Privacy and Security Policy

We, Aurora Health GmbH, Friedelstraße 27, 12047 Berlin, Germany (hereinafter “Moodpath”) collect and process your personal data related to the Moodpath App (hereinafter also “App”) and are the “data collector” in terms of the General Data Protection Regulation (GDPR).

The protection and confidentiality of your data is very important to us. We therefore only process your data to the extent that

• It is necessary to provide the Moodpath services you are requesting
• you have given your consent to the processing, or
• we are otherwise authorized to do so under the data protection laws.

We always separately obtain a consent from you for the processing of your health data. You can give your consent to the processing of this data, by clicking the on the respective button. Your consent will be logged by us.

If you have any questions, suggestions or comments, you are welcome to contact our data protection officer:  Mike Peter, mpP Group. Data Protection Officer of Aurora Health GmbH, Friedelstraße 27, 12047 Berlin, Phone 06341-6731696, E-Mail: m.peter@mpp-group.de

Personal data is specifically protected by law. Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data.

As a matter of principle, we do not collect any data that allows a direct identification of your person. To use our app, you do not have to enter any distinctly identifiable data about yourself (e.g. your name, your e-mail address or your home address).  Because of this, we assume that, under general circumstances, we do not process any of your personal data. Nevertheless, a strictly confidential handling of all your data is very important to us. Therefore, we treat all data according to the same rules that apply to personal data.

Health related data 

Within the app you can run through a 14-day screening phase to get an assessment of whether you are suffering from depression. During this screening you will answer various questions and let the app know how you are feeling. In addition, you can use further services, e.g. payment offers, which are described in more detail in Section 2 of our GTC. We collect, process and use the following health data in order to be able to provide the services for you in accordance with Section 2 of our GTC:

• Data from the Moodpath screening
  • Questions related to depressive symptoms
  • Questions about other psychological and somatic complaints and symptoms
  • Evaluations of the above-mentioned data regarding severity and type of symptoms.
• Mood-related data
  • Your information on a scale of smileys with which you can regularly document your mood.
  • Text-based note entries created by you, which are transmitted in encrypted form and stored with us.

Technical Data

This is data that tells us what hardware and software you are using to access our app:

• Data about the mobile platform (iOS/Android)
• Version of the app
• Device model
• System version
• “Identifier for Advertising in Apple” for iOS devices
• “Advertising ID” for Android devices

App usage data

This is data that tells us how you use our app:

• How often was the app opened?
• Which areas were clicked in the app?
• App settings used (language settings, notifications)
• Feedback data (incl. e-mail service).

We collect and store your health, technical and app usage data while you use our app. Furthermore, we transmit your health data in a completely anonymous form to universities Moodpath cooperates with in research. An updated list of these universities can be found here: https://www.mymoodpath.com/en/science/

Moodpath collects, processes and uses the data mentioned under point 2 to provide the services mentioned in point 2 of our General Terms and Conditions (Art. 1 GDPR). By providing us with your information, we can provide our services.

You are not obliged to provide your personal data (Art. 13 GDPR). The use of our app and related services is voluntary. However, if you do not wish to provide us with the necessary data, we cannot provide the services specified in Section 2 of the GTC for you.

Moodpath transmits your health data in a completely anonymous form to the universities mentioned above (point 3) for research purposes.

Your data according to point 2 of this data protection declaration will be stored by us as long as this is necessary for the use of our app and the services associated with it. The anonymized data can also be stored indefinitely for research purposes.

We do not pass on your data to third parties, unless we are legally entitled or obliged to do so, or you have given us your consent.

We transmit your health data in the context of research cooperation in a completely anonymous form to the above-mentioned universities (Sec. 3).

Your personal data may be transferred to third parties in the United States while using their third-party tools as described in section 8 below. In these cases, we will always take appropriate measures to protect your data appropriately. The transfer to the USA is subject to an adequacy decision of the EU Commission (Art. 45 GDPR), as all third-parties participate in the EU-US Privacy Shield. For more information, visit www.privacy shield.gov.

We do not store your data on your device to ensure maximum security and to ensure the smooth functioning of the app. We store your data on servers of our IT service providers in Frankfurt am Main, who process your data on our behalf and on the legal basis of Art. 28 GDPR and are obliged to comply with the legal provisions on data protection and data security. In addition, in case you lose your phone or want to use Moodpath on several devices in parallel, we will store an encrypted ID on Apple’s servers with which only our app can communicate.

We take precautions to protect your data and to prevent misuse.

