This Privacy Policy explains how we, SalutaCoach AG, collect and process your personal data as a customer or participant in connection with our health coaching sessions (“coaching sessions“), including the use of our health coaching platform. You can reach our health coaching platform at https://app.salutacoach.com/ or by using our app. You can find our Privacy Policy for the general use of our website here.
Your privacy is our utmost priority. Accordingly, we endeavour to process your personal data in accordance with applicable data protection law, namely the Swiss Federal Act on Data Protection (“FADP“) and the EU General Data Protection Regulation (“GDPR“).
We generally collect personal data directly from you. We may also receive individual personal data from your employer, for example if they (co-)fund your coaching sessions, or from other contractual partners such as healthcare organisations. Failure to provide certain personal data may result in restrictions, such as us not being able to contact you, you not being able to participate in our coaching sessions, or you not being able to use our health coaching platform.
If you provide us with personal data about other people (e.g. your family members or employees), we will assume that this data is accurate. By providing such data to us, you confirm that you have the right to provide it to us and that you have informed the individuals concerned of this Privacy Policy.
1. Data controller responsible for data processing
SalutaCoach AG is the data controller responsible for data processing. If you have any concerns about privacy, you can contact us at the following address:
SalutaCoach AG
Aeschenplatz 6
4052 Basel
Switzerland
Phone: +41 (0)800 190 190
Email: info@salutacoach.ch
Contact form: […]
If you are from the European Economic Area, you can also contact our representative:
[…]
2. Categories of personal data, purposes of processing and legal bases
2.1 Digital Services
When you use our digital services, which we provide to you as browser or app-based services through our health coaching platform,we may process personal data about you, including registration data and user data (as defined below), together with coaching data and contract data (in accordance with Sec. 2.2 and 2.3), collectively referred to as “service data”.
Categories of personal data: To register for our digital services, you will need to open an account or set up login details, for which we will need information such as your first name, last name, username, password and email address. This may also include other information that we require from you in order to provide you with our services, such as your address, telephone number, date of birth, gender, nationality, language, occupation, time zone, customer history, etc. (“Registration Data“). When you use our services, we may also process transaction information (date, currency, payer and payee details) and record emails, text messages, social media messages and other communications between you and us. We may also analyse how you use our services to get to know you better and tailor our services to you by collecting data about your habits and preferences (“User Data“).
Processing purposes: In general, we use service data to provide you with our digital services and to comply with applicable laws and our internal policies. We may also process service data to document the provision of our services, for training purposes, for quality assurance, to improve our services and processes, and for market research and product development.
Legal bases: Within the scope of the GDPR, data processing is carried out to conclude or execute a coaching-related contract with you (Art. 6 para. 1 (b) GDPR), to safeguard our legitimate interests (as described above under “Processing Purposes”; Art. 6 (1) (f) GDPR) and/or based on your consent, where such consent is required (Art. 6 (1) (a) GDPR).
2.2 Coaching
If you take advantage of coaching from us or our coaches, we may process personal data about you in connection with this (“coaching data“).
Categories of personal data: Coaching data may include service data and contract data (as described in Sec. 2.1 and 2.3) as well as other information relating to coaching, including in particular health-related data. Depending on the coaching given, we may process:
- Data pertaining to physical exercise and movement, such as activity type, duration, intensity, geodata including GPS data, steps, heart rate, speed/pace, performance, temperature, calories burned and consumed, etc;
- Nutritional data such as food allergies, favourite foods, food dislikes, meals and foods recorded, calories consumed and burned, etc;
- Biometric data such as weight, height, waist-to-hip ratio (WHR), sleep data, resting heart rate, heart rate variability, respiratory rate, muscle percentage, body fat percentage, water content, blood values ;
- Other health data used to track progress, such as heart rate, body weight, body mass index (BMI), waist-to-hip ratio (WHR), height, sleep or stress data, resting heart rate, etc.
- Other data relevant to the specific type of coaching, including, for example, data generated in communication between you and the coaches (e.g. via telephone, video telephony and chat or text messages), availability for consultation, coaching session dates, general physical and mental condition, optimisation needs, medication, health checks, medical history, analyses, etc.
Processing purposes: We use coaching data for coaching purposes, i.e. to analyse your health, develop personalised solutions and help you achieve your goals (e.g. exercise, nutrition and mental health), establish or change habits and improve your well-being. We also process coaching data to facilitate communication between you and your coaches. We also process the coaching data to document the coaching in the digital coaching journal and to provide you with recommendations.
Legal bases: Within the scope of the GDPR, data processing is carried out to conclude or execute a coaching-related contract with you (Art. 6 para. 1 (b) GDPR), to safeguard our legitimate interests (as described above under “Processing Purposes”; Art. 6 (1) (f) GDPR) and/or based on your consent, where such consent is required (Art. 6 (1) (a) GDPR).
2.3 Contract
If we negotiate or enter into and perform a contract with you, we may process personal data about you in connection with that contract (“contract data“). We may also receive and, where permitted, share certain contract data with third parties, for example, if you purchase a subscription through one of our business partners or if they (namely your employer) provide the funding or if you claim benefits from an insurance company.
Categories of personal data: The contract data may include registration data and user data (as described in Sec. 2.1) as well as other information relating to the contract and the services agreed therein.
Processing purposes: We use contract data to prepare, enter into, perform and administer our contractual relationships, including for any enquiries that may arise in this context. Processing may also be necessary to comply with legal requirements and internal policies. We may retain the data to record our communications with you, and for training, quality assurance and follow-up purposes.
