Privacy and Security Policy

We, MindDoc Health GmbH, Leopoldstraße 159, 80804 München, Germany (hereinafter “Moodpath”) collect and process your personal data related to the Moodpath App (hereinafter also “App”) and are the “data collector” in terms of the General Data Protection Regulation (GDPR).

The protection and confidentiality of your data is very important to us. We therefore only process your data to the extent that

• It is necessary to provide the Moodpath services you are requesting
• you have given your consent to the processing, or
• we are otherwise authorized to do so under the data protection laws.

We always separately obtain consent from you for the processing of your health data. You can give your consent to the processing of this data, by clicking on the respective button. Your consent will be logged by us.

If you have any questions, suggestions or comments, you are welcome to contact our data protection officer:  Martin Kuhr. Data Protection Officer of MindDoc Health GmbH, Leopoldstraße 159, 80804 München, Germany, E-Mail: datenschutz[at]schoen-kliniken.de 

Personal data is specifically protected by law. Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data.

As a matter of principle, we do not collect any data that allows direct identification of your person. To use our app, you do not have to enter any distinctly identifiable data about yourself (e.g. your name, your e-mail address or your home address).  Because of this, we assume that, under general circumstances, we do not process any of your personal data. Nevertheless, strictly confidential handling of all your data is very important to us. Therefore, we treat all data according to the same rules that apply to personal data.

Health-related data 

Within the app, you can run through a 14-day screening phase to get an assessment of whether you are suffering from depression. During this screening, you will answer various questions and let the app know how you are feeling. Also, you can use further services, e.g. payment offers, which are described in more detail in Section 2 of our GTC. We collect, process and use the following health data to be able to provide the services for you following Section 2 of our GTC:

• Data from the Moodpath screening
  • Questions related to depressive symptoms
  • Questions about other psychological and somatic complaints and symptoms
  • Questions about your living conditions, leisure activities and biography
  • Evaluations of the above-mentioned data regarding severity and type of symptoms as well as correlations between answers based on psychological theories
• Tracking data
  • Your entries on a scale of smileys with which you can regularly document your mood.
  • Text-based note entries created by you, which are transmitted in encrypted form and stored with us.
  • If you explicitly agree to this within the app, we store data from your Apple Health (iOS) or Google Fit (Android) application. These are primarily the number of steps per day and other indications of your physical activity. We use this data to provide our services within Moodpath, in particular, to report back to you any connections between psychological factors and your physical activity. Moodpath does not send data to Apple Health or Google Fit.
• Data from the psychological exercises
  • Text-based entries for the exercises
  • The photos you uploaded during the exercises

Technical Data

This is data that tells us what hardware and software you are using to access our app:

• Data about the mobile platform (iOS/Android)
• The version of the app
• Device model
• System version
• “Identifier for Advertising in Apple” for iOS devices
• “Advertising ID” for Android devices

App usage data

This is data that tells us how you use our app:

• How often was the app opened?
• Which areas were clicked in the app?
• App settings used (language settings, notifications)
• Feedback data (incl. e-mail service).

We collect and store your health, technical and app usage data while you use our app. Furthermore, we transmit your health data in a completely anonymous form to universities Moodpath cooperates with in research. An updated list of these universities can be found here: https://www.mymoodpath.com/en/science/

Moodpath collects, processes and uses the data mentioned under point 2 to provide the services mentioned in point 2 of our General Terms and Conditions (Art. 1 GDPR). By providing us with your information, we can provide our services.

You are not obliged to provide your personal data (Art. 13 GDPR). The use of our app and related services is voluntary. However, if you do not wish to provide us with the necessary data, we cannot provide the services specified in Section 2 of the GTC for you.

Moodpath transmits your health data in a completely anonymous form to the universities mentioned above (point 3) for research purposes.

Your data according to point 2 of this data protection declaration will be stored by us as long as this is necessary for the use of our app and the services associated with it. The anonymized data can also be stored indefinitely for research purposes.

We do not pass on your data to third parties, unless we are legally entitled or obliged to do so, or you have given us your consent.

We transmit your health data in the context of research cooperation in a completely anonymous form to the above-mentioned universities (Sec. 3).

Your personal data may be transferred to third parties in the United States while using their third-party tools as described in section 7 below. In these cases, we will always take appropriate measures to protect your data appropriately. The transfer to the USA is subject to an adequacy decision of the EU Commission (Art. 45 GDPR), as all third-parties participate in the EU-US Privacy Shield. For more information, visit www.privacy shield.gov.

We do not store your data on your device to ensure maximum security and to ensure the smooth functioning of the app. We store your data on servers of our IT service providers in Frankfurt am Main, who process your data on our behalf and on the legal basis of Art. 28 GDPR and are obliged to comply with the legal provisions on data protection and data security. In addition, in case you lose your phone or want to use Moodpath on several devices in parallel, we will store an encrypted ID on Apple’s and Google’s servers with which only our app can communicate.

We take precautions to protect your data and to prevent misuse.

