Privacy Policy

First Wellness Testing Group AB Privacy Policy
Version 2.0 - January 2026

1 Introduction

Please be aware that FWT does NOT provide healthcare, medical diagnosis or medical treatment. The information we provide to you is for general information only and does not replace professional consultation with a doctor or other healthcare professional.

Please review this privacy policy thoroughly, as it contains important information about:

• what Personal Data we collect and how we use your Personal Data
• for what purposes and on what legal bases we collect, store and process your
• with whom we share it
• how long we keep it
• what rights you have under data protection laws
• how you can contact us and/or the supervisory authorities

We process your Personal Data in accordance with the EU General Data Protection Regulation (GDPR) and the Swedish Act containing supplementary provisions to the GDPR (2018:218) and related Swedish legislation. For users in the United Kingdom, we also comply with the UK General Data Protection Regulation (UK GDPR) and the UK Data Protection Act 2018.

In this Privacy Policy, references to “GDPR” should be understood as referring to the EU GDPR for users in the EU/EEA and to the UK GDPR for users in the United Kingdom as applicable.

2 When does this notice apply?

This Privacy Policy applies when we process your Personal Data in connection with your use of our services, for example when you:

a) Visit any of our websites, including https://firstwellnesstesting.com, and any other websites that we own and operate.
b) Visit and purchase products via our web shop.
c) Register on our website(s) to receive any of the services that FWT offers and that you request.
d) Access the results reported by the laboratory through our online portal.

Please note that our sites may contain links to third-party websites and services, each of which has its own privacy policy. This Policy does NOT apply to websites or services that we do not control, even if there may be links to these services in any of our websites. Those are subject to their own privacy policies and we recommend that you read those policies carefully before using them.

3 Why do we collect Personal Data and how we use it?

Under GDPR, we must have a legal basis for each processing purpose. Below, we describe our main purposes, with examples and the legal basis for each:

Providing and administering our services

Examples: Creating and managing your account, processing orders and payments, sending test instructions and materials, receiving and linking lab results to your account, displaying test results in the online portal.

Legal basis: Article 6.1 b GDPR (contract performance), Article 6.1 f GDPR (legitimate interest), Article 9.2 a GDPR (explicit consent for health data).

Health data (test results) is processed with enhanced safeguards. You can withdraw your consent at any time.

Communicating with you

Examples: Answering questions and support requests, sending service messages such as order confirmations, test instructions, and result notifications.

Legal basis: Article 6.1 b GDPR (contract performance), Article 6.1 f GDPR (legitimate interest).

This is necessary service communication, not marketing.

Marketing and information about our services

Examples: Sending newsletters and offers, inviting to events and webinars, sending detailed product information upon request.

Legal basis: Article 6.1 a GDPR (consent), Article 6.1 f GDPR (legitimate interest for B2B communication).

You can unsubscribe at any time via the link in our emails.

Improving and protecting our websites and services

Examples: Maintaining usage statistics and analytics, monitoring fraud and abuse, ensuring IT and network security.

Legal basis: Article 6.1 f GDPR (legitimate interest).

We apply measures such as pseudonymization and aggregation where appropriate.

Fulfilling legal obligations

Examples: Meeting accounting and reporting requirements, handling GDPR requests, responding to authority inquiries.

Legal basis: Article 6.1 c GDPR (legal obligation).

Some data must be retained by law even if you request deletion.

Establishing, exercising or defending legal claims

Examples: Handling disputes, documenting legal compliance, managing legal proceedings.

Legal basis: Article 6.1 f GDPR (legitimate interest).

Data is retained only as long as required by applicable limitation periods.

4 Who is responsible for your data?

described in this Privacy Policy. This means that we determine the purposes and means of processing your Personal Data.

If you have any questions about how we process your Personal Data that are not answered in this notice, you can contact us at: privacy@firstwellnesstesting.com

5 What is “Personal Data”?

Personal Data refers to any information that can identify you, directly or indirectly, including your name and contact details, address, date of birth, email address and telephone number, device information (e.g. IP address), payment details, data related to your use of our websites or online services, test identifiers and test results.

In some cases, we may also process your personal identity number, if clearly necessary and justified for the purpose of the processing, in line with Swedish supplementary rules.

6 Information We collect

The Personal Data we collect and use includes both information that you knowingly and actively provide to us when ordering or using any of our services and promotions and any information automatically sent by your devices in the course of accessing our products and services.

