Privacy Terms

Mentastic Personal Data Processing and Privacy Settings
v1.0
Approved and effective from 12.09.2024

This document (hereinafter “Privacy Settings”) describes the principles of personal data processing for users of the Mentastic application and website (hereinafter “Application”) by HeBA Clinic OÜ and its subsidiaries and affiliates (hereinafter “HeBA”). 

Currently, HeBA Clinic OÜ is the data controller. The Client Data Processing Principles apply to the processing of your personal data when you use our services, contact us, represent or act as a contact person for one of our partners, or visit our website. 

1. General Principles
   1.1. A client, within the meaning of these Privacy Settings, is any person who visits the Mentastic website or uses the Mentastic application and the services provided through it.
   1.2. HeBA acts as the data controller of the Client’s personal data under the General Data Protection Regulation (hereinafter GDPR) and processes data in accordance with the GDPR and Estonian laws, including the Personal Data Protection Act, the Health Services Organization Act, and the Law of Obligations Act.
   1.3. All HeBA employees’ contracts include separate provisions for complying with personal data processing and storage requirements.
   1.4. All authorized processors contracted by HeBA under the GDPR (mainly companies providing IT services and data hosting) follow applicable laws and these Privacy Settings in their data processing.
   1.5. HeBA Clinic OÜ processes personal data for the Mentastic application similarly to other services it provides, but additional data related to the use of the application, including data from third-party services such as Facebook and Google, is collected and processed. More detailed data processing principles are described below in Section 3.
   1.6. When you contact Mentastic (e.g., via email, letter, or phone), we process the personal data you provide (e.g., name, contact information, communication details). We do this based on our legitimate interest in responding to and/or resolving your inquiry, including offering you user support.
   1.7. When you visit the Application’s website, we may obtain personal data about you through cookies used on our website. Visitors can find more information about cookies in the website’s Cookie Policy.

2. Legal Basis and Purposes for Personal Data Processing
   2.1. HeBA processes personal data as necessary to fulfill the services, including delivering personalized mental wellbeing support and maintaining app functionality. This processing is essential to perform our contract with the Client.
   2.2. For registration purposes, the following data is collected directly from the Client:
        2.2.1. Name
        2.2.2. Email address
   2.3. For a personalized experience, the following data is collected directly from the Client:
        2.3.1. Gender
        2.3.2. Date of birth
        2.3.3. Country
   2.4. This personal data, provided directly by the Client during registration, is processed to support the personalized functionalities within the app.
   2.5. HeBA also processes the following types of data:
        2.5.1. Client activities within the application and on the website, including history, preferences, settings, and behavior patterns. This data is used to provide a personalized client experience and technical support.
   2.6. In addition to the above, HeBA processes certain sensitive data based on the Client’s explicit consent. While using the app, the Client can choose to allow the collection and processing of such data for the purpose of improving their mental wellbeing and tailoring the app’s services to their needs. Sensitive data may include:
        2.6.1. Social media account data: information such as the number of friends/contacts and activity on social media posts/reactions, if the user has provided permission.
        2.6.2. Geolocation data: collected if the user has enabled this feature.
   2.7. Additional legal bases for processing:
        2.7.1. To provide HeBA services (including personal data such as name, email address, and other information necessary for delivering services through the Application);
        2.7.2. To identify and authenticate users via the Application, including data processed through Facebook and Google login services if the user opts to use these for logging in;
        2.7.3. To comply with legal obligations, including ensuring user rights under the GDPR;
        2.7.4. Based on the user’s consent (covering various data, depending on the specific case to which the user has given consent);
        2.7.5. For statistical analysis of website and app usage (all categories of personal data). Processing is necessary for improving our services;
        2.7.6. To make marketing offers based on user consent, using any or all personal data categories, for personalized marketing communications.

