Privacy Notice
We are 29k, a non-profit organization, funded by private and public donors. There are no fees and no ads in our app, and we do not sell user data to any third parties. We are based in Stockholm Sweden, and you can reach us at privacy@29k.org. This is our privacy notice for users of the Aware app.
Data Controllers
The 29k Foundation (organizational number 802481-5261) and 29k International AB (organizational number 559095–7949) are joint controllers for the processing of your personal data and are responsible for ensuring compliance with applicable legislation.
The joint controllers have appointed a point contact for users of the Aware App and others whose personal data are to be processed (the data subjects). The point of contact is 29k International AB (29k).
Email: privacy@29k.org
Web site: https://wiki.29k.org/aware-privacy-notice
Purpose and processing in short
The Aware app helps you grow and make the most out of life. It includes courses, exercises and sharing groups, all based on the latest psychology research. We have six main processes of processing your data and use your data for the following purposes (in short):
1. The app user process
To give you the basic service of the app we need to process your data, such as which exercises you have done and which you still haven’t, which sessions you are attending etc., to work. This makes you an App user. Without storing this data, we wouldn’t be able to provide you with meaningful app experience. We also store additional data if you want us to, such as your profile picture and display name, that you are in complete control of. To personalize (which is the purpose) you can choose a display name and a profile picture, and you can change it whenever you want (well, not during a session). If you do, you are an App power user.
2. The exercise session and journaling process
The exercise sessions for inner development and to increase psychological well-being is one of the main services in the Aware app and the purpose of the processing of personal data. You can choose to participate in the sessions by yourself (private) or with friends (see private live session process). After the exercise is completed, you can choose to write your reflections, private or public – with your display name or anonymous. This is what we call journaling.
When journaling you might write about your feelings and thoughts about your own health. If so, that is special categories of personal data, and our legal basis for processing is legitimate activities for private journaling, and your explicit consent if you would like to share your self-reflections with others by public journaling in the app.
When you publish self-reflections in the Aware app, we use AI to make sure the text is aligned with our User code of conduct (the purpose of this processing). The journaling text you publish is automatically moderated (using machine learning) first, and if it is flagged as not approved it is often manually moderated by the Aware team.
3. The public live session process
In the Aware app you can participate in live video sessions open to all App users. If you do, sharing a camera and microphone is optional. The purpose is to share your experience of the session with other users and the host in live video and audio feeds. If you don’t already have a display name, a temporary display name is required for the live session. The profile picture (if you have chosen one) is shown when the video camera is off. If you are the host of a public live session, you are an App privileged user, and picture, display name, live video and audio feeds are required processing of your personal data.
During the public live sessions, you may choose to share your feelings and thoughts. This is optional, if you only want to listen it is okay too. If you share feelings and thoughts about your own health these are special categories of personal data, our legal basis for processing is legitimate activities.
4. The private live session process
A private live session is when you invite friends or colleagues for a private session, hosted by one of you (App power user host). To participate you must receive an invitation to the private live session (by link) and for the purpose of access control we are processing user-ids. When you participate in live video sessions, sharing camera and microphone is optional . The purpose of private live sessions is to create peer-to-peer groups for inner development and to increase psychological well-being in a group of invitees only. If you don’t already have a display name, a temporary display name is required for the live session. The profile picture (if you have chosen one) is shown when the video camera is off.
During the private live sessions, you may choose to share your feelings and thoughts. This is optional, if you only want to listen it is okay too. If you share feelings and thoughts about your own health these are special categories of personal data, our legal basis for processing is legitimate activities.
5. The development of the app process
To improve the app and troubleshoot technical issues we ask you for feedback and reporting, follow the aggregated behavior of users from the analytics id, crash and error reporting and use data of app installation attribution (also aggregated).
6. The Collection of data for research and statistic reasons Process
We get free resources from the scientific community, and to contribute back to the science and research we provide anonymized data from our aggregate datasets. We don’t transfer any identifiable information to third parties, and we never share data for profit.
This process is not used right now but we want to give you heads up on the purpose when we collect your information. When we start this process, we will update the information with more details on how we process your personal data here.
Do you want to know more about how we process your personal data?
The processing of personal data for each main process (1-5) is described in more detail further down in our Privacy notice. There is detailed information about the purpose of processing, legal basis for processing and balance of interests, categories of personal data and data subjects, security measures, as well as exceptions, if there are any, from the general information in this section.
