Privacy Policy

Last revision June 24th 2025

Konfidens' Data Privacy Policy details how Konfidens collects, utilizes, and deletes your data. By using the Konfidens platform (the "Platform" or "we") and making use of your Konfidens account (the "Account") and all its related features, including session notes, appointments, payments, and video chat (the "Services"), you acknowledge that your data related to your use of our Services is processed in accordance with the following privacy policy. This privacy policy, along with any product-specific privacy policies (collectively, the "Privacy Policy"), outlines (i) the data we collect during your access and use of the Services; (ii) how we use this data; and (iii) the measures we have in place to safeguard your data. Please consider the Privacy Policy as a supplementary document to our terms and conditions.

Data Controller and Processor
The services are operated by Mindcare AS (Business Registration Number: 925 239 070), headquartered at Rathkes gate 5B, 0558 Oslo. You can reach us via email at hello@konfidens.com.

Mindcare acts as the data controller for information collected from its clients. This typically includes data necessary for service delivery and fulfilling our obligations to our customers.

Our customers utilize our services to manage their mental health care practices. As part of this process, data pertaining to their clients is stored and processed on our platform. For this data, Mindcare assumes the role of the data processor, while the account holder serves as the data controller.

We aim to provide you with transparent privacy policy. If you have any inquiries or concerns regarding any aspects of these terms not covered here, please don't hesitate to reach out to us at hello@konfidens.com.

When is Personal Information Collected?

We process information about you in the following situations:

  1. You have registered as a user on the platform.
  2. You create an order or agreement on the platform.
  3. An order or agreement is made on your behalf.
  4. You are invited to the platform by a colleague or friend.
  5. You subscribe to our newsletter.
  6. You have applied for a job with us.
  7. You contact us via chat, email, or other means.

Legal Basis for Processing Personal Information

The personal information collected is processed based on the following:

For platform users

Legal Basis: The legal foundation we operate under for the information pertaining to platform users is established in accordance with § 1 of the Personal Data Act, in conjunction with Article 6(1)(b) of the General Data Protection Regulation (GDPR). This legal framework is anchored in the agreements entered into by platform users, as stipulated in our terms of use.

Data Processing Agreement: Regarding the information that our customers input into the platform, we assume the role of a data processor, governed by the provisions set forth in our data processing agreement. This agreement clearly outlines our responsibilities and obligations in managing this data.

For clients

The legal foundation for data processing relies on your consent to utilize our platform for the services we offer, in accordance with Article 9(2)(a) of the General Data Protection Regulation (GDPR). When using our platform as a patient, this consent is granted for the following purposes:

  1. Secure Login: We process your information to facilitate secure login.
  2. Appointment Management: This includes appointment booking and any subsequent changes to your appointments with your healthcare provider.
  3. Booking History: We maintain a history of your past bookings.
  4. Payments: Facilitating payments from you to your healthcare provider.

It's important to note that beyond these specified purposes, your healthcare provider assumes the role of the data controller for information related to you, while we act as the data processor for this information.

Visits to app

App includes the domain app.konfidens.com, app.konfidens.no and app.konfidens.uk, booking.konfidens.com, booking.konfidens.uk, booking.konfidens.no and directory.konfidens.uk

For security and privacy reasons, Konfidens does not use third party cookies for marketing og tracking purposes, but has certain cookies to provide functionality related to user-friendliness and security. We strive to keep this number to a minimum.

You can read more about our cookies on this page.

Event Logging

Konfidens adheres to the information security and privacy standards set by the Norwegian Directorate of eHealth within the healthcare sector. Consequently, a majority of your actions as a healthcare professional are systematically recorded. These actions encompass, among others:

  • Initiating a session from an unfamiliar device.
  • Accessing a patient's record.
  • Writing session notes.
  • Electronically signing a note.
  • Revising an already signed note.
  • Granting access to a patient's record to a supervisor or colleague (subject to patient consent).

Each log entry comprises a user identifier, the date of the action, and specifics about your login method during that session. In cases involving particularly sensitive actions, such as printing notes from a patient's record, we also log your IP address for added security and accountability.

Who is Your Personal Information Shared With?

Konfidens uses a limited number of subcontractors to provide services on the platform. In cases where the processing of personal information is necessary, we require the data to be processed and stored in Europe, in compliance with the General Data Protection Regulation (GDPR).

Data subprocessors

To provide the Services, we rely on select data subprocessors, which process different categories of data. Processors never store data outside of the scope of their specific purpose. Subprocessors are as follows:

  • AWS: The platform runs and stores data in data centers located in Frankfurt, Germany, operated by AWS EMEA SARL. All information on the platform is stored in databases in these data centers.
  • Criipto: (Applicable only for Norwegian users).
    When you carry out identification or authentication using BankID, we use Criipto to complete the process. Konfidens does not send personal information to Criipto, but we receive your date of birth, first name, and last name upon successful authentication. Please read Criipto's privacy policy for more information.
  • Adyen: When you make a payment to us, or collect payments from clients, the payment is facilitated using our subcontractor, Adyen. We also use this provider to issue refunds or payments to you or your clients. Data exchanged in the process includes your account information. Please read Adyen's privacy policy for more information.
  • GatewayAPI: The platform uses SMS to verify ownership of phone numbers and for authentication of known users. We use GatewayAPI for sending SMS. Data is stored and processed in Germany, Finland, and/or Denmark. The personal information transmitted includes: Your phone number. We never use your phone number for marketing or newsletters.
  • Brevo: Emails sent automatically from the platform, such as email confirmations or clinic invitations, are sent via Brevo (formerly Sendinblue). Data is stored and processed in Germany, Belgium, and/or Ireland. The personal information transmitted includes:
    – Email address
    – Recipient's name
    – Subject and content of the email

