Privacy policy

Scope of this privacy policy

This privacy policy provides information on the processing of personal data in accordance with the EU GDPR in connection with the use of this website and the edupression.com® health application (application). In the application itself, we provide a special data protection declaration under Profile / Data protection exclusively for the use of the health application alone.

Introduction

We at SOFY GmbH, Am Renninger 8, 3400 Klosterneuburg, Austria, info@sofy.group, (hereinafter referred to as “SOFY”, “we” or “us”) have set ourselves the goal of building edupression.com® exclusively on the foundation of evidence-based medicine. People in a difficult time for them should be given the opportunity to experience online self-help and build up competence, in addition to existing forms of therapy such as psychotherapy and psychotropic drugs. Our aim is to be scientific and utilise the highest level of technology. For this reason, the protection of the personal data of our customers (users) and interested parties is of particular concern to us in this sensitive area. We process this data exclusively on the basis of the applicable, strict legal provisions in the European Union and Austria (EU-DSGVO, öDSG 2021, TKG 2021).

Registration and use of edupression.com® health application

In order to be able to use edupression.com® as an online platform and medical product, i.e. on the basis of Art. 6 para. 1 lit b GDPR, users must register (name, password, valid email address). In the mandatory onboarding process (with online instructions for use), users must also confirm that they have no urgent suicidal thoughts or plans.

When registering, they must also expressly consent to the processing of personal data, in particular to the processing of their health data in accordance with Art. 9 para. 2 lit a GDPR. Registration is only permitted for users over the age of 18.

The following data is processed when you use edupression.com®:

  1. Data that users actively enter: Contact details, form entries on the status of knowledge, self-tests, well-being, forums, etc.
  2. Data that can be collected passively via the (mobile) end devices (activities and usage behaviour of the user, gamification data).

This data forms the basis for the technically correct use and effectiveness of edupression.com® products as medical devices.

Communication in the application

The pusher.com service from Messagebird in the Netherlands is integrated for notifications from users or the optional chat function between the connected user and the depression specialist (not for DiGA users). The content and data are transmitted securely in encrypted form.

Health data – use of medical devices

We process the following health data for the purpose of use as medical products. This is necessary to ensure the effectiveness of the product.

edupression.com® psychoeducation (therapy sessions)

  • Data relating to the organisation of the courses (start/end times of the course modules and their parts, time course, learning duration, repetitions, etc.)
  • Data from the depression self-test (questions on complaints regarding various moods, biological functions, feelings and thoughts)
  • Data from brain training on reaction time, concentration and attention
  • Data from interactive fields in the course modules (e.g. term associations, WordRap, personal positive activity list, answers from questionnaires, etc.)
  • Data from the quiz answers given by the user

edupression.com® mood chart

Data from daily mood to form a depression score, affective episodes, impairments, general factors such as sleep, menstruation, alcohol/drugs, stressful events, specific factors such as positive activities, sport, therapy.

Utilisation as a depression specialist

In the course of registration as a depression specialist, personal data is collected for the use of the user account, in particular name, contact details, profession and education. Furthermore, after SOFY agrees to the conclusion of the contract with the depression specialist, the activities of the depression specialist on the platform, such as invitations, as well as access for legitimate interest and for the protection of other users are processed.

The user can voluntarily link up with a depression specialist.

To link users and depression specialists, both must give their explicit consent (invitation and consent). If the two are linked, the depression specialist has access to data from the user’s cockpit via their own account, e.g. course history, activities, mood chart. This provides the depression specialist with information on the period and progress between personalised treatments. Other data that is processed when a user is linked to a depression specialist includes the user’s contact details and data from communication between depression specialists and users. The user can revoke their consent at any time without giving reasons, but it is then not possible to link the user to the depression specialist.

Use within the framework of health insurance

If use is made via an insurance company, data is primarily transmitted to the insurance companies for billing purposes (name, insurance number, date of birth, period of use of edupression.com, selected product).

The aforementioned data processing is generally carried out on the basis of Art. 6 para. 1 lit. b GDPR, but as far as health data is concerned, the data processing is carried out on the basis of Art. 9 para. 2 lit. a GDPR.

The user can revoke his consent at any time without giving reasons, but all personal data will then be deleted, subject to other legal bases.

Registration via health ID (IDP) and writing to the electronic patient file (ePA) in Germany

In Germany, it is legally possible, after all participants in the telematics infrastructure (TI) have taken all measures, to register with edupression® as a DiGA using a health ID as the sole authentication or to log in with it. To do this, users must apply for the health ID from their statutory health insurance provider. When registering or logging in, we receive the health insurance company’s authorisation to use edupression® via a TI interface. In order to use edupression®, it is also necessary for the user to provide and check an email address, as important information is transmitted to users via this channel.
If a health insurance number (KVNr) is also stored in the health ID by the statutory health insurance company, edupression® users can also call up the letter in the ePA once or regularly in the programme itself via “Data export”. A machine-readable file is written to the user’s ePA in accordance with MIO DiGA Toolkit 1.1.0. The following data is transferred: Details of the DiGA including date and duration, user name (if provided voluntarily, but at least the email address), medication details (active ingredient and dose, if entered by the user), various user responses to questionnaires or surveys (in particular PHQ9 or mood chart). A specification of the exported file in terms of interoperability can be found here.

