I. Legal framework
II. Administrator details
III. The national body competent for the protection of the rights of individuals when processing their personal data
IV. Persons whose personal data we process
V. Purposes of personal data processing
VI. Grounds for the processing of personal data
VII. What information does DIGIBURN collect
VIII. Refusal of the subject to process his personal data
IX. Providing personal data to third parties
X. Measures for protection and access to personal data
XI. Terms for storage of personal data in DIGIBURN
XII. Rights of the person whose personal data we process
XIII. Changes to our privacy policy
Notification for Personal Data Processing
of customers and clients of Digiburn Jsc.
I. Legal framework
We hereby provide information within the meaning of Art. 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Regulation) on the processing of personal data of persons that are customers and clients of DIGIBURN Jsc.
The information has been prepared and is based on the Bulgarian legislation in force in the field of personal data protection, including the binding provisions of the European legislation with direct effect. The basic normative documents regulating the admissibility of processing, the conditions, forms and limits of processing, protection and your rights regarding personal data are the General Data Protection Regulation and the Personal Data Protection Act (PDPA), according to which personal data should:
- be lawfully processed, in good faith and in a transparent manner;
- be collected only for valid purposes, which we have clearly indicated, and not to be used in any other way that is incompatible with those purposes;
- be appropriate, relevant and limited to what is necessary for the purposes we have set out;
- be accurate and kept up-to-date;
- be stored for no longer than is necessary for the purposes we have specified;
- be properly protected.
II. Administrator details
DIGIBURN JSC. (the “Company”, “we”, “us”) is a commercial company registered in the Commercial Register at the Registry Agency with UIC 206260843, which collects, processes and stores your personal data under the terms of this Privacy Policy. The Company seat and headquarters’ address is at: Sofia 1202, Oborishte region, 47 “Bacho Kiro” Str.
The company is an administrator of personal data within the meaning of the General Regulation and the PDPA. The Data Protection Coordinator (DPC):
Georgi Natchev
tel.: +359 888 888 248
E-mail address: gdpr@digiburn.health
address: Sofia 1202, Oborishte District, 47, Bacho Kiro
III. The national body competent for the protection of the rights of individuals when processing their personal data
Control over the lawful processing of your personal data is exercised by the Commission for Personal Data Protection (CPDP) – an independent national body that performs the protection of individuals upon the processing of their personal data and upon the exercise of the right of access to this data, as well as overall control for compliance with the law applicable for this matter.
CPDP Address: Sofia 1592, 2 Prof. Tsvetan Lazarov Blvd.
CPDP’s Information and Contact Center – tel. 02 / 91-53-518,
E-mail: kzld@cpdp.bg
Website: www.cpdp.bg.
IV. Persons whose personal data we process
DIGIBURN collects and processes personal data of its customers that are related to the Digiburn Online Questionnaire and Digiburn-App.
The protection and confidentiality of your data is very important to us. We therefore only process your data to the extent that:
- it is necessary to provide the Digiburn services you are requesting,
- you have given your consent to the processing, or
- we are otherwise authorized to do so under the data protection laws.
V. Purposes of personal data processing
The personal data collected will be used by the Company only for the purposes it was collected for, unless according to a reasonable discretion they should be used for another reason, and that reason is compatible with the original purpose. If the personal data provided to us is to be used for another purpose, the Company will notify the data subject thereof and explain what the legal basis for such use is.
With respect to the persons referred to in item 4, the Company processes personal data for the following purposes:
- to provide the services mentioned in our General Terms and Conditions (Art. 1 GDPR). By providing us with your information, we can provide our services;
- we may transmit your health data in a completely anonymous form to universities, research bodies or private data research providers with which DIGIBURN cooperates in research;
- when necessary for our legitimate interests (or those of third parties) when prevailing over the interests of personal data subjects;
- for the purposes of security, protection of the Company human resources and property, monitoring and control over the access of employees and third persons in the buildings and premises used by the Company in connection with its activity, as well as the premises where money and valuables are operated with, cashier premises. The company does not use automated decision-making processes, including profiling within the meaning of the Regulation.
