Data Privacy

PLEASE READ THIS PRIVACY NOTICE CAREFULLY.

This data protection declaration clarifies the type, scope, and purpose of the processing (including the collection, processing and use as well as obtaining of consent) of Personal Data within our online offer and the websites, functions, and content connected with it (hereinafter jointly referred to as “online offer” or “website”, “platforms”). This Data Protection Declaration applies in a technology-neutral way, regardless of the domains, systems, platforms, and devices (e.g., desktop or mobile) on which the online offer is executed.

We are committed to protecting your privacy as a user (referred to as “User”, “customer”, “you”, “your” or “Data subject(s)”), and we take our responsibility regarding the security of your Personal Data (defined below) very seriously.

 

Who is responsible for processing your Personal Data?

For the purposes of data privacy laws, principles, and regulations that may apply to the customer, SolaVieve Technologies GmbH (referred to as “SolaVieve”, “Academly”, “we”, “us” or “our”) is the “data controller” for all Personal Data that are collected from our customers and used by SolaVieve.

 

What Personal Data do we collect (including by automated means)?

We process users’ data in compliance with the General Data Protection Regulation (“GDPR”). This means that users’ data will only be processed if a legal basis is available under Art. 6 GDPR, especially if it is required by law, if consent is given, or if the data is necessary for the provision of our contractual services (whether online or offline) or is necessary for us to pursue our legitimate interests.

We may ask for and collect your Personal Data (either directly through your use of the Platform or when you communicate with us in any other way, or indirectly through our third parties) in a number of ways to provide you with the services that you request. We may also collect information from you automatically when you visit our Platform – for more information, please refer to our Cookie Policy. 

 

Personal Data

“Personal Data” are defined under Art. 4 (1) of the General Data Protection Regulation as the information that can be used to identify you directly or indirectly as an individual, in order to provide you with the service. This includes, but is not limited to, information such as your name, date of birth, phone number, social media name, email address, IP address, location data, time zone, browser data, device data, language settings, details of services you have purchased, payment details, information about your access to our website, current App version, and other online identifiers that may help us to improve or personalize our services. In particular, we will collect information about your interactions, like what notifications you opened, to provide a more personalized experience to our users.

Please note that we will also ask you to provide us your accurate physical address in order to connect you with the appropriate practitioners in a lawful manner.

 

Health Data

We collect certain health information, not just limited to analyzing your health literacy but also to detect what topics may interest you on Academly, subject to Article 9 of the GDPR on the restriction of processing of sensitive information in the course of providing you our Services. Prior to collecting this type of information, we will obtain your explicit consent to allow processing. 

You may withdraw your consent at any time using the privacy settings or by sending an email to the Data Protection Officer. However, be aware that by ceasing to input new data we may not be able to provide you with some services, and this does not affect the lawfulness of processing or storage of previously collected data before the withdrawal of consent, unless you request the erasure of such data. There will be a temporary data retention period of 3 months for us to process your data to a necessary extent. After that, we may ask for your consent to extend the data retention period, so that we can always keep in touch with you when we have new updates or content that may be of interest to you.

 

Why and how do we use your Personal Data?

In addition to the uses expressly mentioned in this Data Protection Declaration, users’ data will be processed for the following purposes, based on contractual necessity, consent of the user, or in pursuit of our legitimate interests:

  1. To provide, execute, maintain, optimize, and safeguard our services and user benefits, as well as to maintain the security of our platforms. System data will be collected to maintain the functionality and security of our apps. This includes providing you our latest update of our App if your current App version is no longer compatible with our services.
  2. Transfer and/or sharing of users’ data. We do not “sell” users’ data to any third parties within the meaning of the CCPA; please refer to our Additional Terms. We only share it if necessary for billing purposes or for other purposes if this is necessary to fulfill our contractual obligations to the user, for instance by providing the address to practitioners to connect the users with the appropriate practitioner.
  3. To perform our legal obligations under national law or Union law, or for prevention of crime.
  4. For the purpose of marketing our products and services, sometimes through third party websites or APIs.
  5. For communication purposes. This includes contact information you use to contact us (contact form and/or email) to enable us to process the inquiry and follow-up questions. 
  6. For statistical purposes to improve our services. For example, for confirmation of the age of majority of the users.
  7. To provide a more personalized experience to users pursuant to our contract. We may collect metadata emitted by your device, your demographic data and health data to enrich your user profile in all of our products. We may use these data interchangeably across our platforms in order to provide you a more personalized experience during your Health Assessment, Virtual Coaching Session and Practitioner Session etc. We will ask for your explicit consent in accordance with Art. 9(2)(a) of the GDPR before we collect or further process some sensitive data, such as health data.

