Privacy policy


24 May 2024

Change log:
- Updated marketing and support pages' privacy principles
- Updated numbering

1. General privacy principles for all services by HeiaHeia Oy
2. Privacy Principles for the HeiaHeia service
3. Privacy Principles for services we provide for the Finnish Defence Forces
4. Privacy Principles for services we provide for the Estonian Defence Forces
5. Privacy Principles for the HeiaHeia marketing and support pages
6. Google user data




1. General privacy principles for all services by HeiaHeia Oy

1.1 General

Your privacy is important to us. The HeiaHeia Privacy Policy (“Privacy Policy”) is designed to protect your privacy and to help you understand what personal data HeiaHeia Oy (“HeiaHeia”) collects from you, how we collect the data, and how we use the data. HeiaHeia offers a range of services directly to customers, via employers, and via channel partners. Our services include but are not limited to personal coaching, remote coaching via digital tools, and digital wellbeing services. When taking any of our services into use, you have actively given consent to our Terms of Service and this Privacy Policy. Please read the product-specific details in this Privacy Policy, which provide detailed information about HeiaHeia’s services, including cookie usage practices and register information for products and services that collect personal data. This Privacy Policy applies to HeiaHeia’s interactions with you and the HeiaHeia products and services listed below, as well as other HeiaHeia products and services that display this Privacy Policy.

1.2 Our Privacy Principles:

  • We fulfil the requirements of the General Data Protection Regulation 2016/679 (GDPR) and the Privacy and Electronic Communications Directive 2002/58/EC (E-Privacy Directive) of the European Union
  • We fulfil the requirements of the Act on the Protection of Privacy in Working Life 759/2004 of the Finnish law
  • HeiaHeia Oy is either a Data Controller or a Data Processor working on behalf of the Data Controller for all personal data collected and processed in all the services it provides.
  • You as an end-user have control over your personal data: You decide how much of your personal details you want to share with others. You can transfer your personal data from our digital tools in machine readable format (“data portability”). You can remove your personal data from our digital tools (“right to erasure”).
  • We only collect and process personal data that is necessary for providing our products and services.
  • We provide aggregate level reporting to our customers. These reports are only shown when sample sizes are large enough to not enable identifying individuals. These reports do not contain health data. Some of the reports contain personal data when used e.g. for rewarding as a part of activity campaigns. In these cases, the end-user has been informed about the reporting practices in the service description, the end-user has given consent to the reporting, and can opt out of the reporting at any point.
  • We use data created in our services for anonymised data analysis for research purposes, targeting to create new knowledge on wellbeing and factors impacting it. Anonymised data used in research is not personal data, and individuals cannot be identified from this data. We might work with research partners such as universities. Results of our research might be made public.
  • We do not sell, rent, loan or give out your name, email address, or other personal data to anyone. However, if the service provider or all of its assets would be acquired, customer information might be transferred to the acquiring party.
  • Your personal data may be transferred across international borders to server locations supporting the service. Details of hosting solutions used are covered in Product-specific Privacy Statements.
  • No security system is impenetrable and security risks exist in any system. However, we make consistent efforts to keep your information secure.
  • We may use cookies in order to provide a better service, related to Authentication, Security, User Preferences, Performance, Analytics, Research, and Advertising. Details of our Cookie usage practices are covered in Product-specific Privacy Statements.
  • Changes to our Privacy Policy will be published on our web site.
  • Should you have any privacy related questions or suggestions, please contact us at


