HELM Longevity

Privacy Policy

Last updated: 17 May 2026

This policy describes how Helm Collective AB processes your personal data when you book an appointment, are a patient, or visit helmlongevity.com. We are a private healthcare provider registered with the Swedish Health and Social Care Inspectorate (IVO) on 10 May 2026, and we provide healthcare in accordance with:

  • The EU General Data Protection Regulation (GDPR, 2016/679)
  • The Swedish Data Protection Act (2018:218)
  • The Swedish Patient Data Act (2008:355)
  • The Swedish Patient Safety Act (2010:659)
  • The Swedish Health and Medical Services Act (2017:30)
  • The National Board of Health and Welfare's regulations and general advice on medical records and the processing of personal data in healthcare (HSLF-FS 2016:40)

Data controller and healthcare provider

Helm Collective AB
Organization number: 559581-6660
Business address: Saltholmsgatan 3, 426 76 Västra Frölunda, Sweden
Email: dataskydd@helmlongevity.se
Operations manager under the Swedish Health and Medical Services Act: Dr Nathalie Ylitalo Helm, licensed physician
Planned opening: May 2026

Data Protection Officer

Helm Collective AB has assessed that the size of the operation does not make it mandatory to appoint a Data Protection Officer (DPO) under Article 37 GDPR. Data protection matters are handled directly by the operations manager via the contact details above. If the operation grows, the need for a DPO will be reassessed.

What data we process and why

When you book an appointment

Booking takes place via EasyPractice. We need your name, Swedish personal identity number, contact details (email, phone), and the service you have booked.

  • Purpose: to administer your visit, identify you as a patient, and reach you when needed.
  • Legal basis: performance of a contract (GDPR art. 6.1.b) and legal obligation under the Swedish Patient Data Act (GDPR art. 6.1.c).
  • Personal identity number: processed under Chapter 3, Section 10 of the Swedish Data Protection Act for secure identification within healthcare.

When you are a patient

We keep a patient record under the Swedish Patient Data Act and HSLF-FS 2016:40. The record contains the health questionnaire, medical history, lab results, examination findings, diagnoses, prescribed measures, and health plan.

  • Legal basis for health data: GDPR art. 9.2.h (processing necessary for preventive healthcare, medical diagnosis, and care) in combination with the Swedish Patient Data Act.
  • Internal confidentiality: Only personnel who need the data for their work with you may access your record (Chapter 4, Section 1 of the Swedish Patient Data Act).
  • Access logging: All access to your record is logged. On request, you have the right to receive a log of who has accessed your data (Chapter 4, Section 3 of the Swedish Patient Data Act).

Coordinated medical records

Helm Collective AB does not participate in coordinated medical records under Chapter 6 of the Swedish Patient Data Act and is not connected to the National Patient Overview (NPÖ). Your medical record data is therefore not available to other healthcare providers via NPÖ. If you want data from your visit with us to be shared with another healthcare provider, this is done through a copy of the record note, forwarded either by you or by us.

When you visit the website

We use cookies on helmlongevity.com. Strictly necessary cookies are required for the website to function. With your consent, we also use analytics cookies from Google Analytics 4 (Google Ireland Limited) to measure visits and improve the content. IP anonymization is enabled. You can change or withdraw your consent at any time via the cookie banner in the footer. A full description of all cookies is available in our cookie policy. Server logs retain anonymized data, such as IP address and browser type, for a short period for security purposes.

When you subscribe to the newsletter

If you subscribe to the Insights newsletter, we process your email address and, if you provide it, your first name. The purpose is to send editorial content about longevity, women's health, and functional medicine, along with occasional clinic updates. The legal basis is consent (GDPR art. 6.1.a). You can unsubscribe at any time via the link at the bottom of each email or by writing to info@helmlongevity.se. We do not share the data with third parties for marketing purposes. The newsletter is handled via MailerLite (see below).

Automated decision-making and profiling

We do not make legally binding decisions about you through solely automated processing within the meaning of Article 22 GDPR. Interpretation of lab results and biomarkers is always performed by licensed personnel.

Who has access to the data

We share your data with the following parties, who help us run the operation. Data processor agreements are in place where required.