We collect only personal data that is necessary, relevant and proportionate for the purposes described in this Privacy Policy and do not request information that is not required for the provision of our services.

When you use our website(s), we may collect the following Personal Data when you

• Name and contact information: we collect your first and last name, email address and telephone number. When necessary for the provision of the services, we may collect your home and/or work address.
• Account and login information: login credentials for our booking system (Rexbooker) or online portal. Communication preferences (e.g. newsletter opt-in).
• Order and service information: products and services you purchase, delivery information, information related to your use of our self-testing services, information you provide in forms, emails or through support.
• Test-related information: unique test identifiers/codes, test results and related information provided by the laboratory. This information is considered “health data” under GDPR and we apply additional safeguards.
• Information automatically collected: some information such as IP address and/or browser and device characteristics is collected automatically when you use our website and/or our booking system Rexbooker. This information does not reveal your specific identity, but may include device and usage information, such as your IP address, browser and device characteristics, operating system, language preferences, country/region (approximate location based on your IP), information about how and when you use our website(s) and services (pages visited, time on page, clicks, etc.) and other technical information and error logs. This information does not usually identify you directly on its own, but it may do so when combined with other information and it may be associated with your account or test if you log in. We primarily use it to maintain the security and operation of our websites and systems, for our internal analytics and reporting purposes and to improve our services and user experience. We limit such collection to what is necessary to ensure the functionality, security and performance of our systems and do not use this information for profiling or marketing purposes without your consent where required by law.

7 Children

We do not knowingly collect Personal Data from children under 18 years of age without the consent of a parent or legal guardian where required by law.

If we become aware that we have collected Personal Data from a child in a way that is not lawful, we will promptly delete that data and, where appropriate, contact the child’s parent or legal guardian.

When we rely on consent for processing children’s Personal Data, we take into account the child’s age and maturity and follow applicable EU and Swedish data protection rules. In particular for children living in Sweden, children aged 13 or older may give their own consent for online information society services, where consent is the relevant legal basis. For younger children we seek consent from a parent or legal guardian.

8 Your Rights and Control over your Personal Data

Under the General Data Protection Regulation (GDPR) you have a number of important rights in relation to your Personal Data. These include the right to:

• Access: you have the right to obtain confirmation as to whether we process data about you and receive a copy of that data.
• Transparency: fair processing of information and transparency over how we process your Personal Data.
• Rectification: you can have inaccurate or incomplete Personal Data corrected.
• Erasure: you can request the deletion of your Personal Data in certain situations.
• Restriction: you can request that we limit the processing in certain circumstances.
• Data Portability: receive Personal Data you have provided to us in a structured, commonly used and machine-readable format and have it transmitted to another controller where technically feasible.
• Object: object to our processing based on legitimate interests, and always to processing for direct marketing.
• Withdraw consent: where processing is based on consent, you may withdraw it at any time. This will not affect the lawfulness of processing before the withdrawal.
• Not to be subject to certain automated decision-making, including profiling, that produces legal effects or similarly significantly affects you, unless conditions in GDPR are met.

If you believe that we have breached a relevant data protection law and wish to make a complaint, please contact us using the details below and provide us with full details of the alleged breach. We will promptly investigate your complaint and respond to you, in writing, setting out the outcome of our investigation and the steps we will take to deal with your complaint. You also have the right to contact a regulatory body or data protection authority in relation to your complaint.

To exercise your rights, please contact us at privacy@firstwellnesstesting.com. We may need to ask for reasonable information to verify your identity before fulfilling your request.

If you are located in Sweden, you also have the right to lodge a complaint with the Swedish Authority for Privacy Protection (IMY) if you believe we process your Personal Data in breach of applicable law (see section 13 below).

If you are located in the United Kingdom, the UK General Data Protection Regulation and the UK Data Protection Act 2018 also apply. You may lodge a complaint with the Information Commissioner’s Office (ICO) or with your local supervisory authority.

9 Security of your Personal Data

We aim to protect your Personal Data through a combination of organizational and technical security measures. Our information security management system is certified according to ISO/IEC 27001, which means that we work in a structured and risk-based way with information security, including regular risk assessments, controls and continuous improvements.

Personal Data is stored on secure servers with access limited to authorised personnel who need the information for their work. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.

