1. Introduction and Identity of the Controller
Hanah Ecosystem (hereinafter "we," "us," or "our"), with its registered address at Da Costakade 119c 1053WS, is the data controller responsible for your personal data as described in this Privacy Notice.
Hanah Ecosystem operates a privacy-first data exchange for women's health, enabling secure, consent-based data collaboration across femtech applications, healthcare providers, and research institutions.
This Privacy Notice explains how we collect, use, disclose, retain, and protect your personal data, and sets out your rights under the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and any applicable national implementing legislation.
2. Controller Contact Details
For any questions, requests, or complaints regarding this Privacy Notice or the processing of your personal data, please contact us at:
- Email (general): info@hanahecosystem.io
- Email (technical / data matters): legal@hanahecosystem.io
- Postal Address: Da Costakade 119C 1053WS
- Website: www.hanahecosystem.io
3. Scope of This Privacy Notice
This Privacy Notice applies to all personal data we process in connection with:
- Your use of our website(s) and online services (collectively, the "Services");
- Your relationship with us as a partner, prospective partner, researcher, healthcare institution, or other collaborator;
- Your participation in our waitlist or other registration processes; and
- Any other interaction you may have with us.
This Notice applies regardless of the means by which personal data is collected (online, in person, by telephone, or by correspondence).
4. Personal Data We Collect — Purposes and Legal Bases
In accordance with Articles 13 and 14 GDPR, the sections below set out the categories of personal data we process, the purposes of processing, and the applicable legal basis under Article 6 GDPR (and Article 9 GDPR where applicable).
4.1 Personal Data Collected Directly From You
Identity & Contact Details (e.g. name, email address, country of residence): Collected for website access, waitlist registration, responding to enquiries, and partner on-boarding. Legal basis: Performance of a contract (Art. 6(1)(b)); Legitimate interests (Art. 6(1)(f)).
Health Data (Special Category) (e.g. women's health data contributed via partner platforms, with explicit user consent): Used for enabling secure, consent-driven data exchange between platform partners and researchers and improving women's health outcomes. Legal basis: Explicit consent (Art. 6(1)(a) + Art. 9(2)(a)); Scientific research (Art. 9(2)(j)).
Usage Data (e.g. pages visited, features accessed, timestamps, device/browser type): Collected for website security and performance monitoring and troubleshooting. Legal basis: Legitimate interests (Art. 6(1)(f)).
Partner & Business Data (e.g. company name, job title, contact details of partner representatives): Collected for partner relationship management, service delivery, and contract fulfilment. Legal basis: Performance of a contract (Art. 6(1)(b)); Legitimate interests (Art. 6(1)(f)).
Communications Data (e.g. content of enquiries, messages, and correspondence): Collected for responding to enquiries and improving our services. Legal basis: Legitimate interests (Art. 6(1)(f)); Performance of a contract (Art. 6(1)(b)).
Marketing Preferences (e.g. opt-in/out records, communication preferences): Collected for sending relevant communications and managing preferences. Legal basis: Consent (Art. 6(1)(a)); Legitimate interests (Art. 6(1)(f)).
4.2 Personal Data Obtained From Third Parties
Where we receive personal data from third-party sources (in accordance with Article 14 GDPR), those sources may include:
- Partner platforms or applications that integrate with our data exchange infrastructure;
- Publicly available sources such as professional registers or LinkedIn; and
- Business partners or referral partners who have collected your data in accordance with their own privacy notices.
Where we obtain personal data from third-party sources, we will provide you with the information required under Article 14 GDPR within one month of obtaining your data, unless doing so proves impossible or would involve disproportionate effort.
4.3 Special Categories of Personal Data (Health Data)
Hanah Ecosystem's core service involves women's health data, which constitutes a special category of personal data under Article 9(1) GDPR. We process such data only:
- On the basis of explicit, freely given, specific, informed, and unambiguous consent of the data subject (Article 9(2)(a) GDPR);
- For scientific research purposes with appropriate safeguards (Article 9(2)(j) GDPR); or
- Where another condition under Article 9(2) GDPR applies, as communicated at the time of collection.
