Privacy Statement

Véora Group B.V., operating under the name Véora, offers a digital care programme for weight management with GLP-1 medication. We take your privacy seriously and handle your data with care. This privacy statement explains which personal data we process, why we do so, how we protect it and what rights you have.

This privacy statement has been drafted in accordance with the General Data Protection Regulation (GDPR), the Dutch GDPR Implementation Act (UAVG), the Dutch Medical Treatment Contracts Act (WGBO), the Dutch Healthcare Quality, Complaints and Disputes Act (Wkkgz) and other applicable Dutch and European legislation.

The statement applies to all visitors of joinveora.com, to all users of our service and to all patients in our treatment programme. It covers the medical intake, the treatment, the patient dashboard and all related communication.

1.1 Data controller

Véora Group B.V. is the data controller within the meaning of Article 4(7) GDPR for the processing of personal data through our service.

1.2 Data protection officer

Because we process special categories of health data on a large scale as a core activity, we have appointed a Data Protection Officer (DPO) pursuant to Article 37(1)(c) GDPR. The DPO monitors our compliance with privacy law and acts as a point of contact for you and for the Dutch Data Protection Authority.

Personal data are all data that can be directly or indirectly traced back to a living person. Examples include your name, address, email address, phone number, date of birth, IP address and health data.

Data concerning your health are special categories of personal data within the meaning of Article 9 GDPR. Stricter rules apply to processing such data. We may only process them on a specific legal basis, such as the provision of healthcare under the responsibility of a BIG-registered physician bound by medical professional secrecy.

For every processing of your personal data we rely on a legal basis from the GDPR. Below we list the main legal bases we use. For each processing activity in chapter 4 we indicate which legal basis applies.

Article 6 GDPR — general personal data

• Performance of a contract (Article 6(1)(b)) — to provide our service, manage your account, your subscription and the related communication.
• Legal obligation (Article 6(1)(c)) — for example tax records, statutory reporting duties and complying with requests from competent authorities.
• Legitimate interest (Article 6(1)(f)) — for example necessary analytics, fraud prevention, security, product improvement and limited direct communication with existing customers.
• Consent (Article 6(1)(a)) — for non-essential cookies and marketing to non-customers. You may withdraw consent at any time.

Article 9 GDPR — special categories of health data

• Provision of healthcare under the responsibility of a health professional (Article 9(2)(h) in conjunction with the WGBO and Wkkgz) — this is the primary legal basis for processing your medical data as part of treatment. The BIG-registered physician involved is bound by medical professional secrecy.
• Explicit consent (Article 9(2)(a)) — if we offer optional processing activities outside of direct care in the future (for example voluntary research participation or a patient community), we will obtain separate explicit consent for those. No such processing takes place at this time.
• Establishment, exercise or defence of legal claims (Article 9(2)(f)) — in the exceptional event that this is necessary to defend our legal interests.

This chapter describes per processing activity which data we process, for which purpose, on which legal basis, from which sources the data originate and with whom we share them. This structure follows Articles 13 and 14 GDPR.

4.1 When you visit our website

Categories of personal data

• IP address, browser type, operating system and device characteristics
• Pages visited, session duration, referral source
• Technical data via cookies and similar technologies

Processing

• Providing and optimising the website
• Product and usage analytics via Google Analytics 4, loaded through Google Tag Manager (only after your consent)
• Error tracking and security

4.2 When you create an account and complete the medical intake

Categories of personal data

• Name, email address, phone number, date of birth, biological sex
• Login credentials (password stored only in hashed form)
• Height, weight, BMI and target weight
• Medical history, current medication and known allergies
• Any previous experience with GLP-1 medication
• Lifestyle information such as diet, exercise and sleep
• Answers to the intake questionnaire
• If you came to us via a referral link, a referral cookie (veora_ref) that only stores the invitation code so that credit can be allocated correctly

Processing

• Collecting and storing intake data
• Presenting the file to a BIG-registered physician for review
• Recording the review in the medical file
• Communicating the outcome to you

4.3 When you take out a subscription and pay

Categories of personal data

• Name, contact details, invoicing details
• Type of payment method (iDEAL including Wero, credit card, SEPA mandate)
• Transaction references and payment history

