This data protection declaration clarifies the type, scope, and purpose of the processing (including the collection, processing and use as well as obtaining of consent) of Personal Data within our online offer and the websites, functions, and content connected with it (hereinafter jointly referred to as "online offer" or"website" or "platform"). This Data Protection Declaration applies in a technology-neutral way, regardless of the domains, systems, platforms, and devices (e.g., desktop or mobile) on which the online offer is executed.
We are committed to protecting your privacy as a user (referred to as "User ", "customer", "you ", "your " or "Data subject(s) "), and we take our responsibility regarding the security of your Personal Data (defined below) very serious
1.Who is responsible for processing your Personal Data?
For the purposes of data privacy laws, principles, and regulations that may apply to the customer, SolaVieve Technologies GmbH (referred to as "SolaVieve ", "we ", "us " or "our ") is the "data controller" for all Personal Data that are collected from our customers and used by SolaVieve.
2. What Personal Data do we collect (including by automated means)?
We process users’ data in compliance with the General Data Protection Regulation ("GDPR"). This means that users’ data will only be processed if a legal basis is available under Art 6 GDPR, especially if it is required by law, if consent is given, or if the data is necessary for the provision of our contractual services (whether online or offline) or are necessary for us to pursue our legitimate interests.
a) Personal Data
"Personal Data" is defined under Art 4 (1) of the General Data Protection Regulation as the information that can be used to identify you directly or indirectly as an individual. This includes, but is not limited to, information such as your name, date of birth, email address, location data, time zone, browser data, device data, language settings, information about your access to our website, and other online identifiers that can help us to improve or personalize our services. In particular, we will collect information about your interactions, like what notifications you opened, to provide a more personalized user experience.
There will be a temporary data retention, refer to 4 (c) of this Declaration for more information
b) Health Data
We collect certain health information, not just limited to analyzing your health literacy but also to detect what topics may interest you on Academly, subject to Article 9 of the GDPR on the restriction of processing of sensitive information in the course of providing you our Services. Prior to collecting this type of information, we will obtain your explicit consent to allow processing.
You may withdraw your consent at any time using the privacy settings or by sending an email to the Data Protection Officer. However, be aware that by ceasing to input new data we may not be able to provide you with some services, and this does not affect the lawfulness of processing or storage of previously collected data before the withdrawal of consent, unless you request the erasure of such data.
For the general data retention period, refer to 4 (c) of this Declaration for more information. The health data we collected from Academly will subsequently be used in Holisticly and WQ™ to match you with the right practitioners and redirect you to some articles that may be of your interest. We rely on your explicit consent in processing sensitive health data under Article 9(2)(a) of the GDPR. Also, your health data is processed in order to provide you with our services. In case you want to revoke consent to the processing of your data, you can exercise your right to erasure anytime under the GDPR. For details, please refer to your Data Subject Rights (refer to section 5).
3. Why and how do we use your Personal Data?
In addition to the uses expressly mentioned in this Data Protection Declaration, users’ data will be processed for the following purposes, based on contractual necessity, consent of the user, or in pursuit of our legitimate interests:
a) To provide, execute, maintain, optimize, and safeguard our services and user benefits, as well as to maintain the security of our platforms. System data will be collected to maintain the functionality and security of our apps. This includes providing you our latest update of our App if your current App version is no longer compatible with our services.
b) Transfer and/or sharing of users’ data. We do not "sell" users’ data to any third parties within the meaning of the CCPA, please refer to our Additional Terms. We only share it if necessary for billing purposes or for other purposes if this is necessary to fulfill our contractual obligations to the user, for instance by providing the address to practitioners to connect the users with the appropriate practitioner .
c) To perform our legal obligations under national law or Union law, or for prevention of crime.
d) For the purpose of marketing our products and services, sometimes through third party websites or APIs
e) For communication purposes. This includes contact information you use to contact us (contact form and/or email) to enable us to process the inquiry and follow-up questions.