Collaboration with scientific partners and sharing of anonymous data – Health application

Users can optionally give their consent to the anonymisation of data for further development, to ensure technical functionality and user-friendliness (in accordance with the German GDPR). This consent can be revoked at any time without giving reasons. We work together with recognised medical and scientific research institutions in the development and further development of our products. Data required for scientific purposes is only transmitted in anonymised form so that the researchers cannot draw any conclusions about the individual user.

Our common goal is to further develop edupression.com® so that our users receive the best possible support and guidance during their illness.

Spam and bot protection – Website and health application

To protect the website and health application, we work together with the captcha.eu service from Austria. In this way, we ensure the maintenance of operations (GDPR Art. 6 lit. c) and process technical data including IP, session times, etc. for this purpose. See also privacy policy captcha.eu: https://www.captcha.eu/de/datenschutz/

WhatIsMyBrowser to check the current browser version (health application)

As we are legally obliged as DiGA to ensure that users always use the latest version of the browser, we use the WhatIsMyBrowser service of the Australian company Long Way Research Corporation Pty Ltd. The technical data that is returned to the website operator by the respective browser when a website is opened is processed via an interface (IP, HTTP header with browser details (user agent), cookie settings, Java and/or Flash support…). The IP address is not processed in full: it is pseudonymised by omitting the last two digits. This allows the WhatIsMyBrowser service to provide us with pseudonymised feedback as to whether the user of the web application is currently using a current browser version. WhatIsMyBrowser uses the visitor’s browser data to update and continuously develop the database; the IP address is completely separated beforehand so that no conclusions can be drawn about the visitor. Further information on the privacy policy of WhatIsMyBrowser: https://www.whatismybrowser.com/about/legal/

Playing videos with Vimeo on website and health application

We use the video portal Vimeo from Vimeo.com, Inc. to play videos in our application and website. The videos are embedded and only use the technically necessary data to play and control the respective video. This is ensured by the “hide from Vimeo” setting for all videos played. Vimeo.com, Inc. acts as a processor; we have concluded standard contractual clauses with Vimeo.com, Inc. for this purpose. You can find the data protection information for Vimeo here: https://vimeo.com/privacy.

Contact via the website or in general

If you would like to contact us, you can do so via the web form, for example, or by sending an email to info@sofy.group or by telephone. We process your email address, telephone number and the content of your message and communication for the purpose of processing your enquiry and in the event of follow-up questions and store them for up to six months on the basis of Art. 6 para. 1 lit. b GDPR.

As far as health data is concerned, this will only be processed with your express consent in accordance with Art 9 para 2 lit a GDPR.

For communication with us in the health application, we provide an option directly via the application in the Feedback/Request menu. This data will also be deleted in the event of cancellation requests.

Use of the prescription service

In order to be able to use the free and voluntary prescription service via our website, users must give their informed consent to the processing of personal data in the course of the service. The processing includes the following data, including special category data (health data) in accordance with Art. 9 para. 1 GDPR: name, email, telephone number, prescription, prescription data and doctor/therapist. The data is transmitted to SOFY GmbH, stored and checked for completeness. It is then forwarded to the user’s health insurance company on behalf of the user.
For statistical purposes, the data is anonymised without it ever being possible to draw any conclusions about the user. Consent can be revoked by the user at any time without giving reasons for the future (email: datenschutz@edupression.com).

Optional query as part of the prescription service and the medical device

As part of the prescription service and in the medical product system, users can optionally enter the name of the practitioner, the speciality and/or their postcode. This can be helpful when enquiring in the direction of the practitioner and can, for example, help to establish contact more quickly. In addition, it is important to know in which regions of Germany edupression® is used in order to obtain information on the supply situation in accordance with the requirements of the medical device regulations (e.g. post-market surveillance).

Online payment transactions

This section does not apply to DiGA users from Germany, as these are billed directly via the health insurance companies.
For the processing of online payment transactions, thus on the basis of Art 6 para 1 lit b GDPR, we only transfer the most necessary personal data to the payment service provider (Stripe Inc. or PayPal (Europe) S.à r.l. et Cie, S.C.A.): Name, order purpose, amount. This data is passed on in encrypted form and is only used to process the payment. Privacy policy stripe.com https://stripe.com/en-at/privacy
If users use PayPal, they have already agreed to PayPal’s terms and conditions: https://www.paypal.com/at/webapps/mpp/ua/privacy-full?locale.x=de_AT.

Website – Cookies

Our website uses so-called cookies. These are small text files that are stored on your end device with the help of the browser. They do not cause any damage.

