Privacy Statement The Micro Habit Company (TMHC)
Effective from: 01-09-2025
Version: 1.2
Introduction
The Micro Habit Company (hereinafter: TMHC, we) processes personal data and strives to use your personal data carefully and securely within the boundaries of applicable law, including the General Data Protection Regulation (GDPR).
In this Privacy Statement we describe who we are, how and for what purposes we process your personal data, on what legal bases, how you can exercise your privacy rights, and what else may be relevant for you to know.
If, after reading the Privacy Statement, you still have questions about our use of your personal data, you can always contact us (see Contact).
Our services continue to develop; the same applies to this Privacy Statement. We therefore recommend that you regularly check whether any changes have been made. At the bottom of this statement you can see when it was last modified. In the event of material changes, we will inform you proactively, for example by email or via the app.
Principles for Data Processing
We apply the following GDPR principles to every processing activity:
- Lawfulness, fairness, transparency – processing is lawful, proportionate, and explained in an understandable way.
- Purpose limitation – we process personal data only for specified, explicitly described, and legitimate purposes and not in a manner incompatible with those purposes.
- Data minimization – we limit data to what is necessary for the purpose (adequate, relevant, and not excessive).
- Necessity and proportionality – we choose the least intrusive method of processing that is reasonably proportionate to the objective.
- Accuracy – we take measures to keep data as complete, correct, and up to date as possible.
- Integrity and confidentiality – we secure personal data appropriately in line with applicable standards.
- Storage limitation – we do not retain personal data longer than necessary for the purpose of the processing (taking statutory retention periods into account).
Definitions used
The definitions in this Privacy Statement align with Article 4 GDPR and common contractual definitions in data processing agreements.
- GDPR – General Data Protection Regulation (EU 2016/679).
- Privacy Statement – this document, which describes who we are, how and for what purposes we process your personal data, how you can exercise your privacy rights, and other relevant information.
- Personal data – any information relating to an identified or identifiable natural person.
- Data subject – the natural person to whom the personal data relate (e.g. participant, customer, employee of a client).
- Processing – any operation performed on personal data (including collection, recording, organization, storage, updating, retrieval, consultation, use, disclosure, restriction, erasure, destruction).
- Controller – the party who (alone or jointly with others) determines the purposes and means of the processing.
- Processor – the party who processes personal data on behalf of the controller.
- Special categories of personal data – including health data; processing is prohibited unless a specific exception and safeguards apply (such as explicit consent).
- User of personal data – a person authorized under the direct authority of the controller or processor to process personal data (e.g. TMHC employee, contracted professional).
- Client (enterprise) – an organization that instructs TMHC to offer programs and the app to its employees (e.g. insurer, healthcare institution, corporate).
- Subprocessor – a third party that processes personal data on behalf of TMHC (as processor).
- GTC/DPA standards – requirements that many enterprise clients set out in their General Terms of Purchase and Data Processing Agreement (such as prior written consent for subprocessors and international transfers, 24-hour breach notification, audit rights, data locations).
Who we are, how we work, and how you can reach us
What we do
Together with partners, TMHC develops Micro Habit Tracks using its own Micro Habit Technology (web application). Our programs help participants build small, evidence-based habits (micro-habits) that can be practised in less than five minutes per day. Participants work independently and in groups; support from a Micro Habit Coach is possible.
Two operating models
- Consumer/direct – when you create an account yourself or are a direct customer, TMHC is the controller.
- Enterprise/client programs – when you participate via your employer/client, the client is the controller and TMHC is the processor. TMHC acts solely in accordance with the client’s written instructions (data processing agreement). In that case, data subject requests go through the client; TMHC facilitates.
Organization details
TMHC is located at Gondel 1, 1186 MJ Amstelveen, and is registered with the Chamber of Commerce under number 76910865.
Privacy contact: privacy@themicrohabitcompany.com
Data Protection Officer (DPO): stephan@themicrohabitcompany.com
We exercise the utmost care in processing personal data. Misuse or negligence can cause harm to data subjects, clients, and TMHC. We therefore work according to privacy by design and need-to-know access.
