PRIVACY STATEMENT ASSISTED SELF-HELP

Last updated 22.01.2024

Assistert Selvhjelp AS ("Assistert Selvhjelp") develops technology to create internet-assisted treatment which, in combination with professional content, can be used to develop "Coping tools" and "Mapping tool". Assistert Selvhjelp is responsible for the collection and use of personal data made via the assistertselvhjelp.no website and associated digital services ("Websites"). Collectively, Websites, Mastering tools and Mapping tools can be described as "Services".

OUR PROCESSING OF PERSONAL INFORMATION

Assistert Selvhjelp stores personal data in accordance with this privacy policy and The service agreement (for Businesses).

The privacy policy describes which personal data we collect when visiting our Websites and/or when using our Services, as well as how we process this. This statement also contains detailed information about our solutions and subcontractors. We have done this to be transparent. Processing of personal data takes place within the framework of the law and regulations in force at all times. If there is a statutory obligation to provide information to public authorities, registered personal data will be handed over in accordance with the authorities' requirements.

Personal information is collected so that Assistert Selvhjelp can perform the tasks and services we are required to perform in accordance with the law, regulations and/or agreement. When we process personal data, it is done in accordance with the Personal Data Act, which makes the EU's personal data protection regulation ("GDPR") Norwegian law. The personal data may be disclosed to third parties with whom Assistert Selvhjelp collaborates, both within and outside the EEA and EU area in order for us to be able to perform the tasks and services we are required to perform in accordance with the law, regulations and/or agreement, and in in line with this privacy policy.

Personal data that is no longer necessary or serves a purpose based on the purpose for which it was stored will be deleted continuously.

The privacy policy contains specific sections based on how the Services are used, as well as general information that applies regardless of the method of use. Before you buy or use Services from Assistert Selvhjelp, we recommend that you familiarize yourself with its contents.

THE MOST IMPORTANT CASES OF PERSONAL DATA PROCESSING

1. "End users" are given access to our Services by a Business

Assistert Selvhjelp does not store any personal data that is directly identifiable when you use the Service. As a rule, you will be able to identify yourself to the Professional in the Business you gained access to. You can give the Business access to your data the first time you use the Service, and you can grant or withdraw the Business' access at any time under Settings. The purpose of this is for you to receive the best possible follow-up. As long as it is possible for the Professional to identify you, your data will be considered personal data. Under Settings, you will also have the option to view and delete your data. Note that if you delete your data, you will also not have access to the Services. If you wish to remain anonymous, you can generate a new access code yourself and end the sharing of data with the Business (under Settings).

See additional description for End Users

2. "Private persons" use the payment solution on the website to access our Services

If you purchase access to the Service directly from the Website as a Private Person, personal information about you will be stored by a third-party provider for the payment solution. Assistert Selvhjelp neither wants nor needs personal information of this nature, and we have taken measures to prevent personal and payment information about you from being linked to use of the Service itself. If you need a receipt, both Assistert Selvhjelp and Stripe must save your email address in order to send out a receipt. Assisted Self-Help deletes stored e-mail addresses when the receipt has been sent. If you manage without a receipt, Assistert Selvhjelp will not have access to personal information about you.

See additional description for Private individuals

3. "Professionals" are employees of a Business that offers the Service.

"Businesses" are organisations, enterprises or private businesses that offer the Service to End Users, for example a health service or GP. Assistert Selvhjelp stores personal information about professionals who work in the Businesses that offer our Services to provide access to functionality and to ensure follow-up of the customer relationship. Defined professionals in the Business are responsible for ensuring correct access on an ongoing basis, including managing the correction and deletion of professionals' access to Services. 

See supplementary description for Professionals

ADDITIONAL DESCRIPTIONS

1. End users

End users' registrations when using the Service are not directly personally identifiable when they are processed by Assistert Selvhjelp. This is done by us:

  • uses unique and randomized access codes consisting of random characters to deliver the Service
  • never ask for name, e-mail, telephone or anything else that can identify a person, and;
  • never sets out to register identifiable personal data when using the Service
  • actively encrypts and removes IP addresses, and/or prevents these from being linked to other data that is recorded

Examples of information that is stored when using the Service:

  • Standardized answers/answer categories related to questions and tasks about behaviour, emotions, thoughts and experience of various situations
  • What content has been reviewed
  • Overview of scores on mapping tools, for example mapping symptoms of anxiety and depression
  • Automatic information about date/time of login, and time spent
  • Clickstream data, type of operating system and browser and other user information which is part of the service analysis
  • Evaluation and feedback related to use of the Services

The purpose of storing such information is to:

  • able to return to where you left off
  • provide an overview of registrations in the Services
  • ensure the best possible benefit from using the Service, for example finding the most relevant content in relation to the problem
  • provide the opportunity to follow developments during the period the Service is used
  • quality assurance, improvement and development of the Services
    ensure safety and maintain operations

As long as it is possible for the Professional to identify End Users, what is registered when using the Service will be considered personal data. This becomes relevant when you choose to share your data with the Company. Your data will then be available to Professionals in the Business where you will receive follow-up.

