Privacy Statement The Micro Habit Company (TMHC)

Version: 1.1

Introduction

The Micro Habit Company (hereinafter: TMHC or We) processes Personal Data and strives to handle your personal data carefully and securely within the boundaries of the law, including the General Data Protection Regulation (hereinafter: GDPR).

In this Privacy Statement, we describe who we are, how and for what purposes we process your personal data, how you can exercise your privacy rights, and what else may be important for you to know.

To keep the information concise, each topic is divided into two layers of information. First, you'll see a summary on key points. If you would like more detailed information, you can find it by clicking the 'more details' link. We have done our best to make all information clear and readable. If you have any questions about our use of your personal data after reading the Privacy Statement, please feel free to contact us. Later in this statement, you will read how you can do this.

Finally, we would like to point out that our services are evolving, as is our privacy statement. Therefore, we encourage you to regularly check for updates to this privacy statement, so you know exactly where you stand. At the very bottom of this privacy statement, you can see when it was last modified. In the event of significant changes, we will notify you by email.

More details/For more information click here: Second layer: We strive to handle your personal data carefully and securely and at least adhere to the following principles in connection with the processing of personal data:

Data Processing Principles

1. Lawfulness, fairness, transparency: Personal data is processed in a way that is lawful, fair, and transparent to the data subject.

1. Purpose limitation: Personal data is only processed for specific, explicitly described, and justified purposes. These purposes are concrete and documented before processing. Personal data is not further processed in a manner that is incompatible with the purposes for which they were obtained.

1. Data minimization: When processing personal data, the amount and type of data is limited to what is necessary for the specific purpose. The data should be adequate, relevant, and not excessive for that purpose.

1. Necessity and proportionality: Processing of personal data occurs in the least intrusive way and should be reasonably proportionate to the intended purpose.

1. Accuracy: Measures are taken to ensure that personal data is as accurate and up-to-date as possible.

1. Integrity and confidentiality: Personal data is adequately protected according to applicable security standards.

1. Storage limitation: Personal data is not processed longer than necessary for the purposes of processing. TMHC observes at least the statutory retention periods.

Definitions Used

The terms in this Privacy Statement are largely based on the definitions in Article 4 of the GDPR. For more detailed information, click 'more details' and also see Article 4 of the GDPR.

• GDPR: the General Data Protection Regulation, effective as of May 25, 2018.
• Privacy Statement: this document describing who we are, how and for what purposes We process your Personal Data, how you can exercise your privacy rights, and what else may be important for you to know.
• Personal Data: any data about an identified or identifiable natural person (the Data Subject).
• Data Subject: the individual to whom the Personal Data relates.
• Processing: any operation or set of operations on Personal Data, including at least collecting, organizing, updating, modifying, retrieving, consulting, using, transmitting, combining, blocking, erasing, and destroying Personal Data.
• Controller: the (operational) management of TMHC, or the person or entity who, alone or with others, determines the purpose and means of processing Personal Data.
• Processor: person or entity that processes Personal Data on behalf of the Controller.
• Special Personal Data: Personal Data that, due to its nature, requires specific protection, as the processing context may present significant risks to the data subject. This includes data revealing racial or ethnic origin and processing health data. Processing is prohibited unless the GDPR provides an exception.
• Health Data: Personal Data related to physical or mental health.
• User of Personal Data: the individual authorized under the direct authority of the controller or processor to process personal data. This includes people in a hierarchical relationship with the controller or processor, such as employees of TMHC or freelancers working under TMHC instructions.
• Client: the individual or organization that has contracted TMHC to use TMHC's services, including the application, platform, questionnaires, and coaching programs to provide insight into the mental and emotional health, vitality, and development, or sustainable employability of their employees.
• Third Party: anyone other than the data subject, the controller, the processor, or the user of personal data.
• Consent of the data subject: any free, specific, informed, and unambiguous indication by which the Data Subject accepts the Processing of Personal Data concerning them by means of a statement or an unambiguous affirmative action. Consent must be directed towards a specific category of Processing.