Processing

• Processing of your payment via a licensed payment provider
• Management and renewal of your subscription
• Invoicing and bookkeeping

4.4 When we deliver your treatment

Categories of personal data

• Full medical file (medical history, medication, lab results where applicable)
• Weight progress and well-being
• Prescribed medication and dose changes
• Consult notes and treatment plan
• Communication between you and the healthcare provider

Processing

• Creating and maintaining your medical file
• Prescribing medication and adjusting the dose
• Coordinating dispensing and refills with the pharmacy
• Monitoring progress, side effects and treatment outcomes
• Follow-up via email or message

4.5 When we verify your identity

Identification of the patient is legally required for the prescription of prescription medication. We rely on a specialised processor for this.

Categories of personal data

• Type of identity document (passport, ID card, driving licence)
• Verification status and reference code
• Time of verification

4.6 When you contact our customer service

Categories of personal data

• Name, contact details
• The content of your question or message
• Relevant account data and, if applicable, health data that you provide yourself

4.7 When we safeguard quality of care and patient safety

Under the Wkkgz we are required to maintain a system of quality monitoring and incident reporting, and to make a complaints procedure with a complaints officer available.

Processing

• Registration and analysis of incidents and near-misses (VIM)
• Registration of suspected adverse effects and reporting to Lareb where applicable
• Handling of complaints by our complaints officer
• Quality reviews and audits

4.8 When we inform you about our services (marketing)

We contact you only in the following cases and under the following conditions:

Existing customers

• We may inform you by email about similar services we offer, on the basis of Article 11.7 Dutch Telecommunications Act and Article 6(1)(f) GDPR (legitimate interest).
• Every email contains a clear unsubscribe link. You can also unsubscribe via support@joinveora.com.

Non-customers

• We only approach you with your prior, explicit consent (Article 6(1)(a) GDPR).
• You can withdraw your consent at any time.

4.9 When we improve and evaluate our service

We use data about the use of our website and app to maintain our service, fix bugs and improve the user experience. We prefer to use anonymised or aggregated data for this purpose.

4.10 When we comply with legal obligations

Categories of personal data

• Data needed for tax and accounting records
• Data needed to exercise your rights under the GDPR
• Data whose provision is required by a competent authority

We share your data only with parties that are necessary for the delivery of our service or under a legal obligation. We distinguish two categories of recipients.

5.1 Processors

Processors process personal data exclusively on our instructions. We have a data processing agreement under Article 28 GDPR with all processors.

The consent mechanism runs through Klaro!, an open-source JavaScript library that operates entirely within your browser. No personal data are sent to Klaro or its developers; for that reason Klaro is not a processor within the meaning of the GDPR.

5.2 Independent data controllers

Some parties we work with determine the purposes and means of processing themselves. For that processing they act as independent data controllers. Their own privacy statement applies to the data they receive.

• Treating physician — BIG-registered, responsible for the medical assessment and the medical file, bound by medical professional secrecy.
• ThuisApotheek — independently responsible for handling, preparing and dispensing your prescription medication and for the required registrations.
• Mollie — responsible as a licensed European payment institution for payment processing.
• iDenfy — responsible for processing your identity document during the verification process.
• Government bodies and supervisors — such as the Tax Administration, IGJ and the Dutch Data Protection Authority, where we are legally required to share data.
• Our professional liability insurer — only in the case of a claim or incident.

We aim to process your data within the European Economic Area (EEA). Several of our processors are companies that are (also) established in the United States or have a parent company there. For the medical data at the core of our service we deliberately choose processing within the EEA (Supabase, data centre in Frankfurt). For analytics data via Google Analytics 4 and for several processors with a US parent company, transfers outside the EEA take place on the basis of Standard Contractual Clauses, where applicable supplemented by certification under the EU-US Data Privacy Framework.

Where transfers outside the EEA take place, we ensure the level of protection through one or more of the following safeguards:

• An adequacy decision of the European Commission for the country concerned, where applicable.
• Certification of the processor under the EU-US Data Privacy Framework (DPF).
• Supplementary Standard Contractual Clauses (SCCs) as adopted by the European Commission.
• A Transfer Impact Assessment for each transfer and appropriate additional measures (such as encryption at rest and in transit).

