Privacy and Security Policy

The protection of your data and privacy is very important to us. We are aware that health information is very sensitive and needs maximum protection. Therefore we collect as little personal data as possible and secure it with the highest technical standards. In principle, the MindDoc app can be used anonymously. We only collect personal data such as your name or email address, address, and insurance data or a profile photo if you set up an optional personal account to restore your data (e.g. when you change your smartphone).

The following privacy policy explains how we proceed with data protection. Feel free to contact us if you have any other questions: feedback@minddoc.de

  • 1. General information

    We, MindDoc Health GmbH, Leopoldstraße 159, 80804 München, Germany (hereinafter “MindDoc”) collect and process your personal data related to the MindDoc-App (hereinafter also “App”) and are the “data controller” in terms of the General Data Protection Regulation (GDPR).

    The protection and confidentiality of your data is very important to us. We therefore only process your data to the extent that

    • It is necessary to provide the MindDoc services you are requesting
    • you have given your consent to the processing, or
    • we are otherwise authorized to do so under the data protection laws.

    We always separately obtain consent from you for the processing of your health data. You can give your consent to the processing of this data by clicking on the respective button. Your consent will be logged by us.

    If you have any questions, suggestions or comments, you are welcome to contact our customer support team at feedback@minddoc.de or our data protection officer: Martin Kuhr, Data Protection Officer of MindDoc Health GmbH, Leopoldstraße 159, 80804 München, Germany, E-Mail: datenschutz[at]schoen-kliniken.de

  • 2. What information we collect

    Personal data is specifically protected by law. Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data.

    As a matter of principle, we do not collect any data that allows direct identification of your person. To use our app, you do not have to enter any distinctly identifiable data about yourself (e.g. your name, your e-mail address or your home address). However, if you use our app as part of online therapy (only available in Germany) or create an optional personal account (e.g., to access your old data again when you change your smartphone), the use of your personal data is required.

    Nevertheless, strictly confidential handling of all your data is very important to us. Therefore, we treat all data according to the same rules that apply to personal data.

    Personal data for the creation of an optional personal account

    In order to create an optional personal account that allows you to easily access your history even when you change your smartphone, we collect and process the following personal data in the way you provide it to us:

    • Name
    • First name
    • Profile photo (optional)
    • E-mail address

    The legal basis for data processing is Art. 6 Paragraph I lit. b GDPR.

    Extended personal data while using MindDoc online therapy (this service and data fields are only available in Germany) 

    • Postal address
    • Insurance provider
    • Insured person number
    • Phone number

    Health-related data 

    Within the app, you can run through a 14-day screening phase to get an overall assessment of your mental health. During this screening, you will answer various questions and let the app know how you are feeling. Also, you can use further services, e.g. payment offers, which are described in more detail in Section 2 of our GTC. We collect, process, and use the following health data to be able to provide the services for you following Section 2 of our GTC:

    • Data from the daily screening questions and further tags and notes
      • Questions related to depressive symptoms
      • Questions about other psychological and somatic complaints and symptoms
      • Questions about your living conditions, leisure activities, and biography
      • Evaluations of the above-mentioned data regarding severity and type of symptoms as well as correlations between answers based on psychological theories
      • Your entries on a scale of smileys with which you can regularly document your mood.
      • Text-based note entries created by you, which are transmitted in encrypted form and stored with us.
      • If you explicitly agree to this within the app, we store data from your Apple Health (iOS) or Google Fit (Android) application. These are primarily the number of steps per day and other indications of your physical activity. We use this data to provide our services within MindDoc, in particular, to report back to you any connections between psychological factors and your physical activity. MindDoc does not send data to Apple Health or Google Fit.
    • Data from the psychological exercises
      • Text-based entries for the exercises
      • The photos you uploaded during the exercises

    The legal basis for data processing is Art. 9 para. II lit. h GDPR.


    Technical Data

    This is data that tells us what hardware and software you are using to access our app:

    • Data about the mobile platform (iOS/Android)
    • The version of the app
    • Device model
    • System version
    • “Identifier for Advertising in Apple” for iOS devices
    • “Advertising ID” for Android devices

    The legal basis for data processing is Art. 6 para. I lit. f GDPR.


    App usage data

    This is data that tells us how you use our app:

    • How often was the app opened?
    • Which areas were clicked in the app?
    • App settings used (language settings, notifications)
    • Feedback data (incl. e-mail service)

    The legal basis for data processing is Art. 6 para. I lit. f GDPR and Art. 6 para. I lit. a GDPR for the feedback data.

