
Privacy Policy

Last updated: May 12, 2026

We highly value your privacy and are actively committed to protecting your personal data when you use our services. In this privacy policy, we explain how we process, use, and protect your personal data, and what rights you have as a data subject.

1. General

This privacy policy describes how we, Zample B.V., registered with the Dutch Chamber of Commerce under number 42033790, VAT number NL869402444B01, with its registered office and principal place of business at Sportlaan 524, 2566 ME The Hague, the Netherlands ("Zample B.V.", "us", "our", "we"), process your personal data when you use our services (the "Services").

Zample B.V. is a healthcare provider within the meaning of the Dutch Healthcare Quality, Complaints and Disputes Act (Wkkgz) and acts as the controller for the processing of your personal data within the healthcare services offered through our website and platform. On April 18, 2026, Zample B.V. notified the CIBG as a new healthcare provider in accordance with the Dutch Healthcare Providers Entry Act (Wtza). Following the assessment by the CIBG (reference Tza 145101), Zample B.V. was determined not to fall under the licensing requirement. The notification obligation has been fulfilled.

Domain structure: zample.nl is the Dutch referral domain and redirects visitors to zample.com/nl. The primary domain on which the services are provided is zample.com. This privacy policy applies to the processing of personal data in connection with the use of zample.nl and zample.com/nl.

The Dutch services are available through zample.com/nl. All processing activities related to both zample.nl and zample.com/nl are governed by this privacy policy.

Zample B.V. offers diagnostic and reporting services on the Dutch market.

We offer a digital health platform that enables consumers to independently request, book, and coordinate laboratory diagnostics, including blood tests and other diagnostic examinations, and reports reviewed by a licensed physician. Through the zample™ results service, customers can access and review health data online.

The technical platform and results service zample™ (app.zample.com) is operated by Zample AB, a company incorporated under Swedish law. Zample AB acts as a processor on behalf of Zample B.V. within the meaning of Article 4(8) GDPR and processes personal data solely on behalf of and according to the written instructions of Zample B.V.

1.1 Pre-launch (waitlist)

zample.nl is currently in a pre-launch phase. During this phase, services cannot yet be purchased. You may register for the waitlist via zample.nl, and we process your email address in order to inform you once our services become available through zample.com/nl.

1.2 Launch phase (healthcare services)

Once the Dutch services are launched via zample.com/nl, Zample B.V. will act as a healthcare provider. At that point, we will process personal data (including health data) in order to provide healthcare services in accordance with applicable laws and professional obligations.

1.3 Results and the zample™ platform

Once our services have launched, results may be made digitally available through zample™ (the platform). Access to your results requires an account. You may log in using your email address and password, or through Google Sign-In. Information regarding the account and platform is included in the relevant platform policies.

2. Controller and contact details

Zample B.V. is the controller responsible for processing your personal data in connection with the Services.

Explanation: Zample B.V. has appointed a GDPR responsible person who internally oversees compliance with privacy legislation. Ultimate responsibility for the processing of personal data remains with Zample B.V. as the controller. Zample B.V. will assess in due course whether the appointment of an independent Data Protection Officer (DPO) pursuant to Article 37 GDPR is required or desirable.

3. Purposes of processing, retention periods, and legal basis

We process personal data that you provide to us in connection with purchases, activation of referrals, use of zample™, conducting examinations, reporting, and communication with our customer service. In addition, we process technical data when you visit our website.

3.1 Waitlist (pre-launch)

Purpose: managing the waitlist and informing you once zample.nl has launched and purchases become possible.

Legal basis: Article 6(1)(a) GDPR (consent).

Retention period: until launch and six (6) months thereafter, or until you withdraw your consent or unsubscribe (whichever occurs first). We retain minimal records of consent and withdrawal in order to demonstrate compliance.

3.2 Processing purchases and administering orders

We process data such as your name, date of birth, contact details, and purchase history in order to administer orders and payments. Payments are processed through Stripe (Stripe Payments Europe Ltd, Dublin), a certified payment service provider. Stripe processes your payment data (such as card information) directly and in accordance with the PCI-DSS standard; Zample B.V. does not store complete payment details. The available payment methods are: iDEAL, bank transfer (SEPA), credit card, PayPal, Klarna, Apple Pay, and Google Pay.

Platform access and Google Sign-In: to access your account and results, you may log in using your email address and password, or via Google Sign-In. When using Google Sign-In, Zample B.V. receives limited profile data from Google (name and email address) solely for identification and login purposes.

No reimbursement by health insurance: the services of Zample B.V. are exclusively direct-to-consumer services. Costs are not reimbursed by the Dutch basic health insurance scheme (Zvw), supplementary health insurance, or any other health insurer. We do not process insurance claim data with health insurers.

Legal basis: Article 6(1)(b) GDPR (performance of a contract). For the processing of the Dutch citizen service number (BSN): Article 6(1)(c) GDPR in conjunction with the Wabvpz.

Retention period: as long as necessary for the performance of the agreement; thereafter at least seven (7) years pursuant to Article 52 of the Dutch State Taxes Act and Book 2 of the Dutch Civil Code.

