Information about the processing of personal data by Braive
Privacy Statement
The contents of this Privacy Statement: This Privacy Statement details the processing of your personal data by Braive. It explains how we collect, store and use your personal data in compliance with the General Data Protection Regulation (EU) 2016/679 (GDPR) and other, to us, applicable data protection law (as amended from time to time).
Why this Statement: Braive AS is established in Norway and Braive AB in Sweden and accordingly subject to GDPR. Under the GDPR the controller (see below) of personal data is required to provide certain information about its processing of personal data. We, thus, wish to inform you about the processing of your personal data by these two entities, to the extent that is collected and processed by us, all as further detailed in this Privacy Statement.
Applicability: The Privacy Statement applies to the processing of personal data by Braive as a result of:
Collectively the services offered by Braive are called the ‘Braive Service‘ in this Privacy Statement . From time to time, we may develop new, or offer additional, services. They’ll also be subject to this Privacy Statement, unless stated otherwise when we introduce them
Cookies Statement: Information on how we use cookies and how to manage your cookie preferences is to be found in our separate Cookies Statement [here] (cookies are small files saved on your phone, tablet or computer when you visit a website).
Other resources: Information about your personal data is provided right here in this Privacy Statement.
Additional information: In addition to this Privacy Statement and its contents Braive may from time to time provide you with additional information regarding certain processing of your personal data in a specific context. Such additional information supplements and should be read together with this Privacy Statement.
This Privacy Statement is not the Braive Terms of Service, which is a separate document. The Braive Terms of Service is the agreement between you and Braive for using any Braive Service. Among other things, it describes the rules of Braive which you must follow.
Controller. Who the controller of your personal data collected and processed by Braive is will depend on your access to the Braive Service. In short, by Braive we mean the company Braive AS and it is the controller, unless as provided as follows we mean Braive AB.
Braive AS (Norwegian company, contact details below) is a controller in the following situations:
Visitor – personal data collected and processed when you visit our website(s), not logging in
Unguided User – personal data collected and processed when you register and use Braive Service as a logged in user, but have not connected to a therapist in the Braive Service via a Health Care Provider.
Guided User – personal data collected and processed when you register and use Braive Service as a logged in user, and are connected to a therapist in the Braive Service via a Health Care Provider, and your enrolment is due to an agreement between Braive AS and your Health Care Provider.
Unguided User, after having been a guided one – if you have been a Guided User and you, after being disconnected from a therapist, choose to continue to use the Braive service, Braive will continue to be the controller.
Braive AB (Swedish company, contact details below) is controller in the following situation:
Unguided User – personal data collected and processed when you register and use Braive Service but have not enrolled with a therapist in the Braive Service via Partner Entity.
Guided User –personal data collected and processed when you register and use Braive Service and are enrolled with a therapist in the Braive Service, and your enrollment is due to an agreement between Braive AB and your Health Care Provider.
Unguided User, after having been a guided one – if you have been a Guided User and you, after being disconnected from a therapist, choose to continue to use the Braive service, Braive will continue to be the controller.
You can get access to Braive’s platform as a self-paying individual, or through a Partner Entity and/or a Health Care provider.
Accessing the Service as an unguided user through a Partner Entity. Examples of Partner Entities include employers, insurance companies and/or other partnerships where you, as an employee or customer of the Partner Entity, can access the Braive service free of charge. For example, Braive signs an agreement with an insurance company and as long as you, as an insurance customer, remain an unguided user on the platform via your insurance, Braive[AS12] is the controller.
Controller to Controller with Health Care Providers. When you are a Guided User you will have a therapist to interact with through the Braive Service. Therapists access Braive’s platform through an agreement between the Health Care Provider, for which the therapist works, and Braive AS or AB (determined above). Such Health Care Provider and Braive are both to be regarded as controllers for your personal data processed in the Braive Service to the extent that the therapist is the creator of such personal data, or to the extent the therapist initiates any activity in which you share any personal data with the therapist.
Your designated Health Care Provider/therapist will have access to your personal data in the Braive Service for as long as you remain a Guided User (see hereabout in more detail below as regards to which data).
