Status: February 2021
With the following data protection declaration, we want to inform you about the processing of your personal data when you visit our website https://my7steps.org and use the My7steps platform. In addition, we are obliged to provide the following notice:
The use of this platform takes place in a potentially insecure environment. Digital health applications such as this are associated with security risks that cannot be fully addressed by the manufacturer of the digital health application.
This being said, we would like to inform you as follows:
1. Name and contact details of the data controller and the company data protection officer.
Responsible for data processing is:
Ipso Healthcare GmbH
(hereinafter referred to as “We”)
2. Name and contact details of the data protection officer
You can reach our data protection officer at the address mentioned in 1.,
for the attention of the data protection officer,
or by e-mail firstname.lastname@example.org.
3. Collection, storage and deletion of personal data as well as type and purpose of their use
a) When visiting the website:
When you call up our website https://my7steps.org, information is automatically sent to the server of our website by the browser used on your end device. This information is temporarily stored in a so-called log file. The following information is collected without your intervention and stored until automatic deletion:
- IP address of the requesting computer,
- Date and time of access,
- name and URL of the file accessed,
- website from which access was made (referrer URL),
- the browser used and, if applicable, the operating system of your computer as well as the name of your access provider.
The aforementioned data is processed by us for the following purposes:
- Ensuring a smooth connection set-up of the website,
- Ensuring a comfortable use of our website,
- evaluating system security and stability, and
- for other administrative purposes.
The legal basis for the data processing is Art. 6 para. 1 p. 1 lit. f GDPR (General Data Protection Regulation). Our legitimate interest follows from the data collection purposes listed above. In no case do we use the collected data for the purpose of drawing conclusions about your person.
b) Registration to use the platform
In order for you to be able to use the platform to its full extent, we must ensure that you meet certain requirements. We ask for these before the actual registration process. We store the answers temporarily (until you leave the website) in association with your IP address. The legal basis for this processing is your voluntarily given consent according to Art. 9 para. 2 lit. a in conjunction with Art. 6 para. 1 p. 1 lit. a GDPR, which you grant by clicking on the corresponding checkbox (“GDPR consent”).
If you meet the access requirements, you will need a user account. In order to be able to create such an account for you, we need the following information (“user data”):
- A valid telephone number and/or a valid email address,
- Your name,
- Your native language,
- the time zone in which you are located;
- Your gender,
- Your country of residence,
- A password chosen by you.
In addition, we require details of the billing method you wish to use (“billing details”), if you choose a paid package. This includes the following details:
- First name, last name,
- House number,
If billing via your health insurance is possible, we need information on whether you are privately or statutorily insured, or whether you would like to pay for the treatment yourself, as well as the name of your health insurance company, if applicable.
- The name of your health insurance company,
- Your insurance number,
- Your date of birth,
- A prescription ID,
- Your payment information.
All information is stored in your user account and processed exclusively for the provision of the platform. We process your billing data exclusively for billing with your health insurance company or with you as a self-payer (see below, point 4.).
The legal basis for the processing is Art. 9 para. 2 lit. h) in conjunction with Art. 6 para. 1 lit. b) GDPR, § 22 para. 1 no. 1 lit. b BDSG (Federal Data Protection Act). The processing of your data to create a user account is necessary to fulfil the treatment contract with you.
c) When using the platform
As a registered user, you will receive access to the platform via our website. In order for you to be able to log in to the platform (“login”), we process the date and time of your login in addition to your access data (depending on which variant you choose: telephone number, email address, your activation code if applicable, as well as your PIN code).
On the platform, you have the opportunity to answer questions about your state of mind, for example, via a question catalogue. The results are saved to your user profile and processed by our counsellors according to the treatment order (see section 4.). In your profile, under the menu item “Account settings”, you have the possibility to view or change your personal details at any time.
The legal basis for the processing is Art. 9 para. 2 lit. h) in conjunction with Art. 6 para. 1 lit. b) GDPR, § 22 para. 1 no. 1 lit. b BDSG. The processing of your data to create a user account is necessary to fulfil the treatment contract with you.
d) When arranging a callback (info call).