2. Privacy Principles for the HeiaHeia service

2.1 Basic principles

  • HeiaHeia (including a free service level and premium services such as HeiaHeia Pro) is a social wellbeing service. We collect and process personal data in order to enable personal wellbeing tracking and improvement, as well as peer support among friends and colleagues.
  • Identifying the data controller and data processors: The GDPR differentiates between the “controller” and “processor” of personal data. HeiaHeia Oy is the data controller for the free version of HeiaHeia. HeiaHeia’s premium versions are distributed via “communities”; a community may have its own personal data register and data controller. The personal data register of a premium community includes personal data created in the community in accordance with the purpose of the community. An individual user’s wellbeing data is exported from the premium register also to the free service’s register (excluding data types only available in the premium service) so that the user may continue using the free service also in the case that the premium service is discontinued. The data controller of a premium service may be HeiaHeia Oy (in case the customer of the premium service is an employer), the customer (in case the customer is not an employer), or a reseller (in case the customer is an employer and the reseller defines the contents of the premium service). The Act on the Protection of Privacy in Working Life of the Finnish law limits what kind of personal data of employees an employer may process and thus also the employer’s possible data processing related roles in HeiaHeia. In cases where HeiaHeia Oy is not a data controller, it is typically a data processor on behalf of the controller. Data processing related roles and responsibilities are defined in data processing agreements (DPA) between controllers and processors.
  • You as an end-user have control over your personal data: You decide how much of your personal details you want to share with others. You can control your privacy level from HeiaHeia’s settings. You can transfer your personal data from our digital tools in machine readable format (“data portability”). You can remove your personal data from our digital tools (“right to erasure”).
  • We store the information collected during the registration process, such as your email address, in order to provide the service. We also store your exercise data and potentially other information created at the service.
  • Our data retention policy combines two aspects: storing personal data for only as long as it is required and preventing inadvertent data loss. In practice we recommend inactive users periodically (after three years of inactivity) to remove their user accounts. After three missed recommendations, we automatically remove inactive user accounts.
  • Sharing your exercises and other entries to other HeiaHeia users is managed with friendships. Your friends see all your non-private entries in their ‘feeds’. If you mark individual entries as private, your friends will not see them.
  • Your name is always searchable and your profile picture is visible within HeiaHeia’s friend search. The privacy level you’ve selected defines who can access your full profile page and training log by clicking your name. The default setting is “Only my HeiaHeia friends”.
  • When utilising coaching services in HeiaHeia, you give consent for the coach to see all the information you have stored in HeiaHeia, including entries you have marked as private.
  • HeiaHeia’s mobile applications may use and store your current location to record your workouts. You may disable location services from mobile application settings, but then you will not be able to add location data to workouts.
  • Location data (GPS data) created by you with HeiaHeia mobile applications or other compatible methods may be stored to create and annotate training log entries, and is treated with the same privacy principles as all training log data. Maps and “check-ins” created from GPS data have more privacy options than other training log data types, enabling stricter privacy. GPS data created on HeiaHeia mobile apps that is not used to create training log entries is not stored permanently by HeiaHeia.
  • Data created by users of HeiaHeia may be used for creating anonymous aggregated statistics.
  • Community admins may have access to aggregate anonymous community statistics as well as possible participant lists of users that have given consent.
  • Most important anonymous aggregated community statistics created from HeiaHeia user data include the following:
    • Amount of active users
    • Distribution of activity levels and accumulation of wellbeing score points from different areas of activity
    • Most popular exercise types, hobbies, and micro actions
    • Amount of training programs and habit challenges started
    • Amount of cheers given
    • Average amount of exercise and steps
    • Amount of users who have reached personal goal during challenge
    • Amount of users who have exercised on average over 2,5 hours per week
    • Amount of users who have taken on average over 10 000 steps per day
  • HeiaHeia may include wellbeing surveys, which may be used for creating anonymous aggregated community statistics. In these statistics, exact figures are shown only if N ≥ 5.
  • If you join a HeiaHeia community via a community invitation or community code, you give consent to participate in possible activity challenges and rewarding programs. These service elements include being part of participant lists and reporting that may include high level personal activity data, like the amount of steps, kilometers, or “wellbeing points” you have collected during a time period. You can choose to opt-out of or opt-in to this personal data sharing at any point via the settings, under “Participant lists and reporting”.
  • Challenge leaderboards visible to all members of a community governed by the “Participant lists and reporting” consent may include the following data:
    • Amount of exercises, hobbies or micro actions, exercise hours, kilometers / miles, wellbeing points, steps
    • Challenge reports for the challenge organiser may include the same data that is shown for challenge participants, and derivatives thereof
  • Reporting governed by the “Participant lists and reporting” consent may include the following data:
    • Highlights: most popular events in the community based on cheers and comments
    • Leaderboards: the community's most active members in different categories (amount of entries, most entries split to endurance and strength and mobility, amount of cheers, amount of different entry types, distance covered, duration, amount of micro actions, steps, wellbeing points and wellbeing point level)
    • Custom: Leaderboards per entry type including total amount of entries, total duration, total distance. Leaderboards for micro actions including total amount of entries.
  • Premium communities may have a “community wall” enabled. Community members may share exercise and hobby entries to the community wall. These entries can be seen by all community members on the community wall. Images shared with entries to the community wall may be used in photo collages and other summaries. Each entry is shared actively. Entries may be unshared from the community wall at any point. 