  • EasyPractice, medical records and booking platform. Data processor. The system meets the requirements of the Swedish Patient Data Act and HSLF-FS 2016:40.
  • Synlab, laboratory partner for sample collection and analysis. Synlab is an independent data controller for the analysis it performs.
  • Lola Health UK Ltd and TruDiagnostic LLC (when the Biological Age option is selected). Lola Health is the intermediary supplier for TruDiagnostic in Europe and receives your blood sample (a finger-stick that you collect at home) in the United Kingdom, which the EU has determined provides an adequate level of protection. Lola Health then forwards the sample for epigenetic analysis at TruDiagnostic LLC in Lexington, Kentucky, USA. TruDiagnostic is an independent data controller for the analysis and is CLIA-certified and HIPAA-compliant. For the transfer to the USA, your explicit and informed consent is obtained separately under GDPR art. 49.1.a and art. 9.2.a before the sample is forwarded, since the USA has not been assessed by the EU as providing an adequate level of protection. You can withdraw your consent at any time. More information is available in TruDiagnostic's privacy policy at trudiagnostic.com/privacy-policy.
  • Loopia, web host for helmlongevity.com. Data processor.
  • Google Ireland Limited, web analytics via Google Analytics 4. Data processor. Data may be transferred to the USA under the EU Standard Contractual Clauses (SCC) and Google's supplementary safeguards. Analytics cookies are set only if you have given consent via the cookie banner.
  • MailerLite Limited (Ireland), platform for sending the Insights newsletter. Data processor. Processes email address and first name as well as technical user data linked to the newsletter (opens, clicks). Data may be transferred to the USA under the EU Standard Contractual Clauses (SCC). This applies only if you have actively signed up.

We do not share any data with third parties for marketing purposes. Data is disclosed to authorities only when we are required by law to do so, for example mandatory reporting under the Swedish Communicable Diseases Act or at the request of IVO.

How long we keep the data

  • Patient record: at least 10 years after the most recent record entry, under Chapter 3, Section 17 of the Swedish Patient Data Act.
  • Booking data: for as long as needed to administer the visit, and thereafter for the time required for invoicing and complaints.
  • Accounting data: until the end of the seventh year after the close of the financial year, under Chapter 7, Section 2 of the Swedish Accounting Act.
  • Cancelled appointments with no patient relationship: deleted within a reasonable period.

Security and personal data breaches

Medical records and patient data are stored with EasyPractice, which applies technical and organizational safeguards adapted for Swedish healthcare. The website uses HTTPS encryption. Never send sensitive health data via email or the contact form. Always use EasyPractice for secure communication.

In the event of a personal data breach that may result in a risk to your rights and freedoms, we report the incident to the Swedish Authority for Privacy Protection within 72 hours (GDPR art. 33). If the breach involves a high risk, we will also inform you directly (GDPR art. 34).

Your rights

  • Access: You have the right to request your medical record and a copy of your personal data (GDPR art. 15, Swedish Patient Data Act, Chapter 8).
  • Rectification: You have the right to have inaccurate data corrected (GDPR art. 16). Medical record data cannot be erased, but inaccuracies can be supplemented or flagged.
  • Erasure: You can request erasure of data that is no longer needed (GDPR art. 17). However, the patient record cannot be erased during the statutory retention period of 10 years.
  • Restriction and objection: You have the right to request restriction of processing (GDPR art. 18) and to object to processing (GDPR art. 21).
  • Data portability: Where processing is based on a contract and carried out by automated means, you have the right to data portability (GDPR art. 20).
  • Access log: You have the right to receive information about who has accessed your medical record (Swedish Patient Data Act, Chapter 8, Section 5).
  • Blocking of medical record: You have the right to request that your medical record data be blocked from access by other healthcare providers in coordinated medical records (Swedish Patient Data Act, Chapter 6, Section 2).

We respond to your request within one month. In the case of complex requests or a large number of requests, the period may be extended by a further two months (GDPR art. 12.3).

Complaints

Complaints about data protection handling: Swedish Authority for Privacy Protection (IMY), Box 8114, 104 20 Stockholm, imy@imy.se.

Complaints about the care provided: Swedish Health and Social Care Inspectorate (IVO) or the Patient Advisory Committee (Patientnämnden) in your region.

Children and minors

If the patient is under 18 years of age, the rights are exercised by the legal guardian to the extent appropriate given the child's age and maturity (Chapter 6, Section 11 of the Swedish Children and Parents Code, and Chapter 8, Section 2 of the Swedish Patient Data Act).

Contact

To exercise your rights or ask questions about the processing of personal data, contact us at:

Email: nathalie@drnathaliehelm.se
Mail: Helm Collective AB, Saltholmsgatan 3, 426 76 Västra Frölunda, Sweden

Changes to this policy

We may update this policy. The date of the most recent update is shown at the top of the page. In the event of material changes, we will notify active patients via EasyPractice.