As between the designated Health Care Provider/therapist and Braive, the Health Care Provider has found that Braive and the Braive Service meet its data protection requirements. The parties have entered into an agreement which shall make it possible for the Health Care Provider/therapist to access and use the Braive Service to provide its services to you and, thus, use the Braive Service to interact with you. It is Braive that has undertaken to inform you about the processing of your personal data within the Braive Service and it is Braive you should contact as regards the exercising of the rights you have as a data subject under the GDPR (see below for more information on your rights).
The Braive Service is not the Health Care Provider/therapist medical record keeping system or similar. You should, however, be aware that the Health Care Provider/therapist has legal obligations to keep records of its patients and dealings with its patients, which it will fulfil by other means than the Braive Service. For such processing outside of the Braive Service, the Health Care Provider/therapist is the controller and not Braive. Please, seek information from the Health Care Provider as to its processing of your personal data if you require such information.
Braive is not a processor. Braive is not a processor to a Partner Entity or Health Care Provider/therapist in regard to your personal data processed within the Braive Service. In short, you enter into an agreement with us and under that agreement we provide you with Braive’s treatment programs in the Braive Service. Furthermore, you can determine how your personal data is to be utilised as further set out in this Privacy Statement and your agreement with Braive, not the Partner Entity or Health Care Provider/therapist. The Service will give the Health Care Provider means to communicate with and take part of its patient’s progress in his or her treatment program, but individuals can independently of any Health Care Provider (Unguided User) also use the Braive Service as self-care and this without direct communication with any therapist.
Braive is a processor: For the management of therapists’ data, which includes user ID and their communication with patients, is carried out on behalf of the Health Care Provider, and in such management, Braive acts as a data processor for the Health Care Provider. As between the designated Health Care Provide and Braive, the parties have entered into an agreement which shall make it possible for their therapists to access and use the Braive Service to provide care and to interact with you.
Braive reserves the right to use the data generated as a result of this collaboration in a purposeful manner in relation to, (but not limited to) product development and the production of statistics.
Braive collects personal data in the course of providing the Braive Service to you. It is this personal data that is processed within the Braive Service.
Here are the sources of the data we collect and process (find more on detailed data tables under 4.Purpose and legal basis for processing):
Personal Data you provide to us: We collect the personal data you provide in relation to your use of the Braive Service.
Automatic registration: We automatically collect certain data when you interact with the Braive Service.
Your activity generated results: We collect the personal data that amounts to your results from carrying out the different tests, assignments and assessments provided to you within the Braive Service.
Information from other sources: We receive personal data that relates to you from other sources.
Under the GDPR Braive is, as controller, obliged to inform you of the purpose(s) for which Braive processes personal data of yours and the legal basis for such processing. This information is thus, presented in tables under the headings: Purpose, Personal data and Legal basis.
Please note that by “legitimate interest” we mean the legal basis of a balance of interest as provided under the GDPR article 6.1f. In short, in such cases we have determined processing is necessary for the purposes of the legitimate interests pursued by us (or by a third party), and where such interests are not overridden by the interests or fundamental rights and freedoms of yours which require protection of personal data.
Purpose | Processed personal data (categories) | Legal basis | Data retention |
Personal Data you provide to us | |||
To communicate with you, when you fill in a contact form or similar on our website | The personal data you provide in contact form (e.g. name, contact details) | Legitimate interest. Interest pursued: to communicate with you to offer our services and otherwise attempt to answer your questions. | 3 months |
Your activity generated results | |||
Cookies – When you visit our website(s) we collect cookies – please refer to our cookie Statement and any consent granted in connection thereto. In addition to cookies the following processing may occur if you visit our website(s) | See Cookie Statement | Consent or legitimate interest as further determined in our cookie Statement | The time during which we store cookies depend on which cookie that is placed on your device. Permanent cookies remain on your device until you delete them, or the expiry date passes and you return to our service. Session cookies do not have an expiration date and are stored temporarily on your device during the time you visit our service. Possible session cookies are removed when you close your browser. Read more about our cookies in our cookie Statement. |
The following personal data may be processed when you are an Unguided User.
