Privacy Statement for the Coronafree app

Please review Giddir’s Privacy Policy carefully before you start using the Coronafree application.

You can read more about Giddr's general privacy practices in the full Privacy Policy. Please read the summary below for the important considerations.


Please note that you control your data, it is always your choice what you want to share. Coronafree will never collect anything without your knowledge or consent. For the Coronafree app to function correctly, the app will ask for some information about you. Please know that using this app is a free choice, and you can always opt out of using Coronafree if you do not agree with sharing the information that's asked of you.


The Coronafree app will:

  • Ask for permission to collect your first name & Last name, person number, and date of birth. The purpose is to be able to verify your identity and connect what data belongs to you. Health Certificates are generated from the personal information you consent to be used for this purpose

  • Ask you to share your passport number with the app if you wish. The only purpose for this is that when traveling, most countries require that a Covid-19 health certificate contain a passport number. You can always change or remove your passport number if you wish to

  • Ask you to share contact information with the app if you wish (Email or Phone number). The purpose of this is that it can be necessary if your care provider needs to contacts you regarding your visit or test

  • Ask for permission to access your camera when using the scanning feature. The only purpose for this is to be able to scan QR codes. Please note that no images, video, or audio is collected or stored from you


The Coronafree app will not:

  • Track your location or movement

  • Track people with positive Covid-19 results

  • Share your information with anyone that you don't choose to share it with

  • Collect your physical living address


It is always your choice to share your credential with a verifying organization (e.g., airports, events), who may scan your credentials QR code to verify it. Different organizations may have explicit requirements for visitors to provide a health certificate in order to enter their locations. Please make sure you understand their policies and privacy practices. Note that Coronafree will never share, transfer, or otherwise make your certificate accessible to any verifier. The only time any verifying party will be able to see your certificate is when you choose to share it.

Our Global Privacy Policy

Last Updated: 2021-03-19

Giddir AB. and its affiliates (collectively “Giddir”, “we”, "our", and “us”) Highly value your privacy. We offer Services that enable stakeholders in the health care sector and their patients to efficiently and securely process and exchange health care information.


This policy outlines the categories of data we collect through our products and Services (collectively, our “Services”) and via our online presence, which includes our main websites &, as well as Services and websites that we enable internet users to access, such as, but not limited to Coronafree Clinic (collectively, our “Sites”). This policy also details how we use Personal Data, with whom we share it, your rights, and how you can contact us about our practices. Our policy does not apply to any third-party websites, products, or Services, that may be associated with us. We advise you to always consider the privacy practices of those third parties carefully.



Giddir collects data about you from various sources to be able to provide our Services and to manage our Sites. “You” may be a visitor to one of our sites, a Customer of one or more of our Services (“Customer” or “Giddir customer”), or an End-user to one of our Customers (“End-user”). If you are an End-user, Giddir might not always collect data directly from you. Your agreement with the relevant Giddir Customer should define how that Customer shares your data with Giddir, and if you have questions about this sharing, then you should direct those questions to that Giddir Customer.


Data we collect

Personal data is any information that correlates to an identified or identifiable individual. Giddir is committed to Privacy By Design and data minimization, we will never ask you to provide any personal information unless it is essential in order to provide a Service you wish to use. The data that you provide directly to us via our Sites and/or Services will always be apparent from the context in which it is asked to be provided. All data we collect is with explicit consent from you as a user. In particular;


  • When you log in and register your account or an account you manage for a person the first time. Depending on which one of our services you wish to use, personal data such as First name & Last name, email address, phone number, person number, date of birth, signature, employment role, and alternative personal IDs like a passport number may be collected.

  • When you take a test that is sent to one of the clinical laboratories we work with, data such as test result, patient ID, location, time & date, clinic, and the treating doctor may be collected.

  • When upon your request to import data from a third-party system to us, we may collect the data included in the file, image, code, text, document, audio, or any other data format we have collected upon your request or that you've submitted from a third-party system.

When you send and/or respond to any Giddir emails or surveys we may collect information such as your email address, name, and any other information you choose to include in the body of your email or responses directed at us. If you contact us by phone, we may collect the phone number you used to call us with. If you contact us as a Giddir Customer, you may be asked to provide additional information in order for us to verify your identity. All personal data we collect is always processed and stored within the European Union when required by law.

Data we collect automatically via our Sites.

Our Sites use cookies and other technologies to operate effectively. These technologies collect information about your use of our Sites, such as but not limited to IP address, browser, device type, and screen resolution. For more information, we ask you to view our Cookie Policy.


How we use personal data

We always rely upon various legal grounds to ensure that our use of your data complies with applicable laws, such as but not limited to GDPR. We use personal data in order to provide our various Services where connecting information to an identifiable individual is required. 

Disclosure of Personal Data

Giddir will never sell, rent, and/or distribute personal data to marketers or unaffiliated third parties. We only share your personal data with trusted and authorized entities and Service providers that provide Services on our behalf. Giddir will never share your data unless it is essential in order to provide a Service that you wish to use, and will only share data that is essential. 


Minors & Managed accounts

Our services that require the collection of personal data are not meant for individuals under the age of thirteen (13). We request that no personal data is submitted from individuals under that age. If you are a parent to a minor or a legal guardian to an individual incapable of using our services on their own, some of our services provide a "Managed account" function. This function allows you to manage that individual's account and data on their behalf. The data will be subject to the same protection and rights as all other data under this Privacy Policy.

