Privacy

04 September 2019

Hintsa Performance’s Privacy Policy

This document covers all products, services, and other operations of Hintsa Performance Oy.

Updates to previous version (dated 29 October 2018):
- Improved readability: Table of Contents that links directly to service specific Privacy Policies
- Elaborated “Participating in activity campaigns” privacy description for HeiaHeia, MarsMars and Parempi Vire
- New Hintsa Diagnostic service included
- Fixed typos; removed the reference to obsolete legislation replaced by the GDPR (Personal Data Act (HetiL 523/99, §10) of the Finnish law)

Table of Contents:

1. General privacy principles for all services by Hintsa Performance Oy
2. Privacy Principles for services we provide for customers of Ilmarinen Mutual Pension Insurance Company
3. Privacy Principles for services we provide for the Finnish Defence Forces
4. Privacy Principles for Hintsa Performance’s coaching services
5. Privacy Principles for the Better Life service
6. Privacy Principles for the HeiaHeia service
7. Privacy Principles for Hintsa Surveys services
8. Privacy Principles for the Hintsa.com marketing site
9. Privacy Principles for Hintsa’s support pages

1. General privacy principles for all services by Hintsa Performance Oy

1.1 General

Your privacy is important to us. The Hintsa Performance Privacy Policy (“Privacy Policy”) is designed to protect your privacy and to help you understand what personal data Hintsa Performance Ltd (“Hintsa Performance”) collects from you, how we collect the data, and how we use the data. Hintsa Performance offers a range of services directly to customers, via employers, and via channel partners. Our services include but are not limited to personal coaching, remote coaching via digital tools, and digital wellbeing services. When taking any of our services into use, you have actively given consent to our Terms of Service and this Privacy Policy. Please read the product-specific details in this Privacy Policy, which provide detailed information about Hintsa Performance’s services, including cookie usage practices and register information for products and services that collect personal data. This Privacy Policy applies to Hintsa Performance’s interactions with you and the Hintsa Performance products and services listed below, as well as other Hintsa Performance products and services that display this Privacy Policy.

1.2 Our Privacy Principles:

  • We fulfil the requirements of the General Data Protection Regulation 2016/679 (GDPR) and the Privacy and Electronic Communications Directive 2002/58/EC (E-Privacy Directive) of the European Union
  • We fulfil the requirements of the Act on the Protection of Privacy in Working Life 759/2004 of the Finnish law
  • You as an end-user have control over your personal data: You decide how much of your personal details you want to share with others. You can transfer your personal data from our digital tools in machine readable format (“data portability”). You can remove your personal data from our digital tools (“right to erasure”).
  • We only collect and process personal data that is necessary for providing our products and services.
  • We provide aggregate level reporting to our customers. These reports are only shown when sample sizes are large enough to not enable identifying individuals. These reports do not contain health data. Some of the reports contain personal data when used e.g. for rewarding as a part of activity campaigns. In these cases, the end-user has been informed about the reporting practices in the service description, the end-user has given consent to the reporting, and can opt out of the reporting at any point.
  • We use data created in our services for anonymised data analysis for research purposes, aiming to create new knowledge on wellbeing and the factors impacting it. Anonymised data used in research is not personal data, and individuals cannot be identified from this data. We might work with research partners such as universities. Results of our research might be made public.
  • We do not sell, rent, loan or give out your name, email address, or other personal data to anyone. However, if the service provider or all of its assets were acquired, customer information might be transferred to the acquiring party.
  • Your personal data may be transferred across international borders to server locations supporting the service. Details of hosting solutions used are covered in Product-specific Privacy Statements.
  • No security system is impenetrable and security risks exist in any system. However, we make consistent efforts to keep your information secure.
  • We may use cookies in order to provide a better service, related to Authentication, Security, User Preferences, Performance, Analytics, Research, and Advertising. Details of our Cookie usage practices are covered in Product-specific Privacy Statements.
  • Changes to our Privacy Policy will be published on our web site.
  • Should you have any privacy related questions or suggestions, please contact us at support@hintsa.com.

2. Privacy Principles for services we provide for customers of Ilmarinen Mutual Pension Insurance Company

Privacy Principles for personal data collected and processed in services Hintsa Performance provides for customers of Ilmarinen Mutual Pension Insurance Company

2.1 General

Your privacy is important to us. The Hintsa Performance Privacy Policy (“Privacy Policy”) is designed to protect your privacy and to help you understand what personal data Hintsa Performance Ltd (“Hintsa Performance”) collects from you, how we collect the data, and how we use the data. Hintsa Performance offers a range of services directly to customers, via employers, and via channel partners and other partners. Our services include but are not limited to personal coaching, remote coaching via digital tools, and digital wellbeing services. When taking any of our services into use, you have actively given consent to our Terms of Service and this Privacy Policy. Please read the product-specific details in this Privacy Policy, which provide detailed information about Hintsa Performance’s services, including cookie usage practices and register information for products and services that collect personal data. This Privacy Policy applies to Hintsa Performance’s interactions with you and the Hintsa Performance products and services listed below, as well as other Hintsa Performance products and services that display this Privacy Policy.