Where appropriate, we apply pseudonymisation techniques, including the use of unique test codes, to reduce the linkability of test results to identifiable individuals. Access to re-identification keys is restricted to authorised personnel only.

You are also responsible for maintaining the confidentiality of your account credentials. If you create a password to access our services, you must keep it secure and not share it with others. If you suspect unauthorised access to your account, please contact us immediately.

We apply appropriate technical measures (e.g. access control, encryption where appropriate, multi-factor login and backups) to reduce the risk of unauthorised access, loss, destruction or alteration of Personal Data.

We maintain internal policies, procedures and training designed to ensure that staff handle Personal Data in accordance with applicable laws, ISO/IEC 27001 requirements and our internal rules.

We also have procedures in place to detect, assess and manage suspected Personal Data breaches and will notify you and the relevant supervisory authority where we are legally required to do so.

Despite our measures and our ISO/IEC 27001 certification, no system is completely secure, and the transmission of information via the internet always carries some risk. Any transmission is at your own risk, but we work continuously to reduce that risk as far as

10 Who do we share your Personal Data with?

We only share your Personal Data where we have a legal basis to do so, as described in section 3, for example performance of a contract, legitimate interest, legal obligation or your consent. We only share and disclose your information in the following situations:

• Subcontractors, business partners, consultants and other third-party providers: we may share your Personal Data with certain organisations that perform services for us or on our behalf and require access to such information to do that work, or that need to process information on our behalf. This includes, for example, IT and cloud service providers, booking and scheduling systems, payment service providers, providers of software that we use for data management services and laboratories that analyse samples and report test results. These organisations act as our data processors under Art. 28 GDPR and are bound by written data processing agreements. They may only process Personal Data in accordance with our documented instructions and applicable data protection laws and may not use data for their own purposes.
• Affiliates: we may share your information with our affiliates, in which case we will require those affiliates to honour this Privacy Policy. Affiliates include our parent company and its subsidiaries, joint venture partners or other companies that we control or that are under common control with us.
• Compliance with laws: we may disclose your information when we are legally required to do so in order to comply with applicable law, governmental requests, judicial proceedings, court orders or legal process, such as in response to a court order or a subpoena (including in response to public authorities to meet national security or law enforcement requirements).
• Law enforcement or other authorities: we may disclose your information where we believe it is necessary to investigate, prevent, or take action regarding potential violations of our policies, suspected fraud, situations involving potential threats to the safety of any person and illegal activities, or as evidence in litigation in which we are involved.
• With your consent: we may disclose your Personal Data for any other purpose with your consent. Except under the conditions explained above, we do not share, sell, rent or trade any of your Personal Data with third parties for their promotional

We do not sell, rent or trade your Personal Data to third parties for their own marketing

11 International transfers of Personal Data

Our servers and primary operations are located within the EU/EEA. However, some of our service providers or group companies may be located outside the EU/EEA.

If you are in the European Economic Area (EEA, being the European Union member states plus Norway, Iceland and Liechtenstein), your Personal Data will only be transferred outside the EEA if we can ensure that one of the following applies:

• The European Commission has decided that the country ensures an adequate level of protection, for example where the European Commission has adopted an adequacy decision in respect of a country or specific framework, such as the EU–US Data Privacy Framework (DPF);
• We use Standard Contractual Clauses (SCCs) adopted by the European Commission, together with additional safeguards where necessary; or
• Another appropriate safeguard or derogation under GDPR applies.

You may request further information about the safeguards applied to international transfers, including a copy of relevant contractual safeguards where applicable, by contacting us at privacy@firstwellnesstesting.com. For users in the United Kingdom, transfers of Personal Data from the UK to countries outside the UK are made in accordance with UK data protection law (UK GDPR and Data Protection Act 2018), for example based on UK adequacy regulations or on appropriate safeguards such as the UK International Data Transfer Agreement (IDTA) or the UK addendum to EU SCCs.

Data provided by UK users is primarily stored and processed within the EU/EEA or the UK. If we transfer your Personal Data to a country outside the EU/EEA or the UK, we will ensure that appropriate safeguards are in place and that your rights are protected.

For more information about EU international transfers and the EU–US Data Privacy Framework, see the European Commission’s data protection pages. For UK users, further guidance on international transfers is available from the Information Commissioner’s Office (ICO).