3. Transfer of Personal Data
   3.1. HeBA keeps confidential any data regarding the Client’s personal information disclosed during the provision of services. This confidentiality obligation may be reasonably waived only in cases specified by law.
   3.2. HeBA does not disclose personal data to third parties, except in cases required by law or with the Client’s consent.
   3.3. When using the Mentastic application, HeBA may share data with service providers offering technical solutions and infrastructure necessary for the application to function (e.g., Google or Meta platforms), provided that data sharing is essential for the application’s features. All third parties are required to comply with applicable laws, including GDPR requirements.

4. Retention of Personal Data
   4.1. HeBA documents and retains personal and health data collected during service provision according to applicable legal requirements, for the duration necessary to achieve the processing purpose and as long as required by law.
   4.2. Client feedback collected to assess customer satisfaction is retained for 5 years from the date of receipt.
   4.3. Accounting documents are retained for 7 years in accordance with the Accounting Act.
   4.4. Data collected via Facebook and Google is retained according to the data processing rules provided by these services and the Client’s rights.
   4.5. Data collected according to Client consent during beta versions of the application will be deleted no later than 3 months after the data has been collected.

5. Protection of Personal Data
   5.1. Personal data is stored in a secure private cloud (Microsoft Azure) that meets the security requirements for processing highly sensitive data and complies with the GDPR, with appropriate security settings and monitoring in place.
   5.2. The identification and authentication of all Clients are carried out according to the Client’s chosen option. Secure industry-standard software is used to verify and manage Clients’ identity and access control.
   5.3. Confidentiality obligations are included in the contracts of all HeBA employees and partners.
   5.4. Access to personal data is restricted based on the need to provide services. HeBA employees must identify themselves to process personal data. All personal data usage logs are retained.

6. Client Rights Regarding Personal Data
   6.1. Clients have all the rights of a data subject under applicable law regarding the processing of personal data.
   6.2. Clients have the following rights regarding the processing of personal data, among others:
        6.2.1. Right of access: the right to ask at any time whether HeBA holds personal data about the Client and to receive information on which personal data HeBA processes about them;
        6.2.2. Right to rectification: the right to request that HeBA correct or update personal data if it is inadequate, incomplete, or incorrect;
        6.2.3. Right to object: the right to object to the processing of personal data by HeBA;
        6.2.4. Right to erasure: the right to request the deletion of personal data, for example when processing is based on the Client’s consent and the Client has withdrawn that consent;
        6.2.5. Right to restrict processing: the right to request that HeBA restrict the processing of personal data, for instance if HeBA no longer needs the data for processing purposes or if the Client has objected to the processing;
        6.2.6. Right to withdraw consent: the right to withdraw consent for personal data processing at any time;
        6.2.7. Right to data portability: the right to receive personal data provided by the Client and processed based on consent or a contract in a structured, commonly used format;
        6.2.8. Right to lodge a complaint: if the Client believes their personal data rights have been violated, they have the right to file a complaint with the Data Protection Inspectorate or a court.
   6.3. In certain cases, the rights of other data subjects or HeBA’s legal obligations may limit the Client’s rights.
   6.4. HeBA may refuse to delete data if it is necessary for:
        6.4.1. Complying with obligations arising from European Union or Member State law or for public interest tasks, particularly related to documenting and retaining health service provision;
        6.4.2. Public interest reasons in the field of public health;
        6.4.3. Archiving in the public interest, or scientific or statistical purposes; or
        6.4.4. Preparing, filing, or defending legal claims.
   6.5. If the data controller for the Mentastic Application changes in the future, we will inform all Clients of such changes in advance and ensure that personal data processing continues in compliance with applicable laws. These Privacy Settings will also be updated in such cases.

7. Contact
   7.1. HeBA’s contact person for data protection inquiries: Evelyn Aaviksoo.
   7.2. Business Name: HeBA Clinic OÜ
   7.3. Address: Veerenni 38, 10138 Tallinn
   7.4. Data Protection Officer: Evelyn Aaviksoo
   7.5. Phone: +372 58 87 01 31
   7.6. Email: heba@heba.ee