Privacy Statement TNO RDCP
Privacy Statement TNO RDCP App
Orikami B.V. – Nijmegen – December 2025
This Privacy Statement explains how personal data is processed when you use the TNO RDCP app (the “App”) and related cloud service (the “Service”).
1. Who is responsible (controller/processor roles)
The App is provided by Orikami B.V., Ridderstraat 29, 6511 TM Nijmegen, The Netherlands (“Orikami”, “we”).
The App is used in the context of a project (care and/or research) organised by the organisation that invited you (the “Orikami Customer”).
Depending on the project, different parties are responsible under the GDPR:
Orikami Customer as controller (most projects):
In most cases, the Orikami Customer determines the purposes and means of processing your personal data (e.g., care monitoring or a research study). In those cases, the Orikami Customer is the data controller and Orikami acts as a data processor on behalf of the Orikami Customer.
Orikami as controller (our own studies):
In some cases, Orikami organises and runs a study itself. In those cases, Orikami is the data controller for that study and you will be provided with study-specific information.
Orikami as controller (service operation & security):
Independently of the project, Orikami processes certain data as needed to operate, secure and support the Service (e.g., account administration, security logging, support handling).
Orikami Group B.V. is Orikami’s parent company and does not perform processing activities for the App/Service.
2. Legal bases
Which legal basis applies depends on the controller and the purpose:
Projects where the Orikami Customer is controller: the applicable legal basis (e.g., healthcare provision, scientific research, consent where required) is determined and explained by the Orikami Customer in their patient information / study information and privacy statement(s).
Service operation & security (Orikami as controller): we process personal data as necessary to provide, secure and maintain the Service and handle support requests.
Product improvement (separate consent): if you provide separate consent in the App, Orikami may use certain data for product monitoring and improvement. You can withdraw this consent at any time (see section 9). Refusing this consent does not affect your ability to use the core App functions.
3. What personal data is processed (and why)
The exact data depends on the project(s) you participate in and which features you enable.
A) Account and security data (authentication and secure access)
For authentication and account security, we process:
e-mail address and password (password stored in encrypted/hashed form);
invitation/verification dates and the dates on which you accepted in-app notices (e.g., this Privacy Statement);
recent login history (including timestamps and IP address);
last login date and last password change date;
technical information needed for authentication (e.g., device/app context).
B) Health and app data (care/research and app functionality)
To provide you and/or your caregivers/researchers insight and to run the selected tests, we may process:
answers to questionnaires (e.g., concentration, stress, memory, pain, mood, energy, daily functioning);
sensor data collected during tests and test results (depending on project configuration), such as accelerometer and gyroscope data;
location/GPS data only if required for a specific test (e.g., walking tests) and only to the extent needed;
personal notes/free text you enter (if enabled within your project);
device information (e.g., smartphone type);
usage information about how often and which features you use.
C) Health platform integrations (Apple Health/HealthKit and Android Health Connect)
If you choose to connect Apple Health/HealthKit and/or Android Health Connect, we process the data types you explicitly permit via your device permissions and/or the App (for example step count data if a step-count experiment is enabled).
You can change or withdraw permissions at any time in your device settings. If a feature depends on a certain data type (e.g., step counter), that feature may not work without that permission.
D) Optional profile information (only if you provide it)
If you complete your profile page, we may process:
your name (for support and personalisation);
profile/medical details you provide, where needed for interpretation of results and reference values.
We do not use automated decision-making producing legal effects or similarly significant effects solely based on automated processing.
4. Sharing your data
A) Sharing within a project (caregivers and/or researchers)
We provide access to your data to caregivers and/or researchers who are part of the project you participate in, as configured by the Orikami Customer and in line with the consent choices you make per project in the App.
Caregivers and/or researchers may store your data in their own systems (e.g., Electronic Patient Records) under their own privacy statements and responsibilities.
B) Service providers (subprocessors)
We use IT service providers to host and operate the Service (subprocessors). A list of subprocessors is provided below / is available [insert link or “on request”].
We have data processing agreements in place with our subprocessors.
5. Where is your data stored and international transfers
We aim to store and process data within the European Economic Area (EEA). Some service providers are headquartered outside the EEA (e.g., in the United States). Where access from outside the EEA or other transfer scenarios qualify as an international transfer, we use appropriate safeguards such as Standard Contractual Clauses (SCCs) and/or (where applicable) the EU–U.S. Data Privacy Framework for certified organisations.
We assess transfer risks and, where needed, apply supplementary measures in line with EDPB guidance.
PostHog Cloud EU: our PostHog Cloud EU instance is hosted in the AWS eu-central-1 region (Frankfurt, Germany) according to PostHog’s documentation.
6. Data retention
We keep your data for a minimum of five (5) years after your last usage or after termination of your account, unless:
a different period is required by the Orikami Customer for a specific care pathway or study, or
applicable law requires a different period, or
for Orikami-run studies: the retention period defined in the study documentation applies.
At the end of the applicable retention period, data will be erased or anonymised where appropriate.
7. Security
We take appropriate technical and organisational measures to protect personal data, including access controls and encryption in transit and at rest. Access within Orikami is restricted to authorised personnel on a need-to-know basis.
8. Your data protection rights
You have rights under data protection law, including access, rectification, erasure, restriction, objection, and data portability (under conditions).
Requests are generally handled free of charge; a reasonable fee may only apply where permitted by law (e.g., additional copies or manifestly unfounded/excessive requests).
9. Withdrawal of consent
If processing is based on your consent (e.g., project sharing choices, or Orikami’s product improvement consent), you can withdraw consent at any time via the App (where available) and/or by contacting support@orikami.nl. Withdrawal does not affect processing already performed before withdrawal.
10. How to contact us / exercising rights
If your request relates to a project where the Orikami Customer is the controller, we may refer you to the Orikami Customer.
Contact:
Email: support@orikami.nl
Phone: +31(0)243010100
To verify identity, we may ask for necessary and proportionate information. If you provide a copy of an ID document, please cover your photo, MRZ, passport number and BSN.
If you are not satisfied, you can contact the relevant supervisory authority.
11. Changes to this Privacy Statement
This Privacy Statement may be changed from time to time. Changes will be announced via the App and/or via http://orikami.ai.