Privacy Statement
Introduction
We at SOFY GmbH, Am Renninger 8, 3400 Klosterneuburg, Austria, info@sofy.group, (hereinafter referred to as “SOFY”, “we” or “us”) have set ourselves the goal of building edupression.com® exclusively on the foundation of evidence-based medicine. People in a difficult time for them should be given the opportunity to experience online self-help and to build up competence, accompanying the existing forms of therapy psychotherapy and psychotropic drugs. Our claim is to be scientific and use the highest technical level. Therefore, the protection of the personal data of our customers (users) and interested parties is of particular concern to us, even in this sensitive area. We process this data exclusively on the basis of the strict legal regulations in force in the European Union and Austria (EU-GDPR, öDSG 2021, TKG 2021 in German).
Registration and use of edupression.com®
In order to use edupression.com® as an online platform and medical product, thus on the basis of Art 6 para. 1 lit b GDPR, users must register (name, password, valid e-mail address). In the obligatory onboarding process (with online instructions for use) the user must also confirm that there are no urgent suicide thoughts or plans.
When registering, they must also expressly consent to the processing of personal data, in particular to the processing of their health data in accordance with Art. 9 Para. 2 lit a GDPR. Users are only permitted to register from the age of 18.
When using the application edupression.com® the following data is processed:
(a) data actively entered by users Contact data, form entries on the status of knowledge, self-tests, well-being, forums, etc.
(b) data that can be passively collected via (mobile) terminals (activities and user behaviour, gamification data)
These data are the basis for the technical correct application and effectiveness of edupression.com® products as medical devices.
Communication in the application
For user notifications or the optional chat function between connected user and depression specialist (not for DiGA users), the service pusher.com from Messagebird in the Netherlands is integrated. The content and data are securely transmitted end-to-end encrypted.
Health data – use of Medical devices
For the purpose of use as medical devices, we process the health data listed below. This is necessary in order to guarantee the effectiveness of the product.
edupression.com® psychoeducation (therapy modules)
Data within the framework of the handling of the courses (start/end times of the course modules and their parts, time course, learning duration, repetitions, etc.)
Data from the self-test for depression (queries on complaints regarding various emotional states, biological functions, feelings and thoughts)
Data from brain training on reaction time, concentration and attention
Data from interactive fields in the course modules (e.g. term associations, WordRap, personal positive activity list, answers from questionnaires, etc.)
Data from the quiz answers given by the user
edupression.com® Mood chart
Data from the daily mood to form a depression score, affective episodes, impairments, general factors such as sleep, menstruation, alcohol/drugs, stressful events, specific factors such as positive activities, sports, therapy.
Use as a depression specialist
In the course of registering as a depression specialist, personal data is collected for the use of the user account, in particular name, contact details, profession and education. Furthermore, after SOFY agrees to the conclusion of the contract with the depression specialist, the activities of the depression specialist on the platform, such as invitations, group formation/activities, as well as accesses out of legitimate interest and for the protection of other users are processed.
The user can voluntarily link up with a depression specialist.
To link the user and the depression specialist, both must explicitly agree (invitation and consent). If the two are linked, the depression specialist can access data from the user’s cockpit via his or her own account, e.g. course, activities, mood chart. This serves to inform the depression specialist about the period and the course between personal treatments. Other data processed in the context of linking a user to a depression specialist are contact data of the user, as well as data from the communication between depression specialists and users. The user can revoke his or her consent at any time without giving reasons, but in this case it is not possible to link the user and the depression specialist.
Use of moderated forums
Name, avatar, date and contributions of the user in the moderated forums protected by login. We explicitly point out that this data and content is visible to other users in the forum.
Use within the scope of health insurance
If use is via an insurance company, data is primarily transmitted to the insurance companies for billing purposes (name, insurance number, date of birth, period of use of edupression.com®, selected product).
The above-mentioned data processing is generally carried out on the basis of Art 6 Paragraph 1 lit b GDPR, but insofar as health data are concerned, data processing is carried out on the basis of Art 9 Paragraph 2 lit a GDPR.
