Privacy and Security Policy

We, MindDoc Health GmbH, Leopoldstraße 159, 80804 München, Germany (hereinafter “MindDoc”) collect and process your personal data related to the MindDoc-App (hereinafter also “App”) and are the “data controller” in terms of the General Data Protection Regulation (GDPR).

The protection and confidentiality of your data is very important to us. We therefore only process your data to the extent that

• It is necessary to provide the MindDoc services you are requesting
• you have given your consent to the processing, or
• we are otherwise authorized to do so under the data protection laws.

We always separately obtain consent from you for the processing of your health data according to Art. 9 Abs. 2 lit. h of the General Data Protection Regulation (GDPR) . You can give your consent to the processing of this data, by clicking on the respective button. Your consent will be logged by us.

If you have any questions, suggestions or comments, you are welcome to contact our customer support team on feedback@minddoc.de or our data protection officer:  Martin Kuhr. Data Protection Officer of MindDoc Health GmbH, Leopoldstraße 159, 80804 München, Germany, E-Mail: datenschutz[at]schoen-kliniken.de 

Personal data is specifically protected by law. Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data.

As a matter of principle, we do not collect any data that allows direct identification of your person. To use our app, you do not have to enter any distinctly identifiable data about yourself (e.g. your name, your e-mail address or your home address).  However, if you use our app as part of online therapy (only available in Germany) or create an optional personal account (e.g., to access your old data again when you change your smartphone), the use of personal data before you is required.

Nevertheless, strictly confidential handling of all your data is very important to us. Therefore, we treat all data according to the same rules that apply to personal data.

Personal data for the creation of an optional personal account

In order to create an optional personal account that allows you to easily access your history even when you change your smartphone, we collect and process the following personal data in the way you provide it to us:

• Name
• first name
• Profile photo (optional)
• e-mail address

The legal basis for data processing is Art. 6 Paragraph I lit. b GDPR.

Extended personal data while using MindDoc online therapy (this service and data fields are only available in Germany) 

• Postal address
• Insurance provider
• Insured person number
• Phone number

Health-related data 

Within the app, you can run through a 14-day screening phase to get an overall assessment of your mental health. During this screening, you will answer various questions and let the app know how you are feeling. Also, you can use further services, e.g. payment offers, which are described in more detail in Section 2 of our GTC. We collect, process, and use the following health data to be able to provide the services for you following Section 2 of our GTC:

• Data from the daily screening questions and further tags and notes
  • Questions related to depressive symptoms
  • Questions about other psychological and somatic complaints and symptoms
  • Questions about your living conditions, leisure activities, and biography
  • Evaluations of the above-mentioned data regarding severity and type of symptoms as well as correlations between answers based on psychological theories
  • Your entries on a scale of smileys with which you can regularly document your mood.
  • Text-based note entries created by you, which are transmitted in encrypted form and stored with us.
  • If you explicitly agree to this within the app, we store data from your Apple Health (iOS) or Google Fit (Android) application. These are primarily the number of steps per day and other indications of your physical activity. We use this data to provide our services within MindDoc, in particular, to report back to you any connections between psychological factors and your physical activity. MindDoc does not send data to Apple Health or Google Fit.
• Data from the psychological exercises
  • Text-based entries for the exercises
  • The photos you uploaded during the exercises

The legal basis for data processing is Art. 9 para. II lit. h GDPR.

Technical Data

This is data that tells us what hardware and software you are using to access our app:

• Data about the mobile platform (iOS/Android)
• The version of the app
• Device model
• System version
• Vendor IDs (i.e., Android ID, Identifier for Vendor IDFV for iOS)

The legal basis for data processing is Art. 6 para. I lit. f GDPR.

App usage data

This is data that tells us how you use our app:

• How often was the app opened?
• Which areas were clicked in the app?
• App settings used (language settings, notifications)
• Feedback data (incl. e-mail service)

The legal basis for data processing is Art. 6 para. I lit. f GDPR and Art. 6 para. I lit. a GDPR for the feedback data.

We collect and store your personal, extended personal, health, technical, and app usage data while you use our app. Furthermore, we transmit your health data in a completely anonymous form to universities MindDoc cooperates within research.

The legal basis for data processing is Art. 9 para. II lit. a GDPR

MindDoc collects, processes, and uses the data mentioned under point 2 to provide the services mentioned in point 2 of our General Terms and Conditions (Art. 1 GDPR). By providing us with your information, we can provide our services.

You are not obliged to provide your personal data (Art. 13 GDPR). The use of our app and related services is voluntary. However, if you do not wish to provide us with the necessary data, we cannot provide the services specified in Section 2 of the GTC for you.

MindDoc transmits your health data in a completely anonymous form to universities for research purposes.

Your data according to point 2 of this data protection declaration will be stored by us as long as this is necessary for the use of our app and the services associated with it. The anonymized data can also be stored indefinitely for research purposes.

We do not pass on your data to third parties, unless we are legally entitled or obliged to do so, or you have given us your consent.

We transmit your health data in the context of research cooperation in a completely anonymous form to university partners.

In the event that we process personal data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or have it processed (see also third-party tools as described in Section 7), this will be done in compliance with the relevant legal requirements. In these cases, we will always take appropriate measures to adequately secure your data (e.g. through standard contractual clauses if they are applicable).

We do not store your data on your device to ensure maximum security and to ensure the smooth functioning of the app. We store your data on servers of our IT service providers in Frankfurt am Main, who process your data on our behalf and on the legal basis of Art. 28 GDPR and are obliged to comply with the legal provisions on data protection and data security. We also apply our own key management to ensure that not even the hosting provider has the possibility to access the data.

We take precautions to protect your data and to prevent misuse.