12 How long do we keep your Personal Data ?

We keep your Personal Data only for as long as necessary for the purposes described in this Privacy Policy, unless a longer retention is required or permitted by law (for example for tax or accounting purposes, or for as long as required by applicable laws in Sweden, the UK and the EU). When the relevant purpose has been fulfilled, we either delete the data or irreversibly anonymise it so that it can no longer be linked to you.

Because we operate in more than one country and for different types of customers, retention periods differ depending on the context:

12.1 Test related data

We generally keep identifiable test-related data (for example, your contact details linked to a test and the test result) for up to ten (10) years from the date of your last test, unless a longer or shorter period is required or permitted by law.

• Provide you with access to your previous results
• Handle questions or complaints about a test, and
• Establish, exercise or defend legal claims in connection with the service

Where we no longer need identifiable test data for these purposes, we will anonymise or delete it.

When your sample is analysed by a partner laboratory, we send only a coded sample and test information – not your name or contact details. The code that allows us to link the result to you is stored in our systems only for a limited period as described above and is then deleted or irreversibly separated from the laboratory record. After that point, neither we nor the laboratory can identify you from the laboratory’s retained test records.

During the period before deletion of the code, FWT remains your primary point of contact in relation to the Services we provide and for exercising data protection rights in respect of processing carried out by FWT. Where a laboratory acts as an independent data controller for its own statutory obligations, you may also exercise your rights directly with that laboratory in accordance with this privacy notice.

12.2 Laboratory partners and healthcare specific rules

When your sample is analysed by a laboratory partner, that laboratory may retain data associated with a coded identifier for a longer period than we do, in line with its own legal obligations and professional standards.

The laboratory processes coded samples and related test information on our behalf under a written processing agreement. The laboratory does not receive your name or contact details and cannot independently identify you from the coded sample. Retention of coded laboratory data is governed by contractual agreements and applicable legal requirements that may determine its own retention periods. FWT does not determine or control the retention periods applied by the laboratory or healthcare provider in respect of such statutory obligations.

12.3 Marketing data

If you have consented to receive marketing from us (or we send marketing based on legitimate interest where permitted by law), we will keep your contact details for marketing purposes until you withdraw your consent or object to marketing.

If you unsubscribe or object, we will stop using your data for marketing but may keep limited information (for example, your email address on a “Do-not-contact” list) to ensure we respect your choice.

12.4 Contract, accounting and tax records

We are legally required to keep certain records that may contain Personal Data (for example, invoices, payment records, contracts and correspondence relating to transactions) for minimum periods set by accounting and tax laws, typically:

• at least seven (7) years in Sweden, counted from the end of the financial year
• six (6) years in the UK, counted from the end of the relevant financial year or accounting period, in accordance with applicable UK legislation.

Where necessary, we may also retain limited Personal Data for the duration of applicable limitation periods to establish, exercise or defend legal claims.

12.5 Anonymised data

We may retain anonymised data (data that can no longer be linked to you) for a longer period, for example to produce statistics, improve our services or for research and development. Anonymised data is no longer Personal Data and is not subject to data-

13 How to contact us and how to complain

If you have any questions, concerns or complaints regarding our processing of your Personal Data, you can contact us at:

Email: privacy@firstwellnesstesting.com
Birger Jarlsgatan 41A
SE-111 45 Stockholm, Sweden

If you are located in Sweden you also have the right to lodge a complaint with the Swedish Authority for Privacy Protection (IMY): www.imy.se

The General Data Protection Regulation gives you the right to complain to the supervisory authority in the EU/EEA country where you habitually work, normally live or where you consider that the alleged infringement of data protection law has occurred.

If you are located in the United Kingdom, you also have the right to lodge a complaint with the Information Commissioner’s Office (ICO): www.ico.org.uk

14 Changes to this privacy policy

This Privacy Policy was first published and effective as of 10 May 2022 and last updated on 31 January 2026.

We may change this Privacy Policy from time to time, for example to reflect changes in our processing or in applicable laws. When we make significant changes we will inform you via our website and, where appropriate, via email or other channels.

The latest version will always be available on our website and will indicate the date of the last update.

Last updated: 31 January 2026

First Wellness Testing Group AB
Birger Jarlsgatan 41A, 111 45 Stockholm, Sweden
Email: info@firstwellnesstesting.com