Purpose | Processed personal data (categories) | Legal basis | Data retention |
Personal Data you provide to us | |||
To allow you to register for, log into the Braive Service, control access to your account, and to manage your account and keep it in working order | · Name · Email address · Personal Identity number if you choose BankID to create your account · Confirmation that you agreed to Terms of Service · Your choice of consenting or denying to your pseudonymised data being used for research
| Performance of a Contract | For the duration of your continuous use of the Braive Service, as we need to keep this data for you to be able to continue your use of Braive.
|
To communicate with you, when you fill in a contact form, survey, or similar on the Braive Service | · The personal data you provide in contact form (e.g. name, contact details) | Legitimate interest Interest pursued: to communicate with you to offer our services and otherwise attempt to answer your questions. | For the duration of your continuous use of the Braive Service |
To provide you with all program and toolbox tools of the Braive Service
| · The personal data you choose to provide in the programs and tools, such as journal and sleep data. | Consent (If you do not consent do not enter data!) | For the duration of your continuous use of the Braive Service |
To allow you to control certain aspects of the Braive Service, such as user settings, notifications, language, therapist etc., in your user settings | · Name · Email address · Language · Therapist that you are connected to | Legitimate interest Interest pursued: to allow you use the Braive Service as intended and expected. | For the duration of your continuous use of the Braive Service |
Automatic registration | |||
1) Monitoring of the technical function and to increase the operational security of our web service. 2. Delivery and provision of the website |
Log data on your use of the Braive Service and functions, including: · date, time, log-in history · URL information · online identifiers such as cookie data and IP addresses · information about the devices you use such as: network and device performance, browser type, language setting on device, operating system, Braive application version | Legitimate interest Interest pursued: economic interest in safe and functioning operation of the technical systems through which services are provided. | 30 days |
To anonymise and create statistics: To develop new technical features in and for the Braive Service To understand user behaviour and needs. We may identify and analyse usage trends, including for the purposes of research, and reporting on a non-individual basis. This may include creation of graphs with demographic information and psychometric test results on group levels, derived from Mental Health Check surveys and treatment progress- and outcome data
| Log data on your use of the Braive Service and functions, including: · User ID · date, time, log-in history · URL information · online identifiers such as cookie data and IP addresses · information about the devices you use such as: network and device performance, browser type, language setting on device, operating system, Braive application version | Legitimate interest Interest pursued: user centred and valuable development of the Braive Service | 1 day |
Your activity generated results | |||
To evaluate and develop suggested therapeutic interventions Completing the Mental Health Check | · User ID · Result of the Mental Health Check (severity level, and symptoms showing) | Consent | 1 day |
Information from other sources | |||
To authenticate you when you register for, and log into the Braive Service using BankID, that service will send your information to us. This information is needed to create and identify your account with us through BankID. | · Name · Personal identification number | Performance of a Contract | For the duration of your continuous use of the Braive Service, unless you choose another login method, in which case the personal identification number will be deleted immediately. |
The following personal data may be processed when you are a Guided User.
Purpose | Processed personal data (categories) | Legal basis | Data retention |
Personal Data you provide to us | |||
To allow you to register for, log into the Braive Service, control access to your account, and to manage your account and keep it in working order | · Name · Email address · Personal Identity number if you choose BankID to create your account · Confirmation that you agreed to Terms of Service · Your choice of consenting or denying to your pseudonymised data being used for research
| Performance of a Contract | For the duration of your continuous use of the Braive Service, as we need to keep this data for you to be able to continue your use of Braive.