The purpose of the functionality to share data is for Professionals to be able to:

  • follow the progress and use of the person being followed up in advance of agreements
  • adjust workload between follow-up hours as best as possible
  • have a better basis for assessing utility and effect

YOU DECIDE

If you wish to give the Company access to your data, you can give approval when you first log in to the Service. You can grant and withdraw the Company's access at any time via Settings.

If you do not approve the company's access, or do not answer questions when first logging in, Professionals in the Company will not have the opportunity to see your data, and prepare follow-up accordingly.

TIME LIMITATION

If you have chosen to share data, after 22 weeks you will be asked whether you are still receiving follow-up from the Company:

If you choose "Yes" will the same question come up again when 22 new weeks have passed.

If you choose "No" your data will no longer be available to the Business you received follow-up from.

If you do not make a choice within 26 weeks, your data will not be available to the Business. You can give the business access again on a later occasion as needed.

ANONYMISATION

You can use the Service completely anonymously or delete your data at any time. Data that is not deleted will be available as anonymized statistics for Assisted Self-Help and the Business from which you received the Service. 

There are some specific conditions that apply to End Users based on the website you use to log in. Website is determined based on the Business you accessed the Service from.

Read more in sections LOGIN FROM ASSISTERTSELVHJELP.NO and LOGIN FROM HELSENORGE.NO

ANONYMISATION

To gain access to the Service, a unique code is used which is distributed to you as an End User. The business often stores your code in a secure area, for example in your journal. When you share data, the professional can follow your development and prepare follow-up. 

It is only the code that is displayed in the functionality for follow-up, which the business has access to. As long as it is possible for Professionals to link your use of the Service to you as a person through additional information in a journal (or similar), your registrations are considered personal data. 

CHANGE CODE

You can change the code by going to Settings after logging in. By changing your code, you will be guided step by step through a process that gives you a new unique code, which the business does not have access to. The code you received from the Business will then become inactive/invalid for login.

As long as you share data with the Business, they will still be able to identify you because the old code appears in their overview. When you have changed the code, and no longer share data with the Business, your data is only visible to Assistert Self-Help.

If you continue to use the Service, your data will no longer be considered personal data, since Assistert Selvhjelp does not at any time collect or store data that can identify you.

LOG IN WITH APP

If you have a mobile phone or tablet with (iOS and Android operating system) you can search for Assisted Self Help in the Appstore or Google play and download our App. The app contains a login page that forwards you to a browser function ("in-app browser"):

Once you have downloaded the App, you get access to Assisted Self-Help by entering the unique code in the App. You can either do it every time you need access, just like on the website OR check the box for "Automatic login" so that the device remembers the code you have entered when logging in again.

"Automatic login" means that you use biometrics and/or a self-selected code to protect access to the App. Then unauthorized persons who have access to your device will not be able to enter the Assistert Self-Help App directly. The code is only stored locally on your device, and neither Assistert Selvhjelp nor others will see that the code is stored on your device.

NOTIFICATION IN APP

You will be able to receive notifications in the app, for example when the professional who follows you up sends you content or mapping. You can control notification settings on your mobile. We use Google Firebase to handle notifications. The information that is registered when using the notification functionality is de-identified and cannot identify individual users.

LOCAL STORAGE
 
Local storage is a function that is available in some places where you have to fill in individual and/or personal information about yourself. The purpose is that you should be able to register unique answers, as an alternative to standardized categories where it is useful.
 
If you fill in an answer with local storage, the data will not be stored on Assistert Selvhjelp's servers, nor will it be shared with professionals. They will only be stored encrypted in the browser (or app) on your own device. The information can only be displayed (decrypted) if you are logged on to Assisted Self-Help with the same device that you used when you entered your answers (i.e. registered your data).

ANONYMISATION

When a Business grants access to the Service via Helsenorge.no, a pseudonymised code is created by Helsenorge.no, so that Assistert Selvhjelp does not store directly identifiable personal data. When you do not share data with the Business you received follow-up from, your registrations will not be available to Professionals in the Business. At Assistert Selvhjelp there is no data that can be linked to you as a person.

LOG IN WITH APP

If you have a mobile phone or tablet with (iOS and Android operating system) you can search for Assisted Self Help in the Appstore or Google play and download our App. The app contains a login page that forwards you to a browser function ("in-app browser"):

To be able to use the App, you must first log in to Assistert Selvhjelp via Helsenorge.no and go to Settings. There you can create a verification code that you enter in the Assistert Self-Help App you have downloaded. This code will connect your user access on Helsenorge.no with Assistert Self-Help so that you can use the Services directly in the App. Note that the verification code must be used within 15 minutes of creating it, but you can create a new one if you need to.