VI. Grounds for the processing of personal data
According to the purpose of the personal data processing the grounds may be different or more than one, but the Company processes the personal data of data subjects in a lawful and transparent manner:
- on the basis of contractual and / or precontractual relations;
- on the grounds of the legitimate interests of the Company, which reasonably prevail over the interests of the data subject;
- on the basis of a legal obligation of the Company;
- consent of the data subject – only in cases where we cannot rely on the legal grounds under items 6.1. – 6.3, for example, if there is a need for further processing for purposes other than those specified in this Information, we will notify you and, where necessary, obtain your consent. Where the lawfulness of the personal data processing is presumed by your consent, you may at any time terminate such processing by notifying us. In this case, we will immediately suspend the processing for which you have withdrawn your consent, and the Company will limit the use of your personal data to the limits specified by the grounds in items 6.1 – 6.3.
VII. What information does DIGIBURN collect
As a matter of principle, DIGIBURN does not collect any data that allows direct identification of a person. To use the DIGIBURN app, the consumer does not have to enter any distinctly identifiable data about himself/herself (e.g., name, e-mail address or home address). However, if he/she uses the DIGIBURN app as part of online therapy (only available in Bulgaria) or creates an optional personal account (e.g., to regain access to old data when a smartphone is changed), the use of personal data is required.
- Personal data for the creation of an optional personal account
In order to create an optional personal account that allows you to easily access your history even when you change your smartphone, we collect and process the following personal data in the way you provide it to us:
- First Name
- Second name
- Nickname
- e-mail address
- Extended personal data while using Digiburn online therapy (this service and data fields are only available in Bulgaria)
- Postal address
- Insurance provider
- Insured person number
- Phone number
- Health-related data
We always separately obtain consent from you for the processing of your health data. You can give your consent to the processing of this data, by clicking on the respective button. Your consent will be logged by us.
Within the app, you can run through a 14-day screening phase to get an overall assessment of your mental health. During this screening, you will answer various questions and let the app know how you are feeling. Also, you can use further services, e.g., payment offers, which are described in more detail in our GTC. We collect, process, and use the following health data to be able to provide the services for you following our GTC:
- Data from the daily screening questions and further tags and notes
- Questions related to depressive symptoms
- Questions about other psychological and somatic complaints and symptoms
- Questions about your living conditions, leisure activities, and biography
- Evaluations of the above-mentioned data regarding severity and type of symptoms as well as correlations between answers based on psychological theories.
- Your entries on a scale of smileys with which you can regularly document your mood.
- Text-based note entries created by you, which are transmitted in encrypted form and stored with us.
- If you explicitly agree to this within the app, we store data from your Apple Health (iOS) or Google Fit (Android) application. These are primarily the number of steps per day and other indications of your physical activity. We use this data to provide our services within Digiburn, in particular, to report back to you any connections between psychological factors and your physical activity. Digiburn does not send data to Apple Health or Google Fit.
- Data from the psychological exercises
- Text-based entries for the exercises
- Voice-based recordings
- The photos you uploaded during the exercises.
- Technical Data
This is data that shows what hardware and software the customer is using to access the DIGIBURN app:
- Data about the mobile platform (iOS/Android)
- The version of the app
- Device model
- System version
- “Identifier for Advertising in Apple” for iOS devices
- “Advertising ID” for Android devices
- App usage data
This is data that shows how the customer uses the DIGIBURN app:
- How often was the app opened?
- Which areas were clicked in the app?
- App settings used (language settings, notifications)
- Feedback data (incl. e-mail service)
- How we process your data
We collect and store your personal, extended personal, health, technical, and app usage data while you use our app. Furthermore, we may transmit your health data in a completely anonymous form to universities, research bodies or private data research providers with which DIGIBURN cooperates in research.
VIII. Refusal of the subject to process his personal data
Any refusal to provide personal data may prevent us from fulfilling our obligations, complying with a legal requirement or protecting our legitimate interest in connection with the conclusion or performance of an employment or another equivalent agreement, and, therefore, such refusal may cause the non-conclusion or termination of an agreement.
You are not obliged to provide your personal data (Art. 13 GDPR). The use of our app and related services is voluntary. However, if you do not wish to provide us with the necessary data, we cannot provide the services specified in the GTC for you.
IX. Providing personal data to third parties
- We do not pass on your data to third parties, unless we are legally entitled or obliged to do so, or you have given us your consent.
- DIGIBURN may transmit customers’ health data in the context of research cooperation in a completely anonymous form to university partners, research bodies or private data research providers with which DIGIBURN cooperates in research.