f) For statistical purposes to improve our services. For example, for confirmation of the age of the majority of the users.
g) To inquire you about your experience and to be able to improve our services.
h) To provide a more personalized experience to users pursuant to our contract. We may collect metadata emitted by your device, your demographic data and health data to enrich your user profile in all of our products. We may use these data interchangeably across our platforms in order to provide you more personalized experience during your Health Assessment, Virtual Coaching Session and Practitioner Session etc. We will ask for your explicit consent in accordance with Art. (9)(2)(a) of the GDPR before we collect or further process some sensitive data, such as health data.
4. How do we protect your Personal Data (including retention periods)
We follow strict security procedures in the storage and disclosure of your Personal Data. These procedures are designed to protect your Personal Data against misuse, unauthorised access, modification or disclosure, and accidental loss, destruction, or damage. We take technical and organizational measures (TOMs) including but not limited to authentication of the user via email confirmation, setting up a firewall, use of a virus scanner against potential malware, and data backup on a weekly basis to safeguard your Personal Data. Please refer to our IT security guideline or send us an inquiry if you have any questions about our security measures.
b) Location of storing users’ data
We use Google Cloud to store all our data for processing purposes. Their data centers are located in the United States or other regions that may require transfer of data from the EU to other third countries. Google provides third-party ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, ISO/IEC 27701 and SOC 2/3 reports to comply with the GDPR requirements and provide services, such as conducting risk assessment and to determine whether appropriate technical and organisational measures are in place. After the invalidation of the Privacy Shield in CJEU case C-311/18, Google Cloud now uses Standard Contractual Clauses or Model Contract Clauses (MCCs) for compliance with privacy regulations including the GDPR. We have signed the Data Privacy Agreement with Google and store our data in our own Google Cloud Platform. For details, please refer toGoogle Cloud s official website.
However, please note that the data that we share with third parties is automatically stored at the third parties’ server, but only in order to provide you necessary services according to our contract. We will not "sell" nor share your data with third parties for marketing purposes and will keep your Personal Data within our own servers.
c) Retention of your Personal Data
We will not retain your data for longer than is necessary to fulfil the purposes for which it is being processed. To determine the appropriate retention period, we consider the amount, nature and sensitivity of the Personal Data, the purposes for which we process it, and whether we can achieve those purposes through other means.
We also consider the periods for which we might need to retain Personal Data in order to meet our legal obligations, to deal with complaints and queries, and to protect our legal rights in the event of a legal claim being made. This will normally be a period of three months which is necessary for us to fulfill our contractual obligations and pursue our legitimate interest when you sign up with or use our services. You can choose to opt-in the data retention period when using our services, so that we can keep you in touch and notify you of the latest updates of our services. After that, we will ask you for your consent to extend the data retention period on a regular basis.
In general, this means that we are likely to keep your Personal Data for as long as your User Account is active. Following closure of your User Account or erasure of your Personal Data, we may still retain a limited portion of your Personal Data so that we can maintain a continuous relationship with you in case we are in contact with you again, and to comply with our internal processes and legal obligations.
When we no longer need your Personal Data, we will securely delete or destroy it. We will only use the least amount of data necessary for processing to fulfill one or more specific purpose(s) in accordance with the data minimization principle pursuant to Art. 5(1)(c) GDPR., If we can anonymise or pseudonymise your Personal Data to the extent it can no longer be associated with you or identify you, whether directly or indirectly, then we may use that information without sending further notice to you.
5. Your rights and choices
As a person affected by the processing of Personal Data, you have the following rights:
1. You have the right to obtain confirmation as to whether Personal Data concerning you is being processed. If this is the case, you have the right to be informed about the Personal Data and to receive the information specified in Art. 15 GDPR.
2. You have the right to ask the data controller to correct incorrect Personal Data concerning you without undue delay and, if necessary, to complete incomplete Personal Data (Art. 16 GDPR).
