1. Information about tech2people and Abilitate – therapy companion
1.1. tech2people GmbH, c/o Kerbler Holding Parkring 12/1/23, A-1010 Vienna, E-mail: firstname.lastname@example.org (“t2p” or “we”) is a company headquartered in the European Union (“EU”).
1.2. Abilitate – therapy companion is a specialised software solution for therapists provided by t2p (“abilitate”). It will be made available as a web application via the abilitate webpage, https://abilitate.at/. The software administers all the data stored by you or the entity you represent, your/its employees or agents.
1.4. t2p processes personal data relating to or obtained in connection with the operation, support or use of the services (e.g. user account information) as the data controller. However, where t2p processes personal data on your behalf in connection with the services provided, you are the data controller and t2p the data processor.
1.5. The provision of the services is governed by the abilitate – Terms of Service, available under the following link: https://abilitate.at/terms-of-service/.
1.6. Processing of personal data on your behalf is governed by the abilitate – Data Processing Agreement, available under the following link: https://abilitate.at/data-processing-agreement/.
1.8. For enquiries relating to data protection and the exercise of your rights (see Sec 4), please contact our Data Protection Point of Contact:
2. Summary of our processing activities
2.1. The following summary provides an overview of the data processing activities carried out in the context of the provision of abilitate. More detailed information can be found in the sections indicated below.
- When you visit our website without creating a user account, only limited personal data will be processed to provide you with the website itself (Sec 5). If you create a user account, further personal data will be processed (Sec 6).
- We process personal data to provide our services (Sec 7) and for research and development (Sec 8).
- Your personal data will be used for statistical analysis that helps us to improve our website and improve your website experience (Sec 10).
- Your personal data may be disclosed to third parties that might be located outside your country of residence (Sec 11).
2.2. For your rights with regard to the processing of your personal data see Sec 4.
3.1. Personal data: means any information relating to a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, or an online identifier.
3.2. Processing: means any operation which is performed on personal data, such as collection, recording, organisation, structuring, storage, adaptation or any kind of disclosure or other use.
3.3. Data controller: means the person or entity that determines alone or jointly with others the purposes and means of the processing of personal data.
3.4. Data processor: means the person or entity that processes personal data on behalf of the data controller.
4. Your personal data rights and controls
4.1. If your personal data is collected on the basis of consent pursuant to Article 6(1)(a) or Article 9(2)(a) GDPR, you have the right to withdraw your consent at any time without giving reasons. The consequence of the withdrawal is that we may no longer continue the data processing on the basis of this consent in the future. However, the withdrawal of your consent does not affect the lawfulness of the processing carried out on the basis of the consent until the withdrawal. If you wish to exercise your right, please contact our Data Protection Points of Contact (Sec 1).
4.2. Insofar as your personal data is collected on the basis of legitimate interests pursuant to Article 6(1)(f) GDPR, you have the right to object to the processing of your personal data in accordance with Article 21 GDPR, provided that there are grounds for doing so which arise from your particular situation. If your objection is directed against direct advertising, you have a general right of objection; a statement of reasons is not required for these cases. If you wish to exercise your right, please contact our Data Protection Points of Contact (Sec 1).
