Comes into effect on September 13, 2022.
Dephion Group B.V. (“Dephion”, “we” or “us”), as the mother company of Habtic Corporation B.V. and Habtic BNL B.V., and the developer and owner of the product Habtic, understands that your privacy is important to you and that you care about how your personal data is used. We respect and value the privacy of everyone who visits our websites, downloads and uses our product.
1. About this Policy.
This policy describes how we collect, use, disclose and process your personal data at Dephion and Habtic. We are committed to only collect and use your personal data in ways that are described here, and in conformity with our obligations and your rights under the General Data Protection Regulation (“GDPR”).
From time to time, we may develop or offer new or additional services. These are also subject to this policy unless otherwise stated at launch.
2. Information about us.
Habtic is owned by Habtic Corporation B.V., who in turn is controlled by Dephion Group B.V. (your Data Controller). Dephion is a private limited company registered in The Netherlands under company number 78723914, with its registered and main postal address at Mijnweg 3, 6167AC, Geleen.
3. What are your rights?
Under the GDPR you have the following rights:
c. The right to have your personal data rectified if any of such personal data held by Habtic is inaccurate or incomplete. You must know that you can edit your information, mainly your username and e-mail, at any point. You can also delete or amend any data that you share to Habtic. Please know that this function cannot be performed by contacting Habtic.
d. The right to be forgotten, this is, the right to have all your personal data deleted or erased. Please know that this function cannot be performed by contacting Habtic. However, you can delete the data you share with us at any point or delete your account and your personal data will be erased.
However, there are situations where Habtic cannot delete your data, such as when it is still necessary to process the data for the purpose for which we collected it, or when our interest in using the data outweighs your interest in having it deleted. This can happen, for example, when we need the data to protect our services against fraud, when Habtic has a legal obligation to keep the data, or when Habtic needs the data to establish, exercise or defend legal claims (e.g., if there is an unresolved issue regarding your account).
e. The right to restrict the processing of your personal data. As said before, you can stop using the application and delete all data accumulated at any point.
f. The right to object to Habtic using your personal data for a particular purpose or purposes. The right to object only applies in certain circumstances. Whether it applies depends on the purposes for processing and the lawful basis for processing. You have the absolute right to object to the processing of their personal data if it is for direct marketing purposes. However, it is not our intention to send you marketing emails and we do not plan to do so in the future. You can also object if the legal ground for processing your personal data is Habtic’s legitimate interest, or those of a third party.
g. The right to data portability. This means that you can download your data directly from Habtic, without our intervention. You have this right when the legal ground for such processing is consent or the execution of an agreement, which is the case.
h. The right to not be subject to a decision based solely on an automated decision-making process (decisions without human intervention), including profiling, if that decision would have legal or similar significant consequences for you. Habtic does not use such automated decision-making while providing their services.
i. The right to lodge a complaint. If you have any questions or concerns, we encourage you and provide you with sufficient information on how to contact the Dutch Supervisory Authority or your local data protection authority. Please see this directory for contact details: https://edpb.europa.eu/about-edpb/board/members_en. If you are in Switzerland, please visit this FDPIC site for contact details: https://www.edoeb.admin.ch/edoeb/en/home/the-fdpic/contact.html. If you are in the United Kingdom, please see this site for contact details: https://ico.org.uk/global/contact-us/.
j. The right to withdraw your consent. You can do this if Habtic processes your personal data based on consent. If you wish to withdraw your consent, you can customize the relevant feature on Habtic (e.g., Cookies) or contact us.
4. What data do we collect about you?
In general, we collect information when you register for an account, participate in interactive features on our websites, respond to your coach in one of our applications, request customer support, or otherwise communicate with us. The data you may provide includes your name, email, and whatever information you provide to our digital coaches as answers to their questions. Some users may also provide health-related information in connection with providing feedback or other messages to us, and we process that information consistent with the purpose for which it was provided.
• User Data: to sign in, we will only ask for your e-mail and your username. Please note that your username can be a pseudonym and we encourage you to use one. We take your privacy seriously and want to preserve your ‘anonymity’ as much as we can. We will not ask for your address, phone number, date of birth, sex, country, height, weight, etc.