Who are We, what is our approach, and how can you reach us?

TMHC is an organization that develops online Micro Habit Tracks together with its partners using Micro Habit Technology. Our tracks are designed to help users build healthy and effective habits.

In the tracks we develop with partners, participants work on Micro Habits, small healthy habits that are scientifically backed and take less than 5 minutes. Employees perform these habits together, sometimes with support from a Micro Habit coach.

We handle the processing of personal data with great care, as misuse of personal data can cause significant harm to Data Subjects, our clients, and TMHC itself.

For our services, we use a web application, which is the information system supporting the registration and guidance of participants in the Micro Habit programs. This is our own application, and the data is stored in the Netherlands.

TMHC is based in Amstelveen, Gondel 1, 1186 MJ, and registered in the Dutch Chamber of Commerce under number 76910865.

This Privacy Statement exclusively concerns TMHC. We are the 'Controller' in terms of the GDPR for the processing of personal data described in this privacy statement.

You can reach us by visiting the above address or by emailing us at privacy@themicrohabitcompany.com. We have also appointed a data protection officer (hereinafter: DPO). This person is our internal supervisor and oversees GDPR compliance within TMHC. The DPO holds an independent position within TMHC. You can reach the DPO at paul@themicrohabitcompany.com

What Personal Data does TMHC collect from you?

TMHC processes your personal data because you use our services and/or because you provide us with this data. Categories of personal data we collect:

We collect different categories of Personal Data:

• Name and email address
• Program information: During the program's duration, information is collected from the habit tracker and questionnaires and processed in an online (personal) dashboard
• Account data: (e.g., username and password).
• Interaction data: (e.g., your contact with customer service or digital and/or written correspondence)
• Health data

The above categories of personal data are provided directly by you to TMHC.

Personal data you provide directly to us

This may include:

• Personal data you provide when creating an account on the TMHC web application or one of the tracks like Wellbeing Leadership, i45, or qihabitapp and/or other information you enter;
• Personal data you provide when filling out the habit tracker, chat, and questionnaires for a program;
• Personal data you provide in connection with (e.g.) correspondence, feedback, support (Q&A), dispute resolution, satisfaction surveys, etc.

Processing of Special Personal Data (Health Data)

Given the nature of our programs, TMHC processes certain health data in some tracks to optimally support you in developing micro-habits that contribute to your mental and physical well-being and to provide you with insight into your progress. This health data is processed and protected with the utmost care, in accordance with the General Data Protection Regulation (GDPR).

Type of Health Data: The health data we process may include your wellness activities, stress levels, sleep habits, and other data you enter in the habit trackers, questionnaires, and during sessions with a Micro Habit Coach. This data is collected solely to support you in achieving program goals, such as improving your well-being, psychological safety, and vitality.

Legal basis for processing: The processing of this data occurs based on your explicit consent, which you give when starting the program. You have the right to withdraw this consent at any time.

Protection of Health Data: TMHC has implemented technical and organizational measures to protect your health data against unauthorized access, loss, or misuse. Only authorized staff and the Micro Habit Coach have access to this data and only as necessary for their tasks. All data is processed within a secure IT environment that meets applicable security standards.

Retention and Deletion of Health Data: Health data is retained for the duration of the program and is automatically deleted no later than one year after program completion, unless a longer retention period is legally required. After program completion, your data is completely and irreversibly removed from our systems.

Use of Anonymized Data: To evaluate and improve the effectiveness and quality of our programs, anonymized data may be used for research purposes. This data contains no identifiable information and cannot be traced back to individual participants.

Personal Data about others you directly provide to us: You may occasionally share other people's personal data with us, such as their address or contact information. We remind you that it is your responsibility to ensure these people agree with providing their personal data to TMHC.

For what purposes do We process your Personal Data?

TMHC collects your personal data for the following purpose related to our service delivery:

• Helping to develop habits (Micro Habits) to reduce stress and improve mental well-being, engagement, resilience, and performance.