You have the possibility to arrange a call-back request via our website. In order to be able to guarantee a callback, we need the following information from you:
- Day and time of the callback,
- Callback number,
- Your language preference for the information call.
We request this data with the callback request form. We process your answers to handle your request. The legal basis for this processing is your voluntarily given consent in accordance with Art. 9 para. 2 lit. a in conjunction with Art. 6 para. 1 p. 1 lit. a GDPR, which you grant by clicking on the corresponding checkbox (“GDPR consent”).
e) When contacting us
You have the option of contacting us via our website. In order to process your request, we need the following information from you:
- E-mail address,
- Reason for your enquiry,
- Comment or message,
- Browser, if applicable,
- Error message, if applicable.
We request this data with the contact form. We process your answers exclusively for the purpose of processing your enquiry. The legal basis for this processing is your voluntarily given consent pursuant to Art. 9 para. 2 lit. a in conjunction with Art. 6 para. 1 p. 1 lit. a GDPR, which you grant by clicking on the corresponding checkbox (“GDPR consent”).
f) Deletion of data:
As a matter of principle, your data stored with us will only be stored for as long as it is needed to process the corresponding enquiries. After that, we delete the data immediately. We only deviate from this in exceptional cases, insofar as legal retention periods exist; for example, within the scope of civil law claims.
4. Passing on of data:
a) Passing on data to the counsellor.
Within the framework of the treatment contract, it is sometimes necessary to pass on some of your data to the counsellor looking after you. These are exclusively trained psychological professionals. They are all subject to professional secrecy and are obliged to maintain confidentiality about your affairs. Your data will only be passed on to your personal counsellor. You will find his or her name in your user account.
In detail, all data required for treatment will be passed on to your counsellor. In particular, this includes the following information:
- Your name,
- Your gender,
- Your date of birth,
- The telephone number stored in the user account,
- The e-mail address stored in the user account,
- The language in which you would like to be treated,
- Your previous answers to the questions asked on the platform.
The legal basis for the transfer of your data to your counsellor is Art. 9 para. 2 lit. h) in conjunction with Art. 6 para. 1 lit. b) GDPR, § 22 para. 1 no. 1 lit. b BDSG.
b) Disclosure of data to payment service providers (self-payers):
If you conclude a fee-based contract as a self-payer, we offer you payment via Mollie. The provider of this payment service is Mollie B.V., Keizersgracht 313, 1016 EE Amsterdam, The Netherlands (hereinafter “Mollie”). If you select payment via Mollie, the payment data you enter will be transmitted to Mollie as well as to the correspondingly selected payment provider (SOFORT Überweisung, Giropay, PayPal, credit card provider Visa, Mastercard).
The legal basis for the transfer of your data to Mollie is based on Art. 6 para. 1 lit. a) GDPR (consent) and Art. 6 para. 1 lit. b) GDPR (processing for the performance of a contract). You have the option to revoke your consent to data processing at any time. A revocation does not affect the validity of past data processing operations.
c) Passing on data to health insurance companies
In order to bill your health insurance for your treatment costs, it may be necessary to pass on some billing and user data to your health insurance company. The transfer of the data required for this purpose is strictly in accordance with Art. 9 para. 2 lit. h) in conjunction with Art. 6 para. 1 lit. b) GDPR, § 22 para. 1 no. 1 lit. b BDSG and §§ 294 ff. SGB V. Sections 294 ff. of the German Social Code, Book V (SGB V) regulate which data we are required to transmit.
Within this framework, we transmit your data exclusively to your health insurance company. For this purpose, we use the information you have entered in your user account. You can therefore see from your user account which health insurance company your data may be transferred to.
Your personal data will not be transferred to third parties for purposes other than those mentioned. Data will only be passed on to third parties if:
- you have given your express consent in accordance with Art. 6 para. 1 p. 1 lit. a GDPR,
- the disclosure is necessary for the assertion, exercise or defence of legal claims in accordance with Art. 6 para. 1 sentence 1 lit. f GDPR and there is no reason to assume that you have an overriding interest worthy of protection in the non-disclosure of your data,
- in the event that there is a legal obligation to disclose your data pursuant to Art. 6 para. 1 sentence 1 lit. c GDPR, as well as
- this is legally permissible and necessary according to Art. 6 para. 1 p. 1 lit. b GDPR for the processing of contractual relationships with you.
