Valid for the following versions: 4.1.1 (iOS) and 4.1.1 (Android). Last update: November 25th 2020
The protection of your data and privacy is very important to us. We are aware that health information is very sensitive and needs maximum protection. Therefore we collect as little personal data as possible and secure it with the highest technical standards. In principle, the MindDoc app can be used anonymously. We only collect personal data such as your name or email address, address, and insurance data or a profile photo if you set up an optional personal account to restore your data (e.g. when you change your smartphone).
We, MindDoc Health GmbH, Leopoldstraße 159, 80804 München, Germany (hereinafter “MindDoc”) collect and process your personal data related to the MindDoc-App (hereinafter also “App”) and are the “data controller” in terms of the General Data Protection Regulation (GDPR).
The protection and confidentiality of your data is very important to us. We therefore only process your data to the extent that
We always separately obtain consent from you for the processing of your health data according to Art. 9 Abs. 2 lit. h of the General Data Protection Regulation (GDPR) . You can give your consent to the processing of this data, by clicking on the respective button. Your consent will be logged by us.
If you have any questions, suggestions or comments, you are welcome to contact our customer support team on email@example.com or our data protection officer: Martin Kuhr. Data Protection Officer of MindDoc Health GmbH, Leopoldstraße 159, 80804 München, Germany, E-Mail: datenschutz[at]schoen-kliniken.de
Personal data is specifically protected by law. Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data.
As a matter of principle, we do not collect any data that allows direct identification of your person. To use our app, you do not have to enter any distinctly identifiable data about yourself (e.g. your name, your e-mail address or your home address). However, if you use our app as part of online therapy (only available in Germany) or create an optional personal account (e.g., to access your old data again when you change your smartphone), the use of personal data before you is required.
Nevertheless, strictly confidential handling of all your data is very important to us. Therefore, we treat all data according to the same rules that apply to personal data.
Personal data for the creation of an optional personal account
In order to create an optional personal account that allows you to easily access your history even when you change your smartphone, we collect and process the following personal data in the way you provide it to us:
The legal basis for data processing is Art. 6 Paragraph I lit. b GDPR.
Extended personal data while using MindDoc online therapy (this service and data fields are only available in Germany)
Within the app, you can run through a 14-day screening phase to get an overall assessment of your mental health. During this screening, you will answer various questions and let the app know how you are feeling. Also, you can use further services, e.g. payment offers, which are described in more detail in Section 2 of our GTC. We collect, process, and use the following health data to be able to provide the services for you following Section 2 of our GTC:
The legal basis for data processing is Art. 9 para. II lit. h GDPR.
This is data that tells us what hardware and software you are using to access our app:
The legal basis for data processing is Art. 6 para. I lit. f GDPR.
App usage data
This is data that tells us how you use our app:
The legal basis for data processing is Art. 6 para. I lit. f GDPR and Art. 6 para. I lit. a GDPR for the feedback data.
We collect and store your personal, extended personal, health, technical, and app usage data while you use our app. Furthermore, we transmit your health data in a completely anonymous form to universities MindDoc cooperates within research.
The legal basis for data processing is Art. 9 para. II lit. a GDPR
MindDoc collects, processes, and uses the data mentioned under point 2 to provide the services mentioned in point 2 of our General Terms and Conditions (Art. 1 GDPR). By providing us with your information, we can provide our services.
You are not obliged to provide your personal data (Art. 13 GDPR). The use of our app and related services is voluntary. However, if you do not wish to provide us with the necessary data, we cannot provide the services specified in Section 2 of the GTC for you.
MindDoc transmits your health data in a completely anonymous form to universities for research purposes.
Your data according to point 2 of this data protection declaration will be stored by us as long as this is necessary for the use of our app and the services associated with it. The anonymized data can also be stored indefinitely for research purposes.
We do not pass on your data to third parties, unless we are legally entitled or obliged to do so, or you have given us your consent.
We transmit your health data in the context of research cooperation in a completely anonymous form to university partners.
In the event that we process personal data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or have it processed (see also third-party tools as described in Section 7), this will be done in compliance with the relevant legal requirements. In these cases, we will always take appropriate measures to adequately secure your data (e.g. through standard contractual clauses if they are applicable).
