Privacy Policy

General Information

Thank you for visiting our website and using our App! The protection of personal data is of high importance for us. In fact, Meditopia is committed to protecting your personal data and treating it with the utmost care and respect. This Privacy Policy shall inform you about the processing of personal data on our website and in our App according to Art. 13, 14 GDPR. Personal data ("data") is any information relating to an identified or identifiable person. “Processing" of data means any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, filing, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

This Privacy Policy can be accessed and printed out at any time on the website. We reserve the right to amend this Privacy Policy to ensure compliance with the statutory provisions.

Controller

The Controller of your personal data is

The Meditation Company GmbH

Address: Brandenburgische Strasse 86/87

10713 Berlin Deutschland

Email: hello@meditopia.com

Controller is any natural or legal person who alone or jointly with others determines the purposes and means of the processing of personal data. The Meditation Company GmbH is the controller in connection with the use of Meditopia’s services and products in the European Union.

Data Protection Officer

For the protection of your data we Appointed a Data Protection Officer DPO.

You can reach our DPO at any time here: gdpr@meditopia.com

Scope of Data Processing

We only process the data as necessary and only for the purpose of providing a functional and user-friendly website and App as well as for the provision of our content and services. The legal basis for data protection can be found in particular in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data, on the free movement of such data and repealing Directive 95/46/EC ("General Data Protection Regulation", GDPR) as well as in the German Federal Data Protection Act (BDSG) and the German Act on Data Protection in Telecommunication and Telemedia (TTDSG).

We use various third-party providers, e.g. in the areas of hosting or mailing services, each of which processes data on our behalf. We have concluded corresponding order processing agreements with these third-party providers, which ensure that an adequate level of data protection is also guaranteed with respect to our (sub-)processors (Art. 28 GDPR). For more information on the third-party providers used, please feel free to contact our DPO.

We process contact information, usage data or other information that you provide to us. Details are set out in the table below or as otherwise described in this Privacy Policy or to you:

Data

Purpose

Legal Basis

contact data (e.g. name, address, telephone number), other contract data (e.g. orders)

communication or storage/processing of data in order to establish, implement and/or handle a contractual relationship; this may also include our online services

Art. 6 (1) b) GDPR

contact, contract and usage data

analysis of data on the basis of our legitimate interests in the form of quality assurance and marketing

Art. 6 (1) f) GDPR

data that you provide on the basis of consent (e.g. within the scope of registration)

with your consent for the purposes stated when giving it; this Applies, for example, to the data you provide voluntarily

Art. 6 (1) a) GDPR

We only process your data if this is necessary for the stated purposes. Failure to provide the data may have legal disadvantages, such as the loss of legal positions, for example, no response to your enquiry or the impracticability of a contract.

As a matter of principle, we will only transfer or disclose your data to third parties if we have obtained your consent or if there is another legal basis for doing so. We process your data only through our German entity thus process personal data within the EU/EEA. In case your data is processed outside the EU/EEA, e.g. when using third party tools (like Google), compliance with the Applicable laws is ensured in each case. If your data is transferred to third countries, such as the United States, we ensure that the legal requirements according to Art. 44 ff. GDPR for such a transfer are met and that your data is processed in the third country in accordance with the European data protection standards. For this purpose, we generally use the so-called EU standard contractual clauses (SCCs) that we conclude with the respective provider. Further, in accordance with the requirements of the ECJ following the "Schrems II" decision, a case-by-case risk analysis is carried out with regard to the respective third country. For further information, you can also contact our DPO.

Furthermore, we have taken technical and organizational measures to ensure that the regulations on data protection are observed both by us and by external service providers. For security reasons and to protect the transmission of confidential content that you send to us as the site operator, our website uses SSL or TLS encryption.