• Usage Data: data retrieved from your participation in interactive features, or on our website, the answers you provide to our coaches, your requests to customer support, and your general communication with us. Usage data also comprehends: content you consume, videos watched, searches, streaming history, your library, browsing history, interaction with other users, and conclusions we make about your use of Habtic. Usage data includes information we generate about you based on other information we have collected. For example, we use information about your activity to help determine the likelihood of you continuing to use our services in the future, or the chance of success of your current endeavours, or to personalise the content we make available to you. Finally, usage data also comprehends information collected via Cookies. Each website and application will notify you separately of which cookies are being collected.
• Technical Data: your device ID, hardware model, app version, access times and dates, IP addresses, network connection type, carrier and region, provider, browser type, language, operating system.
• Location Data: your general non-precise location. We need it to comply with the geographic requirements and to deliver contents that are relevant to you.
• Sensor Data: motion or orientation-generated data from mobile sensors of your device (e.g. accelerometer or gyroscope).
• Third-party sources from which we collect your data: you can give us API access to your information as it’s stored on a third-party account. We never store the information ourselves, we just query it to calculate our own metrics, such as “is the user sedentary”. No other use us made of this data, it is not stored in our users’ data, and we make no further use of the external services. However, you must know that if you grant us access, we can draw lifestyle information from a range of services such as Fitbit, Apple Health, and Google Fit. This only ever happens with your consent, and you are always in control of our access to your data.
5. For what do we use your personal data?
Under the GDPR (Art. 6), processing shall be lawful only if and to the extent that at least one of the following legal grounds applies:
a. The data subject has given consent to the processing of his or her personal data for one or more specific purposes;
b. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
c. processing is necessary for compliance with a legal obligation to which the controller is subject;
d. processing is necessary in order to protect the vital interests of the data subject or of another natural person;
e. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
f. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
On the other hand, our purposes for processing your personal data are the following:
1. To provide the Habtic Service/Product. This comprehends personalising and tailoring User experience, supplying products and services, personalising and tailoring products and services, communicating with Users,
2. To understand, diagnose, analyse and fix problems with the service.
3. To evaluate and develop new features, technologies and improvements to the Habtic service.
5. For other marketing purposes not required by law (e.g., when Habtic uses personal data to tailor advertisements for Users).
6. To comply with a legal obligation incumbent on us. This could be a law of the country where User is located, Dutch law or EU law applicable to Habtic.
7. To comply with a law enforcement request (e.g., legal request from competent Court).
8. To fulfil contractual obligations with third parties.
9. To establish, exercise or defend legal claims.
10. To perform business planning, reporting and forecasting.
11. To conduct research and surveys.
12. Providing clients with metrics and dashboards regarding their employee’s performance while using Habtic. It is important to state that such metrics are provided in the form of aggregated and de-identified data. No personal data of Users is shared with Clients.
Following the letter of each legal ground (a; b; c;…) and the number of each purpose (1; 2; 3;…) as stated above, the following table provides an overview of our purpose for processing your personal data, our legal justification for any purpose and the categories of personal data that we use for any purpose (as explained in Section 4 of this Policy).
Purpose (1 to 12) Legal Ground (a to f) Categories of data
1 Consent; Performance of a contract; and, Legitimate interest. User data, Usage data, Technical data, Location data, Sensor data.
2 Performance of a contract. User data, Usage data, Technical data, Location data.
3 Legitimate interest. User data, Usage data, Technical data, Location data, Sensor data.
4 Consent User data, Usage data, Technical data, Location data, Sensor data, Survey and research data.
5 Legitimate interest. User data, Usage data, Technical data, Location data, Sensor data, Survey and research data.
6 Compliance with a legal obligation. User data, Usage data, Technical data, Location data, Sensor data, Survey and research data.
7 Compliance with a legal obligation; and, Legitimate interest. User data, Usage data, Technical data, Location data, Sensor data, Survey and research data.
8 Legitimate interest. User data, Usage data, Technical data, Location data, Sensor data.
9 Legitimate interest. User data, Usage data, Technical data, Location data, Sensor data, Survey and research data.
10 Legitimate interest. User data, Usage data, Technical data, Location data, Sensor data.
11 Legitimate interest. User data, Usage data, Technical data, Location data, Sensor data, Survey and research data.
12 Performance of a contract. User data, Usage data, Technical data, Location data, Sensor data.
6. Sharing your personal data.
There is no such thing as public profiles that other users may see within Habtic, so there is no publicly available information about you. Habtic is also not designed for you to share information on third-party services (such as social media).
