Personal data policy
Version 1.0 – Last updated: 23 October 2024
Ivital ApS (hereinafter “we”, “us” or “our”) is the data controller for the personal data processed through our stress prevention platform (“Ivital”). This includes all personal data that you as a user enter when creating a profile and using the platform. Your employer has no access to your personal data unless you explicitly consent to it.
1. Data controller
We are the data controller for all personal data processed in connection with your use of Ivital. This includes personal data that you enter when creating your profile and when using the platform. Your employer has no access to your personal data without your explicit consent and all data processing is done directly between you and us.
Therefore, there is no need for a data processing agreement between us and your employer, as Ivital is the independent data controller. The processing of your personal data is done in accordance with GDPR, and you can always contact us if you have any questions about your data.
Ivital ApS
Nordlandsvej 84
8240 Risskov
CVR: 43555332
Phone number: +45 3131 6394
Email: [email protected]
Website: www.ivital.dk
2. Processing of personal data
Here we provide an overview of the types of personal data we process, the purposes of the processing, the legal basis and retention periods.
2.1 Signing up for Ivital
When you receive an invitation to create an account on Ivital, only your name and email address are passed on from your employer to us. After creation, only we process your personal data. Your employer has no access to the data you enter without your explicit consent.
2.1.1 Purpose
The purpose of the registration is to give you access to the Ivital platform, which your employer pays to make available to you to support your personal stress prevention. We will send you invitations and reminders to create an account. Once you receive the invitation and create your account, only Ivital receives and processes the additional data you enter. Your employer has no access to your personal data without your explicit consent.
2.1.2 Personal data
The personal data we process in connection with your registration to Ivital includes:
- Name (first and last name)
- Email address (work email address)
- Work role
- Region
- Date of birth
- Gender
This information is only used to create your profile in the Ivital platform and manage your access.
2.1.3 Source
Name and email address information is provided by your employer to send you an invitation to create an account on Ivital. Other information, such as your job role, region, date of birth and gender, comes directly from you when you create your profile and use Ivital.
2.1.4 Legal basis
Processing of your personal data is in accordance with GDPR Article 6 (1) (f), our legitimate interest in providing services to you and your employer according to our agreement. When using Ivital, anonymized and aggregated well-being data is sent to your employer as part of overload prevention.
2.1.5 Data storage
Your personal data will be stored until you withdraw your consent, delete your account or your access to Ivital is terminated. In case of termination, all personal data will be deleted unless there is a legal obligation to keep it longer. See section 3 for further details on data retention.
2.2 Processing reflection data at Ivital (SOP© and SOIP©)
2.2.1 Purpose
The purpose of processing your reflection data is to:
- Assess your load level and body awareness.
- Generate individualized exercises, guidance and knowledge to support your stress prevention.
- Assess whether you should be recommended to request a wellbeing conversation.
- Share your latest reflection data with your contact person if you experience high stress, provided you have voluntarily given your explicit consent.
- Send your employer anonymized and aggregated wellbeing data that cannot be traced back to you.
2.2.2 Profiling
Ivital uses profiling to analyze your reflection data from SOP© and SOIP© so we can adapt our recommendations to your individual needs. Profiling allows us to assess your level of strain and body awareness based on your responses, which helps identify any needs for wellbeing conversations or additional support.
2.2.2.1 Purpose of profiling
Ensuring you receive relevant, personalized recommendations based on your reflection data and identifying high load.
2.2.2.2 Legal basis for profiling
Your explicit consent to the processing of both general personal data (GDPR Article 6 (1) (a)) and special categories of personal data (GDPR Article 9 (2) (a)).
2.2.2.3 Personal data used for profiling
- Answers to reflection forms from SOP© and SOIP©
- Data from The Pressure Scale
- Body awareness levels
2.2.2.4 Source
The personal data about your well-being and strain comes directly from you when you answer the reflection form in Ivital.
2.2.3 Personal data
We process the following general personal data in connection with your use of the Ivital platform:
- Login details (username and password)
- A copy of your consent to sign up and use Ivital
- Your preferred form of communication
- The time of your last reflection
- Reminders sent to you
- Name (first and last name)
- Email address (work-related email address)
Special categories of personal data (GDPR Article 9):
- Health information, including reflection data from SOP© and SOIP©
- Scores on the pressure and body awareness scales
2.2.4 Source
Personal data comes directly from you when you answer the reflection form in Ivital.
2.2.5 Legal basis
Your explicit consent to the processing of both general personal data (GDPR Article 6 (1) (a)) and special categories of personal data (GDPR Article 9 (2) (a)).