2.2 HeiaHeia cookie usage practices:

  • Authentication: If you’re signed in to HeiaHeia, cookies help us to show you the desired information and personalise your experience.
  • Security: We use cookies to enable and support our security features, and to help us detect malicious activity and violations of our Terms of Service.
  • Preferences, features and services: Cookies can tell us which language you prefer and what your communications preferences are.
  • Advertising: We may use cookies to show you relevant advertising both on and off the HeiaHeia site. We may also use a cookie to learn whether members who saw an ad on HeiaHeia later visited the advertiser’s site. Similarly, our partners may use a cookie to determine whether we’ve shown an ad and how it performed, or provide us with information about how you interact with ads. We may also work with a partner to show you an ad on or off HeiaHeia, such as after you’ve visited a partner’s site or application.
  • Performance, Analytics and Research: Cookies help us learn how well our site performs in different locations. We also use cookies to understand, improve, and research products, features, and services, including when you access HeiaHeia from other websites, applications, or devices such as your work computer or your mobile device.
  • No 3rd party cookies are currently utilised


2.3 Personal data collection in HeiaHeia:

Personal data collection register information according to the GDPR (679/2016), articles 12-14:

  • The register is maintained by: HeiaHeia Oy (Ltd), contact:
  • Register name: HeiaHeia user register
  • Purpose of use: The register is used for providing the HeiaHeia service and for managing user relations between HeiaHeia Oy and its service end-users. Register information is not used for direct marketing without the user’s consent, managed by service settings.

2.4 Register content:

  • The user’s personal information (name, gender, birthday)
  • Unique customer ID
  • The user’s contact information (email, phone number optional)
  • The user’s hometown
  • The user’s personal measurement information (height, weight)
  • The user’s wellbeing targets, including free form targets, weekly exercise targets, daily step target, nightly sleep target
  • Exercise types of interest to the user
  • The user’s wellbeing diary information and other wellbeing and other data, including exercises, hobbies, micro actions, notes, recovery days, steps, meals, sleep, and weight, entered to the service by the user
  • Wellbeing data from wearable devices connected to HeiaHeia by the user, e.g. exercise data (including location data as GPS tracks and check-ins), daily step count, sleep data
  • Wellbeing data included in diary entries, inputted by the user or transferred from a wearable device, may include activity type (exercise type, hobby type, micro action type), notes, date, duration, distance, attached photos, mood, text tags, location, GPS track, privacy level, inclusion/exclusion in personal stats, inclusion/exclusion in community wall, calories, average heart rate, maximum heart rate, elevation, steps, status as a favourite, success/failure, selection from pre-given content options
  • Achievements and statistics based on the user's data
  • Possible ongoing programs (which may include surveys and wellbeing-improving tasks)
  • Photos uploaded to the service by the user
  • The user’s social connections and social reactions in the service, including possible coaching relationships
  • The user’s messaging history in the service
  • The user’s membership status in communities and groups
  • Answers to surveys inputted by the user and conclusions based on your answers, which may include e.g. fitness level or level of ability to perform, BMI, or VO2max, as well as recommended programs or workouts
  • “Wellbeing points” based on your activity in the service as well as a level based on collected points