 

How do we protect your Personal Data (including retention periods)

  • Security

We follow strict security procedures in the storage and disclosure of your Personal Data. These procedures are designed to protect your Personal Data against misuse, unauthorised access, modification or disclosure, and accidental loss, destruction, or damage. We take technical and organizational measures (TOMs) including but not limited to authentication of the user via email confirmation, setting up a firewall, use of a virus scanner against potential malware, and data backup on a weekly basis to safeguard your Personal Data. Please refer to our IT security guideline or send us an inquiry if you have any questions about our security measures.

 

  • Location of storing users’ data

We use Google Cloud to store all our data for processing purposes. Their data centers are located in the United States or other regions that may require transfer of data from the EU to other third countries. Google provides third-party ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, ISO/IEC 27701 and SOC 2/3 reports to comply with the GDPR requirements and provide services, such as conducting risk assessment and to determine whether appropriate technical and organisational measures are in place. After the invalidation of the Privacy Shield in CJEU case C-311/18, Google Cloud now uses Standard Contractual Clauses or Model Contract Clauses (MCCs) for compliance with privacy regulations including the GDPR. We have signed the Data Privacy Agreement with Google and store our data in our own Google Cloud Platform. For details, please refer to Google Cloud’s official website.

However, please note that the data that we share with third parties is automatically stored at the third parties’ server, but only in order to provide you necessary services according to our contract. We will not “sell” nor share your data with third parties for marketing purposes and will keep your Personal Data within our own servers.

 

  • Retention of your Personal Data 

We will not retain your data for longer than is necessary to fulfil the purposes for which it is being processed. To determine the appropriate retention period, we consider the amount, nature and sensitivity of the Personal Data, the purposes for which we process it, and whether we can achieve those purposes through other means.

We also consider the periods for which we might need to retain Personal Data in order to meet our legal obligations, to deal with complaints and queries, and to protect our legal rights in the event of a legal claim being made. This will normally be a period of three months which is necessary for us to fulfill our contractual obligations and pursue our legitimate interest when you sign up with or use our services. You can choose to opt in to the data retention period when using our services, so that we can keep in touch with you and notify you of the latest updates of our services. After that, we will ask you for your consent to extend the data retention period on a regular basis.

In general, this means that we are likely to keep your Personal Data for as long as your User Account is active. Following closure of your User Account or erasure of your Personal Data, we may still retain a limited portion of your Personal Data so that we can maintain a continuous relationship with you in case we are in contact with you again, and to comply with our internal processes and legal obligations.

When we no longer need your Personal Data, we will securely delete or destroy it. We will only use the least amount of data necessary for processing to fulfill one or more specific purpose(s) in accordance with the data minimization principle pursuant to Art. 5(1)(c) GDPR. If we can anonymise or pseudonymise your Personal Data to the extent it can no longer be associated with you or identify you, whether directly or indirectly, then we may use that information without sending further notice to you.

 

  • Your rights and choices

As a person affected by the processing of Personal Data, you have the following rights:

  1. You have the right to obtain confirmation as to whether Personal Data concerning you is being processed. If this is the case, you have the right to be informed about the Personal Data and to receive the information specified in Art. 15 GDPR.
  2. You have the right to ask the data controller to correct incorrect Personal Data concerning you without undue delay and, if necessary, to complete incomplete Personal Data (Art. 16 GDPR).
  3. You have the right to request the controller to delete personal data concerning you immediately if one of the reasons listed in Art. 17 GDPR applies, e.g., if the data is no longer needed for the purposes for which it was collected (right to deletion).
  4. You have the right to request the controller to restrict processing if one of the conditions listed in Art. 18 GDPR is met, e.g., if you have lodged an objection to processing, for the duration of the controller’s examination.
  5. You have the right to enjoy data portability to receive Personal Data concerning yourself, where the Personal Data is collected and processed on the basis of consent, or where the Personal Data is necessary for the performance of the contract, or when the processing is carried out by automated means. The Personal Data provided must be in machine-readable and interoperable format (Art. 20 (1) GDPR). You can also request your Personal Data to be transmitted directly from one controller to another, where technically feasible (Art. 20 (2) GDPR). 
  6. You have the right to object to the processing of Personal Data concerning you at any time for reasons arising from your particular situation. The controller will then no longer process the Personal Data unless he can demonstrate compelling reasons for processing that are worthy of protection and outweigh your interests, rights and freedoms, or unless the processing serves to assert, exercise or defend legal claims (Art. 21 GDPR).

 

In order to exercise your rights listed above, you can send us a data subject request to our Data Protection Officer listed in Section 9, and we will process your request within 1 month of receiving it.