"Automatic login" means that you use biometrics and/or a self-selected code to protect access to the App. 

You use biometrics and/or a self-selected code to protect access to the App, so that unauthorized persons who have access to your device cannot enter the Assistert Self-Help App directly. The connection does not result in changed conditions for your privacy that apply otherwise, as no directly identifiable personal data (only pseudonymised data) is shared between HelseNorge and Assistert Selvhjelp.

NOTIFICATION IN APP

You will be able to receive notifications in the app, for example when the professional who follows you up sends you content or mapping. You can control notification settings on your mobile. We use Google Firebase to handle notifications. 

The information that is registered when using the notification functionality is de-identified and cannot identify individual users.

LOCAL STORAGE

Local storage is a function that is available in some places where you have to fill in individual and/or personal information about yourself. The purpose is that you should be able to register unique answers, as an alternative to standardized categories where it is useful.

If you fill in an answer with local storage, the data will not be stored on Assistert Selvhjelp's servers, nor will it be shared with professionals. They will only be stored encrypted in the browser on the device you used. The information can only be decrypted if you are logged in to Assistert Selvhjelp with the same device as the data was recorded.

DELETION

You can delete all data/registrations under Settings. You should only do this if follow-up from the Business has ended and/or you do not wish to use the Service in the future. It will also be possible for Businesses and Tool Managers at Helsenorge.no to see deletion registrations if necessary.

COMPILATION AND DELIVERY OF GROUP DATA

Information that cannot be linked to a person will, as long as it is not actively deleted, be available to Assistert Selvhjelp employees in our archives and used to analyze functionality, and to compile group data.

Businesses will have access to a compilation of their own group data. Tool managers at Helsenorge.no will, in addition to group data at Business level, have access to aggregated group data from all End Users who get access from Helsenorge.no. The purpose of this is to ensure the quality, improve and adapt the Services, as well as to assess the usefulness and effect in order to increase the benefit and profit when using the Services. As information is processed on a statistical or aggregated level, it will not constitute personal data.

Assistert Selvhjelp does not store information about you that they do not have access to themselves.

Since Assistert Selvhjelp cannot identify you based on information we have access to, it is generally not recommended to make a request for access that would entail identification, for example by using e-mail. By logging in with the access code, information that you have registered will be available.

Error registration during use of the Service will usually have limited practical significance. If you still want to correct an incorrect registration, it is important that you use the feedback form after logging in, and describe what needs to be corrected briefly and precisely, without giving personal details such as name or telephone number. When submitting, Assistert Self-Help can automatically see a unique code for each submitter. It is not technically possible for Assistert Selvhjelp to give feedback that the correction has been carried out, but the correction of incorrect registration will be carried out as soon as possible, normally within 7 working days.

We recommend that you direct inquiries to employees of the Business where you receive follow-up, so that they can possibly make an inquiry on your behalf without you being identified.

If you nevertheless choose to contact Assistert Selvhjelp, on the basis of a request for correction or access to stored information, communications that identify you will be deleted on an ongoing basis, as soon as the request can be considered fulfilled.

2. Private individuals

INFORMATION THAT ASSISTED SELF-HELP STORES

Private individuals' registrations when using the Service are not directly personally identifiable when they are processed by Assistert Self-Help. This is done by us:

  • uses unique and randomized access codes consisting of random characters to deliver the Service
  • never ask for name, e-mail, telephone or anything else that can identify a person, and;
  • never sets out to register identifiable personal data when using the Service
  • actively encrypts and removes IP addresses, and/or prevents these from being linked to other data that is recorded

Examples of information that is stored when using the Service:

  • Standardized answers/answer categories related to questions and tasks about behaviour, emotions, thoughts and experience of various situations
  • What content has been reviewed
  • Overview of scores on mapping tools, for example mapping symptoms of anxiety and depression
  • Automatic information about date/time of login, and time spent
  • Clickstream data, type of operating system and browser and other user information which is part of the service analysis
  • Evaluation and feedback related to use of the Services

The purpose of storing such information is to:

  • able to return to where you left off
  • provide an overview of registrations in the Services
  • ensure the best possible benefit from using the Service, for example finding the most relevant content in relation to the problem
  • provide the opportunity to follow developments during the period the Service is used
  • quality assurance, improvement and development of the Services
  • ensure safety and maintain operations

LOG IN WITH APP

If you have a mobile phone or tablet with (iOS and Android operating system) you can search for Assisted Self Help in the Appstore or Google play and download our App. The app contains a login page that forwards you to a browser function ("in-app browser"):

Once you have downloaded the App, you get access to Assisted Self-Help by entering the unique code in the App. You can either do it every time you need access, just like on the website OR tick "Automatic login" so that the device remembers the code you have entered when logging in again.