  • Participation in community challenges and reporting based on a separate consent
  • Newsletter sending permission (email marketing)
  • The user’s privacy settings and other settings in the service
  • The user’s advertisement click-through history in the service
  • Email messages sent to the user from HeiaHeia (message header)
  • Application logs on all requests sent to the application (including e.g. user ID, the user's IP address and browser information)
  • Server logs
  • Audit logs
  • For all our logs, we have a retention period of 2 years. Cleanup is done periodically, with no separate notifications.
  • Information sources: Information provided by user her/himself or generated by the HeiaHeia service.
  • Register protection principles: The data is stored on servers located inside the EU, run by makandra GmbH. The server configuration addresses security by limiting outside access to minimum, applying firewalling for each server instance and deploying services to subnets that have limited access to each other and to outside networks. We operate a server cluster optimised for data and failure safety with multiple machines in order to be able to guarantee high availability even in case of hardware failures.


3. Privacy Principles for services we provide for the Finnish Defence Forces

Privacy Principles for personal data collected and processed in services HeiaHeia provides the Finnish Defence Forces

3.1 MarsMars Privacy Principles

  • MarsMars, a service offered by the Finnish Defence Forces to private individuals, is a social wellbeing service, based on peer support. We collect and process personal data in order to enable personal wellbeing tracking and improvement, as well as peer support among friends.
  • You as an end-user have control over your personal data: You decide how much of your personal details you want to share with others. You can control your privacy level from MarsMars’s settings. You can transfer your personal data from our digital tools in machine readable format (“data portability”). You can remove your personal data from our digital tools (“right to erasure”).
  • We store the information collected during the registration process, such as your email address, in order to provide the service. We also store your wellbeing data and potentially other information created at the service.
  • Our data retention policy combines two aspects: storing personal data for only as long as it is required and preventing inadvertent data loss. In practice we recommend inactive users periodically (after three years of inactivity) to remove their user accounts. After three missed recommendations, we automatically remove inactive user accounts.
  • Sharing your exercises and other entries to other users is managed with friendships. Your friends see all your non-private entries in their ‘feeds’. If you mark individual entries as private, your friends will not see them.
  • Your name is always searchable and your profile picture is visible within MarsMars’s friend search. The privacy level you’ve selected defines who can access your full profile page and training log by clicking your name. The default setting is “Only my friends”.
  • When utilising coaching services in MarsMars, you give consent for the coach to see all the information you have stored in MarsMars, including entries you have marked as private.
  • MarsMars mobile applications may use and store your current location to record your workouts. You may disable location services from mobile application settings, but then you will not be able to add location data to workouts.
  • Location data (GPS data) created by you with MarsMars mobile applications or other compatible methods may be stored to create and annotate training log entries, and is treated with the same privacy principles as all training log data. Maps and “check-ins” created from GPS data have more privacy options than other training log data types, enabling stricter privacy. GPS data created on MarsMars mobile apps that is not used to create training log entries is not stored permanently by MarsMars.
  • Data created by users of MarsMars may be used for creating anonymous aggregated statistics.

3.2 Personal data collection in MarsMars:

Personal data collection register information according to the GDPR (679/2016), articles 12-14:

  • The register is maintained by: HeiaHeia Oy (Ltd), contact:
  • Register name: MarsMars user register
  • Purpose of use: The register is used for providing the MarsMars service and for managing user relations between HeiaHeia Oy and its customers and service end-users.
  • Register information is not used for direct marketing without the user’s consent.

