The protection of your data and privacy is very important to us. We are aware that health information is very sensitive and needs maximum protection. Therefore we collect as little personal data as possible and secure it with the highest technical standards. In principle, the MindDoc app can be used anonymously. We only collect personal data such as your name or email address, address, and insurance data or a profile photo if you set up an optional personal account to restore your data (e.g. when you change your smartphone).
We, MindDoc Health GmbH, Leopoldstraße 159, 80804 München, Germany (hereinafter “MindDoc”) collect and process your personal data related to the MindDoc-App (hereinafter also “App”) and are the “data controller” in terms of the General Data Protection Regulation (GDPR).
The protection and confidentiality of your data is very important to us. We therefore only process your data to the extent that
We always obtain separate consent from you for the processing of your health data. You can give your consent to the processing of this data by clicking on the respective button. Your consent will be logged by us.
If you have any questions, suggestions or comments, you are welcome to contact our customer support team at firstname.lastname@example.org or our data protection officer: Martin Kuhr. Data Protection Officer of MindDoc Health GmbH, Leopoldstraße 159, 80804 München, Germany, E-Mail: datenschutz[at]schoen-kliniken.de
Personal data is specifically protected by law. Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data.
As a matter of principle, we do not collect any data that allows direct identification of your person. To use our app, you do not have to enter any distinctly identifiable data about yourself (e.g. your name, your e-mail address or your home address). However, if you use our app as part of online therapy (only available in Germany) or create an optional personal account (e.g., to access your old data again when you change your smartphone), the use of your personal data is required.
Nevertheless, strictly confidential handling of all your data is very important to us. Therefore, we treat all data according to the same rules that apply to personal data.
Personal data for the creation of an optional personal account
In order to create an optional personal account that allows you to easily access your history even when you change your smartphone, we collect and process the following personal data in the way you provide it to us:
The legal basis for data processing is Art. 6 Paragraph I lit. b GDPR.
Extended personal data while using MindDoc online therapy (this service and data fields are only available in Germany)
Within the app, you can run through a 14-day screening phase to get an overall assessment of your mental health. During this screening, you will answer various questions and let the app know how you are feeling. Also, you can use further services, e.g. payment offers, which are described in more detail in Section 2 of our GTC. We collect, process, and use the following health data to be able to provide the services for you following Section 2 of our GTC:
The legal basis for data processing is Art. 9 para. II lit. h GDPR.
This is data that tells us what hardware and software you are using to access our app:
The legal basis for data processing is Art. 6 para. I lit. f GDPR.
App usage data
This is data that tells us how you use our app:
The legal basis for data processing is Art. 6 para. I lit. f GDPR and Art. 6 para. I lit. a GDPR for the feedback data.
We collect and store your personal, extended personal, health, technical, and app usage data while you use our app. Furthermore, we transmit your health data in a completely anonymous form to universities with which MindDoc cooperates in research.
The legal basis for data processing is Art. 9 para. II lit. a GDPR.
MindDoc collects, processes, and uses the data mentioned under point 2 to provide the services mentioned in point 2 of our General Terms and Conditions (Art. 1 GDPR). When you provide us with your information, we can provide our services.
You are not obliged to provide your personal data (Art. 13 GDPR). The use of our app and related services is voluntary. However, if you do not wish to provide us with the necessary data, we cannot provide the services specified in Section 2 of the GTC for you.
MindDoc transmits your health data in a completely anonymous form to universities for research purposes.
Your data according to point 2 of this data protection declaration will be stored by us as long as this is necessary for the use of our app and the services associated with it. The anonymized data can also be stored indefinitely for research purposes.
We do not pass on your data to third parties, unless we are legally entitled or obliged to do so, or you have given us your consent.
We transmit your health data in the context of research cooperation in a completely anonymous form to university partners.
In the event that we process personal data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or have it processed (see also third-party tools as described in Section 7), this will be done in compliance with the relevant legal requirements. In these cases, we will always take appropriate measures to adequately secure your data (e.g. through standard contractual clauses).
We do not store your data on your device to ensure maximum security and to ensure the smooth functioning of the app. We store your data on servers of our IT service providers in Frankfurt am Main, who process your data on our behalf and on the legal basis of Art. 28 GDPR and are obliged to comply with the legal provisions on data protection and data security.
We take precautions to protect your data and to prevent misuse.