The app communicates with our server via encrypted connections using TLS 1.3 (Transport Layer Security) and HTTPS, which prevents third parties from accessing your data without authorization. Both servers and databases are behind firewalls to restrict access.

Please note that in some employment relationships it is not allowed to use the Internet for private purposes during working hours or from your workplace. Some employers monitor unauthorized Internet activity in the workplace. Even if you are otherwise connected in multiple network environments, you must be aware that there is always a risk of unwanted access.

MindDoc sometimes commissions third-party providers to provide services for the analysis and evaluation of user behavior (e.g. crash reporting) or to provide important basic technical services (e.g. push notifications). If these service providers process personal data, we conclude an agreement with them for order processing in accordance with Article 28 DS-GVO, which obliges these service providers to comply with legal standards with regard to data protection and data security. This means that the processors are bound by our instructions and are regularly monitored by us.
In detail we use the following tools and providers

a. Google Firebase

We are using Firebase (https://www.firebase.com/), a framework from Google’s subsidiary Firebase, based in San Francisco, CA, USA, through which we track and manage the following real-time features. We use all possibilities to deactivate or make anonymous (IP address) the collection of personal data such as advertising or vendor ID. With these measures, only a pseudonymized FireBase Instance ID (FireBase Token),  is processed by Google in an European data center (Europe West-3 in Frankfurt a. Main). No other personal data is processed by Firebase:

• We use Firebase Crashlytics to track app crashes as they occur and to prevent future crashes. Information about the functionality of Crashlytics and the collected device data: https://firebase.google.com/support/privacy#crash-stored-info
• We use Firebase Remote Config to allow us to change the app on the devices on which it is installed without having to completely reinstall the app in the respective App Store.
• We use FireBase Cloud Messaging as a service for the secure and reliable sending of mobile notifications (so-called Push Notifications), which inform the user about a new event (e.g. a new questionnaire block, a new insight).
• We use FireBase Analytics to collect general data about the usage of the app.

Firebase’s privacy policy is available at https://www.firebase.com/terms/privacy-policy.html and information about the specific data used in the mentioned services can be found here: https://firebase.google.com/support/privacy#data_processing_information 

The legal basis for the use of Firebase is our legitimate interest in maintaining Moodpath permanently and evaluating its performance according to article 6 paragraph 1 lit f. GDPR.

b. Branch Metrics (only for MindDoc users in the United States of America/USA)

Our app uses Branch Metrics which is operated by Branch Metrics Inc. 2443 Ash Street, Palo Alto, CA 94306, USA. This service is an open-source solution, which enables the generation of targeted smart links to content within an app for statistical analysis and for marketing activities. This can be achieved by using appropriate software development kits (SDKs) for web, iOS, and Android operating systems. In the context of providing the service and its functions, Branch Metrics collects personal data (IP address and derived location data, the local IP address of the device at Android, vendor ID). This data is collected and encrypted for this purpose only. Activation of the service is only carried out after active consent by the user and can be revoked.

The legal basis for this is Article 6 Paragraph 1 lit. A GDPR.

How can I prevent this? You can deactivate this collection for your device via this link https://branch.app.link/device-opt-out or generally restrict the use of certain data in your Android or iOS device.

As a user of our app, you have the following privacy rights, depending on the circumstances of the specific case:

1. Information (Art. 15 DS-GVO): to receive information about your personal data processed by us;
2. Correction (Art. 16 DS-GVO): Immediate correction of incorrect personal data concerning you;
3. Dletion (Art. 17 DS-GVO): The deletion of your personal data under the conditions specified therein;
4. Restriction of processing (Art. 18 DS-GVO): to demand the restriction of the processing of your personal data under the conditions stated therein;
5. Transferability of data (Art. 20 DS-GVO): to receive the personal data relating to you which you have provided to us in a structured, common and machine-readable format and to transfer this data to another responsible party without hindrance from us; you also have the right, where appropriate, to demand that we transfer the personal data directly to another responsible party, insofar as this is technically feasible;
6. Objection to unreasonable data processing (Art. 21 DS-GVO): If we process your data on the basis of legitimate interest, you may object to this data processing at any time; this would also apply to profiling based on these provisions. We will then no longer process your data unless we can demonstrate compelling reasons for processing which are worthy of protection and which outweigh your interests, rights, and freedoms, or unless the processing serves to assert, exercise, or defend legal claims. You can object to the processing of your data for the purpose of direct advertising at any time without giving reasons;
7. Refusal and revocation of consent: To refuse consent or – without affecting the lawfulness of the data processing carried out before the revocation – to revoke your consent to the processing of your personal data at any time;
8. Right of complaint: You have the right to complain to a data protection supervisory authority about the processing of your personal data by us.

The processing of your data is necessary for the conclusion or fulfillment of your contract with us to use the MindDoc app and in the case of the creation of the optional account. In addition, this is required when using the optional offer of the MindDoc Online Therapy service (https://www.minddoc.de), which is independent of our GTC. If you do not provide us with this information, we will not be able to provide the services mentioned on our GTC.

If you want to make use of one of these rights, you can delete your data directly in the app in the section “Settings → Data & Security”. Of course, you can transfer your data beforehand using an automatic export function. Alternatively, you can send us an e-mail from the address registered with us to feedback@minddoc.de or write to us stating your personal identification number (UID – you can find this in the settings section at the bottom of the profile page). We will then check this immediately and contact you.

We reserve the right to change this data protection declaration in compliance with data protection regulations. The current version can be found here or at another accessible location in our app.

If you have any questions, suggestions or comments, you are welcome to contact our customer support team at feedback@minddoc.de or our data protection officer:  Martin Kuhr. Data Protection Officer of MindDoc Health GmbH, Leopoldstraße 159, 80804 München, Germany, E-Mail: datenschutz[at]schoen-kliniken.de