We further collect and process personal data for the execution of agreements with you and/or our clients, administration, and to fulfill legal obligations. For quality and management purposes and research purposes, we use anonymous data whenever possible rather than personal data.

The various purposes described above are detailed below. We do not process your personal data further in a way that is incompatible with the purposes for which it was obtained.

Under the terms of an agreement: For the preparation, establishment, execution, and possible termination of the agreement(s) between our Client and TMHC. For example, an Agreement to offer a Micro Habit program.

Administration: For the execution and control of TMHC's administration broadly.

Quality and management purposes: To investigate and improve service quality, processes, and systems, to inform management, and to perform (internal) audits.

Research purposes: To improve service quality, personal data is processed for research purposes. Our research purposes are always compatible with the purposes for which your personal data was obtained by TMHC.

Legal and regulatory obligations: For identification, fraud prevention, internal control, corporate security, and compliance with laws and regulations.

On what legal grounds do We base the processing(s) of your Personal Data?

TMHC always processes your personal data in accordance with one of the legal grounds in the GDPR. For TMHC's service delivery, we use the basis of consent to process your personal data.

Consent

Participation in the Micro Habits program is based on consent. With your consent, we may use your personal data for the purposes of service as described in the privacy statement.

To whom do we disclose your Personal Data?

Your Personal Data is only shared with TMHC's Micro Habit Coach and partners with whom a processor agreement has been concluded. We do not further disclose your personal data to third parties. This only occurs if the disclosure of personal data is in line with this privacy statement and (privacy) laws.

Individual results are never shared with the employer. The reports that the employer receives contain only anonymized results. A reporting group must consist of at least fifteen respondents to ensure that results are not traceable to an individual.

Your Personal Data may be received by the following categories of recipients:

Micro Habit Coach: Part of TMHC's service is providing a Micro Habit Coach. The Micro Habit Coach has individual-level insight to give targeted advice and facilitate lasting change. The Micro Habit Coach processes personal data only in accordance with the purposes of processing. TMHC has a contract with this person and is legally and contractually obligated to maintain confidentiality.

Partners: TMHC collaborates with selected partners to develop and implement its Micro Habit programs. This collaboration may involve sharing certain personal data with partners to properly deliver the service. TMHC ensures that all partners comply with the requirements of the General Data Protection Regulation (GDPR).

Consent for data sharing with partners: Your personal data is only shared with partners when strictly necessary for program delivery. Information shared with partners is limited to the minimum needed to achieve the objective.

Processor agreement with partners: TMHC concludes a processor agreement with each partner specifying how the partner must handle the personal data shared within the program framework. This agreement ensures that the partner processes personal data only per TMHC's instructions and solely for the purposes described in this privacy statement. The partner is obligated to take adequate security measures to protect your personal data against unauthorized access, loss, or misuse.

Restrictions on access and use: The partner has access only to the personal data necessary for the specific agreed purpose and is not authorized to use this data for other purposes. The partner may not employ sub-processors without prior written consent from TMHC.

Anonymized reports: Individual results and health data are not shared with employers or other third parties unless anonymized. Only statistical or group reports that are not traceable to individuals are provided to partners or employers.

Access and transparency: If data is shared with partners, we always inform you beforehand. For an overview of the specific partners with access to your personal data and the purposes of this cooperation, you can request information via privacy@themicrohabitcompany.com.

Data processing duration by partners: Partners retain personal data only as long as necessary to perform their services. After completing the program or terminating the collaboration, all personal data is deleted or returned to TMHC, depending on the agreement in the processor agreement.

Is your Personal Data processed outside the European Economic Area?

No. Your Personal Data is only processed within the European Economic Area (hereinafter: "EEA"). The EEA comprises the EU member states, Iceland, Liechtenstein, and Norway. All EEA countries must adhere to the same GDPR regulations, which aim to ensure a consistent level of protection for Personal Data processing across Europe.

Who within TMHC has access to your Personal Data?

TMHC's quality system specifies who has access to the registration systems based on the established authorization scheme and how the authorizations are granted and managed.

Only employees and professionals directly or indirectly involved in delivering TMHC's contractually agreed services have access to data. Employees and professionals only have access to those parts of the data necessary for their tasks.

How long is your Personal Data retained?

Your Personal Data is deleted when no longer necessary for the purposes described above. Additionally, i45 will never retain your Personal Data longer than legally permitted.

i45 retains your Personal Data only as long as necessary to achieve the purpose for which your data was collected. This means that your Personal Data will be deleted no later than 1 year after completing the program.

How can you manage your Personal Data?

Your Personal Data is deleted when no longer necessary for the purposes described above. Additionally, TMHC will never retain your personal data longer than legally permitted.

TMHC retains your personal data only as long as necessary to achieve the purpose for which your data was collected. This means that your personal data will be deleted no later than 1 year after completing the program.

How can you manage your Personal Data?
You have the right to access, correct, and/or delete your personal data collected by us. Additionally, you can invoke the following rights with us: the right to restrict processing of your personal data, the right to transfer your personal data (data portability), and the right to object. Below you can read where and how you can exercise these rights, as well as information on deadlines, costs, and other relevant details regarding exercising your rights. Note that we may request additional information to verify your identity.

Term: We usually respond to your request to exercise your right(s) within one calendar month. If we cannot meet this one-month deadline, we will notify you of the reason for the delay within that same month. Note that TMHC may request additional information to verify your identity. We may extend our response time by two calendar months, provided we can justify this due to the complexity of your request(s) and/or the number of requests from you.

Cost: In principle, we provide the requested information and respond to the exercise of your right(s) free of charge. However, administrative fees may apply to follow-up requests. For instance, when you request multiple copies of the same information.

Refusal to comply with your request

We only deny a request under exceptional circumstances: if the request is manifestly unfounded or excessive.

A request is manifestly unfounded if it does not meet the requirements for a request or if you are requesting information outside the rights provided by the GDPR. Think of a request for access to another person's personal data. A request is excessive if it places a disproportionate burden on us, for example, if you request your records weekly. We bear the burden of proof to show that a request is manifestly unfounded or excessive.

Your right to access, correct, and/or delete Personal Data

In the TMHC web application, you have access to some of your registered personal data. You can correct or delete certain data yourself at any time, such as updating your account details and personal information.

If you wish to access the Personal Data processed about you and/or wish to correct or delete data (where permissible) that you cannot change yourself, you can contact us at privacy@themicrohabitcompany.com.

We correct or delete your personal data if it is factually incorrect, incomplete, irrelevant for processing purposes, or otherwise in conflict with a legal requirement. The right to have personal data deleted is not absolute. We weigh each request to delete data against other (fundamental) rights and interests on a case-by-case basis.

We will inform third parties to whom this data has been disclosed of an adjustment, deletion of personal data, or restriction. We are not required to inform these parties if it proves impossible or would require a disproportionate effort (in terms of cost and time). You may request a list of individuals to whom we have made this notification.

Your right to restrict Processing, the right to data portability

To exercise your right to restrict Processing of your Personal Data and the right to data portability, you can also send your request to privacy@themicrohabitcompany.com.

The right to restrict processing of your personal data can be described as marking stored personal data with the aim of limiting its future processing. In brief, the processing of personal data is temporarily frozen until an objection or dispute is resolved.

During the restriction, we will only process this personal data…:

• …with your Consent;
• …for the establishment, exercise, or substantiation of a legal claim;
• …to protect the rights of others or for reasons of significant public interest to the European Union or a Member State.

The right to data portability gives you the right to obtain your Personal Data that you have provided to us, to then transfer the Personal Data to another Controller (other than TMHC). This right only applies when processing is based on your (explicit or implied) Consent or necessity for the performance of a contract.