3.3 Register content:

  • The user’s personal information (name, gender, birthday)
  • Unique customer ID
  • The user’s contact information (email)
  • The user’s hometown
  • The user’s personal measurement information (height, weight)
  • The user’s wellbeing targets, including free form targets, weekly exercise targets, daily step target, nightly sleep target
  • Exercise types of interest to the user
  • The user’s wellbeing diary information and other wellbeing and other data, including exercises, hobbies, micro actions, notes, recovery days, steps, meals, sleep, and weight, entered to the service by the user
  • Wellbeing data from wearable devices connected to MarsMars by the user, e.g. exercise data (including location data as GPS tracks and check-ins), daily step count, sleep data
  • Wellbeing data included in diary entries, inputted by the user or transferred from a wearable device, may include activity type (exercise type, hobby type, micro action type), notes, date, duration, distance, attached photos, mood, text tags, location, GPS track, privacy level, inclusion/exclusion in personal stats, inclusion/exclusion in community wall, calories, average heart rate, maximum heart rate, elevation, steps, status as a favourite, success/failure, selection from pre-given content options
  • Achievements and statistics based on the user's data
  • Possible ongoing programs (which may include surveys and wellbeing-improving tasks)
  • Photos uploaded to the service by the user
  • The user’s social connections and social reactions in the service, including possible coaching relationships
  • The user’s messaging history in the service
  • The user’s membership status in communities and groups
  • Answers to surveys inputted by the user and conclusions based on your answers, which may include e.g. fitness level or level of ability to perform, BMI, or VO2max, as well as recommended programs or workouts
  • Newsletter sending permission (email marketing)
  • The user’s privacy settings and other settings in the service
  • The user’s advertisement click-through history in the service
  • Email messages sent to the user (message header)
  • Application logs on all requests sent to the application (including e.g. user ID, the user's IP address and browser information)
  • Server logs
  • Audit logs
  • For all our logs, we have a retention period of 2 years. Cleanup is done periodically, with no separate notifications.
  • Information sources: Information provided by user her/himself or generated by the service.
  • Register protection principles: The data is stored on servers located inside the EU, run by makandra GmbH. The server configuration addresses security by limiting outside access to minimum, applying firewalling for each server instance and deploying services to subnets that have limited access to each other and to outside networks. We operate a server cluster optimised for data and failure safety with multiple machines in order to be able to guarantee high availability even in case of hardware failures.


4. Privacy Principles for services we provide for the Estonian Defence Forces

Privacy Principles for personal data collected and processed in services HeiaHeia provides the Estonian Defence Forces

4.1 Spordivägi Privacy Principles

  • Spordivägi, a service offered by the Estonian Defence Forces to private individuals, is a social wellbeing service, based on peer support. We collect and process personal data in order to enable personal wellbeing tracking and improvement, as well as peer support among friends.
  • Identifying the data controller and data processors: The GDPR differentiates between the “controller” and “processor” of personal data. HeiaHeia Oy is the data controller for the free version of HeiaHeia. HeiaHeia’s premium versions are distributed via “communities”; a community may have its own personal data register and data controller. Spordivägi is a white label version of HeiaHeia built for the purpose of distributing a premium community and its content. The personal data register of the Spordivägi premium community includes personal data created in the community in accordance with the purpose of the community. An individual user’s wellbeing data is exported from the premium register also to the free service’s register (excluding data types only available in the premium service) so that the user may continue using the free service also in the case that the premium service is discontinued. The data controller of the Spordivägi premium community is the Estonian Defence Forces; HeiaHeia Oy is a data processor for the Spordivägi premium community working on behalf of the Estonian Defence Forces. Data processing related roles and responsibilities are defined in data processing agreements (DPA) between controllers and processors.
  • You as an end-user have control over your personal data: You decide how much of your personal details you want to share with others. You can control your privacy level from Spordivägi’s settings. You can transfer your personal data from our digital tools in machine readable format (“data portability”). You can remove your personal data from our digital tools (“right to erasure”).
  • We store the information collected during the registration process, such as your email address, in order to provide the service. We also store your wellbeing data and potentially other information created at the service.
  • Our data retention policy combines two aspects: storing personal data for only as long as it is required and preventing inadvertent data loss. In practice we recommend inactive users periodically (after three years of inactivity) to remove their user accounts. After three missed recommendations, we automatically remove inactive user accounts.
  • Sharing your exercises and other entries to other users is managed with friendships. Your friends see all your non-private entries in their ‘feeds’. If you mark individual entries as private, your friends will not see them.
  • Your name is always searchable and your profile picture is visible within Spordivägi’s friend search. The privacy level you’ve selected defines who can access your full profile page and training log by clicking your name. The default setting is “Only my friends”.
  • When utilising coaching services in Spordivägi, you give consent for the coach to see all the information you have stored in Spordivägi, including entries you have marked as private.
  • Spordivägi mobile applications may use and store your current location to record your workouts. You may disable location services from mobile application settings, but then you will not be able to add location data to workouts.
  • Location data (GPS data) created by you with Spordivägi mobile applications or other compatible methods may be stored to create and annotate training log entries, and is treated with the same privacy principles as all training log data. Maps and “check-ins” created from GPS data have more privacy options than other training log data types, enabling stricter privacy. GPS data created on Spordivägi mobile applications that is not used to create training log entries is not stored permanently by Spordivägi.
  • Data created by users of Spordivägi may be used for creating anonymous aggregated statistics.

