Privacy Policy - Abilitate

This Privacy Policy describes our policies and procedures for collecting, using and disclosing your personal information when you use the website, are interested in our services or use are already our customer. It informs you about your data protection rights and how the law protects you.

1.Information about tech2people and Abilitate – therapy companion

1.1. tech2people GmbH, c/o Kerbler Holding Parkring 12/1/23, A-1010 Vienna, E-mail: abilitate@tech2people.at (“t2p” or “we”) is a company headquartered in the European Union (“EU”).

1.2. Abilitate – therapy companion is a specialised software solution for therapists provided by t2p (“abilitate”). It will be made available as a web application via the abilitate webpage, https://abilitate.at/. The software administers all the data stored by the you or the entity you represent, your/its employees or agents.

1.3.This Privacy Policy applies to the services and the associated processing of personal data in the context of the provision of abilitate, including the web application offered via the abilitate webpage and the various subdomains (“our website” or “web presence”).

1.4. t2p process personal data relating to or obtained in connection with the operation, support or use of the services (e.g. user account information) as the data controller. However, where t2p processes personal data on your behalf in connection with the services provided, you are the data controller and t2p the data processor.

1.5. The provision of the services is governed by the abilitate – Terms of Service, available under the following link: https://abilitate.at/terms-of-service/.

1.6. Processing of personal data on your behalf is governed by the abilitate – Data Processing Agreement, available under the following link: https://abilitate.at/data-processing-agreement/.

1.7. We may develop new or offer additional services from time to time. They will also be subject to this Privacy Policy, unless stated otherwise.

1.8. For enquiries relating to data protection and the exercise of your rights (see Sec 4), please contact our Data Protection Point of Contact:

Data Protection Officer at dpo@tech2people.at with CC: abilitate@tech2people.at

2. Summary of our processing activities

2.1. The following summary provides an overview of the data processing activities carried out in the context of the provision of abilitate. More detailed information can be found in the sections indicated below.

When you visit our website without creating a user account, only limited personal data will be processed to provide you with the website itself (Sec 5). In case you create a user account further personal data will be processed (Sec 6).
We process personal data to provide our services (Sec 7) and for research and development (Sec 8).
Your personal data will be used for statistical analysis that helps us to improve our website and improve your website experience (Sec 10).
Your personal data may be disclosed to third parties that might be located outside your country of residence (Sec 11).

2.2. For your rights with regard to the processing of your personal data see Sec 4.

3. Definitions

3.1. Personal data: means any information relating to a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, or an online identifier.

3.2. Processing: means any operation which is performed on personal data, such as collection, recording, organisation, structuring, storage, adaptation or any kind of disclosure or other use.

3.3. Data controller: means the person or entity that determines alone or jointly with others the purposes and means of the processing of personal data.

3.4. Data processor: means the person or entity that processes personal data on behalf of the data controller.

4. Your personal data rights and controls

4.1. If your personal data is collected on the basis of consent pursuant to Article 6(1)(a) or Article 9(2)(a) GDPR, you have the right to withdraw your consent at any time without giving reasons. The consequence of the withdrawal is that we may no longer continue the data processing on the basis of this consent in the future. However, the withdrawal of your consent does not affect the lawfulness of the processing carried out on the basis of the consent until the withdrawal. If you wish to exercise your right, please contact our Data Protection Points of Contact (Sec 1).

4.2. Insofar as your personal data is collected on the basis of legitimate interests pursuant to Article 6(1)(f) GDPR, you have the right to object to the processing of your personal data in accordance with Article 21 GDPR, provided that there are grounds for doing so which arise from your particular situation. If your objection is directed against direct advertising, you have a general right of objection; a statement of reasons is not required for these cases. If you wish to exercise your right, please contact our Data Protection Points of Contact (Sec 1).