These are primarily so-called session cookies, with the help of which it is registered that you have already visited individual pages of our website. These are automatically deleted after you leave our site. In detail, the following cookies are used on our website:
| Name of the cookie | Duration of function | Third party access | Intended use |
|---|---|---|---|
| Session-ID | Session cookie | no | Identification of the logged-in user |
Most browsers accept cookies automatically. You can configure your browser so that no cookies are stored on your computer or so that a message always appears before a new cookie is created. However, the complete deactivation of cookies may mean that you cannot use all the functions of our website.
The tracking measures listed below and used by us are carried out on the website on the basis of Art. 6 (1) p. 1 lit. f) GDPR. No tracking measures are carried out when using the platform.
With the tracking measures used, we want, on the one hand, to ensure a needs-based design and the ongoing optimisation of our website. On the other hand, we use the tracking measures to statistically record the use of our website and to evaluate it for the purpose of optimising our offer for you. These interests are to be regarded as legitimate within the meaning of the aforementioned provision.
The respective data processing purposes and data categories can be found in the corresponding tracking tools.
We use the open source software Matomo to analyse and statistically evaluate the use of the website. No cookies are used for this purpose (see section 5). The information is used to evaluate the use of the website and to enable us to design our website in line with requirements. The information is not passed on to third parties.
Under no circumstances will the IP address be linked to other data relating to the user. The IP addresses are anonymised so that an allocation is not possible (IP masking).
In the following, you can use the tracking opt-out option of Matomo to prevent the analysis of your actions performed on this website.
7. Data Subject Rights:
You have the right:
- In accordance with Art. 15 GDPR, to request information about your personal data processed by us. In particular, you can request information about the processing purposes, the category of personal data, the categories of recipients to whom your data has been or will be disclosed, the planned storage period, the existence of a right to rectification, erasure, restriction of processing or objection, the existence of a right of complaint, the origin of your data if it has not been collected by us, as well as the existence of automated decision-making, including profiling, and, if applicable, meaningful information about its details;
- In accordance with Art. 16 GDPR, to demand the immediate correction of inaccurate or incomplete personal data stored by us;
- In accordance with Article 17 of the Regulation, to request the erasure of your personal data stored by us, unless the processing is necessary for the exercise of the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest, or for the establishment, exercise or defence of legal claims;
- In accordance with Art. 18 GDPR, to request the restriction of the processing of your personal data, insofar as the accuracy of the data is disputed by you, the processing is unlawful, but you object to its erasure and we no longer require the data, but you need it for the assertion, exercise or defence of legal claims or you have objected to the processing in accordance with Art. 21 GDPR;
- In accordance with Art. 20 GDPR, to receive your personal data that you have provided to us in a structured, common and machine-readable format or to request that it be transferred to another controller;
- In accordance with Art. 7 (3) GDPR, to revoke your consent at any time. This has the consequence that we may no longer continue the data processing based on this consent in the future; and
- In accordance with Art. 77 GDPR, to complain to a supervisory authority. As a rule, you can contact the supervisory authority of your usual place of residence or workplace or our registered office for this purpose.
9. Right of objection:
Insofar as your personal data is processed on the basis of legitimate interests pursuant to Art. 6 (1) p. 1 lit. f GDPR, you have the right to object to the processing of your personal data pursuant to Art. 21 GDPR, insofar as there are grounds for doing so that arise from your particular situation or the objection is directed against direct advertising. In the latter case, you have a general right of objection, which is implemented by us without specifying a particular situation. If you would like to make use of your right of revocation or objection, an email to email@example.com is sufficient.
10. Data security:
We use the widespread SSL procedure (Secure Sockets Layer) during your visit to my7steps.de. As a rule, this is a 256-bit encryption. If your browser does not support 256-bit encryption, we use 128-bit v3 technology instead. You can tell whether an individual page of our website is encrypted by the closed key or lock symbol in the status bar of your browser. We also use appropriate technical and organisational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction or against unauthorised access by third parties. Our security measures are continuously improved in line with technological developments.