Personal data processing principles

We are Hedepy s.r.o., a limited liability company with ID: 09206281, VAT ID: CZ09206281, having its registered office at V tišině 474/3, Bubeneč, 160 00 Prague, the Czech Republic, e-mail: podpora@hedepy.cz, registered in the Czech Commercial Register maintained by the Municipal Court in Prague under file no. C 332559 (“Hedepy” or “we”). We operate a platform available at www.hedepy.cz (the “Website”). Via the Website, clients may book a session with a therapist. Therapists may use the Website in order to connect with clients. Visitors may visit the Website and browse information about mental health. We have prepared this Privacy Policy in order to inform all of them how we process their data.

To sum up, for the purposes of this Privacy Policy:

  • client is a person who uses the Website for booking and taking sessions with therapists;
  • therapist is an entrepreneur using the Website in order to connect with their clients;
  • visitor is a user who browses the Website.

We process their personal data in accordance with the applicable laws, in particular, the Regulation (EU) No 2016/679 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and the free movement of such data and the repeal of Directive 95/46/EC (General Data Protection Regulation) (the “Regulation”).

Why do we process your data as a data controller?

We are the data controller of your personal data, which means that we decide the purposes and methods of processing personal data.

We will process your personal data for the purposes set out below and for the below stated processing period.

We would like to assure you that, while processing your personal data, we do not use any automatic individual decision-making on the part of Hedepy within the meaning of Article 22 of the Regulation. This means situations where the processing of personal data takes place exclusively automatically (without human intervention) and has legal consequences for you, e.g., through automatic information systems, web programs and other software.

 

A. Clients. If you book and take a session via the Platform as a client:

We process the following data:

  • Your contact details: first and last name (if provided), phone number and e-mail address;
  • Billing and banking details (if you pay for the session by yourself): personal data appearing in invoices, information about payments and their status, information on the method of payment;
  • Other information about you: other information and personal data related to the contract we enter into together and the communication with each other;
  • Information about your feedback to the therapists;
  • Information about the evaluation of therapists if you provide it;
  • Information from the booking system – session dates, cancellation of sessions, communication between clients and therapists (except the therapy sessions or chat consultation itself), results from self-assessment tests available via the Website, etc.;
  • Information about your employer if you use our services as an employee benefit.

For the avoidance of doubt, we would like to point out that:

(a) Hedepy does not have access to videoconferencing with your therapist, nor do we receive any information about you from the therapist, only confirmation that the session has taken place/has not taken place (therefore only your therapist is the controller of the personal data provided during the session); and

(b) Hedepy does not have access to your credit card information if you pay any amount via the Website (the administrator is ComGate Payments a.s. or Stripe, Inc.) – we only get information about whether the payment has been made/not been made.

Depending on whether you order the services for yourself or draw them as an employee benefit, Hedepy may be the provider or agent of the services offered (consultations) – you can find more information in the client’s terms and conditions available on the Website. However, in the context of processing of personal data, Hedepy and the individual therapist are always the independent controllers of your personal data related to the provision of services; the only difference is whether we register your employer (for the purpose of verifying your e-mail address) and whether we register documents for your payments in the accounting records.

As we mentioned above, Hedepy, as a personal data controller, does not process any of the client’s sensitive data, e.g., information about your health or recommended sessions, sexual orientation or treatment. The relationship between you as the client and the therapist is a confidential relationship and all sensitive information is processed/may only be processed by the therapist, who is bound by the Code of the European Association of Psychotherapists as well as by strict contractual confidentiality. In the event that you and the therapist decide to record the session, our company does not and will not have access to the recording.

We process your data as described in this table:

| Legal basis of the processing | Purpose of processing | Period of data processing | Data processed |
|---|---|---|---|
| CONTRACT. Performance of a contract or pre-contractual negotiations. GDPR Article 6 (1) b) | Providing of our services, arranging of the agreement with the therapist | Unless otherwise specified below, we will only process data about you in the reservation system for as long as you have an active client account. We will automatically delete your personal data 3 years after your last login to the account. In this case, your account will be erased. Of course, at your request, we will delete the account at any time immediately. | For this purpose, we process the following data specified above: your contact details; billing and payment details; information from the booking system; information about your employer if you use our services as an employee benefit |
| LEGAL REGULATIONS. It is our legal obligation. GDPR Article 6 (1) c) | Compliance with all our legal obligations (e.g. obligations under accounting or tax legislation) | For the duration of the relevant legal obligation, for example, some personal data relating to tax matters must be retained for 10 years. | For this purpose, we process the following data specified above: your contact details; billing and payment details; other information. |
| LEGITIMATE INTEREST. It is our legitimate interest. GDPR Article 6 (1) f) | Enforcing contractual claims and legal obligations | We may process your personal data that we may need to defend our legal claims for a time that corresponds to the longest possible limitation period provided for by law | For this purpose, we process the following data specified above: your contact details; billing and payment details; other information; information about our communication and feedback; information about evaluation of therapists if you provide it; information from the booking system; information about your employer if you use our services as an employee benefit; information about your visit to the Website |
| LEGITIMATE INTEREST. It is our legitimate interest. GDPR Article 6 (1) f) | Improving the quality of our services, including surveying your satisfaction with our services and therapists | We process your data as long as you have an active client account. We will automatically delete your personal data 3 years after your last login to the account. In this case, your account will be erased. | For this purpose, we process the following data specified above: your contact details; other information; information about our communication and feedback; information about evaluation of therapists if you provide it; information from the booking system; information about your employer if you use our services as an employee benefit; information about your visit to the Website |
| LEGITIMATE INTEREST. It is our legitimate interest. GDPR Article 6 (1) f) | Direct marketing | We may send you our newsletters for 3 years since your last session, or until you object to this processing, e.g. by unsubscribing from our commercial communications | For this purpose, we process the following data specified above: contact details |

B. Therapists. If you use the Website as a therapist:

We process the following data:

  • Your contact details: first and last name, phone number and e-mail address;
  • Billing and banking details: personal data appearing in invoices, information about payments received or issued, information on the method of payment;
  • Your education and experience: personal data regarding your degree and other education, information about the duration of your practice;
  • Other information: other information and personal data related to the contract we enter into together and the communications with each other;
  • Information from the booking system – session dates, cancellation of sessions, communication between clients and therapists (except the therapy sessions or chat consultation itself), etc.

| Legal basis of the processing | Purpose of processing | Period of data processing | Data processed |
|---|---|---|---|
| CONTRACT. Performance of a contract or pre-contractual negotiations. GDPR Article 6 (1) b) | Providing of our services, arranging of the agreement with the client | Unless otherwise specified below, if you are a therapist active on the Website, we will only process data about you for the duration of our cooperation agreement. | For this purpose, we process the following data specified above: your contact details; billing and banking details; other information; information from the booking system |
| LEGAL REGULATIONS. It is our legal obligation. GDPR Article 6 (1) c) | Compliance with all our legal obligations (e.g. obligations under accounting or tax legislation) | For the duration of the relevant legal obligation, for example, some personal data relating to tax matters must be retained for 10 years | For this purpose, we process the following data specified above: your contact details; billing and banking details; other information |
| LEGITIMATE INTEREST. It is our legitimate interest. GDPR Article 6 (1) f) | Enforcing contractual claims and legal obligations | We may process your personal data that we may need to defend our legal claims for a time that corresponds to the longest possible limitation period provided for by law | For this purpose, we process the following data specified above: your contact details; billing and banking details; information about your visit to the Website |
| LEGITIMATE INTEREST. It is our legitimate interest. GDPR Article 6 (1) f) | Direct marketing | We may send you our newsletters for 3 years since your last consultation with the client, or until you object to this processing, e.g. by unsubscribing from our commercial communications | For this purpose, we process the following data specified above: contact details |

C. Visitors. If you visit the Website without registration:

We process the following data:

  • Your contact details: email;
  • Information about your visit to the Website in accordance with our Cookie Policy.

| Legal basis of the processing | Purpose of processing | Period of data processing | Data processed |
|---|---|---|---|
| CONSENT. You grant us consent to process your data. GDPR Article 6 (1) a) | Sending marketing information (e.g. newsletter) if you grant us consent to the processing of data for this purpose | We may send you our newsletters for 3 years or until you express your opposition to such processing, e.g. by unsubscribing from our commercial communications | For this purpose, we process the following data specified above: contact details. |
| MISCELLANEOUS. You may find more information in our cookie policy | The use of cookies for the purposes of analysis, statistics, advertising or even evaluation of the services provided | You may find more information in our cookie policy | You may find more information in our cookie policy |

To whom do we pass on your personal data?

We use the services of Twilio Inc. to ensure a secure connection between the client and the therapist. Our company has chosen an American company for its high system security and its high standard when it comes to data protection, fully in accordance with the Regulation. Twilio Inc. has joined the DPF Program enforced by the U.S. Federal Trade Commission and the U.S. Department of Transportation. By joining this program Twilio Inc. accepted the strict conditions for the processing of personal data under the Regulation and undertook to comply with them. You may check that Twilio Inc. joined the program here.

Furthermore, the payment for individual sessions is organized by ComGate Payments a.s. and Stripe, Inc., which are the controllers of your personal data and only forward to our company information on whether the payment was made or did not go through. They do not pass on any of your payment data to us.