Visiting the Website

We collect data about every visit to our website (so-called server log files). The data listed below is processed as follows:

Data

Purpose

Legal Basis

name of the website accessed, file, date and time of access, amount of data transferred, notification of successful access, browser type and version, operating system/version, referrer URL (the previously visited page), IP address and the requesting provider, country code, language, device name, if Applicable.

statistical evaluations for the purpose of optimizing our website, ensuring the stability and operational security of the website

Art. 6 (1) f) GDPR based on our legitimate interest in fraud prevention and quality assurance

fulfillment of legal obligations, for reasons of data security

Art. 6 (1) c) GDPR

Contact and Emails

If you send us an email or contact us via the contact form, the information from the respective enquiry, including the contact data provided, will be stored by us for the purpose of processing the enquiry as follows:

Data

Purpose

Legal Basis

your enquiry, contact details (e.g. name, company, country, email address) or other data provided in the enquiry

communicating or storing/processing data in order to determine company enquiries, to establish, perform and/or settle a contractual relationship; this may include responding to your enquiry or making a refund

Art. 6 (1) b) GDPR

processing of data based on your consent to respond to the request

Art. 6 (1) a) GDPR

Download and Use of the App

When downloading the App in the App Store or Play Store, the required information is transferred to the respective store provider in particular

  • username
  • email address
  • customer number of your account
  • time of download
  • payment information
  • individual device code number.

We have no influence on this data collection and are not responsible for it. We process the data only to the extent necessary for downloading the App to your mobile device. When using the App, we collect the personal data described below in order to enable convenient use of the functions:

Data

Purpose

Legal Basis

IP address, Date and time of the request, Time zone, Contents of the request, Access status/HTTP status code, amount of data transferred in each case, website from which the request originates, browser, Operating system and its interface, Language and version of the browser software

Providing our services 

Art. 6 (1) b) GDPR

Ensuring of usability and stability of our system

Art. 6 (1) f) GDPR

Further we need your device identification, unique number of the terminal (IMEI = International Mobile Equipment Identity), unique number of the network subscriber (IMSI = International Mobile Subscriber Identity), mobile phone number (MSISDN), MAC address for WLAN use, name of your mobile terminal, e-mail address. When using the App, the device ID number is assigned to each registered device. Our access to the device ID number is necessary to identify the device and the user account in order to improve the use of the App and to deactivate the App on stolen or lost devices.

In addition to the data mentioned above, cookies are stored on your device when using our App. Cookies are small text files that are stored in the device memory of your mobile device and assigned to the App you are using. Cookies allow certain information to flow to the location that sets the cookie (here: us). Cookies cannot execute programs or transmit viruses to your mobile device. They serve to make mobile Apps more user-friendly and effective overall. Our App uses transient and persistent cookies. Transient cookies are automatically deleted when you close our App. These include in particular session cookies. They store a so-called session ID, which can be used to assign various requests to your mobile App. This enables your mobile device to be recognized when you use our mobile App again. The session cookies are deleted when you log out or close the App. Persistent cookies are automatically deleted after a specified period, which may vary depending on the cookie. You can configure the settings of your mobile operating system and the App according to your wishes and, for example, reject the acceptance of third-party cookies or all cookies. Please note that you may not be able to use all functions of our mobile App in this case.

Registration / Use of our Service

You may register on our website in order to use our service. We process the data you share with us in the registration process based on your consent or, if Applicable, to fulfill our service contract with you:

Data

Purpose

Legal Basis

Registration / login data (name, company name, date of birth, email address, phone number, password)

fulfillment of our Service-Agreement

Art. 6 (1) b) GDPR

enabling you to register 

Art. 6 (1) a) GDPR

We may also provide you with the option of putting in additional personal information, such as a photograph, and the information you may put into the “My Notes”.

You may be invited to complete a form or a survey, share your testimony, or participate in a promotion (like a contest or challenge) or a user-generated content (like podcasts), either through the Services or a third-party platform. If you participate, we will collect and store the data you provide as part of participating, such as your name, email address, date of birth and/or phone number.

Some of the information we ask you through questionnaires may be regarded as sensitive personal data, such as data concerning your health. We only process this information with your explicit consent (Art. 9 (2) a) GDPR). We use this information only to match you with appropriate mental health professionals and to allow your mental health professional to provide you with their best practice. When we are matching you with a mental health professional, we may use automated individual decision-making or manual methods. We do not use these data with information for any marketing purposes or any other purpose than your wellbeing. This information is only shared with your matched mental health professional and with no other third parties.