 

Right to withdraw

The data subject has the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject will be informed thereof. It is as easy to withdraw as to give consent (Art. 7 GDPR). You can revoke your consent by sending an email to our Data Protection Officer or changing it in your privacy settings. See also our cookie policy.

 

Right of appeal

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority if you consider that the processing of Personal Data concerning you is in breach of our agreement or the GDPR (Art. 77 GDPR). You may exercise this right before a supervisory authority in the Member State in which you are resident, your place of work or the place of the suspected infringement.

 

Right of objection for direct marketing

In individual cases we process Personal Data in order to carry out direct marketing. In this case you have the right to object at any time to the processing of Personal Data concerning you for the purpose of such advertising (Art. 21 GDPR). If you object to processing for the purposes of direct marketing, the Personal Data will no longer be processed for these purposes.

The objection can be made at any time without any formal requirement using one of the contact options provided in this data protection policy or in our imprint.

 

Links to other third party websites

Our Platform may provide links to other websites for your convenience and information. These websites may operate independently from us. 

If you visit any website linked to our Platform, you are subject to that website’s own privacy policies. Linked websites may have their own privacy notices or policies, which we strongly suggest you review. With regard to any linked websites that are not owned or controlled by us, we are not responsible for their content, any use of the websites, or the privacy practices of the websites.

 

Third Parties

  • APIs (Application Programming Interfaces)

API (Application Programming Interface) is a software intermediary that allows two applications to interact with each other. Every time you use one of our applications, such as Holisticly, for payment or assessing your health status, you are using an API.

We do have integrations of APIs that are necessary for providing our contractual services, including but not limited to Stripe for payment, Sendbird for telemedicine, Timekit for booking and scheduling, Landbot for Virtual Coaching Sessions, and Hubspot for direct marketing activities like collecting email addresses and delivering personalized emails and pop-ups accordingly, which will then be used by email API SendGrid for automated email campaigns and to send other automatic emails, such as confirmation emails or password recovery emails.

If you have any questions on the use of API in our online services, please file an inquiry with our DPO through email address legal@solavieve.com.

 

  • Google Re/Marketing Services

We use the Google Remarketing application, a retargeting feature used by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”).

Google Remarketing allows us to display ads for and on our website that are customized according to visitors’ interests so that we only show you ads that may be of interest to you.

Please note that we will not sell your data to third parties, including Google. All data that you provide to us will only be circulated for internal use, such as for our own marketing or remarketing purposes. Third parties cannot use our data, but we may use third-party publishers to display our own ads that may be of interest to you. If you have any questions, please check Google’s Data Protection Declaration or change your privacy settings on our websites.

For these purposes, when Google calls up our website, a code is executed and so-called (re)marketing tags are incorporated into the website. This means that an individual cookie file is stored on your device, which stores information about the websites you visit, the content you access, your browser and your operating system. Your IP address is also recorded. The IP address will not be merged with data from you within other offers from Google. However, Google may combine the above-mentioned information with information from other sources. If the user subsequently visits other websites, the ads tailored to the user’s interests may be displayed.

Your data is always processed pseudonymously by Google Remarketing. This does not apply if you have expressly allowed Google to process your data without using a pseudonym. The information collected by Google Remarketing about users is transmitted to Google and stored on Google’s servers.

Further information on the use of data for marketing purposes by Google can be found on the overview page or the Google Data Protection Declaration:

Overview page: https://policies.google.com/technologies/ads?hl=de

Data Protection Declaration: https://policies.google.com/privacy

Google uses standard contractual clauses and thus offers a guarantee of compliance with European data protection law.

The legal basis for the use of Google Remarketing is the consent given by you when you access our website in accordance with Art. 6 (1)(a) GDPR. You can revoke your consent at any time with effect for the future via the cookie settings.

 

  • Google Cloud 

SolaVieve stores its code and hosts its database in Google Cloud, which makes it an essential tool for providing you with our services. Google Cloud has subprocessors; you can find them at the following link: https://cloud.google.com/terms/subprocessors.

For the purpose of compliance, SolaVieve entered into a Data Protection Agreement with Google.

To exercise your rights of access, rectification, erasure, restriction of processing, data portability, not to be subject to a decision based solely on automated processing, including profiling, and to object, with respect to Google Cloud, contact our DPO directly.

 

  • Automattic

SolaVieve uses Automattic, an open source service, and site-building services, which we need in order to provide you with our services and for you to access the platform.

For the purpose of compliance, SolaVieve entered into a Data Protection Agreement with Automattic.

To exercise your rights of access, rectification, erasure, restriction of processing, data portability, not to be subject to a decision based solely on automated processing, including profiling, and to object, with respect to Automattic, contact our DPO directly.

