Data Privacy Policy

Last Updated: 2023-09-12

Konfidens' Data Privacy Policy details how Konfidens collects, utilizes, and deletes your data. By using the Konfidens platform (the "Platform") and making use of your Konfidens account (the "Account") and all its related features, including session notes, appointments, payments, and video chat (the "Services"), you acknowledge that your data related to your use of our Services is processed in accordance with the following privacy policy. This privacy policy, along with any product-specific privacy policies (collectively, the "Privacy Policy"), outlines (i) the data we collect during your access and use of the Services; (ii) how we use this data; and (iii) the measures we have in place to safeguard your data. Please consider the Privacy Policy as a supplementary document to our terms and conditions.

Data Controller and Processor

The services are operated by Mindcare AS (Business Registration Number: 925 239 070), headquartered at Rathkes gate 5B, 0558 Oslo. You can reach us via email at hello@konfidens.com.

Mindcare acts as the data controller for information collected from its clients. This typically includes data necessary for service delivery and fulfilling our obligations to our customers.

Our customers utilize our services to manage their mental health care practices. As part of this process, data pertaining to their clients is stored and processed on our platform. For this data, Mindcare assumes the role of the data processor, while the account holder serves as the data controller.

When is Personal Information Collected?

We process information about you in the following situations:

  1. You have registered as a user on the platform.
  2. You create an order or agreement on the platform.
  3. An order or agreement is made on your behalf.
  4. You are invited to the platform by a colleague or friend.
  5. You subscribe to our newsletter.
  6. You have applied for a job with us.
  7. You contact us via chat, email, or other means.

Legal Basis for Processing Personal Information

The personal information collected is processed based on the following:

For platform users

Legal Basis: The legal foundation we operate under for the information pertaining to platform users is established in accordance with § 1 of the Personal Data Act, in conjunction with Article 6(1)(b) of the General Data Protection Regulation (GDPR). This legal framework is anchored in the agreements entered into by platform users, as stipulated in our terms of use.

Data Processing Agreement: Regarding the information that our customers input into the platform, we assume the role of a data processor, governed by the provisions set forth in our data processing agreement. This agreement clearly outlines our responsibilities and obligations in managing this data.

For clients

The legal foundation for data processing relies on your consent to utilize our platform for the services we offer, in accordance with Article 9(2)(a) of the General Data Protection Regulation (GDPR). When using our platform as a patient, this consent is granted for the following purposes:

  1. Secure Login: We process your information to facilitate secure login.
  2. Appointment Management: This includes appointment booking and any subsequent changes to your appointments with your healthcare provider.
  3. Booking History: We maintain a history of your past bookings.
  4. Payments: Facilitating payments from you to your healthcare provider.

It's important to note that beyond these specified purposes, your healthcare provider assumes the role of the data controller for information related to you, while we act as the data processor for this information.

Visits to app.konfidens.com

Cookies

For security and privacy reasons, Konfidens does not use any third-party cookies on the website. Konfidens only uses its own cookies to provide functionality related to user-friendliness and security, but we strive to keep this number to a minimum.

You can read more about our cookies on this page.

Event Logging

Konfidens adheres to the information security and privacy standards set by the Norwegian Directorate of eHealth within the healthcare sector. Consequently, a majority of your actions as a healthcare professional are systematically recorded. These actions encompass, among others:

  • Initiating a session from an unfamiliar device.
  • Accessing a patient's record.
  • Writing session notes.
  • Electronically signing a note.
  • Revising an already signed note.
  • Granting access to a patient's record to a supervisor or colleague (subject to patient consent).

Each log entry comprises a user identifier, the date of the action, and specifics about your login method during that session. In cases involving particularly sensitive actions, such as printing notes from a patient's record, we also log your IP address for added security and accountability.

Who is Your Personal Information Shared With?

Konfidens uses a limited number of subcontractors to provide services on the platform. In cases where the processing of personal information is necessary, we require the data to be processed and stored in Europe, in compliance with the General Data Protection Regulation (GDPR).

