Privacy & Cookie Policy

Last update: 16 June 2026
Your health data is among the most sensitive information about you, and protecting it is central to how NOMAE works. This policy explains what we collect, why, on what legal basis, how long we keep it, and the rights you have. It applies to our website and to the care we provide. Your use of the Services is also subject to our Terms & Conditions.

11. Controller and scope

NOMAE, operated by Nordic Hormone Concepts ApS, CVR 43969137, Amaliegade 4, 1256 Copenhagen K, Denmark is the data controller for the personal data we process about you as a patient and user — when you use our platform and when we provide consultation, examination, diagnosis and treatment. Email: lisbet@onethirtylabs.com · Phone: +45 52 60 77 77

2. Data protection contact

For any question about how we handle your data, contact Lisbet Mensa-Annan at lisbet@onethirtylabs.com.

3. Clinical and digital context

When we assess, diagnose and treat you — including through digital health services — we collect and process personal data as data controller. We are obliged to do so under the Danish Authorization Act (Autorisationsloven, Chapter 6) and the record-keeping regulation (Journalføringsbekendtgørelsen).

4. What data we collect

YGeneral personal data: name, contact details, date of birth, Danish personal identification number (CPR) where required for treatment and record-keeping, gender, and account, appointment and payment information (e.g. card tokens held by our payment provider).

Special-category (health) data: medical history, symptoms, reproductive and hormonal history, blood-test and biomarker results, continuous glucose monitoring data, body-composition measurements, prescriptions, treatment records and clinician notes. Other special categories (such as ethnic origin or sexual orientation) are processed only where directly relevant to your care.

Digital and tracking data: biomarkers, lifestyle and progress data, and care-plan adherence, where these form part of your programme.

Technical data: IP address and usage data collected automatically when you visit our website (see Section 16, Cookies).

55. Purposes of processing

We process your data to: examine, diagnose and treat you; prepare clinical documentation and, where relevant, certificates and reports; communicate with and refer you to other healthcare providers; conduct video consultations; issue prescriptions via FMK; requisition laboratory tests; report to clinical quality databases where required; manage membership, bookings and billing; handle inquiries, complaints, supervisory inspections and disputes; operate and personalise our digital platform in connection with your care; and comply with our legal obligations, including security and breach-handling duties.

66. Legal bases

  • Clinical care and safety: GDPR Art. 6(1)(c) (legal obligation) and 6(1)(d) (vital interests) for general data; Art. 9(2)(h) (provision of health care) and 9(2)(c) (vital interests) for health data; together with Autorisationsloven (Chapter 6), the Record Keeping Order, and the Danish Health Act (Sundhedsloven, Chapter 9).
  • Disclosures not mandated by Chapter 9 of the Health Act are made only with your prior consent under Sundhedsloven §§ 42a–42e.
  • Membership, bookings and billing: Art. 6(1)(b) (contract) and 6(1)(c) (statutory reporting) where applicable.
  • Prescriptions via FMK: under Sundhedsloven § 157 and the prescription rules.
  • Disclosures to insurers or relatives: only with your consent under Art. 6(1)(a) and 9(2)(a) (and Sundhedsloven § 43 for relatives; § 45 for deceased patients).
  • Marketing emails and non-essential cookies: your consent, Art. 6(1)(a).

Where processing is based on consent, you may withdraw it at any time; withdrawal does not affect the lawfulness of processing carried out beforehand. We do not use your health data for marketing.

7. Voluntariness

Providing your data is voluntary, but if you do not provide the data relevant to your care, we may be unable to examine, diagnose or treat you, or to deliver specific features.

8. Sources of data

We obtain data directly from you (forms, consultations, messages, uploads), generated during your care (clinician notes, test results), and — where permitted or required by law, or with your consent — from other healthcare providers and authorities in Denmark.

9. Disclosures and recipients

To the extent necessary for your care or required by law, your data may be disclosed to: other healthcare professionals in Denmark (referrals, second opinions, continuity of care); clinical quality databases (RKKP), the Danish Patient Safety Authority, and the Danish Health Data Authority (Sundhedsdatastyrelsen) where there is a legal obligation; partner laboratories; Danish pharmacies and FMK for prescriptions; regional billing offices; and police, courts or social authorities where legally required. Disclosures to relatives or insurance companies are made only with your prior consent. Our processors (Section 10) act on our behalf under data-processing agreements. We do not sell your data or share health data with advertising platforms.

10. Processors and infrastructure

Your data may be processed and stored by data processors acting on our instructions under data-processing agreements — for example hosting, database, laboratory-integration, video-consultation, payment, scheduling and email providers. Some processors may use their own sub-processors (e.g. for cloud hosting), bound by equivalent GDPR obligations.

11. Transfers outside the EEA

We aim to keep your data within the EU/EEA. Where a processor or recipient is outside the EEA, transfers occur only to countries with an adequacy decision, under appropriate safeguards (such as the EU Standard Contractual Clauses with supplementary measures where required), or under an applicable derogation (Art. 49 GDPR) where strictly necessary.

12. 1Retention

We keep data only as long as necessary and as the law requires. Under § 15 of the Record Keeping Order, patient records are retained for at least 10 years after the last entry. In special cases (complaints, compensation claims, audits) data may be kept longer — until the matter is finally closed — to establish, exercise or defend legal claims. Accounting records are kept for the period required by accounting law (generally 5 years).

13. Your rights

Under the GDPR and Danish law you have the right of access (Art. 15), rectification (Art. 16), erasure in certain cases (Art. 17), restriction (Art. 18), data portability (Art. 20), and to object (Art. 21). Where processing is based on consent, you may withdraw it at any time.

Healthcare limitation. Under § 14 of the Record Keeping Order, entries in patient records may not be deleted; only corrections or additions may be made, to preserve clinical integrity and legal documentation. This limits the right to erasure for clinical records.

14. Security

We maintain appropriate technical and organisational measures, including role-based access on a least-privilege basis, multi-factor authentication for administrative access where appropriate, encryption in transit (and at rest where relevant), logging and audit trails for access to clinical records, monitoring, and incident-response procedures. We notify breaches to authorities and affected individuals in line with GDPR Articles 33–34.

15. Automated decision-making and profiling

We do not make automated decisions producing legal or similarly significant effects within the meaning of GDPR Art. 22. Any scores or algorithmic insights used to support your care are reviewed by a clinician and form part of the medical assessment — they do not replace clinical judgment.

16. Cookies

Our website uses cookies. Strictly necessary cookies make the site work and do not require consent. Analytics and other non-essential cookies are used only with your consent, given via our cookie banner and changeable or withdrawable at any time through the cookie settings.

17. Complaints

If you are unhappy with how we handle your data, you may complain to the Danish Data Protection Agency (Datatilsynet), www.datatilsynet.dk. We would appreciate the chance to address your concern first.

18. Updates and contact

We may update this policy; the version published here is the current one. Material changes will be communicated to members. Contact: Nordic Hormone Concepts ApS, Palæegade 2 , 1261 Copenhagen K, Denmark.  Email: lisbet@onethirtylabs.com  ·  Phone: +45 52 60 77 77