Legal bases: Within the scope of the GDPR, data processing is carried out to conclude or execute a coaching-related contract with you (Art. 6 (1) (b) GDPR), for the fulfilment of a legal obligation to which we are subject (Art. 6 (1) (c) GDPR), to safeguard our legitimate interests (as described above under “Processing purposes”; Art. 6 (1) (f) GDPR) and/or based on your consent, where such consent is required (Art. 6 (1) (a) GDPR).
2.4 Marketing
We may process personal data for marketing and customer relationship purposes, in particular to send newsletters, feature articles and links (collectively referred to as “marketing data“).
Categories of personal data: Marketing data includes, but is not limited to, contact data (e.g., first name, last name, email address, postal address, etc.), preferences (e.g., areas of interest), and other data such as service data, coaching data, and contract data.
Processing purposes: We process marketing data for marketing and relationship management purposes, for example to provide you with personalised recommendations and promotions about our services and products or those of third parties, for example in the form of newsletters, either in person, by email or other electronic form, by telephone or by any other communication channel, provided you have provided us with the relevant contact details.
Legal bases: Within the scope of the GDPR, data processing is carried out to protect our legitimate interests (as described above under “Processing purposes”; Art. 6 (1) (f) GDPR) and/or based on your consent, where such consent is required (Art. 6 (1) (a) GDPR).
3. Hosting
The information we collect is stored in the Microsoft Azure cloud, and in other places. The databases used for the health coaching platform are hosted entirely in Switzerland. The data remains under our control. Microsoft does not analyse or use the data for any purpose other than the agreed purpose. Azure Switzerland complies with the relevant compliance and data protection certifications.
Data transfer (e.g. during coaching sessions in a call or chat) is fully encrypted end-to-end. The health coaching platform is secured by multi-factor authentication (MFA). Login credentials such as passwords are strongly encrypted.
Further information can be found here: https://azure.microsoft.com/en-gb/explore/trusted-cloud/.
4. Data disclosure to third parties and overseas
For the purposes described in Sec. 2, personal data may be transferred to the following categories of recipients:
- Hosting providers and other service providers (including communication service providers);
- Business partners (e.g. booking partners, insurance companies, external coaches) and your employer (limited to certain personal data, e.g. if they fund a subscription for you);
- Consultants and transaction partners (e.g. in the case of mergers, acquisitions or other transactions in which we are involved);
- Competent authorities and representatives to the extent necessary to comply with a legal obligation or official request or to establish, exercise or enforce legal claims.
In connection with the above disclosures, personal data may be transferred to the following countries or territories:
- European Economic Area;
- […].
If personal data is transferred to a country that does not provide an adequate level of protection under applicable data protection law, we will enter into standard contractual clauses with the relevant recipient, unless there is another appropriate means of protecting the data or a legal exception applies to the transfer abroad.
5. Data Retention
We process and store your personal data for as long as is necessary for the purposes of processing (see Sec. 2), legal retention periods and our legitimate interests (e.g. documentation, quality assurance or similar business purposes and the assessment, assertion or defence of legal claims). Unless there are legal or contractual obligations to the contrary, we will delete or anonymise your personal data at the end of the retention period.
For example, we may retain certain service data, coaching data and contract data for the duration of the limitation period for contractual claims, calculated from the end of the contractual relationship, if and to the extent that (a) we are not legally obliged to retain such data for a longer period (e.g. for billing or document retention purposes) or (b) we have no overriding legitimate interest in retaining such data for a longer period for documentation, quality assurance or similar business purposes or for the assessment, assertion or defence of legal claims.
6. Rights of data subjects
As a data subject, you generally have the following rights, depending on the applicable data protection law:
- a) Information: This means that you can ask us whether we are processing personal data about you and, if we are, you can ask us to provide you with more information.
- b) Rectification: This means that you can ask us to correct or complete your personal data if it is inaccurate or incomplete.
- c) Deletion: This means that you can ask for your personal data to be deleted. We will comply with a request for deletion unless we are required by law or have an overriding legitimate interest in retaining the data.
- d) Objection: This means that you have the right to object to the processing of your personal data on the basis of our legitimate interest (Art. 6 (1) (f) GDPR), by stating your particular reasons and the specific circumstances on which your objection is based.
- e) Restriction: This means that you can ask us to temporarily restrict the processing of your personal data.
- f) Data portability: This means that you can ask us to provide you with the personal data you have provided to us in electronic form (where this is technically possible).
- g) Withdrawal of your consent: This means that you can withdraw your consent if and insofar as you have previously consented to the processing of your personal data for a specific purpose. This will not affect the lawfulness of any processing carried out before you withdraw your consent (or any processing based on a legal basis other than your consent) and may result in us no longer being able to provide you with our services.
The above rights are subject to certain conditions and exceptions. We may have a right of refusal in accordance with the law.
If you wish to exercise your rights, please contact us using the contact details provided in Sec. 1. In order to process your request, we need to be able to unambiguously identify you as the data subject. This may require your assistance.
If you believe that the processing of your personal data is in breach of applicable data protection laws, you may lodge a complaint with the relevant data protection authority. The Federal Data Protection and Information Commissioner (FDPIC), Feldeggweg 1, 3003 Bern, Switzerland, is responsible for SalutaCoach AG (https://www.edoeb.admin.ch/). Depending on where you live, you may also be able to lodge a complaint with your local data protection authority.
7. Data Security
We have taken appropriate technical and organisational measures to protect your data from loss, manipulation, misuse and unauthorised disclosure or access. We restrict access to personal data in general. Also see Sec. 3 with regard to hosting.
8. Changes to this Privacy Policy
This Privacy Policy does not form part of any contract with you and is subject to change by us at any time. The version published on our website is the current version.
Last updated: 11/23