4.2 Personal data collection in Spordivägi

Personal data collection register information according to the GDPR (679/2016), articles 12-14:

  • The register is maintained by: HeiaHeia Oy (Ltd), contact:
  • Register name: Spordivägi user register
  • Purpose of use: The register is used for providing the Spordivägi service and for managing user relations between HeiaHeia Oy and its customers and service end-users.
  • Register information is not used for direct marketing without the user’s consent.

4.3 Register content:

  • The user’s personal information (name, gender, birthday)
  • Unique customer ID
  • The user’s contact information (email)
  • The user’s hometown
  • The user’s personal measurement information (height, weight)
  • The user’s wellbeing targets, including free form targets, weekly exercise targets, daily step target, nightly sleep target
  • Exercise types of interest to the user
  • The user’s wellbeing diary information and other wellbeing and other data, including exercises, hobbies, micro actions, notes, recovery days, steps, meals, sleep, and weight, entered to the service by the user
  • Wellbeing data from wearable devices connected to Spordivägi by the user, e.g. exercise data (including location data as GPS tracks and check-ins), daily step count, sleep data
  • Wellbeing data included in diary entries, inputted by the user or transferred from a wearable device, may include activity type (exercise type, hobby type, micro action type), notes, date, duration, distance, attached photos, mood, text tags, location, GPS track, privacy level, inclusion/exclusion in personal stats, inclusion/exclusion in community wall, calories, average heart rate, maximum heart rate, elevation, steps, status as a favourite, success/failure, selection from pre-given content options
  • Achievements and statistics based on the user's data
  • Possible ongoing programs (which may include surveys and wellbeing-improving tasks)
  • Photos uploaded to the service by the user
  • The user’s social connections and social reactions in the service, including possible coaching relationships
  • The user’s messaging history in the service
  • The user’s membership status in communities and groups
  • Answers to surveys inputted by the user and conclusions based on your answers, which may include e.g. fitness level or level of ability to perform, BMI, or VO2max, as well as recommended programs or workouts
  • Newsletter sending permission (email marketing)
  • The user’s privacy settings and other settings in the service
  • The user’s advertisement click-through history in the service
  • Email messages sent to the user (message header)
  • Application logs on all requests sent to the application (including e.g. user ID, the user's IP address and browser information)
  • Server logs
  • Audit logs
  • For all our logs, we have a retention period of 2 years. Cleanup is done periodically, with no separate notifications.
  • Information sources: Information provided by user her/himself or generated by the service.
  • Register protection principles: The data is stored on servers located inside the EU, run by makandra GmbH. The server configuration addresses security by limiting outside access to minimum, applying firewalling for each server instance and deploying services to subnets that have limited access to each other and to outside networks. We operate a server cluster optimised for data and failure safety with multiple machines in order to be able to guarantee high availability even in case of hardware failures.



