Explaining what’s important.
- Please read, understand and agree with the materials on this page before you use Wellsome.
- Sometimes we update these documents. If you do not agree with the changes, please stop using Wellsome.
- You need an account for Wellsome. You can stop using the account at any time.
- Wellsome is used for understanding your mental health and provide users with the right mental health services. When using it, you are required to abide by any applicable laws. You can not use Wellsome for unlawful or illegal, defamatory, harmful, abusive, hateful, racially or ethnically offensive purposes. If you violate these terms, we may disable your access to Wellsome.
- We do not approve or endorse any content included in your profile. We respect copyright and the intellectual property rights of others. You are responsible for the content of all of your conversations on Wellsome.
- Your privacy is very important to us.
- There are no ads. Therefore your personal data or the content of your account is never sold or rented to anyone, it will never be used for any third-party advertising.
- We are transparent about the data we collect and what we do and don’t do with it.
- Wellsome follows European privacy laws.
- This was a brief summary of our Privacy Notice. Read the complete version below. If you have any questions about it, please contact us at firstname.lastname@example.org.
Effective Date: Mar 4, 2022
Welcome to Wellsome
Wellsome merely facilitates getting in contact with practitioners, and provides related services, such as scheduling, booking and educational content. Wellsome does not act as well-being service provider itself, nor does it supervise its practitioners using the platform.
Scope of the ToU
The following ToU shall apply to the use of the platform by the users and the practitioners. The ToU shall apply also if the platform is accessed from outside Germany.
Wellsome is a paid service and the platform services shall be chargeable by an agreement between a company and Wellsome.
Description of Services
The services offered by the platform include:
- Regular check-ins with employees to measure where they stand in terms of well-being, stress etc.
- Educational material, mindfulness content
- Booking and scheduling counseling sessions with practitioners
- Integration to Slack workplace of the company via a Slackbot
- Video conference solution for counseling sessions
Wellsome itself will not offer counseling services. Neither will it represent the users or the practitioners with regard to counseling services or any other activity. As a consequence, only the respective practitioner, not Wellsome, shall be responsible for the proper conduct of said service and all related duties. Correspondingly, only the respective user, not Wellsome, shall be responsible for his communicative input with the practitioner.
Wellsome reserves the right to terminate contractual relations pursuant to this ToU and to deny customers, users and/or the practitioners access to the platform without giving further reasons.
The use of the platform requires an online registration for booking and payment purposes. Users of the platform must be at least 18 years of age and contractually capable. No one shall have multiple accounts. All data requested by Wellsome has to be submitted accurately and completely.
During the registration process, practitioners shall provide Wellsome with copies of their ID and evidence of qualification and/or education for verification purposes. Wellsome reserves the right to check this information or to request further proof.
Further Obligations of the users and practitioners
The users and practitioners shall refrain from any misuse of the platform. In particular, they shall not:
- Use the platform to obtain any services that are against the law or otherwise prohibited in the location where the user is accessing services;
- Defame, abuse, harass, stalk, threaten or otherwise violate the legal rights (such as rights of privacy and publicity) of others on the platform;
- Send or otherwise make available any inappropriate, profane, defamatory, obscene, abusive, racist, indecent or unlawful topic, name, material or information on the platform;
- Send files that contain viruses, trojan horses, worms, corrupted files, or any other similar software or programs that may damage the operation of another’s computer or property of another;
Requesting a counseling sessions
The company has a contractually agreed amount of counseling sessions included. Employees can request a counseling session out of those credits. Once an employee requested a counseling session, Wellsome will match them with a best available counselor who fits their current needs. After a practitioner has been found, Wellsome invites both – employee and practitioner – to a secure video conference room.
A cancellation has to me made prior to 24 hours before the sessions starts. If an employee cancels late, Wellsome will need to have to count that session as used. A no show refers to when an employee doesn’t show up for the counseling appointment, without giving Wellsome advance notice.
Wellsome cannot accept any liability for the practitioners’ performance of his related obligations, in particular repayment of the fee as applicable under statutory law.
Practitioners have the option to link their Google Calendar and Office365 Calendar via OAuth 2.0. This helps potential users to see the counsellors’ availability based their broad working hours, internal events (appointments with other clients) and external appointments (Google or Office 365 Calendar events).