The app communicates with our server via encrypted connections using SSL (Secure Sockets Layer), which prevents third parties from accessing your data without authorization. Both servers and databases are behind firewalls to restrict access.
Please note that in some employment relationships it is not allowed to use the Internet for private purposes during working hours or from your workplace. Some employers monitor unauthorized Internet activity in the workplace. Even if you are otherwise connected in multiple network environments, you must be aware that there is always a risk of unwanted access.
MindDoc sometimes commissions third-party providers to provide services for the analysis and evaluation of user behavior. We do this in order to constantly improve and further develop MindDoc. The information provided for this purpose is usually pseudonymized. If these service providers process personal data, we conclude an agreement with them for order processing in accordance with Article 28 GDPR, which obliges these service providers to comply with legal standards with regard to data protection and data security. This means that the processors are bound by our instructions and are regularly monitored by us. The processors whose services are used will not pass this data on to third parties, but will delete it after the fulfilment of the contract and the conclusion of statutory storage periods, unless you have consented to storage beyond this.
In detail we use the following tools:
a. Google Firebase
In the mobile app we use Firebase (https://www.firebase.com/), a framework from Google’s subsidiary Firebase, based in San Francisco, CA, USA, through which we track and manage the following real-time functions
The legal basis for the use of Firebase is our legitimate interest in maintaining Moodpath permanently and evaluating its performance according to article 6 paragraph 1 GDPR.
b. Branch Metrics (only for MindDoc users in the United States of America/USA)
Our app uses Branch Metrics which is operated by Branch Metrics Inc. 2443 Ash Street, Palo Alto, CA 94306, USA. This service is an open-source solution, which allows us to generate smart links to content within an app for statistical analysis and for marketing activities (the latter only in the USA). This can be done with appropriate software development kits (SDKs) for web, iOS, and Android operating systems. In the course of providing the service and its features, Branch Metrics collects data such as operating system and version, timestamp, API key (application identification key), application version, device model, manufacturer and identification number, iOS identification key for advertising, iOS identification key for vendors, Android identification key for advertising, IP address and network status. The above data is collected and encrypted for this purpose only.
The legal basis for this is Article 6 Paragraph 1 lit. a GDPR.
How can I prevent this? You can deactivate this collection for your device via this link https://branch.app.link/device-opt-out or generally restrict the use of certain data in your Android or iOS device.
c. For sending emails in the context of creating, verifying and managing your personal, optional MindDoc account we use Mailgun (535 Mission St., 14th Floor San Francisco, CA 94105, USA). This provider processes and stores the email address, its content, subject, and other metadata in a high-security data center in Frankfurt am Main and deletes it after a maximum of 5 days.
d. For the hosting of the data as well as our applications, databases, and servers, we use the cloud services of Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland), which acts as a processor for us and stores data in a high-security data center in Frankfurt am Main and Ireland.
e. To send out push notifications, we use the services of OneSignal, a U.S. company located at 2850 S Delaware St Suite 201, San Mateo, CA 94403, that processes device data to identify your device in order to send push notifications. Please visit https://documentation.onesignal.com/docs/data-collected-by-the-onesignal-sdk to see which data is processed by OneSignal. (Note: OneSignal automatically does not collect IP addresses from EU users.)
The legal basis for this is Article 6 Paragraph 1 lit. f GDPR.
As a user of our app, you have the following privacy rights, depending on the circumstances of the specific case:
The processing of your data is necessary for the conclusion or fulfillment of your contract with us to use the MindDoc app and in the case of the creation of the optional account. In addition, this is required when using the optional offer of the MindDoc Online Therapy service (https://www.minddoc.de), which is independent of our GTC. If you do not provide us with this information, we will not be able to provide the services mentioned in our GTC.
If you want to make use of one of these rights, you can delete your data directly in the app in the section “Settings → Data & Security”. Of course, you can transfer your data beforehand using an automatic export function. Alternatively, you can send us an e-mail from the address registered with us to email@example.com or write to us stating your personal identification number (UID – you can find this in the settings section at the bottom of the profile page). We will then check this immediately and contact you.
We reserve the right to change this data protection declaration in compliance with data protection regulations. The current version can be found here or at another accessible location in our app.
If you have any questions, suggestions or comments, you are welcome to contact our customer support team at firstname.lastname@example.org or our data protection officer: Martin Kuhr. Data Protection Officer of MindDoc Health GmbH, Leopoldstraße 159, 80804 München, Germany, E-Mail: datenschutz[at]schoen-kliniken.de