2.2 Our Privacy Principles

  • We fulfil the requirements of the General Data Protection Regulation 2016/679 (GDPR) and the Privacy and Electronic Communications Directive 2002/58/EC (E-Privacy Directive) of the European Union
  • We fulfil the requirements of the Act on the Protection of Privacy in Working Life 759/2004 of the Finnish law
  • You as an end-user have control over your personal data: You decide how much of your personal details you want to share with others. You can transfer your personal data from our digital tools in machine readable format (“data portability”). You can remove your personal data from our digital tools (“right to erasure”).
  • We only collect and process personal data that is necessary for providing our products and services.
  • We provide aggregate level reporting to our customers. These reports are only shown when sample sizes are large enough to not enable identifying individuals. These reports do not contain health data. Some of the reports contain personal data when used e.g. for rewarding as a part of activity campaigns. In these cases, the end-user has been informed about the reporting practices in the service description, the end-user has given consent to the reporting, and can opt out of the reporting at any point.
  • We use data created in our services for anonymised data analysis for research purposes, aiming to create new knowledge on wellbeing and the factors impacting it. Anonymised data used in research is not personal data, and individuals cannot be identified from this data. We might work with research partners such as universities. Results of our research might be made public.
  • We do not sell, rent, loan or give out your name, email address, or other personal data to anyone. However, if the service provider or all of its assets were acquired, customer information might be transferred to the acquiring party.
  • Your personal data may be transferred across international borders to server locations supporting the service. Details of hosting solutions used are covered in Product-specific Privacy Statements.
  • No security system is impenetrable and security risks exist in any system. However, we make consistent efforts to keep your information secure.
  • We may use cookies in order to provide a better service, related to Authentication, Security, User Preferences, Performance, Analytics, Research, and Advertising. Details of our Cookie usage practices are covered in Product-specific Privacy Statements.
  • Changes to our Privacy Policy will be published on our web site.
  • Should you have any privacy related questions or suggestions, please contact us at support@hintsa.com.

2.3 Service specific privacy principles:

2.3.1 Vire surveys

Privacy principles of Vire surveys:

  • Vire surveys, i.e. Työvire and Työyhteisövire, offered by Ilmarinen Mutual Pension Insurance Company to its customers, are employee survey tools built for the purpose of improving the quality of working life and employee wellbeing by collecting input and feedback from employees. We collect and process personal data in order to provide the surveys and ensure non-biased sampling in survey data, e.g. by not allowing the same person to answer the same survey many times when not desirable. Individual users’ survey results are always private, cannot be shared with other users within the service, are never shared with anyone, and are never reported to the employer or other parties. The employer receives anonymous reports from survey answers for the whole organisation and divided into teams, if each reported entity has a minimum of five answers. Ilmarinen receives anonymous reports per employer. Survey results may be used for anonymous, aggregate level reports and anonymous research.

Personal data collection in Vire surveys:

Personal data collection register information according to the GDPR (679/2016), articles 12-14:

  • The register is maintained by: Hintsa Performance Oy (Ltd), contact: support@hintsa.com
  • Register name: Vire surveys customer register
  • Purpose of use: The register is used for providing the Vire surveys, and maintaining a customer relationship between the user and Hintsa Performance Oy

Register content:

  • The user’s personal information (name, gender, birthday)
  • Unique customer ID
  • The user’s contact information (email)
  • The user’s organisational identifiers: employer, teams, tags
  • Answers to surveys inputted by the user
  • Reports generated for the user
  • Email messages sent to the user (message header)
  • Internet-server technical logs (including user’s IP address and browser information)
  • Information sources: Information provided by user her/himself or by the employer (name, email, organisational identifiers)
  • Register protection principles: The data is stored on servers located inside the EU, run by Amazon Web Services, Inc (AWS). The application is deployed onto a Virtual Private Cloud (VPC) in AWS. The configuration addresses security by limiting outside access to minimum, applying firewalling for each server instance and deploying services to subnets that have limited access to each other and to outside networks.

2.3.2 Parempi Vire

Parempi Vire Privacy Principles:

  • Parempi Vire, a service provided by Ilmarinen Mutual Pension Insurance Company to its customers, is a service that supports and develops the occupational wellbeing of the employee and the work community in a holistic way, based on peer support. We collect and process personal data in order to enable personal wellbeing tracking and peer support among colleagues.
  • You as an end-user have control over your personal data: You decide how much of your personal details you want to share with others. You can control your privacy level from Parempi Vire’s settings. You can transfer your personal data from our digital tools in machine readable format (“data portability”). You can remove your personal data from our digital tools (“right to erasure”).
  • If your employer decides to discontinue utilising the Parempi Vire service, you can continue to utilise your personal wellbeing data in the HeiaHeia service offered by Hintsa Performance.
  • We store the information collected during the registration process, such as your email address, in order to provide the service. We also store your wellbeing data and potentially other information created at the service.
  • Sharing your exercises and other entries to other users is managed with friendships. Your friends see all your non-private entries in their ‘feeds’. If you mark individual entries as private, your friends will not see them.
  • Your name is always searchable and your profile picture is visible within Parempi Vire’s friend search. The privacy level you’ve selected defines who can access your full profile page and training log by clicking your name. The default setting is “Only my Parempi Vire friends and colleagues”.
  • When utilising coaching services in Parempi Vire, you give consent for the coach to see all the information you have stored in Parempi Vire, including entries you have marked as private.
  • Parempi Vire mobile applications may use and store your current location to record your workouts. You may disable location services from mobile application settings, but then you will not be able to add location data to workouts.
  • Location data (GPS data) created by you with Parempi Vire mobile applications or other compatible methods may be stored to create and annotate training log entries, and is treated with the same privacy principles as all training log data. Maps and “check-ins” created from GPS data have more privacy options than other training log data types, enabling stricter privacy. GPS data created on Parempi Vire mobile apps that is not used to create training log entries is not stored permanently by Parempi Vire.
  • Data created by users of Parempi Vire may be used for creating anonymous aggregated statistics. In these statistics, exact figures are shown only if N ≥ 5.
  • Most important anonymous aggregated statistics created from Parempi Vire user data include the following:
    • Amount of active users
    • Distribution of activity levels and accumulation of wellbeing score points from different areas of activity
    • Distribution of Oma Vire survey results
    • Most popular sport types and wellness entries
    • Amount of training programs and habit challenges started
    • Amount of cheers given
    • Average amount of exercise and steps
    • Amount of users who have reached personal goal during campaign
    • Amount of users who have exercised on average over 2,5 hours per week
    • Amount of users who have taken on average over 10 000 steps per day
  • Some employers reward employees for activity (e.g. activity campaigns). We offer campaign participant lists to enable rewarding. Participating in rewarding programs requires a separate active consent from users, which is prompted at sign-up under “Rewarding programs”. You can choose to opt-out or rejoin activity campaigns at any point via the settings, under “Rewarding programs”.
  • Detailed participant lists:
    • List of people or teams, who have reached a personal or team goal during campaign
    • List of people or teams, who have logged on average over 2,5 hours of exercise per week
    • List of people or teams, who have taken on average over 10 000 steps per day
    • List of people or teams, who have reached a wellbeing score level that reflects active use and good foundation for wellbeing (level 2).
  • Workplace admins have access to the aggregated anonymous statistics as well as possible participant lists of people that have exceeded threshold limits and given consent. Representatives of Ilmarinen have access to aggregated anonymous statistics, but not to participant lists.

Personal data collection in Parempi Vire:

Personal data collection register information according to the GDPR (679/2016), articles 12-14:

  • The register is maintained by: Hintsa Performance Oy (Ltd), contact: support@hintsa.com
  • Register name: Parempi Vire customer register
  • Purpose of use: The register is used for providing the Parempi Vire service and for managing customer relations between Hintsa Performance Ltd and its customers and service end-users.
  • Register information is not used for direct marketing without the user’s consent.

Register content:

  • The user’s personal information (name, sex, birthday)
  • Unique customer ID
  • The user’s contact information (email)
  • The user’s hometown
  • The user’s personal measurement information (height, weight)
  • The user’s exercise targets
  • Types of exercise (sports) of interest to the user
  • The user’s training log information and other wellness and other data entered to the service by the user
  • Wellness data from wearable devices connected to the service by the user, e.g. exercise data, daily step count, sleep data, resting heart rate
  • Photos uploaded to the service by the user
  • The user’s social connections in the service
  • The user’s messaging history in the service
  • The user’s membership status in communities and groups
  • Answers to surveys inputted by the user
  • Newsletter sending permission (email marketing)
  • The user’s advertisement click-through history in the service
  • Email messages sent to the user (message header)
  • Internet-server technical logs (including user’s IP address and browser information)
  • Information sources: Information provided by user her/himself or generated by the service.
  • Register protection principles: The data is stored on servers located inside the EU, run by Amazon Web Services, Inc (AWS). The application is deployed onto a Virtual Private Cloud (VPC) in AWS. The configuration addresses security by limiting outside access to minimum, applying firewalling for each server instance and deploying services to subnets that have limited access to each other and to outside networks.

3. Privacy Principles for services we provide for the Finnish Defence Forces

Privacy Principles for personal data collected and processed in services Hintsa Performance provides for the Finnish Defence Forces

3.1 General

Your privacy is important to us. The Hintsa Performance Privacy Policy (“Privacy Policy”) is designed to protect your privacy and to help you understand what personal data Hintsa Performance Ltd (“Hintsa Performance”) collects from you, how we collect the data, and how we use the data. Hintsa Performance offers a range of services directly to customers, via employers, and via channel partners and other partners. Our services include but are not limited to personal coaching, remote coaching via digital tools, and digital wellbeing services. When taking any of our services into use, you have actively given consent to our Terms of Service and this Privacy Policy. Please read the product-specific details in this Privacy Policy, which provide detailed information about Hintsa Performance’s services, including cookie usage practices and register information for products and services that collect personal data. This Privacy Policy applies to Hintsa Performance’s interactions with you and the Hintsa Performance products and services listed below, as well as other Hintsa Performance products and services that display this Privacy Policy.

3.2 Our Privacy Principles

  • We fulfil the requirements of the General Data Protection Regulation 2016/679 (GDPR) and the Privacy and Electronic Communications Directive 2002/58/EC (E-Privacy Directive) of the European Union
  • We fulfil the requirements of the Act on the Protection of Privacy in Working Life 759/2004 of the Finnish law
  • You as an end-user have control over your personal data: You decide how much of your personal details you want to share with others. You can transfer your personal data from our digital tools in machine readable format (“data portability”). You can remove your personal data from our digital tools (“right to erasure”).
  • We only collect and process personal data that is necessary for providing our products and services.
  • We provide aggregate level reporting to our customers. These reports are only shown when sample sizes are large enough to not enable identifying individuals. These reports do not contain health data. Some of the reports contain personal data when used e.g. for rewarding as a part of activity campaigns. In these cases, the end-user has been informed about the reporting practices in the service description, the end-user has given consent to the reporting, and can opt out of the reporting at any point.
  • We use data created in our services for anonymised data analysis for research purposes, aiming to create new knowledge on wellbeing and the factors impacting it. Anonymised data used in research is not personal data, and individuals cannot be identified from this data. We might work with research partners such as universities. Results of our research might be made public.
  • We do not sell, rent, loan or give out your name, email address, or other personal data to anyone. However, if the service provider or all of its assets were acquired, customer information might be transferred to the acquiring party.
  • Your personal data may be transferred across international borders to server locations supporting the service. Details of hosting solutions used are covered in Product-specific Privacy Statements.
  • No security system is impenetrable and security risks exist in any system. However, we make consistent efforts to keep your information secure.
  • We may use cookies in order to provide a better service, related to Authentication, Security, User Preferences, Performance, Analytics, Research, and Advertising. Details of our Cookie usage practices are covered in Product-specific Privacy Statements.
  • Changes to our Privacy Policy will be published on our web site.
  • Should you have any privacy related questions or suggestions, please contact us at support@hintsa.com.

3.3 MarsMars Privacy Principles:

  • MarsMars, a service offered by the Finnish Defence Forces to private individuals, is a social wellbeing service, based on peer support. We collect and process personal data in order to enable personal wellbeing tracking and improvement, as well as peer support among friends.
  • You as an end-user have control over your personal data: You decide how much of your personal details you want to share with others. You can control your privacy level from MarsMars’s settings. You can transfer your personal data from our digital tools in machine readable format (“data portability”). You can remove your personal data from our digital tools (“right to erasure”).
  • We store the information collected during the registration process, such as your email address, in order to provide the service. We also store your wellbeing data and potentially other information created at the service.
  • Sharing your exercises and other entries to other users is managed with friendships. Your friends see all your non-private entries in their ‘feeds’. If you mark individual entries as private, your friends will not see them.
  • Your name is always searchable and your profile picture is visible within MarsMars’s friend search. The privacy level you’ve selected defines who can access your full profile page and training log by clicking your name. The default setting is “Only my friends and colleagues”.
  • When utilising coaching services in MarsMars, you give consent for the coach to see all the information you have stored in MarsMars, including entries you have marked as private.
  • MarsMars mobile applications may use and store your current location to record your workouts. You may disable location services from mobile application settings, but then you will not be able to add location data to workouts.
  • Location data (GPS data) created by you with MarsMars mobile applications or other compatible methods may be stored to create and annotate training log entries, and is treated with the same privacy principles as all training log data. Maps and “check-ins” created from GPS data have more privacy options than other training log data types, enabling stricter privacy. GPS data created on MarsMars mobile apps that is not used to create training log entries is not stored permanently by MarsMars.
  • Data created by users of MarsMars may be used for creating anonymous aggregated statistics. In these statistics, exact figures are shown only if N ≥ 5.
  • Most important anonymous aggregated statistics created from MarsMars user data include the following:
    • Amount of active users
    • Distribution of activity levels
    • Distribution of performance survey results
    • Most popular sport types and wellness entries
    • Amount of training programs and habit challenges started
    • Amount of cheers given
    • Average amount of exercise and steps
    • Amount of users who have exercised on average over 2,5 hours per week

Personal data collection in MarsMars:

Personal data collection register information according to the GDPR (679/2016), articles 12-14:

  • The register is maintained by: Hintsa Performance Oy (Ltd), contact: support@hintsa.com
  • Register name: MarsMars customer register
  • Purpose of use: The register is used for providing the MarsMars service and for managing customer relations between Hintsa Performance Ltd and its customers and service end-users.
  • Register information is not used for direct marketing without the user’s consent.

Register content:

  • The user’s personal information (name, sex, birthday)
  • Unique customer ID
  • The user’s contact information (email)
  • The user’s hometown
  • The user’s personal measurement information (height, weight)
  • The user’s exercise targets
  • Types of exercise (sports) of interest to the user
  • The user’s training log information and other wellness and other data entered to the service by the user
  • Wellness data from wearable devices connected to the service by the user, e.g. exercise data, daily step count, sleep data, resting heart rate
  • Photos uploaded to the service by the user
  • The user’s social connections in the service
  • The user’s messaging history in the service
  • The user’s membership status in communities and groups
  • Answers to surveys inputted by the user
  • Newsletter sending permission (email marketing)
  • The user’s advertisement click-through history in the service
  • Email messages sent to the user (message header)
  • Internet-server technical logs (including user’s IP address and browser information)
  • Information sources: Information provided by user her/himself or generated by the service.
  • Register protection principles: The data is stored on servers located inside the EU, run by Amazon Web Services, Inc (AWS). The application is deployed onto a Virtual Private Cloud (VPC) in AWS. The configuration addresses security by limiting outside access to minimum, applying firewalling for each server instance and deploying services to subnets that have limited access to each other and to outside networks.

4. Privacy principles for Hintsa Performance’s coaching services

  • Hintsa Performance offers coaching programmes for individuals and teams
  • Before starting any of our coaching programmes, participants are required to give consent for collecting and processing personal data. Personal data is collected and processed in accordance with the consent and shared only with your nominated coach and supporting team of specialists, whom you have approved to this role.
  • During our coaching programmes, we may collect wellbeing data through Hintsa Surveys. The privacy policy for these surveys is provided in section 7 of this document.
  • Digital tools, including Better Life, HeiaHeia, and Parempi Vire, may be used as a part of our coaching programmes. The relevant privacy policies for these tools can be found in sections 2, 5, and 6 of this document.
  • The coaching programme may include a medical check or other medical services. All medical and patient data created is collected and processed in patient health records of medical service providers. Nominated representatives of Hintsa Performance may during your coaching program have access to briefings based on your medical data in accordance with your consent.
  • We utilise digital services by external service providers for running our coaching services. These service providers work as data processors on our behalf and have committed to privacy and personal data processing compliant with the GDPR:
    • Acuity Scheduling: booking coaching services
    • MailChimp: communications
    • DropBox and BoxCryptor: storage of notes and other programme data
    • Firstbeat: wellbeing diagnostics
    • SurveyMonkey: surveys and enrollments
    • SurveyLegend: surveys and enrollments
    • Shopify: payment system
    • Stripe: payment system
    • SquareSpace: payment system
    • Typeform: surveys

Personal data collection in Hintsa Performance’s coaching services:

Personal data collection register information according to the GDPR (679/2016), articles 12-14:

  • The register is maintained by: Hintsa Performance Oy (Ltd), contact: support@hintsa.com
  • Register name: Hintsa Coaching customer register
  • Purpose of use: The register is used for providing coaching services and for managing customer relations between Hintsa Performance Ltd and its customers and end-users.
  • Register information is not used for direct marketing without the user’s consent.

Register content:

  • The register consists of registers we have collected in different services used for providing our coaching services (Hintsa Surveys, Better Life, HeiaHeia, Parempi Vire, Acuity Scheduling, MailChimp, Dropbox, BoxCryptor, SurveyMonkey, SurveyLegend, Shopify, Stripe, SquareSpace).
  • Register content and register protection principles for each of Hintsa Performance’s services (Hintsa Surveys, Better Life, HeiaHeia, Parempi Vire) are listed in personal data collection registers of these services, included in the Hintsa Performance Privacy Policy.
  • Register content and register protection principles for external services that we use for providing coaching services:
  • Information sources: Information provided by user her/himself or generated by the services

5. Privacy Principles for the Better Life service

  • Better Life is a mobile application we utilise in our holistic wellbeing coaching programmes. We collect and process personal data in order to guide and visualise your habit creation journey.
  • The Better Life remote coaching digital service is by default and design a private service: your personal information is shared only to your nominated coach, whom you have approved to this role.
  • We store the information collected during the registration process, such as your email address, in order to be able to provide the service. We also store your wellbeing related data and potentially other information created at the service.
  • When using a coach as a part of Better Life, you give consent for the coach to see all the information you have stored in Better Life, excluding personal diary entries made under the “Journal” view in Better Life.
  • Data created by users of Better Life may be used for creating aggregate and anonymous workplace statistics visible to workplace admins and other employer representatives. Workplace admins and other employer representatives do not have access to user data on the level of individual wellbeing events, statistics of individual users, or detailed profile information. Workplace admins will in most cases know the names and email addresses of individual users, as the users are in most cases invited by the admin.

Personal data collection in Better Life:

Personal data collection register information according to the GDPR (679/2016), articles 12-14:

  • The register is maintained by: Hintsa Performance Oy (Ltd), contact: support@hintsa.com
  • Register name: Better Life customer register
  • Purpose of use: The register is used for providing the Better Life service and for managing customer relations between Hintsa Performance Ltd and its customers and service end-users.
  • Register information is not used for direct marketing.

Register content:

  • The user’s personal information (name)
  • Unique customer ID
  • The user’s contact information (email)
  • Information about the user’s progress in the coaching programme
  • Status of education content consumption provided in the service (completed, not completed, progress)
  • Status of daily tasks given in the service (completed, not completed, inputted data)
  • Answers to wellbeing related and other assessments in the service
  • The user’s wellbeing targets
  • The user’s exercise log information and other wellbeing and other data entered to the service by the user, including journal entries created by the user
  • Wellbeing data from wearable devices connected to Better Life by the user, e.g. exercise data, daily step count, sleep data, resting heart rate
  • Wellness data from health hubs such as Apple HealthKit and Google Fit connected to Better Life by the user, e.g. exercise data, daily step count, sleep data, resting heart rate
  • Photos uploaded to the service by the user
  • The user’s messaging history in the service
  • The user’s employer
  • The user’s coach in the service, notes written by the coach
  • The user’s team mates in the service
  • The user’s mobile device type and OS version
  • Header information from email messages sent to the user from the service
  • Information sources: Information provided by user her/himself or generated by the Better Life service or generated by 3rd party services integrated to Better Life by the user.
  • Register protection principles: The data is stored on servers located inside the EU, run by Amazon Web Services, Inc (AWS). The application is deployed onto a Virtual Private Cloud (VPC) in AWS. The configuration addresses security by limiting outside access to a minimum, applying firewalling for each server instance and deploying services to subnets that have limited access to each other and to outside networks.