All data or information shared during (video) sessions with your mental health professional remain strictly confidential. We have no whatsoever access to this data/information and your mental health professional must not and will not share any of these data with us. The mental health professional will process your data only based on your consent. For scheduling sessions, we use Calendly (Calendly LLC, BB&T Tower, 271 17th St NW, Atlanta, GA 30363, USA). You will find further information on how Calendly processes your data here:https://calendly.com/de/pages/privacy. For the execution of video sessions with your mental health professional, we use the service Google Meet (Google LLC 1600 Amphitheatre Parkway Mountain View, CA 94043 United States; Privacy Policy:https://policies.google.com/privacy?hl=en-US). With regard to the video sessions we only process your IP address, the time and location and the duration of the session. Except for the aforementioned metadata, Google will not have no access to any information or data exchanged with your mental health professional.

Meditopia Soul

Our AI assisted chatbot Soul is powered by OpenAI’s ChatGPT. For this reason, if you choose to have a conversation with Soul, your conversations with Soul will be transferred to OpenAI’s servers, outside the EU, through an API connection. However, we will not transfer your conversations with any data that would allow OpenAI to identify you unless you specifically provide them within your conversations. We share your first name with OpenAI, so that Soul can address you properly, which is necessary for the user experience we aim for. 

Some of the information you provide during your conversations might be considered sensitive data (Art. 9 GDPR). We will only process such information based on your consent and use such information only for the provision of our service to you. You may withdraw your consent at any time with effect in the future.

To comply with GDPR’s requirements, we have executed a Data Processing Agreement with OpenAI which includes the standard contractual clauses adopted by the EU Commission on June 4, 2021. We do not allow OpenAI to use your information for training or improving its models. 

The data transfer between us and OpenAI is carried out throughSOC 2 Type 2 compliant API connection, which been audited by an independent third-party auditor against the2017 Trust Services Criteria for Security according to publicly available information from OpenAI (https://openai.com/policies/api-data-usage-policies).

OpenAI will retain your information sent through the API for a maximum of thirty (30) days, after which it will be deleted, except where OpenAI is required to retain copies under applicable laws, in which case OpenAI will isolate and protect that information from any further processing except to the extent required by applicable laws.

For further information on OpenAI’s API data usage policies, please refer to https://openai.com/policies/api-data-usage-policies.

We may also invite you to participate in surveys in connection with your use of Meditopia Soul. 

The information you provide during these surveys may be regarded as sensitive data (Art. 9 GDPR). We will rely on your explicit consent for processing this information and use it only for research and statistical purposes, and improving our services. We will never share this information with any third parties unless we anonymize it first. You may withdraw your explicit consent at any time with effect in the future.

Connection of third party Services / Single Sign-On Services

We may obtain certain information through your social media profiles or other online accounts you have permitted to be connected to our websites or mobile applications. If you login via Facebook or another third-party platform or service, we ask for your permission to access certain information which is already given under that account, such as your name, profile picture, account ID number, email address, location, physical location of your access devices, and birthday. Those platforms and services make information available to us through their APIs, and therefore, the information given to us is limited with the scope of your privacy settings in the platform or service. If you access or use our products or services through a third-party platform or service, the collection, usage, and sharing of your data will also be subject to the privacy policies and other agreements of that third party. We may also obtain information through third parties, which we have a business or legal relationship with, such as business partners, technical, payment and delivery service subcontractors, advertising networks, analytics providers or search information providers.

Meditopia for Work

If your employer has purchased “Meditopia for Work” for you to access Meditopia Premium Membership we may share your personal data (including without limitation, your name, surname, personal and/or corporate email address and IP) with your employer when it is necessary to affirm, validate, confirm or revoke the activation of your Premium Membership or to detect, prevent, or address fraud, abuse, or misuse of our Services. In such a case, we will always consider data minimization principle and we will never share any of your personal data not necessary to achieve the purposes specified under this paragraph. Without prejudice to the above, we will never share any non-aggregated or non-anonymized personal data with your employer, (such as the time spent on the Application and the content engaged with).

