Privacy Policy

1. Responsible

The person responsible for the processing of the data collected through this Website is:

  • EHOLO PSICOLOGIA, S.L., (hereinafter, “eholo”)
  • Consell de Cent Street, number 191, main floor, first door, 08011 — Barcelona.
  • soporte@eholo.health

2. Purpose

The personal data of the User of this Website will be processed for the following purposes:

  • Enable the maintenance, development and management of the business relationship formalized by contracting products and/or services through this Website. The data processed for this purpose will be kept for as long as said business relationship is maintained and, once it has ended, for the legally established retention and limitation periods of responsibility. The legal basis for the processing is: a) In relation to the User's own data, if the User is considered to be a self-employed or self-employed worker, the execution of a contract to which the interested party is a party; and b) In relation to the professional location data (contact data and those relating to the function or position performed) of individuals who, providing their services in a legal entity, contact eholo to enable the maintenance of the formalized business relationship with that legal entity (“Persons” of Contact”), eholo's legitimate interest in maintaining the business relationship with that legal entity through Contact Persons. The User undertakes to transfer the full content of this clause to the Contact Persons.
  • Respond to requests for information and/or inquiries made by the User. The data processed for this purpose will be kept until the request for information and/or consultation has been answered and, after that, for the legally established periods of conservation and prescription of responsibilities. The legal basis for the processing is eholo's legitimate interest in responding to the request for information and/or consultation.
  • Keep the User informed, even by electronic means, about eholo's services, products and news. The data processed for this purpose will be kept until the User withdraws his consent given for the receipt of such communications and, after that, for the legally established retention and limitation periods of responsibility. The legal basis for the treatment is the consent of the User.
  • Enable the open publication of opinions, comments, content and/or images of the User on the Website, freely carried out by the User himself through the functionalities and/or sections specifically made available to him for this purpose. The data processed for this purpose will be kept until the User withdraws their consent for publication and, after that, for the legally established retention and limitation periods of responsibility. The legal basis for the treatment is the consent of the User.

The User knows and accepts that the publication of their opinions, comments, content and/or images on the Website may be accompanied by data that identifies or makes them identifiable.

3. Recipients

The data may be communicated to the following third party recipients: Public Administrations for compliance with legal obligations and to banking institutions for the management of collections and payments. They may also communicate to the following categories of managers: Providers of electronic communications, office automation, hosting, housing, computer maintenance, management, accounting, auditing, consulting and legal representation. These managers may be located outside the European Economic Area, in which case eholo will have previously adopted appropriate guarantees.

4. Rights

The User can exercise before eholo their rights of access, rectification, deletion, limitation of processing, data portability and opposition.
Likewise, in the processing of the User's data whose legitimacy is based on the consent given by the User, the User has the right to withdraw said consent at any time, without affecting the lawfulness of the treatment based on the consent given prior to its withdrawal.
To exercise these rights, the user can send their request to eholo, Calle Consell de Cent, number 191, main floor, first door, 08011 — Barcelona, or to the email address soporte@eholo.health
eholo has appointed a Data Protection Officer, who can be contacted at dpo@eholo.health, or by sending a request to the attention of the Data Protection Officer at the postal address 191 Consell de Cent Street, main floor, first door, 08011 — Barcelona.
In any case, the User has the right to file a complaint with the corresponding supervisory authority if he deems it appropriate.

5. eholo as a data processor

If the User acquires a license to use the eholo Platform (hereinafter, “the Services”), eholo will need to process certain personal data on behalf of the licensee (either the User himself or a legal entity that the User represents). For these purposes, the licensee will be considered Data Controller and Eholo as Data Processor.
The following clauses constitute the regulation of the relationship between the Data Controller and the Data Processor for the purposes of complying with the provisions of Article 28 of Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27, 2016, relating to the protection of individuals with regard to the processing of personal data and the free movement of these data and repealing Directive 95/46/EC (hereinafter, “RGPD”) and Article 33 of Organic Law 3/2018, of December 5, of Protection of Personal Data and guarantee of digital rights (hereinafter, “LOPDGDD”).