6. HeiaHeia Privacy Principles

  • HeiaHeia (including HeiaHeia for Workplaces, HeiaHeia Pro Tools) is a social wellbeing service built around peer support. We collect and process personal data in order to guide and visualise your habit creation journey, as well as social support from your friends and colleagues.
  • You as an end-user have control over your personal data: You decide how much of your personal details you want to share with others. You can control your privacy level from HeiaHeia’s settings. You can transfer your personal data from our digital tools in a machine-readable format (“data portability”). You can remove your personal data from our digital tools (“right to erasure”).
  • We store the information collected during the registration process, such as your email address, in order to provide the service. We also store your exercise data and potentially other information created at the service.
  • Sharing your exercises and other entries to other HeiaHeia users is managed with friendships. Your friends see all your non-private entries in their ‘feeds’. If you mark individual entries as private, your friends will not see them.
  • Your name is always searchable and your profile picture is visible within HeiaHeia’s friend search. The privacy level you’ve selected defines who can access your full profile page and training log by clicking your name. The default setting is “Only my HeiaHeia friends and colleagues”.
  • When utilising coaching services in HeiaHeia, you give consent for the coach to see all the information you have stored in HeiaHeia, including entries you have marked as private.
  • HeiaHeia’s mobile applications may use and store your current location to record your workouts. You may disable location services from mobile application settings, but then you will not be able to add location data to workouts.
  • Location data (GPS data) created by you with HeiaHeia mobile applications or other compatible methods may be stored to create and annotate training log entries, and is treated with the same privacy principles as all training log data. Maps and “check-ins” created from GPS data have more privacy options than other training log data types, enabling stricter privacy. GPS data created on HeiaHeia mobile apps that is not used to create training log entries is not stored permanently by HeiaHeia.
  • Data created by users of HeiaHeia may be used for creating anonymous aggregated statistics. In these statistics, exact figures are shown only if N ≥ 5.
  • Most important anonymous aggregated statistics created from HeiaHeia user data include the following:
    • Amount of active users
    • Distribution of activity levels and accumulation of wellbeing score points from different areas of activity
    • Most popular sport types and wellness entries
    • Amount of training programs and habit challenges started
    • Amount of cheers given
    • Average amount of exercise and steps
    • Amount of users who have reached personal goal during campaign
    • Amount of users who have exercised on average over 2,5 hours per week
    • Amount of users who have taken on average over 10 000 steps per day
  • If you join HeiaHeia via a company or community invitation, you give consent to participate in possible activity campaigns, which may include rewarding for activity. Participating in activity campaigns includes sharing high level personal data, like meeting your daily step target, with the campaign organiser. You can choose to opt-out or rejoin activity campaigns at any point via the settings, under “Rewarding programs”.
  • Detailed participant lists:
    • List of people or teams, who have reached a personal or team goal during campaign
    • List of people or teams, who have logged on average over 2,5 hours of exercise per week
    • List of people or teams, who have taken on average over 10 000 steps per day
    • List of people or teams, who have reached a wellbeing score level that reflects active use and good foundation for wellbeing (level 2).
  • Workplace admins have access to the aggregated anonymous statistics as well as possible participant lists of people that have exceeded threshold limits and given consent.

HeiaHeia cookie usage practices:

  • Authentication: If you’re signed in to HeiaHeia, cookies help us to show you the desired information and personalise your experience.
  • Security: We use cookies to enable and support our security features, and to help us detect malicious activity and violations of our Terms of Service.
  • Preferences, features and services: Cookies can tell us which language you prefer and what your communications preferences are.
  • Advertising: We may use cookies to show you relevant advertising both on and off the HeiaHeia site. We may also use a cookie to learn whether members who saw an ad on HeiaHeia later visited the advertiser’s site. Similarly, our partners may use a cookie to determine whether we’ve shown an ad and how it performed, or provide us with information about how you interact with ads. We may also work with a partner to show you an ad on or off HeiaHeia, such as after you’ve visited a partner’s site or application.
  • Performance, Analytics and Research: Cookies help us learn how well our site performs in different locations. We also use cookies to understand, improve, and research products, features, and services, including when you access HeiaHeia from other websites, applications, or devices such as your work computer or your mobile device.

