When using the Services, you entrust us with your personal data and other data that can identify or is associated with you. We take the responsibility to protect and maintain your privacy seriously.
This Privacy Policy forms part of the Contract between yourself and us. Capitalised terms used and not defined have the meanings outlined in the General Terms of Service.
We want to provide you with the most pleasant and personalised experience within the Services. This Policy is intended to explain clearly and transparently how and why we process your personal data when you use the Services and your options and rights in relation to your data.
1. What data do we process?
a. Data you provide
Upon registration. When you sign up or update your account, we process personal identification data such as your first and last name, email address and phone number, password (in encrypted form) and profile picture. If you choose to register an account using your Google account, read the section "Data provided by our business partners."
By using the Services. We process data about how you use and interact with the Services. We do this to understand which features you use most often and how we can improve the Services.
We automatically collect and process data about how you access the Services, the devices you use to do so, and data provided using cookies or similar technologies. For example: when and from which device you last accessed the Services. Among other things, this helps us provide personalised services and protects you and us against attempts to misuse the Services.
You can learn more about cookies and how we use them in our Cookie Policy.
We process the data provided when you send us feedback, report a problem to us regarding the Services, or participate in forums, discussions, comment sections or other media functions within the Services. For example, when you post a comment on our blog or social media pages. Please note that comment sections are public; as a result, the information you include may be read, collected and used by others. Of course, you can always ask us to delete the data you have published in this way, and we will let you know if we can comply with your request.
When making a payment. When you pay to use the Services, we process the data you provide to issue your invoice, and our payment processor processes your payment instrument information.
When you contact us. We process the data you provide when you contact us to provide support by phone, email or through the Services.
We also process the data you provide when you participate in a competition, promotion or when you choose to answer a survey.
b. Data provided by our business partners
We may receive data about you from third parties with whom we conduct business (for example, from social media platforms, advertising agencies, statistical data providers or your employer). The data we may receive from third parties is subject to the agreements you already have with them. Specifically, they receive your data when you visit or use the products and services they make available. Data may include your email address, gender, age and other demographic data. We constantly make reasonable efforts to ensure that these individuals have all the necessary rights to collect and transfer your data.
We may also collect and process data about you from public sources, such as press articles or public registers and databases.
To provide you with a personalised experience of the Services, we may simultaneously combine and use data provided by you and others.
2. What is the legal basis for data processing?
We only process data in accordance with legal provisions.
Execution of the Contract
We process your data to provide you with the Services and comply with our obligations under the Contract.
For example, we need to be able to process personal data such as your name and email address for us to be able to grant you access to the Services.
Legitimate interest
There are situations where we process your data to pursue our legitimate interests or those of third parties. In these cases, we will implement appropriate security and privacy protection measures.
For example, we will process your personal data to:
– maintain and improve the security of the Services or prevent, detect and remedy security incidents, acts of fraud, abuse or improper use of the Services;
– provide and improve the Services, as well as develop new services and products;
– understand how you use the Services and customise them to provide you with a more pleasant experience;
– carry out research activities in the public interest.
Fulfilling legal obligations
It is our duty to protect the privacy of your data against abusive requests by public authorities or private entities and to contest such unlawful requests. However, we have a legal obligation to cooperate with public authorities and private entities when we have reasonable grounds to believe their request is justified. For example, we process your data to respond to a complaint or to comply with a request from competent authorities.
Your consent
We request your consent regarding the processing of data for specific purposes.
For example, when we ask whether you want to receive messages for direct marketing purposes or when we organise voluntary surveys, your personal data and the answers you provide are processed based on consent.
Remember that you can withdraw your consent to data processing at any time.
3. For what purpose do we process the data?
Provision of Services
We process your data to be able to provide and customise the Services, such as:
– to be able to grant you access to the Services based on the account created or to be able to store, organise and share your data when you ask us to do so;
– to understand, diagnose and fix problems you have with the Services or to prevent and investigate a possible security problem.
Service development and analysis
We process your data to understand how you use the Services and the features you use most often. We may use the data we collect in an anonymised and aggregated form (so that you cannot be identified) to test the integrity and security of our systems, to support research, analysis, improvement of the Services and development of new products, services or functions.
Investigating acts of fraud and crime
We may process your personal data to confirm your identity and prevent fraud.
For example, to detect, investigate and report irregularities of use that could be considered illegal activities, we may retain the data and disclose it to the competent authorities to investigate the facts.
Communication with you
We use your personal data to communicate by email or otherwise about your use of the Services or to respond to you when you contact us. We may contact you about changes we make related to the Services. Such communications are considered part of the Services. We cannot provide the Services to you if you object to them.
Legal Compliance and Legal Actions
We process your personal data to respond to any complaints or requests from you or competent authorities, to keep administrative and accounting records as required by law and to be able to defend ourselves or file a legal claim or action.
Promotion and commercial offers (marketing)
We offer you the opportunity to use the Services free of charge, within certain limits. This is made possible by our users choosing to pay subscriptions to access certain features of the Services. We will use your data to inform you of products, services and offers that may interest you. With your consent, we may send you promotional or advertising messages to the email address attached to your account or directly within the Services. If you do not want to receive such messages from us, you can object at any time by accessing the "unsubscribe" link included in the messages.