What personal data does TMHC collect from you?
TMHC processes personal data that you provide yourself or that are necessary for the performance of the service. Depending on the program, this may include:
Personal data you provide directly to us
Account and identification data
Name, (work) email, password or SSO ID (with Single Sign-On), role/department (if supplied by the client), optional profile photo.
Program data
Progress in learning paths and micro-habits, chat (if present), check-ins/quiz scores, read status of content, (optional) feedback and messages in the app, use of templates/prompts.
Support & security
Log and error messages, device/browser information, SSO events (success/failure), timestamps of use, security and performance monitoring.
Special categories of personal data (only if explicitly permitted)
Some programs may include health-related self-reports (e.g. stress or sleep experiences). This happens only with your explicit consent and not in every program. A client may also choose that no special categories of data are processed (this is often the default for enterprise tracks focused on adoption/skills).
Personal data received from your employer
When you participate in enterprise programs, we may receive your name and (work) email address from your employer or client for account creation. You provide other data (such as progress, feedback, or optional answers) yourself via the program.
Mandatory data
To participate in a program, your first name, last name, and (work) email address are required. Without these data we cannot create an account and the program will not function properly.
Providing other data is voluntary but may be necessary to use certain features (such as progress tracking or personalized feedback).
For what purposes do we process your personal data?
The main purpose is to deliver the agreed services: enabling you to practise micro-habits, record them, and gain insight into your progress.
In addition, we process personal data for:
- Preparation, conclusion, performance, and termination of agreements (with you or with the client).
- Administration, invoicing, and customer service (e.g. support tickets).
- Quality and management purposes – improving service delivery, processes, and systems; (internal) audits; product development. For this we prefer aggregated or anonymized data.
- Research purposes – aimed at quality improvement and measuring the impact of programs; compatible with the original purposes. Where possible, anonymous or aggregated.
- Compliance with laws and regulations – identification, fraud and abuse prevention, internal control, business security, and legal obligations (e.g. tax retention requirements).
Automated decision-making
We do not make decisions based solely on automated processing, including profiling, that produce legal effects concerning you or similarly significantly affect you. Any analyses or recommendations within the app (such as reminders or progress feedback) are supportive and have no legal or binding consequences.
We do not process your data further in a manner incompatible with the purposes for which they were obtained.
On what legal bases do we rely for processing?
TMHC always processes personal data on the basis of a valid GDPR legal basis.
Consumer/direct (TMHC = controller)
- Performance of a contract (Art. 6(1)(b) GDPR) – to deliver the service, manage your account, and provide support.
- Legitimate interests (Art. 6(1)(f) GDPR) – limited analytics/product improvement, security, and logging (always with minimal impact and anonymized where appropriate).
- Consent (Art. 6(1)(a) and, for special categories of data, Art. 9(2)(a) GDPR) – only for processing that requires consent (e.g. optional health questions). You can withdraw consent at any time (see Rights).
Enterprise/client programs (TMHC = processor)
- Purposes and legal bases are determined by the client (e.g. “AI adoption and compliance”, “psychological safety”).
- TMHC processes solely in accordance with written instructions in the data processing agreement; additional processing is not permitted without the client’s prior written consent.
To whom do we disclose your personal data?
We are cautious about sharing personal data.
Employer/client (enterprise)
Employers do not receive individual progress data unless this is strictly necessary for support or you explicitly request it. By default we provide aggregated/anonymous reports (e.g. adoption figures, participation rates, impact measurements), with pre-agreed thresholds to prevent identifiability.
Micro Habit Coach / support
Need-to-know only; coaches and support staff have limited access for guidance or incident handling.
Subprocessors/infrastructure (EU unless stated)
- Heroku (IE) – application platform
- GCP (NL) – data/processing
- Matomo (EU) – product/usage analytics (enterprise: only activated with the client’s prior consent)
- AppSignal (NL) – performance monitoring
- Contentful (EU space) – content management
- WorkOS (US) – SSO/identity (only with the client’s prior written consent; see international transfers)
Subprocessors
Engaging, changing, or replacing subprocessors happens only with the client’s prior written consent. We inform the client in advance of intended changes; the client may object. Subprocessors are contractually bound to equivalent privacy and security obligations.