The app communicates with our server via encrypted connections using SSL (Secure Socket Layer), which prevents third parties from accessing your data without authorization. Both servers and databases are behind firewalls to restrict access. Our provider, Google Cloud, is an ISO 27001, ISO 27017 and ISO 27018 certified hosting provider, which is audited and certified by the internationally recognized auditing company Ernst & Young. The European ISO 27001 certification complies with the requirements of the German Federal Office for Information Security (BSI). The European ISO 27017 certification is an international standard for securing Cloud Services (Cloud Security), which was established by ISO 27018 in particular with regard to the protection of personal data (Cloud Privacy) is supplemented.

Please note that in some employment relationships it is not allowed to use the Internet for private purposes during working hours or from your workplace. Some employers monitor unauthorized Internet activity in the workplace. Even if you are otherwise connected in multiple network environments, you must be aware that there is always a risk of unwanted access.

Moodpath partly commissions third party providers to provide services for the analysis and evaluation of user behavior. We do this to continuously improve and develop Moodpath. The information transmitted for this purpose is pseudonymized. In detail we use the following tools:

Google Firebase

• In the Mobile App, we use Firebase (https://www.firebase.com/), a framework maintained by the Google subsidiary Firebase residing in San Francisco, CA, USA, through which we track and administer the following real-time functions––
  1. Tracking of basic user events for Firebase;
  2. Tracking of app crashes and their reasons through Firebase Crashlytics;
  3. Configuration of app settings through Firebase Remote Config; and

  For all mentioned Firebase services, only anonymized or pseudonymized user data is transmitted to Firebase (Google). Firebase’s privacy policy is available under https://www.firebase.com/terms/privacy-policy.html.

• We use Firebase Crashlytics to track app crashes as they occur and to prevent future ones. In case of an app crash, a report is created that contains the type and OS of the device, your last activities in the app, and your geolocation in pseudonymous form, and that is sent to Google. Information on the functionality of Crashlytics is available under https://firebase.google.com/products/crashlytics/
• The Mobile App uses Firebase Remote Config to allow us to alter the app on the devices it is installed on without you having to completely reinstall the app in the respective app store. To do so, your device information, your language and country, and regional settings are transmitted to Google in the USA and processed there. Information on the functionality of Remote Config is available under https://firebase.google.com/products/remote-config/
• The legal basis for the use of Firebase is our legitimate interest in keeping Moodpath stable and evaluating its performance according to art. 6 para 1 lit. f GDPR.

Branch Metrics

Our app uses Branch Metrics whose operator is Branch Metrics Inc, 2443 Ash Street, Palo Alto, CA 94306, USA. This service is an open-source solution, which makes it possible with appropriate software development kits (SDKs) for Web, iOS and Android operating systems to generate targeted Smartlinks to contents within an App. Branch Metrics collects information about the provision of the service and its functions. These are encrypted pseudonymized device IDs.

You can delete your data by clicking on “Delete all saved data” in the settings of the app under “Manage your data”. This will irrevocably delete all your data from our databases.

As a user of our app, you have the following data protection rights, depending on the circumstances of the specific case:

a. Disclosure

To receive information about your personal data processed by us and to request access to your personal data and/or copies of these data. This includes information on the purpose of use, the category of data used, its recipients and authorized persons and, if possible, the planned duration of data storage or, if this is not possible, the criteria for determining this duration;

b. Correction, deletion or limitation of processing

To request the correction, deletion or limitation of the processing of your personal data, e.g. by sending us an e-mail. if (i) the data are incomplete or incorrect, (ii) they are no longer necessary for the purposes for which they were collected, (iii) the consent on which the processing was based has been revoked, or (iv) you have successfully exercised your right to object to data processing; in cases where data is processed by third parties, we will forward your requests for correction, deletion or limitation of the processing to these third parties, unless this proves impossible or involves a disproportionate effort;

c. Opposition to the processing

To object to the processing for reasons arising from your particular situation;

d. Transferability of data

To receive the personal data concerning you that you have provided to us in a structured, current and machine-readable format and to transmit this data to another responsible person without obstruction by us; you may also have the right to request that we transmit the personal data directly to another responsible person, insofar as this is technically feasible;

e. Refusal and revocation of consent

To refuse your consent or – without affecting the legality of data processing before the revocation – to revoke your consent to the processing of your personal data at any time;

f. Automatic decisions

To require that you be subject to a decision based exclusively on automated processing only in the exceptional cases provided by law if that decision has legal effect against you or significantly similarly affects you; should such an automated decision take place in exceptional cases, you have the right to obtain information on the logic involved and the scope of the intended effects;

g. Right of appeal

Communicate with and, if necessary, complain to the data protection supervisory authority.

We reserve the right to change this data protection declaration in compliance with data protection regulations. The current version can be found here or at another accessible location in our app.

If you have any questions, suggestions or comments, you are welcome to contact our data protection officer:  Martin Kuhr. Data Protection Officer of MindDoc Health GmbH, Leopoldstraße 159, 80804 München, Germany, E-Mail: datenschutz[at]schoen-kliniken.de