4.3. As a data subject of the processing of personal data, you have the right to:
- request information about your personal data processed by us in accordance with Article 15 GDPR. In particular, you can request information about the processing purposes, the category of personal data, the categories of recipients to whom your data has been or will be disclosed, the planned storage period, the existence of a right to rectification, erasure, restriction of processing or objection, the existence of a right of complaint, the origin of your data if it has not been collected by us, as well as the existence of automated decision-making including profiling and, if applicable, meaningful information about its details;
- demand the correction of incorrect or incomplete personal data stored by us without delay in accordance with Article 16 GDPR;
- request the erasure of your personal data stored by us pursuant to Article 17 GDPR, unless the processing is necessary for the exercise of the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the establishment, exercise or defence of legal claims;
- request the restriction of the processing of your personal data in accordance with Article 18 GDPR, insofar as you dispute the accuracy of the data, the processing is unlawful, we no longer require the data and you object to their deletion because you require them for the establishment, exercise or defence of legal claims. You also have the right under Article 18 GDPR if you have objected to the processing in accordance with Article 21 GDPR;
- receive your personal data that you have provided to us in a structured, common and machine-readable format or to request that it be transferred to another controller in accordance with Article 20 GDPR; and
- complain to a supervisory authority in accordance with Article 77 GDPR. As a rule, you can contact the supervisory authority of your usual place of residence or workplace or our registered office. In Austria, the supervisory authority is the (Austrian) Data Protection Authority, Barichgasse 40-42, 1030 Vienna, telephone: +43 1 52 152-0, e-mail: email@example.com, website: https://dsb.gv.at.
To exercise your rights as a data subject, with the exception of the right to lodge a complaint with the supervisory authority, please contact our Data Protection Points of Contact (Sec 1).
5. Provision and use of our web presence
5.1. When you visit our website without creating a user account and without providing us with personal data in any other form, we may automatically collect additional information about you which will contain personal data only in limited cases and which is automatically recognised by our server.
5.2. The following information is collected and stored until automated deletion:
- IP address of the requesting computer;
- device type, name and IDs;
- the date and time of access;
- name and URL of the retrieved file;
- the web page from which access is made (referrer URL);
- the browser used and, if applicable, the operating system of your computer, as well as the name of your access provider.
5.3. We use such information to assist us in providing an effective service (e.g. to adapt our website to the needs of your device or to allow you to log in to our website) and to collect broad demographic information for anonymised, aggregated use.
5.4. The personal data automatically collected is necessary for us to provide our website and for our legitimate interest to guarantee the website’s stability and security. The collection of broad demographic information is necessary for optimisation of our website. Legal basis for the processing is Article 6(1)(f) GDPR.
5.5. As soon as the data is no longer necessary for the display of our website, it will be deleted. We delete this data after 30 days at the latest. The collection of data for the provision of our website and the storage of data in log files is necessary for the operation of our web presence. Consequently, there is no possibility of objection on the part of the user. Further storage may take place in individual cases, e.g. if this is required by law (Sec 13).
6. User account
6.1. To use abilitate you must first create a user account with us. We store and process the following categories of User data:
- Information provided by you in the sign-up form or account page such as your name, user name, company name, email address, profile picture, profession, country and preferences;
- Information related to an account sign-in facility such as log-in and password details;
- Information related to the services you use, such as the identifier associated with the user account, version of abilitate and subscription plan (see abilitate – Terms of Service, Sec 1); and
- Communications sent by you via email, website communication forms or other means.
The information required to provide the service is labelled as such. All other information is provided on a voluntary basis.
6.2. If you register for or log into abilitate using another service, the provider of that authentication service will send your information to us (Sec 11). This information helps create your account with us.
6.3. We process User data to create your account that identifies you at sign-in and enables you to use our services, administer your account and communicate with us. The legal basis for this processing is our contractual relationships with you, Article 6(1)(b) GDPR.
6.4. User data is deleted automatically after the termination of abilitate – Terms of Service (Sec 1) or after an account deletion request is made. You can send your request to firstname.lastname@example.org. If such a request is received, we will keep your data for another 60 days. Data is permanently deleted after the retention period in accordance with abilitate – Terms of Service. Further storage may take place in individual cases, e.g. if this is required by law (Sec 13).
7. Provision of our services
7.1. We may process personal data collected, generated or provided by you (or on your behalf) in connection with abilitate and our services as specified in the abilitate – Terms of Service as a data controller or as a data processor (Sec 1).