"Automatic login" means that you use biometrics and/or a self-selected code to protect access to the App. Then unauthorized persons who have access to your device will not be able to enter the Assistert Self-Help App directly. The code is only stored locally on your device, and neither Assistert Selvhjelp nor others will see that the code is stored on your device.

NOTIFICATION IN APP

You will be able to receive notifications in the app, for example mapping that is repeated after 14 days to measure your development. You can control notification settings on your mobile. We use Google Firebase to handle notifications. The information that is registered when using the notification functionality is de-identified and cannot identify individual users.

LOCAL STORAGE

Local storage is a function that is available in some places where the Private Person must fill in individual and/or personal information about themselves. The purpose is for the Private Person to be able to register unique answers, as an alternative to standardized categories where this is useful. 

If you fill in answers with local storage, the data will not be stored on Assistert Selvhjelp's servers. They will only be stored encrypted in the browser on the Private Person's own device. The information can only be decrypted if the same Private Person is logged on to Assisted Self-Help with the same device as the data was registered.

To prevent Assisted Self-Help from gaining access to Private Persons' identity, we use Stripe as a payment solution. Stripe removes personal data and card information for Assistert Self-Help with the exception of the IP address and the last 4 digits of the card. Stripe does not, however, have access to your access code or other data related to it. The purpose of storing this payment information is to be able to provide documentation for purchases and to be able to offer refunds.

For follow-up of the contract and related work, Assistert Selvhjelp is the data controller and has processing grounds in GDPR article 6 no. 1 letter b (fulfilment of contract) and article 9 no. 2 letter h (provision of healthcare services).

For the payment solution itself, the payment service provider is the controller.

Assistert Selvhjelp stores personal data related to payment only to the extent necessary to offer the Service and documentation of purchases, and deletes these on an ongoing basis as soon as this can be considered fulfilled. On request, you can see all the personal data registered about you, and request the correction of any errors. In the case of such communication, we will delete the communication log as soon as the request can be considered fulfilled.

We emphasize that you have access to all information that you have registered when reviewing and using the Service, and which is consequently stored about you, when you are logged in with the access code.

Deletion and compilation of group data

You can delete all data/registrations under "Settings". When you delete all data/registrations, it will in practice mean that you can no longer log in with the code, and all data linked to the code at Assistert Selvhjelp will be deleted.

With this caveat, the access code will initially be active five (5) years after it was created or last used. If five years pass without it being used for logging in, it will automatically be deactivated. Information that cannot be linked to a person will be available to Assistert Selvhjelp employees in our archives and used to analyze functionality, and to compile group data, as long as it is not actively deleted.

Inspection and correction

Assistert Self-Help does not store information about Private Persons that the user does not have access to himself.

Since Assistert Self-Help cannot identify Private Persons based on information we have access to, it is generally not recommended to make a request for access that will entail identification, for example by using e-mail. By logging in with the access code, the information registered will be available.

Error registration during use of the Service will usually have limited practical significance.

If you still want to correct an incorrect registration, it is important that you use the feedback form after logging in with the access code, and describe what needs to be corrected briefly and precisely. Upon submission, Assistert Self-Help can automatically see which access code has sent the message. It is not technically possible for Assistert Self-Help to give you feedback that the correction has been carried out. Correction will be carried out as soon as possible, normally within 7 working days.

If you nevertheless choose to contact Assistert Selvhjelp, on the basis of a request for correction or access to stored information, communications that identify you will be deleted on an ongoing basis, as soon as the request can be considered fulfilled.

Assistert Selvhjelp does not store information about Private Persons that they do not have access to themselves.

Since Assistert Self-Help cannot identify Private Persons based on information we have access to, it is generally not recommended to make a request for access that will entail identification, for example by using e-mail. By logging in with the access code, the information registered will be available.

Error registration during use of the Service will usually have limited practical significance. If you still want to correct an incorrect registration, it is important that you use the feedback form after logging in, and describe what needs to be corrected briefly and precisely. When submitting, Assistert Self-Help can automatically see a unique code for each submitter. It is not technically possible for Assistert Selvhjelp to give feedback that the correction has been carried out, but the correction of incorrect registration will be carried out as soon as possible, normally within 7 working days.

If you nevertheless choose to contact Assistert Selvhjelp, on the basis of a request for correction or access to stored information, communications that identify you will be deleted on an ongoing basis, as soon as the request can be considered fulfilled.

3. Professionals and Businesses

PROCESSING OF PERSONAL INFORMATION

Assistert Selvhjelp collects and processes the following information from Businesses in order to identify, register, deliver the Service in accordance with the Service Agreement, and perform support:

The customer relationship: Name of business, Organization number, telephone number, etc.
Contact person(s): First name, Surname, Job title, Telephone number and email
Professionals: First name, Surname, e-mail, workplace, position
Professionals with a Health ID: First name, Surname, Job title, Social security number and Health personnel number, workplace, position

NOTE: Professionals' telephone numbers are not collected systematically, but may be stored as a result of direct contact.