4.3. As a data subject of the processing of personal data, you have the right to:

request information about your personal data processed by us in accordance with Article 15 GDPR. In particular, you can request information about the processing purposes, the category of personal data, the categories of recipients to whom your data has been or will be disclosed, the planned storage period, the existence of a right to rectification, erasure, restriction of processing or objection, the existence of a right of complaint, the origin of your data if it has not been collected by us, as well as the existence of automated decision-making including profiling and, if applicable, meaningful information about its details;
demand the correction of incorrect or incomplete personal data stored by us without delay in accordance with Article 16 GDPR;
request the erasure of your personal data stored by us pursuant to Article 17 GDPR, unless the processing is necessary for the exercise of the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the establishment, exercise or defence of legal claims;
request the restriction of the processing of your personal data in accordance with Article 18 GDPR, insofar as you dispute the accuracy of the data, the processing is unlawful, we no longer require the data and you object to their deletion because you require them for the establishment, exercise or defence of legal claims. You also have the right under Article 18 GDPR if you have objected to the processing in accordance with Article 21 GDPR;
receive your personal data that you have provided to us in a structured, common and machine-readable format or to request that it be transferred to another controller in accordance with Article 20 GDPR; and
complain to a supervisory authority in accordance with Article 77 GDPR. As a rule, you can contact the supervisory authority of your usual place of residence or workplace or our registered office. In Austria, the supervisory authority is the (Austrian) Data Protection Authority, Barichgasse 40-42, 1030 Vienna, telephone: +43 1 52 152-0, e-mail: dsb@dsb.gv.at, website: https://dsb.gv.at.

To exercise your rights as a data subject, with the exception of the right to lodge a complaint with the supervisory authority, please contact our Data Protection Points of Contact (Sec 1).

5. Provision and use of our web presence

5.1. When you visit our website without creating a user account and without providing us with personal data in any other form, we may automatically collect additional information about you which will contain personal data only in limited cases and which is automatically recognised by our server.

5.2.The following information is collected and stored until automated deletion:

IP address of the requesting computer;
device type, name and IDs;
the date and time of access;
name and URL of the retrieved file;
the web page from which access is made (referrer URL);
the browser used and, if applicable, the operating system of your computer, as well as the name of your access provider.

5.3. We use such information to assist us in providing an effective service (e.g. to adapt our website to the needs of your device or to allow you to log in to our website) and to collect broad demographic information for anonymised, aggregated use.

5.4. The personal data automatically collected is necessary for us to provide our website and for our legitimate interest to guarantee the website’s stability and security. The collection of broad demographic information is necessary for optimisation of our website. Legal basis for the processing is Article 6(1)(f) GDPR.

5.5. As soon as the data is no longer necessary for the display of our website, it will be deleted. We delete this data after 30 days at the latest. The collection of data for the provision of our website and the storage of data in log files is necessary for the operation of our web presence. Consequently, there is no possibility of objection on the part of the user. Further storage may take place in individual cases, e.g. if this is required by law (Sec 13).

6. User account

6.1. To use abilitate you must first create a user account with us. We store and process the following categories of User data:

Information provided by you in the sign-up form or account page such as your name, user name, company name, email address, profile picture, profession, country and preferences;
Information related to an account sign-in facility such as log-in and password details;
Information related to the services you use, such as identifier associated with user account, version of abilitate and subscription plan (see abilitate – Terms of Service, Sec 1); and
Communications sent by you via email, website communication forms or other means.

The information required to provide the service is labelled as such. All other information is provided on voluntary basis.

6.2. If you register for or log into abilitate using another service, the provider that authentication service will send your information to us (Sec 11). This information helps create your account with us.

6.3. We process User data to create your account that identifies you at sign-in and enables you to use our services, administer you account and communicate with us. The legal basis for this processing is our contractual relationships with you, Article 6(1)(b) GDPR.

6.4. User data is deleted automatically after the termination of abilitate – Terms of Service (Sec 1) or an account deletion request is made. You can send your request to abilitate@tech2people.at. If such a request is received, we will keeps your data for another 60 days. Data is permanently deleted after the retention period in accordance with abilitate – Terms of Service. Further storage may take place in individual cases, e.g. if this is required by law (Sec 13).

7. Provision of our services

7.1. We may process personal data collected, generated or provided by you (or on your behalf) in connection with abilitate and our services as specified in the abilitate – Terms of Service as a data controller or as a data processor (Sec 1).

7.2. We process following categories of personal data relating to or obtained in connection with the operation, support or use of the services as a data controller.