3.3 Provision of healthcare services

We process health data such as health declarations, results, examination findings, reports, and medical assessments in order to provide healthcare services, document and register information in the medical record, and follow up on healthcare where necessary.

Legal basis: Article 6(1)(c) GDPR (legal obligation) and Article 9(2)(h) GDPR (provision of healthcare), in conjunction with the Wgbo, Wkkgz, and Wabvpz.

Retention period: medical record data is retained pursuant to Article 7:454 of the Dutch Civil Code (Wgbo) for twenty (20) years after the latest modification, or longer if reasonably necessary in accordance with good healthcare practice.

3.4 Communication and support

Legal basis: Article 6(1)(b) GDPR (contract) and Article 6(1)(f) GDPR (legitimate interest in providing customer support).

Retention period: support requests are retained for up to twenty-four (24) months after completion, unless longer retention is legally required or the data forms part of the medical record.

3.5 Marketing, review invitations, and market research

If you actively provide consent, we may process your contact details in order to send marketing communications via email and SMS and to send invitations for reviews and customer or market research surveys. You may withdraw your consent at any time.

Legal basis: Article 6(1)(a) GDPR (consent). Electronic direct marketing is also subject to Article 11.7 of the Dutch Telecommunications Act.

3.6 Employer-funded health checks and group reporting

If a health check is funded by your employer, we may provide the employer with a report containing aggregated results exclusively at group level. The report does not contain individual results or identifiable personal data. In accordance with the Dutch Working Conditions Act and the guidelines of the Dutch Data Protection Authority, employers never receive individual employee health data.

3.7 Website, analytics, and improvement

Legal basis: Article 6(1)(f) GDPR (legitimate interest). Non-essential cookies are only used following your consent in accordance with Article 11.7a of the Dutch Telecommunications Act.

Retention period: log data is retained for a maximum of twelve (12) months, unless longer retention is required for security investigations or legal obligations.

3.8 Compliance with legal obligations

Legal basis: Article 6(1)(c) GDPR and, where applicable, Article 9(2)(h) GDPR (Wgbo, Wkkgz, Wabvpz, GDPR/UAVG, tax legislation).

4. With whom do we share your personal data?

Your personal data is only shared with recipients insofar as necessary to provide our services or where we are legally obliged to do so. Only authorized personnel who require the data for their work have access to special categories of personal data.

4.1 Processor: Zample AB

The zample™ platform and results service are technically provided by Zample AB (Sweden). Zample AB processes personal data solely on behalf of Zample B.V. on the basis of a data processing agreement in accordance with Article 28 GDPR.

This agreement sets out, among other things: the subject matter and duration of the processing, the nature and purpose of the processing, the categories of personal data and data subjects, security measures, obligations regarding subprocessors, the procedure in the event of data breaches, and the audit rights of Zample B.V.

The data processing agreement is signed before the commencement of processing. Processing by Zample AB takes place within the EEA; processing in Sweden does not constitute a transfer to a third country within the meaning of Chapter V GDPR.

4.2 Other partners and suppliers

We may share personal data with the following categories of recipients:

  • laboratories, clinics, and healthcare providers that perform sample collection, analyses, and examinations;
  • physicians and medical consultants who review results and verify reports;
  • IT and hosting providers for systems, data storage, and technical infrastructure;
  • providers of communication services (SMS and email distribution);
  • payment service providers: Stripe Payments Europe Ltd (Dublin) for transaction processing;
  • Google Ireland Ltd for Google Sign-In;
  • professional advisers (accountants and legal advisers) bound by confidentiality obligations;
  • providers of review and customer research services (such as Trustpilot).

When external suppliers process personal data on our behalf, this takes place under a data processing agreement in accordance with Article 28 GDPR. All processing activities are maintained in the processing register of Zample B.V. pursuant to Article 30 GDPR.

Certain recipients, such as laboratories and other healthcare providers, may act as independent controllers for processing activities carried out within the scope of their own operations.

4.3 Authorities

We may provide personal data to authorities (including the Dutch Health and Youth Care Inspectorate, the Dutch Data Protection Authority, and the Dutch Tax Administration) when we are legally obliged to do so or pursuant to an authorized decision.

4.4 Transfer of the business

In the event of a restructuring, merger, or transfer of the business, personal data may be transferred to the acquiring party in accordance with applicable data protection legislation.

5. How do we protect your personal data?

We implement appropriate technical and organizational security measures in accordance with Article 32 GDPR to protect your personal data. As a healthcare provider, we align with the applicable standards for information security in healthcare, including NEN 7510, NEN 7512, and NEN 7513.

Our security measures include, among other things:

  • role-based and task-oriented access control;
  • encryption of personal data during transmission and storage, where appropriate;
  • secure login and authentication mechanisms;
  • protection through firewalls, intrusion prevention, and continuous monitoring;
  • regular backups and data recovery procedures;
  • internal policies, training, and confidentiality obligations for personnel;
  • periodic testing and evaluation of our security measures.