|
To communicate with you, when you fill in a contact form or similar on the Braive Service | · The personal data you provide in contact form (e.g. name, contact details) | Legitimate interest Interest pursued: to communicate with you to offer our services and otherwise attempt to answer your questions. | For the duration of your continuous use of the Braive Service |
To provide you with all program and toolbox tools of the Braive Service
| · The personal data you choose to provide in the programs and tools, such as journal and sleep data. | Consent (If you do not consent do not enter data!) | For the duration of your continuous use of the Braive Service |
To allow you to control certain aspects of the Braive Service, such as user settings, notifications, language, therapist etc., in your user settings | · Name · Email address · Language · Therapist that you are connected to | Legitimate interest Interest pursued: to allow you use the Braive Service as intended and expected. | For the duration of your continuous use of the Braive Service |
Automatic registration | |||
1) Monitoring of the technical function and to increase the operational security of our web service. 2. Delivery and provision of the website |
Log data on your use of the Braive Service and functions, including: · date, time, log-in history · URL information · online identifiers such as cookie data and IP addresses · information about the devices you use such as: network and device performance, browser type, language setting on device, operating system, Braive application version | Legitimate interest. Interest pursued: economic interest in safe and functioning operation of the technical systems through which services are provided. | 30 days |
To anonymise and create statistics: To develop new technical features in and for the Braive Service To understand user behaviour and needs. We may identify and analyse usage trends, including for the purposes of research, and reporting on a non-individual basis. This may include creation of graphs with demographic information and psychometric test results on group levels, derived from Mental Health Check surveys and treatment progress- and outcome data
| Log data on your use of the Braive Service and functions, including: · User ID · date, time, log-in history · URL information · online identifiers such as cookie data and IP addresses · information about the devices you use such as: network and device performance, browser type, language setting on device, operating system, Braive application version | Legitimate interest Interest pursued: user centred and valuable development of the Braive Service | 1 day |
To enable user-to-therapist communications (if you give your approval to this when using specific features of our Service) | User ID Email during invitation state | Consent | Email stored for 14 days |
Your activity generated results | |||
To create a summary of a session with a therapist for use by you and/or the therapist | Voice Data | Consent (when you consent to audio recording, transcribing and summary of a video call with your therapist) | The voice data will be briefly processed by us, and deleted after the transcription is in place. Braive will use the text transcription of the recorded call to assist the therapist and you by summarising the content of the call with help of AI-models hosted on Braive’s servers. The main types of summaries completed, after your call has been transcribed, are; 1) draft summaries to assist your therapist in the clinical documentation a Health Care Provider is obliged to complete under the Patient Data Laws, as well as 2) to provide the therapist with a draft for a summary about the content of your call including key topics discussed, as well as agreed upon goals and plans for the successive treatment which the therapist will share with you. |
Information from other sources | |||
To enable creation of an account and connection with your Health Care provider and your therapist, in those cases your Health Care provider or Partner Entity has an API setup with the Braive Service. It is always the Health Care Provider/Partner Entity who invites you to be a guided user in Braive. In those cases there is an API set up between the Partner Entity/Health Care provider and Braive, Braive can receive some information from another system of the Partner Entity/Health Care provider, such as email, to be able to send an invite to you.
| Legitimate interest Interest pursued: to allow you use the Braive Service as intended and expected. | 14 days (after this, the invitation will expire, and this sent data will be deleted) |
Braive is always the data processor for the therapists, by processing the information of a therapist employed by a Health Care Provider with an agreement with Braive, in accordance with the contract between the Health Care Provider and Braive.
This section sets out who may receive your personal data that is processed through use of the Braive Service.
We share the following personal data in the Braive Service with your therapist:
When you as a Guided User have a therapist, the therapist is typically an employee, or contractor, of a company, public body, or other legal Entity that, due to the services provided by your therapist thereby is deemed a Health Care Provider.
Subject to your consent, we may share pseudonymised data to researchers for research purposes.
Your personal data may also be shared with IT service provider that process personal data on our behalf (so called processors), that provide and operate the technical infrastructure, including cloud services, that Braive uses for its operations and thereto related development and support services, all so such service providers can provide services to Braive.
We would specifically like to point to the following service providers as examples:
As a principle rule, we, our suppliers and our partners only process your personal data within the EU/EEA. In cases where personal data is processed outside the EU/EEA, such processing is either based on a decision from the EU Commission establishing that the country in question ensures an adequate level of protection or appropriate safeguards that ensure that your rights are protected.
We use the following safeguards, unless the EU Commission establish that the country in question ensures an adequate level of protection:
You can exercise your rights under the Standard Contractual Clauses by contacting us or the third party who processes your personal data.