Service Generated Data. Telemetry data (applications and browser information about the deployment of services and related systems environment and technical information), services and product usage data (e.g. settings, device IDs), diagnostic data, and similar data that we collect or generate in connection with your use of and interaction with the services.
User Content Metadata. Metrics and information about your content and the context of your use of the services, including when and what data, content, files, documents, or other materials that you generate or provide (e.g. by upload) in connection with abilitate and our services.
Support data: Personal data provided through support channels, including for example user account, SEN (Support Entitlement Number), and any personal data contained within a summary of the problem experienced or information needed to resolve the support case.
Payment and Purchase Data: name; date of birth; company name; payment method type (e.g. credit or debit card); if using a debit or credit card, the card type, expiration date, and certain digits of your card number (Note: For security, we never store your full card number); billing address; ZIP/postal code; email address; mobile phone number; and details of your purchase and payment history.

We process these categories of personal data for the following purposes, namely in order to

provide our services as specified in the abilitate – Terms of Service, including to set up and personalise your account.
invoice you and process your payment.
secure and monitor the services in real-time.
diagnose, troubleshoot and fix issues.
provide customer support and assistance to as requested from time to time.
customer relationship management and related correspondence
facilitate security, fraud prevention, performance monitoring, business continuity and disaster recovery.
comply with financial reporting and other legal obligations.
maintain, develop, and improve the services and support, including for research and development purposes.
evaluate and develop new features and technologies for our services.
inform internal business analysis and product strategy.

The legal basis for this processing is our contractual relationships with you, Article 6(1)(b) GDPR, compliance with our legal obligations, Article 6(1)(c) GDPR, and our legitimate business interests such as fraud prevention, IT security and improving our services, Article 6(1)(f) GDPR.

We may process personal data for the purposes described above for the duration of the contractual relationship with you, and for as long as we have a legitimate need to retain the personal data for the purposes for which it was collected. Further storage may take place in individual cases, e.g. if this is required by law (Sec 13).

7.3. Where you use our services to process personal data, we process the personal data that you generate or provide (e.g. by upload) on your behalf as a data processor in accordance with the your instructions and the abilitate – Data Processing Agreement (Sec 1).

7.4. We will process personal data for the purposes specified in this Privacy Policy. In addition, we may process personal data for “further” or “compatible” purposes (within the meaning of Articles 5(1)(b) and 6(4) GDPR, where applicable), or seek your consent or ask you to obtain consent from data subjects for other types of data processing.

8. Research and development

8.1. We use analytics techniques to better understand how our services and software are being used, and to improve and further develop them. In addition to technological development, we also conduct fundamental and applied research to better understand the needs of the therapists and their patients and to generate research insights and recommendations.

8.2. For these research and development purposes we may process

personal data processed in connection with abilitate and our services as specified in the abilitate – Terms of Service (Sec 1), with the exception of User Data (Sec 6) and Payment and Purchase Data (Sec 7);
Survey data: personal data you provide when you respond to a survey or take part in user research.

8.3. We will aggregate and process the data on a de-identified or anonymized basis where possible. The Anonymized and Aggregated Data may be used and shared with third parties in accordance with applicable law, including to analyse, develop, improve, support, and operate the services and software provided by us, including to generate research insights, industry benchmarks or best practices guidance, recommendations, or similar reports.

8.4. Following legal bases apply (alternatively or cumulatively) to the processing of personal data for research and development purposes:

Our legitimate interest in conducting research and development activities, Article 6(1)(f) GDPR.
Research and experimental development activities in accordance with § 2d Austrian Research Organisation Act (FOG).
Research and development which is not intended to achieve results relating to a data subject, whereby the data processed is publicly accessible, has been lawfully collected by us for other purposes, or pseudonymised and we are not able to identify the data subject in a lawful manner, in accordance with § 7(1) Austrian Data Protection Act.
Approval of the data protection authority in accordance with § 7(3) Austrian Data Protection Act.
Express consent given by you or obtained by you from the data subject in accordance with Article 6(1)(a) GDPR and Article 9(1)(a) GDPR.