7.2. We process the following categories of personal data relating to or obtained in connection with the operation, support or use of the services as a data controller:
- Service Generated Data. Telemetry data (applications and browser information about the deployment of services and related systems environment and technical information), services and product usage data (e.g. settings, device IDs), diagnostic data, and similar data that we collect or generate in connection with your use of and interaction with the services.
- User Content Metadata. Metrics and information about your content and the context of your use of the services, including when and what data, content, files, documents, or other materials that you generate or provide (e.g. by upload) in connection with abilitate and our services.
- Support data: Personal data provided through support channels, including for example user account, SEN (Support Entitlement Number), and any personal data contained within a summary of the problem experienced or information needed to resolve the support case.
- Payment and Purchase Data: name; date of birth; company name; payment method type (e.g. credit or debit card); if using a debit or credit card, the card type, expiration date, and certain digits of your card number (Note: For security, we never store your full card number); billing address; ZIP/postal code; email address; mobile phone number; and details of your purchase and payment history.
We process these categories of personal data for the following purposes, namely in order to
- provide our services as specified in the abilitate – Terms of Service, including to set up and personalise your account.
- invoice you and process your payment.
- secure and monitor the services in real-time.
- diagnose, troubleshoot and fix issues.
- provide customer support and assistance as requested from time to time.
- manage customer relationships and related correspondence.
- facilitate security, fraud prevention, performance monitoring, business continuity and disaster recovery.
- comply with financial reporting and other legal obligations.
- maintain, develop, and improve the services and support, including for research and development purposes.
- evaluate and develop new features and technologies for our services.
- inform internal business analysis and product strategy.
The legal basis for this processing is our contractual relationships with you, Article 6(1)(b) GDPR, compliance with our legal obligations, Article 6(1)(c) GDPR, and our legitimate business interests such as fraud prevention, IT security and improving our services, Article 6(1)(f) GDPR.
We may process personal data for the purposes described above for the duration of the contractual relationship with you, and for as long as we have a legitimate need to retain the personal data for the purposes for which it was collected. Further storage may take place in individual cases, e.g. if this is required by law (Sec 13).
7.3. Where you use our services to process personal data, we process the personal data that you generate or provide (e.g. by upload) on your behalf as a data processor in accordance with your instructions and the abilitate – Data Processing Agreement (Sec 1).
8. Research and development
8.1. We use analytics techniques to better understand how our services and software are being used, and to improve and further develop them. In addition to technological development, we also conduct fundamental and applied research to better understand the needs of the therapists and their patients and to generate research insights and recommendations.
8.2. For these research and development purposes we may process
- personal data processed in connection with abilitate and our services as specified in the abilitate – Terms of Service (Sec 1), with the exception of User Data (Sec 6) and Payment and Purchase Data (Sec 7);
- Survey data: personal data you provide when you respond to a survey or take part in user research.
8.3. We will aggregate and process the data on a de-identified or anonymized basis where possible. The Anonymized and Aggregated Data may be used and shared with third parties in accordance with applicable law, including to analyse, develop, improve, support, and operate the services and software provided by us, including to generate research insights, industry benchmarks or best practices guidance, recommendations, or similar reports.
8.4. The following legal bases apply (alternatively or cumulatively) to the processing of personal data for research and development purposes:
- Our legitimate interest in conducting research and development activities, Article 6(1)(f) GDPR.
- Research and experimental development activities in accordance with § 2d Austrian Research Organisation Act (FOG).
- Research and development which is not intended to achieve results relating to a data subject, whereby the data processed is publicly accessible, has been lawfully collected by us for other purposes, or pseudonymised and we are not able to identify the data subject in a lawful manner, in accordance with § 7(1) Austrian Data Protection Act.
- Approval of the data protection authority in accordance with § 7(3) Austrian Data Protection Act.
- Express consent given by you or obtained by you from the data subject in accordance with Article 6(1)(a) GDPR and Article 9(1)(a) GDPR.
