Privacy Policy

We prioritize your personal privacy and actively work to ensure the protection of your personal data when you use our services. Our privacy policy below clearly describes how we process, use, and protect your personal data as well as the rights you have as a data subject.

Protected personal data

For privacy and security reasons, we cannot offer the Services to individuals with protected personal data (confidentiality marking, protected population registration, or fictitious personal data). Please contact us at info@testmottagningen.se if you are unsure.

1. General

This privacy policy describes how we, Testmottagningen Sweden AB, reg. no. 556983-2750 (“Testmottagningen”, “us”, “our”, “we”), process your personal data when you use our services (the “Services”). Testmottagningen Sweden AB was previously named 19Plus AB (same registration number).

Testmottagningen Sweden AB is a healthcare provider and the data controller for the processing of your personal data within healthcare services. Results from diagnostic services, communication with physicians, and patient data are handled via the results service Zample (app.zample.com), which is operated by Zample AB. Zample AB processes personal data as a data processor on behalf of Testmottagningen when the data is used within healthcare services. For processing that Zample AB performs as an independent data controller (e.g., certain account-related data), please refer to Zample AB’s privacy policy in the results service.

Testmottagningen.se is an e-commerce platform offering healthcare services such as mediation of sampling, laboratory analyses, medical examinations (including imaging diagnostics), as well as issuance of test results and medical statements (via zample™) with physician assessment and, where necessary, follow-up consultations.

The results service zample™ presents test results and outcomes from connected laboratories and collaborating healthcare providers and enables you as a user to access your health data over time.

2. Data controller and Data Protection Officer

Testmottagningen Sweden AB is the data controller for the processing of your personal data.

We have appointed a Data Protection Officer (DPO) in accordance with the General Data Protection Regulation (GDPR). If you have questions about how we process your personal data or wish to exercise your rights, you are welcome to contact our Data Protection Officer via dpo@testmottagningen.se or by post: Testmottagningen Sweden AB, Attn: Data Protection Officer, Själagårdsgatan 9, SE-111 31 Stockholm.

3. Purposes of processing, retention period and legal basis

We process personal data that you provide to us in connection with purchases, activation of referrals and use of zample™, completion of examinations, or contact with our customer service. We also process technical information when you visit our website.

Processing purchases and administering orders

We process data such as name, personal identity number or coordination number (where applicable), contact details and purchase history in order to administer orders and payments.

When a referral is activated, we process personal identity number or coordination number as well as contact details in order to link the referral and test results to the correct individual and enable service communication/support via zample™.

If you purchase a service that is to be used by someone else, we process your data related to the purchase (e.g. payment and receipt). To use the service, a zample™ account is required. When the referral is activated, we process data about the person who will undergo the examination in accordance with the section “Providing healthcare services”.

Legal basis: Article 6(1)(b) GDPR (performance of a contract).

The data is stored as long as necessary to administer your order and fulfill the contract. Thereafter, data is stored to the extent required under the Accounting Act or other applicable legislation. Data covered by the Accounting Act is stored for at least seven (7) years after the end of the financial year in which the transaction was carried out.

For storage of account data in zample™, please refer to Zample AB’s privacy policy.

Providing healthcare services

We process health data such as health declarations, test results, examination results and medical assessments in order to provide healthcare, document and maintain medical records, and, where necessary, follow up care. We may also offer the possibility to book and carry out medical consultations with a licensed physician, for example for follow-up of test results or advice. Data processed in connection with such consultations, including medical records and communication, is handled in accordance with applicable healthcare legislation and the Patient Data Act.

Legal basis: Article 6(1)(c) GDPR (legal obligation) and Article 9(2)(h) GDPR (provision of healthcare). Where applicable, processing is also based on Article 6(1)(b) GDPR (contract).

Medical records are stored for at least ten (10) years from the date of the last entry in accordance with the Patient Data Act.

Communication and support

We process contact details in order to communicate with you, send information about your orders, contact you in case of medically deviating results or events, and manage support cases.

Communication relating to your order, referral and test results constitutes service communication. Marketing is only sent if you have provided separate consent in accordance with the section “Marketing, review invitations and market surveys”.

Legal basis: Article 6(1)(b) GDPR (contract) and Article 6(1)(f) GDPR (legitimate interest in providing customer service).

Support cases are stored for up to 24 months after the case has been closed, unless longer storage is required by law or the data forms part of medical records.

Marketing, review invitations and market surveys

If you actively consent, we may process your contact details (e.g. email address and phone number) in order to send marketing via email and SMS, as well as invitations to reviews and customer or market surveys. You may withdraw your consent at any time via settings in your zample™ account and/or via the unsubscribe link in our communications or by contacting us.

Depending on how the communication is carried out, we may either send invitations ourselves or use third-party providers for this purpose (e.g. Trustpilot for review invitations). In cases where third-party providers are used, we may share your name and email address in order to enable the communication. In other cases, communication is sent directly from us without sharing personal data with third parties.

Legal basis: Article 6(1)(a) GDPR (consent).

The data is processed for this purpose until you withdraw your consent. We may also retain information about your consent (e.g. time and choice) as long as necessary to demonstrate that consent has been given.

Employer-funded health checks and group-level reporting

If a health check is funded by your employer, we process personal data in order to administer the order and deliver the service. In such cases, we may receive your contact details (e.g. email address) from your employer in order to provide you with access to the service and enable completion of the health check.

We may provide the employer with a report containing aggregated results at group level, such as proportions and trends related to health risks based on test results, as well as overall results from supplementary question areas such as sleep, stress and well-being. The report does not contain individual test results or other data that identifies individuals.

The report may, where groups are sufficiently large, be filtered at department level. To reduce the risk of indirect identification, we apply privacy-protective methods in reporting, such as minimum group sizes and limitation or suppression of results in smaller groups. If a group is too small to ensure anonymity, certain results may be omitted entirely.

The employer does not have access to individual test results, medical assessments or other data that can be linked to an individual.

Participation in the health check does not mean that your employer gains access to your individual health data.

Legal basis: Article 6(1)(b) GDPR (performance of a contract) for administration and delivery of the service. Processing of health data is based on Article 9(2)(h) GDPR (provision of healthcare) and Article 6(1)(c) GDPR (legal obligation) to the extent required for medical records and healthcare obligations.

Group-level reports are stored as long as necessary for the purpose and in accordance with the agreement with the employer, after which they are deleted.

Website, analytics and improvement

When you visit our website, technical information such as IP address, device information and log data is processed in order to ensure functionality and security and to prevent misuse of the service.

Legal basis: Article 6(1)(f) GDPR (legitimate interest).

Log data is normally stored for up to twelve (12) months, unless longer storage is required to investigate security incidents or comply with legal obligations.

Non-essential cookies and analytics tools are only used after you have provided consent in accordance with Article 6(1)(a) GDPR. Data processed through cookies is stored in accordance with the retention periods specified in our cookie policy. You may withdraw your consent at any time via our consent module.

Compliance with legal obligations

We process personal data when required by law, for example under the Patient Data Act, the Accounting Act, data protection legislation or authority decisions.

Legal basis: Article 6(1)(c) GDPR and, where applicable, Article 9(2)(h) GDPR.

Updated 2026-05-05