We use cookies to make our website user-friendly and to ensure that our web service functions technically. Some cookies remain stored on your end device until you delete them. They enable us to recognise your browser on your next visit and, for example, to make our web service available more quickly. Before we set cookies that are not technically necessary for the provision of the service, we obtain consent from the visitor by means of cookie pop-ups (opt-in). If the visitor does not give their consent, the functionality of our website and our web shop may be restricted.

Health application – Cookies

The edupression.com® health application itself only runs with technically necessary cookies from our own server.

Website – Feedback

We use the European service hotjar so that our website visitors can simply send us feedback from the site. The data entered in this way is made available to us in a secure manner.
Users of the edupression.com® programme can provide feedback in our system directly in the application.

Thank you very much for your feedback, this helps us to make the offer even better for everyone!

Email newsletters and transactional emails

We send email newsletters to interested parties and our users (customers), providing information about mental illnesses and our services. The newsletter is sent on the basis of the consent of the interested party in accordance with Art 6 para 1 lit a GDPR and from the contractual relationship as a customer. DiGA patients must register separately for this service via the website. Registration takes place in a so-called double opt-in procedure (after registration, the interested party receives an email asking them to confirm their registration; only after confirmation will the email newsletter be sent). It is possible to unsubscribe at any time simply by clicking on the unsubscribe link in the newsletter. We use Mailjet, an email marketing service in France, as a processor to send the newsletter. Only the following data is transmitted for this purpose: name, title and email address. Usage data (reports) are also collected during dispatch; these are used exclusively for the purpose of improving our newsletter service and thus to safeguard our legitimate interests in accordance with Art. 6 para. 1 lit. f GDPR. If you have given your consent to receive email newsletters in accordance with Article 6(1)(a) GDPR, we will store your data until you withdraw your consent.

Transactional emails: Unlike newsletters, accompanying, personalised communication by means of emails (reminders, information, congratulations…) is an important part of the therapeutic service we offer to our users and is therefore a contractual component of our service (Art. 6 para. 1b).

Recipients of the personal data

The transfer and processing of personal data only takes place insofar as this is necessary for the fulfilment of the contractual relationship or for the implementation of pre-contractual measures (on the basis of Art 6 para 1 lit b GDPR), for the fulfilment of a legal obligation (Art 6 para 1 lit c GDPR), for the protection of legitimate interests (Art 6 para 1 lit f GDPR) or for the assertion, exercise or defence of legal claims (Art 9 para 2 lit f GDPR) or if the user or interested party has given their express consent (Art 6 para 1 lit a or Art 9 para 2 lit a GDPR).

In addition to the processors listed above, the personal data of users and interested parties are transmitted in particular to data centres, IT service providers and accounting service providers.

Furthermore, transmission may be necessary in connection with official enquiries or court orders, among other things.

As a manufacturer or distributor, we are subject to special requirements with regard to monitoring the functionality of the products, particularly due to the obligation under the applicable medical device legislation. Personal data may also be processed on the basis of this regulatory monitoring and reporting system. The legal basis here is Art. 9 (2) i GDPR.

Storage duration

Your personal data is generally stored for as long as is necessary to fulfil contractual obligations and for its intended purpose. The data will then be deleted. Exceptions exist in the case of statutory retention or storage obligations.
Due to the DiGAV interpretation (§4 para.2) by the authority BfArM, the account including all personal data is automatically deleted after expiry (3 months) for users of DiGA in Germany. However, these users can voluntarily agree to retain the account with all data so that there is time to obtain a new DiGA code from the doctor/therapist or health insurance company (follow-up prescription PZN 18458283). After entering the new DiGA code, the application can be continued.

Rights of data subjects

We would like to point out that you can assert your right to information, data portability, correction, restriction, cancellation, objection and deletion of your personal data at any time. Unless there are other legal grounds to the contrary, we will comply with your request in a timely manner. In accordance with the EU GDPR, we will inform all recipients to whom personal data has been disclosed of the rectification or erasure or restriction of processing and, if requested, also the data subject. No automated decisions, including profiling, are carried out with your data. You also have the right to lodge a complaint with the competent authority: Austrian Data Protection Authority (https://www.dsb.gv.at/, Barichgasse 40-42, 1030 Vienna).

Contact us and our data protection officer:

SOFY GmbH c/o Data Protection Officer
Am Renninger 8, 3400 Klosterneuburg, Austria
Email: datenschutz@edupression.com

Data security

We take appropriate technical and organisational security measures within the meaning of Art. 32 GDPR to protect your personal data against accidental or unlawful destruction, loss or alteration and against unauthorised disclosure or access.

For your security, please take all possible measures for IT security – see safety instructions.

Changes to the privacy policy

We reserve the right to amend the privacy policy in order to adapt it to changed legal situations or in the event of changes to the service and data processing. However, this only applies with regard to declarations on data processing. If user consent is required or components of the privacy policy contain provisions of the contractual relationship with the users, the changes will only be made with the consent of the users.

Users are requested to inform themselves regularly about the content of the privacy policy.