The user can revoke his or her consent at any time without giving reasons, but then he or she can only use edupression.com® to a very limited extent, for example, no courses can be called up or the mood chart can no longer be used (no more data entry possible)
Registration using a Health ID (IDP) and writing to the electronic patient file (ePA) in Germany
In Germany, once all participants in the telematics infrastructure (TI) have taken all the necessary measures, it is legally possible to register with edupression® as a DiGA using a health ID as the sole authentication or to log in with it. To do this, users must apply for the health ID from their statutory health insurance provider. When registering or logging in, we receive the health insurance company’s authorisation to use edupression® via a TI interface. In order to use edupression®, it is also necessary for the user to provide and check an email address, as important information is transmitted to users via this channel.
If a health insurance number (KVNr) is also stored in the health ID by the statutory health insurance company, edupression® users can also write data in the ePA once or regularly in the programme itself via ‘Data export’. A machine-readable file is written to the user’s ePA in accordance with MIO DiGA Toolkit 1.1.0. The following data is transferred: Details of the DiGA including date and duration, user name (if provided voluntarily, but at least the email address), medication details (active ingredient and dose, if entered by the user), various user responses to questionnaires or surveys (in particular PHQ9 or mood chart). A specification of the exported file in terms of interoperability can be found here (link pdf).
Cooperation with scientific partners and transfer of anonymous data
In the development and further development we work together with recognised medical and scientific research institutions. Data required for scientific purposes are transmitted exclusively in anonymous form, so that researchers cannot draw any conclusions about the individual person of the user.
Our common goal is to develop edupression.com® in such a way that our users receive the best possible support and guidance in their illness.
Contact
If you would like to contact us, you can do so by sending an e-mail to info@sofy.group or by telephone. We process your e-mail address, telephone number and the content of your message and communication for the purpose of processing your enquiry and in the event of follow-up questions and store these for up to six months on the basis of Art 6 Paragraph 1 lit b GDPR.
As far as health data are concerned, they will only be processed with your express consent in accordance with Art 9 Paragraph 2 lit a GDPR.
Use of the prescription service
In order to be able to use the free and voluntary prescription service via our website, users must give their informed consent to the processing of personal data in the course of the service. The processing includes the following data, including special category data (health data) in accordance with Art. 9 para. 1 GDPR: name, e-mail, telephone number, prescription, prescription data and doctor/therapist. The data is transmitted to SOFY GmbH, stored and checked for completeness. It is then forwarded to the user’s health insurance company on behalf of the user.
For statistical purposes, the data is anonymized without it ever being possible to draw any conclusions about the user. Consent can be revoked by the user at any time without giving reasons for the future (e-mail: datenschutz@edupression.com).
Online payment transactions
This section does not apply to DiGA users from Germany, as they are billed directly through health insurance companies. For the processing of online payment transactions, thus on the basis of Art 6 para. 1 lit b GDPR, we only transfer the most necessary personal data to the payment service provider (Stripe Inc. or PayPal (Europe) S.à r.l. et Cie, S.C.A.): Name, order purpose, amount. These data are transmitted in encrypted form and are only used to process the payment; privacy statement stripe.com https://stripe.com/en-at/privacy
If users use PayPal, they have already agreed to the terms of PayPal (https://www.paypal.com/at/webapps/mpp/ua/privacy-full?locale.x=de_AT)
Website – Cookies
Our website uses so-called cookies. These are small text files that are stored on your end device with the help of the browser. They do not cause any damage.
We use cookies to make our offer user-friendly and to ensure that our web service functions technically. Some cookies remain stored on your end device until you delete them. They enable us to recognise your browser on your next visit and, for example, to make our web service available more quickly.
Before we set cookies, which are not technically essential for the provision of the service, we obtain the visitor’s consent by means of cookie pop-ups (opt-in).
If the visitor does not give consent, the functionality of our website and our web shop may be limited.
The edupression.com® program itself runs only with technically necessary cookies from our own server.