We maintain a documented data breach procedure in order to detect, internally assess, handle, and report personal data breaches. The procedure includes the following steps:

  • Detection and internal reporting: employees and processors (including Zample AB) are required to internally report any suspected breach immediately, and no later than 24 hours after discovery, to the GDPR responsible person of Zample B.V.
  • Assessment and documentation: the GDPR responsible person assesses the nature, scope, and risk of the breach and records the findings in the internal incident register.
  • Notification to the Dutch Data Protection Authority: if the breach poses a risk to the rights and freedoms of data subjects, Zample B.V. will report it within 72 hours after becoming aware of it to the Dutch Data Protection Authority (Article 33 GDPR), even if the assessment has not yet been fully completed.
  • Notification to data subjects: if the breach is likely to result in a high risk to your rights and freedoms, affected individuals will be informed directly without undue delay (Article 34 GDPR), with a clear description of the breach, its possible consequences, and the measures taken.
  • Follow-up: after handling the breach, Zample B.V. evaluates the cause of the incident and, where necessary, implements additional technical or organizational measures to prevent recurrence.

Zample AB is contractually obliged to report a breach to Zample B.V. within 24 hours after discovery so that Zample B.V. can comply with the statutory 72-hour notification deadline.

6. Where is your personal data processed?

As a general principle, we process your personal data within the European Economic Area (EEA). Processing by Zample AB takes place in Sweden, also within the EEA.

If, in certain cases, personal data is transferred outside the EEA, we ensure that this takes place through an approved transfer mechanism in accordance with Chapter V GDPR, such as an adequacy decision of the European Commission or Standard Contractual Clauses (SCCs). Where necessary, we carry out a Transfer Impact Assessment (TIA) and implement additional safeguards.

7. Your rights

As a data subject, you may exercise your rights via [email protected]. We will respond no later than one (1) month after receipt of your request. We may request additional information in order to verify your identity.

As a data subject, you have the following rights:

  • Right of access (Article 15 GDPR): you have the right to obtain confirmation as to whether we process your personal data and to access such data.
  • Right to rectification (Article 16 GDPR): you may request correction of inaccurate or incomplete data.
  • Right to erasure (Article 17 GDPR): in certain cases, you may request that your data be erased. This right does not apply where we are legally required to retain the data (for example under the Wgbo, Wkkgz, or tax retention obligations).
  • Right to restriction of processing (Article 18 GDPR): in certain situations, you may request restriction of the processing.
  • Right to data portability (Article 20 GDPR): where processing is based on consent or contract, you may receive your data in a structured, commonly used, and machine-readable format.
  • Right to object (Article 21 GDPR): you may object to processing based on legitimate interest, and you may always object to processing for direct marketing purposes.
  • Right to lodge a complaint: you may lodge a complaint with the Dutch Data Protection Authority, Postbus 93374, 2509 AJ The Hague, the Netherlands (www.autoriteitpersoonsgegevens.nl).

We do not apply fully automated decision-making that produces legal effects concerning you or similarly significantly affects you within the meaning of Article 22 GDPR.

7.1 Specifically regarding medical records and healthcare complaints

In addition to your GDPR rights, special provisions under the Dutch Medical Treatment Contracts Act (Wgbo) apply to your medical record. You have the right to access and obtain a copy of your medical record (Article 7:456 Dutch Civil Code) and may request destruction of the record (Article 7:455 Dutch Civil Code).

Complaints regarding healthcare services may be submitted through the Wkkgz complaints procedure of Zample B.V., available on zample.com/nl and obtainable via [email protected]. We aim to handle your complaint within six weeks.

If your complaint is not resolved to your satisfaction, you may submit the dispute to the recognized disputes committee with which Zample B.V. is affiliated: [name of recognized disputes committee — to be completed once affiliation has been finalized].

Affiliation with a recognized disputes committee is legally required pursuant to Article 18 Wkkgz and will be completed by Zample B.V. before the commencement of healthcare services.

The Dutch Health and Youth Care Inspectorate (IGJ) supervises compliance with healthcare legislation.

8. Cookies

We use cookies and similar technologies on zample.nl and zample.com/nl in accordance with the GDPR and Article 11.7a of the Dutch Telecommunications Act.

Technically necessary cookies are used to ensure the platform functions correctly and do not require consent. Analytical cookies are only placed after you have provided prior, informed, and specific consent through the consent management module (CookieFirst) on zample.com.

All cookie processing takes place on the primary domain zample.com. You may modify or withdraw your consent at any time.

For more information, please see our Cookie Policy on zample.nl or zample.com/nl.

9. Information security

Zample B.V. operates in accordance with the GDPR, the Dutch GDPR Implementation Act (UAVG), the Wgbo, the Wkkgz, the Wabvpz, and the applicable standards for information security in healthcare (including NEN 7510).

We have initiated the implementation of information security measures in accordance with NEN 7510 and maintain a systematic and risk-based information security policy.

A formal NEN 7510 audit is planned as part of the quality assurance program of Zample B.V. following the launch of the services.

10. Changes to this privacy policy

We may amend this privacy policy where necessary, for example due to changes in legislation or changes to our services.

The most recent version is always available on our website.

If we make material changes that affect the way in which your personal data is processed, we will inform you appropriately before the changes take effect.