We minimise the transfer of special categories of health data outside the EEA.

You can request an overview of current transfers and the specific safeguards in place from our DPO.

We do not keep your data for longer than necessary for the purposes for which we process them, unless the law prescribes a longer retention period. The main periods:

We take appropriate technical and organisational measures to protect your data against loss, unauthorised access, alteration or disclosure. These measures include, among others:

• Encryption of data at rest and in transit (TLS 1.3, encrypted storage).
• Role-based access (patient, physician, administrator) following the principle of least privilege.
• Row-level security on the database, so that a patient can only see their own data.
• Two-factor authentication for all staff with access to medical data.
• Logging and monitoring of access to special categories of personal data.
• Periodic security reviews, penetration tests and dependency scans.
• Data processing agreements with all processors, including security requirements.
• An incident response procedure with a defined notification route to the DPO and, where necessary, to the Dutch Data Protection Authority and to data subjects.
• Privacy and security training for staff.

We regularly review our measures and adjust them where necessary.

Our website uses cookies and similar technologies. Under the Dutch Telecommunications Act we distinguish between strictly necessary cookies (which do not require consent) and all other cookies (which require explicit consent).

We use Klaro!, an open-source JavaScript library that operates entirely within your browser, to manage your cookie consent. You can change or withdraw your preferences at any time via the Cookie settings link at the bottom of every page.

A complete overview of all cookies and similar technologies that we use, with the name, provider, purpose, category and retention period of each cookie, can be found in our separate cookie statement at joinveora.com/cookies.

We do not currently take automated decisions within the meaning of Article 22 GDPR that have legal effects on you or significantly affect you. All medical assessments and treatment decisions are made by a BIG-registered physician.

We use profiling to a limited extent to improve our service and to communicate about similar services to existing customers (for example segmentation based on stage in the programme). This profiling has no legal effects, and you can object at any time via support@joinveora.com.

Under the GDPR you have the following rights regarding your personal data. You can exercise these rights by sending an email to support@joinveora.com or to the DPO. We respond within one month. We may extend this period by two months for complex or numerous requests (Article 12(3) GDPR); we will inform you of any extension and the reason.

• Right of access (Article 15 GDPR) — you can request a copy of the personal data we process about you, together with additional information about the processing.
• Right to rectification (Article 16 GDPR) — you can have inaccurate data corrected and incomplete data completed.
• Right to erasure (Article 17 GDPR) — under certain conditions you can request deletion. This right is limited by our statutory record-keeping duty under the WGBO.
• Right to restriction (Article 18 GDPR) — under certain conditions you can request a temporary restriction of processing.
• Right to data portability (Article 20 GDPR) — you can receive the data you have provided to us in a structured, commonly used and machine-readable format and forward it to another service provider.
• Right to object (Article 21 GDPR) — you can object to processing based on legitimate interests, including direct marketing.
• Right to withdraw consent (Article 7 GDPR) — where processing is based on your consent, you can withdraw it at any time. The lawfulness of processing before withdrawal remains intact.

To prevent misuse, we may ask you to identify yourself before we carry out your request. We do not charge for the exercise of your rights, except for manifestly unfounded or excessive requests (Article 12(5) GDPR).

Are you not satisfied with how we handle your personal data? Please let us know first via support@joinveora.com or via our DPO. We take every complaint seriously and aim for an appropriate resolution.

If you cannot reach a solution with us, you can file a complaint with the Dutch supervisory authority:

For complaints about the care itself (not about the processing of your data), please refer to our separate complaints procedure under the Wkkgz, available on our website. You can first turn to our complaints officer there. If this does not lead to a resolution, you can turn to the Disputes Commission to which we are affiliated.

We may update this privacy statement from time to time, for example when our service changes, when we engage new processors or when laws or regulations change. The most recent version is always available at joinveora.com/privacy, with version number and date.

For material changes we will actively inform you by email and, where relevant, by a clear notice on the website. For changes that materially affect your rights, we will allow a reasonable transition period.

For all questions, requests and comments about this privacy statement or about the processing of your personal data, you can contact us: