HSK Privacy Statement Users English

Privacy statement HSK Flow – English version

Control over your life and control over your personal data

At HSK, your privacy comes first. When you use HSK Flow, you share personal data (“data”) with us. We use your data so that you can use HSK Flow in the best possible way.

Who are we?

We are HSK Bedrijfszorg B.V., part of the Mental Care Group, which also includes NL Mental Care B.V. and all its subsidiaries. We provide Services to Users, both terms as defined in the Terms of Use. Through our Shared Service Center, SSC B.V., we ensure that a high level of data protection is safeguarded throughout the entire group.
HSK Bedrijfszorg B.V., as part of the Mental Care Group, together with SSC B.V., is responsible for the processing of your data within the meaning of the General Data Protection Regulation (“GDPR”). The purpose of this privacy statement is therefore to inform you about how we, HSK Bedrijfszorg B.V. and SSC B.V., process and protect your data.
Your point of contact regarding the processing of your data is the Privacy Officer, who works for the entire Mental Care Group and can be reached at privacy@mentalcaregroup.nl. Of course, you can also always first ask your Coach, as defined in the Terms of Use. If necessary, your Coach will forward your question to the Privacy Officer.
This privacy statement has been written for current and former Users of HSK Flow.

Which data do we use from our current and former users?

We use the following data:
• Your contact details, such as your name, telephone number and email address;
• Your health data, such as the results of the Vitality Meter and information you share with us for the diary;
• Any other data you share with us, for example when you ask us a question.

On what legal basis do we use your data?

We process your data on the basis of one or more of the following legal grounds:
• You have given your explicit consent, in accordance with Article 6(1)(a) and Article 9(2)(a) GDPR. You give this explicit consent when you first log in to HSK Flow. You can withdraw your consent at any time via HSK Flow by deleting your account. Without your consent, we cannot process a large part of your data, which means we cannot provide the Services to you.
• The processing is necessary to comply with our legal obligations, in accordance with Article 6(1)(c) GDPR; or
• The processing is necessary for the purposes of the legitimate interests pursued by HSK, provided that your interests, such as your right to privacy, do not override those interests, in accordance with Article 6(1)(f) GDPR.

For which purposes do we use your data?

We use your data for the following purposes:
• To provide our Services to you.
• To stay in contact with you, for example to send you an appointment confirmation. You cannot unsubscribe from this type of communication. Sometimes we also want to contact you to send newsletters or satisfaction surveys. You can sign up for this type of communication via the website and you can always unsubscribe using the unsubscribe button in the email.
• To handle questions, complaints and disputes. If you submit a complaint to us, it will be reviewed by our Complaints Officer. The Complaints Officer will then contact you and, if necessary, ask for your explicit consent to view your health data and discuss it with your Coach. If you do not give consent, we may not be able to handle your complaint.
• For scientific and statistical research. Sometimes we use part of your data to assess, among other things, how many Users have registered and how many appointments have been scheduled. We cannot directly see that the data relates to you, but we do use it to carry out analyses.
• To measure the effect of our Services and improve quality. We are continuously working to improve our Services. That is why we also use the outcomes of the Services to learn from them. We do this as anonymously as possible. To the extent that personal data is nevertheless processed, we have a legitimate interest in doing so.

With whom do we exchange data?

All your data is confidential, but this does not mean that we never share data with other parties. Below, we explain why we exchange data with certain parties and on what basis we are allowed to do so. We never sell your data. To anyone.
We may exchange data with:
• Certain parent companies, sister companies and/or subsidiaries of HSK Bedrijfszorg B.V., for the purpose of managing and developing the HSK Flow software, carrying out administration related to the Services and conducting research to improve our Services. We have made clear agreements with each other in the form of an intra-group data processing agreement.
• Our processors. To process your personal data, we may engage other service providers. We call these parties Processors. These include hosting providers and IT service providers that help us provide our Services. We make proper agreements with our processors that comply with the requirements of the GDPR.

No international transfer of data

We do not transfer data outside the European Economic Area (EEA).