Your employer might have also purchased Meditopia Mindfulness Coaching or Meditopia Mental Wellbeing Coaching/Support Services. In that case, we might share with your employer the completed Session numbers, bookings, and similar information and issues that come up during the Sessions only in an anonymized form, without allowing anyone to match these data with you and identify you. Under no circumstances your employer will receive any data or information with regard to the content of your session with your mental health professional.

Newsletter / Newsletter tracking

With our newsletter we inform you about us and our offers. Only your email address is required to register for the newsletter. If you register for the newsletter, your email address will be transmitted to us (or our mail provider) and stored there. After registering, you will receive an email to confirm your registration ("double opt-in").

Data

Purpose

Legal Basis

contact data (email address, name if Applicable), device data (device name, country code if Applicable, language, name of operating system and version), connection data (IP address, mail provider)

advertising communication

Art. 6 (1) a) GDPR

You can withdraw your consent to the processing of Data for the purpose of sending the newsletter or evaluation of related data at any time. The withdrawal can take place over a link, which is contained in each newsletter, or by separate message to us. You will not incur any costs other than the transmission costs according to the basic tariffs.

Other information emails

If a contractual relationship has been established with us (for example, following successful registration on the website or via the App), we may send you emails with interesting information about similar goods or services. You can request at any time that you no longer receive such information emails from us. To do so, please contact us by message or click on the link at the end of the information emails. You will not incur any costs other than the transmission costs according to the basic rates.

Data

Purpose

Legal Basis

contact data (email address), technical data, usage data

communication to carry out a contractual relationship or on the basis of our legitimate marketing interests, including notification of similar goods or services.

Art. 6 (1) b) or f) GDPR (if Applicable in conjunction with Section 7 (3) UWG), Art. 6 (1) a) GDPR

Cookies and other third party tools

We use so-called cookies. Cookies are small text files that are stored on the end device used and saved by the browser. Cookies serve to make our offer more user-friendly, effective, and secure. There are different types of cookies that are used for different purposes. Some cookies ensure that our offers function properly or that you are recognized on your end device after successful registration ("necessary cookies”). By placing these necessary cookies, we make it easier for you to visit our offers and use the services available there. We place other cookies to analyze user preferences and thus improve our offers ("advanced cookies”).

We only place advanced cookies with your consent. When you visit our services for the first time, you will see a pop-up explaining cookies. Once you click on the relevant consent button, you agree to our use of the particular cookies selected, each of which is described in the pop-up as well as in this Privacy Policy. If you want to manage your consent or receive further information on the cookies used on our website, click here. YOU MAY REVIEW ALL COOKIES USED ON OUR WEBSITE THROUGH THE SAME LINK.

In addition, you can adjust your browser so that you are informed about the setting of cookies and only allow cookies in individual cases, exclude the acceptance of cookies for certain cases or in general and activate the automatic deletion of cookies when closing the browser. You can manage many online ad cookies from companies via the US sitehttp://www.aboutads.info/choices/ or the EU sitehttps://www.youronlinechoices.com/de/. Please note that if you disable cookies, the functionality of this website may be limited.

Insofar as personal data is processed when "necessary" cookies are used, this is based on the legal basis Art. 6 (1) f) GDPR due to legitimate interests of quality assurance and a technically flawless presentation of the website. The processing of personal data when using so-called "advanced cookies" is based on your consent (legal basis: Art. 6 (1) a) GDPR).

Apple HealthKit

We use Apple’s HealthKit framework, which provides a central repository for health and fitness data on iPhone and Apple Watch and – with your explicit consent – lets Apps communicate with the HealthKit store to access and share this data. If you download and use the Apple Watch version of the Application, we may collect and process your heart rate data, obtained through the HealthKit framework and the Apple CoreMotion processor, with your explicit consent. New data attributes may be added to the HealthKit framework, which will be portrayed in the Application and which you have to consent to.

If you grant the App access to HealthKit, it can add information to certain sections of HealthKit, ie. adding the minutes of meditation that the User is listening to in the Application to the Awareness Time section in HealthKit.