Other third parties
We do not disclose personal data to third parties unless this is necessary in accordance with this statement, a legal obligation applies, or you give explicit consent.
Are your personal data processed outside the European Economic Area (EEA)?
We primarily process personal data within the EEA. No transfer outside the EEA takes place without appropriate safeguards (such as EU Standard Contractual Clauses) and – in enterprise engagements – without the client’s prior written consent.
WorkOS (US) for SSO/identity
If the client wants SSO and has given prior written consent, WorkOS (US) may be used. This takes place solely under EU SCCs and additional technical and organizational safeguards. WorkOS processes only limited identity and login data (such as email address and SSO ID), never substantive program data (such as progress, answers, special categories of data).
Who within TMHC has access to your personal data?
Access is strictly authorized on a need-to-know basis and recorded in our authorization scheme. Only employees and professionals who – given their role and duties – are directly or indirectly involved in delivering the agreed services have access, and then only to the data that are necessary.
How do we secure your personal data?
We implement appropriate technical and organizational measures, including:
- Encryption of data in transit and at rest;
- Access control (roles, MFA for administrators), least privilege;
- Segmentation/separation of customer data and logging of access;
- Security monitoring, app/performance monitoring (including AppSignal), and timely patching;
- Backups and recovery tests;
- Periodic (penetration) tests and security assessments;
- Vendor assessment against recognized standards (e.g. ISO 27001);
- Fixed locations for data centers and subprocessors (EEA), no relocation without the client’s prior written consent (enterprise).
How long do we retain your personal data?
We retain personal data no longer than necessary for the purposes described above, taking statutory retention periods into account.
- Consumer/direct – personal data are in principle deleted within 12 months after completion of the program or after a period of inactivity, unless legal obligations require longer retention. We may use anonymized program data longer for quality improvement and statistics.
- Enterprise/client programs – unless otherwise agreed with the client, personal data are deleted no later than 3 months after the end of the program/pilot. Program data (e.g. questionnaires, progress, logs) are anonymized for quality and impact measurements. The client may give different instructions; TMHC follows these in accordance with the data processing agreement.
For certain program-specific questionnaires, additional consent applies.
See Appendix: Consent Declaration Wellbeing Leadership.
How can you manage your personal data? (Rights of data subjects)
You have the following rights under the GDPR: access, rectification, erasure, restriction, portability (data portability), and objection.
Timeframes & verification
We normally respond within one month of receiving your request. This period may be extended by two months depending on the complexity or number of requests; we will inform you if this is the case. We may ask for additional information to verify your identity.
Costs
Requests are handled free of charge unless they are manifestly unfounded or excessive (e.g. repetitive requests). In that case we may charge a reasonable fee or refuse the request (stating our reasons).
Routes for submitting your request
- Consumer/direct – via privacy@themicrohabitcompany.com. You can also adjust certain account details yourself via the web app.
- Enterprise/client programs – requests go through your employer/client (the controller). TMHC facilitates handling and provides the necessary information to the client in a timely manner, in accordance with the data processing agreement.
Erasure/correction & notification to recipients
We correct or erase personal data if they are factually incorrect, incomplete, irrelevant, or otherwise processed in breach of the GDPR. Where applicable, we inform recipients to whom the data have been disclosed of correction/erasure/restriction, unless this is impossible or requires disproportionate effort (you may request a list of these recipients).
Objection
You may object to processing based on legitimate interests (explaining your particular circumstances) or to use for direct marketing (we will always comply with the latter). For scientific/historical research or statistics you may object on grounds relating to your specific situation.
Withdrawal of consent
If processing is based on consent, you can withdraw it at any time. This does not affect processing already carried out.
Data breaches (incidents relating to personal data)
In the event of a (suspected) breach, we report as follows:
- Enterprise/client programs – as soon as possible and no later than within 24 hours of discovery to the client, including at least: nature of the breach, (sub)processor/location, categories of personal data/data subjects, contact details of our DPO, encryption status, measures already taken and proposed, and (where known) assessment of risks/impact. We provide full cooperation with investigation, mitigation, and legally required notifications to supervisory authorities/data subjects.