    When emails are sent on your behalf, such as clinic invitations, the email text may include your name and email address. We never send healthcare information via email. Invitations to the platform will not grant access to sensitive data without the recipient also confirming with a code sent through another medium (e.g., SMS).
  • Google Workspace / Intercom: Emails to and from us that are not automatic emails are received and sent via Intercom or Google Workspaces, depending on the recipient's address you send to. When we initiate the email exchange, we will provide your name and email address to the third party. If you initiate the exchange, the personal information exchanged is controlled by your email provider but typically limited to name and email address.
  • Whereby: In cases where you conduct a video appointment, Whereby is used as the service provider. Konfidens does not directly transfer personal information to the service, but due to the nature of the content, we consider this as processing special categories of personal information. The video stream is encrypted between parties but may be decrypted in small time windows while being processed by Whereby's video routers. Please read Whereby's privacy policy for more information.
  • hCaptcha: Our digital services needs to ensure that it is interacting with a human, not a bot, and that activities performed by the user are not related to fraud or abuse. To do this, hCaptcha analyzes the behavior of the website or mobile app visitor based on various characteristics, including information about your browser and operating system. Konfidens does not directly transfer any personal information to hCaptcha, but due to the purpose of the service we consider this as processing special categories of personal information. The analysis hCaptcha does starts automatically as soon as you visit the login or registration page, and ends immediately after the login has succeeded. For more information about hCaptcha’s privacy policy and terms of use, please visit the following links: hcaptcha.com/privacy and hcaptcha.com/terms.
  • Chargebee: Konfidens uses Chargebee, a subscription billing and revenue operations platform, to manage billing, invoicing, and subscription services. In the course of providing these services, Chargebee may process personal data such as names, email addresses, payment details, and billing information. Chargebee acts as a data subprocessor on our behalf and is committed to maintaining high standards of data protection and compliance. For more information, you can review Chargebee’s privacy policy.
  • Speechmatics: We use Speechmatics, a speech-to-text transcription service, to provide real-time transcription for our AI Journal feature. This service is only activated when users choose to use the AI Journal during live sessions. Audio is transcribed live, and no audio files are stored at any point in the process. Speechmatics acts as a data subprocessor on our behalf and processes the audio data solely for the purpose of generating text transcriptions. The service is hosted in the United Kingdom and operates in compliance with applicable data protection laws. For more information, please refer to Speechmatics’ privacy policy.
  • Microsoft Azure: When users choose to use our AI Journal feature, we process text transcripts of therapy sessions using Microsoft Azure cloud services, hosted in secure data centers within Europe (currently located in Norway). No audio data is stored or transmitted — only the text transcript is used to generate session summaries. We do not transfer identifiable information directly to the same data centers, but due to the varied content of the transcriptions, these may still become identifiable. All transcripts and summaries are deleted from Microsofts datacenters within 48 hours. For more information, please see Microsoft’s privacy statement.

How Long Do We Store Your Information?

If you have created a user account but have not been active for a period of 4 years, we will send you a notice that your account will be archived and deactivated. Archiving involves anonymizing your data and occurs 6 months after the notice, unless you log in again in the meantime. Personal information processed under Konfidens' legitimate interests will be stored as long as we are required to keep them. For example, if you have made payments on the platform, information we are legally required to store according to Norwegian accounting regulations will be retained for 10 years after the end of the fiscal year.

Your Rights

You have the right to receive a response without undue delay, and no later than one month. Contact us at hello@konfidens.com if you wish to exercise any of these rights.

  • Access to Your Data
    You have the right to access the data we have about you. If we hold healthcare information about you, we will require identification to provide you with this information. Learn more about the right to access.
  • Correction of Personal Information
    You can ask us to correct or supplement inaccurate or misleading information. Learn more about the right to correct or supplement information.
  • Right to Be Forgotten
    You have the right to be forgotten if our information about you is inadequate, irrelevant, or no longer necessary for the purpose it was processed. Learn more about the right to erasure.
  • Data Portability
    If we process information about you based on consent or a contract, you can request that we transfer information about you to you or to another data controller.

Information in Patient Records

If you are a patient and require corrections or deletions of information entered into the platform by your healthcare provider, kindly reach out to the therapist or clinic responsible for your treatment. Please be aware that healthcare professionals may have legal obligations to maintain records of individuals who have received healthcare services and the nature of the care provided, as stipulated by national legislations.

Complaints About Processing

We hope you will let us know if you believe we are not in compliance with the rules in the Personal Data Act. In that case, please contact us through the contact or channel you have already established with us.