Website Feedback
To allow our website visitors to easily submit feedback to us from the site, we use the European service hotjar. The data entered in this process is provided to us in a protected manner.
Users of the edupression.com® program can provide feedback directly in the application in our system.
Thank you for your feedback, this helps us to make the offer even better for everyone!
E-mail newsletter dispatch
We send e-mail newsletters to interested parties and our users (customers), providing information about mental illness and our services. The mailing is based on the consent of the interested party in accordance with Art 6 para. 1 lit a GDPR and from the contractual relationship as a customer. The registration is carried out in a so-called double opt-in procedure (the interested party receives an e-mail after registration asking him/her to confirm his/her registration, only after confirmation will the e-mail newsletter be sent). Cancellation is possible at any time simply by clicking on the cancellation link in the newsletter. To carry out the dispatch, we use Mailjet an e-mail marketing service in France, as an order processor. For this purpose, only the following data is transferred: name, title and e-mail address. When sending out the newsletter, usage data (reports) are also collected; these serve exclusively to improve our newsletter service and thus to protect our legitimate interests in accordance with Art 6 Paragraph 1 lit f GDPR. If you have given your consent in accordance with Art 6 para. 1 lit a GDPR to receive e-mail newsletters, we will store your data until you revoke your consent.
Unlike newsletters, accompanying personalised communication by e-mail (reminders, information, congratulations…) is an important part of the service we offer to our users and is therefore a contractual component of our service (Art. 6 para. 1b).
Recipients of personal data
The transmission and processing of personal data is generally only carried out to the extent that this is necessary to fulfil the contractual relationship or to carry out pre-contractual measures (on the basis of Art 6 Paragraph 1 lit b GDPR), to fulfil a legal obligation (Art 6 Paragraph 1 lit c GDPR), to safeguard legitimate interests (Art 6 Paragraph 1 lit f GDPR) or to assert, exercise or defend legal claims (Art 9 Paragraph 2 lit f GDPR) or if the user or interested party has given his express consent (Art 6 para. 1 lit a or Art 9 para. 2 lit a GDPR).
In addition to the above-mentioned processors, the personal data of the users or interested parties will be transmitted in particular to computer centres, IT service providers and accounting service providers.
Furthermore, transmission may be necessary in connection with official inquiries or court orders, among other things.
Especially due to the obligation according to the applicable medical device law, we as manufacturer or distributor are subject to special requirements regarding the monitoring of the functionality of the products. Based on this regulatory required monitoring and reporting system, personal data may also be processed. The legal basis here is Art 9 (2) i GDPR.
Storage duration
The storage of your personal data is basically as long as this is necessary for the fulfilment of contractual obligations and for their intended purpose. Afterwards the data will be deleted. Exceptions are made in the case of statutory storage or retention obligations.
Rights of data subjects
We would like to point out that you can assert your right to information, data transferability, correction, restriction, revocation, opposition and deletion of your personal data at any time. If there are no other legal bases against this, we will follow your request in due time. You also have the right to complain to the competent authority: Austrian Data Protection Authority (https://www.dsb.gv.at/, Barichgasse 40-42, 1030 Vienna).
Contact us and our data protection officer:
SOFY GmbH c/o Data protection officer
Am Renninger 8, 3400 Klosterneuburg, Austria
e-mail: datenschutz@edupression.com
Data security
We take appropriate technical and organisational security measures in accordance with Art 32 GDPR to protect your personal data against accidental or unlawful destruction, alteration or loss and against unauthorised disclosure or access.
For your safety, please take all possible measures for IT security on your side – see security instructions.
Amendment of the privacy policy
We reserve the right to change the privacy policy in order to adapt it to changed legal situations or in case of changes in the service and data processing. However, this only applies with regard to declarations on data processing. Insofar as the consent of the users is required or components of the data protection declaration contain regulations of the contractual relationship with the users, the changes will only be made with the consent of the users.
Users are asked to inform themselves regularly about the content of the data protection declaration.