Examples of information that is stored when using the Service:

The processing of personal data is based on GDPR article 6 no. 1 letter f, legitimate interests. Assistert Selvhjelp's legitimate interests are to enter into and manage customer relationships, generate economic activity and safeguard/strengthen its own reputation.

In this connection, we use collected emails to send updates or important information, normally 2-4 times a year. We only send information we think is relevant, and the recipient can unsubscribe at any time. In connection with support or inquiries to Assistert Self-Help, there may be a need to look at the information in the register about the customer relationship, which will therefore be available to employees of Assistert Self-Help. All our employees have signed a confidentiality and non-disclosure agreement.

Please note that the processing of personal data in relation to specific services and products may be regulated this year The service agreement which applies to Businesses, or in special agreements if this has been entered into.

DELETION AND CORRECTION

Defined professionals in the Business must manage the correction and deletion of other professionals' access to Services. When Businesses and their professionals specifically request the deletion of information or terminate services, some personal data, primarily contact information and order and invoice history, may remain in Assistert Selvhjelp's register to the extent necessary to protect legal rights or legislative requirements for documentation.

Businesses and their professionals can, on request, see all the personal data registered about them. If the information is not correct or relevant, the registered person can request that it be corrected or deleted and removed from our registers, provided that Assistert Selvhjelp is not subject to any legal conditions that prevent this. The contact form on the website can be used for enquiries.

IDENTIFICATION OF END USERS THROUGH ADDITIONAL INFORMATION

Businesses that assign the Service have access to an overview function that provides an overview of a pseudonymised code for each End User. Assuming the End User's active approval to share sharing of data, the Business also gets access to information that is registered when using the Service. Approval from the End User is given either upon first logging into the Service, or later via Settings. The end user can at any time give and withdraw the approval, or delete data and terminate the Service. The company's access to registrations is limited to the End User's decisions in accordance with this right.

As long as it is possible to identify End Users, registrations that the End User makes in the Service will be considered personal data. This will be possible through the use of additional information, usually by the pseudo code being stored together with other personal information, for example in the End User's record. Only the Company has access to the additional information and can decide who should have access to it.

Businesses are responsible for taking appropriate security measures as a result of using additional information to identify the End User in the overview function.

If the Business has such routines, see Data processor agreement i The service agreement.

COMPANY'S RESPONSIBILITY

The business is responsible for ensuring that (at least) one defined employee has the role of Super User, and this keeps the overview of Professionals who must have access to functionality up to date. Professionals who are not to have access must be deactivated. At the end of the customer relationship, personal data registered with Assistert Selvhjelp will be deleted continuously. If Assistert Self-Help becomes aware that the contact information is incorrect, Assistert Self-Help is obliged to update it using public registers, preferably number information services and the Brønnøysund registers (business).

RIGHTS, DATA PROCESSING AND SECURITY

You have the following rights, which you can invoke by contacting us in accordance with the information above.

Access to information etc.

The rights follow from Article 15 of the Personal Data Protection Regulation. Exceptions to the right can be found in Sections 16 and 17 of the Personal Data Act.

The registered person shall have the right to obtain Assistert Selvhjelp's confirmation as to whether personal data about the person concerned is being processed, and, if this is the case, access to the personal data and the following information:

  1. the purposes of the processing,
  2. the categories of personal data concerned (e.g. accounting data, customer information, student information to fulfill rights),
  3. the recipients or categories of recipients to whom the personal data has been or will be disclosed, in particular recipients outside the EU/EEA,
  4. if possible, how long it is expected that the personal data will be stored, or, if this is not possible, the criteria used to determine this period,
  5. the right to request Assistert Selvhjelp to correct or delete personal data or limit the processing of personal data concerning the registered person, or to object to said processing, as well as data portability
  6. the right to complain to the Norwegian Data Protection Authority,
  7. if the personal data has not been collected from the data subject, all available information about where the personal data originates,
  8. the occurrence of automated decisions, i.e. whether decisions are made that apply to individuals without any human participating in the proceedings. Relevant information must also be provided about the underlying logic as well as about the meaning and expected consequences of such processing for the data subject. The registered person can also demand that a natural person in Assistert Selvhjelp check the automated decision.
  9. If the personal data is transferred outside the EU/EEA, the data subject shall have the right to be informed of the necessary guarantees to ensure satisfactory processing.

Assisted Self-Help must make available a copy of the personal data that is processed. If the data subject submits the request electronically, and unless the data subject requests otherwise, the information must be provided in a normal electronic form.

