Privacy policy
Date: August 30, 2023
General
The MindAhead app is a behavioral therapy app for people with mild cognitive impairment or mild dementia to improve patients’ disease progression and quality of life. It supports people with cognitive impairment through evidence-based content and behavioral activation. The MindAhead app is a CE-marked medical device.
We take the protection of your personal data very seriously and treat it confidentially and in accordance with the statutory data protection regulations and this privacy policy.
This Privacy Policy applies to the MindAhead App (the “App”).
This Privacy Policy describes the types of personal information we collect and how we use it.
Personal data is any data by which you can be personally identified.
Health data is any data that relates to an individual’s physical or mental health, including the provision of health care services, and provides information about the individual’s health status.
We point out that data transmission on the Internet can have security gaps. A complete protection of data against access by third parties is not possible. Please also ensure that you alone have access to your end device and use trusted networks. Security problems that might otherwise occur cannot be fully remedied by us.
Responsible entity
The data controller is:
MindAhead UG
Mühlenstraße 8a
14167 Berlin
VAT: DE354565795
E-mail: info@mindahead.de
Website: https://mindahead.info/
Phone: +4917684526865
Data Protection Officer
We have appointed a data protection officer who can be contacted at the following address:
Legal name: Chino Srl
Legal representative: Jovan Stevovic
VAT: IT 02356930228
Address: Via Segantini 28, 38068 Rovereto, Trentino, Italy
Phone: +39 347 503 9682
E-mail: dpo@mindahead.de
General storage period of personal data and health data
Unless otherwise stated or specified within this privacy policy, the personal data collected by this app will be stored until you request us to delete it, revoke your consent to store it, or the purpose for storing the data no longer applies. If there is a legal obligation to retain data or another legally recognized reason for data storage (e.g. legitimate interest), the relevant personal data and health data will not be deleted until the respective purpose for storage no longer applies.
Legal basis for the storage of personal data and health data
The processing of personal data and health data is only permitted if there is an effective legal basis for the processing of this data. If we process your data, this is regularly done on the basis of your consent pursuant to Art. 6 (1) a DSGVO and Section 25 (1) TTDSG, for the purpose of contract performance pursuant to Art. 6 (1) b DSGVO (e.g., when using in-app purchases or the use of other paid app functions) or on the basis of legitimate interests pursuant to Art. 6 (1) f DSGVO, which are always weighed against your interests (e.g., in the context of advertising measures). The respective legal bases are mentioned in a separate place in this privacy policy, if applicable.
Encryption
This app uses SSL or TLS encryption for security reasons and to protect the transmission of confidential content, such as requests that you send to us as the operator or communication between users. This encryption prevents unauthorized third parties from reading the data you transmit.
Changes to this privacy policy
We reserve the right to change this privacy policy at any time in compliance with legal requirements.
Your legal data protection rights
The GDPR grants certain rights to data subjects whose personal data is processed by us, about which we would like to inform you here:
- Right to information (Art. 15 DSGVO, § 34 BDSG)
- Right to deletion (Art. 17 DSGVO, § 35 BDSG)
- Right of rectification (Art. 16 DSGVO, § 34 BDSG)
- Right to restriction of processing (Art. 18 DSGVO)
- Right to communication and notification in the context of rectification, erasure or restriction vis-à-vis recipients (Art. 19 DSGVO)
- Right to data portability (Article 20 GDPR)
- Right to withdraw consent (Art. 7 (3) DSGVO)
- Right of objection (Art. 21 DSGVO)
- Right not to be subject to automated decision-making in individual cases or profiling (Article 22 GDPR)
To exercise your rights described here, you can contact us at any time. You have the right to complain to the data protection supervisory authority responsible for us. In Berlin, where our headquarters are located, this is the Berlin Commissioner for Data Protection and Freedom of Information, Alt-Moabit 59-61, 10555 Berlin. Alternatively, you can also contact the data protection authority of your place of residence, which will then forward your concern to the competent authority.
Data processing operations within the scope of the app are only possible with your consent. Before the start of data processing, we explicitly obtain your consent. You can revoke this consent at any time via the settings of the app or by e-mail. An informal message to info@mindahead.de is sufficient. The legality of the data processing operations carried out until the revocation remains unaffected by the revocation.
Information about your right to object according to Art. 21 DSGVO
If the data processing is based on Art. 6 (1) (1) lit) DSGVO, you have the right to object to the processing of personal data concerning you at any time for reasons arising from your particular situation; this also applies to profiling based on these provisions. The respective legal bases on which processing is based can be found in this privacy policy. If you object, we will no longer process the personal data concerned unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the assertion, exercise or defense of legal claims.