3. You have the right to request the controller to delete personal data concerning you immediately if one of the reasons listed in Art. 17 GDPR applies, e.g., if the data is no longer needed for the purposes for which it was collected (right to deletion).You have the right to request the controller to delete personal data concerning you immediately if one of the reasons listed in Art. 17 GDPR applies, e.g., if the data is no longer needed for the purposes for which it was collected (right to deletion).
4. You have the right to request the controller to restrict processing if one of the conditions listed in Art. 18 GDPR is met, e.g., if you have lodged an objection to processing, for the duration of the controller’s examination.
5. You have the right to enjoy data portability to receive Personal Data concerning yourself, where the Personal Data is collected and processed on the basis of consent, or where the Personal Data is necessary for the performance of the contract, or when the processing is carried out by automated means. The Personal Data provided must be in machine-readable and interoperable format (Art. 20 (1) GDPR). You can also request your Personal Data to be transmitted directly from one controller to another, where technically feasible (Art. 20 (2) GDPR).
6. You have the right to object to the processing of Personal Data concerning you at any time for reasons arising from your particular situation. The controller will then no longer process the Personal Data unless he can demonstrate compelling reasons for processing that are worthy of protection and outweigh your interests, rights and freedoms, or unless the processing serves to assert, exercise or defend legal claims (Art. 21 GDPR).
In order to exercise your rights listed above, you can send us a data subject request to our Data Protection Officer listed in Section 9, and we will process your request within 1 month of receiving it.
Right to withdraw
Right of appeal
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority if you consider that the processing of Personal Data concerning you is in breach of our agreement or the GDPR (Art. 77 GDPR). You may exercise this right before a supervisory authority in the Member State in which you are resident, your place of work or the place of the suspected infringement.
Right of objection for direct marketing
In individual cases we process Personal Data in order to carry out direct marketing. In this case you have the right to object at any time to the processing of Personal Data concerning you for the purpose of such advertising (Art. 21 GDPR). If you object to processing for the purposes of direct marketing, the Personal Data will no longer be processed for these purposes.
The objection can be made at any time without any formal requirement using one of the contact options provided in this data protection policy or in our imprint.
6. Links to other third party websites
Our Platform may provide links to other websites for your convenience and information. These websites may operate independently from us. If you visit any website linked to our Platform, you are subject to that website’s own privacy policies. Linked websites may have their own privacy notices or policies, which we strongly suggest you review. With regard to any linked websites that are not owned or controlled by us, we are not responsible for their content, any use of the websites, or the privacy practices of the websites
7. Third Parties
a. APIs (Application Programming Interfaces)
API (Application Programming Interface) is a software intermediary that allows two applications to interact with each other. Every time you use one of our applications, such as Holisticly, for payment or assessing your health status, you are using an API.
We do have integrations of APIs that are necessary for providing our contractual services, including but not limited to Stripe for payment, Sendbird for telemedicine, Timekit for booking and scheduling, Landbot for Virtual Coaching Sessions, and Hubspot for direct marketing activities like collecting email addresses and delivering personalized emails and pop-ups accordingly, which will then be used by email API SendGrid for automated email campaigns and to send other automatic emails, such as confirmation emails or password recovery emails.
If you have any questions on the use of API in our online services, please file an inquiry with our DPO through email address email@example.com .
b. Google- Re/Marketing Services
We use the Google Remarketing application, a retargeting feature used by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google").
Google Remarketing allows us to display ads for and on our website that are customized according to visitors’ interests so that we only show you ads that may be of interest to you.
Please note that we will not sell your data to third parties, including Google. All data that you provide to us will only be circulated for internal use, such as for our own marketing or remarketing purposes. Third parties cannot use our data, but we may use third-party publishers to display our own ads that may be of interest to you. If you have any questions, please checkGoogle’s Data Protection Declarationor change your privacy settings on our websites.
