Privacy

1. Our Privacy Principles:

• We fulfil the requirements of the General Data Protection Regulation 2016/679 (GDPR) and the Privacy and Electronic Communications Directive 2002/58/EC (E-Privacy Directive) of the European Union
• We fulfil the requirements of the Act on the Protection of Privacy in Working Life 759/2004 of the Finnish law
• You as an end-user have control over your personal data: You decide, how much of your personal details you want to share with others. You can transfer your personal data from our digital tools in machine readable format (“data portability”). You can remove your personal data from our digital tools (“right to erasure”).
• We only collect and process personal data that is necessary for providing our products and services.
• We provide aggregate level reporting to our customers. These reports are only shown, when sample sizes are large enough to not enable identifying individuals. Some of the reports contain personal data, when used e.g. for rewarding as a part of activity campaigns. In these cases, the end-user has been informed about the reporting practices in the service description, the end-user has given consent to the reporting, and can opt out of the reporting at any point.
• We anonymize and aggregate data created in our services and carry out the processing steps required for anonymization and aggregation
• While maintaining anonymity, we may process and use all data thus generated for purposes, such as research to create new knowledge in wellbeing and factors impacting it, statistical evaluations, industry comparisons, benchmarking, product improvements, new product developments and other comparable purposes.
• Anonymized or aggregated data shall no longer be considered personal data and shall not be covered by the obligation to disclose or delete data. We shall be entitled to use and store such data for its own purposes beyond the end of the contract
• We might work with research partners such as universities. Results of our research might be made public
• We do not sell, rent, loan or give out your name, email address, or other personal data to anyone. However, if the service provider or all of its assets would be acquired, customer information might be transferred to the acquiring party.
• Your personal data may be transferred across international borders to server locations supporting the service. Details of hosting solutions used are covered in Product-specific Privacy Statements.
• No security system is impenetrable and security risks exist in any system. However, we make consistent efforts to keep your information secure.
• We may use cookies in order to provide a better service, related to Authentication, Security, User Preferences, Performance, Analytics, Research, and Advertising. Details of our Cookie usage practices are covered in Product-specific Privacy Statements.
• Changes to our Privacy Policy will be published on our web site.
• Should you have any privacy related questions or suggestions, please contact us at privacy@hintsa.com.

 

2. Privacy principles for Hintsa Performance’s coaching services

• Hintsa Performance offers coaching programmes for individuals and teams
• Before starting any of our coaching programmes, participants are required to give a consent for collecting and processing personal data. Personal data is collected and processed in accordance with the consent and shared only to your nominated coach and supporting team of specialists.
• During our coaching programmes, we may collect wellbeing data through Hintsa Surveys. The privacy policy for these surveys is provided in section 4 of this document.
• Our Applications may be used as a part of our coaching programmes.
• The coaching programme may include a medical check or other medical services. All medical and patient data created is collected and processed in patient health records of medical service providers. Nominated representatives of Hintsa Performance may during your coaching program have access to briefings based on your medical data in accordance with your consent.
• We utilise digital services by external service providers for running our coaching services. These service providers work as data processors on our behalf and have committed to privacy and personal data processing compliant with the GDPR:
  • Calendly: booking coaching services
  • Asana: project management and operational tasks
  • Sharepoint: storage of notes and other programme data
  • Firstbeat: wellbeing diagnostics
  • Typeform: feedback surveys
  • Zoom / MS Teams: video calls
  • PostHog: Hintsa app usage data

Personal data collection in Hintsa Performance’s coaching services:

Personal data collection register information according to the GDPR (679/2016), articles 12-14:

• The register is maintained by: Hintsa Performance Oy (Ltd), contact: privacy@hintsa.com
• Register name: Hintsa Coaching customer register
• Purpose of use: The register is used for providing coaching services and for managing customer relations between Hintsa Performance Ltd and its customers and end-users.
• Register information is not used for direct marketing without the user’s consent.

Register content:

• The register consists of registers we have collected in different services used for providing our coaching services (Hintsa Surveys, Hintsa Applications, Calendly,  Sharepoint, Asana).
• Register content and register protection principles for each of Hintsa Performance’s services (Hintsa Surveys, Hintsa Applications) are listed in personal data collection registers of these services, included in the Hintsa Performance Privacy Policy.
• Register content and register protection principles for external services that we use for providing coaching services:
  • Sharepoint:
    • Register content: Name, notes from coaching programme
    • Register protection principles:
  • Asana:
    • Register content: Name, notes from coaching programme
    • Register protection principles: https://asana.com/security-standards
  •  Calendly:
    • Register content: Name, email, booked time for coach meeting. Possibly business unit, location, reason for booking the meeting
    • Register protection principles: https://calendly.com/security
  • Zoom/MS Teams:
    • Register content: Name, email
    • Register protection principles: https://zoom.us/privacy, https://learn.microsoft.com/en-us/microsoftteams/teams-privacy
• Information sources: Information provided by user her/himself or generated by the services.