Right of appeal to a supervisory authority
In the event of violations of the GDPR, the data subjects shall have a right of appeal to a supervisory authority. The right of appeal is without prejudice to other administrative or judicial remedies. A list of the supervisory authorities (for the non-public sector) with address can be found on the website of the Federal Commissioner for Data Protection and Freedom of Information (BfDI).
Information, deletion and correction
You have the right at any time to free information about your stored personal data and health data, their origin and recipient and the purpose of data processing, as well as a right to correct or delete this data. For this purpose, as well as for further questions on the subject of personal data and health data, you can contact us at any time by e-mail: info@mindahead.de.
Right to restriction of processing
You have the right to request the restriction of the processing of your personal data. To do this, you can contact us at any time at info@mindahead.de.
The right to restrict processing exists in the following cases:
- If you dispute the accuracy of your personal data stored by us, we usually need time to verify this. For the duration of the review, you have the right to request the restriction of the processing of your personal data.
- If the processing of your personal data happened/is happening unlawfully, you may request the restriction of data processing instead of erasure.
- If we no longer need your personal data, but you need it to exercise, defend or enforce legal claims, you have the right to request restriction of the processing of your personal data instead of deletion.
- If you have lodged an objection pursuant to Art. 21 (1) DSGVO, a balancing of your and our interests must be carried out. As long as it has not yet been determined whose interests prevail, you have the right to request the restriction of the processing of your personal data.
If you have restricted the processing of your personal data, this data – apart from its storage – may only be processed with your consent or for the assertion, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of an important public interest of the European Union or a Member State.
Right to data portability
You have the right to have data that we process automatically on the basis of your consent or in performance of a contract sent to yourself or to a third party in a common, machine-readable format. If you request that the data be transferred directly to another controller, this will only be done insofar as it is technically feasible.
Access rights
No other access rights are required to provide our services via the app.
Collection of personal data within the scope of app use and indication of where these are stored
When you use our app, we collect the following personal information from you:
- Username and email address (stored on your mobile device)
- Password (stored on the server)
- Health data (stored on the server), in detail:
  - Diagnosis (mild cognitive impairment or mild dementia)
  - Data on physical, cognitive, and social activities and how often they are performed
  - Presence of loneliness
  - Progress in the therapy plan
  - Results from questionnaires and evaluations
The processing of this personal and health data is necessary to ensure the functionalities of the app.
The legal basis for this data processing is our legitimate interest within the meaning of Art. 6 para. 1 lit. f DSGVO, your consent within the meaning of Art. 6 para. 1 lit. a DSGVO or Art. 9 para. 2 lit. a DSGVO and § 25 para. 1 TTDSG and – if a contract has been concluded – the fulfillment of our contractual obligations (Art. 6 para. 1 lit. b DSGVO).
The storage period for the data collected in this way is regulated as follows:
As long as the data is required for accounting purposes (e.g. for billing purposes), there is a legal obligation to retain the data for 10 years. According to the Product Liability Act, a retention obligation of 10 years applies to data that guarantee a disclaimer (in our case all medical data).
Download the app
You can download the app from the Google Play Store or the Apple App Store. When downloading apps from the Google Play Store or the Apple App Store, the information required for this purpose is transmitted to Google Ireland Limited or Apple Distribution International in Ireland, i.e. in particular the user name, the e-mail address and the customer number of your Google or Apple account, time of download and unique device ID. We have no influence on this data collection and are not responsible for it.
For more information, see the respective privacy notices of Google (https://policies.google.com/privacy) and Apple (https://www.apple.com/legal/privacy/de-ww/).
Request within the app, by email or phone
If you contact us (e.g. via contact form within the app, by email or by phone), your request including all resulting personal data (e.g. name, request) will be stored and processed by us for the purpose of processing your request. The processing of this data is based on Art. 6 (1) lit. b DSGVO, provided that your request is related to the performance of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, the processing is based on your consent (Art. 6 (1) (a) DSGVO) and/or on our legitimate interests (Art. 6 (1) (f) DSGVO), as we have a legitimate interest in the effective processing of requests addressed to us.
Location of your data
We store the data we collect through the app on servers of:
Hetzner Online GmbH – Industriestr. 25 – 91710 Gunzenhausen – Germany
Data Analysis
When you access our app, your behavior may be statistically analyzed using certain analysis tools for advertising and market research purposes or to improve our offerings. When using such tools, we take care to comply with data protection regulations. When using external service providers (order processors), we ensure through appropriate contracts with the service providers that the data processing complies with German and European data protection standards.
Some providers such as Google, Apple, GitHub, Voiceflow and other IT services operate outside the European Union. In this case, we inform you that the data transfer will only take place in the presence of adequate safeguards provided for in the GDPR. In particular, we transfer data on the basis of an adequacy decision approved by the European Commission or, in the absence of an adequacy decision, on the basis of standard contractual clauses and additional security measures.