Privacy Policy – BitHabit
Updated: 9.4.2024
The purpose of this document is to inform you about the processing and collection of personal data by Wellpro Impact Solutions Oy, business ID 3227015-2, (hereinafter “the Company”), in connection with the BitHabit service (hereinafter “the Service”) operated by the Company. Personal data means any information that allows an individual person to be identified.
This Privacy Policy primarily relates to the Service. Information about the Company’s processing of personal data in other contexts is available at: https://wellpro.fi/.
1. Controller and processors
In connection with the Service, the Company acts as a data controller, i.e. it defines the personal data to be collected for the Service and the purposes of processing. The Company uses the following processors to process personal data related to the Service under separate written processing agreements with the processors:
- Data centre/web platform provider, currently Skillwell Oy (based in Jyväskylä)
- The BitHabit activation service operates in the European data centres of Amazon Web Services (AWS).
- Entering survey data into the Service, currently Typeform S.L. (based in Barcelona)
- Newsletter/SMS provider, currently SendinBlue SAS (based in Paris)
- CRM service provider, currently Monday.com Ltd. (based in Tel Aviv)
- Signature service, currently Oneflow (based in Stockholm)
- Web site services, currently Planeetta Internet Oy (based in Helsinki)
- Billing service provider for Business-to-Business customers, currently Fennoa Oy (based in Alavus)
2. Categories of personal data and legal grounds for processing
Personal data is processed in the Service in accordance with the EU General Data Protection Regulation (hereinafter “GDPR”) and applicable national data protection legislation. The provision of personal data is necessary to use the Service. Exception: using only the BitHabit survey service does not require you to provide any personal data, see section 3. For research purposes, this exception does not apply.
Category of personal data | Purpose of processing | Lawful ground for processing | Deletion of personal data |
---|---|---|---|
Names of users, contact details | Setting up the service, managing your account, responding to support requests | Implementation of the agreement (GDPR Article 6(1)(b)) | 12 months after the customer’s account has become inactive, or when it is no longer necessary to retain them for the original purposes or other lawful processing. |
Feedback surveys on the functionality of the software | | Legitimate interest of the company (GDPR Article 6(1)(f)) | 12 months after the customer’s account has become inactive, or when it is no longer necessary to retain them for the original purposes or other lawful processing. |
Background information: age, gender, occupation, mother tongue, education level, health information (current and past illnesses, physical activity limitations), alcohol/drug use, eating habits, exercise habits, possible stressful life changes, satisfaction with own life, social activity, planned retirement age, motivation to continue working | Health and lifestyle background information provided at the time of accessing the Service; this background information is compared with information obtained during the Service to inform the user of any change in his or her health or lifestyle. | Consent (GDPR Article 6(1)(a)) | 12 months after the customer’s account has become inactive, or when it is no longer necessary to retain them for the original purposes or other lawful processing. |
Self-reported information: work stress, possible sleep problems, taking up exercise, tracking food intake, self-perceived changes in cognition, changes in cognition observed by loved ones, changes in satisfaction with personal life, changes in social activity, open field for comments, which may include other personal data | Documenting health and lifestyle changes | Consent (GDPR Article 6(1)(a)) | 12 months after the customer’s account has become inactive, or when it is no longer necessary to retain them for the original purposes or other lawful processing. |
Activation actions recorded by the User in the Service: physical activity, social encounters, nutritional actions, mental or cognitive actions. | Recording health and lifestyle-related actions | Consent (GDPR Article 6(1)(a)) | 12 months after the customer’s account has become inactive, or when it is no longer necessary to retain them for the original purposes or other lawful processing. |
Statistics and graphical models generated from the data entered by the User in the Service. | Statistics on health and lifestyle changes and tracking of activation activities, so that the user can monitor whether health plans are being implemented | Consent (GDPR Article 6(1)(a)) | 12 months after the customer’s account has become inactive, or when it is no longer necessary to retain them for the original purposes or other lawful processing. |
3. Information from the BitHabit survey service
In connection with the BitHabit survey service, the Company processes many of the data mentioned in section 2, which are personal data in themselves, but are not associated with any individual user and are therefore not covered by personal data legislation. No personally identifiable information, such as name or contact information, is collected in connection with the use of the BitHabit Survey Service, and no information from the BitHabit Survey Service is aggregated with information collected by the Service that includes personally identifiable information.
4. Specific categories of personal data
The Company processes a wide range of special categories of personal data (“sensitive personal data”) in connection with the Service, in particular related to users’ health, exercise habits, and social life. The Company’s basis for derogating from the prohibition on processing sensitive personal data under Article 9 of the GDPR is the express consent of users, which is obtained from users when they access the Service. In practice, it is not possible to use the Service without this explicit consent, as the personal data entered into the Service is for the most part sensitive personal data.
5. Information security
The Company protects personal data with reasonable, appropriate safeguards to prevent accidental data leaks, unauthorized processing of personal data, and erroneous or unauthorized destruction, use, alteration or disclosure of personal data. The Company has implemented appropriate technical and organisational measures to secure personal data. The above measures, such as limiting access to personal data by Company personnel and processors, and the storage and processing of personal data in encrypted form, are calibrated taking into account the harmfulness and likelihood of potential data leaks, the sensitivity of the personal data processed, the circumstances in which it is stored, and developments in security technology.
6. Rights of the data subject
Under the GDPR, the data subject has the following rights in relation to personal data, as further explained in Articles 15-21 of the GDPR:
- Right to withdraw consent: to the extent that processing is based on users’ consent, users have the right to withdraw their consent at any time and request that their data be removed from the Service.
- Access to data: data subjects have the right to request confirmation of whether their personal data are processed by the Company or its processors and to obtain access to their data.
- Right to rectification: the data subject has the right to request the controller to correct any inaccurate or incomplete personal data processed in connection with the Service.
- Right to erasure: data subjects have the right to request the erasure of personal data concerning them if it is no longer necessary for the purposes for which it was collected or processed, if they object to the processing and there are no compelling legal grounds for the processing, if the processing is unlawful, or if the personal data must be erased in order to comply with a legal obligation.
- Right to restriction of processing: the data subject has the right to request the restriction of the processing of personal data concerning him or her where the accuracy of the personal data is contested, where the processing is unlawful or where the controller no longer needs the personal data concerned but the data subject has legitimate grounds for objecting to the erasure of the personal data, or where the data subject objects to the processing and it has not yet been established whether there is a legal basis for the processing.
- Right to object: data subjects have the right to object to the processing of their personal data to the extent that the data are processed pursuant to Article 6(1)(f) of the GDPR, in which case the controller must prove that there is a compelling legal ground for the processing in order to continue to process the personal data concerned.
- Right to complain: data subjects have the right to complain about the processing of personal data in connection with the Service to the competent data protection authority. The competent data protection authority in Finland is the Data Protection Ombudsman (tietosuoja@om.fi).