Google Fit

We use Google’s Fit SDK which is an open platform that lets users control their fitness data. We do not collect or process any data from Google Fit. However, we may add information to certain sections of Google Fit, ie. adding the minutes of meditation that the User is listening to in the App to the Awareness Time section in Google Fit. New data attributes may be added to the Google Fit framework, which will be portrayed in the App and which you have to consent to.

Social Media

We are present on various social media platforms and process user data within this framework in order to communicate with users active there or to offer information about us. User data is usually processed within social networks for market research and advertising purposes. For example, usage profiles can be created based on the usage behavior and resulting interests of the users. The usage profiles can in turn be used, for example, to place advertisements within and outside the networks that presumably correspond to the interests of the users. For these purposes, cookies are usually stored on the users' computers, in which the usage behavior and the interests of the users are stored. Furthermore, data independent of the devices used by the users may also be stored in the usage profiles (especially if the users are members of the respective platforms and are logged in to them). For a detailed presentation of the respective forms of processing and the options to object (opt-out), we refer to the data protection declarations and information provided by the operators of the respective networks.

In the case of requests for information and the assertion of data subject rights, we would also like to point out that these can be asserted most effectively with the providers. Only the providers have access to the users' data and can take Appropriate measures and provide information directly. If you still need help, you can contact us.

Data

Purpose

Legal Basis

inventory data (e.g. names, addresses), contact data (e.g. email, telephone numbers), content data (e.g. text entries, photographs, videos), usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses)

contact requests and communication, tracking (e.g. interest/behavioral profiling, use of cookies), remarketing, reach measurement (e.g. access statistics, recognition of returning visitors), affiliate tracking.

Art. 6 (1) f). GDPR. The use of common social media channels is in our legitimate interest in marketing our offer.

Services used and service providers:

Data Processing of Applicants

In the event that you apply for a job with us, we will process certain data about you. This data includes your name, email, address and telephone number, gender, work history, qualifications, country of residence, language skills and any other personal information you provide in your interactions with us. We may also ask for additional information to assist us in our recruitment process and if you are offered a job, an example would be date of birth and employment documents.

We process your personal data to fulfill our contractual or pre-contractual obligations (based on Art. 6 (1) b) GDPR) or, where applicable, for the purpose of the employment relationship with you (Section 26 BDSG), in particular we use your data:

Storage and Deleting of Data

We only store your personal data for as long as it is necessary for the respective processing purpose and limit the storage period to the minimum necessary. You may delete your personal data at any time directly in the account settings on www.meditopia.com or our mobile application. In order to do so you have to click on the “Delete my account” button. Please note that you cannot delete your account/data in case of an active subscription as the processing of your data is necessary for the execution of the contract. If the processing purpose for your data lapsed or you actively decided to delete your data, we will only process your data, if we are obliged to do so under the statutory retention periods (for example, in accordance with the German Commercial Code (HGB) or the German Fiscal Code (AO)).

Your Rights

You have the following rights:

  • the right to information,
  • the right to correction or deletion,
  • the right to restrict processing,
  • the right to data portability,
  • the right to revoke your consent with effect for the future.
  • the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of Art. 6 (1) e) or f) GDPR; this also applies to profiling based on these provisions.

To exercise your aforementioned rights, you can send an email to gdpr@meditopia.com. In addition, you also have the right to lodge a complaint with a data protection supervisory authority.

If you have any questions with regard to the processing of your data, feel free to contact us at any time.

September 2023



Join millions of people who feel better every day with Meditopia.
Company
About
Editorial Process
Career
For work
Press and News
Services
Plans for Businesses
Workplace Articles
Blog
EAP
Traditional EAP vs Meditopia
Gift
Redeem a Code
Member happiness
Help
Help for Businesses
Terms & Conditions
Privacy Policy
Language 🌐
ISO 27001: ISO 27001 Certification
GDPR: European Union General Data Protection Regulation Compliance
SSL Secure: Secure Data Communication Certificate
Peryön: People Management Association of Turkey
G2: High Performer Business in Fall 2024
Great Place to Work: Certified Great Workplace (September 2023-September 2024)
SaaSHub: Verified Software Platform