8.5. Personal data may be stored for longer periods than absolutely necessary insofar as the personal data is processed solely for scientific or historical research purposes or statistical purposes and appropriate technical and organisational measures are implemented (e.g. pseudonymisation, protected separate storage), Article 5(1)(e) in conjunction with Article 89 GDPR. Row data may be stored for least 10 years to demonstrate compliance with good scientific practice in accordance with § 2d Austrian Research Organisation Act (FOG).

9. Automated decision making

We do not use your personal data for automated decision making which produces legal effects concerning you or similarly significantly affects you.

10. Web tracking, analysis and related tools

10.1. Our websites use a variety of technologies to provide you with an optimal user experience, in particular cookies, scripts and embedded content (hereinafter referred to as “technologies”). They are stored on your device either temporarily for the duration of a session (session cookies) or permanently (persistent cookies). Session cookies are automatically deleted at the end of your visit. Persistent cookies remain stored on your device until you delete them yourself or or your web browser automatically deletes them.

We also use scripts on our websites to provide other functionality, such as statistical analysis of our websites or protection against bots. In some cases, cookies and scripts from third parties may also be stored on your device when you visit our site (e.g. third party cookies). These enable us or you to use certain third party services (e.g. cookies for audience measurement or third party content integration). We also integrate third-party content to provide you with a variety of services on our websites (e.g. videos, streams, etc.).

These technologies have different functions. Many technologies are technically necessary to enable certain features of the website (e.g. display of videos). Other technologies are used to evaluate user behaviour or to display advertising. Technically necessary technologies are stored on the basis of Article 6(1)(f) of the GDPR, unless another legal basis is specified. The website operator has a legitimate interest to use these technologies in order to provide its services in a technically flawless and optimised manner.

For technologies that are not technically necessary consent will be obtained, Article 6(1)(a) GDPR). Where consent to store cookies has been requested, such cookies will only be stored on the basis of such consent. You can update your preferences via the “Your privacy choices / Manage cookies” link in the page footer.

Please note that we have no control over the scope of personal data collected by the relevant provider, nor do we know the purpose of the processing or how long your personal data will be retained. Your personal data will be transferred to and processed within and outside the EU and the European Economic Area (EEA) (Sec 11). It is possible that the relevant providers may disclose your personal data to their business partners, third parties or authorities.

10.2. We use consent management technologies for our online activities so that we can comply with our legal and (verification) obligations. Opt-in and opt-out data, the referrer URL, user agent, user settings, consent ID, time of consent, consent type, template version and banner language are processed. Consent data is stored for 3 years. The cookies used for this are valid for one session. The legal basis for this data processing is Art 6(1)(c) GDPR.

10.3. You can set your browser so that you are informed about the setting of cookies and only allow cookies in individual cases, exclude the acceptance of cookies for certain cases or in general and activate the automatic deletion of cookies when closing the browser. If you deactivate cookies, the functionality of our websites may be limited. You can find out about this option for the most commonly used browsers via the following links:

Microsoft Internet Explorer and Microsoft Edge: https://support.microsoft.com/de-de/help/17442/windows-internet-explorer-delete-manage-cookies
Mozilla Firefox: https://support.mozilla.org/de/kb/Cookies-blockieren
Google Chrome: https://support.google.com/chrome/answer/95647?co=GENIE. Platform%3D%20Desktop&hl=en
Safari: https://support.apple.com/de-de/guide/safari/sfri11471/mac

10.4. Further information about the processing of your personal data, your rights and settings concerning privacy are offered by the relevant provider:

Hotjar. Hotjar is a behaviour and analytics software provided by Hotjar LTD, Dragonara Business Centre, 5th Floor, Dragonara Road, Paceville St Julian’s STJ 3141 Malta.

We use Hotjar in order to better understand our users’ needs and to optimize this service and experience. Hotjar is a technology service that helps us better understand our users’ experience (e.g. how much time they spend on which pages, which links they choose to click, what users do and don’t like, etc.) and this enables us to build and maintain our service with user feedback. Hotjar uses cookies and other technologies to collect data on our users’ behavior and their devices. This includes a device’s IP address (processed during your session and stored in a de-identified form), device screen size, device type (unique device identifiers), browser information, geographic location (country only), and the preferred language used to display our website. Hotjar stores this information on our behalf in a pseudonymized user profile. Hotjar is contractually forbidden to sell any of the data collected on our behalf.