In principle, we do not share your information with any third-party services. Your data remains your data, and our services can only access it to provide you with further information or guidance.
However, we may share the data illustrated in Section 4, with third parties that provide the technical infrastructure we need to provide Habtic Services or with parties that help protect and secure our systems and services (e.g., reCAPTCHA from Google). We may also share, for instance, your IP address with hosting platforms that host content, videos, articles and podcasts.
Other exceptions are:
• To share data for scientific research, but only in pseudonymised form. Pseudonymized data identifies your data by a code rather than your name or other information that directly identifies you.
• To share data with other companies of the group, to conduct our day-to-day business and to provide you with Habtic Services.
• To share data to comply with a legal obligation, if it is legally required by authorities, or for law enforcement purposes.
• To share data to potential buyers of our company. In that case, we may transfer your data to a successor or an affiliated company as part of that transaction.
Dephion does not have, does not need, and will not in any future implement strategic partnerships with payment, advertising or marketing partners.
Dephion shares aggregated de-identified data of population metrics to our Clients (your employer). This information is withheld if it can be reverse engineered and does not provide an insight on your personal activities in the application. We share performance metrics with our Clients. Information such as the kind of activities performed, level of engagement with different domains of lifestyle, level of participation and understanding of the programme from the population. Sharing those metrics is also part of our agreement with your employer.
7. Storing your data.
We will not retain your personal data for longer than is necessary to provide you with the Habtic service and for Habtic’s legitimate and essential business purposes, such as:
• maintaining the performance of the Habtic service;
• making data-based business decisions about new features and offerings;
• comply with our legal obligations;
• resolve disputes.
However, there is criteria to determine the length of retention periods. Habtic needs to retain data for an appropriate period in order to provide you with a tailored service. For example, Habtic will store streaming history for the lifetime of your account to provide you with the content you like and to make appropriate recommendations based on your habits. At the same time, Habtic may be required to meet legal or contractual obligations to retain or delete data. This may happen if new enforceable regulations enter in force, if a legitimate Court orders to share or delete certain data, or if some data needs to be retained during a trial.
If you discontinue the use of Habtic, but keep your account, you will be encouraged to resume activity through the app. If 6 months have elapsed since that notification and there has still been no use of Habtic from your part, we will deactivate the account and retain the data for additional 12 months, in case of reactivation from your part.
If your employer finishes the agreement with us, you will be notified in the app. Habtic will allow you to complete your current tasks, whether this is a day or multi-month progress, for free. After you are no longer active, your account will be deactivated. Your data will be kept for one year, in case of reactivation with another tenant.
8. Transferring your data to other countries.
Habtic runs on servers hosted in EU and all of your data is stored on EU-located databases. However, in order to provide Habtic services, we may use subcontractors and partners located outside EU. These subcontractors may process your data in countries whose data protection laws are not considered as strict as EU law or the law that applies where you live.
However, in such cases we make sure that the data transfer is in accordance with applicable law and that we provide you with the same level of protection as in EU. In addition to this, we have security technical and organizational measures in place to protect your data. You can see them by accessing our Technical and Organisational Measures.
9. Marketing and advertising.
You will not receive promotional communications from us. With your consent, we send programme push notifications to your mobile device. You can deactivate these messages at any time by changing the notification settings on your mobile device.
10. Keep your data safe.
At Habtic, we are deeply devoted to protecting your personal data. We have taken appropriate steps to do so, and you can read our Technical and Organisational Measures. However, please know that data breaches, either external or internal, are always a -very remote- possibility.
Additional to our efforts, we recommend that you keep your email address safe. If you lose it, we may not be able to recover your account because we do not store your email address, only a hashed copy (that is how serious we take your privacy!). We also recommend using strong passwords and to not share it with anyone, to keep an eye on your hardware device and browser, and to log out if you stop using Habtic on a shared device.
11. Contact us.
You can also write to us to Dephion Group, Mijnweg 3, 6167AC, Geleen.
This means that:
- No data is held that is not required in order to provide the health program to users.
- No individual employee user data will ever be shared with the employer.
- No data will ever be shared with third parties.