Most important 3rd party cookies used in HeiaHeia:

  • Google Analytics and Google Tag Manager https://www.google.com/intl/en/policies/privacy/
  • DoubleClick https://www.google.com/intl/en/policies/privacy/
  • New Relic https://docs.newrelic.com/docs/browser/new-relic-browser/page-load-timing-resources/new-relic-cookies
  • Facebook https://www.facebook.com/help/cookies/
  • LinkedIn: https://www.linkedin.com/legal/privacy-policy

Personal data collection in HeiaHeia:

Personal data collection register information according to the GDPR (679/2016), articles 12-14:

  • The register is maintained by: Hintsa Performance Oy (Ltd), contact: support@hintsa.com
  • Register name: HeiaHeia customer register
  • Purpose of use: The register is used for providing the HeiaHeia service and for managing customer relations between Hintsa Performance Ltd and its customers and service end-users. Register information is not used for direct marketing without the user’s consent, managed by service settings.

Register content:

  • The user’s personal information (name, sex, birthday)
  • Unique customer ID
  • The user’s contact information (email, phone number optional)
  • The user’s hometown
  • The user’s personal measurement information (height, weight)
  • The user’s wellbeing targets
  • Types of exercise (sports) of interest to the user
  • The user’s training log information and other wellbeing and other data entered to the service by the user
  • Wellbeing data from wearable devices connected to HeiaHeia by the user, e.g. exercise data, daily step count, sleep data, resting heart rate
  • Photos uploaded to the service by the user
  • The user’s social connections in the service
  • The user’s messaging history in the service
  • The user’s membership status in communities and groups
  • Answers to surveys inputted by the user
  • Newsletter sending permission (email marketing)
  • The user’s advertisement click-through history in the service
  • Email messages sent to the user from HeiaHeia (message header)
  • Internet-server technical logs (including user’s IP address and browser information)
  • Information sources: Information provided by user her/himself or generated by the HeiaHeia service.
  • Register protection principles: The data is stored on servers located inside the EU, run by Amazon Web Services, Inc (AWS). The application is deployed onto a Virtual Private Cloud (VPC) in AWS. The configuration addresses security by limiting outside access to a minimum, applying firewalling for each server instance and deploying services to subnets that have limited access to each other and to outside networks.

7. Hintsa Surveys

7.1 Hintsa individual wellbeing surveys

Hintsa individual wellbeing surveys’ Privacy Principles:

  • Hintsa individual wellbeing surveys, including Hintsa Better Life wellbeing survey and Hintsa Better Life wellbeing pulse survey are surveys for the purpose of providing a holistic assessment of an individual person’s status across different elements of wellbeing. We collect and process health and personal data with the active consent of the individual in order to provide an individual report based on survey answers. Consent for personal data processing can be removed at any time by contacting us at support@hintsa.com. Individual users’ survey results are always private and are never shared with anyone, with the following exceptions:
    • If you are taking part in Hintsa coaching programmes, your designated coach and possibly other designated specialists will see your data.
    • If you are taking part in Hintsa coaching programmes via your employer, your results may be included in aggregate level, anonymous reporting for the employer. However, your data cannot be identified from the aggregate level reports and we never share any individual level data from the survey to the employer.
    • Hintsa’s analytics team will have access to your data and process your data in order to create the aggregate reports. However, this access right is not used for the purpose of analysing or monitoring your personal data. All members of the analytics team are bound by confidentiality agreements.
    • If you are taking the free version of our pulse survey (https://www.hintsa.com//better-life-pulse/), our customer relations and admin team will have access to your results. The results can be used to improve the quality of our services. All members of our team are bound by confidentiality agreements.

Personal data collection in Hintsa individual wellbeing surveys:

Personal data collection register information according to the GDPR (679/2016), articles 12-14:

  • The register is maintained by: Hintsa Performance Oy (Ltd), contact: support@hintsa.com
  • Register name: Hintsa individual wellbeing surveys customer register
  • Purpose of use: The register is used for providing the Hintsa individual wellbeing surveys service, including Hintsa Better Life wellbeing survey and Hintsa Better Life wellbeing pulse survey.

Register content:

  • The user’s personal information (name)
  • The user’s contact information (email)
  • The user’s organisational identifiers (employer)
  • Answers to surveys inputted by the user
  • Reporting shown to the user
  • Email messages sent to the user (message header)
  • Information sources: Information provided by the user her/himself

Register protection principles: In order to provide Hintsa individual wellbeing surveys, we use external service providers for data collection and data hosting. Our external service providers include Typeform S.L., SurveyLegend AB and Hubspot, Inc. for the data collection and Amazon Web Services, Inc (AWS) and Google Cloud servers for the hosting. Our service providers fulfil the requirements of the General Data Protection Regulation (GDPR) and/or the Privacy Shield.

7.2 Hintsa Diagnostic Service

The purpose of the Hintsa Diagnostic service is to combine several data sources to offer a holistic analysis of an individual person’s current wellbeing status and provide actionable insights for improving his quality of life as well as performance. Collected data includes survey answers to our individual wellbeing surveys (see part 3.4. Hintsa individual wellbeing surveys) and the data collected from Firstbeat’s comprehensive lifestyle assessment. We collect and process personal and health data with the active consent of the individual in order to provide individual reports based on results. Consent for data processing can be removed at any time by contacting us at support@hintsa.com. Individual users’ results are always private and are never shared with anyone, with the following exceptions:

  • Your designated coach and possibly other designated specialists will see your data
  • If you are taking part in the service via your employer, your results may be included in aggregate level, anonymous reporting for the employer. However, your data cannot be identified from the aggregate level reports and we never share any individual level data to the employer.
  • Hintsa’s analytics team can have access to your data and process your data in order to create the reports. However, this access right is not used for the purpose of analysing or monitoring your personal data. All members of the analytics team are bound by confidentiality agreements.