For further details, please see the ‘about Hotjar’ section of Hotjar’s support site, available under the following link: https://help.hotjar.com/hc/en-us/sections/115003204947 and Hotjar’s privacy policy, available under the following link: https://www.hotjar.com/ legal/policies/privacy/.

Google Analytics. This website uses Google Analytics, a web analysis service of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”). We use Google Analytics to analyse and improve the user experience on our website. Data are processed on the basis of your consent (Article 6(1)(a) GDPR), which you expressly gave by setting your cookie preferences. As a consequence of using Google Analytics, data are transferred to the USA, or the transfer of data to the USA cannot be ruled out. For more information on how data are processed by Google Analytics, please see Google’s privacy policy at https://policies.google.com/privacy?hl=en or https://support.google.com/ analytics/answer/6004245?hl=en.

Matomo. Our website uses Matomo, an open-source software for the statistical analysis of visitor traffic. Matomo is offered by “InnoCraft Ltd”, a New Zealand company (NZBN 6106769) headquartered at: 7 Waterloo Quay PO625, 6140 Wellington, New Zealand. Its EU Representative is ePrivacy Holding GmbH, Große Bleichen 21, 20354 Hamburg, Germany. Data are processed on the basis of your consent (Article 6(1)(a) GDPR). Your declaration of consent is given via the cookie banner on our website. For more information on how data are processed by Matomo, please see Matomo’s privacy policy at https://matomo.org/privacy-policy/.

YouTube Video. To optimise our website, components from YouTube are integrated on our website (“YouTube plugin”). The processing of personal data when using YouTube is carried out by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, as the responsible party. Further information on YouTube is available at https://www.youtube.com/yt/about/de/. When you visit a website that contains a YouTube video, the corresponding video is loaded from YouTube. By visiting the website, YouTube receives the information that you have accessed the corresponding subpage of our website. In addition, the above-mentioned basic data such as IP address and time stamp are transmitted. We have no influence on this data transmission. The legal basis for the display of the videos is Art 6(1)(a) GDPR, i.e. the integration only takes place with your consent. The information collected is stored on Google servers, including in the USA. Further information on the handling of user data can be found in YouTube’s privacy settings at https://www.youtube.com/intl/en_us/howyoutubeworks/user-settings/privacy/, at YouTube Help under the “Privacy basics in YouTube apps”, available at https://support.google.com/youtube/answer/10364219?hl=en&sjid=9991405588 780478899-EU, and in Google’s privacy policy at or https://policies.google.com/privacy?hl=en&gl=de. Information on a possible opt-out can be found at https://adssettings.google.com/authenticated.

11. Sharing of personal data with third parties

11.1. When passing on your personal data, we always ensure the highest possible level of security and therefore only work with carefully selected and contractually obligated service providers and contractual and cooperation partners.

11.2. Your personal data may be transferred to the following Categories of recipients:

Hosting platform and other IT service providers. We work with technical service providers and IT tool providers to deliver our services to you. These service providers include, for example, external IT service providers that enable the hosting of our website and user communication, as well as providers of various IT tools and software as a service. For more information on the processing of personal data by these service providers, please refer to their privacy policies:
- Microsoft Azure. Azure is a cloud computing platform run by Microsoft, which offers access, management, and development of applications and services through global data centers. For more information on how data are processed, please see Privacy in Azure: https://azure.microsoft.com/en-us/explore/trusted-cloud/privacy.
- Auth0. Auth0 is an authentication service provided by Okta UK Limited, 20 Farringdon Road ECIM 3HE, United Kingdom. For further details, please see Auth0 Data Processing support site, available under the following link: https://auth0.com/docs/secure/data-privacy-and-compliance/data-processing, the Okta privacy policy, available under the following link: https://www.okta.com/privacy-policy
- Payment partners. We offer various payment options, such as payment in advance, payment by credit card and payment by PayPal. To process payments, we pass on your payment information to the credit institution or payment service provider commissioned with the payment. These companies may only use your data for order processing and not for any other purposes. For more information on the processing of personal data by these service providers, please refer to their privacy policies:
- PayPal Privacy Statement: https://www.paypal.com/de/legalhub/privacy-full.