For these purposes, when Google calls up our website, a code is executed and so-called (re)marketing tags are incorporated into the website. This means that an individual cookie file is stored on your device, which stores information about the websites you visit, the content you access, your browser and your operating system. Your IP address is also recorded. The IP address will not be merged with data from you within other offers from Google. However, Google may combine the above-mentioned information with information from other sources. If the user subsequently visits other websites, the ads tailored to the user’s interests may be displayed.
Your data is always processed pseudonymously by Google Remarketing. This does not apply if you have expressly allowed Google to process your data without using a pseudonym. The information collected by Google Remarketing about users is transmitted to Google and stored on Google’s servers.
Further information on the use of data for marketing purposes by Google can be found on the overview page or the Google Data Protection Declaration:
Data Protection Declaration:https://policies.google.com/privacy
Google uses standard contractual clauses and thus offers a guarantee of compliance with European data protection laws.
The legal basis for the use of Google Remarketing is the consent given by you when you access our website in accordance with Art. 6 (1)(a) GDPR. You can revoke your consent at any time with effect for the future via the cookie settings.
c. Facebook social plugins
All websites operated by SolaVieve Technologies GmbH use social plugins ("Plugins") of the social network facebook.com, which is operated by Facebook Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland ("Facebook").
The plugins can be recognized by one of the Facebook logos or are marked with the phrase "Facebook Social Plugin".The list and appearance of the Facebook Social Plugins can be viewed here:
We rely on your consent to the collection of data when using plugins. If you do not agree to the use of data when you visit our website for the first time, the social plugin of the social network facebook.com will not be activated, in order that that data will not be transferred even if you accidentally press the buttons.
If you agree to the processing of your data by the social plugin of Facebook within the scope of the opt-in procedure, the lawfulness of the processing of your data is based on consent obtained in accordance with Art. 6 (1)a GDPR, so that we use your data within the scope of the consent you have given for the purposes of linking to the social network.
If you then call up a website of our Internet presence that contains such a plugin, your browser will only establish a direct connection with the Facebook servers when the user activates the "Facebook" button by clicking on it. The content of the plugin is then transmitted by Facebook to your browser, which integrates it into the website. By activating the plugin, Facebook receives the information that you have accessed the corresponding page of our website. If you are logged in to Facebook, Facebook can assign the visit to your Facebook account. If you interact with the plugins, for example, by pressing the Like button or making a comment, the corresponding information is transmitted directly from your browser to Facebook and stored there. If you are not a member of Facebook, it is still possible for Facebook to find out and save your IP address. For the purpose and scope of data collection and the further processing and use of data by Facebook, as well as your rights and setting options for protecting your privacy, please refer to the Facebook data protection information:https://www.facebook.com/about/privacy.
Information about the use of this website and your IP address is transmitted to Facebook servers in the USA and other third countries and also stored on these servers. In addition to your consent, Facebook has stated that it uses the standard contractual clauses of the European Union within its group structure to ensure that the data protection requirements are guaranteed for transfers to third countries (see also: https://de-de.facebook.com/policy.php -> How do we process and transfer data as part of our global services?)
d. Facebook remarketing
The website uses the "Facebook Pixel" remarketing feature of Facebook Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland ("Facebook"). This allows users of the Website to see interest-based advertisements when visiting the social network Facebook and continue to use other functions of the websites . In this way, we pursue the interest of displaying advertisements relevant to you in order to make your visit to our website more interesting.
If you agree to the processing of your data within the scope of the opt-in procedure, the lawfulness of the processing of your data is based on consent in accordance with Art. 6(1)(a) GDPR, so that we use your data within the scope of the consent given by you for marketing purposes and for the evaluation of your usage behaviour.
Due to the use of the plugin, your browser establishes a direct connection to the Facebook server. We have no influence on the processing of the data collected by Facebook due to the use of the function. To the best of our knowledge, Facebook receives the information that you have called up the subpage of our website or clicked on the advertisement. Facebook can assign this information to your account if you are registered on Facebook. If you are not registered or not logged in, Facebook may still process your IP address and other identifying information.