No profiling or automated decision-making

We do not profile you on the basis of your data and we do not use automated decision-making.

Retention of data

We do not retain your data for longer than necessary. How long this is depends on the purpose of the processing. We retain all data in your account until one year after your last use, unless there are reasons to retain the data in your account for longer. This may be the case if a complaint or legal proceedings are ongoing, or if we are required to do so by law. After that, we delete your data or anonymise it.
If we anonymise your data, we remove all data that refers to you. The data can then no longer be linked to you. We use this anonymous data for scientific and statistical market research, for example to develop Services or to better align our offering and Services with the needs of our Users.

How do we ensure that your data is safe with us?

We do everything we can to ensure that your data is safe with us. We do this, among other things, by:
• Screening employees and ensuring that every employee is bound by confidentiality, either by law, professional codes or contract.
• Properly securing our systems, for example by securing internet connections, using two-factor authentication and logging what happens in our systems.
• Having ourselves assessed by an external party, as a result of which we also hold a NEN 7510 certificate. This certificate demonstrates that we properly secure our information.
• Paying ongoing and periodic attention to training and awareness in this area.
If, despite all the measures we have taken, you still discover a security issue or other problem, please report it to us via security@mentalcaregroup.nl.

Your privacy rights

Below you will find an overview of the rights you have in relation to our use of your data. These rights are not absolute. This means that we will always assess whether a request to exercise your rights should be granted.

Withdrawing consent

You can withdraw your consent at any time via HSK Flow by deleting your account. You do not need to give a reason for this. Without your consent, we cannot process much of your data and we can no longer provide the Services to you. If you wish, you can create a new account at any time after withdrawing your consent.

Rectification

If you see information in your data that is factually incorrect, you may ask us to correct it. Where possible, you can also do this yourself via HSK Flow.

Access and copy

As a User, you can view as much of your data as possible via HSK Flow. You can also ask us to provide you with a copy of your data.

Deletion / destruction

You can ask us to delete your data. In most cases, we can do this for you, but sometimes this is not possible, or not entirely possible, for example because we are legally required to retain certain data or because otherwise we can no longer provide you with proper Services. If we cannot delete your data, we will always explain why.

Restriction / temporary suspension

You can also ask us to temporarily stop using your data. For example, if you have informed us that you believe your data is incorrect or that we should no longer process it, and we are still investigating this. During that period, you can ask us not to use your data.

Objection

Sometimes we also use your data for our legitimate interests. If we do this, you can object if you believe this is particularly disadvantageous to you personally. We will then carefully assess whether, because of your specific situation, we should stop using your data.

Data portability

You can also ask us to transfer your data to another party. You only have this right in relation to data about you that you have provided to us yourself and that we process on the basis of your consent. Would you like to know more about your rights? Please visit the website of the Dutch Data Protection Authority.

How can I exercise my rights?

You can exercise your privacy request yourself as much as possible via HSK Flow, or submit a direct request by email to flowsupport@hsk.nl.
In most cases, we can fully process your request within one week. Sometimes this is not possible, but in that case you will always receive an initial response within 4 weeks and a final response from us no later than within 3 months. You will also receive a response if we believe we cannot comply with your request.
A Coach always has the option to make their own decision and to partially or fully refuse a request if they believe this is necessary in the interests of the User.

Changes to this privacy statement

If anything changes in the way we process your data, we will update our privacy statement accordingly. In the event of major changes or changes that genuinely affect your privacy, you will be informed. You can always find the latest version of our privacy statement on this website.
This latest version of the privacy statement was created on 7 April 2026.

Do you have a complaint or would you like to report something?

Do you have a complaint about privacy or would you like to report something to the internal supervisory officer of the Mental Care Group? Please send an email to the Data Protection Officer at fg@mentalcaregroup.nl. You can also send a letter to:
HSK Bedrijfszorg B.V.
Attn. Data Protection Officer
Steijnlaan 12
1217 JS Hilversum
The Netherlands
If we cannot resolve the matter together, you can submit your complaint to the Dutch Data Protection Authority.