The app communicates with our server via encrypted connections using SSL (Secure Socket Layer), which prevents third parties from accessing your data without authorization. Both servers and databases are behind firewalls to restrict access. Our provider AWS complies with ISO 27018, a code of conduct that focuses on the protection of personal data in the cloud. Please note that in some employment relationships it is not allowed to use the Internet for private purposes during working hours or from your workplace. Some employers monitor unauthorized Internet activity in the workplace. Even if you are otherwise connected in multiple network environments, you must be aware that there is always a risk of unwanted access.

Moodpath partly commissions third party providers to provide services for the analysis and evaluation of user behavior. We do this to continuously improve and develop Moodpath. The information transmitted for this purpose is pseudonymised. In detail we use the following tools:

a. Facebook SDK

We have integrated the Facebook Software Development Kit (SDK). The Facebook SDK is operated by Facebook Inc, Palo Alto, USA (Facebook). It helps to increase the success of Facebook advertising campaigns, for example by not displaying advertising on devices on which it is already installed. The Facebook SDK also allows various evaluations of the app installation and the success of advertising campaigns. In addition, individual activities (events) of the user can be analyzed within the app in order to define the target group for advertising campaigns more precisely and better, for example. For this purpose, we send Facebook pseudonymous data, such as the app ID, and the information that the app has been launched. The advertising ID provided by the operating system of the mobile device serves as the pseudonym.

c. Google Firebase

We use the Google Firebase service to deliver push messages. For this purpose, a device token from Apple or a registration ID from Google is assigned. The sole purpose of their use by us is the provision of push services. These are encrypted, anonymized device IDs.

d. Crashlytics

We work with Crashlytics Inc. “(“Crashlytics”), a service that stores events when users use Moodpath. Crashlytics collects app usage data specifically related to system crashes and bugs. It uses information about the device, the version of the app that is installed, and other information that can help fix bugs, especially regarding the user’s software and hardware. Crashlytics is operated by Google LLC, based in the USA.

e. Tenjin

Moodpath uses the user behavior analysis technology of Tenjin Inc. (“Tenjin”). Tenjin collects installation and event data, such as “App open”. We use this anonymous information to understand how our users interact with the app and to analyze campaigns. For such an analysis Tenjin uses your pseudonymized IDFA or Android ID.

f. Branch Metrics

Our app uses Branch Metrics whose operator is Branch Metrics Inc, 2443 Ash Street, Palo Alto, CA 94306, USA. This service is an open-source solution, which makes it possible with appropriate software development kits (SDKs) for Web, iOS and Android operating systems to generate targeted Smartlinks to contents within an App. Branch Metrics collects information about the provision of the service and its functions. These are encrypted, pseudonymized device IDs.

You can delete your data by clicking on “Delete all saved data” in the settings of the app under “Manage your data”. This will irrevocably delete all your data from our databases.

As a user of our app, you have the following data protection rights, depending on the circumstances of the specific case:

a. Disclosure

To receive information about your personal data processed by us and to request access to your personal data and/or copies of these data. This includes information on the purpose of use, the category of data used, its recipients and authorized persons and, if possible, the planned duration of data storage or, if this is not possible, the criteria for determining this duration;

b. Correction, deletion or limitation of processing

To request the correction, deletion or limitation of the processing of your personal data, e.g. by sending us an e-mail. if (i) the data are incomplete or incorrect, (ii) they are no longer necessary for the purposes for which they were collected, (iii) the consent on which the processing was based has been revoked, or (iv) you have successfully exercised your right to object to data processing; in cases where data is processed by third parties, we will forward your requests for correction, deletion or limitation of the processing to these third parties, unless this proves impossible or involves a disproportionate effort;

c. Opposition to the processing

To object to the processing for reasons arising from your particular situation;

d. Transferability of data

To receive the personal data concerning you that you have provided to us in a structured, current and machine-readable format and to transmit this data to another responsible person without obstruction by us; you may also have the right to request that we transmit the personal data directly to another responsible person, insofar as this is technically feasible;

e. Refusal and revocation of consent

To refuse your consent or – without affecting the legality of data processing prior to the revocation – to revoke your consent to the processing of your personal data at any time;

f. Automatic decisions

To require that you be subject to a decision based exclusively on automated processing only in the exceptional cases provided by law, if that decision has legal effect against you or significantly affects you in a similar manner; should such an automated decision take place in exceptional cases, you have the right to obtain information on the logic involved and the scope of the intended effects;

g. Right of appeal

Communicate with and, if necessary, complain to the data protection supervisory authority.

We reserve the right to change this data protection declaration in compliance with data protection regulations. The current version can be found here or at another accessible location in our app.

If you have any questions, suggestions or comments on the subject of data protection, please do not hesitate to contact our data protection officer. Contact information: Mike Peter, mpP Group. Data Protection Officer of Aurora Health GmbH, Friedelstraße 27, 12047 Berlin, Phone: +49 6341-6731696, E-Mail: m.peter@mpp-group.de