment, subject always to legal and clinical constraints. A patient may, for example, be associated with one or more clinics and may have the ability to determine whether a given clinic is permitted to read from or write to the patient’s record within the platform. This permission structure supports a controlled and role-based sharing model that is intended to reflect both patient autonomy and the need for medically responsible access.
At the same time, not all forms of control are absolute. Where a clinic or laboratory is subject to statutory obligations under Danish healthcare law, including obligations relating to journalføring and retention of medical records, certain identifiable data may need to be retained even if a patient requests deletion. In those cases, the right to erasure may be limited by law. Supar.Health will, however, seek in all cases to ensure that personal data is processed only to the extent necessary and that patients are informed clearly about the legal basis and limitations applicable to such processing.
9. Disclosure of Personal Data
Supar.Health treats personal and health-related information as confidential and does not sell identifiable personal data. Personal data may be disclosed only where this is necessary and legally justified. This may include disclosure to clinics, physicians, healthcare professionals, laboratory personnel, technical service providers, hosting providers, software infrastructure providers, payment processors, regulatory authorities, and other parties whose involvement is necessary in order to deliver the service, support a lawful clinical workflow, maintain the platform, or comply with legal obligations.
Where third parties process data on our behalf, we require them to do so under appropriate contractual safeguards, including data processing agreements where applicable, and only in accordance with documented instructions and confidentiality obligations. Where data is shared with a clinic or laboratory acting as an independent controller, that party is responsible for its own lawful processing in accordance with the applicable healthcare and data protection framework.
Where anonymized datasets are used in scientific collaboration, technical development, or commercial partnerships, such disclosure may take place without involving personal data, provided that the data has first been anonymized to the standard required under applicable law.
10. International Data Transfers
Where personal data is transferred outside the European Union or the European Economic Area, Supar.Health will ensure that appropriate safeguards are in place in accordance with Chapter V of the GDPR. This may include reliance on an adequacy decision issued by the European Commission, the use of the European Commission’s standard contractual clauses, or other legally recognized safeguards. In each case, we seek to ensure that transferred data receives a level of protection essentially equivalent to that guaranteed within the EU.
11. Data Security
Supar.Health applies a combination of technical and organizational measures designed to protect personal data against unauthorized access, loss, misuse, alteration, or unlawful disclosure. These measures include encryption of data in transit and at rest, access control mechanisms based on user roles and necessity, logging and monitoring of data access, secure hosting environments, segregation of environments, incident response procedures, and continuous review of system security.
Because the platform processes health-related information and supports regulated diagnostic workflows, security is treated as a core compliance requirement rather than merely a technical feature. Access to identifiable data is restricted to persons with a legitimate need to know, and internal governance measures are intended to ensure that no user or organizational actor is able to access broader datasets than required for their function.
12. Data Retention
Supar.Health retains personal data only for as long as necessary for the purposes for which it was collected and processed, unless a longer retention period is required by law. In the clinical context, medical records and related diagnostic data may need to be retained for the period mandated by Danish healthcare legislation and associated record-keeping requirements. This means that some data cannot be erased upon request where legal retention duties apply.
Account information and platform-level data may be retained for as long as the user relationship exists and for a reasonable period thereafter where necessary for legal, audit, or operational purposes. Where possible and appropriate, data that is no longer required in identifiable form may be deleted, restricted, or anonymized. Once data has been anonymized in a legally valid and irreversible manner, it may be retained indefinitely for scientific, technical, statistical, and commercial development purposes, because it no longer constitutes personal data.
13. Your Rights
Under the GDPR and applicable Danish law, you have a number of rights in relation to the personal data concerning you. These include the right to obtain access to your data, the right to request rectification of inaccurate information, the right in certain circumstances to request erasure, the right to request restriction of processing, the right to data portability for data processed by automated means on the basis of consent or contract, and the right to object to certain forms of processing based on legitimate interests.
Where processing is based on consent, you also have the right to withdraw that consent at any time. Such withdrawal does not affect the lawfulness of the processing carried out before consent was withdrawn. It should be noted, however, that these rights apply only in relation to personal data. They do not extend to data that has been anonymized in such a way that it can no longer be linked to you.
If you wish to exercise any of your rights, you may contact Supar.Health using the contact details provided on our website or in our contractual documentation. We may request reasonable proof of identity before responding to such requests.
14. Complaints
If you have concerns regarding the way in which Supar.Health processes your personal data, we encourage you to contact us first so that we may seek to resolve the matter promptly and appropriately. You also have the right to lodge a complaint with the Danish Data Protection Agency, Datatilsynet, if you believe that your personal data has been processed in breach of applicable law. Where a matter relates specifically to the provision of healthcare services or medical responsibility, you may also have rights to raise concerns with the relevant Danish health authorities.
15. Changes to This Privacy Policy
Supar.Health may update this Privacy Policy from time to time in order to reflect changes in legal requirements, technical infrastructure, service models, or data processing practices. Where material changes are made, we will take reasonable steps to bring those changes to your attention through the platform, by email, or by other appropriate means. The most recent version of this Privacy Policy will always be made available through our website and platform environment.
V1.260326.1015
Date: 26.03.2026