11. Controller and scope
NOMAE, operated by Nordic Hormone Concepts ApS, CVR 43969137, Amaliegade 4, 1256 Copenhagen K, Denmark is the data controller for the personal data we process about you as a patient and user — when you use our platform and when we provide consultation, examination, diagnosis and treatment. Email: lisbet@onethirtylabs.com · Phone: +45 52 60 77 77
2. Data protection contact
For any question about how we handle your data, contact Lisbet Mensa-Annan at lisbet@onethirtylabs.com.
3. Clinical and digital context
When we assess, diagnose and treat you — including through digital health services — we collect and process personal data as data controller. We are obliged to do so under the Danish Authorization Act (Autorisationsloven, Chapter 6) and the record-keeping regulation (Journalføringsbekendtgørelsen).
4. What data we collect
YGeneral personal data: name, contact details, date of birth, Danish personal identification number (CPR) where required for treatment and record-keeping, gender, and account, appointment and payment information (e.g. card tokens held by our payment provider).
Special-category (health) data: medical history, symptoms, reproductive and hormonal history, blood-test and biomarker results, continuous glucose monitoring data, body-composition measurements, prescriptions, treatment records and clinician notes. Other special categories (such as ethnic origin or sexual orientation) are processed only where directly relevant to your care.
Digital and tracking data: biomarkers, lifestyle and progress data, and care-plan adherence, where these form part of your programme.
Technical data: IP address and usage data collected automatically when you visit our website (see Section 16, Cookies).
55. Purposes of processing
We process your data to: examine, diagnose and treat you; prepare clinical documentation and, where relevant, certificates and reports; communicate with and refer you to other healthcare providers; conduct video consultations; issue prescriptions via FMK; requisition laboratory tests; report to clinical quality databases where required; manage membership, bookings and billing; handle inquiries, complaints, supervisory inspections and disputes; operate and personalise our digital platform in connection with your care; and comply with our legal obligations, including security and breach-handling duties.
66. Legal bases
Where processing is based on consent, you may withdraw it at any time; withdrawal does not affect the lawfulness of processing carried out beforehand. We do not use your health data for marketing.
7. Voluntariness
Providing your data is voluntary, but if you do not provide the data relevant to your care, we may be unable to examine, diagnose or treat you, or to deliver specific features.
8. Sources of data
We obtain data directly from you (forms, consultations, messages, uploads), generated during your care (clinician notes, test results), and — where permitted or required by law, or with your consent — from other healthcare providers and authorities in Denmark.
9. Disclosures and recipients
To the extent necessary for your care or required by law, your data may be disclosed to: other healthcare professionals in Denmark (referrals, second opinions, continuity of care); clinical quality databases (RKKP), the Danish Patient Safety Authority, and the Danish Health Data Authority (Sundhedsdatastyrelsen) where there is a legal obligation; partner laboratories; Danish pharmacies and FMK for prescriptions; regional billing offices; and police, courts or social authorities where legally required. Disclosures to relatives or insurance companies are made only with your prior consent. Our processors (Section 10) act on our behalf under data-processing agreements. We do not sell your data or share health data with advertising platforms.
10. Processors and infrastructure
Your data may be processed and stored by data processors acting on our instructions under data-processing agreements — for example hosting, database, laboratory-integration, video-consultation, payment, scheduling and email providers. Some processors may use their own sub-processors (e.g. for cloud hosting), bound by equivalent GDPR obligations.
11. Transfers outside the EEA
We aim to keep your data within the EU/EEA. Where a processor or recipient is outside the EEA, transfers occur only to countries with an adequacy decision, under appropriate safeguards (such as the EU Standard Contractual Clauses with supplementary measures where required), or under an applicable derogation (Art. 49 GDPR) where strictly necessary.
12. 1Retention
We keep data only as long as necessary and as the law requires. Under § 15 of the Record Keeping Order, patient records are retained for at least 10 years after the last entry. In special cases (complaints, compensation claims, audits) data may be kept longer — until the matter is finally closed — to establish, exercise or defend legal claims. Accounting records are kept for the period required by accounting law (generally 5 years).
13. Your rights
Under the GDPR and Danish law you have the right of access (Art. 15), rectification (Art. 16), erasure in certain cases (Art. 17), restriction (Art. 18), data portability (Art. 20), and to object (Art. 21). Where processing is based on consent, you may withdraw it at any time.
Healthcare limitation. Under § 14 of the Record Keeping Order, entries in patient records may not be deleted; only corrections or additions may be made, to preserve clinical integrity and legal documentation. This limits the right to erasure for clinical records.
14. Security
We maintain appropriate technical and organisational measures, including role-based access on a least-privilege basis, multi-factor authentication for administrative access where appropriate, encryption in transit (and at rest where relevant), logging and audit trails for access to clinical records, monitoring, and incident-response procedures. We notify breaches to authorities and affected individuals in line with GDPR Articles 33–34.
15. Automated decision-making and profiling
We do not make automated decisions producing legal or similarly significant effects within the meaning of GDPR Art. 22. Any scores or algorithmic insights used to support your care are reviewed by a clinician and form part of the medical assessment — they do not replace clinical judgment.
16. Cookies
Our website uses cookies. Strictly necessary cookies make the site work and do not require consent. Analytics and other non-essential cookies are used only with your consent, given via our cookie banner and changeable or withdrawable at any time through the cookie settings.
17. Complaints
If you are unhappy with how we handle your data, you may complain to the Danish Data Protection Agency (Datatilsynet), www.datatilsynet.dk. We would appreciate the chance to address your concern first.
18. Updates and contact
We may update this policy; the version published here is the current one. Material changes will be communicated to members. Contact: Nordic Hormone Concepts ApS, Palæegade 2 , 1261 Copenhagen K, Denmark. Email: lisbet@onethirtylabs.com · Phone: +45 52 60 77 77