Categories of personal data
We process these categories of personal data that are system generated
- User-id, usage analytics id, log data of accessed session, timestamp, app language, completed exercises, app navigations, anonymous user or not, public session host or not, app events logging, phone time zone, phone language, phone brand and model, OS type and version, app version, app installation source (UTM).
We process these categories of personal data that are from you (as data subject)
- Display name (optional) or temporary display name (required when participating in live sessions), picture (optional), video live feed (optional), audio live feed (optional), email (optional or required when hosting sessions), journaling text (optional), free text feedback (optional), report and free text in email may include personal data (optional).
Special categories of personal data
- Feelings and thoughts about your own health may be shared with participants and the host during the session (audio live feed and video live feed).
- Feelings and thoughts about your own health may be shared when you choose to publish your journaling in the app (text entry).
Categories of Data Subjects
- App user (has a unique user-id)
- App power user (adds picture and displayed username)
- App power user host (private session host)
- App privileged user (public session host)
Our basis for processing your data
We use the lawful basis consent and legitimate interests for processing your personal data, and legitimate activities and explicit consent for processing special categories of personal data.
Consent for optional processing
We use consent for optional processing when you share your camera and microphone during a session, and when you share display name and/or a picture as an App user or an App power user. When consent is the lawful basis, you can recall your consent by choosing to not share your display name, picture, microphone or video, or contact 29k to get help to delete this personal data form the Aware app (read more about that in the section on Data subject rights).
Legitimate interests as basis for processing and balance of interests
When we use the lawful basis of legitimate interests for processing your personal data, we do a balance of interest to make sure we handle your data with sufficient care. A balance of interest is a risk assessment exercise that includes three tests:
- The necessity test (consider if the processing is necessary)
- The purpose test (identify the legitimate interest)
- The balancing test (consider the individual’s interests)
Legal basis for processing special categories of personal data
During the public live sessions, you may choose to share your feelings and thoughts. This is optional, if you only want to listen it is okay too. If you share feelings and thoughts about your own health these are special categories of personal data, which is only allowed to be processed under certain circumstances. We meet these requirements and process your health data under the legal basis Legitimate activities.
In the section “More about how we process your personal data” you can read more about our legal basis for processing your data.
Source of personal data
29k uses only system generated personal data and the personal data that you as a user of the Aware App have chosen to share with us. We do not gather information about you from publicly accessible sources.
We use your email for communication
If you choose to share your email address with us, we will use it to answer your reporting of system problems or feedback about the Aware App. On some rare occasions we communicate with you, about the Aware App. If you don’t want emails from 29k, there is an opt-out at the end of each email.
You are in control of how long we will save your data
You choose if you want to share a display name and picture, and you may change or delete it, unless you are in an ongoing session. Your completed sessions and private journaling are saved on your device, but you need the Aware app to access it. If you publish your journaling, it will be anonymized when the app is deleted.
Live video feed and audio, and temporary display name is only possessed during the live session. No recording options are available. Session access control information is deleted on request but will, in the future, automatically be removed for past sessions, every 24h.
If you don’t have any activity in the Aware app for 365 days, the user-id and all personal data will be deleted. If you want your personal data deleted earlier, we will remove it on request. Read more about your right to be forgotten (right to erasure) in the section on Data subject rights.
We use a little bit of AI to help us keep a nice tone
When you publish feedback or journaling that is shown to other users in the app, we use AI to make sure it is aligned with our User code of conduct. We have chosen this way to both have a fast publication in the Aware app and keep the content moderated. It is either automatically moderated (using machine learning), manually moderated or a combination of both. Feedback is hidden by default and requires manual moderation, and public journaling text is automatically moderated and optional for manual moderation.
Automatic moderation is done with the help of Open AI Chat Completion API by classifying if the content contains any "religion, illegal drug use, threat, high risk of physical harm, adult, profanity, racist, gibberish, non-English, mostly capital letters, names, persons". When the automatic moderation classifies what a user has written with any of the classifications above, the content becomes disapproved and hidden. It can later be manually moderated. Manual moderation is done by reviewing incoming content in the internal Aware administration system. When we manually moderate your User-id, display name or picture is not shown. The reviewing is done by a small group in the Aware team.