4. What are your rights
The right to be informed
This Policy is intended to inform you about how we process your data. You can also ask us questions about the processing of your data at any time.
The right of access, modification and rectification
You can always request access, modification or rectification of your personal data if you believe it is wrong or incomplete. Please note that you may need to provide us with proof that the new data provided is accurate.
To protect your privacy, we will take commercially reasonable steps to verify your identity when you ask us to access, modify or rectify your data.
The right to data deletion
You can request that we delete your personal data at any time if:
– the personal data is no longer necessary to fulfil the purposes for which they were collected or processed;
– you have withdrawn your consent based on which the processing takes place;
– you objected to the processing of personal data;
– we processed your personal data illegally;
– we have a legal obligation to delete the data.
Please note that we may have to refuse your data deletion request. For example, even if you withdraw your consent or object to data processing, another legal basis (such as compliance with legal obligations) may compel us to continue processing your data.
The right to object to the processing of personal data for marketing purposes
You can request that we stop processing your personal data for marketing purposes at any time. You can exercise this right by using the "unsubscribe" link in marketing messages.
Please note that you will still receive communications related to the Services (such as changes to the Contract or emails that are part of the Service's features).
The right to object to the processing of personal data based on our legitimate interests or those of third parties
You can request at any time that we stop processing your personal data based on our legitimate interest or that of a third party. Please note that the processing of your data may continue under another legal basis that may prevail (such as the fulfilment of a legal obligation).
Also, if you object to the processing of your personal data necessary to provide the Services, we will have to close your account or restrict your access to certain features of the Services to satisfy your request.
The right to request the restriction of the processing of personal data
You can request the restriction of the processing of your personal data at any time if:
– you ask us to investigate whether the personal data is accurate;
– the processing of personal data is illegal, but you do not want us to delete the data;
– we no longer need the personal data, but you ask us to keep it for you to use in a legal action;
– you have objected to processing your personal data (according to the rights above), but we need to check whether another legal basis prevails over your rights.
The right to portability of personal data
You can request at any time that we transfer your personal data that we process. If we have the necessary means and this is not prohibited by law or by the disposition of the competent authorities, we will transfer your data in a structured, currently used and automatically processable format.
The right to withdraw your consent to the processing of personal data
You can withdraw your consent to processing your personal data at any time. The withdrawal of consent does not affect the legality of the processing carried out beforehand.
5. How to exercise your rights
You may exercise the rights described above through the Services or by emailing us at support@wellnessentially.com. You can also find complete information on contacting us by mail on our Contact page.
For security reasons, we will need to verify your identity to respond to your request (for example, we may ask you to provide us with an identity document).
If you are still dissatisfied with how we have handled your personal data, you can always file a complaint with the National Supervisory Authority for the Processing of Personal Data.
6. How we share your data
We transfer your data in the following ways:
a. Within the Services
We may share or make your personal data publicly available within the Services for you to access certain features of the Services. For example, we may share your name or other personally identifiable information if you choose to appear on leaderboards or engage with other public-facing features of the Services.
If you are an End User, the person or organization that invited you to use the Services may modify or restrict access to your data.
b. To third parties
We do not and will never sell your data.
Third-Party Providers. We contract third-party providers to enable us to provide and improve the Services. These third parties have access to your data based on your consent or another legal basis, which they process only for the purposes indicated by us. We constantly assess whether these third parties have implemented and maintained adequate technical and organizational measures regarding data security and privacy. You can find the complete list and the role of each of them on our Third Party Providers page.
These include:
– companies that provide us with the technical, organizational and analytical infrastructure necessary to provide you with the Services, such as our data storage and hosting, IT services and customer support providers;
– Stripe (our payment processor): Stripe acts as a data controller concerning your payment instrument. Please see Stripe's Privacy Policy for more information on processing this data.
– Hotjar: We use Hotjar to better understand our users’ needs and optimise this service and experience. Hotjar is a technology service that helps us better understand our users’ experience (e.g. how much time they spend on which pages, which links they choose to click, what users do and don’t like, etc.) and this enables us to build and maintain our service with user feedback. Hotjar uses cookies and other technologies to collect data on our users’ behaviour and their devices. This includes a device's IP address (processed during your session and stored in a de-identified form), device screen size, device type (unique device identifiers), browser information, geographic location (country only), and the preferred language used to display our website. Hotjar stores this information on our behalf in a pseudonymised user profile. Hotjar is contractually forbidden to sell any of the data collected on our behalf. For further details, please see the ‘about Hotjar’ section of Hotjar’s support site. You always have the option to request that Hotjar not collect data about your activity when you visit a site that has implemented its services. You can do this by visiting the Hotjar Opt-out page and clicking the “Disable Hotjar” button or by enabling your browser's Do Not Track (DNT) feature.