Information about the use of this website and your IP address is transmitted to Facebook servers in the USA and other third countries and also stored on these servers. In addition to your consent, Facebook has stated that it uses the standard contractual clauses of the European Union within its group structure to ensure that the data protection requirements are guaranteed for transfers to third countries (see also:facebook data policy-> How do we process and transfer data as part of our global services?)
The platforms use HubSpot services, a marketing, content management, web analytics and search engine optimization service. HubSpot will need your consent in order to provide its services.
HubSpot engages Sub-Processors to Process your Personal Data on behalf of SolaVieve. You can find these sub-processors in Annex 4 here: https://legal.hubspot.com/dpa.
For the purpose of compliance, SolaVieve celebrated a Data Protection Agreement with HubSpot.
To exercise your rights of access, rectification, erasure, restriction of processing, data portability, not to be subject to a decision based solely on automated processing, including profiling, and object, with HubSpot, contact our DPO directly.
The platforms use Hotjar, a web analytics service that reveals to us online behaviour and feedback of website visitors, in order to improve and provide you with a best experience while browsing the platforms. This is a functional service, and we will need your consent in order to use it.
Hotjar processes data exclusively within a member state of the European Union or within a member state of the European Economic Area (EEA). Any transfer to another country requires prior consent from SolaVieve, in which case, we will inform you.
For the purpose of compliance, SolaVieve celebrated a Data Protection Agreement with Hotjar.
To exercise your rights of access, rectification, erasure, restriction of processing, data portability, not to be subject to a decision based solely on automated processing, including profiling, and object, with Hotjar, contact our DPO directly.
g. Goolge Cloud
SolaVieve stores it’s codes, and has its database in Google Cloud, meaning this is an essential tool in order to provide you with our services. Google Cloud has sub processors that you can find in the following link:https://cloud.google.com/terms/subprocessors
For the purpose of compliance, SolaVieve celebrated a Data Protection Agreement with Google.
To exercise your rights of access, rectification, erasure, restriction of processing, data portability, not to be subject to a decision based solely on automated processing, including profiling, and object, with Google Cloud, contact our DPO directly.
SolaVieve uses Automattic, an open source and site-building service, which we need in order to provide you our services and for you to access the platform.
For the purpose of compliance, SolaVieve celebrated a Data Protection Agreement with Automattic.
To exercise your rights of access, rectification, erasure, restriction of processing, data portability, not to be subject to a decision based solely on automated processing, including profiling, and object, with Automattic, contact our DPO directly.
SolaVieve uses Usercentrics, a consent management platform, to manage and be able to prove your consent and withdrawal from the third party services we offer, and from the services. This is an essential tool, as we need it in order to be compliant with GDPR.
Usercentrics shares data with Google Ireland Limited and Auth0 Inc., in order to be able to provide its services.
For the purpose of compliance, SolaVieve celebrated a Data Protection Agreement with Usercentrics.
To exercise your rights of access, rectification, erasure, restriction of processing, data portability, not to be subject to a decision based solely on automated processing, including profiling, and object, with Usercentrics, contact our DPO directly.
8. Integration of third party services and content
Within our online offer, the contents or services of third-party providers, such as city maps or fonts from other websites, may be integrated. The integration of content from third-party providers always requires that the third-party providers are aware of the IP address of the user, as they would not be able to send the content to the user’s browser without it. The IP address is therefore necessary for the display of this content. Furthermore, the providers of the third-party content may set their own cookies and process the users‘ data for their own purposes. User profiles can be created from the processed data. We will use this content sparingly and with reasonable effort to avoid data loss and will select reliable third-party providers with regard to data security.