Personal data collection register information according to the GDPR (679/2016), articles 12-14:

  • The register is maintained by: Hintsa Performance Oy (Ltd), contact: support@hintsa.com
  • Register name: Hintsa Diagnostic customer register
  • Purpose of use: The register is used for providing the Hintsa Diagnostic service

Register content:

  • The user’s personal information (name)
  • The user’s contact information (email)
  • The user’s organisational identifiers (employer)
  • The user’s age, gender, height, weight
  • Answers to the Better Life wellbeing survey inputted by the user
  • Data from the Firstbeat Lifestyle Assessment and Specialist reports: e.g. heart rate, heart rate variability, stress, sleep and physical activity measurements
  • Individual reports created based on collected data
  • Email messages sent to the user (message header)
  • Information sources: Information provided by the user her/himself or generated by the Firstbeat service
  • Register protection principles: In order to provide the Hintsa Diagnostic service, we use external service providers for data collection and data hosting. Our external service providers include Typeform S.L. and Firstbeat Technologies Oy for the data collection and Amazon Web Services, Inc (AWS) for the hosting. Our service providers fulfil the requirements of the General Data Protection Regulation (GDPR) and/or the Privacy Shield.

8. Privacy Principles for the Hintsa.com marketing site

Upon certain interactions with Hintsa.com (e.g. subscribing to our newsletter), you give consent for your personal details to be added to the Hintsa marketing register, which may contain the following personal data, submitted by the user her/himself:

  • Name
  • E-mail address
  • Mobile phone number
  • Age and gender
  • Job level and position
  • Company name and industry
  • User submitted interests for newsletter subscription preferences

In addition to self-submitted data, we use analytics and marketing automation tools, which collect data on users’ browsing information, such as traffic sources, browser and devices used, time spent on Hintsa Performance’s website, pages visited, geographic location etc.

We collect personal data mainly at the point of subscription, but also later during the customer relationship. Hintsa Performance’s website uses cookies, web beacons and other similar methods in order to improve user experience, to develop our websites and services further, and for targeting content and communications. Cookies are small pieces of data sent from a website and stored on the user’s computer by the user’s web browser. Cookies can be blocked from your browser’s settings. Our pages may also include other third-party components, such as lead trackers.

We process personal data for the uses of customer relationship management and marketing with the consent of the visitor, without disclosing customer personal data to any third party. We maintain a register on newsletter subscribers and other users of our website’s functionality. Newsletters are sent to subscribers by email based on the marketing register’s information.

Hintsa Performance’s website runs a marketing automation system that is used for improving the general user experience of our website and its content, and for creating target segments for marketing.

We place cookies when a visitor first arrives at our website, in order to learn how visitors consume content on the site. A visitor’s personal data remains anonymous to Hintsa Performance until:

  1. Visitor subscribes to Hintsa Performance’s newsletter or other material

A user’s personal data may be linked to the cookie, when a visitor subscribes to a newsletter, white paper etc. Submitted information is stored in the Hintsa marketing register.

  2. Visitor arrives at the website from an email marketing message sent by Hintsa Performance

A user’s personal information may be linked to a cookie when the user arrives at the website via an email marketing message sent by Hintsa Performance. The source for e-mail marketing messages is Hintsa Performance’s marketing register. A user whose cookie is linked to personal data may receive email marketing that is personalised based on her/his website visitor history. In case a user wishes to be disassociated from their previous browsing history, they can do so by clearing their browser cookies.

You have the legal right to inspect the data we have collected concerning you. You also have the right to request the correction or deletion of incorrect, defective, unnecessary or outdated personal data.

Your data can be removed from the Hintsa marketing register based on a personal request. Requests for register-related matters shall be submitted in writing to the postal address Hintsa Performance Oy, Lapinlahdenkatu 1C, 00180 Helsinki. Newsletter subscribers can unsubscribe directly from the newsletter.

9. Privacy Principles for Hintsa’s support pages

We run support portals to enable customer service for our different services (support.heiaheia.com, support.luotaamo.fi and support.marsmars.fi). The support portals enable creation of support tickets. We create a personal data register of people who have sent these tickets, to enable customer service delivery.

Personal data collection register information according to the GDPR (679/2016), articles 12-14:

  • The register is maintained by: Hintsa Performance Oy (Ltd), contact: support@hintsa.com
  • Register name: Hintsa Support customer register
  • Purpose of use: The register is used for providing customer service

Register content:

  • The user’s personal information (name)
  • The user’s contact information (email)
  • The service in question (HeiaHeia, Parempi Vire, Luotaamo, MarsMars)
  • Mobile device and OS of the user (Android, iOS, web)
  • Messaging history between the user and customer service
  • Articles visited in the support portal by the user
  • Possible Android log file sent to customer service by the user
  • Information sources: Information provided by user her/himself
  • Register protection principles: We run our support portals with the FreshDesk service provided by Freshworks Inc. Freshworks acts as a personal data processor on our behalf and fulfills the requirements of the GDPR.