We at SOFY GmbH, Am Renninger 8, 3400 Klosterneuburg, Austria, email@example.com, (hereinafter referred to as “SOFY”, “we” or “us”) have set ourselves the goal of building edupression.com® exclusively on the foundation of evidence-based medicine. People in a difficult time for them should be given the opportunity to experience online self-help and to build up competence, accompanying the existing forms of therapy psychotherapy and psychotropic drugs. Our claim is to be scientific and use the highest technical level. Therefore, the protection of the personal data of our customers (users) and interested parties is of particular concern to us, even in this sensitive area. We process this data exclusively on the basis of the strict legal regulations in force in the European Union and Austria (EU-GDPR, öDSG 2018, TKG 2003 in German).
Registration and use of edupression.com®
In order to use edupression.com® as an online platform and medical product, thus on the basis of Art 6 para. 1 lit b GDPR, users must register (name, password, valid e-mail address). In the obligatory onboarding process (with online instructions for use) the user must also confirm that there are no urgent suicide thoughts or plans.
When registering, they must also expressly consent to the processing of personal data, in particular to the processing of their health data in accordance with Art. 9 Para. 2 lit a GDPR. Users are only permitted to register from the age of 18.
When using edupression.com® the following data is processed:
(a) data actively entered by users Contact data, form entries on the status of knowledge, self-tests, well-being, activities, forums, etc.
(b) data that can be passively collected via (mobile) terminals (motion and acceleration sensors, user behaviour, GPS data)
These data are the basis for the application and effectiveness of edupression.com® products as medical devices.
Communication in the application
For user notifications or the optional chat function between connected user and depression specialist (not for DiGA users), the service pusher.com from Messagebird in the Netherlands is integrated. The content and data are securely transmitted end-to-end encrypted.
Health data – use of Medical devices
For the purpose of use as medical devices, we process the health data listed below. This is necessary in order to guarantee the effectiveness of the product.
edupression.com® psychoeducation (therapy modules)
Data within the framework of the handling of the courses (start/end times of the course modules and their parts, time course, learning duration, repetitions, etc.)
Data from the self-test for depression (queries on complaints regarding various emotional states, biological functions, feelings and thoughts)
Data from brain training on reaction time, concentration and attention
Data from interactive fields in the course modules (e.g. term associations, WordRap, personal positive activity list, answers from questionnaires, etc.)
Data from the quiz answers given by the user
edupression.com® Mood chart
Data from the daily mood to form a depression score, affective episodes, impairments, general factors such as sleep, menstruation, alcohol/drugs, stressful events, specific factors such as positive activities, sports, therapy.
User behaviour – captured by terminal equipment
Data from the sensors of the (mobile) end devices (movement, usage, GPS)
Use as a depression specialist
In the course of registering as a depression specialist, personal data is collected for the use of the user account, in particular name, contact details, profession and education. Furthermore, after SOFY agrees to the conclusion of the contract with the depression specialist, the activities of the depression specialist on the platform, such as invitations, group formation/activities, as well as accesses out of legitimate interest and for the protection of other users are processed.
The user can voluntarily link up with a depression specialist.
To link the user and the depression specialist, both must explicitly agree (invitation and consent). If the two are linked, the depression specialist can access data from the user’s cockpit via his or her own account, e.g. course, activities, mood chart. This serves to inform the depression specialist about the period and the course between personal treatments. Other data processed in the context of linking a user to a depression specialist are contact data of the user, as well as data from the communication between depression specialists and users. The user can revoke his or her consent at any time without giving reasons, but in this case it is not possible to link the user and the depression specialist.
Use of moderated forums
Name, avatar, date and contributions of the user in the moderated forums protected by login. We explicitly point out that this data and content is visible to other users in the forum.
Use within the scope of health insurance
If use is via an insurance company, data is primarily transmitted to the insurance companies for billing purposes (name, insurance number, date of birth, period of use of edupression.com®, selected product).
The above-mentioned data processing is generally carried out on the basis of Art 6 Paragraph 1 lit b GDPR, but insofar as health data are concerned, data processing is carried out on the basis of Art 9 Paragraph 2 lit a GDPR.
The user can revoke his or her consent at any time without giving reasons, but then he or she can only use edupression.com® to a very limited extent, for example, no courses can be called up or the mood chart can no longer be used (no more data entry possible)
Cooperation with scientific partners and transfer of anonymous data
In the development and further development we work together with recognised medical and scientific research institutions. Data required for scientific purposes are transmitted exclusively in anonymous form, so that researchers cannot draw any conclusions about the individual person of the user.
Our common goal is to develop edupression.com® in such a way that our users receive the best possible support and guidance in their illness.