8.5. Personal data may be stored for longer periods than absolutely necessary insofar as the personal data is processed solely for scientific or historical research purposes or statistical purposes and appropriate technical and organisational measures are implemented (e.g. pseudonymisation, protected separate storage), Article 5(1)(e) in conjunction with Article 89 GDPR. Raw data may be stored for at least 10 years to demonstrate compliance with good scientific practice in accordance with § 2d Austrian Research Organisation Act (FOG).
9. Automated decision making
We do not use your personal data for automated decision making which produces legal effects concerning you or similarly significantly affects you.
10. Web tracking, analysis and related tools
10.1. Our websites use a variety of technologies to provide you with an optimal user experience, in particular cookies, scripts and embedded content (hereinafter referred to as “technologies”). They are stored on your device either temporarily for the duration of a session (session cookies) or permanently (persistent cookies). Session cookies are automatically deleted at the end of your visit. Persistent cookies remain stored on your device until you delete them yourself or your web browser automatically deletes them.
We also use scripts on our websites to provide other functionality, such as statistical analysis of our websites or protection against bots. In some cases, cookies and scripts from third parties may also be stored on your device when you visit our site (e.g. third party cookies). These enable us or you to use certain third party services (e.g. cookies for audience measurement or third party content integration). We also integrate third-party content to provide you with a variety of services on our websites (e.g. videos, streams, etc.).
These technologies have different functions. Many technologies are technically necessary to enable certain features of the website (e.g. display of videos). Other technologies are used to evaluate user behaviour or to display advertising. Technically necessary technologies are stored on the basis of Article 6(1)(f) of the GDPR, unless another legal basis is specified. The website operator has a legitimate interest to use these technologies in order to provide its services in a technically flawless and optimised manner.
For technologies that are not technically necessary, consent will be obtained (Article 6(1)(a) GDPR). Where consent to store cookies has been requested, such cookies will only be stored on the basis of such consent. You can update your preferences via the “Your privacy choices / Manage cookies” link in the page footer.
Please note that we have no control over the scope of personal data collected by the relevant provider, nor do we know the purpose of the processing or how long your personal data will be retained. Your personal data will be transferred to and processed within and outside the EU and the European Economic Area (EEA) (Sec 11). It is possible that the relevant providers may disclose your personal data to their business partners, third parties or authorities.
10.2. We use consent management technologies for our online activities so that we can comply with our legal and (verification) obligations. Opt-in and opt-out data, the referrer URL, user agent, user settings, consent ID, time of consent, consent type, template version and banner language are processed. Consent data is stored for 3 years. The cookies used for this are valid for one session. The legal basis for this data processing is Art 6(1)(c) GDPR.
10.3. You can set your browser so that you are informed about the setting of cookies and only allow cookies in individual cases, exclude the acceptance of cookies for certain cases or in general and activate the automatic deletion of cookies when closing the browser. If you deactivate cookies, the functionality of our websites may be limited. You can find out about this option for the most commonly used browsers via the following links:
- Microsoft Internet Explorer and Microsoft Edge: https://support.microsoft.com/de-de/help/17442/windows-internet-explorer-delete-manage-cookies
- Mozilla Firefox: https://support.mozilla.org/de/kb/Cookies-blockieren
- Google Chrome: https://support.google.com/chrome/answer/95647?co=GENIE.Platform%3D%20Desktop&hl=en
- Safari: https://support.apple.com/de-de/guide/safari/sfri11471/mac
10.4. Further information about the processing of your personal data, your rights and settings concerning privacy are offered by the relevant provider:
- Hotjar. Hotjar is a behaviour and analytics software provided by Hotjar LTD, Dragonara Business Centre, 5th Floor, Dragonara Road, Paceville St Julian’s STJ 3141 Malta.
11. Sharing of personal data with third parties
11.1. When passing on your personal data, we always ensure the highest possible level of security and therefore only work with carefully selected and contractually obligated service providers and contractual and cooperation partners.