– Google Analytics: Google Analytics is a web analysis service that helps us understand how people visit our websites. For example: from which web page you accessed our website, which pages you accessed and how long you spent on them. The information provided by Google Analytics is available to us in an anonymised form. You can learn more about how you can choose not to collect data about you through Google Analytics in our Cookie Policy.
New owner event. In the event of a total or partial change in control or ownership of the Services, we may transfer your data to the new owner. In this case, we will notify you before we transfer your data or before it becomes subject to another privacy policy.
c. To comply with laws, lawful requests, or to prevent harm
In certain situations, we may be required to transfer your data to law enforcement authorities, following their express requests, as required by law.
We may also process and transfer your data when we reasonably believe this is necessary to detect, combat, remediate or respond to fraud, unauthorised use of the Services or violations of our terms and policies. We do this to protect ourselves, you and others during investigations by competent authorities or legal action.
If we terminate your account because you have violated our terms or policies, please be aware that we will need to continue storing your data for the time necessary to prevent and reduce the risk of repeated or new abuse violations.
7. Data transfers
The data we collect may be transferred, stored and processed outside your country of residence or even outside the European Economic Area, in the locations where our third-party providers carry out their operations. We make reasonable efforts to ensure that they have implemented adequate data protection and security measures so that your data benefits from at least the same level of protection as required by European law and the General Data Protection Regulation. We have entered into Data Processing Agreements with each of our third-party providers, which include, among other things, their contractual obligation to implement and maintain appropriate data protection procedures and measures.
When we transfer your data outside the European Economic Area, we do so in consideration of a legal basis and taking into account several legal mechanisms such as the Standard Contractual Clauses approved by the European Commission and the provider's certification under the EU-US Privacy Shield.
8. Data Retention and Account Deletion
In principle, we only store your data for as long as it is necessary to provide the Services, until your account is deleted or until we are able to comply with a request from you to delete your data – whichever comes first. However, we retain specific personal data even after these situations, such as when processing is based on legitimate interest or compliance with a legal obligation.
For example, if we must confirm your identity, we will delete the necessary data no later than 30 days after we have completed this operation, and we retain the data required for invoicing even after the deletion of your account to comply with our accounting obligations.
You can delete your account at any time. However, please note that you will not be able to recover the data contained within it.
9. Modification of this Policy
If we change this Policy, we will post the updated version here. We recommend that you check this page regularly.
Your rights under this Privacy Policy will not be diminished without your consent. Before we make material changes to this Policy, we will send you a notice via the email address attached to your account or through the Services to allow you to review the revised version and express your agreement to the changes before choosing to continue using the Services.
10. Security
Security is a paramount concern, and we take several measures to protect the confidentiality and integrity of your data. Here's an outline of the security procedures we have in place:
- Encryption in Transit: We use HTTPS for all data transfers between your device and our servers to ensure that your information is secure as it moves across the internet. All API data transfers are secured using TLS (Transport Layer Security) to protect against interception and tampering.
- Encryption at Rest: Data stored in our databases is encrypted to protect the information even when it is not being accessed or used. We use strong encryption algorithms to ensure that data is protected from unauthorized access.
- Password Security: User passwords are hashed using bcrypt, a robust hashing algorithm designed to be computationally intensive and slow, thus providing protection against brute-force attacks. Passwords are never stored in plaintext; even our systems do not know your actual password.
- Access Controls: Access to data is restricted based on role-based access control (RBAC) to ensure that only authorized personnel can access sensitive information. Regular audits and reviews are conducted to maintain and enforce strict access policies.
- Regular Audits and Monitoring: We regularly audit our security practices and systems to ensure compliance with industry standards and to identify and mitigate potential vulnerabilities.
- Monitoring and Alerts: Continuous monitoring of our systems for unauthorized access attempts, suspicious activity, and potential vulnerabilities. Real-time alerts are configured to notify security teams of any anomalies, which are promptly investigated.
- Data Backup and Recovery: Regular backups of all critical data are performed to ensure that data can be restored in the event of a data loss incident. Backup data is also encrypted and stored securely, ensuring its confidentiality.
We are committed to safeguarding the confidentiality and security of your data, especially data provided by Google users. To this end, we employ several security procedures:
- HTTPS for Data Transfer: All data transferred between your device and our servers is encrypted using HTTPS. This ensures that data in transit is protected from interception or tampering by unauthorized parties.
- Database Encryption: We use encryption for data at rest in our databases. This means that your data is encrypted when stored on our servers, providing an additional layer of security.
- Data Encryption in Transit: Beyond HTTPS, we also ensure that any internal data transfers within our systems are encrypted. This ensures comprehensive protection of your data at all stages of processing.
These measures reflect our commitment to maintaining the highest standards of data protection and privacy. We continuously monitor our systems and update our security practices to address new threats and ensure compliance with industry best practices.
11. How to contact us
The controller of your personal data is MENTAL HEALTH VENTURES SRL, a legal entity established in Romania, identified by CUI 47616652.
Concerning your personal data, you can contact us by email at support@wellnessentially.com. You can also contact us with any other questions or concerns using the information available on the Contact page.