We’re committed to protecting our users’ personal data. We do our best to put in place appropriate technical and organisational measures to help protect the security of your personal data. However, be aware that no system is ever completely secure.
We have put various safeguards in place to guard against unauthorised access and unnecessary retention of personal data in our systems. These include pseudonymisation, encryption, access, and retention policies.
To protect your user account, we encourage you to:
If other individuals have access to your Braive account, then they can access personal data, controls and the Braive Service available in your account. For example, you might have allowed someone to use your account on a shared device.
It’s your responsibility to only allow individuals to use your account where you’re comfortable sharing this personal data with them.
Below follows a description of the rights you have in relation to our processing of your personal data. You are welcome to contact us to exercise your rights (see contact information below).
Right to access: You are entitled to request information about the personal data we process about you and how the personal data is being processed. You also have the right to request a copy of the personal data we process about you.
Right to rectification: You have the right to have inaccurate information corrected and the right to have incomplete personal data completed. You can edit your profile data in your user settings and you can delete or change notes you have made in activities in the Braive Service.
Right to erasure (right to be forgotten): You have the right to deletion of your personal data. This right applies in the following circumstances:
– The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
– You withdraw your consent on which the processing is based on and we have no other legal basis for the processing.
– You object to the processing and there are no overriding legitimate grounds for the processing.
– The personal data have been unlawfully processed.
– The personal data must be erased for compliance with a legal obligation.
Contact us via our support and ask us to have your account erased. Please note if you make the request for your account to be erased, Braive will complete a full erasure of the account, meaning all data Braive has connected to your account will be erased and that this action is irreversible.
Right to restriction of processing: You have the right to have processing restricted in certain circumstances, such as the accuracy of the personal data is contested or you have objected to processing pending the verification whether the legitimate grounds for processing override your objection.
Right to object to processing:
(i) You may object to our processing of your personal data for marketing purposes. We will then cease to process your personal data for such purpose.
(ii) You have the right to at any time object to the processing of your personal data that we process on the legitimate interest legal basis on grounds relating to your particular situation.
We may then no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of yours or for the establishment, exercise or defence of legal claims.
Right to data portability: To the extent we base our processing on consent as legal basis as well as when the legal basis for processing is to fulfil an agreement with you, you have the right to obtain personal data you have provided us with in a structured, commonly used and machine-readable format and have the right to transmit such to another controller, or get our assistance to transmit the data to another controller when technically feasible.
Right to submit a complaint to supervisory authorities: If you have any complaints regarding our processing of your personal data, you have the right to make a complaint to the supervisory authorities. For Braive AB it is the Swedish Authority for Privacy Protection (IMY) (www.imy.se) and for Braive AS it is the Norwegian Data Protection Authority (Datatilsynet) (https://www.datatilsynet.no/en/).
Right to withdraw your consent: You may at any time withdraw a consent you have given us, either as a whole or partly.
If you are under 16 years of age you can only use the Braive Service if your parents/guardians have approved the use and consented to processing of your personal data. If you are under the age of 16 do not use the Braive Service before contacting us so that we can secure your parents/guardians approval and consent
If you are between 16 and 18 Braive may require that your parents/guardians approve and consent to your use of the Braive Service.
If you’re a parent of a child under the Age Limit and become aware that your child has provided personal data to Braive, contact us.
If you are a parent of a person under 18 and discover your child has an account with Braive you may contact us for a discussion on how to proceed.
If we learn that a user is under 16 or between 16 and 18 we reserve the right to delete the relevant Braive account and delete any data related thereto.
We may occasionally make changes to this Privacy Statement.
When we make changes to this Privacy Statement, we’ll provide you with notice as appropriate under the circumstances. For example, we may display a prominent notice within the Braive Service or send you an email or device notification.
If you would like to contact us with regards to our processing of your personal data, you are welcome to contact us, Braive AS and Braive AB, through the contact details found on our contact page: https://braive.com/contact-us/ .
You can also contact our appointed Data Protection Officer: Henrik Haaland Jahren [email protected].
© All rights reserved 2024 Braive AS