The following presentation offers an overview of the third-party providers we use, which are necessary to provide our online services according to our contract:
a. Google Fonts
Google Fonts can be used in different ways. The so-called "Online" mode, which connects to the Google servers as soon as the website is called, is widely used. However, for reasons of data economy and because it is technically difficult to obtain consent, the integration of fonts in "offline" mode is preferable in order to be able to use Google fonts in a legally secure manner. More information about the differences can be found at:
If you decide to use the "online" mode despite the legal risk, you will also find a corresponding text module for this.
For the display of external fonts we use Google Fonts in "offline" mode. This service is provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google"). No data is passed on to Google servers.
Plugins of the social network YouTube are used on our website. The operator of Youtube is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
We rely on your consent to the collection of data when using plugins. If you do not agree to the use of data when you first visit our website, the plugin will not be activated by Youtube, so that data will not be transferred even if you accidentally interact with a Youtube plugin.
If you are on a page of our website on which such a plugin is provided, your browser only establishes a direct connection with the servers of YouTube when the user clicks on the relevant button ("Extended data protection mode"). The content of the plugin is then transmitted by YouTube to your browser and integrated by it into the website. By activating the plugin, YouTube receives the information that you have called up the corresponding page of our website. Content is then transmitted from YouTube to your browser and included on the page. YouTube receives the message that you are on the corresponding page of our website. This happens even if you do not have a profile on YouTube or are not logged in. Personal Data (including your IP address) is then automatically forwarded to and stored in a server of YouTube located in the USA.
A direct assignment on the part of YouTube only takes place if you are logged in to YouTube. A corresponding interaction takes place even if you click the corresponding button actively. The result is a publication on your YouTube account and the presentation of such a publication in your contacts.
Please note that YouTube is also used for the hosting of our VC Session videos, which is necessary for the provision of our contractual services. If you have any further questions, please feel free to contact us.
Further details on how YouTube handles your Personal Data can be found on the following webpage:here
9.Updates to this Data Protection Declaration
We reserve the right to change the Data Protection Declaration in order to adapt it to the changing legal requirement or in case of changes in the service and data processing. However, this only applies with regard to declarations on data processing. Insofar as the consent of the users is required or components of the data protection policy contain amendment of the contractual relationship with the users, the changes will only be made with the consent of the users.
If we make changes to the Data Protection Declaration, we will post those changes on our websites and online offers and inform you through the Newsletter as well so you are aware of what has been changed and the purposes of the changes. In addition, we strongly suggest our users check our Data Data Protection Declaration on a regular basis.
All such changes to the Data Protection Declaration are effective immediately when posted to the Platform and apply to all access to and use of the Platform thereafter.
10.How to contact us?
We welcome inquiries, questions, and comments about this Data Protection Declaration and our privacy practices. If we receive a complaint from you about how we have handled your Personal Data, we will investigate and determine what action we should take to resolve the complaint. We will contact you within a reasonable time, normally within 1 month, and may request more information to assist us with our investigation. We aim to resolve all complaints in a timely manner.
If you wish to provide feedback or if you have questions or concerns or wish to exercise your rights related to your Personal Data, please contact us at the following email address: firstname.lastname@example.org,
The above Data Protection Declaration applies only to users living in the European Union within the territorial scope of Art. 3 GDPR. Under the California Consumer Privacy Act (CCPA), California Civil Code Section 1798.100, Californian residents also have the following rights with regard to their Personal Data.
Right of Access: You have a right to request access to the Personal Data we may hold on you for the past twelve months. You may submit up to two requests per year of access to your Personal Data.
Right to Opt-In/Opt-Out of Sale of Personal Data: You have the right to opt-in to the sale of Personal Data we may hold on you to third parties, but please note that we will not sell your data to third parties by default.
Right to Deletion: You also have the right to delete data or restrict processing activities. There may be exceptions to the right to deletion for specific legal reasons which, if applicable, we will set out for you in response to your request.
Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.
Version: 4 October 2021