5.1. Data processing to be carried out by the Data Processor

The Data Processor will process, on behalf of the Data Controller, the personal data necessary to carry out the Services. The said treatment will last for a duration equal to that of the provision of the Services, so that once the provision of the Services has ended, the treatment will be considered completed.

5.2. Identifying the affected information

For the execution of the Services, the Data Controller will make available to the Data Processor the information described below:

. Identifying data. Personal characteristics data. Data on social circumstances. Academic and professional data. Employment details. Economic, financial and insurance data. Transaction data for goods and services. Data related to health. Data that reveals ethnic or racial origin. Data that reveals political opinions. Data that reveal religious or philosophical convictions. Data relating to the CLIENT's sexual life or sexual orientationPatients. Identifying data. Employment details. Economic, financial and insurance data/CUSTOMER collaborators

5.3. Duties of the Data Processor

The Data Processor is obliged to:
a. Use the personal data being processed, or those you collect for inclusion, only for the strict provision of the Services. Under no circumstances may you use the data for your own purposes.

b. Process the data in accordance with the instructions of the Data Controller. If the Data Processor considers that any of the instructions violates the RGPD or any other data protection provision of the Union or Member States, the Processor will immediately inform the Data Controller of this.

c. Where appropriate, keep in writing the record of all categories of processing activities carried out on behalf of the Data Controller, in accordance with the provisions of article 30.2 of the RGPD.

d. Do not communicate the data to third parties, unless you have the express authorization of the Data Controller, in legally admissible cases.
The Data Processor may communicate the data to other processors of the same Data Controller, in accordance with the Data Controller's instructions. In this case, the Data Controller will identify, in advance and in writing, the entity to which the data must be communicated, the data to be communicated and the security measures to be applied to proceed with the communication.
If the Data Processor must transfer personal data to a third country or to an international organization, under Union or Member State law that is applicable to him, he will inform the Data Controller of this legal requirement beforehand, unless such Law prohibits it for important reasons of public interest.

and. Do not outsource any of the services that form part of the Services and involve the processing of personal data.
If it is necessary to subcontract any treatment, this fact must be notified in advance and in writing to the Data Controller, at least 20 calendar days in advance, indicating the treatments that are intended to be outsourced and clearly and unambiguously identifying the subcontractor company and its contact details. Subcontracting may be carried out if the Data Controller does not express his opposition, in writing, within the established deadline.
The subcontractor, who will also have the status of processor, is also obliged to comply with the obligations established here for the Data Processor and the instructions issued by the Data Controller. It is up to the initial Data Processor to regulate the new relationship so that the new processor is subject to the same conditions (instructions, obligations, security measures, etc.) and with the same formal requirements as him, with regard to the proper processing of personal data and the guarantee of the rights of the affected persons. In the event of non-compliance by the subcontractor, the initial Data Processor will remain fully responsible to the Data Controller with regard to compliance with the obligations.
The Data Controller authorizes the Data Processor to carry out the following subcontracts necessary to be able to provide the Services:

Amazon Web Services, Inc.GermanyData hosting in the indicated country.Stripe Payments Europe, Ltd.USA.Payment management tool.8x8, INC.USA.Jitsi tool for video calling.

f. Maintain the duty of secrecy with respect to personal data to which you have had access by virtue of the provision of the Services, even after the provision of the Services ends.

g. Ensure that persons authorized to process personal data undertake, expressly and in writing, to respect confidentiality and to comply with the corresponding security measures, of which they must be properly informed.

h. Keep at the disposal of the Data Controller the documentation supporting compliance with the obligation established in the previous section.

i. Ensure the necessary training on the protection of personal data for persons authorized to process personal data.