 

Integration of third party services and content

Within our online offer, the contents or services of third-party providers, such as city maps or fonts from other websites, may be integrated. The integration of content from third-party providers always requires that the third-party providers are aware of the IP address of the user, as they would not be able to send the content to the user’s browser without the IP address. The IP address is therefore necessary for the display of this content. Furthermore, the providers of the third-party content may set their own cookies and process the users’ data for their own purposes. User profiles can be created from the processed data. We will use this content sparingly and with reasonable effort to avoid data loss, and will select reliable third-party providers with regard to data security.

The following presentation offers an overview of the third-party providers we use, which are necessary to provide our online services according to our contract:

 

  • Google Fonts

Google Fonts can be used in different ways. The so-called “Online” mode, which connects to the Google servers as soon as the website is called, is widely used. However, for reasons of data economy and because it is technically difficult to obtain consent, the integration of fonts in “offline” mode is preferable in order to be able to use Google fonts in a legally secure manner. More information about the differences can be found at: 

https://developers.google.com/fonts/faq2#what_does_using_the_google_fonts_api_mean_for_the_privacy_of_my_users

If you decide to use the “online” mode despite the legal risk, you will also find a corresponding text module for this.

For the display of external fonts we use Google Fonts in “offline” mode. This service is provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”). No data is passed on to Google servers.

 

  • YouTube

Plugins of the social network YouTube are used on our website. The operator of YouTube is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

We rely on your consent to the collection of data when using plugins. If you do not agree to the use of data when you first visit our website, the plugin will not be activated by YouTube, so that data will not be transferred even if you accidentally interact with a YouTube plugin.

If you are on a page of our website on which such a plugin is provided, your browser only establishes a direct connection with the servers of YouTube when the user clicks on the relevant button (“Extended data protection mode”). The content of the plugin is then transmitted by YouTube to your browser and integrated by it into the website. By activating the plugin, YouTube receives the information that you have called up the corresponding page of our website. Content is then transmitted from YouTube to your browser and included on the page. YouTube receives the message that you are on the corresponding page of our website. This happens even if you do not have a profile on YouTube or are not logged in. Personal Data (including your IP address) is then automatically forwarded to and stored in a server of YouTube located in the USA.

A direct assignment on the part of YouTube only takes place if you are logged in to YouTube. A corresponding interaction takes place even if you click the corresponding button actively. The result is a publication on your YouTube account and the presentation of such a publication in your contacts. 

Please note that YouTube is also used for the hosting of our VC Session videos, which is necessary for the provision of our contractual services. If you have any further questions, please feel free to contact us.

Further details on how YouTube handles your Personal Data can be found on the following webpage: https://policies.google.com/privacy?hl=de&gl=de 



Updates to this Data Protection Declaration

We reserve the right to change the Data Protection Declaration in order to adapt it to changing legal requirements or in case of changes in the service and data processing. However, this only applies with regard to declarations on data processing. Insofar as the consent of the users is required or components of the data protection policy contain amendment of the contractual relationship with the users, the changes will only be made with the consent of the users.

If we make changes to the Data Protection Declaration, we will post those changes on our websites and online offers and inform you through the Newsletter as well so you are aware of what has been changed and the purposes of the changes. In addition, we strongly suggest our users check our Data Protection Declaration on a regular basis.

All such changes to the Data Protection Declaration are effective immediately when posted to the Platform and apply to all access to and use of the Platform thereafter.

 

How to contact us?

We welcome inquiries, questions, and comments about this Data Protection Declaration and our privacy practices. If we receive a complaint from you about how we have handled your Personal Data, we will investigate and determine what action we should take to resolve the complaint. We will contact you within a reasonable time, normally within 1 month, and may request more information to assist us with our investigation. We aim to resolve all complaints in a timely manner.

If you wish to provide feedback or if you have questions or concerns or wish to exercise your rights related to your Personal Data, please contact us at the following email address: legal@solavieve.com.

 

Additional Terms 

The above Data Protection Declaration applies only to users living in the European Union within the territorial scope of Art. 3 GDPR. Under the California Consumer Privacy Act (CCPA), California Civil Code Section 1798.100, Californian residents also have the following rights with regard to their Personal Data. 

Right of Access: You have a right to request access to the Personal Data we may hold on you for the past twelve months. You may submit up to two requests per year of access to your Personal Data.

Right to Opt-In/Opt-Out of Sale of Personal Data: You have the right to opt-in to the sale of Personal Data we may hold on you to third parties, but please note that we will not sell your data to third parties by default.

Right to Deletion: You also have the right to delete data or restrict processing activities. There may be exceptions to the right to deletion for specific legal reasons which, if applicable, we will set out for you in response to your request.

Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.