  • 3. How we process your data

    We collect and store your personal, extended personal, health, technical, and app usage data while you use our app. Furthermore, we transmit your health data in a completely anonymous form to universities with which MindDoc cooperates in research.

    The legal basis for data processing is Art. 9 para. II lit. a GDPR

  • 4. For what purposes we process your data

    MindDoc collects, processes, and uses the data mentioned under point 2 to provide the services mentioned in point 2 of our General Terms and Conditions (Art. 1 GDPR). When you provide us with your information, we can provide our services.

    You are not obliged to provide your personal data (Art. 13 GDPR). The use of our app and related services is voluntary. However, if you do not wish to provide us with the necessary data, we cannot provide the services specified in Section 2 of the GTC for you.

    MindDoc transmits your health data in a completely anonymous form to universities for research purposes.

    Your data according to point 2 of this data protection declaration will be stored by us as long as this is necessary for the use of our app and the services associated with it. The anonymized data can also be stored indefinitely for research purposes.

  • 5. With whom we share your information

    We do not pass on your data to third parties, unless we are legally entitled or obliged to do so, or you have given us your consent.

    We transmit your health data in the context of research cooperation in a completely anonymous form to university partners.

    In the event that we process personal data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or have it processed (see also third-party tools as described in Section 7), this will be done in compliance with the relevant legal requirements. In these cases, we will always take appropriate measures to adequately secure your data (e.g. through standard contractual clauses).

  • 6. Where we store your data and how we protect your data

    We do not store your data on your device to ensure maximum security and to ensure the smooth functioning of the app. We store your data on servers of our IT service providers in Frankfurt am Main, who process your data on our behalf and on the legal basis of Art. 28 GDPR and are obliged to comply with the legal provisions on data protection and data security.

    We take precautions to protect your data and to prevent misuse.

    The app communicates with our server via encrypted connections using SSL (Secure Sockets Layer), which prevents third parties from accessing your data without authorization. Both servers and databases are behind firewalls to restrict access.

    Please note that in some employment relationships it is not allowed to use the Internet for private purposes during working hours or from your workplace. Some employers monitor unauthorized Internet activity in the workplace. Even if you are otherwise connected in multiple network environments, you must be aware that there is always a risk of unwanted access.

  • 7. Third-party tools

    MindDoc sometimes commissions third-party providers to provide services for the analysis and evaluation of user behavior. We do this in order to constantly improve and further develop MindDoc. The information provided for this purpose is usually pseudonymized. If these service providers process personal data, we conclude an agreement with them for order processing in accordance with Article 28 GDPR, which obliges these service providers to comply with legal standards with regard to data protection and data security. This means that the processors are bound by our instructions and are regularly monitored by us. The processors whose services are used will not pass this data on to third parties, but will delete it after the fulfilment of the contract and the conclusion of statutory storage periods, unless you have consented to storage beyond this.

    In detail we use the following tools:

    a. Google Firebase

    In the mobile app we use Firebase (https://www.firebase.com/), a framework from Google’s subsidiary Firebase, based in San Francisco, CA, USA, through which we track and manage the following real-time functions:

    • We use Firebase Crashlytics to track app crashes as they occur and to prevent future crashes. In the event of an app crash, a report is generated that includes the type and operating system of the device, recent activity in the app, and geolocation in pseudonymous form and sent to Google. For information on the functionality of Crashlytics, please visit https://firebase.google.com/products/crashlytics/.
    • The mobile app uses Firebase Remote Config to allow us to change the app on the devices on which it is installed without having to completely reinstall the app in the respective App Store. To do this, the device information, language, country, and regional settings are transferred to Google in the USA and processed there. Information about the functionality of Remote Config can be found at https://firebase.google.com/products/remote-config/

    For all Firebase services mentioned, only anonymized or pseudonymized user data is transmitted to Firebase (Google). The Firebase privacy policy is available at https://www.firebase.com/terms/privacy-policy.html and information about the specific data used in the mentioned services can be found at https://firebase.google.com/support/privacy

    The legal basis for the use of Firebase is our legitimate interest in maintaining Moodpath permanently and evaluating its performance according to article 6 paragraph 1 GDPR.

    b. Branch Metrics (only for MindDoc users in the United States of America/USA)

    Our app uses Branch Metrics which is operated by Branch Metrics Inc. 2443 Ash Street, Palo Alto, CA 94306, USA. This service is an open-source solution, which allows us to generate smart links to content within an app for statistical analysis and for marketing activities (the latter only in the USA). This can be done with appropriate software development kits (SDKs) for web, iOS, and Android operating systems. In the course of providing the service and its features, Branch Metrics collects data such as operating system and version, timestamp, API key (application identification key), application version, device model, manufacturer and identification number, iOS identification key for advertising, iOS identification key for vendors, Android identification key for advertising, IP address and network status. The above data is collected and encrypted for this purpose only.