j. Assist the Data Controller in responding to the exercise of the rights of:
1. Access, rectification, deletion and opposition;
2. Limitation of treatment;
3. Data portability;
4. Not to be subject to automated individualized decisions (including profiling).
When affected persons exercise their rights of access, rectification, deletion and opposition, limitation of processing, data portability and not to be subject to automated individualized decisions before the Data Processor, the Data Processor must communicate this by email to the Data Controller. The communication must be made immediately and in no case beyond the working day following the receipt of the request, together, where appropriate, with other information that may be relevant to resolving the request.

k. Notify the Data Controller without undue delay and, in any case, before a maximum period of 48 hours via email, of any personal data security violations at your expense of which you are aware, together with all the information relevant to the documentation and communication of the incident. Notification will not be necessary when it is unlikely that such a breach of security would constitute a risk to the rights and freedoms of natural persons.
If available, at a minimum, the following information shall be provided:
1. Description of the nature of the personal data security violation, including, where possible, the categories and the approximate number of affected interested parties, as well as the categories and the approximate number of personal data records affected.
2. The name and contact details of the data protection officer or other point of contact where more information can be obtained.
3. Description of the possible consequences of the violation of personal data security.
4. Description of the measures taken or proposed to remedy the breach of personal data security including, if appropriate, the measures taken to mitigate potential negative effects.
If it is not possible to provide the information simultaneously, to the extent that it is not, the information will be provided gradually without undue delay.

l. Provide support to the Data Controller in carrying out impact assessments related to data protection, where appropriate.

m. Provide support to the Data Controller in carrying out prior consultations with the supervisory authority, where appropriate.

n. Make available to the Data Controller all the information necessary to demonstrate compliance with their obligations, as well as to carry out audits or inspections carried out by the Data Controller or other auditor authorized by him.

or. Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the application costs and the nature, scope, context and purposes of the treatment, as well as risks of varying probability and severity for the rights and freedoms of individuals. In any case, you must implement mechanisms to:
1. Ensure the ongoing confidentiality, integrity, availability and resilience of treatment systems and services.
2. Restore availability and access to personal data quickly, in the event of a physical or technical incident.
3. Verify, evaluate and assess, on a regular basis, the effectiveness of the technical and organizational measures implemented to ensure the safety of the treatment.
4. Pseudonymize and encrypt personal data, if appropriate.
p. Appoint a data protection officer and communicate your identity and contact details to the Data Controller, where appropriate.

q. Once the provision of the Services has been completed, the Data Controller will have a maximum period of 30 calendar days to access the eholo Platform and download all the information stored there. After this period has elapsed, the Data Processor will delete such information hosted on the eholo Platform. In any case, the Data Processor may keep a copy, with the data duly blocked, for as long as responsibilities may arise from the execution of the provision.

r. Comply with the rest of the obligations established by the GDPR, the LOPDGDD and their implementing regulations for the Data Processor.

5.4. Obligations of the Data Controller

It is the responsibility of the Data Controller:
a. Deliver or allow access by the Data Processor to the data specified above.

b. Carry out an assessment of the impact on the protection of personal data of the processing operations to be carried out by the Data Processor, where appropriate.

c. Make appropriate prior inquiries.

d. Ensure, prior to and throughout the processing, that the Data Processor complies with the GDPR, the LOPDGDD and its implementing regulations.

and. Monitor treatment, including carrying out inspections and audits.

f. Provide the right to information at the time the data is collected.

g. Comply with the rest of the obligations established by the RGPD, the LOPDGDD and their implementing regulations for the Data Controller.

Ready to get started?
software-for-psychologists
Talk to an expert
If you have questions about the options and benefits of Eholo, ask our team.
Contact us
software-for-psychologists
Ask for a demo
Book a free video call and discover everything Eholo can do for you.
Schedule a demo

Optimize the management of your

Psychology consultation with Eholo

More than 10,000 psychologists already trust Eholo to manage their inquiries.

Get started for freeDiscover the platform