2.2.6 Anonymized statistics for the employer
We share anonymized and aggregated data with your employer to help improve well-being and working conditions. This data cannot be traced back to individuals. To ensure anonymity, we require a minimum threshold for the number of employees in the respective department or company before data can be shared. This helps protect the privacy of individual employees.
2.2.6.1 Purpose
To give your employer access to anonymized statistics that can be used to improve workplace well-being.
2.2.6.2 Legal basis
Our legitimate interest in providing anonymized statistics to your employer (GDPR Article 6 (1) (f)).
2.2.6.3 Personal data
- Anonymized answers to reflection forms
- Anonymized data on well-being and strain
2.2.6.4 Source
The data comes from your responses to reflection forms and is processed anonymously.
2.2.7 Data storage
See section 3 for information on storage periods.
2.3 Sharing data with managers
2.3.1 Purpose
With your explicit consent, we can share your latest reflection data with your manager. The purpose of this sharing is to allow your manager to offer you the necessary support if high stress is detected.
2.3.2 Personal data
The same personal data mentioned in section 2.2 can be shared with your manager, but only if you explicitly consent to this. The data may include reflection data from SOP© and SOIP©, strain levels and body awareness levels.
2.3.3 Withdrawal of consent
You can withdraw your consent at any time directly in the app under security settings. If you choose to withdraw your consent, your contact person and/or manager will immediately lose access to your data and future data will not be shared.
2.3.4 Legal basis
The processing of your data for sharing with your manager is based on your explicit consent according to GDPR Article 6 (1) (a) for general data and GDPR Article 9 (2) (a) for special categories of data (including health data).
2.4 Feedback function and communication
2.4.1 Purpose:
Ivital has a feedback feature that allows you to send questions or feedback directly to us via the platform. Responses to feedback are sent to the email address you are registered with.
2.4.2 Personal data processed:
- Email address (work-related email address)
- Content of feedback or questions
2.4.3 Source:
Personal data comes directly from you when you send a message or feedback via the platform.
2.4.4 Legal basis:
The processing of your personal data is based on our legitimate interest in handling user inquiries and providing support (GDPR Article 6 (1) (f)).
2.4.5 Data storage:
Your inquiries are stored for as long as necessary to process them and provide support. After that, they are deleted unless there is a legal obligation to keep them longer.
3. Security and storage of data
3.1 Storage of data
Your data is stored securely and deleted within seven days if one of the following situations occurs:
- You delete your account
- Your employer terminates your access to Ivital
- Your access to Ivital will be terminated
When your data is deleted, all personally identifiable data will be removed. However, anonymized data that cannot be traced back to you as an individual may be stored and used for statistical purposes and to improve our services. This data will not contain any information that can identify you.
3.2 Using anonymized data for research and analysis
We may use anonymized data for academic research, reports and benchmarking, without this data being traceable back to you as an individual.
3.2.1 Purpose:
To use anonymized data for research, analysis and reporting in order to improve our services.
3.2.2 Legal basis:
Our legitimate interest in using anonymized data for research purposes (GDPR Article 6 (1) (f)).
3.2.3 Personal data:
- Anonymized data from reflection forms
- Statistics and results based on aggregated data
3.2.4 Source:
The personal data comes from your use of Ivital and is processed anonymously.
3.3 Use of data processors and sub-processors
We use data processors and sub-processors who store and process personal data on our behalf. These processors act solely on our instructions and comply with the necessary security measures under the GDPR.
3.3.1 Cloud services and third-party providers:
In cases where we use cloud services or servers from third-party providers as sub-processors, no separate data processing agreement has been concluded directly with these providers. Their processing of personal data is regulated through their own certifications and obligations under GDPR, ensuring compliance with applicable data protection legislation.
3.3.2 Data processors outside the EU/EEA:
Data processors who process personal data outside the EU/EEA are certified under the EU-U.S. Data Privacy Framework.
3.3.3 Current sub-processors:
- LittleGiants ApS: Development, maintenance and technical support.
- DigitalOcean, LLC: Provision of cloud infrastructure and hosting services. Data is stored in DigitalOcean’s European data centers, guaranteeing storage within the EU.
- MongoDB Atlas: Cloud-based database service that offers secure and scalable data processing. Data is stored in MongoDB’s European data centers, guaranteeing storage within the EU.
- Amazon Web Services EMEA SARL: Cloud platform services. Data is stored in AWS’s European data centers, ensuring storage within the EU.