Privacy Principles for Hintsa Applications

• Hintsa Applications are mobile applications we utilise in our holistic wellbeing coaching programmes. We collect and process personal data in order to guide and visualise your habit creation journey. Please note that we process sensitive personal data about you such as data on your sleep, mood, or physical activity
• Hintsa Applications digital services are by default and design a private service: your personal information is shared only to your nominated coach, whom you have approved to this role.
• We store the information collected during the registration process, such as your email address, in order to be able to provide the service. We also store your wellbeing related data and potentially other information created at the service.
• When using a coach as a part of services, you give consent for the coach to see all the information you have stored in Hintsa Applications, excluding personal diary entries made under the “Journal” view unless you have shared the diary entry with your coach.
• Data created by users in Hintsa Applications may be used for creating aggregate and anonymous workplace statistics visible to workplace admins and other employer representatives. Workplace admins and other employer representatives do not have access to user data on the level of individual wellbeing events, statistics of individual users, or detailed profile information. Workplace admins will in most cases know the names and email addresses of individual users, as the users are in most cases invited by the admin.

 

3. Personal data collection of Hintsa Applications:

Personal data collection register information according to the GDPR (679/2016), articles 12-14:

• The register is maintained by: Hintsa Performance Oy (Ltd), contact: privacy@hintsa.com
• Register name: Hintsa Applications customer register
• Purpose of use: The register is used for providing coaching services and for managing customer relations between Hintsa Performance Ltd and its customers and service end-users.
• Register information is not used for direct marketing.

Register content:

• The user’s personal information (name)
• Unique customer ID
• The user’s contact information (email, phone number)
• Information about the user’s progress in the coaching programme
• Status of education content consumption provided in the service (completed, not completed, progress)
• Status of daily tasks given in the service (completed, not completed, inputted data)
• Answers to wellbeing related and other assessments in the service
• The user’s wellbeing targets
• The user’s exercise log information and other wellbeing and other data entered to the service by the user, including journal entries created by the user
• Wellbeing data from wearable devices connected to Hintsa Applications by the user, e.g. exercise data, daily step count, sleep data, resting heart rate
• Wellness data from health hubs such as Apple HealthKit and Google Fit connected to Hintsa Application by the user, e.g. exercise data, daily step count, sleep data, resting heart rate
• Photos uploaded to the service by the user
• The user’s messaging history in the service
• The user’s employer
• The user’s coach in the service, notes written by the coach
• The user’s team mates in the service
• The user’s mobile device type and OS version
• Header information from email messages sent to the user from the service
• Information sources: Information provided by user her/himself or generated by the Hintsa Application or generated by 3rd party services integrated to Hintsa Application by the user.
• Personal data from is stored five years after the end of the programme in order to have the data available for a possible continuation. Following your deletion of your account, it may take up to 90 days to fully delete your personal information and system logs from our systems. Stored data is reviewed annually.
• Register protection principles: The data is stored on servers located inside the EU, run by Amazon Web Services, Inc (AWS). The application is deployed onto a Virtual Private Cloud (VPC) in AWS. The configuration addresses security by limiting outside access to minimum, applying firewalling for each server instance and deploying services to subnets that have limited access to each other and to outside networks.

 

4. Hintsa Surveys

4.1 Hintsa wellbeing assesment

Hintsa Wellbeing Assesment’s Privacy Principles:

• Hintsa Wellbeing Assesment surveys for the purpose of providing a holistic assessment of an individual person’s status across different elements of wellbeing. We collect and process health and personal data with the active consent of the individual in order to provide an individual report based on survey answers. Consent for personal data processing can be removed at any time by contacting us at privacy@hintsa.com. Individual users’ survey results are always private and are never shared with anyone, with the following exceptions:
  • If you are taking part in Hintsa coaching programmes, your designated coach and possibly other designated specialists will see your data.
  • If you are taking part in Hintsa coaching programmes via your employer, your results may be included in aggregate level, anonymous reporting for the employer. However, your data cannot be identified from the aggregate level reports and we never share any individual level data from the survey to the employer.
  • Hintsa’s analytics and admin team will have access to your data and process your data in order to create the aggregate reports and improve the services. This is valid also if you are taking the free version of our survey (https://www.hintsa.com/assessment/). However, this access is not used for the purpose of analysing or monitoring your personal data. All members of the team are bound by confidentiality agreements.

Personal data collection in Hintsa Wellbeing Assessment

Personal data collection register information according to the GDPR (679/2016), articles 12-14:

• The register is maintained by: Hintsa Performance Oy (Ltd), contact: privacy@hintsa.com
• Register name: Hintsa Wellbeing Assesment
• Purpose of use: The register is used for providing the Hintsa Wellbeing Assesments.