Users retain full control over their health data at all times. Consent may be withdrawn at any time; consent is enforced in real time, and data sharing stops immediately upon withdrawal. We apply state-of-the-art encryption and privacy-preserving technologies appropriate to the sensitivity of the data.
4.4 Automated Decision-Making and Profiling
We do not carry out automated decision-making, including profiling, that produces legal or similarly significant effects on you within the meaning of Article 22 GDPR.
5. Data Protection Principles (Article 5 GDPR)
We are committed to processing your personal data in accordance with the following principles:
- Lawfulness, fairness and transparency: We process personal data on a valid legal basis, in a fair and transparent manner.
- Purpose limitation: We collect personal data for specified, explicit, and legitimate purposes and do not process it in a manner incompatible with those purposes.
- Data minimisation: We only collect and process personal data that is adequate, relevant, and limited to what is necessary.
- Accuracy: We take reasonable steps to ensure personal data is accurate and kept up to date.
- Storage limitation: We retain personal data only for as long as necessary for the purposes for which it was collected (see Section 8).
- Integrity and confidentiality: We apply appropriate technical and organisational security measures to protect personal data.
- Accountability: We take responsibility for compliance with the above principles and maintain documentation to demonstrate it.
6. Disclosure of Your Personal Data
We may share your personal data with the following categories of recipients:
6.1 Service Providers and Processors
We engage third-party service providers (acting as data processors on our behalf) to support the delivery of our Services. These may include:
- IT infrastructure and cloud hosting providers;
- Encryption and privacy-preserving technology providers;
- Analytics and performance monitoring tools;
- Customer relationship management (CRM) and communication platforms; and
- Security and fraud prevention providers.
All processors are required to process personal data solely on our documented instructions and to maintain appropriate security measures, in accordance with Article 28 GDPR.
6.2 Partner Platforms and Research Institutions
Where you have given explicit consent, your health data may be shared with specific partner platforms, healthcare institutions, or research bodies through the Hanah data exchange infrastructure. Such sharing is governed by data processing agreements and subject to your ongoing consent, which you may withdraw at any time.
6.3 Legal and Regulatory Disclosure
We may disclose personal data to courts, regulators, law enforcement agencies, or other public authorities where required or permitted by law, including to comply with a legal obligation under Article 6(1)(c) GDPR.
6.4 Professional Advisors
We may share personal data with professional advisors (such as lawyers, auditors, and insurers) where necessary for the protection or exercise of legal claims, or for the purpose of obtaining professional advice.
We do not sell your personal data to third parties.
7. International Transfers of Personal Data
Where we transfer your personal data outside the European Economic Area (EEA), we ensure that such transfers are subject to appropriate safeguards in accordance with Chapter V GDPR. These may include:
- An adequacy decision by the European Commission confirming an equivalent level of protection in the destination country (Article 45 GDPR); or
- Standard Contractual Clauses (SCCs) as approved by the European Commission (Article 46(2)(c) GDPR).
Copies of applicable transfer mechanisms can be obtained by contacting us using the details in Section 2.
8. Retention of Personal Data
We retain personal data only for as long as is necessary to fulfil the purposes for which it was collected, including to satisfy applicable legal, accounting, or reporting requirements. The following indicative retention periods apply:
- Contact Data: 1 year after last interaction or account closure — Contractual obligations; legal claims
- Partner & Business Data: Duration of partnership + 5 years — Legal claims; contractual obligations
- Financial & Transaction Data: 7 years from date of transaction — Legal/tax/accounting obligations (Art. 6(1)(c))
- Communications Data: 2 years from resolution — Legal claims; quality assurance
- Marketing Data: Until consent withdrawn or 2 years from last interaction — Consent-based; legitimate interests
- Technical & Usage Data: 3 months from collection — Security and performance monitoring
Where personal data is no longer required, it is securely deleted or anonymised in accordance with our data retention and disposal procedures. Given the sensitivity of health data, we apply enhanced deletion procedures, including cryptographic erasure where technically applicable.