Retention period

Giddir will only retain your personal information for as long as it’s required to fulfill the purposes for which the information is processed, as needed to provide you services, or for other valid reasons to retain your personal information (for example to comply with our legal obligations, resolve disputes, or enforce our agreements).

Business transactions 

If Giddir is subject to, a transaction that will change the structure of our organization, for example in the case of a reconstitution, merger, acquisition, change of control, transfer, joint venture, or any other disposition of our assets or stock, your data may be shared with third parties in consolidation with that transaction. Any entity which acquires a part of, or the entirety of our business will maintain the right to continue to use your data. However, that right only extends to the manner described in this Privacy Policy unless you give your explicit consent to a new policy.


Our entities 

Your data may be shared with other Giddir entities in order to provide our Services, for internal administration, and customer support purposes. Data access is always limited to authorized and essential Giddir entities. 


Service providers

We share your data with a restricted number of our Service providers. We have providers that perform Services on our behalf, such as identity verification services, website hosting, data analysis, information technology, related infrastructure, customer service, email delivery, and auditing services. These Service Providers may need to access some personal data to perform their Services. We will always authorize such providers and only grant access or disclose data when it's necessary to perform Services on our behalf or when it's legally required. All providers performing Services on our behalf are always required to contractually commit to protect the confidentiality and integrity of all personal data processed on our behalf. All our Service providers are located and process their data within the European Union and are in compliance with applicable laws and regulations to the best of our knowledge. We conduct audits of our Service providers' compliance with laws and regulations regularly to ensure the integrity of data. If any of our Service providers become incompliant with any applicable law or regulation, we will cease our relations and cut off all data communication with that Service provider immediately. 


Business partners

We may share personal data with third-party business partners when it is essential to provide Services to our users. Examples of third parties to whom we may disclose personal data for this purpose are clinical laboratories and health care providers when processing, analyzing and validating test results on behalf of a patient. When we share data with these third-party Business partners, we never disclose more data than required to perform a Service. All our business partners are contractually obligated to protect the confidentiality and integrity of all personal data to the same extent as we are. Continued and/or deliberate failure to comply with applicable laws or regulations from any of our Business partners, will result in Giddir immediately ending its relationship with that Business partner.


Your data protection rights

Depending on where you reside and applicable laws in that area, you may have the following rights concerning the data we control about you:


  • The right to request confirmation from Giddir whether we are processing any personal data relating to you. And if so, the right to request a copy of that data being processed;

  • The right to request that Giddir corrects or updates any personal data on you that is inaccurate, incomplete, or outdated. Please note that you are solely responsible for the accuracy of any information submitted or edited by you, relating to your personal data or data relating to a person whose account you manage.

  • The right to request that Giddir delete any or all personal data on you in the circumstances where it is required by law;

  • The right to request that Giddir limit the use of any personal data on you in certain circumstances where it is required by law; and

  • The right to request Giddir to export the personal data we hold on you to another company, where technically feasible.


Where the processing of your Personal Data is based on your given consent, you will always have the right to revoke your consent at any given time. On grounds relating to your distinct circumstances, you may also have the right to object to the processing of your data. 


To exercise your data protection rights, you may contact Giddir as specified under the section below "Jurisdiction and contact". We treat every inquiry we receive with a high level of seriousness. Giddir will always comply with your request to the extent demanded by applicable laws and regulations. Please note that we will not be able to respond to inquiries if we no longer hold any personal data on you. If you feel that Giddir has not given you a satisfactory response to your inquire, you may consult with the proper data protection authority in your country. To protect your integrity, we may need to verify your identity before administering your inquiry, such as verifying that the email address from which you send the request matches the one we have in our system. If you are an End-user of a Giddir Customer, we advise you to direct your inquiries directly to that Giddir Customer.


Our commitment to security

Giddir makes reasonable efforts to ensure a high level of security appropriate to the associated risks when processing any personal data. We keep organizational, administrative, and technical measures that are designed to protect the integrity of sensitive data within our organization against unauthorized access, loss, destruction, tampering, or misuse. Sensitive information such as personal data is only accessible to a restricted number of Giddir personnel who need access to perform their duties. Please note that no data storage system or communication can be guaranteed to be 100% secure, unfortunately. If you have reason to believe that your interaction with us has been compromised or is no longer secure (for example, tampering or unauthorized access to your account), please contact us immediately.


Updates to this policy

We may change this Privacy Policy from time to time to reflect new laws and regulations, the introduction of new Services, or general changes to our practices. There will always be a “Last Updated” legend at the top of this Privacy Policy that indicates when the policy was last revised. Any changes enter into effect when we post the revised Privacy Policy on the Services. The latest version of this policy will always be available on our websites.


Jurisdiction and contact

The entity responsible for the collection and processing of data for residents of the European Economic Area (EEA), the UK, and Switzerland is Giddir AB, a company incorporated in Sweden with its office at Nybrogatan 34 102 45 Stockholm Sweden. For questions or to exercise your rights, our Data Protection Officer may be contacted via


If you reside in the EEA and believe we process your information in the scope of the General Data Protection Regulation (GDPR), we advise you to direct your questions and/or complaints to the Office of the Data Protection Commissioner. For residents of the UK, we advise you to direct your questions and/or concerns to the UK Information Commissioner’s Office.


If you have any questions or concerns regarding our Privacy Policy, feel free to contact us via or send physical mail to:



Giddir AB

Nybrogatan 34,

102 45 Stockholm Sweden.