Processors
Processor | Service | Country | Privacy Policy |
Cloudinary Ltd | Digital Asset Management | Israel | |
Daily.co | Video streaming platform | USA | |
Functional Software, Inc. /Sentry | Sentry Error Monitoring | USA | |
Google Cloud Platform | Cloud infrastructure | Ireland, EU | |
OpenAI OpCo | Chat Completion API | USA | |
PostHog | User behavior analytics | USA | |
Salesforce | Slack | USA | |
Twilio | SendGrid Email API | USA |
Transfers to Third Country or International Organization
We use service providers based in the USA, Israel and EU (see processors above). As an appropriate safeguard for international transfers, we have for each of the processors, entered Standard Contractual Clauses that have been approved by the EU Commission. As an additional safeguards to those Standard Contractual Clauses, we minimize the amount of data we process , anonymize as much of it as we can and where possible, we make sure your data stays on your device. All providers but one (OpenAI) also have an active adequacy decision as a basis for transfer to a third country.
We don’t share your personal data
We do not share your personal data. In all our tools we have made the setting to opt out of all services that require that we share data with recipients. Even the Analytics-id we use is separated to prevent us from disclosing any other personal data.
Data Subject Rights
You (as a data subject) have the right to request access to your personal data, and rectification, erasure of personal data, restriction of processing or to object to processing as well as the right to data portability, from the joint controllers by contacting 29k International at: privacy@29k.org
Right of access: You can always ask us about what personal data we process about you.
Right to rectification: If your data is inaccurate, you can ask us to correct or amend your data.
Right to erasure (right to be forgotten): Just delete your account in your profile and we’ll delete your data. If you want us to delete something specific (and not everything), please contact us.
Right to restrict processing: If you believe we’re processing your data in ways that are unlawful or that you don't agree with, you can ask us to stop processing that data until we finish an investigation.
Right to data portability: You can ask for your data in .json format that you can save or send to anyone. (This is only required in the GDPR when the lawful basis is consent or contract, but we will help you with our best effort if you want more information).
Right to object: You have the right to object to how we process your data (when we do so on the lawful basis of legitimate interest).
Right to withdraw consent: You have the right to recall your consent for future processing of your personal data at any point. The fastest and maybe easiest way for you to recall consent is to delete the data you no longer wish us to process (display name, picture or in the case of an active session end audio or video live feed). You are also welcome to contact us to withdraw your consent. The same is true for explicit consent, if you have given your explicit consent to publish journaling and you change your mind, please contact us to exercise your right to erasure.
Right to complain to a regulator: You have the right to submit a formal complaint about how we process your data to the supervisory authority.
Data Protection Officer
We have a Data Protection Officer that helps us ensure the right level of data protection for your personal data and compliance with the GDPR. If you want to contact our DPO on questions about data protection, please send an email to: dpo@29k.org
Complain to supervisory authority
You have the right to lodge a formal complaint about how we process your personal data, with a supervisory authority. As a data subject you are always able to choose which country's supervisory authority you wish to contact. The supervisory authority that you contact will be your contact point in the matter.
Find the contact details of your national data protection regulator here.
Read more about your digital rights on the European Commission’s website
IMY in Sweden is the lead supervisory authority
For 29k the so-called lead supervisory authority is IMY in Sweden, Integritetsskyddsmyndigheten.
How to contact IMY
Phone number: +46 (0)8 657 61 00
E-mail: imy@imy.se
Postal address: Integritetsskyddsmyndigheten, Box 8114, 104 20 Stockholm, Sweden
Website: https://www.imy.se/en/
Privacy Pledge
Do we anonymize your data after one year of inactivity? | Yes |
Question | Answer |
Do we track your device location? | No |
Do we track your device location while you aren't using the app? | No |
Do we use cookies? | No |
Do we track your browsing activities on other sites? | No |
Do we listen to you using your device microphone? | No |
Do we record and store video and audio of you? | No |
Do we sell your personal information? | No |
Do we sell any anonymized information? | No |
Do we share your data with third parties? | No |
Are you required to register with personal information? | No |
Do we track your usage of the app? | Yes |
Do we anonymize your data when you delete your account? | Yes |
Can you retrieve a copy of all your data from us? | Yes |
Do we share anonymized data for research purposes? | Yes |
Questions or Comments?
To ask questions or comment on this information contact us at: privacy@29k.org
More about how we process your personal data
We describe, in more detail for each main process how we process your personal data below.