DATA ANNEX AI- EXPERT COACH
This arrangement forms an integral part of the Expert AI Coach Service Terms (hereinafter the "Agreement") between Move To Happiness Hub bv ("MTH") and the Expert. (Article 26 General Data Protection Regulation)
1. Definitions
"General Data Protection Regulation" or "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
"Data Subject" means the identifiable natural person whose Personal Data are processed through the AI Coach, being the End User.
"Data Breach" means a breach of the security of Personal Data that accidentally or unlawfully leads to the destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to, personal data transmitted, stored or otherwise processed.
"Personal Data" means any information relating to an identified or identifiable natural person that is processed through the AI Coach.
"Data Protection Law" means all applicable Belgian and European data protection legislation, including the GDPR.
"Sub-processor" means any third party engaged by MTH or the Expert to process personal data on behalf of the AI Coach.
"Supervisory Authority" means in Belgium the Data Protection Authority.
2. Subject Matter and Context
2.1 MTH acts as the sole data controller within the meaning of the GDPR for all personal data processed in the context of the Platform and the AI Coach. The Expert is not a (joint) data controller.
2.2 The Expert provides exclusively Content (expertise, methodologies, persona settings) that is integrated by MTH into the AI Coach. The Expert:
- does not determine which personal data are collected from End Users;
- does not have access to raw personal data, except through the dashboard managed by MTH;
- does not control technical processing operations;
- does not determine how long personal data are retained.
2.3 This annex describes the obligations of MTH as data controller and the limited obligations of the Expert with regard to confidentiality and cooperation.
3. Allocation of Responsibilities
MTH is responsible for:
- The technical security of the Platform and the AI Models, including encryption, access control and monitoring;
- The hosting and storage of personal data within the EEA (Azure infrastructure);
- Maintaining the record of processing activities for all processing operations through the Platform and the AI Coach (Article 30 GDPR);
- Reporting Data Breaches to the Supervisory Authority within 72 hours of becoming aware, to the extent that the Data Breach relates to the platform infrastructure;
- The technical implementation of Data Subject requests (access, rectification, erasure, data portability) through the Platform;
- The processing of payment data via Stripe Connect;
- Managing sub-processors engaged for platform services (hosting, AI infrastructure, payment processing);
- Informing Data Subjects about the processing of their personal data through the AI Coach, in particular through a privacy policy made available to End Users;
- Obtaining the required legal basis (in particular consent or legitimate interest) for the substantive processing operations through the AI Coach;
- Carrying out a Data Protection Impact Assessment (DPIA) where required under Article 35 GDPR;
- The implementation and maintenance of platform-level Guardrails;
- Managing retention periods per data category.
The Expert is responsible for:
The Expert undertakes the following limited obligations:
- Confidentiality: the Expert treats all personal data to which it has access through the Platform as Confidential Information and does not process such data for its own purposes;
- Cooperation in the event of data breaches: the Expert reports to MTH any suspicion of a Data Breach promptly and no later than 24 hours after becoming aware;
- Cooperation with requests: the Expert cooperates with MTH in answering substantive questions from Data Subjects about the purpose of the coaching;
- Professional ethics: the Expert complies with the professional rules and codes of conduct applicable to the substantive services provided;
- No own processing register: the Expert is not required to maintain a processing register (Art. 30 GDPR) for the processing operations through the AI Coach, as MTH maintains this register as the sole data controller.
4. Point of Contact for Data Subjects
4.1 In accordance with Article 26(1) GDPR, the Parties designate MTH as the primary point of contact for Data Subjects wishing to exercise their rights. Data Subjects may contact support@movetohappiness.com.
4.2 Notwithstanding the foregoing, the Data Subject retains the right to exercise their rights against each data controller individually, in accordance with Article 26(3) GDPR.
4.3 When MTH receives a request from a Data Subject that relates wholly or in part to the substantive processing operations of the Expert, MTH will notify the Expert without delay. The Expert provides all cooperation necessary to respond to the request within the statutory time limits.
4.4 When the Expert directly receives a request from a Data Subject, the Expert notifies MTH without delay. MTH provides the technical cooperation necessary to fulfil the request.
5. Categories of Personal Data
5.1 MTH is designated as the sole point of contact for Data Subjects wishing to exercise their rights. Data Subjects may contact support@movetohappiness.com.
5.2 As MTH is the sole data controller, all Data Subject requests are handled by MTH. If a request relates to the content of the coaching, MTH may consult the Expert for substantive input.
5.3 When the Expert directly receives a request from a Data Subject, the Expert forwards this request to MTH without delay. MTH handles the request as data controller.
