Privacy Policy – BitHabit

Updated: 9.4.2024
The purpose of this document is to inform you about the processing and collection of personal data by Wellpro Impact Solutions Oy, business ID 3227015-2, (hereinafter “the Company”), in connection with the BitHabit service (hereinafter “the Service”) operated by the Company. Personal data means any information that allows an individual person to be identified. This Privacy Policy primarily relates to the Service. Information about the Company’s processing of personal data in other contexts is available at: https://wellpro.fi/.

1. Controller and processors

In connection with the Service, the Company acts as a data controller, i.e. it defines the personal data to be collected for the Service and the purposes of processing. The Company uses the following processors to process personal data related to the Service under separate written processing agreements with the processors:
  • Data centre/web platform provider, currently Skillwell Oy (based in Jyväskylä)
  • The BitHabit activation service operates in the European data centres of Amazon Web Services (AWS).
  • Entering survey data into the Service, currently Typeform S.L. (based in Barcelona)
  • Newsletter/SMS provider, currently SendinBlue SAS (based in Paris)
  • CRM service provider, currently Monday.com Ltd. (based in Tel Aviv)
  • Signature service, currently Oneflow (based in Stockholm)
  • Web site services, currently Planeetta Internet Oy (based in Helsinki)
  • Billing service provider for Business-to-Business customers, currently Fennoa Oy (based in Alavus)
For consumer customers, billing service providers such as Stripe, PayPal, Mastercard, Visa, etc. operate as independent data controllers; their own privacy practices are described, among other places, on their websites.

2. Categories of personal data and legal grounds for processing

Personal data is processed in the Service in accordance with the EU General Data Protection Regulation (hereinafter “GDPR”) and applicable national data protection legislation. The provision of personal data is necessary to use the Service. Exception: using only the BitHabit survey service does not require you to provide any personal data, see section 3. For research purposes, this exception does not apply.

| Category of personal data | Purpose of processing | Lawful ground for processing | Deletion of personal data |
| --- | --- | --- | --- |
| Names of users, contact details | Setting up the service, managing your account, responding to support requests | Implementation of the agreement (GDPR Article 6(1)(b)) | 12 months after the customer’s account has become inactive, or when it is no longer necessary to retain them for the original purposes or other lawful processing. |
| | Feedback surveys on the functionality of the software | Legitimate interest of the company (GDPR Article 6(1)(f)) | 12 months after the customer’s account has become inactive, or when it is no longer necessary to retain them for the original purposes or other lawful processing. |
| Background information: age, gender, occupation, mother tongue, education level, health information (current and past illnesses, physical activity limitations), alcohol/drug use, eating habits, exercise habits, possible stressful life changes, satisfaction with own life, social activity, planned retirement age, motivation to continue working | Health and lifestyle background information provided at the time of accessing the Service; this background information is compared with information obtained during the Service to inform the user of any change in his or her health or lifestyle. | Consent (GDPR Article 6(1)(a)) | 12 months after the customer’s account has become inactive, or when it is no longer necessary to retain them for the original purposes or other lawful processing. |
| Self-reported information: work stress, possible sleep problems, taking up exercise, tracking food intake, self-perceived changes in cognition, changes in cognition observed by loved ones, changes in satisfaction with personal life, changes in social activity, open field for comments, which may include other personal data | Documenting health and lifestyle changes | Consent (GDPR Article 6(1)(a)) | 12 months after the customer’s account has become inactive, or when it is no longer necessary to retain them for the original purposes or other lawful processing. |
| Activation actions recorded by the User in the Service: physical activity, social encounters, nutritional actions, mental or cognitive actions. | Recording health and lifestyle-related actions | Consent (GDPR Article 6(1)(a)) | 12 months after the customer’s account has become inactive, or when it is no longer necessary to retain them for the original purposes or other lawful processing. |
| Statistics and graphical models generated from the data entered by the User in the Service. | Statistics on health and lifestyle changes and tracking of activation activities, so that the user can monitor whether health plans are being implemented | Consent (GDPR Article 6(1)(a)) | 12 months after the customer’s account has become inactive, or when it is no longer necessary to retain them for the original purposes or other lawful processing. |

3. Information from the BitHabit survey service

In connection with the BitHabit survey service, the Company processes many of the data mentioned in section 2, which are personal data in themselves, but are not associated with any individual user and are therefore not covered by personal data legislation. No personally identifiable information, such as name or contact information, is collected in connection with the use of the BitHabit Survey Service, and no information from the BitHabit Survey Service is aggregated with information collected by the Service that includes personally identifiable information.

