Privacy Policy (App)

We provide you with a mobile app that you can download to your compatible device (iOS, Android). In the following, we inform you about the collection of personal data when using our mobile app. Personal data is all data that can be related to you personally, e.g. name, address, e-mail addresses, user behavior.

TheNextWe® App

1. Entity responsible for data processing

TheNextWe GmbH
Akazienstr. 3A
10823 Berlin
privacy@thenextwe.com

External data protection officer

SONNTAG IT Solutions GmbH & Co. KG
Herr Thomas Fischer
Tel.: +49 821 9998 4323
privacy@thenextwe.com

2. Nature and scope of processing

The TheNextWe^® app accompanies employees in a coaching process lasting several weeks to achieve an individual development goal. To this end, the app supports you in

the Scheduling of coaching meetings,
the Chat with the coach (you alone decide what content is shared in the chat. We recommend to minimize the exchange of personal data.),
the Use of online modules as well as
the Creation of a personal action plan.

The processing of the data provided by you during use is based on Art. 6 (1) a) GDPR and Art. 6 (1) b) GDPR for the provision of our service and participation in the coaching program.

The following data is processed during registration:

First name (can be a pseudonym)
E-mail address (can be an alias)
Password
Participation code
Language preference
Time zone preference
Status Agreement to Terms and Conditions
Status Privacy Policy

When using the app, the following data is automatically processed:

IP address, date, time and time zone of app requests.
Login attempts (IP address, time, device identifier)
Device/operating system metadata (platform, version)
Start and end of coaching
Status of agreement to terms and conditions
Status of consent to privacy policy

The app automatically processes the following data:

First name (can be a pseudonym)
Email address (can be an alias)
Profile picture (optional)
Gender (optional)
Password (optional)
Participation code
Language preference
Time zone preference

The following data is automatically processed in the app:

Chat messages (personalized, depending on what information you share with your coach)
Entries in the online modules

Permissions in the app (to be assigned individually):

Receive push messages
relevant for the chat, modules, action plan (request only when used, can be rejected)
access to Camera/Gallery
relevant for sending pictures in the chat (request only when used, can be rejected)

3. Integration of third party services

When processing data through usage of the App, we use the following third-party service providers:

Heroku For the operation of our application servers, we use the Platform-as-a-Service provider “Heroku” from Salesforce Inc., 415 Mission Street Suite 300, San Francisco, CA 94105, USA. The data processing takes place exclusively on servers in the EU and on the basis of our legitimate interests (Art.6 para.1 lit. f GDPR) in the technically flawless and optimized provision of our services. For more information on data processing by Heroku, please see the Privacy Policy of Salesforce. We have concluded a so-called “Data Processing Agreement” with Heroku, in which we oblige Heroku to protect the data of our customers, not to pass them on to third parties and, in the event of a transfer of personal data via sub-processors or affiliated companies to the USA, to comply with the regulations of the standard contractual clauses pursuant to Art. 46 GDPR.
MongoDB For the central storage of the data generated in the coaching process, we use the service “MongoDB Atlas” from MongoDB Inc, 3 Shelbourne Building, Crampton Avenue Ballsbridge, Dublin 4, Ireland. The data processing takes place exclusively on servers in the EU and on the basis of our legitimate interests (Art.6 para.1 lit. f GDPR) in the technically flawless and optimized provision of our services. You can find more information about data processing by MongoDB in the Privacy Policy of MongoDB. We have concluded a so-called “Data Processing Agreement” with MongoDB, in which we obligate MongoDB to protect our customers’ data, not to disclose it to third parties and, in the event of a transfer of personal data via sub-processors or affiliated companies to the USA, to comply with the provisions of the standard contractual clauses pursuant to Art. 46 GDPR.
Twilio We use “Twilio”, a service of the company Twilio Inc., 645 Harrison St # 3rd Floor, San Francisco, CA 94107 USA, for sending chat messages and setting up telephone conferences for coaching calls. Chat messages are encrypted before being sent via Twilio and decrypted after being received, so that only metadata is processed in plain text with Twilio. The legal basis for the use of Twilio is the provision of the contractually agreed communication measures at the request of the user (Art. 6 para. 1 p. 1 lit. b GDPR). For more information on data processing by Twilio, please refer to the Privacy Policy of Twilio. We have concluded a so-called “Data Processing Agreement” with Twilio, in which we obligate Twilio to protect our customers’ data, not to disclose it to third parties and, in the event of a transfer of personal data via sub-processors or affiliated companies to the USA, to comply with the provisions of the standard contractual clauses pursuant to Art. 46 GDPR.
Sparkpost EU For sending transactional mails (invitations, appointment confirmations, reminders) we use the service “Sparkpost EU” from Message Systems Inc., 9130 Guilford Road Columbia, MD 21046 USA. Sparkpost processes and stores personal data to send the mails and lets us see if and when individual mails were delivered and opened. This data is never shared with third parties and Sparkpost does not obtain the right to share your data. The data processing takes place exclusively on servers in the EU and on the basis of our legitimate interests (Art.6 para.1 lit. f GDPR) in the technically flawless and optimized provision of our services. For more information on data processing by Sparkpost, please see the Sparkpost Privacy Policy. We have concluded a so-called “Data Processing Agreement” with Sparkpost, in which we oblige Sparkpost to protect our customers’ data, not to disclose it to third parties and to comply with the regulations of the standard contractual clauses pursuant to Art. 46 GDPR in the event of a transfer of personal data via sub-processors or affiliated companies to the USA.