6. Security
6.1 In the context of the AI Coach, MTH processes the following categories of personal data:
Category | Data | Retention Period
Account data | Name, email address, password (hashed) | Duration of account + 90 days
Payment data | Via Stripe Connect (no full card details) | Statutory retention period (7 years)
Technical data | IP address, device info, session, logs | 90 days (rolling)
Conversation data | Content of conversations between End User and AI Coach | Duration of subscription + 90 days
Usage data | Frequency, duration, nature of interactions | Duration of subscription + 90 days
Wearable/health data | Heart rate, sleep, stress (via MTH platform) | Duration of subscription + 90 days
Wellbeing data (Art. 9 GDPR) | Voluntarily shared by End User during coaching | Duration of subscription + 90 days
6.2 All personal data listed above are collected, processed and managed by MTH. The Expert has no influence over which data are collected or how long they are retained.
6.3 If the AI Coach involves the processing of special categories of personal data (in particular health data), MTH implements additional safeguards, including: explicit consent via the Consent Management System, pseudonymisation where possible, encryption, strict access control, and a DPIA carried out by MTH.
6.4 The Expert informs MTH in advance if the Content is designed to process special categories of personal data (e.g. specific health coaching). MTH assesses whether additional safeguards are required.
7. Sub-processors
7.1 MTH makes use of sub-processors for the delivery of platform services. An up-to-date list of sub-processors is available through the Platform or upon request by the Expert.
7.2 The Expert secures access to their Expert account (strong password, MFA where available) and does not export personal data of End Users outside the Platform.
7.3 MTH enters into a data processing agreement with each sub-processor containing at least the same data protection obligations as set out in this annex.
8. Data Breaches
8.1 In the event of a Data Breach, the Party that first becomes aware of the Data Breach notifies the other Party without delay and no later than 24 hours after becoming aware.
8.2 MTH bears responsibility for reporting the Data Breach to the Supervisory Authority in accordance with Article 33 GDPR, unless the Data Breach relates exclusively to processing operations for which the Expert is independently responsible.
8.3 The Parties provide each other with all necessary cooperation in investigating and remedying the Data Breach and in communicating with Data Subjects in accordance with Article 34 GDPR.
9. Data Protection Impact Assessment
9.1 In the event of a Data Breach, MTH notifies the Expert without delay and no later than 48 hours after becoming aware.
9.2 MTH bears full responsibility for reporting the Data Breach to the Supervisory Authority in accordance with Article 33 GDPR and for communication with Data Subjects in accordance with Article 34 GDPR.
9.3 The Expert reports any suspicion of a Data Breach to MTH without delay. MTH investigates and handles the Data Breach as data controller.
10. International Transfers
10.1 MTH carries out the DPIA as sole data controller where required under Article 35 GDPR. The Expert is not required to carry out its own DPIA.
10.2 MTH may consult the Expert for substantive input on the purpose and nature of the coaching, where relevant to the risk assessment.
10.3 The Expert informs MTH in advance of any significant change to the Content or the coaching model that may have an impact on the processing of personal data.
11. Retention Periods
11.1 The specific retention periods per data category are set out in the table in Article 6.1.
12. Audit and Accountability
12.1 Each Party makes available to the other Party all information necessary to demonstrate compliance with this annex.
12.2 The Expert has the right, following prior written notice of at least thirty (30) calendar days, to have an audit carried out of the processing activities of MTH. This audit is conducted by an independent third party bound by confidentiality obligations.
12.3 The costs of the audit are borne by the Expert, unless the audit reveals shortcomings attributable to MTH.
13. Duration
13.1 This annex enters into force on the Start Date of the Agreement and remains in force for as long as the Parties process personal data in the context of the AI Coach.
13.2 The obligations that by their nature are intended to survive termination remain in full force and effect, in particular the obligations regarding confidentiality, security and cooperation in the exercise of Data Subject rights.
14. Liability
14.1 MTH, as sole data controller, is liable for compliance with the GDPR in respect of all processing operations through the Platform and the AI Coach.
14.2 The Expert is solely liable for the substantive accuracy and lawfulness of the Content it provides, not for the processing of personal data.
14.3 MTH indemnifies the Expert against all claims from Data Subjects or the Supervisory Authority arising from the processing of personal data through the Platform, unless the claim is the direct result of substantively unlawful Content provided by the Expert.
15. Duration
15.1 This annex enters into force on the Start Date of the Agreement and remains in force for as long as MTH processes personal data in the context of the AI Coach.
15.2 The obligations that by their nature are intended to survive termination remain in full force and effect, in particular the obligations regarding confidentiality, security and cooperation in the exercise of Data Subject rights.