4. Specific categories of personal data

The Company processes a wide range of special categories of personal data (“sensitive personal data”) in connection with the Service, in particular related to users’ health, exercise habits, and social life. The Company’s basis for derogating from the prohibition on processing sensitive personal data under Article 9 of the GDPR is the express consent of users, which is obtained from users when they access the Service. In practice, it is not possible to use the Service without this explicit consent, as the personal data entered into the Service is for the most part sensitive personal data.

5. Information security

The Company protects personal data with reasonable, appropriate safeguards to prevent accidental data leaks, unauthorized processing of personal data, and erroneous or unauthorized destruction, use, alteration or disclosure of personal data. The Company has implemented appropriate technical and organisational measures to secure personal data. The above measures, such as limiting access to personal data by Company personnel and processors, and the storage and processing of personal data in encrypted form, are calibrated taking into account the harmfulness and likelihood of potential data leaks, the sensitivity of the personal data processed, the circumstances in which it is stored, and developments in security technology.

6. Rights of the data subject

Under the GDPR, the data subject has the following rights in relation to personal data, as further explained in Articles 15-21 of the GDPR:
  • Right to withdraw consent: to the extent that processing is based on users’ consent, users have the right to withdraw their consent at any time and request that their data be removed from the Service.
  • Access to data: data subjects have the right to request confirmation of whether their personal data are processed by the Company or its processors and to obtain access to their data.
  • Right to rectification: the data subject has the right to request the controller to correct any inaccurate or incomplete personal data processed in connection with the Service.
  • Right to erasure: data subjects have the right to request the erasure of personal data concerning them if it is no longer necessary for the purposes for which it was collected or processed, if they object to the processing and there are no compelling legal grounds for the processing, if the processing is unlawful, or if the personal data must be erased in order to comply with a legal obligation.
  • Right to restriction of processing: the data subject has the right to request the restriction of the processing of personal data concerning him or her where the accuracy of the personal data is contested, where the processing is unlawful or where the controller no longer needs the personal data concerned but the data subject has legitimate grounds for objecting to the erasure of the personal data, or where the data subject objects to the processing and it has not yet been established whether there is a legal basis for the processing.
  • Right to object: data subjects have the right to object to the processing of their personal data to the extent that the data are processed pursuant to Article 6(1)(f) of the GDPR, in which case the controller must prove that there is a compelling legal ground for the processing in order to continue to process the personal data concerned.
  • Right to complain: data subjects have the right to complain about the processing of personal data in connection with the Service to the competent data protection authority. The competent data protection authority in Finland is the Data Protection Ombudsman (tietosuoja@om.fi).

7. Data transfers outside the EU/EEA

The Company’s servers are currently located in Finland, and the Company’s processors’ servers are for the most part located either in the EU/EEA, or in countries with an equivalent level of data protection as decided by the EU Commission. Data collected or processed in connection with the Service will only be transferred or processed outside the EU or EEA on a transfer basis in accordance with Article 46 of the GDPR, for example, pursuant to an equivalence decision issued by the European Commission or standard clauses adopted by the European Commission. To the extent that transfers are made pursuant to standard clauses, data subjects have the right to see the description of the personal data to be transferred attached to the standard clauses.

8. Changes to data protection practices

These privacy policies may be amended from time to time by uploading an updated version of the document to the Service or otherwise making it available to data subjects, after which the updated version will apply. In the event of material changes to the privacy practices, the Company will also endeavour to inform you by other means, such as email.