9. Your Rights as a Data Subject
In accordance with Articles 15–22 GDPR, you have the following rights in relation to your personal data:
9.1 Right of Access (Article 15 GDPR)
You have the right to obtain confirmation as to whether we process personal data concerning you and, if so, to receive a copy of that data together with supplementary information about how it is processed.
9.2 Right to Rectification (Article 16 GDPR)
You have the right to obtain the rectification of inaccurate personal data and to have incomplete personal data completed without undue delay.
9.3 Right to Erasure ("Right to Be Forgotten") (Article 17 GDPR)
You have the right to obtain the erasure of your personal data without undue delay where one of the grounds in Article 17(1) GDPR applies. In relation to health data, withdrawal of consent will ordinarily result in the deletion or anonymisation of your data.
9.4 Right to Restriction of Processing (Article 18 GDPR)
You have the right to obtain restriction of processing in certain circumstances, including where you contest the accuracy of the data or object to processing, pending verification.
9.5 Right to Data Portability (Article 20 GDPR)
Where processing is based on your consent or the performance of a contract and is carried out by automated means, you have the right to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format.
9.6 Right to Object (Article 21 GDPR)
You have the right to object at any time to the processing of your personal data where such processing is based on legitimate interests or for direct marketing purposes. Where you object to direct marketing, we will cease processing without delay.
9.7 Right to Withdraw Consent (Article 7(3) GDPR)
Where processing is based on your consent, you have the right to withdraw that consent at any time without affecting the lawfulness of processing carried out prior to withdrawal. For health data, withdrawal of consent will result in the immediate cessation of any ongoing data sharing.
9.8 How to Exercise Your Rights
To exercise any of the above rights, please submit a request to us at info@hanahecosystem.io. We will respond within one month of receipt. Where requests are complex or numerous, we may extend this period by a further two months, in which case we will notify you and explain the reasons for the delay in accordance with Article 12 GDPR.
We will not charge a fee for handling your request unless the request is manifestly unfounded or excessive. We may need to verify your identity before processing your request.
9.9 Right to Lodge a Complaint
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with the supervisory authority in the EU member state of your habitual residence, place of work, or place of the alleged infringement.
A list of EU supervisory authorities can be found at: https://edpb.europa.eu/about-edpb/board/members_en
The supervisory authority in the Netherlands (where Hanah Ecosystem is based) is the Autoriteit Persoonsgegevens (AP), reachable at www.autoriteitpersoonsgegevens.nl.
10. Security of Personal Data
We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of processing, in accordance with Article 32 GDPR. Given the sensitivity of women's health data, these include:
- State-of-the-art encryption of personal data in transit and at rest;
- Privacy-preserving and cryptographic technologies (including zero-knowledge methods where applicable);
- Pseudonymisation of personal data where appropriate;
- Strict access controls and role-based authorisation;
- Regular testing, assessment, and evaluation of our security measures;
- Staff training and awareness programmes; and
- Incident response and breach notification procedures.
In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify you without undue delay in accordance with Article 34 GDPR.
11. Cookies and Similar Technologies
This website does not use cookies or similar tracking technologies. No data is collected through cookies, pixels, or other tracking mechanisms on hanahecosystem.io. Should this change in the future, we will update this Notice and, where required, obtain your prior consent.
12. Children's Privacy
Our Services are directed at healthcare professionals, researchers, and corporate partners, and are not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected personal data from a child, please contact us immediately at info@hanahecosystem.io so that we can take appropriate steps.
13. Links to Third-Party Websites
Our website may contain links to third-party websites, plug-ins, and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control those third-party websites and are not responsible for their privacy practices. We encourage you to review the privacy notice of every website you visit.
14. Changes to This Privacy Notice
We may update this Privacy Notice from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. Where we make material changes, we will notify you in advance by email or prominent notice on www.hanahecosystem.io, and where required by applicable law, seek your consent. The date of the latest update will always be displayed at the top of this Notice.
We encourage you to review this Privacy Notice periodically.
15. Governing Law
This Privacy Notice is governed by and construed in accordance with the laws of the Netherlands and the EU, including the General Data Protection Regulation (EU) 2016/679 (GDPR) and the Dutch GDPR Implementation Act (Uitvoeringswet AVG).