Right to correction

Those registered have the right to have personal data that is incorrect or inaccurate corrected. Correction must be made as soon as possible.

Right to deletion

The right to erasure exists when:

- the information is no longer necessary to achieve the purpose of the processing
- consent to the processing has been withdrawn and there is no other legal basis for the processing
- the data subject has made a justified objection
- personal data has been processed in a way that is not legal
- it is necessary to comply with a legal obligation

Right to demand limited processing of personal data

The registered person may have the right to demand restriction of the processing of their own personal data. This means that the personal data cannot be used beyond storage, e.g. if claims are made that incorrect information is used and Assistert Self-Help must investigate whether this is true. The scope and limitations of the right are included in Article 18.

Right to data portability

The registered person shall have the right to receive personal information about himself that he has given to a data controller. The information must be received in a structured, commonly used and machine-readable format and must have the right to transfer said information to another data controller without the data controller to whom the personal data has been provided.

The right requires that the processing is based on consent or an agreement, and that the processing is carried out automatically.

Right to object to the processing of personal data

The data subject has the right to object to processing that takes place on the basis of:

to carry out a task in the interest of society
to exercise public authority
to safeguard legitimate interests that are not overridden by the data subject's interests and fundamental rights and freedoms

The registered person's protest normally means that Assistert Selvhjelp can no longer use the personal data, but there are a number of exceptions, see below. Unless the information is also processed for other purposes to which the data subject cannot or will not object, it must also be deleted.

More detailed framework for the exercise of the right follows from Article 21 of the Personal Data Protection Ordinance.

Correction of incomplete personal data

Assistert Selvhjelp must, on its own initiative and/or at the request of the registered person, correct information that is incorrect, incomplete or delete information that it is not allowed to process.

We greatly appreciate feedback. End users, private individuals and professionals can give feedback through the functions "Suggest changes" and "Evaluation form" after logging into the Service.

When you fill in such digital forms or use logged-in Services, no personal data (for example, name, telephone number or IP address) will be registered by Assistert Selvhjelp. The purpose of these is to improve our Services.

We store information about you when you send us an e-mail directly or use the contact form. Inquiries you send directly via e-mail are not sent encrypted. We therefore encourage you not to send confidential, sensitive or other confidential information via e-mail.

The contact form on the website contains questions about name and telephone number, which it is optional to enter. Email is required so that we can easily reply to the right person. Inquiries are reviewed by the post office, which decides whether it should be forwarded or resolved immediately. We routinely delete messages and emails that contain sensitive personal data.

See also ACCESS AND CORRECTION in sections specific to End Users, Individuals and Business Professionals.

Website Analysis:

When you visit our Websites, or any of the other addresses at which our pages are available, we log information about the visit, usually in the form of cookies. These are used to personalize content and functionality, analyze how you use the website. The information cannot be traced back to a single person.

Necessary cookies only include cookies that ensure basic functionalities and security functions on the website. This is permitted according to Section 2-7 b of the Electronic Communications Act.

Plausible

Assistert Selvhjelp uses the analysis tool Plausible to collect information about visits to the Websites, e.g. how many people visit various pages, how long the visit lasts, which websites the users come from and which browsers are used. The purpose is to compile statistics that we use to improve the quality of the Websites. According to Plausible's guidelines, no information is collected or used that can be used to identify you as a person. Consequently, no personal data is collected in this connection. You can read more about how Plausible collects and protects data here:

Plausible - Privacy

Plausible – Data policy

Encryption of communications:

Let's Encrypt

Let's Encrypt supplies TLS/SSL certificates that we use to encrypt communications in our systems. The information obtained in connection with the registration of a TLS/SSL certificate is stored on servers owned and operated by Let's Encrypt. No personal data is collected in this connection. 

Letsencrypt - Privacy

Notification (only applies to App users):

Google Firebase

Google Firebase handles the interaction between the web application for Assisted Self-Help and notification in the App if the End User has connected their access to the App.  Google Firebase ensures that the correct End User is notified when a professional sends content, mapping or tasks, or other automatic notification is to be sent to the user's App. No personal data is collected in this connection. 

Google Firebase - Privacy

CONFIDENTIALITY AND SECURITY

We use a combination of physical, electronic and procedural security to protect personal data.

All data transmission that takes place over the internet is encrypted. All transactions are processed over an industry-standard SSL/TLS connection, with a minimum of 128-bit encryption. However, there is no guarantee that unauthorized persons cannot gain access to such information, or that it will not be disclosed, changed or destroyed by breaching a firewall or secure server software.

No data transmission over the Internet is 100 % secure, and we cannot therefore guarantee the security of personal data. We emphasize that we have a continuous focus on ensuring that use of the Services does not entail the collection or storage of directly identifiable personal data from End Users and Private Persons. Identification as a result of these using the Services will therefore be less likely. Information available at "Log in" for Business Professionals is password-protected. Furthermore, the account's password is stored with a random salted hash algorithm.