We do not store your data on your device to ensure maximum security and to ensure the smooth functioning of the app. We store your data on servers of our IT service providers in Frankfurt am Main, who process your data on our behalf and on the legal basis of Art. 28 GDPR and are obliged to comply with the legal provisions on data protection and data security. We also apply our own key management to ensure that not even the hosting provider has the possibility to access the data.
We take precautions to protect your data and to prevent misuse.
The app communicates with our server via encrypted connections using TLS 1.3 (Transport Layer Security) and HTTPS, which prevents third parties from accessing your data without authorization. Both servers and databases are behind firewalls to restrict access.
Please note that in some employment relationships it is not allowed to use the Internet for private purposes during working hours or from your workplace. Some employers monitor unauthorized Internet activity in the workplace. Even if you are otherwise connected in multiple network environments, you must be aware that there is always a risk of unwanted access.
MindDoc sometimes commissions third-party providers to provide services for the analysis and evaluation of user behavior (e.g. crash reporting) or to provide important basic technical services (e.g. push notifications). If these service providers process personal data, we conclude an agreement with them for order processing in accordance with Article 28 DS-GVO, which obliges these service providers to comply with legal standards with regard to data protection and data security. This means that the processors are bound by our instructions and are regularly monitored by us.
In detail we use the following tools and providers
a. Google Firebase
We are using Firebase (https://www.firebase.com/), a framework from Google’s subsidiary Firebase, based in San Francisco, CA, USA, through which we track and manage the following real-time features. We use all possibilities to deactivate or make anonymous (IP address) the collection of personal data such as advertising or vendor ID. With these measures, only a pseudonymized FireBase Instance ID (FireBase Token), is processed by Google in an European data center (Europe West-3 in Frankfurt a. Main). No other personal data is processed by Firebase:
The legal basis for the use of Firebase is our legitimate interest in maintaining Moodpath permanently and evaluating its performance according to article 6 paragraph 1 lit f. GDPR.
b. Branch Metrics (only for MindDoc users in the United States of America/USA)
Our app uses Branch Metrics which is operated by Branch Metrics Inc. 2443 Ash Street, Palo Alto, CA 94306, USA. This service is an open-source solution, which enables the generation of targeted smart links to content within an app for statistical analysis and for marketing activities. This can be achieved by using appropriate software development kits (SDKs) for web, iOS, and Android operating systems. In the context of providing the service and its functions, Branch Metrics collects personal data (IP address and derived location data, the local IP address of the device at Android, vendor ID). This data is collected and encrypted for this purpose only. Activation of the service is only carried out after active consent by the user and can be revoked.
The legal basis for this is Article 6 Paragraph 1 lit. A GDPR.
How can I prevent this? You can deactivate this collection for your device via this link https://branch.app.link/device-opt-out or generally restrict the use of certain data in your Android or iOS device.
As a user of our app, you have the following privacy rights, depending on the circumstances of the specific case:
The processing of your data is necessary for the conclusion or fulfillment of your contract with us to use the MindDoc app and in the case of the creation of the optional account. In addition, this is required when using the optional offer of the MindDoc Online Therapy service (https://www.minddoc.de), which is independent of our GTC. If you do not provide us with this information, we will not be able to provide the services mentioned on our GTC.
If you want to make use of one of these rights, you can delete your data directly in the app in the section “Settings → Data & Security”. Of course, you can transfer your data beforehand using an automatic export function. Alternatively, you can send us an e-mail from the address registered with us to firstname.lastname@example.org or write to us stating your personal identification number (UID – you can find this in the settings section at the bottom of the profile page). We will then check this immediately and contact you.
We reserve the right to change this data protection declaration in compliance with data protection regulations. The current version can be found here or at another accessible location in our app.
If you have any questions, suggestions or comments, you are welcome to contact our customer support team at email@example.com or our data protection officer: Martin Kuhr. Data Protection Officer of MindDoc Health GmbH, Leopoldstraße 159, 80804 München, Germany, E-Mail: datenschutz[at]schoen-kliniken.de