Register content:

• The user’s personal information (name)
• The user’s contact information (email)
• The user’s organisational identifiers (employer)
• Answers to surveys inputted by the user
• Reporting showed to the user
• Email messages sent to the user (message header)
• Information sources: Information provided by the user her/himself

Register protection principles: In order to provide Hintsa individual wellbeing surveys, we use external service providers for data collection and data hosting. Our external service providers include Typeform S.L., SurveyLegend AB, Momentive Europe UC (Surveymonkey), PostHog and Hubspot, Inc. for the data collection and Amazon Web Services, Inc (AWS) and Google Cloud servers for the hosting. Our service providers fulfil the requirements of the General Data Protection Regulation (GDPR) and/or EU-US Data Privacy Framework.

 

5. Privacy Principles for the Hintsa.com marketing site

Upon certain interactions with Hintsa.com (e.g. subscribing to our newsletter), you give consent for your personal details to be added to the Hintsa marketing register, which may contain the following personal data, submitted by the user her/himself:

• Name
• E-mail address
• Mobile phone number
• Age and gender
• Job level and position
• Company name and industry
• User submitted interests for newsletter subscription preferences

In addition to self-submitted data, we use analytics and marketing automation tools, which collect data on users’ browsing information, such as traffic sources, browser and devices used, time spent in Hintsa Performance’s website, pages visited, geographic location etc.

We collect personal data mainly at the point of subscription, but also later during the customer relationship. Hintsa Performance’s website uses cookies, web beacons and other similar methods in order to improve user experience, to develop our websites and services further, and for targeting content and communications. Cookies are small pieces of data sent from a website and stored on the user’s computer by the user’s web browser. Cookies can be blocked from your browser’s settings. Our pages may also include other third-party components, such as lead trackers.

We process personal data for the uses of customer relationship management and marketing with the consent of the visitor, without disclosing customer personal data to any third party. We maintain a register on newsletter subscribers and other users of our website’s functionality. Newsletters are sent to subscribers by email based on the marketing register’s information.

Hintsa Performance’s website runs a marketing automation system that is used for improving the general user experience of our website and its content, and for creating target segments for marketing.

We place cookies, when a visitor first arrives to our website, in order to learn, how visitors consume content in the site. A visitor’s personal data remains anonymous to Hintsa Performance until:

1. Visitor subscribes to Hintsa Performance’s newsletter or other material

A user’s personal data may be linked to the cookie, when a visitor subscribes to a newsletter, white paper etc. Submitted information is stored in the Hintsa marketing register.

1. Visitor arrives at the website from an email marketing message sent by Hintsa Performance

A user’s personal information may be linked to a cookie, when the user arrives at the website via an email marketing message sent by Hintsa Performance. The source for e-mail marketing messages is Hintsa Performance’s marketing register. A user, whose cookie is linked to personal data, may receive email marketing that is personalised based on her/his website visitor history. In case a user wishes to unassociated from their previous browsing history, they can do so by clearing their browser cookies.

You have the legal right to inspect the data we have collected concerning you. You also have the right to request the correction or deletion of incorrect, defective, unnecessary or outdated personal data.

Your data can be removed from the Hintsa marketing register based on a personal request. Requests for register-related matters shall be submitted in writing to the postal address Hintsa Performance Oy, Kansakoulukatu 3, 00100 Helsinki. Newsletter subscribers can unsubscribe directly from the newsletter.

 

6. Privacy Principles for Hintsa’s support

We run a support portal to enable customer service for our services (support@hintsa.com). The support portal enables creation of support tickets, we create a personal data register of people, who have sent these tickets, to enable customer service delivery.

Personal data collection register information according to the GDPR (679/2016), articles 12-14:

• The register is maintained by: Hintsa Performance Oy (Ltd), contact: privacy@hintsa.com
• Register name: Hintsa Support customer register
• Purpose of use: The register is used for providing customer service

Register content:

• The user’s personal information (name)
• The user’s contact information (email)
• Mobile device and OS of the user (Android, iOS, web)
• Messaging history between the user and customer service
• Articles visited in the support portal by the user
• Possible Android log file sent to customer service by the user
• Information sources: Information provided by user her/himself
• Register protection principles: We run our support portals with the FreshDesk service provided by Freshworks Inc. Freshworks acts as a personal data processor on our behalf and fulfills the requirements of the GDPR.

 

7. Your California Privacy Rights (California’s Shine the Light law)

7.1. Your California Privacy Rights (California’s Shine the Light law)

Under California Civil Code Section 1798 (California’s Shine the Light law), California residents with an established business relationship with us can request information once a year about sharing their Personal Data with third parties for the third parties’ direct marketing purposes.

If you’d like to request more information under the California Shine the Light law, and if you are a California resident, You can contact Us using the contact information provided below.

7.2. California Privacy Rights for Minor Users (California Business and Professions Code Section 22581)

California Business and Professions Code section 22581 allow California residents under the age of 18 who are registered users of online sites, services or applications to request and obtain removal of content or information they have publicly posted.
To request removal of such data, and if you are a California resident, You can contact Us using the contact information provided below, and include the email address associated with Your account.

Be aware that Your request does not guarantee complete or comprehensive removal of content or information posted online and that the law may not permit or require removal in certain circumstances.