4. Collection of data in the course of the download by the selected App Store.

You can download our app from the Apple App Store and Google Play Store. There are no other download options. During the download, the providers of the above app stores collect data about you.

When you download our App from the Apple App Store, Apple Distribution, Hollyhill, Cork, Republic of Ireland (contactus.de@euro.apple.com) as a subsidiary of Apple Inc, Infinite Loop, Cupertino, CA 95014 collects a variety of data, including name, address, phone number, email address, preferred contact information, device identifiers, IP addresses, location information and credit card information. We have no influence on the further processing and no further knowledge about it. You can find more information about data protection with this provider at www.apple.com/legal/privacy/en-ww/.
When you download this app from the Google Play Store, Google Inc., 1600 Amphitheater Parkway, Mountainview, California 94043, USA collects a variety of data, including your name and a password. We have no influence on the further processing and no further knowledge about it. You can find more information about data protection with this provider at policies.google.com/privacy.

5. Deletion and disclosure of data

The data collected from you will be deleted upon termination of the purpose (as described above) or cessation of the business relationship in accordance with Art. 6 (1) b) GDPR, provided that the deletion does not conflict with any statutory retention periods. Data will not be passed on to third parties other than those listed here.

6. Rights of the data subject

Insofar as you are considered a data subject within the meaning of Art. 4 No. 1 GDPR, you have the following rights with regard to the processing of your personal data under the GDPR.

Right to confirmation and information
Under the conditions of Article 15 of the GDPR, you have the right to request confirmation as to whether personal data relating to you is being processed and to receive free information about the personal data stored about you and a copy of this information from the controller at any time.
Right of rectification
Under the conditions of Art. 16 GDPR, you have the right to demand the immediate correction of inaccurate personal data concerning you. In addition, you have the right, taking into account the purposes of the processing, to request the completion of incomplete personal data - also by means of a supplementary declaration.
Right to erasure
. Under the conditions of Art. 17 GDPR, you have the right to demand that the personal data concerning you be deleted without delay, provided that one of the reasons stated in Art. 17 GDPR applies and insofar as the processing is not necessary.
Right to restriction of processing
. Under the conditions of Art. 18 of the GDPR, you have the right to request the restriction of processing if one of the conditions listed in Art. 18 of the GDPR applies.
Right to data portability
. Under the conditions of Art. 20 GDPR, you have the right to receive the personal data concerning you that you have provided to us in a structured, common and machine-readable format, and you have the right to transfer this data to another controller without hindrance from us, provided that the further conditions of Art. 20 GDPR are met.
Right to revoke consent
. You have the right to revoke a consent given to us for the processing of personal data at any time with effect for the future. Please address the revocation to the contact details given above.
Right of objection
Under the conditions of Art. 21 GDPR, you have the right to object to the processing of personal data concerning you at any time. If the conditions for an effective objection exist, processing by us may no longer take place.
Right to lodge a complaint with a supervisory authority
. Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your residence, place of work or the place of the alleged infringement, if you consider that the processing of personal data concerning you infringes the requirements of the GDPR.

7. Disclosure of your personal data

Data will be passed on if we are entitled or obliged to pass on data due to legal provisions and/or official or court orders. In particular, this may involve the disclosure of information for the purposes of criminal prosecution, to avert danger or to enforce intellectual property rights.

When your data is passed on to service providers, they will only have access to your personal data to the extent necessary to fulfill their tasks. These service providers are obliged to treat your personal data in accordance with the applicable data protection laws, in particular the GDPR.

Beyond the aforementioned circumstances, we generally do not transfer your data to third parties without your consent. In particular, we do not pass on any personal data to a body in a third country or to an international organization.

8. Storage period for the personal data

With regard to the storage period, we delete personal data as soon as their storage is no longer necessary for the fulfillment of the original purpose and there are no longer any legal retention periods. The statutory retention periods ultimately form the criterion for the final duration of the storage of personal data. After expiry of the period, the corresponding data is routinely deleted. In the case of the existence of retention periods, a restriction of the processing takes place in the form of blocking the data.

Last updated: August 2024