Data subprocessors

To provide the Services, we rely on select data subprocessors, which process different categories of data. Processors never store data outside of the scope of their specific purpose. Subprocessors are as follows:

  • AWS
    The platform runs and stores data in data centers located in Frankfurt, Germany, operated by AWS EMEA SARL. All information on the platform is stored in databases in these data centers.
  • Criipto
    Applicable only for Norwegian users.
    When you carry out identification or authentication using BankID, we use Criipto to complete the process. Konfidens does not send personal information to Criipto, but we receive your date of birth, first name, and last name upon successful authentication. Please read Criipto's privacy policy for more information.
  • Adyen
    When you make a payment to us, or collect payments from clients, the payment is facilitated using our subcontractor, Adyen. We also use this provider to issue refunds or payments to you or your clients. Data exchanged in the process includes your account information. Please read Adyen's privacy policy for more information.
  • GatewayAPI
    The platform uses SMS to verify ownership of phone numbers and for authentication of known users. We use GatewayAPI for sending SMS. Data is stored and processed in Germany, Finland, and/or Denmark. The personal information transmitted includes:
    • Your phone number
    We never use your phone number for marketing or newsletters.
  • Brevo
    Emails sent automatically from the platform, such as email confirmations or clinic invitations, are sent via Brevo (formerly Sendinblue). Data is stored and processed in Germany, Belgium, and/or Ireland. The personal information transmitted includes:
    • Email address
    • Recipient's name
    • Subject and content of the email
    When emails are sent on your behalf, such as clinic invitations, the email text may include your name and email address. We never send healthcare information via email. Invitations to the platform will not grant access to sensitive data without the recipient also confirming with a code sent through another medium (e.g., SMS).
  • Google Cloud / Helpcrunch / Intercom
    Emails to and from us that are not automatic emails are received and sent via HelpCrunch or sent via Intercom or Google Cloud, depending on the recipient's address you send to. When we initiate the email exchange, we will provide your name and email address to the third party. If you initiate the exchange, the personal information exchanged is controlled by your email provider but typically limited to name and email address.
  • Whereby
    In cases where you conduct a video appointment, Whereby is used as the service provider. Konfidens does not directly transfer personal information to the service, but due to the nature of the content, we consider this as processing special categories of personal information. The video stream is encrypted between parties but may be decrypted in small time windows while being processed by Whereby's video routers. Please read Whereby's privacy policy for more information.

How Long Do We Store Your Information?

If you have created a user account but have not been active for a period of 4 years, we will send you a notice that your account will be archived and deactivated. Archiving involves anonymizing your data and occurs 6 months after the notice, unless you log in again in the meantime. Personal information processed under Konfidens' legitimate interests will be stored as long as we are required to keep them. For example, if you have made payments on the platform, information we are legally required to store according to Norwegian accounting regulations will be retained for 10 years after the end of the fiscal year.

Your Rights

You have the right to receive a response without undue delay, and no later than one month. Contact us at hello@konfidens.com if you wish to exercise any of these rights.

  • Access to Your Data
    You have the right to access the data we have about you. If we hold healthcare information about you, we will require identification to provide you with this information. Learn more about the right to access.
  • Correction of Personal Information
    You can ask us to correct or supplement inaccurate or misleading information. Learn more about the right to correct or supplement information.
  • Right to Be Forgotten
    You have the right to be forgotten if our information about you is inadequate, irrelevant, or no longer necessary for the purpose it was processed. Learn more about the right to erasure.
  • Data Portability
    If we process information about you based on consent or a contract, you can request that we transfer information about you to you or to another data controller.

Information in Patient Records

If you are a patient and require corrections or deletions of information entered into the platform by your healthcare provider, kindly reach out to the therapist or clinic responsible for your treatment. Please be aware that healthcare professionals may have legal obligations to maintain records of individuals who have received healthcare services and the nature of the care provided, as stipulated by national legislation.

Complaints About Processing

We hope you will let us know if you believe we are not in compliance with the rules in the Personal Data Act. In that case, please contact us through the contact or channel you have already established with us.