Your right to object

To exercise your right to object, you can contact privacy@themicrohabitcompany.com.

You can invoke your right to object in three cases:

1. Firstly, you may object to processing based on your personal circumstances. The processing must then be based on the legitimate interest of us or a third party to whom the data is disclosed. We will stop processing unless there are compelling legitimate grounds that override your interest to stop processing.

1. Secondly, you can object to the processing of your Personal Data for direct marketing purposes. We will always honor such a request.

1. Thirdly, you can object to processing your data for scientific or historical research or statistical purposes due to specific reasons related to your situation. We will always honor such an objection.

Can you later withdraw your consent?

If you have given consent for a specific processing of your personal data, you can always withdraw this consent. Note that the withdrawal of your consent is not retroactive and is only possible if you have first given consent.

You can withdraw your consent by notifying us at privacy@themicrohabitcompany.com or by post.

Can you file a complaint?

If you have a complaint about TMHC's use of your personal data, such as if you believe TMHC is not handling your personal data carefully, or if you requested access or correction of your Personal Data and are not satisfied with our response, please send your complaint to complaints@themicrohabitcompany.com. Additionally, you may file a complaint directly with the Dutch Data Protection Authority.

If TMHC refuses to comply with a Data Subject's request, TMHC will inform the Data Subject of the reasons. If the Data Subject disagrees with these reasons, they are free to file a complaint. In such cases, the following process applies:

1. The Data Subject may turn to TMHC again;
2. In that case, TMHC registers a complaint;
3. Complaints are handled as soon as possible but no later than one month;
4. In the case of a (privacy-related) complaint, TMHC is required to seek advice from the DPO;
5. If the complaint cannot be resolved to the satisfaction of the Data Subject by TMHC, the Data Subject may file a complaint with the Dutch Data Protection Authority.

The Data Subject also has the option to enforce their request in court.

You can file complaints with the Dutch Data Protection Authority through their website.

When was this Privacy Statement last modified?

This Privacy Statement was last modified and is effective from October 27, 2024.

---

Consent Declaration for Wellbeing Leadership

For leaders concerning the questionnaire for the Wellbeing Leadership program on psychological safety.

With your information, we make the Wellbeing Leadership program relevant to you. We handle your data with care. The Wellbeing Leadership program is an initiative of Achmea Vitaliteit B.V. (operating under the name Zilveren Kruis) and The Micro Habit Company B.V. Participation in the questionnaire is part of the program. By participating in the questionnaire, you explicitly consent to the processing of data, as described in this consent declaration and the privacy policy, for the purpose of offering and implementing the Wellbeing Leadership program. This information is shared and used exclusively for the purposes to which you consent.

I give consent to Wellbeing Leadership to:

1. offer me a questionnaire via the application as part of the Wellbeing Leadership program, providing me with insights into my behaviors surrounding psychological safety. Your employees also receive a questionnaire measuring the perception of psychological safety within the team. This questionnaire focuses on the three main factors of psychological safety: 'fearless communication,' 'inclusion & diversity,' and 'equal participation.' In this way, we can give you insight into the extent to which your efforts impact the perception of employees.

1. provide insight into the results. After completing the questionnaire (15 questions, maximum of 5 minutes), you as a leader will see these insights. Additionally, you gain insights into your team's results, provided at least 5 employees from your team have completed the questionnaire. Only the average scores are displayed in this case.

1. offer me the same questionnaire again after the Wellbeing Leadership program, so you as a leader can see if and what changes have occurred in your behaviors and in your team's perception regarding psychological safety.

1. make my questionnaire results accessible to Zilveren Kruis and The Micro Habit Company B.V. for the purpose of analyses for the following activities:

- adjusting the content or operation of, or communication about, the Wellbeing Leadership program during its duration to improve experience and impact; - providing advice to employers on health and wellbeing policies; - evaluating and improving the proper functioning and effectiveness of the Wellbeing Leadership program; - enhancing products and services related to Wellbeing at work and Wellbeing Leadership.