5. Privacy Principles for the HeiaHeia marketing and support pages

Storing personal data from our websites:

Upon certain interactions with (e.g. submitting forms), you give consent for the following personal data to be added to the HeiaHeia marketing and support register, submitted by the user her/himself for the purpose of customer service:

  • Name
  • E-mail address
  • Mobile phone number
  • Employer and job title
  • Other user submitted information: e.g. requesting a demo or offer

Information sources: Information provided by user her/himself

Subscribing to newsletters:

You can subscribe to our newsletters from our website. Upon doing this, you give consent for storing the following details in the HeiaHeia newsletter register for the purpose of newsletter delivery:

  • E-mail address

Information sources: Information provided by user her/himself

Support portals and ticketing systems:

We run support portals to enable customer service for our different services. The support portals enable creation of support tickets. When submitting a support ticket, you give consent for adding the following personal data to our Marketing and support register for the purpose of customer service:

  • The user’s personal information (name)
  • The user’s contact information (email)
  • The service in question (HeiaHeia, MarsMars, Spordivägi)
  • Mobile device and OS of the user (Android, iOS, web)
  • Messaging history between the user and customer service
  • Articles visited in the support portal by the user
  • Possible Android log file sent to customer service by the user

Information sources: Information provided by user her/himself

Direct marketing:

We send direct marketing via email and other means. In such cases, the recipient of the direct marketing works in a position essentially related to the services being offered via our direct marketing. Our direct marketing messages are sent to these individuals’ work email addresses by virtue of "authorisation by position".

We add the following personal data of the people to whom we send direct marketing to our Marketing and support register for the purpose of sending out direct marketing:

  • The recipient’s personal information (name)
  • The recipient’s contact information (email)
  • The recipient’s employer and job title
  • Messaging history between us and the recipient

Information sources: Publicly available information

Cookie usage practices:

Our marketing site (and its sub-pages) places cookies when a visitor first arrives at the website. These cookies are placed according to a separate cookie consent, which also allows users to decline cookies based on their usage and to view details of the cookies.

We use analytics and marketing automation tools, which collect data on users’ browsing information, such as traffic sources, browser and devices used, time spent on HeiaHeia’s website, pages visited, geographic location etc.

Most important 3rd party cookies used in the HeiaHeia marketing site:

We place cookies when a visitor first arrives at our website, in order to learn how visitors consume content on the site. A visitor’s personal data remains anonymous to HeiaHeia until:

  1. Visitor fills in a form or subscribes to a newsletter. A user’s personal data may be linked to a cookie when a visitor fills in a form on our site, etc. Submitted information is stored in the HeiaHeia marketing and support register.
  2. Visitor arrives at the website from an email marketing message sent by HeiaHeia. A user’s personal information may be linked to a cookie when the user arrives at the website via an email marketing message sent by HeiaHeia. The source for e-mail marketing messages is HeiaHeia’s marketing and support register. A user whose cookie is linked to personal data may receive email marketing that is personalised based on her/his website visitor history. If a user wishes to be disassociated from their previous browsing history, they can do so by clearing their browser cookies.