If you would like to contact us, you can do so by sending an e-mail to firstname.lastname@example.org or by telephone. We process your e-mail address, telephone number and the content of your message and communication for the purpose of processing your enquiry and in the event of follow-up questions and store these for up to six months on the basis of Art 6 Paragraph 1 lit b GDPR.
As far as health data are concerned, they will only be processed with your express consent in accordance with Art 9 Paragraph 2 lit a GDPR.
Online payment transactions
For the processing of online payment transactions, thus on the basis of Art 6 para. 1 lit b GDPR, we only transfer the most necessary personal data to the payment service provider (Stripe Inc. or PayPal (Europe) S.à r.l. et Cie, S.C.A.): Name, order purpose, amount. These data are transmitted in encrypted form and are only used to process the payment.
As a US-American company Stripe Inc. is certified according to the US-Privacy Shield data protection law, see also data protection declaration stripe.com https://stripe.com/en-at/privacy).
If users use PayPal, they have already agreed to the terms of PayPal (https://www.paypal.com/at/webapps/mpp/ua/privacy-full?locale.x=de_AT)
Website – Cookies
Our website uses so-called cookies. These are small text files that are stored on your end device with the help of the browser. They do not cause any damage.
Before we set cookies, which are not technically essential for the provision of the service, we obtain the visitor’s consent by means of cookie pop-ups (opt-in).
If the visitor does not give consent, the functionality of our website and our web shop may be limited.
E-mail newsletter dispatch
We send e-mail newsletters to interested parties and our users (customers), providing information about mental illness and our services. The mailing is based on the consent of the interested party in accordance with Art 6 para. 1 lit a GDPR and from the contractual relationship as a customer. The registration is carried out in a so-called double opt-in procedure (the interested party receives an e-mail after registration asking him/her to confirm his/her registration, only after confirmation will the e-mail newsletter be sent). Cancellation is possible at any time simply by clicking on the cancellation link in the newsletter. To carry out the dispatch, we use an e-mail marketing service in France, as an order processor. For this purpose, only the following data is transferred: name, title and e-mail address. When sending out the newsletter, usage data (reports) are also collected; these serve exclusively to improve our newsletter service and thus to protect our legitimate interests in accordance with Art 6 Paragraph 1 lit f GDPR. If you have given your consent in accordance with Art 6 para. 1 lit a GDPR to receive e-mail newsletters, we will store your data until you revoke your consent.
Unlike newsletters, accompanying personalised communication by e-mail (reminders, information, congratulations…) is an important part of the service we offer to our users and is therefore a contractual component of our service (Art. 6 para. 1b).
Recipients of personal data
The transmission and processing of personal data is generally only carried out to the extent that this is necessary to fulfil the contractual relationship or to carry out pre-contractual measures (on the basis of Art 6 Paragraph 1 lit b GDPR), to fulfil a legal obligation (Art 6 Paragraph 1 lit c GDPR), to safeguard legitimate interests (Art 6 Paragraph 1 lit f GDPR) or to assert, exercise or defend legal claims (Art 9 Paragraph 2 lit f GDPR) or if the user or interested party has given his express consent (Art 6 para. 1 lit a or Art 9 para. 2 lit a GDPR).
In addition to the above-mentioned processors, the personal data of the users or interested parties will be transmitted in particular to computer centres, IT service providers and accounting service providers.
Furthermore, transmission may be necessary in connection with official inquiries or court orders, among other things.
Especially due to the obligation according to the applicable medical device law, we as manufacturer or distributor are subject to special requirements regarding the monitoring of the functionality of the products. Based on this regulatory required monitoring and reporting system, personal data may also be processed. The legal basis here is Art 9 (2) i GDPR.
The storage of your personal data is basically as long as this is necessary for the fulfilment of contractual obligations and for their intended purpose. Afterwards the data will be deleted. Exceptions are made in the case of statutory storage or retention obligations.
Rights of data subjects
We would like to point out that you can assert your right to information, data transferability, correction, restriction, revocation, opposition and deletion of your personal data at any time. If there are no other legal bases against this, we will follow your request in due time. You also have the right to complain to the competent authority: Austrian Data Protection Authority (https://www.dsb.gv.at/, Barichgasse 40-42,1030 Vienna).
Contact us and our data protection officer:
SOFY GmbH c/o Data protection officer
Am Renninger 8, 3400 Klosterneuburg, Austria
We take appropriate technical and organisational security measures in accordance with Art 32 GDPR to protect your personal data against accidental or unlawful destruction, alteration or loss and against unauthorised disclosure or access.
For your safety, please take all possible measures for IT security on your side – see security instructions.
Users are asked to inform themselves regularly about the content of the data protection declaration.
Our vision at edupression.com® is to create a place, where all depressed people feel they are in good hands - empowering them to beat depression!