Wellsome is only storing the start end end time of external events. We do not store personal information, such as event summary and participants of the individual events. Appointments from the past will be automatically removed from our databases. Potential users won’t see the individual external events.
Fees, Charges and Billing
Fees for well-being services shall be set individually between Wellsome and each customer company. Wellsome may modify this fee over time at their own discretion. Users are informed during the booking process and before submission, about any fees, taxes and costs (including, if any, delivery costs) that they will be charged.
Quality of Services, Liability
Wellsome offers a platform to find a well-being service provider without guaranteeing any type of success, gain, relief or similar effect to the user/client.
Wellsome will aim to make the platforms services available in the best possible quality.
Any liability shall be excluded in the event of failure of communication networks, gateways, force majeure or other events outside the control and responsibility of Wellsome. Likewise, any liability shall be excluded in case of unlawful or unallowed access by third parties to the platform or the well-being service process by means of hacking or similar means.
Wellsome will be liable for damages for other than the above-mentioned reasons only in case of intent or gross negligence by its managers, officers, employees or agents and only in the proportion such behavior has caused the damage in relation to other causes. This limitation does not apply in case of a violation of cardinal duties, i.e. duties the fulfillment of which the users may justly expect. No loss of profits shall be recoverable. The restrictions of liability do not apply to cases of damages to life, body, or health, to cases of warranting for the condition of a product, and to cases of fraudulent concealment of defects of Wellsome, its legal representatives or assistants in performance.
Wellsome is the sole owner of all intellectual property, in particular the copyright, trademarks and database, incorporated in the platform. Wellsome does not grant any license or sub-license of such intellectual property to the users or the practitioners and shall retain all ownership or rights to it. As a consequence, the users or the practitioners shall not make use of the intellectual property in any way outside the functions of the platform, in particular (but without limitation) by using or adapting the intellectual property for their own commercial or professional gain.
See Privacy Notice: https://wellsome.care/legal/#privacy-notice
Wellsome may update and amend this ToU at any time and will make the updated ToU available and post the updated version of this ToU on the platform. You understand and agree that you will be deemed to have accepted the updated ToU if you use the platform after the updated ToU is made available to you. If at any point you do not agree to any portion of the ToU then in effect, you should immediately stop using the platform.
Wellsome will notify users and practitioners of the amendments at least two weeks before the change comes into force in text form. The change is deemed accepted by users and practitioners if they do not object within two weeks after receipt of the notice. Wellsome will point out the right to object, the period and legal consequences, particularly regarding the failure to object to the changes.
This ToU shall be governed exclusively by the law of the Federal Republic of Germany.
Any disputes under or in connection with this agreement (including those regarding its validity) shall be – as far as validly determinable – exclusively settled in the courts of the federal state of Berlin.
Should individual provisions of the ToU be invalid or unenforceable, all other provisions of the ToU shall remain unaffected. The contract language is English.
Privacy Notice and DPA
You must read and agree to this ToU and the supporting Privacy Notice as well as to the Data Processing Addendum (“DPA”) to use the platform. By using the platform, you represent that you have read and consent to our Privacy notice and DPA in addition to this ToU and agree with their content.
Questions? Contact Us
Data Processing Addendum
Effective Date: Mar 4, 2022
Data protection measures
The following provisions shall apply whenever the Processor processes personal data of the Controller (“Controller Data”) on behalf of the Controller.
Obligations of the Processor
Controller’s Personal Data provided by Controller and/or its affiliates or collected by Processor (if any):
|Type of Personal Data||☐None|
☐Vendor data☐Special categories of personal data:
☐Racial and ethnic origin
☐Religious or philosophical beliefs
☐Other categories of Personal Data:–
|Categories of Data Subjects||☐None|
Partners client information
The Processor shall assure the contractual compliance with all agreed measures in the area of the processing of Controller Data.
Documents and files that are no longer required containing Controller Data may only be destroyed in compliance with data protection regulations subject to the prior consent of the Controller, unless they are deleted within the course of standard deletion procedures agreed upon between the parties.
The Processor shall assist the Controller by appropriate technical and organizational measures for the fulfillment of the Controller’s obligation to respond to requests for exercising the data subject’s rights laid down in under applicable data protection law,and shall assist the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 GDPR taking into account the nature of the data processing operations and the information available to the processor.
The Processor shall not directly respond to any enquiries of data subjects and shall refer such data subjects to the Controller. Where a data subject requests the Processor to correct, delete, have access to or block data, the Processor shall refer such data subject to the Controller without undue delay.
Processor may transfer Controller Data to a territory which is not a Member State of either the EU or the EEA only in case the specific conditions of Article 44 GDPR have been fulfilled, i.e. appropriate safeguards in the respective territory or for the data transfer to the data recipient are provided.
The Processor is not permitted to commission further sub-processors without the explicit approval by the Controller in writing.
In the event the Processor commissions further sub-processors pursuant to Section 3.1, the respective data sub-processing agreement shall contain provisions back-to-back to those of this Data Processing Addendum.
If a sub-processor involved upon the Processor’s explicit approval by the Controller in writing provides the agreed service outside the EU or the EEA, the Processor shall ensure compliance with EU Data Protection Regulations by appropriate measures.
Authority to issue instructions
Instructions may only be issued by the Controller’s management board, data protection officers and the manager of the Controller’s legal department (hereinafter “Persons authorized to issue instructions”).
If the Processor holds the view that any instruction contravenes statutory regulations and/or the Data Processing Addendum, the Processor shall be obliged to notify the Controller hereof immediately, and is entitled to suspend execution of the instruction concerned, until the Controller confirms such instruction in writing. The Processor has the right to reject a – also written confirmed – instruction in case the Processor itself would be liable to prosecution if he would execute the instruction.
Data Secrecy and Confidentiality
The Processor entrusts only such employees with the data processing operations outlined in the Service Agreement and this Data Processing Addendum who have been bound to confidentiality and have previously been familiarized with the data protection provisions relevant to their work.
Save as required by law and other than vis-à-vis its subcontractors, the Processor shall not disclose Controller Data without the written authority of the Controller.
The Controller’s audit rights.
The Controller shall have the right to audit Processor’s compliance with the statutory regulations on data protection and the obligations entered into between the parties (in particular the technical and organizational measures), without interfering with the regular business operations of the Processor. In this respect, the Controller may:
Request information and records about the data processing operations and storage of the Controller Data as well as the data processing routines; Processor shall furnish the relevant information and documentation in due course. Processor may satisfy the request by demonstrating that Processor adheres to an approved code of conduct pursuant to Art. 40 GDPR or an approved certification mechanism pursuant to Art. 42 GDPR.
Request access and the Processor shall – during its regular business hours and upon reasonable prior notice (of at least 5 business days in advance) – grant the Controller access to the work area where the data processing operations take place.
Data security measures
The Processor shall implement technical and organizational measures (“TOMs”) in accordance with Article 32 GDPR. Processor may implement alternative adequate measures providing the same level of security as the TOMs. Any significant changes to the TOMs shall be agreed by the Parties in writing.
Upon request, Processor shall provide suitable evidence to the Controller of compliance with these requirements.
Data Breach notifications and other information duties
The Processor shall notify the Controller of any malfunctions or indications for an infringement of data protection regulations, or in case of irregularities in the processing of Controller Data, including, but not limited to, data security mishaps and presumed or actually traceable data losses.
To the extent the Controller has to meet information obligations pursuant to Art. 33 and 34 GDPR, the Processor shall cooperate with the Controller. The Parties agree and acknowledge that Art. 33 and 34 GDPR may impose a notification obligation in the event of the loss or unlawful disclosure of personal data or access to it; the Processor shall notify potentially relevant Data Breach to the Controller immediately and provide the Controller with all reasonably required support (i) in assessing whether a notification obligation may exist, (ii) mitigating any harm to the data subjects concerned and (iii) supporting the Controller in conducting and filing such notification.
The Processor shall, provided that it is lawful for it to do so, immediately notify the Controller if it receives any request correspondence, notice or other communication whether orally or in writing from a Data Protection Authority or other authority, relating to Controller Data.
International Data Transfers
The Processor shall not transfer Controller Data to any country outside the European Economic Area without the prior written consent of the Controller, such consent may be subject to and given on such terms as the Controller may in its absolute discretion prescribe. Any consent will be conditional upon the transfer being made a) to a country subject to a positive finding of adequacy by the European Commission (Art. 45 para. 3 GDPR) or b) to an organisation (i) that has signed up to standard contractual clauses as approved by the European Commission in Decision 2010/87/EU or any successor decision (“C2P SCCs”) pursuant to Art. 93 para. 2 GDPR, (ii) that is bound by Binding Corporate Rules pursuant to Art. 47 GDPR, (ii) by an approved code of conduct pursuant to Article 40 or (iii) by an approved certification mechanism pursuant to Article 42 GDPR, or c) on the basis of other safeguards pursuant to Art. 46 para. 2 GDPR. Where the Controller provides consent to a transfer of Controller Data subject to the Processor entering into C2P SCCs, it authorises the Processor to enter into those C2P SCCs on its behalf.
Term of the Data Processing Addendum and Precedence
Indemnification and liability
Without limiting the foregoing, Processor agrees and acknowledges that any data subject that suffers damage as a result of any of Processor’s breach of the obligations hereunder shall be entitled to receive compensation from the Processor for the damages.
Glossary of Terms
Personal data means, without limitation: personally identifiable information or personal data as defined under the laws of the respective jurisdiction, including the EU Regulation (EU) 2016/679; and in any event (i) any information that can be used to distinguish or trace an individual‘s identity, such as person’s name, date and place of birth, biometric records, mother’s maiden name, address, email address, telephone number, social security number, state identification or driver’s license numbers, account information, PIN numbers, access and security codes, login information; and (ii) any other information that is linked or linkable to an individual, such as information about a person’s sex, age, income, health or medical information, educational, financial and employment information. Personal Information includes whole or partial copies of such information or materials derived from such information.
Data Protection Laws:
(a) the EU Regulation (EU) 2016/679 (“GDPR”); and
(b) other applicable privacy and data protection laws, regulations and directives, relating to or impacting on the processing of Personal data of a data subject and/or its privacy.
Data Breach means any (including but not limited to intentional, negligent or accidental) breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal data.
Effective Date: Mar 4, 2022
|What’s this?||Information for you about why and what of your personal data is processed by Wellsome. We tried to make it as readable as possible because who likes a huge wall of legalese?|
This information extends to:
– our website
– our SlackBot
– our Web App
– our newsletter
– our emails
|FYI. Details about us and how to contact us:||We are Generation Wellbeing GmbH who developed Wellsome – a platform which helps on-site and remote teams to understand and improve their well-being through evidence-based mental health programs, online workshops and one-to-one sessions with our team of certified counselors, therapists and licensed well-being coaches. |
Our business is to develop software that makes well-being services more accessible. We don’t trade, swap, or make money from personal data in any other way.
Data protection laws give you rights, and we want to make sure we’re doing it correctly. If you have any questions, concerns or requests about your data, please do get in touch with us at email@example.com.
The sections below describe how your personal data is processed according to the relationship between you and Wellsome. If you think there is any info missing, unclear or incorrect please let us know so we can fix it.
|Where do we get your data from?||We either get the information about you directly from you, or from your browser (e.g. through cookies).|
|What data do we process, why and on what legal grounds?||We will not collect and/or use your personal data without letting you know or having any reasons for that. The sections below tell you about the details of why we process your personal data and on what legal grounds. You can read more about our vendors and their data protection practices below in the vendors section.|
If you are a website visitor:
To provide you with information about Wellsome on our website, we process the following data: ip address. We do that on a legal basis of legitimate interest, and the third party that is involved in that processing is Uberspace.
If you are a representative of our customers:
To communicate internally and with you, to develop our business and satisfy our customers’ needs we process the following data: name, email address. We do that on a legal basis of legitimate interest, and the third parties that are involved in that processing are Slack, Google, Typeform, Pipedrive.
If you are a Wellsome practitioner:
To provide you the service of booking appointments with our users, we process the following data: name, email address, office address, availability. We do that on a legal basis of a contract, and the third party that is involved in that processing is Pipedrive, Scalingo and GraphCMS.
To provide quality assurance and keep high quality of our practitioners we process the following data: name, email address, office address, availability. We do that on a legal basis of legitimate interest, and the third party that is involved in that processing is Pipedrive, Scalingo and GraphCMS.
To communicate internally and with you, we process the following data: name, email address. We do that on a legal basis of legitimate interest, and the third parties that are involved in that processing are Slack, Google, Typeform, Pipedrive.
If you are a subscriber of our newsletter:
To send you informative newsletters we process the following data: name, email address. We do that on a legal basis of consent, and the third parties that are involved in that processing are Sendgrid, MailerLite.
|How long do we store your data?||We store the data for as long as it’s needed for the purpose. We might retain it longer in case we have a legal obligation to do so.|
|Your rights under the GDPR:||To be informed about the processing|
You have the right to have a clear explanation of the processing of your personal data provided to you – we hope that’s what we have achieved with this privacy information!
If you’re not satisfied with this privacy information please get in touch with us via firstname.lastname@example.org to let us know what we can do better.
To have access to your data and details of our processing
Exercising this right is known as “making a subject access request”:
You have the right to ask us:
– whether we are processing your personal data,
– why we are doing so,
– under what lawful basis we are processing your data,
– the categories of personal data about you which we are processing,
– whether the data is being sent outside the EU,
– the names of any other Data Controllers your data has been passed to, and the purpose and lawful basis for the transfer,
– how long we’re going to keep the data, or what criteria we’ll use to decide whether to keep it,
– for a copy of the data we are processing.
We’d much appreciate it if you would use our email email@example.com to make a subject access request, as this allows us to identify and handle requests consistently, however you don’t have to use the form – you can use any preferred way of contacting us to make the request. We’ll need to ask you for some information to make sure the request is valid though, so it would save time to use our form from the start.
To object to some processing
Objecting to direct marketing
You have the right to ask us to stop processing your personal data for direct marketing purposes, and if you make this request we will stop sending you marketing and exclude your data from any analytics or reporting we do for marketing. We’d rather keep your contact details on our suppression lists so that if we do collect your data again in the future, we can be sure to exclude you from receiving our marketing materials. However, if you tell us that you prefer us to stop all marketing-related processing of your personal data, then we will remove your details from these lists.
Objecting to processing based on legitimate interests
You can object to any processing of your personal data where that processing is based on legitimate interests. When you make an objection, we will revisit the processing and assess the interests and the risks and decide on a case-by-case basis whether we should cease the processing of your personal data.
If we consider that we have compelling interests that outweigh your preferences (which might be to keep our IT systems secure, or maintain auditing and accounting records) then we will explain our reasoning to you.
To have some data deleted
This right is sometimes referred to as “the right to be forgotten”. It only applies in narrow circumstances, where –
– you have withdrawn your consent and there is no further legitimate interest in continuing to process the data,
– your objection to our processing under legitimate interests outweighs those interests,
– the processing of your personal data is no longer necessary,
– there is a law that requires the data to be deleted, or
– the processing is unlawful (we work hard to make sure this is never the case!)
– you have the right to have your data erased from our systems and files.
We can’t erase any data which we are required by law to process, but we will highlight and explain this to you if your request includes this data.
To limit how your personal data is used
Under some circumstances, you can limit how your personal data is used by us
– the personal data we are processing is inaccurate,
our processing is unlawful,
– the data is no longer necessary for the original purpose of processing but needs to be kept for potential legal claims, or
– you have objected to processing carried out under legitimate interests and we’re still in the process of determining whether there is an overriding need to continue processing.
– you have the right to restrict the processing. This means that the data will only be processed:
with your consent,
– for the establishment, exercise or defence of legal claims, to protect someone else’s rights, or
– if there is an important public interest justification for processing.
To take your data elsewhere
The right of data portability says that you can ask for any data that we process by automated means (which means ‘using a computer’) which
you provided to us either on the basis of consent or
because it was necessary for a contract that you are directly a party to;
to be provided back to you in a computer-based format, or sent directly to another Data Controller.
This is mostly intended for you, the individual end user or consumer, to be able to switch providers without your data being held hostage.
To query automated decision-making
We neither use automated decision-making nor your personal data to automatically assess aspects of your personality (automated profiling). But if we did, you would have the right to ask us to explain the logic behind any such decisions and for the decision to be reviewed by a human being, if the decision had an effect on your rights or freedoms.
To have data corrected
If any of the data we hold on you is inaccurate or out of date, please let us know so that we can correct it as quickly as possible.
|Complaints:||If you’re not happy with any aspect of how we process your personal data, please let us know so that we can make things right. If you’re not satisfied with our response, you can make a complaint to the Data Protection Authorities.|
|Who do we share your data with?||Calendly|
|Automated decisions making||We neither use automated decision-making nor your personal data to automatically assess aspects of your personality (automated profiling).|