- In the event that we process personal data in a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)) or have it processed (see also third-party tools as described in Section 7), this will be done in compliance with the relevant legal requirements. In these cases, we will always take appropriate measures to adequately secure your data (e.g. through standard contractual clauses).
- Digiburn sometimes commissions third-party providers to provide services for the analysis and evaluation of user behavior. We do this in order to constantly improve and further develop Digiburn. The information provided for this purpose is usually pseudonymized. If these service providers process personal data, we conclude an agreement with them for order processing in accordance with Article 28 GDPR, which obliges these service providers to comply with legal standards with regard to data protection and data security. This means that the processors are bound by our instructions and are regularly monitored by us. The processors whose services are used will not pass this data on to third parties, but will delete it after the fulfilment of the contract and the conclusion of statutory storage periods, unless you have consented to storage beyond this.
X. Measures for protection and access to personal data
The Company has implemented appropriate measures to prevent the accidental loss, use or unauthorized access, alteration or unauthorized disclosure of personal data. Access to personal data is restricted to those employees and third parties who need to obtain this information. They process personal data only on the basis of the Company’s instructions and in accordance with their obligation for confidentiality.
Where we store your data and how we protect your data
DIGIBURN does not store customers’ data on the customer’s device in order to ensure maximum security and to ensure the smooth functioning of the app. DIGIBURN stores customers’ data on servers of its IT service providers in the platform Typeform, which process that data on DIGIBURN’s behalf and on the legal basis of Art. 28 GDPR and are obliged to comply with the legal provisions on data protection and data security.
Please note that in some employment relationships it is not allowed to use the Internet for private purposes during working hours or from your workplace. Some employers monitor unauthorized Internet activity in the workplace. Even if you are otherwise connected in multiple network environments, you must be aware that there is always a risk of unwanted access.
XI. Terms for storage of personal data in DIGIBURN
The personal data of customers are stored for a period of 2 (two) years. After the data has expired, the user’s email is deleted, thus achieving complete anonymization of the data subject. After deletion, only the identification number remains in the main database, which in itself can no longer be associated with a specific e-mail address, as well as with a specific data subject.
XII. Rights of the person whose personal data we process
In your capacity of a person under item 4 of this Information, you have the following rights with respect to your personal data:
- you have the right to withdraw your consent whenever the processing of your personal data is based on consent (Article 7 (3) of the General Regulation).
- you have the right to have brief, transparent, understandable and easily accessible information about the processing before it occurs, including the identity of the Company with respect to its capacity of data controller, purpose(s), recipients and how you can exercise your personal data rights (Article 13 of the General Regulation).
- you have the right of access to your personal data (Article 15 of the General Regulation).
- you have the right to ask the Company to correct your personal data (Article 16 of the General Regulation) in case of inaccuracy or incompleteness.
- you have the right to request the destruction / deletion of your personal data (the “right to be forgotten” – Article 17 of the General Regulation).
- you have the right to ask us to restrict the processing of your personal data (Article 18 of the General Regulation).
- you have the right to have your personal data transferred (Article 20 of the General Regulation).
- you have the right to object to the processing of your data (Article 21 of the General Regulation).
- you have the right not to be a subject of automated decision-making processing including profiling, which has legal consequences for you or affects you significantly in similar manner (Article 22 of the General Regulation).
- you have the right to file a complaint with the Commission for Personal Data Protection, to seek effective court protection against us if you state that your rights have been infringed, and the right to receive appropriate compensation if it is duly established that our guilty act or inaction has caused you damages. You can exercise your rights under item 14 by a written application to the managing director of the Company.
If you want to make use of one of these rights, you can delete your data directly in the app in the section “Settings → Data & Security”. Of course, you can transfer your data beforehand using an automatic export function. Alternatively, you can send us an e-mail from the address registered with us to gdpr@digiburn.health or write to us stating your personal identification number (UID – you can find this in the settings section at the bottom of the profile page). We will then check this immediately and contact you.
XIII. Changes to our privacy policy
We reserve the right to change this data protection declaration in compliance with data protection regulations. The current version can be found here or at another accessible location in our app.
If you have any questions, suggestions or comments, you are welcome to contact our customer support team at gdpr@digiburn.health or our data protection coordinator: Georgi Natchev.