- Consumer/direct – where required we notify the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) and – if it poses a high risk – data subjects, in accordance with the GDPR.
Audits (enterprise)
The client has the right to conduct audits, itself or via an independent third party, on compliance with privacy and security obligations. TMHC cooperates and makes reasonable information, documentation, and facilities available within agreed timeframes and during business hours. Frequency, scope, and confidentiality are agreed in consultation.
Confidentiality, data ownership, and end of services
Ownership & confidentiality
All data supplied by or on behalf of the client and all data processed or created in the performance (including metadata/telemetry) are the client’s data and are confidential. TMHC uses them only for the agreed performance and in accordance with instructions.
End of services
On the client’s instruction, TMHC returns or destroys personal data, with written confirmation. Any copies in backups are removed according to agreed retention and deletion procedures. Anonymized data may – if agreed – continue to be used for quality improvement/reporting.
Export
Upon request, TMHC provides an export in a common format to the client within a reasonable period.
Cookies & SSO
TMHC uses only necessary cookies for basic functionality and security. Analytics (e.g. PostHog EU) are activated in enterprise environments only with the client’s prior consent. Where SSO is required, WorkOS (US) may use functional cookies/storage for a secure login flow; use only with prior written consent and under SCCs.
Complaints
Questions/complaints to TMHC – privacy@themicrohabitcompany.com (DPO: stephan@themicrohabitcompany.com).
For enterprise/client programs – please contact your employer/client in the first instance; TMHC supports the handling.
You may also file a complaint with the Dutch Data Protection Authority via autoriteitpersoonsgegevens.nl.
The Micro Habit Company (TMHC)
Gondel 1, 1186 MJ Amstelveen • Chamber of Commerce 76910865
Privacy email: privacy@themicrohabitcompany.com
DPO: stephan@themicrohabitcompany.com
When was this Privacy Statement last modified?
Last modified and effective as of: 01-09-2025 (Version 1.2).
Future changes will be updated here; in case of material changes we will inform you proactively.
Appendix: Consent Declaration Wellbeing Leadership
For managers regarding the questionnaire for the Wellbeing Leadership program on psychological safety.
With your data we make the Wellbeing Leadership program relevant to you. We handle your data with care. The Wellbeing Leadership program is an initiative of Achmea Vitaliteit B.V. (trading as Zilveren Kruis) and The Micro Habit Company B.V.
Participation in the questionnaire is part of the program. By participating in the questionnaire you explicitly consent to the processing of data, as described in this consent declaration and the Privacy Statement, for offering and running the Wellbeing Leadership program. This information is shared and used only for the purposes for which you give consent.
I consent to Wellbeing Leadership:
- Offering me a questionnaire via the application as part of the Wellbeing Leadership program, through which I gain insight into my behaviours regarding psychological safety. Your employees also receive a questionnaire in which the perception of psychological safety within the team is measured. This questionnaire focuses on the three most important factors of psychological safety: speaking up without fear, inclusion & diversity, and equal participation. In this way we can give you insight into the extent to which your efforts influence employees’ perception.
- Providing insight into the results. After completing the questionnaire (15 questions, maximum 5 minutes), you as a manager will see these insights. In addition, you will gain insight into your team’s results, provided at least 5 employees from your team have completed the questionnaire. In that case only average scores are shown.
- Offering me the same questionnaire again after the Wellbeing Leadership program has ended, so that you as a manager can see whether and what has changed in your behaviours and in your team’s perception regarding psychological safety.
- Making my questionnaire results available to Zilveren Kruis and The Micro Habit Company B.V., for analyses for the following activities:
  - adjusting the content or operation of, or communication about, the Wellbeing Leadership program during its term to improve experience and impact;
  - providing advice to employers on health and wellbeing policy;
  - evaluating and improving the proper functioning and effectiveness of the Wellbeing Leadership program;
  - improving products and services relating to wellbeing at work and Wellbeing Leadership.