If Assistert Selvhjelp becomes aware of a breach in one of the security systems dealing with personal data, we will notify the affected parties as quickly as possible and without undue delay, so that they can take the necessary protective measures. Assistert Selvhjelp is also obliged to notify security breaches to the Norwegian Data Protection Authority at the latest within 72 hours after we become aware of the breach.

THIRD PARTY FUNCTIONALITY AND WEBSITES

Our services in some cases include third-party features from other providers and websites whose privacy practices may differ from ours. These third-party features may collect your IP address, which page you visit on the website, and they may store a cookie so that third-party features work properly. Third-party functions may also collect sensitive information, for example financial information (credit card) to expedite the purchase of products or services (cf. Private individuals).

If you submit personal information to any of these websites, that information is subject to their privacy policies. We encourage you to carefully read the privacy policy of all websites you visit before giving out personal information.

Nordlo (Data processor)

All information that is registered, generated and stored in connection with the use of the Services is stored on two separate servers owned and operated by Nordlo located in Norway. They are therefore obliged to fulfill the EU's privacy regulations. The main server is located in Vennesla, but there is a back-up of data stored on the main server in Haugesund. The servers' locations have been chosen to reduce geographical vulnerability (cf. geo redundancy).

Nordlo does not have access to additional information that makes it possible to identify End Users. In order to safeguard security and maintain operations, Nordlo may need to remove encryption of IP addresses temporarily. The IP addresses are not connected to other data that is recorded. Nordlo does not at any time have access to directly identifiable personal data in this connection. Nordlo must have access to this information in order to safeguard information security, maintain server operation and create a solution that satisfies the requirements of the Personal Data Act. This is authorized in the GDPR itself, in that it gives the Data Processor the opportunity to "implement suitable technical and organizational measures to ensure and demonstrate that the processing is carried out in accordance with" the Personal Data Act, cf. GDPR article 6 no. 1 letter c (legal obligation) and see GDPR article 24 no. 1 and 32. Nordlo undertakes to inform about cases where there has been a need to remove encryption of IP addresses, as well as having a system for logging such events, including the identity of personnel and time of the event. On request, Nordlo must also hand over a log of who has had access to Assistert Selvhjelp's servers.

Nordlo – Privacy policy

 

Only relevant for private individuals:

Stripe

Stripe processes payment for purchases from Private individuals. Stripe will have access to link card information, name of cardholder and name of purchased Service. Stripe will not access the Access Access Code at any time:

Stripe - Privacy

 

Only relevant for Businesses:

Account

Conta operates the platform for handling business information and invoices. When paying by invoice, information about (1) Customer relationship and (2) Contact person in the Business is stored at PayEx. This applies regardless of how the invoice is issued or how it is paid. Other personal information is provided on a voluntary basis.

Conta – User agreement

Google Workspace

Google Workspace manages our e-mails and storage related to external communication. All information that is registered, generated and stored in connection with email correspondence with Assistert Selvhjelp AS is stored on servers owned and operated by Google (Google mail). Here we also receive inquiries via the contact form on the Websites.

Google Workspace - Secure by design

Microsoft
Microsoft Office 365 is an office support tool, primarily reserved for internal overviews, workflow and communication between employees related to operations. This means that some information about customer relationships is stored.

Privacy statement - Microsoft

Aider AS

Aider AS is an Assistert Selvhjelp accountant and will have access to invoice information for Business customers and information about related customer relationships, contact persons and other accounting-related information. 

Aider - Privacy statement

Xledger

Xledger is an accounting system that Assistert Selvhjelp uses in connection with Virksomheter's customer relations, accounting and auditing.

Xledger - Privacy

Permanent developers outside the EU

The main rule is that none of the personal data processed by Assistert Selvhjelp shall be exported from Norway and/or the EU as a result of using the services. Assisted self-help has the following exceptions which involve a transfer abroad:

Permanent developers are used who have a place of residence outside the EU (Vietnam/Philippines/Turkey).They design solutions for the websites, so that Assistert Selvhjelp's services are simple, clear and work satisfactorily, including complying with the requirements for privacy. When designing and testing the solution, developers will need access to de-identified information about End Users or Private Persons (pseudonymisation). In order to safeguard security and maintain operations, they may also need to remove encryption of IP addresses temporarily, without these being connected to other data that is recorded. Neither Assistert Selvhjelp nor our developers have access to directly identifiable personal data in this connection at any time. In certain cases, for example to correct errors, the developers must have access to personal information about Professionals that appears in Profile on My page (for Professionals).