Marketing, Advertising, and Analytics Partners. We work with other selected advertising and marketing partners such as social network providers to improve our website and advertising campaigns. You can find further information under Sec 10.
Academic researchers. We share pseudonymised or anonymised data for activities such as statistical analysis and academic studies.
Corporate Affiliates. We shares data with corporate affiliates, such as therapy2people GmbH, where necessary to provide services and e.g. to detect, investigate, and prevent fraud, abuse, and threats to public safety.
Authorities and other third parties. If we are obliged to do so by an official or court decision or if we are entitled to do so, e.g. because this is necessary for the prosecution of criminal offences or for the exercise and enforcement of our rights and claims, we will pass on your data to law enforcement agencies or other third parties if necessary.

11.3. We do not transfer your personal data to third parties for purposes other than those set out in this Privacy Policy. When we transfer personal data, we rely on the following legal basis:

you have given your express consent or obtained the express consent of the data subject in accordance with Article 6(1)(a) GDPR and Article 9(1)(a) GDPR (e.g. social media networks, transfer of any special categories of personal data),
this is legally permissible and necessary for the processing of contractual relationships with you in accordance with Article 6(1)(b) GDPR (e.g. payment service providers),
in the event that there is a legal obligation for the disclosure pursuant to Article 6 (1) c GDPR (e.g. authorities),
the disclosure is necessary to protect legitimate interests and there is no reason to assume that you have an overriding interest worthy of protection in not disclosing your data in accordance with Article 6(1)(f) GDPR (e.g. exercising and enforcing our rights and claims) or
this is carried out by a service provider (e.g. hosting service provider) acting on our behalf and on our exclusive instructions, which we have carefully selected (Article 28(1) GDPR) and with whom we have concluded a corresponding contract on data processing (Article 28(3) GDPR), which obliges our service provider, among other things, to implement appropriate security measures and grants us comprehensive control powers.

11.4. Service providers and other contractual and cooperation partners may transfer your personal data to third countries. If your data is processed outside the EU or the European Economic Area (EEA), this may result in your data being transferred to a country with a lower data protection standard than in the EU. This may result, for example, in your data being processed by public authorities for control and monitoring purposes, possibly also without the possibility of legal redress.

We implement appropriate safeguards, including the conclusion of EU standard data protection clauses, in the event that personal data is processed outside the EU and no adequacy decision has been taken by the European Commission (see the text of the clauses at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=de).

Adequacy decisions of the European Commission are available e.g. for UK, USA, Canada and Switzerland (see a list at https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en).

12. Security

12.1. We implement appropriate technical and organisational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction or against unauthorised access by third parties. We continually update our security measures in line with technological developments.

12.2. You should bear in mind that submission of information over the internet is never entirely secure. We cannot guarantee the security of information you submit via our website whilst it is in transit over the internet and any such submission is at your own risk.

13. Data retention

In the absence of specific retention periods set out in this Privacy Policy, personal data will be retained only for as long as it is needed to fulfil the purpose for which it was collected and, if applicable, as long as required by statutory retention requirements, unless there is a need to continue processing the data for the conclusion or performance of a contract, for scientific or historical research purposes or statistical purposes, or for the establishment, exercise or defence of legal claims.

14. References to third-party websites (external links)

Our website contains links to external, i.e. third party websites that are not under our control. We do not have any influence on the contents and data protection standards of such linked websites. Therefore, we shall not be held liable for any external links.

15. Changes to this Privacy Policy

15.1. We may make changes to this Privacy Policy from time to time. Changes may be necessary due to the further development of abilitate, it’s features and functionalities, our services or due to changes in legal or regulatory requirements. You can access and print the current version of the Privacy Policy at any time on this page.

15.2. We will notify you of any changes by posting the new version of the Privacy Policy on this page and updating the “last updated” date at the top of the Privacy Policy. We recommend that you check the Privacy Policy regularly for changes. Changes will take effect when they are posted on this page. Your continued use of our services following the changes will constitute your consent to such changes.

15.3. When we make material changes to the Privacy Policy, we’ll provide you with prominent notice as appropriate under the circumstances. For example, we may display a prominent notice within the service or send you an email or device notification.