Marketing and support register:

Personal data collection register information according to the GDPR (679/2016), articles 12-14:

  • The register is maintained by: HeiaHeia Oy (Ltd), contact:
  • Register name: HeiaHeia marketing and support register
  • Purpose of use: The register is used for marketing and providing customer service

Register content:

1. Data from forms:
  • Name
  • E-mail address
  • Mobile phone number
  • Employer name and industry
  • Job title
  • User submitted information: e.g. requesting a demo or offer
  • Information sources: Information provided by user her/himself

2. Ticketing system data:

  • The user’s personal information (name)
  • The user’s contact information (email)
  • The service in question (HeiaHeia, MarsMars, Spordivägi)
  • Mobile device and OS of the user (Android, iOS, web)
  • Messaging history between the user and customer service
  • Articles visited in the support portal by the user
  • Possible Android log file sent to customer service by the user
  • Information sources: Information provided by user her/himself

3. Direct marketing data:

  • The recipient’s personal information (name)
  • The recipient’s contact information (email)
  • The recipient’s employer and job title
  • Messaging history between us and the recipient
  • Information sources: Publicly available contact data, information provided by recipient her/himself


4. Cookies and related data:

  • Traffic sources, browser and devices used, time spent on HeiaHeia’s website, pages visited, geographic location etc. A full list of cookies and their purposes is available before giving cookie consent.

5. Activity data:

  • Timestamp of latest activity

Register protection principles:

  • The data is stored on HubSpot, a service run by HubSpot, Inc. HubSpot acts as a processor of personal data on our behalf and fulfils the requirements of the GDPR. Data transfers between EU and the US are governed by EU Standard Contractual Clauses (“SCCs”).

Data retention:

  • Contacts (name and email) and all data related to them are automatically removed from our Marketing and Support register after five years of inactivity (based on the timestamp of latest activity). No separate notifications are sent about the removal.

Other rights:

  • You have the legal right to inspect the data we have collected concerning you. You also have the right to request the correction or deletion of incorrect, defective, unnecessary or outdated personal data.
  • Your data can be removed from the HeiaHeia marketing and support register at any time based on a personal request by contacting our support at

Newsletter register:

Personal data collection register information according to the GDPR (679/2016), articles 12-14:

  • The register is maintained by: HeiaHeia Oy (Ltd), contact:
  • Register name: HeiaHeia newsletter register
  • Purpose of use: The register is used for sending out newsletters

Register content:

  • User submitted email addresses

Register protection principles: 

  • The data is stored on HubSpot, a service run by HubSpot, Inc. HubSpot acts as a processor of personal data on our behalf and fulfils the requirements of the GDPR. Data transfers between EU and the US are governed by EU Standard Contractual Clauses (“SCCs”).

Data retention:

  • The data is stored in the register until a newsletter subscriber unsubscribes. This can be done directly from the newsletter. If the purpose of sending out the newsletters no longer existed, the register would be removed.

Other rights:

  • You have the legal right to inspect the data we have collected concerning you. You also have the right to request the correction or deletion of incorrect, defective, unnecessary or outdated personal data.


6. Google user data

Accessing Google user data:

  • HeiaHeia, MarsMars and Spordivägi users are able to connect to external providers, like Google Fit, to get wellbeing data automatically, e.g. exercise data, daily step count, sleep data, and weight data. The connection is enabled by the user in the app, and users can revoke the connection at any time.

Using Google user data:

  • Wellbeing data from Google Fit is used in the same way as wellbeing data from all other sources (e.g. data created manually in the app, data from wearable connections): the data is used to create statistics and achievements for the user, e.g. exercise data is used for entries that can be cheered by your friends, and exercise and step data may be used as input for activity challenges in communities.

Storing Google user data:

  • Data is stored like all other data, and follows the same principles for sharing and privacy levels, set by the user. If the user chooses to delete their account, all automatically fetched data will also be deleted.

Sharing Google user data:

  • HeiaHeia, MarsMars and Spordivägi are social wellbeing services based on peer support. Some of the wellbeing data from Google Fit (e.g. exercises, weekly level step streaks) is used to create events that can be shared with your friends in a feed in HeiaHeia. Sharing can be managed in the settings of the service and in individual entries. It is also possible to share individual entries outside HeiaHeia, MarsMars and Spordivägi, e.g. to social media services. This is always done manually by the user.

Protecting Google user data:

  • We employ robust security procedures, including encryption measures, to safeguard the confidentiality and integrity of your data.