The developers must have access to this information in order to safeguard information security and create a solution that satisfies the requirements of the Personal Data Act. This is authorized in the GDPR itself, in that it gives the Data Processor the opportunity to "implement suitable technical and organizational measures to ensure and demonstrate that the processing is carried out in accordance with" the Personal Data Act, see GDPR articles 6 no. 1 letter c ( legal obligation) and 9 no. 2 letter g (important public interests), cf. GDPR articles 24 no. 1 and 32.

Assistert Selvhjelp confirms that none of the subcontractors transfer personal data covered by this agreement abroad, with the exception of such transfers as specified here. This also includes remote access for developers from abroad.

When transferring personal data to countries outside the EU/EEA (third countries), Assistert Selvhjelp uses an approved transfer basis, i.e. the EU's model agreement for transfer to data processors.

Other subcontractors

Subcontractors outside the EU, and who do not offer storage of data within the EU, have declared compliance with the framework agreement Trans-Atlantic Data Privacy Framework which is set by the EU and US authorities, and undertakes to subject all personal data from EU member states to the trust the framework agreements provide, according to the framework agreement's applicable principles.

No personal data is handed over to third parties without the explicit consent of the data subject, but a subcontractor may transfer data to a third party acting as an agent on their behalf. Such a transfer cannot, however, take place without complying with the principles of the Trans-Atlantic Data Privacy Framework for all subsequent transfers of personal data from the EU, including the provisions on responsibility for onward transfer:

Google (USA)

Google - Privacy shield

Microsoft (USA)

Microsoft - Privacy shield

Stripe (USA)

Stripe – Privacy shield

End users, private individuals, as well as businesses and their employees who use the Services accept that Assistert Selvhjelp reserves the right to make changes to the Privacy Policy on an ongoing basis.

Assistert Selvhjelp is obliged to notify End Users, Private Persons, as well as Businesses and their employees of significant changes that affect them. Material changes include any matter that restricts rights, or that otherwise changes the obligations or rights of the parties.

Possibility of appeal

If you have objections with regard to privacy or the use of data that has not been processed in a satisfactory manner, you can contact us or complaint to the Norwegian Data Protection Authority. However, we appreciate it if you contact Assistert Self-Help first, so that we can accommodate any wishes.

Changes from version published 21.11.2023 to version published 22.01.2024:

  • The title of the previous point "Fixed developers outside the EU" is replaced by the title "Subcontractors outside the EU".
  • In Subcontractors outside the EU, we have updated the text that refers to the current agreement for the transfer of information between the EU and the US - from "Privacy Shield - Safe harbor" to "Trans-Atlantic Data Privacy Framework".

Changes from version published 05.12.2022 to version published 21.11.2023:

  • The title of the previous point "Subcontractors outside the EU" is replaced by the title "Fixed developers outside the EU".
  • We have added Turkey as a local location for non-EU developers.

Changes from version published 16.05.2022 to version published 05.12.2022:

  • We have made minor changes to the text to make the Data Processor Agreement easier to read. 
  • We have updated the names of G Suite, which is now called Google Workspace and Tet Regnskap, which is now called Aider AS.
  • We have collected descriptions of functions for website analysis, encryption and notifications in the app.
  • We have updated the local location for developers outside the EU.

Changes from version published 08.12.2021 to version published 16.05.2022:

  • We have updated subcontractors (Nordlo)
  • Plausible replaces Google analytics
  • We have developed functionality for varling in the App. We have therefore added information aimed at end users who log in via AssistertSelvhjelp.no and Helsenorge.no. 

Changes from version published 02.09.2021 to version published 08.12.2021:

  • We have developed functionality for "Automatic login" with the use of biometrics and/or a self-selected code to protect access to the App. We have added information aimed at end users who log in via AssistertSelvhjelp.no and Helsenorge.no, as well as information for private individuals

Changes from version published 27/11/2020 to version published 02/09/2021:

  • We have changed the duration of consent to share data with businesses from 14 to 26 weeks. This has been done on the basis of feedback from several Companies, where consent is terminated before the user has finished follow-up, for example in connection with holiday processing. End users can nevertheless withdraw consent from settings at any time. 

Changes from version published 05/05/2020 to version published 27/11/2020:

  • We have reduced the amount of text and made the content more clear. This has been done on the basis of feedback from several businesses.
  • We switched during the 1st quarter of 2020 from Digitalocean (Amsterdam, The Netherlands) to Dedia AS (Oslo, Norway), but are now switching back. The background is that this will reduce vulnerability related to geo-redundancy, as Dedia AS uses the same data center as our main server (Syse AS). The server providers are within the EU where the EU's personal data protection regulation (GDPR) applies.
  • IP addresses are encrypted and/or removed so that these are not linked with other data. We specify that we may need to remove the encryption temporarily. The purpose is to prevent/block/prevent common cyberattacks that can affect most websites. Should this become necessary, the IP address will still not be linked to other registered data that is stored separately.
  • We have added information aimed at End Users who log in via Helsenorge.no, and Professionals who log in with Health ID.