3.4 Secure storage and backup
We store personal data securely in accordance with applicable data protection legislation. Secure backup solutions are used to protect data against loss and all data is stored within the EU/EEA or in third countries that comply with GDPR data security requirements.
3.5 Security measures and data breaches
We maintain appropriate technical and organizational measures to protect personal data in accordance with GDPR. In the event of a data breach affecting the security of personal data, we will notify the affected parties as soon as possible and without undue delay and take the necessary steps to remedy the situation.
3.5.1 Internal reporting
All data breaches will be documented and recorded internally, and procedures will be put in place immediately to minimize damage and prevent future breaches.
3.5.2 Reporting to regulatory authorities
If the breach poses a risk to the rights and freedoms of the data subjects, we will report the data breach to the Danish Data Protection Agency within 72 hours of discovery.
3.5.3 Notification of the affected individuals
If a data breach is deemed to pose a high risk to the rights and freedoms of the individuals concerned, we will notify the individuals concerned without undue delay and provide information about the measures taken.
4. Disclosure of data
4.1 Disclosure to third parties
We will not disclose your personal data to third parties unless it is necessary to provide our services or to fulfill legal obligations. If it is necessary to disclose data to a third party to provide our services, you will be informed and give your consent unless otherwise required by law.
4.2 Anonymized and aggregated data
We may share anonymized and aggregated data with your employer or other partners to improve our services or to help your employer understand trends in stress prevention. This data cannot be traced back to you as an individual.
4.3 Sharing data with your consent
Personal data will only be shared with your employer or other third parties if you explicitly consent to this. You can withdraw your consent at any time in the app and we will immediately stop sharing your data.
5. Transfer of data to third countries
5.1 Transfer within the EU/EEA
Your personal data is generally processed and stored on servers within the EU/EEA. We ensure that all our data processors and sub-processors comply with applicable data protection legislation.
5.2 Transfer to third countries outside the EU/EEA
In certain cases, we may use sub-processors or cloud services in third countries outside the EU/EEA. If we transfer your data to a third country, we will ensure that appropriate safeguards are in place in the form of the EU Commission’s standard contractual clauses or similar mechanisms that ensure the protection of your personal data.
5.3 Consent to transfer to third countries
We will only transfer your personal data to third countries with your explicit consent, unless it is necessary to fulfill an agreement or to comply with a legal obligation. You will always be informed of any risks involved in the transfer of your data to a third country if there is no adequate data protection in the receiving country.
6. Your rights
You have the following rights in relation to your personal data that we process. To exercise these rights, you can contact us via the contact details provided in section 1.
6.1 Right of access
You have the right to request a copy of the personal data we process about you and information about how we process it.
6.2 Right to rectification
You have the right to have incorrect or incomplete data that we process about you corrected.
6.3 Right to erasure (“right to be forgotten”)
You have the right to request erasure of your personal data if we no longer have a legitimate basis for processing it. Please note that there may be exceptions to this right under the law.
6.4 Right to restriction of processing
You have the right to request that we temporarily restrict the processing of your personal data in the following situations:
- If you believe that the personal data we process is inaccurate and you want us to stop processing until the data has been verified or corrected.
- If you believe our processing is unlawful but you prefer restriction of processing to erasure of data.
6.5 Right to data portability
You have the right to receive the personal data you have provided to us in a structured, commonly used and machine-readable format. Please note that reflection data in our system is unique to Ivital and therefore not directly transferable to other providers.
6.6 Right to object to processing
You have the right to object to the processing of your personal data if the processing is based on our legitimate interests or in connection with direct marketing. If you object, we will stop processing unless we can demonstrate compelling legitimate grounds to continue processing which override your interests and rights.
6.7 Right to object to profiling
You have the right to ask for human intervention if you disagree with automated decision-making based on SOP© or SOIP© profiling.
6.8 Right to complain
If you believe that we process your personal data in violation of GDPR or other relevant data protection rules, you have the right to lodge a complaint with the Danish Data Protection Agency (www.datatilsynet.dk).
7. Changes to the personal data policy
We continuously update this privacy policy to ensure that it is in accordance with current legislation and our processing practices.
7.1 Notification of significant changes
If we make changes to the privacy policy that significantly affect your rights or the way we process your personal data, we will inform you in advance via email and/or through the app before the changes take effect. This ensures that you are fully informed of any changes that may affect your opinion on our processing of your personal data.
7.2 Availability and entry into force
The latest version of the Privacy Policy will always be available in the Ivital app and on our website. Minor changes may be updated without prior notice. The changes will take effect when they are published and by continuing to use our services you accept the updated policy.
Ivital ApS