As part of Hedepy’s activities, other entities also help us with the processing of personal data, especially in the field of IT support, cloud storage management or web hosting management. Specifically, we cooperate with the following entities:

  • Google Ireland Ltd, which is the operator of your Google Account, which you can also use to register for the Website; Google also helps us to process cookies. You may find more information about how Google processes your personal data here;
  • Meta Platforms Inc., which operates the social network Facebook and through which you can also register to the Website. Meta Platforms also helps us to process cookies. Information on how Meta Platforms processes your personal data can be found here;
  • Formagrid Inc., with its registered office at 799 Market St Fl 8 San Francisco, CA 94103, the United States of America, which runs the platform Airtable, which we use for improving our workflow;
  • TYPEFORM SL, with its registered office at C/ Can Rabia 3-5, 4th floor, 08017 – Barcelona, Spain which runs the platform Typeform we use for work with data;
  • Freshworks Inc., with its registered office at San Mateo, 2950 S Delaware St Suite 201, the United States of America, which runs the platform Freshdesk we use to improve our customer support;
  • airSlate Inc., with its registered office at 2901 West Coast Highway Newport Beach, CA 92663, the United States of America, which runs the platform SignNow for online signing of documents;
  • Celonis, Inc., with its registered office at One World Trade Center 87th Floor New York, NY 10007, the United States of America, which runs the platform Make, which we use to keep up with our tasks and workflow;
  • SendPulse Inc., with its registered office at 119 W 24th St Fl 4, New York City, New York, 10011, the United States of America, and Mailgun Technologies Inc, with its registered office at 12 E Pecan St.#1135 San Antonio Texas 78205, the United States of America, which help us with sending our newsletters;
  • DigitalOcean Holdings, Inc., with its registered office at 101 Avenue of the Americas 10th Floor New York, NY 10013, the United States of America, which provides us with cloud solution;
  • ABRA Software a.s., with its registered office at Jeremiášova 1422/7b, Stodůlky, 155 00 Praha 5, the Czech Republic, which provides us with enterprise resource planning (ERP) systems;
  • UnicornsLab s.r.o., with its registered office at Skřivanova 334/4, Ponava, 602 00 Brno, the Czech Republic, which manages our online campaigns; 
  • LCG New Media s.r.o., with its registered office at Pernerova 659/31a, Karlín, 186 00 Praha 8, the Czech Republic which helps us with our marketing activities.

We recommend that you familiarize yourself with the privacy policy before you first connect to a session.

If your employer enables you to use Hedepy, we would like to assure you that we do not pass on any of your personal data to your employer, only aggregated data about the total number of sessions and the total nominal value of the sessions claimed.

Naturally, your therapist also has access to your personal data and is a sole controller of your data.

How do we protect your personal data?

Our company emphasizes the confidentiality of consultations and the security of your data. We have adopted a high standard of security requirements for systems and cooperating persons. The main measures include:

  • High-level requirements for therapists and their professionalism, including requirements for securing information about you specified in the contract we enter into with therapists;
  • Organizational and technical measures to secure the reservation system and videoconferencing such as verification, anonymization, authorized access only, server security, monitoring, SLAs;
  • Minimization of the data processed and persons with access to the data;
  • Confidentiality of all the persons who have access to the reservation system.

What are your rights?

Right to lodge a complaint: If you believe that, despite our best efforts, we are in breach of data protection legislation, you have the possibility to contact the Czech Office for Personal Data Protection, www.uoou.cz, tel. +420 234 665 111, Pplk. Sochora 27, Praha 7, zip code 170 00, the Czech Republic.

Furthermore, you also have the following rights:

  1. In particular, you have the right to seek information: you can ask us, if applicable, what personal data we process and anything related to your personal data that is not already answered above.
  2. Right to rectification/replenishment: If your email, phone or name has changed, please contact us at the contact below and we will be happy to correct or complete your contact details.
  3. Right of objection to processing: If you believe that we are processing personal data in violation of the protection of your personal data and the statutory conditions of protection of personal data, you can request an explanation or request that we remedy the situation thus created; in particular, you may request the blocking of personal data or the destruction of personal data.
  4. Right of transmission: you can ask us and we will send you a statement of your personal data in electronic form.
  5. Right to erasure: You may request the erasure of your personal data at any time. We will be happy to comply with your request if there are no legal grounds for further processing.

And where can you exercise these rights?

We are happy to be in contact with you and try to resolve your complaints and requests as quickly as possible.

You can contact us by e-mail at podpora@hedepy.cz or at our address listed in the header. We are also available on +420 772 123 001 and via online chat at https://hedepy.cz/.

This privacy policy takes effect on 1 January 2024.