11.2. Your personal data may be transferred to the following categories of recipients:
- Hosting platform and other IT service providers. We work with technical service providers and IT tool providers to deliver our services to you. These service providers include, for example, external IT service providers that enable the hosting of our website and user communication, as well as providers of various IT tools and software as a service. For more information on the processing of personal data by these service providers, please refer to their privacy policies:
  - Microsoft Azure. Azure is a cloud computing platform run by Microsoft, which offers access, management, and development of applications and services through global data centers. For more information on how data are processed, please see Privacy in Azure: https://azure.microsoft.com/en-us/explore/trusted-cloud/privacy.
- Payment partners. We offer various payment options, such as payment in advance, payment by credit card and payment by PayPal. To process payments, we pass on your payment information to the credit institution or payment service provider commissioned with the payment. These companies may only use your data for order processing and not for any other purposes. For more information on the processing of personal data by these service providers, please refer to their privacy policies:
  - PayPal Privacy Statement: https://www.paypal.com/de/legalhub/privacy-full.
- Marketing, Advertising, and Analytics Partners. We work with other selected advertising and marketing partners such as social network providers to improve our website and advertising campaigns. You can find further information under Sec 10.
- Academic researchers. We share pseudonymised or anonymised data for activities such as statistical analysis and academic studies.
- Corporate Affiliates. We share data with corporate affiliates, such as therapy2people GmbH, where necessary to provide services and e.g. to detect, investigate, and prevent fraud, abuse, and threats to public safety.
- Authorities and other third parties. If we are obliged to do so by an official or court decision or if we are entitled to do so, e.g. because this is necessary for the prosecution of criminal offences or for the exercise and enforcement of our rights and claims, we will pass on your data to law enforcement agencies or other third parties if necessary.
- you have given your express consent or obtained the express consent of the data subject in accordance with Article 6(1)(a) GDPR and Article 9(1)(a) GDPR (e.g. social media networks, transfer of any special categories of personal data),
- this is legally permissible and necessary for the processing of contractual relationships with you in accordance with Article 6(1)(b) GDPR (e.g. payment service providers),
- in the event that there is a legal obligation for the disclosure pursuant to Article 6(1)(c) GDPR (e.g. authorities),
- the disclosure is necessary to protect legitimate interests and there is no reason to assume that you have an overriding interest worthy of protection in not disclosing your data in accordance with Article 6(1)(f) GDPR (e.g. exercising and enforcing our rights and claims) or
- this is carried out by a service provider (e.g. hosting service provider) acting on our behalf and on our exclusive instructions, which we have carefully selected (Article 28(1) GDPR) and with whom we have concluded a corresponding contract on data processing (Article 28(3) GDPR), which obliges our service provider, among other things, to implement appropriate security measures and grants us comprehensive control powers.
11.4. Service providers and other contractual and cooperation partners may transfer your personal data to third countries. If your data is processed outside the EU or the European Economic Area (EEA), this may result in your data being transferred to a country with a lower data protection standard than in the EU. This may result, for example, in your data being processed by public authorities for control and monitoring purposes, possibly also without the possibility of legal redress.
We implement appropriate safeguards, including the conclusion of EU standard data protection clauses, in the event that personal data is processed outside the EU and no adequacy decision has been taken by the European Commission (see the text of the clauses at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=de).
Adequacy decisions of the European Commission are available e.g. for UK, USA, Canada and Switzerland (see a list at https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en).
12.1. We implement appropriate technical and organisational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction or against unauthorised access by third parties. We continually update our security measures in line with technological developments.
12.2. You should bear in mind that submission of information over the internet is never entirely secure. We cannot guarantee the security of information you submit via our website whilst it is in transit over the internet and any such submission is at your own risk.
13. Data retention
14. References to third-party websites (external links)
Our website contains links to external, i.e. third party websites that are not under our control. We do not have any influence on the contents and data protection standards of such linked websites. Therefore, we shall not be held liable for any external links.