    The legal basis for this is Article 6 Paragraph 1 lit. a GDPR.

    How can I prevent this? You can deactivate this collection for your device via this link https://branch.app.link/device-opt-out or generally restrict the use of certain data in your Android or iOS device.

    c. For sending emails in the context of creating, verifying and managing your personal, optional MindDoc account we use Mailgun (535 Mission St., 14th Floor San Francisco, CA 94105, USA). This provider processes and stores the email address, its content, subject, and other meta data in a high-security data center in Frankfurt am Main and deletes it after a maximum of 5 days.

    d. For the hosting of the data as well as our applications, databases, and servers, we use the cloud services of Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland), which acts as a processor for us and stores data in a high-security data center in Frankfurt am Main and Ireland.

    e. To send out Push Notifications, we use services of OneSignal, a U.S. company located at 2850 S Delaware St Suite 201, San Mateo, CA 94403, that processes data of the device to identify your device to send Push Notifications. Please visit https://documentation.onesignal.com/docs/data-collected-by-the-onesignal-sdk to see which data is processed by OneSignal (Note: OneSignal will automatically not collect IP Addresses from all EU Users.)

    The legal basis for this is Article 6 Paragraph 1 lit. f GDPR.

  • 8. What other rights you have as a user

    As a user of our app, you have the following privacy rights, depending on the circumstances of the specific case:

    1. Information (Art. 15 GDPR): to receive information about your personal data processed by us;
    2. Correction (Art. 16 GDPR): Immediate correction of incorrect personal data concerning you;
    3. Deletion (Art. 17 GDPR): The deletion of your personal data under the conditions specified therein;
    4. Restriction of processing (Art. 18 GDPR): to demand the restriction of the processing of your personal data under the conditions stated therein;
    5. Transferability of data (Art. 20 GDPR): to receive the personal data relating to you which you have provided to us in a structured, common and machine-readable format and to transfer this data to another responsible party without hindrance from us; you also have the right, where appropriate, to demand that we transfer the personal data directly to another responsible party, insofar as this is technically feasible;
    6. Objection to unreasonable data processing (Art. 21 GDPR): If we process your data on the basis of legitimate interest, you may object to this data processing at any time; this would also apply to profiling based on these provisions. We will then no longer process your data unless we can demonstrate compelling reasons for processing which are worthy of protection and which outweigh your interests, rights, and freedoms, or unless the processing serves to assert, exercise, or defend legal claims. You can object to the processing of your data for the purpose of direct advertising at any time without giving reasons;
    7. Refusal and revocation of consent: To refuse consent or – without affecting the lawfulness of the data processing carried out before the revocation – to revoke your consent to the processing of your personal data at any time;
    8. Right of complaint: You have the right to complain to a data protection supervisory authority about the processing of your personal data by us.

    The processing of your data is necessary for the conclusion or fulfillment of your contract with us to use the MindDoc app and in the case of the creation of the optional account. In addition, this is required when using the optional offer of the MindDoc Online Therapy service (https://www.minddoc.de), which is independent of our GTC. If you do not provide us with this information, we will not be able to provide the services mentioned in our GTC.

    If you want to make use of one of these rights, you can delete your data directly in the app in the section “Settings → Data & Security”. Of course, you can transfer your data beforehand using an automatic export function. Alternatively, you can send us an e-mail from the address registered with us to feedback@minddoc.de or write to us stating your personal identification number (UID – you can find this in the settings section at the bottom of the profile page). We will then check this immediately and contact you.

     

  • 9. Changes to our privacy policy

    We reserve the right to change this data protection declaration in compliance with data protection regulations. The current version can be found here or at another accessible location in our app.

    If you have any questions, suggestions or comments, you are welcome to contact our customer support team at feedback@minddoc.de or our data protection officer:  Martin Kuhr. Data Protection Officer of MindDoc Health GmbH, Leopoldstraße 159, 80804 München, Germany, E-Mail: datenschutz[at]schoen-kliniken.de 
